If pxc-operator enables TLS, does the HAProxy pod need to be configured with certificates?

If pxc-operator enables TLS, does the HAProxy pod need to be configured with a certificate? How is the HAProxy certificate configured?

The Percona operator for PXC supports TLS for the following two types of communication:

  • Internal - communication between Percona XtraDB Cluster instances,
  • External - communication between the client application and ProxySQL.

For HAProxy as a load balancer, only SSL-Internal TLS is applicable.

Okay, thank you. If my database uses HAProxy as a proxy, which SSL certificate should be used when the business accesses it?

No. HAProxy, in this instance, operates as a layer-4 proxy, meaning HAProxy does not meddle with the SSL process; it simply passes the connection to the backend MySQL, and MySQL handles the SSL termination.

You don’t need to fetch any specific certificate. When accessing MySQL/PXC, SSL negotiation is handled automatically. If you still want the certs, use kubectl get secrets and output the secret contents for the non-internal SSL secret. There will be a CA, cert, and key that can be used by client applications.
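The secret export described in the last reply, as an added example that is not part of the thread or of the operator's own tooling. The secret name and namespace are caller-supplied placeholders, and the key names `ca.crt`, `tls.crt` and `tls.key` are assumptions about how the secret is laid out.

```shell
#!/bin/sh
# Added example: export the CA, cert and key from the non-internal SSL secret
# so a client can verify the server certificate through the layer-4 HAProxy.
# Assumption: the secret stores its data under ca.crt, tls.crt and tls.key.

# fetch_pxc_tls SECRET NAMESPACE OUTDIR
fetch_pxc_tls() {
    secret=$1 ns=$2 out=$3
    [ -n "$secret" ] && [ -n "$ns" ] && [ -n "$out" ] || {
        echo "usage: fetch_pxc_tls SECRET NAMESPACE OUTDIR" >&2; return 2; }
    old_umask=$(umask)
    umask 077    # files (including the private key) readable by the owner only
    mkdir -p "$out" || { umask "$old_umask"; return 1; }
    rc=0
    for key in ca.crt tls.crt tls.key; do
        # jsonpath needs the dot inside the key name escaped: ca\.crt
        esc=$(printf '%s' "$key" | sed 's/\./\\./g')
        data=$(kubectl get secret "$secret" -n "$ns" \
                 -o "jsonpath={.data.$esc}") || { rc=1; break; }
        [ -n "$data" ] || { echo "key $key not found in $secret" >&2; rc=1; break; }
        # Secret values are base64-encoded; decode to PEM on disk
        printf '%s' "$data" | base64 -d > "$out/$key" || { rc=1; break; }
    done
    umask "$old_umask"
    return $rc
}

# pxc_client_args OUTDIR
# mysql client options that require TLS and check the server certificate
# against the exported CA. With the client's default mode the session is
# encrypted when possible but the server certificate is not verified.
# --ssl-cert/--ssl-key are only needed for accounts created with REQUIRE X509.
pxc_client_args() {
    printf '%s' "--ssl-mode=VERIFY_CA --ssl-ca=$1/ca.crt"
}

# Usage (placeholders in angle brackets):
#   fetch_pxc_tls <ssl-secret-name> <namespace> ./pxc-tls
#   mysql -h <haproxy-service> -u <user> -p $(pxc_client_args ./pxc-tls)
```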