secrets/mysql: Add `tls_server_name` and `tls_skip_verify` parameters (#18799)

* secret/mysql: add tls_server_name config parameter

* Add skip verify

* Add doc

* changelog

* changelog

* Update plugins/database/mysql/connection_producer.go

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update plugins/database/mysql/connection_producer.go

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

changelog/18799.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters
+```

plugins/database/mysql/connection_producer.go

@@ -24,12 +24,13 @@ type mySQLConnectionProducer struct {
 	MaxOpenConnections       int         `json:"max_open_connections"    mapstructure:"max_open_connections"    structs:"max_open_connections"`
 	MaxIdleConnections       int         `json:"max_idle_connections"    mapstructure:"max_idle_connections"    structs:"max_idle_connections"`
 	MaxConnectionLifetimeRaw interface{} `json:"max_connection_lifetime" mapstructure:"max_connection_lifetime" structs:"max_connection_lifetime"`
-
-	Username string `json:"username" mapstructure:"username" structs:"username"`
-	Password string `json:"password" mapstructure:"password" structs:"password"`
+	Username                 string      `json:"username" mapstructure:"username" structs:"username"`
+	Password                 string      `json:"password" mapstructure:"password" structs:"password"`
 
 	TLSCertificateKeyData []byte `json:"tls_certificate_key" mapstructure:"tls_certificate_key" structs:"-"`
 	TLSCAData             []byte `json:"tls_ca"              mapstructure:"tls_ca"              structs:"-"`
+	TLSServerName         string `json:"tls_server_name" mapstructure:"tls_server_name" structs:"tls_server_name"`
+	TLSSkipVerify         bool   `json:"tls_skip_verify" mapstructure:"tls_skip_verify" structs:"tls_skip_verify"`
 
 	// tlsConfigName is a globally unique name that references the TLS config for this instance in the mysql driver
 	tlsConfigName string
@@ -111,12 +112,12 @@ func (c *mySQLConnectionProducer) Init(ctx context.Context, conf map[string]inte
 	c.Initialized = true
 
 	if verifyConnection {
-		if _, err := c.Connection(ctx); err != nil {
-			return nil, fmt.Errorf("error verifying connection: %w", err)
+		if _, err = c.Connection(ctx); err != nil {
+			return nil, fmt.Errorf("error verifying - connection: %w", err)
 		}
 
 		if err := c.db.PingContext(ctx); err != nil {
-			return nil, fmt.Errorf("error verifying connection: %w", err)
+			return nil, fmt.Errorf("error verifying - ping: %w", err)
 		}
 	}
 
@@ -204,8 +205,10 @@ func (c *mySQLConnectionProducer) getTLSAuth() (tlsConfig *tls.Config, err error
 	}
 
 	tlsConfig = &tls.Config{
-		RootCAs:      rootCertPool,
-		Certificates: clientCert,
+		RootCAs:            rootCertPool,
+		Certificates:       clientCert,
+		ServerName:         c.TLSServerName,
+		InsecureSkipVerify: c.TLSSkipVerify,
 	}
 
 	return tlsConfig, nil
@@ -222,6 +225,5 @@ func (c *mySQLConnectionProducer) addTLStoDSN() (connURL string, err error) {
 	}
 
 	connURL = config.FormatDSN()
-
 	return connURL, nil
 }

website/content/api-docs/secret/databases/mysql-maria.mdx

@@ -52,6 +52,12 @@ has a number of parameters to further configure a connection.
 - `tls_ca` `(string: "")` - x509 CA file for validating the certificate presented by the
   MySQL server. Must be PEM encoded.
 
+- `tls_server_name` `(string: "")` - Specifies the subject alternative name should be present in the 
+  server's certificate.
+
+- `tls_skip_verify` `(boolean: false)` - When set to true, disables the server certificate verification. 
+  Setting this to true is not recommended for production.
+
 - `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
   dynamic usernames are generated.