Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

feat: revert use of SystemCertPool() and add env vars to cover all custom_tls settings #184

Merged
merged 2 commits into from
Nov 21, 2024
Merged

feat: revert use of SystemCertPool() and add env vars to cover all custom_tls settings #184

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
0ad2abb
build: slightly extend the timeout for tests as they are avergaging v…
david-heward-unmind Nov 21, 2024
14ef0db
feat: revert use of SystemCertPool() it doesn't seem like the right t…
david-heward-unmind Nov 21, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
2 changes: 1 addition & 1 deletion GNUmakefile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -20,7 +20,7 @@ bin/terraform:
(cd $(CURDIR)/bin/ ; unzip terraform.zip)

testacc: fmtcheck bin/terraform
PATH="$(CURDIR)/bin:${PATH}" TF_ACC=1 go test $(TEST) -v $(TESTARGS) -timeout=90s
PATH="$(CURDIR)/bin:${PATH}" TF_ACC=1 go test $(TEST) -v $(TESTARGS) -timeout=120s

acceptance: testversion5.6 testversion5.7 testversion8.0 testpercona5.7 testpercona8.0 testmariadb10.3 testmariadb10.8 testmariadb10.10 testtidb6.1.0 testtidb7.5.2

Expand Down
54 changes: 28 additions & 26 deletions mysql/provider.go
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -137,23 +137,24 @@ func Provider() *schema.Provider {
Elem: &schema.Resource{
Schema: map[string]*schema.Schema{
"config_key": {
Type: schema.TypeString,
Default: "custom",
Optional: true,
Type: schema.TypeString,
Optional: true,
DefaultFunc: schema.EnvDefaultFunc("MYSQL_TLS_CONFIG_KEY", "custom"),
},
"ca_cert": {
Type: schema.TypeString,
Required: true,
Type: schema.TypeString,
Required: true,
DefaultFunc: schema.EnvDefaultFunc("MYSQL_TLS_CA_CERT", nil),
},
"client_cert": {
Type: schema.TypeString,
Default: "",
Optional: true,
Type: schema.TypeString,
Optional: true,
DefaultFunc: schema.EnvDefaultFunc("MYSQL_TLS_CLIENT_CERT", ""),
},
"client_key": {
Type: schema.TypeString,
Default: "",
Optional: true,
Type: schema.TypeString,
Optional: true,
DefaultFunc: schema.EnvDefaultFunc("MYSQL_TLS_CLIENT_KEY", ""),
},
},
},
Expand Down Expand Up @@ -331,11 +332,12 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
var privateIp = d.Get("private_ip").(bool)
var tlsConfig = d.Get("tls").(string)
var tlsConfigStruct *tls.Config
configKey := "default"

customTLSMap := d.Get("custom_tls").([]interface{})
if len(customTLSMap) > 0 {
log.Printf("[DEBUG] Using custom TLS config")
var customTLS CustomTLS
var rootCertPool *x509.CertPool
customMap := customTLSMap[0].(map[string]interface{})
customTLSJson, err := json.Marshal(customMap)
if err != nil {
Expand All @@ -347,8 +349,16 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
return nil, diag.Errorf("failed to unmarshal tls config %v with error %v", customTLSJson, err)
}

// Update the configKey if it is set
if customTLS.ConfigKey != "" {
configKey = customTLS.ConfigKey
}

tlsConfigStruct = &tls.Config{}

var pem []byte
if customTLS.CACert != "" {
log.Printf("[DEBUG] Using custom CA cert")
rootCertPool := x509.NewCertPool()
if strings.HasPrefix(customTLS.CACert, "-----BEGIN") {
pem = []byte(customTLS.CACert)
Expand All @@ -361,21 +371,12 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
return nil, diag.Errorf("failed to append pem: %v", pem)
}
} else {
// Use system cert pool as fallback
rootCertPool, err = x509.SystemCertPool()
if err != nil {
return nil, diag.Errorf("failed to get system cert pool: %v", err)
}
}

tlsConfigStruct = &tls.Config{
RootCAs: rootCertPool,
tlsConfigStruct.RootCAs = rootCertPool
}

var cert tls.Certificate

if customTLS.ClientCert != "" && customTLS.ClientKey != "" {
log.Printf("[DEBUG] Using custom ClientCert & ClientKey")
var cert tls.Certificate
if strings.HasPrefix(customTLS.ClientCert, "-----BEGIN") {
cert, err = tls.X509KeyPair([]byte(customTLS.ClientCert), []byte(customTLS.ClientKey))
} else {
Expand All @@ -387,11 +388,12 @@ func providerConfigure(ctx context.Context, d *schema.ResourceData) (interface{}
tlsConfigStruct.Certificates = []tls.Certificate{cert}
}

err = mysql.RegisterTLSConfig(customTLS.ConfigKey, tlsConfigStruct)
// Register the config
err = mysql.RegisterTLSConfig(configKey, tlsConfigStruct)
if err != nil {
return nil, diag.Errorf("failed registering TLS config: %v", err)
}
tlsConfig = customTLS.ConfigKey
tlsConfig = configKey
}

proto := "tcp"
Expand Down
Loading