Improve TLS section of README

Make it clearer how TLS works.

Change-Id: I9e64f7aae273de2ca3eac96f16ac29e0b7ecbe2c

src/README.md

@@ -39,16 +39,16 @@ Charms Deployment Guide][cdg] for more deploy information.
 ## TLS
 
 TLS communication between MySQL InnoDB Cluster and its cloud clients is
-supported.
+supported out of the box via a self-signed CA certificate bundled within MySQL
+itself.
 
-Due to the circular dependency between the vault and mysql-innodb-cluster
+A better option is to use a certificate signed by a Vault-based CA. This can be
-applications, the enablement of this feature can only be done post-deployment
+done once Vault has been initialised and has a root CA:
-(once vault has been initialised and has a root Certificate Authority).
-
-Enable database TLS communication with this relation:
 
     juju add-relation mysql-innodb-cluster:certificates vault:certificates
 
+See the [vault][vault-charm-readme] charm README for more information.
+
 ## Actions
 
 This section lists Juju [actions][juju-docs-actions] supported by the charm.
@@ -87,6 +87,7 @@ Please report bugs on [Launchpad][lp-bugs-charm-mysql-innodb-cluster].
 [percona-cluster-charm]: https://jaas.ai/percona-cluster
 [mysql-innodb-cluster-charm]: https://jaas.ai/mysql-innodb-cluster
 [mysql-router-charm]: https://jaas.ai/mysql-router
+[vault-charm-readme]: https://opendev.org/openstack/charm-vault/src/branch/master/src/README.md
 [upstream-mysql8]: https://dev.mysql.com/doc/refman/8.0/en/mysql-innodb-cluster-userguide.html
 [cdg-app-ha-mysql8]: https://docs.openstack.org/project-deploy-guide/charm-deployment-guide/latest/app-ha.html#mysql-8
 [juju-docs-config-apps]: https://juju.is/docs/configuring-applications