KubeBlocks
BlogsKubeBlocks Cloud
Overview
Quickstart

Topologies

MySQL Semi-Synchronous Cluster
MySQL Cluster with ProxySQL
MySQL Group Replication Cluster
MySQL Group Replication with ProxySQL
MySQL Cluster with Orchestrator
MySQL with Orchestrator & ProxySQL

Operations

Lifecycle Management
Vertical Scaling
Horizontal Scaling
Volume Expansion
Manage MySQL Services
Minor Version Upgrade
Modify MySQL Parameters
Planned Switchover in MySQL
Decommission MySQL Replica
Recovering MySQL Replica

Backup And Restores

Create BackupRepo
Create Full Backup
Scheduled Backups
Scheduled Continuous Backup
Restore MySQL Cluster
Restore with PITR

Custom Secret

Custom Password
Custom Password Policy

TLS

MySQL Cluster with TLS
MySQL Cluster with User-Provided TLS
MySQL Cluster with mTLS

Monitoring

Observability for MySQL Clusters

Advanced Pod Management

Custom Scheduling Policies
Custom Pod Resources
Pod Management Parallelism
Using OnDelete for Controlled Pod Updates
Gradual Rolling Update
  1. Prerequisites
  2. Deploying the MySQL Semi-Synchronous Cluster
    1. Explanation:
  3. Verifying the Deployment
  4. Connect to MySQL Cluster
    1. Step 1: Retrieve the Root Credentials
    2. Step 2: Connect to MySQL Securely Using TLS
    3. Step 3: Verify the TLS Connection
  5. Cleanup
  6. Summary

Deploying a MySQL Cluster with TLS on KubeBlocks

This guide demonstrates how to deploy a MySQL cluster with TLS encryption using KubeBlocks. TLS ensures secure communication between the MySQL client and server by encrypting data in transit, protecting sensitive information. You will learn how to deploy the cluster, connect securely using TLS, and clean up resources after testing.

Prerequisites

Before proceeding, ensure the following:

  • Environment Setup:
    • A Kubernetes cluster is up and running.
    • The kubectl CLI tool is configured to communicate with your cluster.
    • KubeBlocks CLI and KubeBlocks Operator are installed. Follow the installation instructions here.
  • Namespace Preparation: To keep resources isolated, create a dedicated namespace for this tutorial:
kubectl create ns demo
namespace/demo created

Deploying the MySQL Semi-Synchronous Cluster

KubeBlocks uses a declarative approach for managing MySQL clusters. Below is an example configuration for deploying a MySQL cluster with 2 nodes (1 primary, 1 replicas) in semi-synchronous mode with TLS enabled.

Apply the following YAML configuration:

kubectl apply -f - <<EOF
apiVersion: apps.kubeblocks.io/v1
kind: Cluster
metadata:
  name: example-mysql-cluster
  namespace: demo
spec:
  clusterDef: mysql
  topology: semisync
  terminationPolicy: Delete
  componentSpecs:
    - name: mysql
      serviceVersion: 8.0.35
      replicas: 2
      tls: true
      issuer:
        name: KubeBlocks
      resources:
        limits:
          cpu: '0.5'
          memory: 0.5Gi
        requests:
          cpu: '0.5'
          memory: 0.5Gi
      volumeClaimTemplates:
        - name: data
          spec:
            storageClassName: ""
            accessModes:
              - ReadWriteOnce
            resources:
              requests:
                storage: 20Gi
EOF

Explanation:

  • tls: true: Enables TLS encryption for secure communication.
  • issuer: KubeBlocks: Uses KubeBlocks' default built-in certificate issuer for TLS.

Verifying the Deployment

Monitor the cluster status until it transitions to the Running state:

kubectl get cluster -n demo

Expected Output:

NAME                    CLUSTER-DEFINITION   TERMINATION-POLICY   STATUS    AGE
example-mysql-cluster   mysql                Delete               Running   11m

Connect to MySQL Cluster

Step 1: Retrieve the Root Credentials

KubeBlocks automatically creates a secret containing the MySQL root credentials. Retrieve the credentials with the following commands:

  1. Retrieve the root username:
kubectl get secrets -n demo example-mysql-cluster-mysql-account-root -o jsonpath='{.data.username}' | base64 -d

Expected Output:

root
  1. Retrieve the root password:
kubectl get secrets -n demo example-mysql-cluster-mysql-account-root -o jsonpath='{.data.password}' | base64 -d

Expected Output:

43Rysk6w10

Step 2: Connect to MySQL Securely Using TLS

Use the MySQL client to connect securely with TLS enabled. The '--ssl-mode=REQUIRED' option enforces the use of TLS for encryption.

kubectl exec -it -n demo example-mysql-cluster-mysql-0 -c mysql -- mysql -h example-mysql-cluster-mysql.demo.svc.cluster.local -uroot -p43Rysk6w10 --ssl-mode=REQUIRED

Step 3: Verify the TLS Connection

Verify TLS connection status in MySQL shell:

mysql> STATUS;
--------------

SSL:			Cipher in use is TLS_AES_256_GCM_SHA384

If the SSL field displays a cipher, the connection is successfully encrypted using TLS.

Cleanup

To remove all resources created in this tutorial, run the following commands:

kubectl delete cluster example-mysql-cluster -n demo
kubectl delete ns demo

Summary

In this guide, you learned how to:

  • Deploy a MySQL cluster using KubeBlocks and enable TLS encryption for secure communication between the MySQL client and server.
  • Establish a secure MySQL connection with TLS.
  • Verify the secure connection using the MySQL shell.

TLS encryption ensures secure communication by encrypting data in transit and protecting sensitive information. By following these steps, you can deploy a secure MySQL cluster on Kubernetes with ease using KubeBlocks.

© 2025 ApeCloud PTE. Ltd.