Add SSL enforcement option for ProxySQL users #2216

@vis21

Proposal

Currently, it seems impossible to set use_ssl for users created by the operator. When doing so manually, the changes seem to be reverted almost immediately:

mysql> update mysql_users set use_ssl=1;
Query OK, 12 rows affected (0.00 sec)

mysql> select username, use_ssl from mysql_users;
+-------------------+---------+
| username          | use_ssl |
+-------------------+---------+
| replication       | 1       |
| operator          | 1       |
| xtrabackup        | 1       |
| percona.telemetry | 1       |
| root              | 1       |
| monitor           | 1       |
| replication       | 1       |
| operator          | 1       |
| xtrabackup        | 1       |
| percona.telemetry | 1       |
| root              | 1       |
| monitor           | 1       |
+-------------------+---------+
12 rows in set (0.00 sec)

mysql> load mysql users to runtime;
Query OK, 0 rows affected (0.00 sec)

mysql> select username, use_ssl from mysql_users;
+-------------------+---------+
| username          | use_ssl |
+-------------------+---------+
| replication       | 0       |
| operator          | 0       |
| xtrabackup        | 0       |
| percona.telemetry | 0       |
| root              | 0       |
| monitor           | 0       |
| replication       | 0       |
| operator          | 0       |
| xtrabackup        | 0       |
| percona.telemetry | 0       |
| root              | 0       |
| monitor           | 0       |
+-------------------+---------+
12 rows in set (0.00 sec)

The ideal scenario would be to have a parameter for this and be able to control behaviour using that parameter through the values.yaml here: https://github.com/percona/percona-helm-charts/blob/main/charts/pxc-db/values.yaml

For example, enableSsl or useSsl under the proxysql key or the tls key - whichever makes more sense, which would essentially set use_ssl to 1 for all existing users by running the UPDATE statement.

Use-Case

This would allow me to enforce SSL natively for all existing users by setting use_ssl to 1 in the mysql_users table and, as a result, enhance security, as frontend user connections would require SSL certs rather than just using them optionally. I believe this would be a nice feature to have, as surely I'm not the only person who could benefit from this security-wise.

Is this a feature you are interested in implementing yourself?

Maybe

Anything else?

We could in theory create users in the configuration: in the mysql_users section, but this wouldn't be ideal, as it'd mean having static users defined with passwords stored in values.yaml.

In terms of implementing this myself, I've selected "Maybe", as I'd need to get a better understanding of user management within the operator (only briefly skimmed through), but it's a bit difficult at the moment because I'm time-constrained.
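Until such an option exists, the revert shown in the issue can at least be detected. The following is an added example, not part of the original issue or of the operator's code: it parses two captured `mysql` client result sets like the ones quoted above and reports usernames whose use_ssl went from 1 back to 0. The function names and the shortened sample tables are constructed for illustration.

```python
from collections import defaultdict

# Constructed sample: a shortened copy of the result sets quoted in the issue.
BEFORE = """\
mysql> select username, use_ssl from mysql_users;
+-------------------+---------+
| username          | use_ssl |
+-------------------+---------+
| root              | 1       |
| monitor           | 1       |
| root              | 1       |
| monitor           | 1       |
+-------------------+---------+
4 rows in set (0.00 sec)
"""
AFTER = BEFORE.replace("| 1 ", "| 0 ")  # same rows after the values were reset

def parse_table(text):
    """Parse one boxed mysql-client result set into a list of {column: value} rows."""
    header, rows = None, []
    for line in text.splitlines():
        line = line.strip()
        if not line.startswith("|"):  # skip prompts, +---+ borders and status lines
            continue
        cells = [c.strip() for c in line.strip("|").split("|")]
        if header is None:
            header = cells
        else:
            rows.append(dict(zip(header, cells)))
    return rows

def ssl_counts(text):
    """Map username -> [rows with use_ssl=0, rows with use_ssl=1]."""
    counts = defaultdict(lambda: [0, 0])
    for row in parse_table(text):
        flag = row["use_ssl"]
        if flag not in ("0", "1"):
            raise ValueError(f"unexpected use_ssl value {flag!r} for {row['username']}")
        counts[row["username"]][int(flag)] += 1
    return dict(counts)

def find_reverted(before, after):
    """Usernames fully at use_ssl=1 in `before` that have any use_ssl=0 row in `after`."""
    b, a = ssl_counts(before), ssl_counts(after)
    return sorted(u for u in a if a[u][0] and u in b and b[u][0] == 0)

if __name__ == "__main__":
    for user in find_reverted(BEFORE, AFTER):
        print(f"use_ssl reverted to 0 for {user}")
```

Counting rows per username matters because each user appears twice in the quoted output, so a user is only treated as enforced when every one of its rows has use_ssl set to 1.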
