MySQL IAM authentication fails when custom CAs are specified in config

[kc9wwh]

Fleet version: 4.78.3
Web browser and operating system: N/A (Server-side issue)

---

💥 Actual behavior

When specifying custom Certificate Authorities (CAs) via the Fleet config, MySQL IAM authentication is effectively disabled, causing database connections to fail. This issue particularly affects customers in AWS GovCloud environments where the included RDS auth certificate chain doesn't work, requiring custom CAs to be specified.

The custom CA configuration overrides the IAM auth settings, preventing successful authentication to RDS instances that have IAM auth enabled.

🧑‍💻 Steps to reproduce

1. Configure Fleet to connect to an AWS RDS MySQL database in GovCloud (or any environment requiring custom CAs)
2. Enable MySQL IAM authentication on the RDS instance
3. Specify custom CAs in the Fleet configuration to accommodate GovCloud requirements
4. Attempt to connect Fleet to the database
5. Observe that the connection fails due to IAM auth being disabled when custom CAs are provided

🕯️ More info (optional)

• Root Cause: Custom CA configuration was overriding IAM auth settings
• Fix: PR Allow MySQL IAM authentication when a custom TLS CA/TLS config is set #39808 addresses this with a minimal code change
• Testing: Fix has been tested locally against RDS DB in load testing environment with IAM auth enabled, including testing with assumed IAM roles that have limited-scope permissions (no admin powers)
• Potential Related Issue: There may be a separate bug with STS assume role on read replicas when using IAM auth (role may get dropped), but this is not currently affecting any known deployments and requires separate investigation
• Slack thread: https://fleetdm.slack.com/archives/C019WG4GH0A/p1770946125940059

[kc9wwh]

@sharon-fdm tagged as P1 since this breaks a supported workflow.

[kc9wwh]

@sharon-fdm dropped to P2 after discussion with Ian.

PR is already up here: #39808

[rfairburn]

@kc9wwh also submitted a PR to the upstream to have govcloud CA certs loaded directly into the module: shogo82148/rdsmysql#222.

We should still support manually specifying the certs since there could be other edge cases and our configs make it look like this is a valid configuration pattern.