This topic gives you reference information about the Google MySQL service (csb-google-mysql). It details the plans, configuration parameters, and binding credentials.
Note Release v1.2.0 removes brokerpak pre-configured plans for MySQL. All plans must be configured through the tile. For how to do so, see Configure Services with Cloud Service Broker for GCP. For more information about upgrade steps, see Upgrading Tanzu Cloud Service Broker for GCP.
When configuring Cloud Service Broker for GCP you can add additional plans. For how to configure plans, see Configure Services with Cloud Service Broker for GCP.
The following table lists parameters that can only be configured for additional plans:
Parameter Name | Values | Default | Required |
---|---|---|---|
name | The plan name. | n/a | Yes |
id | A unique GUID. | n/a | Yes |
description | Description of the new plan. | n/a | Yes |
free | When false, service instances of this service plan have a cost. | true | No |
bindable | Specifies whether service instances of the service plan can bind to applications. | true | No |
plan_updateable | Specifies whether the plan supports upgrade/downgrade/sidegrade to another version. | true | No |
metadata.displayName | Name to use when displaying the plan in the Marketplace. | n/a | No |
metadata.bullets | List of bullet points to display in Apps Manager. | n/a | No |
You can also add any of the configuration parameters listed in the parameters section to your plan.
To create plans with specific sizes and versions, set the `tier`, `storage_gb`, and `mysql_version` properties.
Note If you set a parameter at plan level, developers cannot change the value when creating or updating service instances.
You can provision a service by running:
cf create-service csb-google-mysql PLAN-NAME SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'
You can update the configuration parameters for a service instance by running:
cf update-service SERVICE-INSTANCE-NAME -c '{"PARAMETER-NAME": "PARAMETER-VALUE"}'
The following table lists the parameters that you can configure, by using the `-c` flag, when provisioning a csb-google-mysql service:
Parameter Name | Type | Description | Default | Operation |
---|---|---|---|---|
tier | string | Required unless defined in plan. This is the GCP database machine type. For more information, see the Google Cloud documentation. | None | provision and update |
deletion_protection | boolean | Sets whether deletion protection is enabled. The database cannot be deleted when this value is set. | false | provision and update |
disk_autoresize | boolean | Enables auto-resizing of the storage size. When deactivating storage auto-resizing, set the value of disk_autoresize_limit to 0. | true | provision and update |
disk_autoresize_limit | number | The maximum size in GB to which storage capacity can be automatically increased. The default value is 0, which specifies that there is no limit. | 0 | provision and update |
mysql_version | string | Required unless defined in plan. This is the version for the MySQL instance, and it can be any version that the provider supports. Note that enforcing secure connections is only supported with MySQL v5.7 and later. If you are using MySQL v5.6, you must also set the allow_insecure_connections property. | None | provision and update |
storage_gb | number | Required unless defined in plan. Size of storage volume for service instance. To understand the limits, see the Google Cloud documentation. | 10 | provision and update |
instance_name | string | Name for the MySQL instance. | csb-mysql-INSTANCE-ID | provision |
db_name | string | Name for the database. | csb-db | provision |
region | string | The region of the MySQL instance. | The value the operator entered for Region in Tanzu Operations Manager. | provision |
authorized_network_id | string | Self link of the Google Compute Engine network to which the instance is connected. It has the format `https://www.googleapis.com/compute/v1/projects/PROJECT-NAME/global/networks/VPC-NAME`. | The value the operator entered for Authorized Network ID in Tanzu Operations Manager. If this is empty, then the default network of the region is used. | provision |
authorized_networks_cidrs | array | CIDR notation IPv4 or IPv6 addresses that are allowed to access this instance. | [] | provision and update |
public_ip | boolean | Assigns a static public IPv4 IP to the database. You must configure authorized_networks_cidrs on the selected network to enable access. For more information, see the Google Cloud documentation. | false | provision and update |
credentials | string | The GCP credentials. | The value the operator entered for Credentials in Tanzu Operations Manager. | provision and update |
backups_retain_number | number | The number of backups to retain. Setting this value to 0 deactivates the backups. | 7 | provision and update |
backups_location | string | The name of the GCP region in which to store the backup. | null | provision and update |
backups_start_time | string | Time in HH:MM format that indicates when the backup starts. | 07:00 | provision and update |
backups_transaction_log_retention_days | number | The number of days to retain the transaction logs. Setting this value to 0 deactivates transaction log backups. The transaction logs can be retained up to seven days. When transaction logs are activated, regular backups are forced to be enabled, even if backups_retain_number is set to 0. | 0 | provision and update |
highly_available | boolean | Enable regional high availability for the service instance. This deploys a hot standby instance to a different zone in the same region, and affects the billing accordingly. Enabling this setting requires transaction log backups to be enabled. For more information, see the Google Cloud Documentation. | false | provision and update |
location_preference_zone | string | Preferred zone in the instance region for the primary instance in a highly available setup. For example, a or c. When not specified, one of the available zones is chosen automatically. For a list of available zones, see the Google Cloud Documentation. | "" | provision and update |
location_preference_secondary_zone | string | Preferred zone in the instance region for the standby instance in a highly available setup. For example, b or f. In a highly available configuration, when the secondary zone is not specified, a zone different from the one specified for the primary instance is chosen automatically. For a list of available zones, see the Google Cloud Documentation. | "" | provision and update |
allow_insecure_connections | boolean | Specifies whether insecure connections are allowed for this service instance. Note that enforcing secure connections is not supported by MySQL v5.6. If you are using MySQL v5.6, you must set this property to true. When `allow_insecure_connections` is `false`, the settings visible in the Google Cloud Console can give a misleading impression, because they reflect server-level configuration, whereas CSB enforces security at the user level, so that all bindings (user credentials) created by CSB mandate SSL connections. | false | provision |
project | string | The GCP project to use. | The value the operator entered for Project in Tanzu Operations Manager. | provision and update |
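The constraints stated in this table can be checked before a parameter object is passed to `cf create-service -c`. The following Python linter is an added example, not part of Cloud Service Broker; the rule names and sample inputs are constructed here, and it assumes that a MySQL v5.6 version string contains `5.6` or `5_6`.

```python
import ipaddress
import re

# Defaults copied from the parameter table above.
DEFAULTS = {
    "allow_insecure_connections": False, "public_ip": False, "highly_available": False,
    "authorized_networks_cidrs": [], "deletion_protection": False,
    "backups_retain_number": 7, "backups_transaction_log_retention_days": 0,
}

def lint_params(params):
    """Return sorted rule ids (names invented for this example) for a -c object."""
    p = {**DEFAULTS, **params}
    hits = set()
    # Assumption: a MySQL v5.6 version string contains "5.6" or "5_6".
    is_56 = re.search(r"(?<!\d)5[._]6", str(p.get("mysql_version", ""))) is not None
    if p["allow_insecure_connections"]:
        hits.add("TLS_NOT_ENFORCED")  # cannot be changed after creation
    elif is_56:
        hits.add("MYSQL56_NEEDS_INSECURE_FLAG")  # v5.6 cannot enforce TLS
    nets = []
    for cidr in p["authorized_networks_cidrs"]:
        try:
            nets.append(ipaddress.ip_network(cidr, strict=False))
        except ValueError:
            hits.add("BAD_CIDR")
    if any(n.prefixlen == 0 for n in nets):
        hits.add("CIDR_ALLOWS_ANY_ADDRESS")
    if p["public_ip"] and not nets:
        hits.add("PUBLIC_IP_WITHOUT_CIDRS")  # table: CIDRs are needed for access
    log_days = p["backups_transaction_log_retention_days"]
    if log_days > 7:
        hits.add("LOG_RETENTION_OVER_7_DAYS")
    if p["backups_retain_number"] == 0 and log_days == 0:
        hits.add("BACKUPS_DEACTIVATED")
    if p["highly_available"] and log_days == 0:
        hits.add("HA_NEEDS_TRANSACTION_LOGS")
    if not p["deletion_protection"]:
        hits.add("DELETION_PROTECTION_OFF")
    return sorted(hits)

# Constructed sample inputs; only the keys the linter reads are shown.
RISKY = {"mysql_version": "5.6", "public_ip": True, "highly_available": True,
         "authorized_networks_cidrs": ["0.0.0.0/0"], "backups_retain_number": 0}
HARDENED = {"mysql_version": "8.0", "deletion_protection": True, "highly_available": True,
            "authorized_networks_cidrs": ["10.0.0.0/24"], "backups_transaction_log_retention_days": 7}

if __name__ == "__main__":
    print(lint_params(RISKY), lint_params(HARDENED))
```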
By default, all new service instances do not allow insecure connections. To establish a secure connection, the application must extract the CA certificate from the binding, because CloudSQL generates a separate CA certificate for every service instance. For more information about certificate generation, see the Google Cloud documentation.
Important Because a CloudSQL server certificate does not contain the server name, or its IP address in any form, the server certificate verification must be limited to CA verification only. For more information, see the Google Cloud documentation.
You can establish a mutual TLS connection to the server by using the contents of the `sslcert` and `sslkey` binding properties. However, mutual TLS is not enforced. For more information, see the Google Cloud documentation.
To avoid the TLS requirement, set the `allow_insecure_connections` parameter to `true` during service instance creation.
Important You cannot change the value for the `allow_insecure_connections` parameter after creating the instance.
Java applications typically require that the certificates used by the application are loaded into a trust store (for CA certificates) or a key store (for client certificates) in a well-known location.
Typically, CA certificates are shared either globally or within an organization. In most scenarios, any extra certificates can be installed in Ops Manager so that the Java buildpack can pick them up to be integrated with the app. However, this is not possible with CloudSQL. Instead, the application itself must handle certificates at load time, and you can achieve this by deploying a pre-runtime script with the application. For more information, see the Cloud Foundry documentation.
The script extracts the certificates from the environment variables and loads them into the appropriate stores. You can use the pre-run script in the JDBC test app on GitHub as an example and adapt it to the required deployment context.
For each new binding, the Google MySQL service creates new user credentials with full access rights to the service instance database, so that all the data remains accessible. However, the client certificate exposed through the binding credentials is created during provisioning, and is shared between all binding users. The client certificate is managed in this manner for the following reasons:
Currently, the Google MySQL service does not provide a mechanism for TLS certificate rotation.
You can bind a service by running:
cf bind-service APP-NAME SERVICE-INSTANCE --binding-name BINDING-NAME
The format for binding credentials for Google MySQL is as follows:
{
  "name": "DATABASE-NAME",
  "hostname": "DATABASE-SERVER-HOST",
  "port": "DATABASE-SERVER-PORT",
  "username": "AUTHENTICATION-USERNAME",
  "password": "AUTHENTICATION-PASSWORD",
  "uri": "DATABASE-CONNECTION-URI",
  "jdbcUrl": "JDBC-FORMAT-CONNECTION-URL",
  "sslcert": "SSL-CLIENT-CERT",
  "sslkey": "SSL-CLIENT-CERT-KEY",
  "sslrootcert": "SSL-INSTANCE-CA-CERT"
}
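A Python application can consume these binding credentials with verification limited to the instance CA, as the TLS notes earlier on this page require. This is an added example, not code from the broker or from the JDBC test app; the helper names are hypothetical, and it assumes the binding appears in `VCAP_SERVICES` under the `csb-google-mysql` label.

```python
import json
import os
import ssl
import tempfile

def mysql_credentials(vcap_services, label="csb-google-mysql"):
    """Return the credentials of the first binding listed under the service label."""
    return json.loads(vcap_services)[label][0]["credentials"]

def write_pem_files(creds, directory):
    """Write the PEM binding properties to owner-only (0600) files; return their paths."""
    paths = {}
    for prop in ("sslrootcert", "sslcert", "sslkey"):
        paths[prop] = os.path.join(directory, prop + ".pem")
        fd = os.open(paths[prop], os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
        with os.fdopen(fd, "w") as fh:
            fh.write(creds[prop])
    return paths

def ca_only_context(paths=None):
    """Client context that verifies the chain against the instance CA only."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # starts with an empty trust store
    ctx.check_hostname = False           # server certificate has no name or IP to match
    ctx.verify_mode = ssl.CERT_REQUIRED  # CA verification stays on
    if paths:
        ctx.load_verify_locations(cafile=paths["sslrootcert"])  # per-instance CA
        ctx.load_cert_chain(paths["sslcert"], paths["sslkey"])  # optional mutual TLS
    return ctx

# Constructed VCAP_SERVICES value; the PEM fields are placeholders, so the demo
# below writes the files but does not load them into the context.
SAMPLE_VCAP = json.dumps({"csb-google-mysql": [{"name": "BINDING-NAME", "credentials": {
    "hostname": "DATABASE-SERVER-HOST", "port": "DATABASE-SERVER-PORT",
    "sslcert": "SSL-CLIENT-CERT", "sslkey": "SSL-CLIENT-CERT-KEY",
    "sslrootcert": "SSL-INSTANCE-CA-CERT"}}]})

if __name__ == "__main__":
    creds = mysql_credentials(os.environ.get("VCAP_SERVICES", SAMPLE_VCAP))
    with tempfile.TemporaryDirectory() as tmp:
        print(sorted(write_pem_files(creds, tmp)))
    print(ca_only_context().verify_mode)
```

With real binding values, call `ca_only_context(paths)` so that the per-instance CA and the shared client certificate are loaded before connecting.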