replication-manager enforces security at every layer: the REST API is TLS-only, all database connections support mutual TLS with CA validation, sensitive configuration values are AES-encrypted at rest, and secrets can be sourced from HashiCorp Vault at runtime. API access is controlled through a credential-based ACL system.
The monitoring API and web GUI are served over HTTPS. Server certificate and key are configured per instance. Clients that cannot present a valid certificate can be denied.
All connections replication-manager opens to MariaDB/MySQL nodes (monitoring, replication setup, failover) can be secured with TLS. Supported options include server certificates, client certificates, CA chain validation, and per-cluster SSL mode overrides (db-servers-tls-*).
Passwords, API tokens, and Vault credentials stored in TOML files are AES-encrypted. replication-manager decrypts them at startup using a per-cluster key. Plain-text values are never written back after first encryption.
Credentials can be retrieved from Vault at runtime using AppRole authentication. Vault paths, role ID, secret ID, and auth mode are configurable. The integration supports both KV v1 and v2 secret engines.
| Config key | Purpose |
|---|---|
| vault-server-addr | Vault server URL |
| vault-role-id | AppRole role ID |
| vault-secret-id | AppRole secret ID |
| vault-mode | Secret engine mode |
| vault-auth | Authentication method |
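
The two KV secret engine versions mentioned above differ in both read path and response shape, so a client set to the wrong version should fail with an error rather than return a bogus value. The Go code below is an added example, not replication-manager's own code; the mount `secret`, path `repman/cluster1`, field `password` and the sample response are constructed for illustration.

```go
package main

import (
	"encoding/json"
	"fmt"
	"strings"
)

// kvReadPath builds the Vault HTTP API path for reading a secret.
// KV v2 inserts "data/" between the mount and the secret path; KV v1 does not.
func kvReadPath(version int, mount, secret string) string {
	mount, secret = strings.Trim(mount, "/"), strings.Trim(secret, "/")
	if version == 2 {
		return "/v1/" + mount + "/data/" + secret
	}
	return "/v1/" + mount + "/" + secret
}

// kvField extracts one string field from a KV read response body.
// v1 body: {"data":{...}}   v2 body: {"data":{"data":{...},"metadata":{...}}}
func kvField(version int, body []byte, field string) (string, error) {
	var resp struct {
		Data map[string]json.RawMessage `json:"data"`
	}
	if err := json.Unmarshal(body, &resp); err != nil {
		return "", err
	}
	fields := resp.Data
	if version == 2 {
		fields = nil // v2 nests the secret one level deeper, under data.data
		if err := json.Unmarshal(resp.Data["data"], &fields); err != nil {
			return "", fmt.Errorf("no data.data object: response is not KV v2")
		}
	}
	var value string
	raw, ok := fields[field]
	if !ok || json.Unmarshal(raw, &value) != nil {
		return "", fmt.Errorf("field %q missing or not a string", field)
	}
	return value, nil
}

func main() {
	// Constructed v2 response; mount, path and field names are hypothetical.
	body := []byte(`{"data":{"data":{"password":"example-only"},"metadata":{"version":3}}}`)
	fmt.Println(kvReadPath(2, "secret", "repman/cluster1"))
	fmt.Println(kvField(2, body, "password")) // parsed with the matching version
	fmt.Println(kvField(1, body, "password")) // wrong version: error, not a bogus value
}
```
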
The REST API authenticates all requests against a configurable credential list (api-credentials). ACL rules allow fine-grained whitelisting and blacklisting of credentials for both internal and external API access:
- api-credentials-acl-allow / api-credentials-acl-allow-external
- api-credentials-acl-discard / api-credentials-acl-discard-external

TLS certificates for the provisioning orchestration layer (OpenSVC, Kubernetes) are configured separately from the monitoring API (prov-tls-server-ca, prov-tls-server-cert, prov-tls-server-key).
See Configuration Guide for all TLS, Vault, encryption, and ACL configuration keys.