MySQL

The MySQL service connector processes connection requests to a MySQL database.

To secure connections, we support common MySQL SSL options. For details, see sslmode.

Unlike other clients, the default sslmode for Secretless is require since most use cases require TLS. If your environment does not use TLS, turn it off if you can do so safely.

Configure the service connector

Configure the Secretless Broker to specify where to find your database connection details in the credentials section of the yaml file. This includes where to find the host, port, username, and password of your database, as well as the sslmode details, such as the location of any relevant certificates and revocation lists, if applicable.

The options are as follows:

Option	Description	Required
`host`	The host name of the MySQL server.	Required
`port`	The port of the MySQL server.	Optional (Default setting is 3306)
`username`	The username of the MySQL account.	Required
`password`	The password of the MySQL account.	Required
`sslmode`	This option determines if the connection between Secretless Broker and your database is protected by SSL. For details on the supported values of this parameter, see SSL Modes.	Optional (Default setting is `require`)
`sslcert`	The content of this parameter specifies the client SSL certificate in PEM format. This parameter is ignored if an SSL connection is not made. Corresponds to `ssl-cert`.	Optional
`sslrootcert`	The content of this parameter specifies the SSL certificate authority (CA) certificate(s) in PEM format. If present, the server’s certificate will be verified to be signed by one of these authorities. Corresponds to `ssl-ca`.	Optional
`sslkey`	The content of this parameter specifies the secret key used for the client certificate. This parameter is ignored if an SSL connection is not made. Corresponds to `ssl-key`.	Optional

You must supply a valid value for port in the MySQL service connector configuration. A missing or invalid port causes the Secretless Broker to error. For details, see Troubleshoot Secretless Service Connectors.

The MySQL documentation website provides detail on the levels of protection provided by different values for the sslmode parameter.

Secretless supports the following SSL modes:

Mode	Description
`disable`	Corresponds to `DISABLED`. Try only a non-SSL connection.
`require` Default	Corresponds to `REQUIRED`. Try only an SSL connection. As is the MySQL standard, if a root CA file is present in this mode, no verification of the server certificate is done, despite a CA certificate option being specified.
`verify-ca`	Corresponds to `VERIFY_CA`. Try only an SSL connection, and verify that the server certificate is issued by a trusted certificate authority (CA).
`verify-full`	Corresponds to `VERIFY_IDENTITY`. Try only an SSL connection, and verify the server certificate against the configured CA certificates (provided in the Secretless configuration via `sslrootcert`). In addition, the `verify-full` SSL mode option helps prevent man-in-the-middle attacks by performing a host name identity verification. Secretless checks the host name the client uses for connecting to the server against the identity provided in the certificate the server sends to the client. The connection fails if the host name does not match the certificate Common Name. Secretless uses the value of the `host` parameter in the Secretless configuration to perform the host name identity verification. If desired, you can override this value for the purpose of the certificate check by providing a value for the `sslhost` configuration parameter.

Secretless does not currently support the MySQL PREFERRED or VERIFY_IDENTITY modes, and does not yet support providing an SSL certificate revocation list (eg ssl-crl). Please see our GitHub issues for more information on our plans to add support for these modes.

When sslmode is set to require or verify-ca, the optional SSL configuration parameters sslcert, sslkey, and sslrootcert may be necessary. The particular values needed depend on your use case; more information on these parameters can be found in the MySQL documentation.

Examples

Listening on a network address with default sslmode of require


version: "2"
services:
  mysql_tcp:
    connector: mysql
    listenOn: tcp://0.0.0.0:3306
    credentials:
      host: mysql.my-service.internal
      port: 3306
      username: my-service
      password:
        from: env
        get: MYSQL_PASSWORD

Listening on a Unix-domain socket with default sslmode of require


version: "2"
services:
  mysql_tcp:
    connector: mysql
    listenOn: unix:///sock/mysql.sock
    credentials:
      host: mysql.my-service.internal
      port: 3306
      username: my-service
      password:
        from: env
        get: MYSQL_PASSWORD

Listening on a network address with verifiable CA, revocation list and private key-pair


version: "2"
services:
  mysql_tcp:
    connector: mysql
    listenOn: tcp://0.0.0.0:3306
    credentials:
      host: mysql.my-service.internal
      port: 3306
      username: my-service
      password:
        from: env
        get: MYSQL_PASSWORD
      sslmode: verify-ca
      sslrootcert:
        from: file
        get: /etc/mysql/root.crt
      sslcert:
        from: file
        get: /etc/mysql/client.crt
      sslkey:
        from: file
        get: /etc/mysql/client.key

If your certificate is stored in the environment or a secret store rather than a file, you can use the appropriate provider.

MySQL

Configure the service connector

Examples

See also