open-vault/website/pages/docs/configuration/storage/mysql.mdx
Lauren Voswinkel 8fc08f8c91
Require TLS or plaintext flagging in MySQL configuration (#9012)
* Adds a safety switch to configuration files.

This requires a user to either use TLS, or acknowledge that they are sending
credentials over plaintext.

* Warn if plaintext credentials will be passed

* Add true/false support to the plaintext transmission ack

* Updated website docs and ensured ToLower is used for true comparison
2020-05-21 09:09:37 -07:00


---
layout: docs
page_title: MySQL - Storage Backends - Configuration
sidebar_title: MySQL
description: |-
  The MySQL storage backend is used to persist Vault's data in a MySQL server or
  cluster.
---
# MySQL Storage Backend
The MySQL storage backend is used to persist Vault's data in a [MySQL][mysql]
server or cluster.
- **High Availability** the MySQL storage backend supports high availability.
  Note that, because of the way MySQL locking functions work, a lock is lost when
  the connection holding it dies. To avoid frequent changes in the elected leader,
  raise the MySQL `interactive_timeout` and `wait_timeout` settings to well above
  their default of 8 hours.
- **Community Supported** the MySQL storage backend is supported by the
  community. While it has undergone review by HashiCorp employees, they may not
  be as knowledgeable about the technology. If you encounter problems with it,
  you may be referred to the original author.
```hcl
storage "mysql" {
  username = "user1234"
  password = "secret123!"
  database = "vault"
}
```
## `mysql` Parameters
- `address` `(string: "127.0.0.1:3306")` Specifies the address of the MySQL
  host.
- `database` `(string: "vault")` Specifies the name of the database. If the
  database does not exist, Vault will attempt to create it.
- `table` `(string: "vault")` Specifies the name of the table. If the table
  does not exist, Vault will attempt to create it.
- `tls_ca_file` `(string: "")` Specifies the path to the CA certificate to
  connect using TLS.
- `plaintext_credentials_transmission` `(string: "")` Provides authorization
  to send credentials over plaintext. If no value is provided AND no TLS CA
  certificate is provided, Vault warns that the credentials are being sent
  over plaintext. In the future, failing to either acknowledge plaintext
  transmission or use TLS will prevent the server from starting. This is done
  to ensure credentials are not leaked accidentally.
- `max_parallel` `(string: "128")` Specifies the maximum number of concurrent
  requests to MySQL.
- `max_idle_connections` `(string: "0")` Specifies the maximum number of idle
  connections to the database. A value of zero uses the default of 2 idle
  connections, and a negative value disables idle connections. If larger than
  `max_parallel`, it will be reduced to be equal.
- `max_connection_lifetime` `(string: "0")` Specifies the maximum amount of
  time in seconds that a connection may be reused. If <= 0s, connections are
  reused forever.
Additionally, Vault requires the following authentication information.
- `username` `(string: <required>)` Specifies the MySQL username to connect to
  the database.
- `password` `(string: <required>)` Specifies the MySQL password to connect to
  the database.
### High Availability Parameters
- `ha_enabled` `(string: "true")` Specifies if high availability mode is
  enabled. This is a boolean value, but it is specified as a string like "true"
  or "false".
- `lock_table` `(string: "vault_lock")` Specifies the name of the table to
  use for storing high availability information. By default, this is the name
  of the `table` suffixed with `_lock`. If the table does not exist, Vault will
  attempt to create it.
## `mysql` Examples
### Custom Database and Table
This example shows configuring the MySQL backend to use a custom database and
table name.
```hcl
storage "mysql" {
  database = "my-vault"
  table    = "vault-data"
  username = "user1234"
  password = "pass5678"
}
```
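### TLS or Explicit Plaintext Acknowledgment

This example is added here and is not part of the original Vault documentation. It shows the two ways to satisfy the safety switch described under `plaintext_credentials_transmission`: either point `tls_ca_file` at the CA that signed the MySQL server's certificate, or explicitly acknowledge that credentials travel in plaintext. The address, CA file path and credentials are placeholders, not values from the page.

```hcl
# Preferred: connect over TLS so the MySQL username and password never cross
# the network unencrypted. The CA file path and address are placeholders.
storage "mysql" {
  address     = "mysql.example.internal:3306"
  database    = "vault"
  table       = "vault"
  username    = "vault"
  password    = "REPLACE_WITH_A_REAL_SECRET"
  tls_ca_file = "/etc/vault.d/mysql-ca.pem"

  ha_enabled = "true"
  lock_table = "vault_lock"
}

# Alternative, only where the connection never leaves a trusted host or
# segment (here: a MySQL server on the same machine). Without tls_ca_file
# and without this acknowledgment, Vault warns at startup today and will
# refuse to start in a future release.
storage "mysql" {
  address  = "127.0.0.1:3306"
  database = "vault"
  table    = "vault"
  username = "vault"
  password = "REPLACE_WITH_A_REAL_SECRET"

  plaintext_credentials_transmission = "true"
}
```

A Vault configuration file reads a single `storage` stanza, so keep only the one that applies to your deployment. The acknowledgment value is compared case-insensitively (the commit that introduced it lowercases the value before comparing it with `true`), so `"True"` is accepted as well; anything other than true leaves the warning in place.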
[mysql]: https://dev.mysql.com