moco-agent, a sidecar container in the mysqld Pod, provides a gRPC API to
run CLONE INSTANCE and the operations required after CLONE.
More importantly, the request contains credentials to access the source
To protect the credentials and prevent abuse of the API, MOCO configures mTLS between moco-agent and moco-controller as follows:
- Create an Issuer resource in the moco-system namespace as the Certificate Authority.
- Create a Certificate resource to issue the certificate for
- moco-controller issues certificates for each MySQLCluster by creating Certificate resources.
- moco-controller copies Secret resources created by cert-manager to the namespaces of MySQLCluster.
- Both moco-controller and moco-agent verify the peer's certificate with the CA certificate.
- The CA certificate is embedded in the Secret resources.
- moco-agent additionally verifies the certificate from moco-controller if its Common Name is
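The two checks from the list above (verification against the CA certificate, then the additional Common Name check) are shown here as an added Go example; it is not MOCO's own code. `checkPeer`, `issue`, the `.example` names and the certificates are constructed for illustration, and the expected Common Name is passed in as a parameter.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// checkPeer requires a chain to the given CA and the expected Common Name (wantCN: sketch parameter).
func checkPeer(ca *x509.Certificate, wantCN string, leaf *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	eku := []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	if _, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: eku}); err != nil {
		return fmt.Errorf("not issued by the expected CA: %w", err)
	}
	if leaf.Subject.CommonName != wantCN {
		return fmt.Errorf("unexpected Common Name %q", leaf.Subject.CommonName)
	}
	return nil
}

// issue builds a constructed demo certificate; parent == nil yields a self-signed CA.
func issue(cn string, parent *x509.Certificate, signer ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Minute), NotAfter: time.Now().Add(time.Hour)}
	if parent == nil {
		t.IsCA, t.BasicConstraintsValid, t.KeyUsage = true, true, x509.KeyUsageCertSign
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

func main() {
	ca, caKey := issue("constructed CA", nil, nil)
	for _, cn := range []string{"controller.example", "other.example"} {
		leaf, _ := issue(cn, ca, caKey)
		fmt.Println(cn, "->", checkPeer(ca, "controller.example", leaf))
	}
}
```

In a Go server, a check like this would typically run from `tls.Config.VerifyConnection` with `ClientAuth` set to `tls.RequireAndVerifyClientCert`, so a connection without an acceptable client certificate never reaches the gRPC handlers.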
MOCO generates its user passwords randomly with the OS random device. The passwords are then stored as Secret resources.
As to communication between moco-controller and mysqld, it is not (yet) over TLS. That said, the password is encrypted anyway thanks to caching_sha2_password authentication.