secrets/mysql: Add `tls_server_name` and `tls_skip_verify` parameters (#18799)

* secret/mysql: add tls_server_name config parameter

* Add skip verify

* Add doc

* changelog

* changelog

* Update plugins/database/mysql/connection_producer.go

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

* Update plugins/database/mysql/connection_producer.go

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>

Co-authored-by: Christopher Swenson <christopher.swenson@hashicorp.com>
This commit is contained in:
Jason O'Donnell 2023-01-23 15:06:46 -05:00 committed by GitHub
parent 2702902120
commit 16f199cff9
GPG Key ID: 4AEE18F83AFDEB23
3 changed files with 20 additions and 9 deletions

changelog/18799.txt Normal file

@ -0,0 +1,3 @@
```release-note:improvement
secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters
```


@ -24,12 +24,13 @@ type mySQLConnectionProducer struct {
MaxOpenConnections int `json:"max_open_connections" mapstructure:"max_open_connections" structs:"max_open_connections"`
MaxIdleConnections int `json:"max_idle_connections" mapstructure:"max_idle_connections" structs:"max_idle_connections"`
MaxConnectionLifetimeRaw interface{} `json:"max_connection_lifetime" mapstructure:"max_connection_lifetime" structs:"max_connection_lifetime"`
Username string `json:"username" mapstructure:"username" structs:"username"`
Password string `json:"password" mapstructure:"password" structs:"password"`
TLSCertificateKeyData []byte `json:"tls_certificate_key" mapstructure:"tls_certificate_key" structs:"-"`
TLSCAData []byte `json:"tls_ca" mapstructure:"tls_ca" structs:"-"`
TLSServerName string `json:"tls_server_name" mapstructure:"tls_server_name" structs:"tls_server_name"`
TLSSkipVerify bool `json:"tls_skip_verify" mapstructure:"tls_skip_verify" structs:"tls_skip_verify"`
// tlsConfigName is a globally unique name that references the TLS config for this instance in the mysql driver
tlsConfigName string
@ -111,12 +112,12 @@ func (c *mySQLConnectionProducer) Init(ctx context.Context, conf map[string]inte
c.Initialized = true
if verifyConnection {
if _, err := c.Connection(ctx); err != nil {
return nil, fmt.Errorf("error verifying connection: %w", err)
if _, err = c.Connection(ctx); err != nil {
return nil, fmt.Errorf("error verifying - connection: %w", err)
}
if err := c.db.PingContext(ctx); err != nil {
return nil, fmt.Errorf("error verifying connection: %w", err)
return nil, fmt.Errorf("error verifying - ping: %w", err)
}
}
@ -206,6 +207,8 @@ func (c *mySQLConnectionProducer) getTLSAuth() (tlsConfig *tls.Config, err error
tlsConfig = &tls.Config{
RootCAs: rootCertPool,
Certificates: clientCert,
ServerName: c.TLSServerName,
InsecureSkipVerify: c.TLSSkipVerify,
}
return tlsConfig, nil
@ -222,6 +225,5 @@ func (c *mySQLConnectionProducer) addTLStoDSN() (connURL string, err error) {
}
connURL = config.FormatDSN()
return connURL, nil
}
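Review bot: `InsecureSkipVerify: c.TLSSkipVerify` in getTLSAuth is added without a comment, and when it is true Go's crypto/tls skips both chain and hostname verification, so the `ServerName` set on the line above is then only sent as SNI and is never checked against the certificate. A comment would keep the two options from reading as independent, e.g. `// When TLSSkipVerify is true, ServerName is still sent as SNI but is not verified against the certificate.` It would also be worth confirming that this code path is reached when neither tls_ca nor tls_certificate_key is configured; if getTLSAuth is only invoked when certificate or CA data is present (its caller is not visible here), tls_server_name and tls_skip_verify would be silently ignored for a plain TLS connection. getTLSAuth's body begins outside the hunk.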


@ -52,6 +52,12 @@ has a number of parameters to further configure a connection.
- `tls_ca` `(string: "")` - x509 CA file for validating the certificate presented by the
MySQL server. Must be PEM encoded.
- `tls_server_name` `(string: "")` - Specifies the subject alternative name should be present in the
server's certificate.
- `tls_skip_verify` `(boolean: false)` - When set to true, disables the server certificate verification.
Setting this to true is not recommended for production.
- `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how
dynamic usernames are generated.