Implement TLS connection support

github · Feb 3, 2021 · ddf5d12 · ddf5d12
1 parent fb9728f
commit ddf5d12
Show file tree

Hide file tree

Showing 4 changed files with 65 additions and 3 deletions.
diff --git a/pkg/group/mysql.go b/pkg/group/mysql.go
@@ -83,6 +83,10 @@ func NewMySQLBackend(throttler *throttle.Throttler) (*MySQLBackend, error) {
 		settings.BackendMySQLSchema,
 		settings.BackendMySQLUser,
 		settings.BackendMySQLPassword,
+		settings.BackendMySQLTlsCaCertPath,
+		settings.BackendMySQLTlsClientCertPath,
+		settings.BackendMySQLTlsClientKeyPath,
+		settings.BackendMySQLTlsSkipVerify,
 		connectionTimeout)
 
 	if err != nil {

diff --git a/pkg/mysql/probe.go b/pkg/mysql/probe.go
@@ -43,8 +43,8 @@ func NewProbes() *Probes {
 
 // NewProbe allocates memory for a new Probe value and returns its address, or an error in case tlsConfiguration parameters were
 // provided, but TLS configuration couldn't be registered. If that's the case, the address of the probe will be nil.
-func NewProbe(key *InstanceKey, user, password, databaseName, metricQuery string, cacheMillis int, httpCheckPath string, httpCheckPort int) (*Probe, error) {
-	uri, err := MakeUri(key.Hostname, key.Port, user, password, databaseName, probeTimeout)
+func NewProbe(key *InstanceKey, user, password, databaseName, tlsCaCertPath, tlsClientCertPath, tlsClientKeyPath string, tlsSkipVerify bool, metricQuery string, cacheMillis int, httpCheckPath string, httpCheckPort int) (*Probe, error) {
+	uri, err := MakeUri(key.Hostname, key.Port, user, password, databaseName, tlsCaCertPath, tlsClientCertPath, tlsClientKeyPath, tlsSkipVerify, probeTimeout)
 	if err != nil {
 		return nil, fmt.Errorf("cannot create probe. Cause:  %w", err)
 	}

diff --git a/pkg/mysql/uri.go b/pkg/mysql/uri.go
@@ -1,18 +1,32 @@
 package mysql
 
 import (
+	"crypto/tls"
+	"crypto/x509"
+	"errors"
 	"fmt"
+	"io/ioutil"
 	"net"
 	"time"
+
+	"github.com/go-sql-driver/mysql"
 )
 
 const timeout = 10 * time.Millisecond
 
 // MakeUri creates a new string representing the URI for the mysql driver to connect to, including timeout, charset and tls settings.
 // In case the URI cannot be created due to a wrong TLS configuration, an error is returned.
-func MakeUri(hostname string, port int, databaseName, user, password string, timeout time.Duration) (uri string, err error) {
+func MakeUri(hostname string, port int, databaseName, user, password, tlsCaCerPath, tlsClientCertPath, tlsClientKeyPath string, tlsSkipVerify bool, timeout time.Duration) (uri string, err error) {
 	tlsKey := "false"
 
+	if tlsCaCerPath != "" || tlsClientCertPath != "" || tlsClientKeyPath != "" {
+		tlsKey = fmt.Sprintf("%s:%d", hostname, port)
+		err = registerTlsConfig(tlsKey, tlsCaCerPath, tlsClientCertPath, tlsClientKeyPath, tlsSkipVerify)
+		if err != nil {
+			return "", err
+		}
+	}
+
 	ip := net.ParseIP(hostname)
 	if (ip != nil) && (ip.To4() == nil) {
 		// Wrap IPv6 literals in square brackets
@@ -22,3 +36,43 @@ func MakeUri(hostname string, port int, databaseName, user, password string, tim
 	uri = fmt.Sprintf("%s:%s@tcp(%s:%d)/%s?interpolateParams=true&charset=utf8mb4,utf8,latin1&tls=%s&timeout=%dms", user, password, hostname, port, databaseName, tlsKey, timeout.Milliseconds())
 	return uri, err
 }
+
+// registerTlsConfig registers the certificates under a given key which is calculated based on the
+// paths of the certificates, and returns that key, or an error if the certificates couldn't be registered.
+func registerTlsConfig(key, tlsCaCertificatePath, tlsClientCertPath, tlsClientKeyPath string, tlsSkipVerify bool) (err error) {
+	var cert tls.Certificate
+	var rootCertPool *x509.CertPool
+	var pem []byte
+
+	if tlsCaCertificatePath == "" {
+		rootCertPool, err = x509.SystemCertPool()
+		if err != nil {
+			return
+		}
+	} else {
+		rootCertPool = x509.NewCertPool()
+		pem, err = ioutil.ReadFile(tlsCaCertificatePath)
+		if err != nil {
+			return
+		}
+		if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+			err = errors.New("cannot add ca certificate to cert pool")
+			return
+		}
+	}
+	if tlsClientCertPath != "" || tlsClientKeyPath != "" {
+		cert, err = tls.LoadX509KeyPair(tlsClientCertPath, tlsClientKeyPath)
+		if err != nil {
+			return
+		}
+	}
+
+	config := tls.Config{
+		Certificates:       []tls.Certificate{cert},
+		RootCAs:            rootCertPool,
+		InsecureSkipVerify: tlsSkipVerify,
+	}
+
+	err = mysql.RegisterTLSConfig(key, &config)
+	return
+}
diff --git a/pkg/throttle/throttler.go b/pkg/throttle/throttler.go
@@ -288,6 +288,10 @@ func (throttler *Throttler) refreshMySQLInventory() error {
 			clusterSettings.User,
 			clusterSettings.Password,
 			defaultDatabaseName,
+			clusterSettings.TlsCaCertPath,
+			clusterSettings.TlsClientCertPath,
+			clusterSettings.TlsClientKeyPath,
+			clusterSettings.TlsSkipVerify,
 			clusterSettings.MetricQuery,
 			clusterSettings.CacheMillis,
 			clusterSettings.HttpCheckPath,