This topic describes how to rotate the MySQL root password and the MySQL backup user password.
When a user provisions a MySQL instance, the MySQL Operator automatically creates a Kubernetes secret containing the MySQL root password as well as the password for the MySQL backup user.
To adhere to security best practices or to company regulations, VMware recommends rotating a MySQL instance's credentials regularly. In addition, you should rotate a password if it is compromised for any reason.
This topic provides multiple methods for rotating passwords for a MySQL instance.
Option 1: Delete the Kubernetes Secret: Kubernetes automatically re-creates the secret with newly generated passwords.
Option 2: Patch the Kubernetes Secret with a Custom Password: This procedure enables you to configure MySQL with your own custom passwords. It also enables you to rotate the root password and the backup user password individually.
Before you rotate a MySQL instance's password, you need:

- The Kubernetes Command Line Interface (kubectl) installed. For more information, see the Kubernetes documentation.
- admin role access to the namespace of the MySQL instance for which you want to rotate the root password. For more information about user-facing roles, see the Kubernetes documentation.
Option 1: Delete the Kubernetes Secret

This option deletes the Kubernetes secret containing the MySQL passwords. When the secret is deleted, Kubernetes automatically re-creates the secret with newly generated passwords. This procedure rotates both the MySQL root password and the backup user password.
Delete the Kubernetes secret by running:
kubectl delete secret INSTANCE-NAME-credentials
Where INSTANCE-NAME is the name of the MySQL instance.
For example:
kubectl delete secret mysql-sample-credentials
secret "mysql-sample-credentials" deleted
Wait until Kubernetes has automatically re-created the secret. You can watch the progress by running:
kubectl get secret --watch
For example:
kubectl get secret --watch
NAME                                  TYPE                                  DATA   AGE
default-token-wb7gl                   kubernetes.io/service-account-token   3      10d
mysql-sample-credentials              Opaque                                4      48s
tanzu-mysql-backup-cron-token-c7bnt   kubernetes.io/service-account-token   3      10d
tanzu-image-registry                  kubernetes.io/dockerconfigjson        1      2m3s
tanzu-mysql-token-24cdv               kubernetes.io/service-account-token   3      10d
Update the database with the new passwords by restarting your MySQL instance:
kubectl rollout restart statefulset INSTANCE-NAME
For example:
kubectl rollout restart statefulset mysql-sample
statefulset.apps/mysql-sample restarted
Verify that your MySQL instance has finished updating by running:
kubectl get mysql INSTANCE-NAME
A MySQL instance has finished updating when the value of the STATUS column is Running. For example:
kubectl get mysql mysql-sample
NAME           READY   STATUS    AGE
mysql-sample   true    Running   10d
To verify that the passwords were rotated successfully, try connecting to your MySQL instance. See Accessing MySQL Instances.
Option 2: Patch the Kubernetes Secret with a Custom Password

This option patches the existing Kubernetes secret with a new password. This procedure allows you to configure MySQL with your own custom passwords. You can use this procedure to rotate either the MySQL root password or the backup user password.
Patch the secret with your custom password by running:
kubectl patch secret INSTANCE-NAME-credentials -p='{"stringData":{"PASSWORD-FIELD":"CUSTOM-PASSWORD"}}'
Where:

- INSTANCE-NAME is the name of the MySQL instance.
- PASSWORD-FIELD is either rootPassword if you are changing the MySQL root password or backupPassword if you are changing the MySQL backup user password.
- CUSTOM-PASSWORD is your custom password in plaintext. Kubernetes stores this password as a base64-encoded string in the Kubernetes secret. Base64 is an encoding, not encryption, so anyone who can read the secret can recover the password.

For example:
kubectl patch secret mysql-sample-credentials -p='{"stringData":{"rootPassword":"examplepassword"}}'
secret/mysql-sample-credentials patched
To update the database with the new password, restart your MySQL instance by running:
kubectl rollout restart statefulset INSTANCE-NAME
For example:
kubectl rollout restart statefulset mysql-sample
statefulset.apps/mysql-sample restarted
Verify that your MySQL instance has finished updating by running:
kubectl get mysql INSTANCE-NAME
A MySQL instance has finished updating when the value of the STATUS column is Running. For example:
kubectl get mysql mysql-sample
NAME           READY   STATUS    AGE
mysql-sample   true    Running   10d
To verify that the password was rotated successfully, try connecting to your MySQL instance. See Accessing MySQL Instances.
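The steps of Option 2 wrapped in a small POSIX sh script, as an added example that is not part of this documentation or of the MySQL Operator: it rejects field names other than rootPassword and backupPassword, JSON-escapes the password before patching, restarts the StatefulSet, waits for the rollout, checks that the instance reports STATUS Running, and reads the stored value back from the secret. It assumes kubectl is on PATH and targets the instance's namespace; the function names and the rotate.sh file name are assumptions.

```shell
# Added example (not VMware's own code): wraps Option 2 above.
# Assumes kubectl is configured for the namespace of the instance.

# Print the patch JSON for one credential field, or fail on bad input.
build_patch_json() {
    field=$1
    password=$2
    case "$field" in
        rootPassword|backupPassword) ;;
        *) echo "field must be rootPassword or backupPassword" >&2; return 1 ;;
    esac
    [ -n "$password" ] || { echo "password must not be empty" >&2; return 1; }
    # Escape backslashes and double quotes so the password survives as JSON.
    escaped=$(printf '%s' "$password" | sed -e 's/\\/\\\\/g' -e 's/"/\\"/g')
    printf '{"stringData":{"%s":"%s"}}' "$field" "$escaped"
}

# Decode one field of the credentials secret (Kubernetes stores base64).
secret_field() {
    kubectl get secret "$1-credentials" -o "jsonpath={.data.$2}" | base64 -d
}

# Full rotation: patch, restart, wait, verify.
rotate_password() {
    instance=$1
    field=$2
    password=$3
    patch=$(build_patch_json "$field" "$password") || return 1
    kubectl patch secret "$instance-credentials" -p "$patch"
    # Patching the secret alone does not change MySQL; the restart applies it.
    kubectl rollout restart statefulset "$instance"
    kubectl rollout status statefulset "$instance" --timeout=10m
    # STATUS is the third column of `kubectl get mysql INSTANCE-NAME`.
    status=$(kubectl get mysql "$instance" --no-headers | awk '{print $3}')
    [ "$status" = "Running" ] || { echo "instance status is $status" >&2; return 1; }
    # Confirm the secret now holds the value we set.
    [ "$(secret_field "$instance" "$field")" = "$password" ]
}

# Usage: printf '%s' "$NEW_PASSWORD" | sh rotate.sh INSTANCE-NAME rootPassword
# The password is read from stdin so it does not land in shell history or ps.
if [ "$#" -ge 2 ]; then
    rotate_password "$1" "$2" "$(cat)"
fi
```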