Integrating 3scale with external MySQL using secure connection

Solution Verified - Updated -

Issue

I'm trying to start up a fresh install of 3scale on our OpenShift 4.10 cluster using the latest version of the operator.

The system-app-1-hook-pre lifecycle container never starts up and keeps throwing this error:

system-app-1-hook-pre lifecycle rake aborted!
system-app-1-hook-pre lifecycle Mysql2::Error: Connections using insecure transport are prohibited while --require_secure_transport=ON.
system-app-1-hook-pre lifecycle /opt/system/vendor/bundle/ruby/2.6.0/gems/mysql2-0.5.3/lib/mysql2/client.rb:90:in `connect'
system-app-1-hook-pre lifecycle /opt/system/vendor/bundle/ruby/2.6.0/gems/mysql2-0.5.3/lib/mysql2/client.rb:90:in `initialize'
system-app-1-hook-pre lifecycle /opt/system/vendor/bundle/ruby/2.6.0/gems/activerecord-5.1.7/lib/active_record/connection_adapters/mysql2_adapter.rb:21:in `new'
system-app-1-hook-pre lifecycle /opt/system/vendor/bundle/ruby/2.6.0/gems/activerecord-5.1.7/lib/active_record/connection_adapters/mysql2_adapter.rb:21:in `mysql2_connection'
system-app-1-hook-pre lifecycle /opt/system/vendor/bundle/ruby/2.6.0/gems/activerecord-5.1.7/lib/active_record/connection_adapters/abstract/connection_pool.rb:761:in `new_connection'
system-app-1-hook-pre lifecycle /opt/system/vendor/bundle/ruby/2.6.0/gems/activerecord-5.1.7/lib/active_record/connection_adapters/abstract/connection_pool.rb:805:in `checkout_new_connection'
system-app-1-hook-pre lifecycle /opt/system/vendor/bundle/ruby/2.6.0/gems/activerecord-5.1.7/lib/active_record/connection_adapters/abstract/connection_pool.rb:784:in `try_to_checkout_new_connection'

I've tried creating the system-database secret in the following ways:

$ oc -n 3scale create secret generic system-database --dry-run=client -o json \
    --from-literal=URL='mysql2://user:passwd@mysql.example.com:3306/3scale' \
    --from-literal=DB_USER=user \
    --from-literal=DB_PASSWORD='passwd'

$ oc -n 3scale create secret generic system-database --dry-run=client -o json \
    --from-literal=URL='mysql2://user:passwd@mysql.example.com:3306/3scale?ssl=true' \
    --from-literal=DB_USER=user \
    --from-literal=DB_PASSWORD='passwd'

My APIManager CR looks like this:

apiVersion: apps.3scale.net/v1alpha1
kind: APIManager
metadata:
  name: apimanager
  namespace: 3scale
spec:
  wildcardDomain: apps.example.com
  tenantName: 3scale

  externalComponents:
    backend:
      redis: false
    system:
      database: true
      redis: false
    zync:
      database: false

Any ideas what I'm missing here? Or, what I need to do? Our DB is correctly forcing secure connections I believe. Is there something I'm missing on the client connect?

Environment

  • Red Hat 3scale API Management
    • 2.11 On-Premises
