diff --git a/changelog/18799.txt b/changelog/18799.txt new file mode 100644 index 0000000000..1d7159363b --- /dev/null +++ b/changelog/18799.txt @@ -0,0 +1,3 @@ +```release-note:improvement +secrets/db/mysql: Add `tls_server_name` and `tls_skip_verify` parameters +``` diff --git a/plugins/database/mysql/connection_producer.go b/plugins/database/mysql/connection_producer.go index f143e85fbf..208debe519 100644 --- a/plugins/database/mysql/connection_producer.go +++ b/plugins/database/mysql/connection_producer.go @@ -24,12 +24,13 @@ type mySQLConnectionProducer struct { MaxOpenConnections int `json:"max_open_connections" mapstructure:"max_open_connections" structs:"max_open_connections"` MaxIdleConnections int `json:"max_idle_connections" mapstructure:"max_idle_connections" structs:"max_idle_connections"` MaxConnectionLifetimeRaw interface{} `json:"max_connection_lifetime" mapstructure:"max_connection_lifetime" structs:"max_connection_lifetime"` - - Username string `json:"username" mapstructure:"username" structs:"username"` - Password string `json:"password" mapstructure:"password" structs:"password"` + Username string `json:"username" mapstructure:"username" structs:"username"` + Password string `json:"password" mapstructure:"password" structs:"password"` TLSCertificateKeyData []byte `json:"tls_certificate_key" mapstructure:"tls_certificate_key" structs:"-"` TLSCAData []byte `json:"tls_ca" mapstructure:"tls_ca" structs:"-"` + TLSServerName string `json:"tls_server_name" mapstructure:"tls_server_name" structs:"tls_server_name"` + TLSSkipVerify bool `json:"tls_skip_verify" mapstructure:"tls_skip_verify" structs:"tls_skip_verify"` // tlsConfigName is a globally unique name that references the TLS config for this instance in the mysql driver tlsConfigName string @@ -111,12 +112,12 @@ func (c *mySQLConnectionProducer) Init(ctx context.Context, conf map[string]inte c.Initialized = true if verifyConnection { - if _, err := c.Connection(ctx); err != nil { - return nil, fmt.Errorf("error verifying connection: %w", err) + if _, err = c.Connection(ctx); err != nil { + return nil, fmt.Errorf("error verifying - connection: %w", err) } if err := c.db.PingContext(ctx); err != nil { - return nil, fmt.Errorf("error verifying connection: %w", err) + return nil, fmt.Errorf("error verifying - ping: %w", err) } } @@ -204,8 +205,10 @@ func (c *mySQLConnectionProducer) getTLSAuth() (tlsConfig *tls.Config, err error } tlsConfig = &tls.Config{ - RootCAs: rootCertPool, - Certificates: clientCert, + RootCAs: rootCertPool, + Certificates: clientCert, + ServerName: c.TLSServerName, + InsecureSkipVerify: c.TLSSkipVerify, } return tlsConfig, nil @@ -222,6 +225,5 @@ func (c *mySQLConnectionProducer) addTLStoDSN() (connURL string, err error) { } connURL = config.FormatDSN() - return connURL, nil } diff --git a/website/content/api-docs/secret/databases/mysql-maria.mdx b/website/content/api-docs/secret/databases/mysql-maria.mdx index 9e1c5cb2ad..0164853f33 100644 --- a/website/content/api-docs/secret/databases/mysql-maria.mdx +++ b/website/content/api-docs/secret/databases/mysql-maria.mdx @@ -52,6 +52,12 @@ has a number of parameters to further configure a connection. - `tls_ca` `(string: "")` - x509 CA file for validating the certificate presented by the MySQL server. Must be PEM encoded. +- `tls_server_name` `(string: "")` - Specifies the subject alternative name should be present in the + server's certificate. + +- `tls_skip_verify` `(boolean: false)` - When set to true, disables the server certificate verification. + Setting this to true is not recommended for production. + - `username_template` `(string)` - [Template](/docs/concepts/username-templating) describing how dynamic usernames are generated.