TLS connections to databases like AWS RDS don't work #428

@shaunakv1

Here's my example docker compose

 services:
    mysql-backup:
      image: databack/mysql-backup:latest
      environment:
        DB_DEBUG: ${DB_DEBUG}
        DB_SERVER: ${DB_SERVER}
        DB_PORT: ${DB_PORT}
        DB_USER: ${DB_USER}
        DB_PASS: ${DB_PASS}
        DB_DUMP_INCLUDE: ${DB_DUMP_INCLUDE}
        SINGLE_DATABASE: ${SINGLE_DATABASE} 
        NO_DATABASE_NAME: ${NO_DATABASE_NAME}
        DB_DUMP_ONCE: ${DB_DUMP_ONCE}
        DB_DUMP_TARGET: ${DB_DUMP_TARGET}
        AWS_ACCESS_KEY_ID: ${AWS_ACCESS_KEY_ID}
        AWS_SECRET_ACCESS_KEY: ${AWS_SECRET_ACCESS_KEY}
        AWS_ENDPOINT_URL: ${AWS_ENDPOINT_URL}
      command: dump

Here are the env variables (obfuscated):

DB_SERVER=mydb-prod.obfuscated.us-east-1.rds.amazonaws.com
DB_PORT=3306
DB_USER=myuser
DB_PASS=obfuscated
DB_DUMP_INCLUDE=MY_DB
SINGLE_DATABASE=true
NO_DATABASE_NAME=true
DB_DUMP_ONCE=true

Here's the output of running docker compose up mysql-backup

docker compose up mysql-backup
[+] Running 1/1
 ✔ Container iac-mysql-backup-1  Recreated                                                                 0.0s
Attaching to mysql-backup-1
mysql-backup-1  | time="2025-04-18T03:59:15Z" level=info msg="beginning dump 2025-04-18T03:59:15Z" run=7967e784-9969-4e47-b943-3b62a1f7e681
mysql-backup-1  | Error: error running command: error running command: error running dump: failed to dump database: failed to dump database MY_DB: Error 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON.
mysql-backup-1  | time="2025-04-18T03:59:15Z" level=fatal msg="error running command: error running command: error running dump: failed to dump database: failed to dump database MY_DB: Error 3159 (HY000): Connections using insecure transport are prohibited while --require_secure_transport=ON."
mysql-backup-1 exited with code 1

Notice the error saying insecure connections are not supported.

I believe the error is coming from go-sql-driver for MySQL: https://github.com/go-sql-driver/mysql?tab=readme-ov-file#tls

According to the documentation for the tls setting, it is false by default. We need a way to set it using an environment variable like DB_TLS.

In this case, for the connection to work, the value of tls should be true or preferred.

It doesn't look like it is being set:

https://github.com/databacker/mysql-backup/blob/25cb740969e8d823fe35cdd290560d6eaa3bc795/pkg/database/connection.go#L17C1-L30C2

func (c Connection) MySQL() string {
	config := mysql.NewConfig()
	config.User = c.User
	config.Passwd = c.Pass
	if strings.HasPrefix(c.Host, "/") {
		config.Net = "unix"
		config.Addr = c.Host
	} else {
		config.Net = "tcp"
		config.Addr = fmt.Sprintf("%s:%d", c.Host, c.Port)
	}
	config.ParseTime = true
	return config.FormatDSN()
}
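
One way a DB_TLS setting could be mapped onto the driver's `tls` DSN parameter, as an added example that is not from the issue or the mysql-backup project. The `DB_TLS` handling, `tlsParam`, `buildDSN` and the `allowUnverified` opt-in are hypothetical, and the DSN is formatted by hand so the block runs without the driver module.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// tlsParam maps a hypothetical DB_TLS setting to go-sql-driver's "tls" DSN
// parameter. "skip-verify" and "preferred" do not verify the server
// certificate ("preferred" may also fall back to plaintext), so they need an
// explicit opt-in. Custom registered TLS config names are rejected here.
func tlsParam(dbTLS string, allowUnverified bool) (string, error) {
	switch v := strings.ToLower(strings.TrimSpace(dbTLS)); v {
	case "", "false":
		return "", nil // unset: driver default, no TLS
	case "true":
		return v, nil // TLS with certificate verification
	case "skip-verify", "preferred":
		if !allowUnverified {
			return "", fmt.Errorf("DB_TLS=%s does not verify the server certificate", v)
		}
		return v, nil
	default:
		return "", fmt.Errorf("unsupported DB_TLS value %q", dbTLS)
	}
}

// buildDSN hand-formats a go-sql-driver style DSN (assumption: stand-in for
// setting mysql.Config.TLSConfig and calling FormatDSN in the real code).
func buildDSN(user, pass, host string, port int, dbTLS string, allowUnverified bool) (string, error) {
	mode, err := tlsParam(dbTLS, allowUnverified)
	if err != nil {
		return "", err
	}
	addr := fmt.Sprintf("tcp(%s:%d)", host, port)
	if strings.HasPrefix(host, "/") { // same socket check as the quoted function
		addr = fmt.Sprintf("unix(%s)", host)
	}
	params := "parseTime=true"
	if mode != "" {
		params += "&tls=" + url.QueryEscape(mode)
	}
	return fmt.Sprintf("%s:%s@%s/?%s", user, pass, addr, params), nil
}

func main() {
	// Constructed sample values, not the reporter's settings.
	fmt.Println(buildDSN("myuser", "example-pass", "db.example.internal", 3306, "true", false))
}
```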
