Hi… The second half of that sentence is referring exactly to the above fly secrets set invocation, and really it’s just pointing out that you’ll need to do that step at least twice (since the settings aren’t shared): once for the MySQL machine itself and then again (!) for any application that wants to connect to it. (By running that command in the directory that contains the Java application’s fly.toml file, typically, or with the -a knob.) That establishes environment variables MYSQL_PASSWORD (for the non-root user) and MYSQL_ROOT_PASSWORD.
You can check with fly secrets list -a java-app-name.
The other half of the quote is a convention, which your Java properties are an adequate substitute for—if that’s how you prefer to handle such things, 
.
The database is most likely configured so that you can log in as root only when you’re on localhost. (That’s how the MySQL Docker entrypoints that I’ve seen initialize it by default, anyway.)
Try MYSQL_USER—assuming you had MYSQL_DATABASE, MYSQL_USER, and the secrets all set correctly on first deploy of the MySQL machine.
(The first two are in the sample fly.toml.)
A bit of extra context:
https://community.fly.io/t/mysql-not-connecting-even-after-setting-up-wire-guard-and-peering/16532
Hope this helps!