This topic describes how to rotate the MySQL root password and the MySQL backup user password.

Overview

When a user provisions a MySQL instance, the MySQL Operator automatically creates a Kubernetes secret containing the MySQL root password as well as the password for the MySQL backup user.

To adhere to security best practices or to company regulations, VMware recommends rotating a MySQL instance's credentials regularly. In addition, you should rotate a password if it is compromised for any reason.

This topic provides multiple methods for rotating passwords for a MySQL instance.

Prerequisites

Before you rotate a MySQL instance's password, you need:

  • The Kubernetes Command Line Interface (kubectl) installed. For more information, see the Kubernetes documentation.

  • The admin role in the namespace of the MySQL instance whose credentials you want to rotate. For more information about user-facing roles, see the Kubernetes documentation.

Option 1: Delete the Kubernetes Secret

This option deletes the Kubernetes secret containing the MySQL passwords. When the secret is deleted, Kubernetes automatically re-creates the secret with newly generated passwords. This procedure rotates both the MySQL root password and the backup user password.

  1. Delete the Kubernetes secret by running:

    kubectl delete secret INSTANCE-NAME-credentials
    

    Where INSTANCE-NAME is the name of the MySQL instance.

    For example:

    kubectl delete secret mysql-sample-credentials
    
    secret "mysql-sample-credentials" deleted
    
  2. Wait until Kubernetes has automatically re-created the secret. You can watch the progress by running:

    kubectl get secret --watch
    

    For example:

    kubectl get secret --watch
    
    NAME                                  TYPE                                  DATA   AGE
    default-token-wb7gl                   kubernetes.io/service-account-token   3      10d
    mysql-sample-credentials              Opaque                                4      48s
    tanzu-mysql-backup-cron-token-c7bnt   kubernetes.io/service-account-token   3      10d
    tanzu-image-registry                  kubernetes.io/dockerconfigjson        1      2m3s
    tanzu-mysql-token-24cdv               kubernetes.io/service-account-token   3      10d
    
  3. Update the database with the new passwords by restarting your MySQL instance:

    kubectl rollout restart statefulset INSTANCE-NAME
    

    For example:

    kubectl rollout restart statefulset mysql-sample
    
    statefulset.apps/mysql-sample restarted
    
  4. Verify that your MySQL instance has finished updating by running:

    kubectl get mysql INSTANCE-NAME
    

    A MySQL instance has finished updating when the value of the STATUS column is Running. For example:

    kubectl get mysql mysql-sample
    
    NAME           READY   STATUS    AGE
    mysql-sample   true    Running   10d
    
  5. To verify that the passwords were rotated successfully, try connecting to your MySQL instance. See Accessing MySQL Instances.

Option 2: Patch the Kubernetes Secret with a Custom Password

This option patches the existing Kubernetes secret with a new password. This procedure allows you to configure MySQL with your own custom passwords. You can use this procedure to rotate either the MySQL root password or the backup user password.

  1. Patch the secret with your custom password by running:

    kubectl patch secret INSTANCE-NAME-credentials -p='{"stringData":{"PASSWORD-FIELD":"CUSTOM-PASSWORD"}}'
    

    Where:

    • INSTANCE-NAME is the name of the MySQL instance.
    • PASSWORD-FIELD is either rootPassword if you are changing the MySQL root password or backupPassword if you are changing the MySQL backup user password.
    • CUSTOM-PASSWORD is your custom password in plaintext. Kubernetes stores this password as a base64-encoded string in the Kubernetes secret; base64 is an encoding, not encryption, so anyone who can read the secret can recover the password.

    For example:

    kubectl patch secret mysql-sample-credentials -p='{"stringData":{"rootPassword":"examplepassword"}}'
    
    secret/mysql-sample-credentials patched
    
  2. To update the database with the new password, restart your MySQL instance by running:

    kubectl rollout restart statefulset INSTANCE-NAME
    

    For example:

    kubectl rollout restart statefulset mysql-sample
    
    statefulset.apps/mysql-sample restarted
    
  3. Verify that your MySQL instance has finished updating by running:

    kubectl get mysql INSTANCE-NAME
    

    A MySQL instance has finished updating when the value of the STATUS column is Running. For example:

    kubectl get mysql mysql-sample
    
    NAME           READY   STATUS    AGE
    mysql-sample   true    Running   10d
    
  4. To verify that the password was rotated successfully, try connecting to your MySQL instance. See Accessing MySQL Instances.
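The following script is an added example, not part of the original documentation or the MySQL Operator, that carries Option 2 through end to end: it generates a random password instead of typing one on the command line (which would leave it in shell history), patches the secret with the same stringData body shown above, restarts the StatefulSet, waits for the rollout, and reads the stored value back to confirm it matches. It assumes kubectl is on PATH and pointed at the instance's namespace, that base64 and /dev/urandom are available, and that waiting on the StatefulSet rollout is an acceptable stand-in for the STATUS column check.

```shell
#!/bin/sh
# Added example: rotate one Tanzu MySQL credential field (rootPassword or
# backupPassword) without putting the password on the command line.
# Assumed, not from the doc: kubectl targets the right namespace; base64 and
# /dev/urandom exist; rollout status is used instead of `kubectl get mysql`.
set -eu

# Only the two fields named in the doc may be rotated this way.
valid_field() {
  case "$1" in
    rootPassword|backupPassword) return 0 ;;
    *) return 1 ;;
  esac
}

# 24 random bytes, base64-encoded: a 32-character password with no padding.
gen_password() {
  head -c 24 /dev/urandom | base64 | tr -d '\n'
}

# Build the strategic-merge patch body from the doc, quoting the value as a
# JSON string (backslash and double quote are the only characters that need it).
build_patch() {
  esc=$(printf '%s' "$2" | sed 's/\\/\\\\/g; s/"/\\"/g')
  printf '{"stringData":{"%s":"%s"}}' "$1" "$esc"
}

# rotate INSTANCE-NAME FIELD: patch, restart, wait, and verify the stored value.
# Set NEW_PASSWORD in the environment to supply your own value instead.
rotate() {
  instance=$1; field=$2
  valid_field "$field" || { echo "unknown field: $field" >&2; return 2; }
  pw=${NEW_PASSWORD:-$(gen_password)}
  kubectl patch secret "$instance-credentials" -p "$(build_patch "$field" "$pw")"
  kubectl rollout restart statefulset "$instance"
  kubectl rollout status statefulset "$instance" --timeout=10m
  # Read the base64 value back from the secret and compare with what we set.
  stored=$(kubectl get secret "$instance-credentials" \
             -o "jsonpath={.data.$field}" | base64 -d)
  [ "$stored" = "$pw" ] || { echo "secret readback mismatch" >&2; return 1; }
  echo "rotated $field for $instance; the new value lives only in the secret"
}

# Usage: ./rotate.sh mysql-sample rootPassword
if [ $# -eq 2 ]; then
  rotate "$1" "$2"
fi
```

After the rollout finishes, confirm the rotation the same way as step 4: connect to the instance with the new password.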
