secrets/mysql: Add `tls_server_name` and `tls_skip_verify` parameters (#18799)
* secret/mysql: add tls_server_name config parameter * Add skip verify * Add doc * changelog * changelog * Update plugins/database/mysql/connection_producer.go Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com> * Update plugins/database/mysql/connection_producer.go Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com> Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
This commit is contained in:
parent
2702902120
commit
16f199cff9
|
@ -0,0 +1,3 @@
|
|||
```release-note:improvement
|
||||
secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters
|
||||
```
|
|
@ -24,12 +24,13 @@ type mySQLConnectionProducer struct {
|
|||
MaxOpenConnections int `json:"max_open_connections" mapstructure:"max_open_connections" structs:"max_open_connections"`
|
||||
MaxIdleConnections int `json:"max_idle_connections" mapstructure:"max_idle_connections" structs:"max_idle_connections"`
|
||||
MaxConnectionLifetimeRaw interface{} `json:"max_connection_lifetime" mapstructure:"max_connection_lifetime" structs:"max_connection_lifetime"`
|
||||
|
||||
Username string `json:"username" mapstructure:"username" structs:"username"`
|
||||
Password string `json:"password" mapstructure:"password" structs:"password"`
|
||||
|
||||
TLSCertificateKeyData []byte `json:"tls_certificate_key" mapstructure:"tls_certificate_key" structs:"-"`
|
||||
TLSCAData []byte `json:"tls_ca" mapstructure:"tls_ca" structs:"-"`
|
||||
TLSServerName string `json:"tls_server_name" mapstructure:"tls_server_name" structs:"tls_server_name"`
|
||||
TLSSkipVerify bool `json:"tls_skip_verify" mapstructure:"tls_skip_verify" structs:"tls_skip_verify"`
|
||||
|
||||
// tlsConfigName is a globally unique name that references the TLS config for this instance in the mysql driver
|
||||
tlsConfigName string
|
||||
|
@ -111,12 +112,12 @@ func (c *mySQLConnectionProducer) Init(ctx context.Context, conf map[string]inte
|
|||
c.Initialized = true
|
||||
|
||||
if verifyConnection {
|
||||
if _, err := c.Connection(ctx); err != nil {
|
||||
return nil, fmt.Errorf("error verifying connection: %w", err)
|
||||
if _, err = c.Connection(ctx); err != nil {
|
||||
return nil, fmt.Errorf("error verifying - connection: %w", err)
|
||||
}
|
||||
|
||||
if err := c.db.PingContext(ctx); err != nil {
|
||||
return nil, fmt.Errorf("error verifying connection: %w", err)
|
||||
return nil, fmt.Errorf("error verifying - ping: %w", err)
|
||||
}
|
||||
}
|
||||
|
||||
|
@ -206,6 +207,8 @@ func (c *mySQLConnectionProducer) getTLSAuth() (tlsConfig *tls.Config, err error
|
|||
tlsConfig = &tls.Config{
|
||||
RootCAs: rootCertPool,
|
||||
Certificates: clientCert,
|
||||
ServerName: c.TLSServerName,
|
||||
InsecureSkipVerify: c.TLSSkipVerify,
|
||||
}
|
||||
|
||||
return tlsConfig, nil
|
||||
|
@ -222,6 +225,5 @@ func (c *mySQLConnectionProducer) addTLStoDSN() (connURL string, err error) {
|
|||
}
|
||||
|
||||
connURL = config.FormatDSN()
|
||||
|
||||
return connURL, nil
|
||||
}
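Review bot: `InsecureSkipVerify: c.TLSSkipVerify` in the `tls.Config` literal of getTLSAuth turns off chain and hostname validation entirely, which also makes the `ServerName: c.TLSServerName` line directly above it irrelevant for verification (it is then only sent as SNI), and neither Init nor getTLSAuth rejects or logs that combination. A one-line comment on the literal would keep that from surprising the next reader: `// InsecureSkipVerify disables chain and hostname checks; TLSServerName is then only used as SNI, not for verification.` Whether getTLSAuth is reached at all when only `tls_server_name` or `tls_skip_verify` is set (no client key or CA) depends on the part of the function above the hunk, so it is worth confirming that those two fields are not silently ignored in that case. The bodies of Init, getTLSAuth and addTLStoDSN all start outside their hunks.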
|
||||
|
|
|
@ -52,6 +52,12 @@ has a number of parameters to further configure a connection.
|
|||
- `tls_ca` `(string: "")` - x509 CA file for validating the certificate presented by the
|
||||
MySQL server. Must be PEM encoded.
|
||||
|
||||
- `tls_server_name` `(string: "")` - Specifies the subject alternative name should be present in the
|
||||
server's certificate.
|
||||
|
||||
- `tls_skip_verify` `(boolean: false)` - When set to true, disables the server certificate verification.
|
||||
Setting this to true is not recommended for production.
|
||||
|
||||
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
|
||||
dynamic usernames are generated.
|
||||
|
||||
|
|