Our company uses the PXC Operator and it’s truly amazing!
Recently, we upgraded from 1.6.0 (MySQL image 8.0.20-11.3) to 1.7.0 (MySQL image 8.0.21-12.1) and noticed something strange in some of our applications.
I’ll be using a shortened way to refer to the base images for simplicity’s sake.
Whenever we used SSL in 8.0.20 (generated by cert-manager) everything worked and we could follow any and all MySQL documentation.
Now, once the cluster starts using 8.0.21, we notice the SSL variables disappear from performance_schema.session_status…
We started thinking it was nothing because our users are required to log in with X509, so the applications kept working and all was fine until some different support was needed and people started port-forwarding to the cluster’s service and/or directly to one of the replicas (as in pxc-0 and so on).
Some desktop applications, like MySQL Shell, never complain, but other applications like Heidi and another custom tool we use yield the error SSL Connection Error: unknown error number.
We tried a lot of things before deciding to write this post, but once we recreated the cluster with the old 1.6.0 & 8.0.20 images (keeping every single configuration unchanged, even SSL!) and all worked again, we started getting frustrated as to what would even cause the SSL configuration to differ between the newer version of the operator and the old one…
As far as our limited understanding of PXC goes, the difference is the lack of any indication SSL is even enabled in the session (even if the connection goes through using MySQL Shell).
Not knowing if this is a bug or misconfiguration, we decided to ask here instead of opening a bug report over Jira…
This is the output from SELECT * FROM performance_schema.session_status WHERE VARIABLE_NAME LIKE '%ssl%'\G.
Please notice the lack of variables such as Ssl_version, Ssl_cipher_list, and others. We suspect the client errors are related to the missing configuration…