Rotating VMware SQL with MySQL for Kubernetes Credentials

This topic describes how to rotate the MySQL root password and the MySQL backup user password.

Overview

When a user provisions a MySQL instance, the MySQL Operator automatically creates a Kubernetes secret containing the MySQL root password as well as the password for the MySQL backup user.

To adhere to security best practices or to company regulations, VMware recommends rotating a MySQL instance's credentials regularly. In addition, you should rotate a password if it is compromised for any reason.

This topic provides multiple methods for rotating passwords for a MySQL instance.

Option 1: Delete the Kubernetes Secret: Kubernetes automatically re-creates the secret with newly generated passwords.
Option 2: Patch the Kubernetes Secret with a Custom Password: This procedure enables you to configure MySQL with your own custom passwords. It also enables you to rotate the root password and the backup user password individually.

Prerequisites

Before you rotate a MySQL instance's password, you need:

The Kubernetes Command Line Interface (kubectl) installed. For more information, see the Kubernetes documentation.
admin Role access to the namespace of the MySQL instance for which you want to rotate the root password. For more information about User-facing roles, see the Kubernetes documentation.

Option 1: Delete the Kubernetes Secret

This option deletes the Kubernetes secret containing the MySQL passwords. When the secret is deleted, Kubernetes automatically re-creates the secret with newly generated passwords. This procedure rotates both the MySQL root password and the backup user password.

Delete the Kubernetes secret by running:

kubectl delete secret INSTANCE-NAME-credentials

Where INSTANCE-NAME is the name of the MySQL instance.

For example:

kubectl delete secret mysql-sample-credentials

secret "mysql-sample-credentials" deleted

Wait until Kubernetes has automatically re-created the secret. You can watch the progress by running:

kubectl get secret --watch

For example:

kubectl get secret --watch

NAME                                  TYPE                                  DATA   AGE
default-token-wb7gl                   kubernetes.io/service-account-token   3      10d
mysql-sample-credentials              Opaque                                4      48s
tanzu-mysql-backup-cron-token-c7bnt   kubernetes.io/service-account-token   3      10d
tanzu-image-registry                  kubernetes.io/dockerconfigjson        1      2m3s
tanzu-mysql-token-24cdv               kubernetes.io/service-account-token   3      10d

Update the database with the new passwords by restarting your MySQL instance:

kubectl rollout restart statefulset INSTANCE-NAME

For example:

kubectl rollout restart statefulset mysql-sample

statefulset.apps/mysql-sample restarted

Verify that your MySQL instance has finished updating by running:
```
kubectl get mysql INSTANCE-NAME
```
A MySQL instance has finished updating when the value of the STATUS column is Running. For example:
```
kubectl get mysql mysql-sample
```
```
NAME           READY   STATUS    AGE
mysql-sample   true    Running   10d
```
To verify that the passwords were rotated successfully, try connecting to your MySQL instance. See Accessing MySQL Instances.

Option 2: Patch the Kubernetes Secret with a Custom Password

This option patches the existing Kubernetes secret with a new password. This procedure allows you to configure MySQL with your own custom passwords. You can use this procedure to rotate either the MySQL root password or the backup user password.

Patch the secret with your custom password by running:
```
kubectl patch secret INSTANCE-NAME-credentials -p='{"stringData":{"PASSWORD-FIELD":"CUSTOM-PASSWORD"}}'
```
Where:
- INSTANCE-NAME is the name of the MySQL instance.
- PASSWORD-FIELD is either rootPassword if you are changing the MySQL root password or backupPassword if you are changing the MySQL backup user password.
- CUSTOM-PASSWORD is your custom password in plaintext. Kubernetes stores this password as a base64-encoded string in the Kubernetes secret.
For example:
```
kubectl patch secret mysql-sample-credentials -p='{"stringData":{"rootPassword":"examplepassword"}}'
```
```
secret/mysql-sample-credentials patched
```

To update the database with the new password, restart your MySQL instance by running:

kubectl rollout restart statefulset INSTANCE-NAME

For example:

kubectl rollout restart statefulset mysql-sample

statefulset.apps/mysql-sample restarted

Verify that your MySQL instance has finished updating by running:
```
kubectl get mysql INSTANCE-NAME
```
A MySQL instance has finished updating when the value of the STATUS column is Running. For example:
```
kubectl get mysql mysql-sample
```
```
NAME           READY   STATUS    AGE
mysql-sample   true    Running   10d
```
To verify that the password was rotated successfully, try connecting to your MySQL instance. See Accessing MySQL Instances.