Merge pull request #439 from geckoboard/feature-tls-mysql
Using SSL to encrypt connections to MYSQL
commit
f58f46c243
|
@ -1,16 +1,24 @@
|
|||
package physical
|
||||
|
||||
import (
|
||||
"crypto/tls"
|
||||
"crypto/x509"
|
||||
"database/sql"
|
||||
"fmt"
|
||||
"io/ioutil"
|
||||
"net/url"
|
||||
"sort"
|
||||
"strings"
|
||||
"time"
|
||||
|
||||
"github.com/armon/go-metrics"
|
||||
_ "github.com/go-sql-driver/mysql"
|
||||
mysql "github.com/go-sql-driver/mysql"
|
||||
)
|
||||
|
||||
// Unreserved tls key
|
||||
// Reserved values are "true", "false", "skip-verify"
|
||||
const mysqlTLSKey = "default"
|
||||
|
||||
// MySQLBackend is a physical backend that stores data
|
||||
// within MySQL database.
|
||||
type MySQLBackend struct {
|
||||
|
@ -49,8 +57,18 @@ func newMySQLBackend(conf map[string]string) (Backend, error) {
|
|||
}
|
||||
dbTable := database + "." + table
|
||||
|
||||
dsnParams := url.Values{}
|
||||
tlsCaFile, ok := conf["tls_ca_file"]
|
||||
if ok {
|
||||
if err := setupMySQLTLSConfig(tlsCaFile); err != nil {
|
||||
return nil, fmt.Errorf("failed register TLS config: %v", err)
|
||||
}
|
||||
|
||||
dsnParams.Add("tls", mysqlTLSKey)
|
||||
}
|
||||
|
||||
// Create MySQL handle for the database.
|
||||
dsn := username + ":" + password + "@tcp(" + address + ")/"
|
||||
dsn := username + ":" + password + "@tcp(" + address + ")/?" + dsnParams.Encode()
|
||||
db, err := sql.Open("mysql", dsn)
|
||||
if err != nil {
|
||||
return nil, fmt.Errorf("failed to connect to mysql: %v", err)
|
||||
|
@ -173,3 +191,28 @@ func (m *MySQLBackend) List(prefix string) ([]string, error) {
|
|||
sort.Strings(keys)
|
||||
return keys, nil
|
||||
}
|
||||
|
||||
// Establish a TLS connection with a given CA certificate
|
||||
// Register a tsl.Config associted with the same key as the dns param from sql.Open
|
||||
// foo:bar@tcp(127.0.0.1:3306)/dbname?tls=default
|
||||
func setupMySQLTLSConfig(tlsCaFile string) error {
|
||||
rootCertPool := x509.NewCertPool()
|
||||
|
||||
pem, err := ioutil.ReadFile(tlsCaFile)
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
|
||||
return err
|
||||
}
|
||||
|
||||
err = mysql.RegisterTLSConfig(mysqlTLSKey, &tls.Config{
|
||||
RootCAs: rootCertPool,
|
||||
})
|
||||
if err != nil {
|
||||
return err
|
||||
}
|
||||
|
||||
return nil
|
||||
}
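Review bot: In setupMySQLTLSConfig, the `AppendCertsFromPEM` failure branch does `return err`, but `err` is nil there because the `ioutil.ReadFile` check just above already passed, so a CA file with no parsable certificate is reported as success. newMySQLBackend then still adds `tls=default` to the DSN although nothing was registered under that key; the driver presumably rejects the unknown name when it parses the DSN, but the operator would see an error unrelated to the real cause. Return an explicit error instead, e.g. `return fmt.Errorf("failed to parse any CA certificate from %s", tlsCaFile)`. A test that points `tls_ca_file` at an empty or non-PEM file would pin this behaviour.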
|
||||
|
|
|
@ -188,6 +188,8 @@ The MySQL backend has the following options:
|
|||
|
||||
* `table` (optional) - The name of the table to use. Defaults to "vault".
|
||||
|
||||
* `tls_ca_file` (optional) - The path to the CA certificate to connect using TLS
|
||||
|
||||
#### Backend Reference: Inmem
|
||||
|
||||
The in-memory backend has no configuration options.
|
||||
|
|