Fix issue #71 Added SSL and mTLS support

Dockerfile

@@ -14,5 +14,6 @@ RUN curl -L https://repo1.maven.org/maven2/org/flywaydb/flyway-commandline/${FLY
 
 ENV PATH="/flyway:${PATH}"
 
-ENTRYPOINT ["flyway"]
+ADD ./entrypoint.sh /flyway/entrypoint.sh
+ENTRYPOINT ["entrypoint.sh"]
 CMD ["-?"]

README.md

@@ -138,6 +138,15 @@ You can now let Flyway make use of it my mapping that volume as well:
 
 `docker run --rm -v /absolute/path/to/my/sqldir:/flyway/sql -v /absolute/path/to/my/confdir:/flyway/conf -v /absolute/path/to/my/jardir:/flyway/jars flyway/flyway migrate`
 
+## SSL Support
+
+To connect to a data source with SSL encryption enabled, set paths to the client certs in the following ENVs:
+- CA_CERT_FILE
+- CLIENT_KEY_FILE
+- CLIENT_CERT_FILE
+
+Please see the docker compose SSL example below too.
+
 ## Docker Compose
 
 To run both Flyway and the database that will be migrated in containers, you can use a `docker-compose.yml` file that
@@ -165,3 +174,36 @@ services:
 ```
 
 Run `docker-compose up`, this will start both Flyway and MySQL. Flyway will automatically wait for up to one minute for MySQL to be initialized before it begins to migrate the database.
+
+SSL Example
+```
+version: '3'
+services:
+  flyway:
+    image: flyway/flyway
+    command: -url=jdbc:mysql://db?useSSL=true -schemas=myschema -user=root -password=P@ssw0rd -connectRetries=60 migrate
+    environment:
+      - CA_CERT_FILE=/etc/certs/ca.pem
+      - CLIENT_KEY_FILE=/etc/certs/local-client.key.pem
+      - CLIENT_CERT_FILE=/etc/certs/local-client.crt.pem
+    volumes:
+      - .:/flyway/sql
+      - ./pki/:/etc/certs/:ro
+    depends_on:
+      - db
+  db:
+    image: mysql
+    environment:
+      - MYSQL_ROOT_PASSWORD=P@ssw0rd
+    command:
+      - --character-set-server=utf8mb4
+      - --collation-server=utf8mb4_unicode_ci
+      - --ssl-ca=/etc/certs/ca.pem
+      - --ssl-cert=/etc/certs/mysql.crt.pem
+      - --ssl-key=/etc/certs/mysql.key.pem
+    ports:
+      - 3306:3306
+    volumes:
+      - ./pki/:/etc/certs/:ro
+
+```

entrypoint.sh

@@ -0,0 +1,26 @@
+#!/bin/bash
+set -euo pipefail
+
+# ref. https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html
+# This script check ENVs and generate the java truststore if needed
+if [[ -v CA_CERT_FILE ]] && [[ -v CLIENT_CERT_FILE ]] && [[ -v CLIENT_KEY_FILE ]]; then
+    # the password is only used inside the container
+    export STORE_PASS=playground
+    export JAVA_ARGS="-Djavax.net.ssl.trustStore=/flyway/flyway-truststore -Djavax.net.ssl.trustStorePassword=${STORE_PASS} -Djavax.net.ssl.keyStore=/flyway/flyway-keystore -Djavax.net.ssl.keyStorePassword=${STORE_PASS}"
+
+    echo "Generating a Java keystore..."
+    # $CA_CERT_FILE, $CLIENT_KEY_FILE and $CLIENT_CERT_FILE are the paths to SSL certs for mysql client
+    # for example
+    # CA_CERT_FILE=/work/${CERTS}/ca.pem
+    # CLIENT_KEY_FILE=/work/${CERTS}/client-key.pem
+    # CLIENT_CERT_FILE=/work/${CERTS}/client-cert.pem
+
+    # trust store for server authentication
+    keytool -keystore flyway-truststore -storepass:env STORE_PASS -noprompt -trustcacerts -importcert -alias mysqlclient -file $CA_CERT_FILE
+
+    # key store for client authentication
+    openssl pkcs12 -export -in ${CLIENT_CERT_FILE} -inkey ${CLIENT_KEY_FILE} -out client.p12 -name mysql-client -passout pass:${STORE_PASS}
+    keytool -importkeystore -deststorepass ${STORE_PASS} -destkeystore flyway-keystore -srckeystore client.p12 -srcstoretype PKCS12 -srcstorepass ${STORE_PASS} -alias mysql-client
+fi
+
+flyway $@