[bitnami/mysql] Support replication with TLS

[gretro]

Name and Version

bitnami/mysql 12.3.0

What is the problem this feature will solve?

Currently, I'm in the process of setting up a hardened MySQL database (mTLS) with replication.

I understand the TLS options are quite new to the chart, but they seem to clash a bit with the replication feature.

It would be nice if:

• The replicas stopped using the root user to ping the primary node, and instead used the replication user, which has less permissions.
  • This would allow users to limit the root user to be limited to localhost connections.
• The replicas used secured transport to the primary node when either checking for readiness and when setting up the replica.

I think making some minor modifications would make the bitnami MySQL chart more secure and more convivial for security-minded users.

What is the feature you are proposing to solve the problem?

I'm proposing modifications be made to the chart and the scripts to harmonize the TLS settings with replication.

The primary node works fine with the previously mentioned modifications, but the replicas are unable to boot. The setup script has a couple of behaviours that should be adjusted:

• It uses the primary root user to determine if the primary is up and available. Why not use the replication user for this case? (https://github.com/bitnami/containers/blob/main/bitnami/mysql/8.4/debian-12/rootfs/opt/bitnami/scripts/libmysql.sh#L236)
• The remote call should add the --ssl-mode=VERIFY_CA --ssl-ca <path-to-the-ca> --ssl-cert <path-to-the-cert> --ssl-key <path to the key> parameters when tls is enabled. (https://github.com/bitnami/containers/blob/main/bitnami/mysql/8.4/debian-12/rootfs/opt/bitnami/scripts/libmysql.sh#L236)
• The CHANGE REPLICATION SOURCE statement should include the SOURCE_SSL_VERIFY_SERVER_CERT=1, SOURCE_SSL_CA=<PATH_TO_THE_CA>, SOURCE_SSL_CERT=<PATH_TO_THE_CERT>, SOURCE_SSL_KEY=<PATH_TO_THE_KEY> options when tls is enabled. (https://github.com/bitnami/containers/blob/main/bitnami/mysql/8.4/debian-12/rootfs/opt/bitnami/scripts/libmysql.sh#L246)

Additionally, there are a couple of strange behaviours with the tls configuration in the current version of the chart.

• Setting tls.existingSecret=<whatever my secret> and tls.autoGenerated.enabled=false does not prevent the generation of an unused Helm TLS certificate (<release-name>-crt)
• Setting the tls.autoGenerated.engine='cert-manager' does not inject the CA config, preventing self-signed certificates from working. It would be nice if this could be controlled via a manual setting, rather than depend on the engine be set to helm.

I may have missed some areas that would require changes.

What alternatives have you considered?

I am considering deploying two standalone instances and triggering the replication myself. However, since the chart offers both TLS and replication, it would be nice if those two features were harmonized better.

Is there an appetite for making the changes I described above? I could give it a shot, but I would rather ask if this is something that is likely to be merged at the end.

[javsalgar]

Hi!

Thank you so much for the proposal! We are open to contributions, so we would definitely appreciate a contribution and would help with any suggestions so it's merged at the end :D