Support SSL server certificate parameter for MySQL #15172
Fixes #1350.
Codecov Report

@@            Coverage Diff             @@
##           master   #15172      +/-   ##
==========================================
- Coverage   84.42%   84.40%   -0.02%
==========================================
  Files         390      390
  Lines       30903    30903
  Branches     2213     2214       +1
==========================================
- Hits        26089    26084       -5
- Misses       2601     2605       +4
- Partials     2213     2214       +1

Continue to review full report at Codecov.
It would be a good idea to include the Azure cert chain as well (https://cacerts.digicert.com/DigiCertGlobalRootG2.crt.pem) so users can use postgres and mysql in both public clouds without issues (till we have a self upload option and we can eliminate certificate bundling altogether)

One more thing: if you bundle the scripts in the release jar, they won't be needed in the container right? (so this one can be reverted e2147a2)

I think creating a Metabase-wide trust store and automatically including certain CAs into it is out of scope for this issue/change. For one thing, it's complicated (we would either need to copy the JDK-wide

I think bundling them with the Docker image is good, since it will automatically handle a lot of this for people running the Docker image (which includes a lot of deployment scenarios).
To close the loop on a few things, as this is finally ready for review.
It seems really crazy to do a whole separate job just to test connecting with SSL. I'd just pass the existing env vars to an existing test job and then write a new test that will look for the extra env vars and see whether we can connect with them if those env vars are present
Adding ssl-cert config field to MySQL DB details map, to hold the server cert chain in PEM format (similar to what is done in MongoDB driver)
Updating MySQL driver init to map :ssl-cert into :serverSslCert for the JDBC url, when ssl is in use and cert is provided (the MariaDB driver we are using accepts PEM format certificates inline directly for the param value, so no need to shepherd into a temp file)
Adding new test to mysql_test.clj to run a single test while connecting via SSL with PEM cert
Update CircleCI config:
- use extra-env to set all the MySQL SSL instance DB related vars (for an RDS instance, currently)
- adding the rds-combined-ca-bundle.pem certificate to resources/certificates
- loading that cert bundle from resources directory via env var
Adding to/fixing assertion in connection-spec-test for :ssl
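As an added illustration (not Metabase's own driver code), the mapping described above written out in Clojure: `:ssl-cert` from the details map becomes `:serverSslCert` only when `:ssl` is on and a PEM chain is actually present, and a non-PEM value is rejected rather than silently passed to the driver. The `useSSL` key, the `ssl-params` name and the sample details map are my assumptions; the inline-PEM behaviour of `serverSslCert` is the MariaDB Connector/J feature the description relies on.

```clojure
(ns example.mysql-ssl
  (:require [clojure.string :as str]))

;; Constructed sample of a MySQL details map as it might arrive from the admin UI.
;; The certificate body is a placeholder, not a real chain.
(def sample-details
  {:host     "db.example.internal"
   :port     3306
   :db       "metabase"
   :ssl      true
   :ssl-cert (str "-----BEGIN CERTIFICATE-----\n"
                  "MIIB...placeholder...\n"
                  "-----END CERTIFICATE-----\n")})

(defn pem-cert?
  "True when s looks like one or more PEM-encoded certificates. MariaDB Connector/J
   treats a serverSslCert value starting with this header as inline PEM, so anything
   else (a stray file path, an empty string) should not reach the driver as a cert."
  [s]
  (and (string? s)
       (str/starts-with? (str/trim s) "-----BEGIN CERTIFICATE-----")
       (str/includes? s "-----END CERTIFICATE-----")))

(defn ssl-params
  "Extra JDBC connection params derived from the details map (hypothetical helper).
   - :ssl off            -> nothing added
   - :ssl on, no cert    -> TLS on, trust left to the JVM default trust store
   - :ssl on, PEM cert   -> TLS on and the server chain pinned via :serverSslCert
   - :ssl on, bad cert   -> fail fast instead of connecting with a misconfigured trust"
  [{:keys [ssl ssl-cert]}]
  (cond
    (not ssl)             {}
    (str/blank? ssl-cert) {:useSSL true}           ; assumed key; alias of MariaDB's useSsl
    (pem-cert? ssl-cert)  {:useSSL true :serverSslCert ssl-cert}
    :else (throw (ex-info "ssl-cert must be a PEM-encoded certificate chain"
                          {:ssl-cert (subs ssl-cert 0 (min 40 (count ssl-cert)))}))))

(comment
  (ssl-params sample-details)
  ;; => {:useSSL true, :serverSslCert "-----BEGIN CERTIFICATE-----\n..."}
  (ssl-params (assoc sample-details :ssl false))
  ;; => {}
  (ssl-params (assoc sample-details :ssl-cert "/etc/ssl/rds.pem")))
  ;; => throws ExceptionInfo
```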
cool, works for me
Adding ssl-cert config field to MySQL DB details map, to hold the server cert chain in PEM format (similar to what is done in MongoDB driver)
Updating MySQL driver init to map :ssl-cert into :serverSslCert for the JDBC url, when ssl is in use and cert is provided (the MariaDB driver we are using accepts PEM format certificates inline directly for the param value, so no need to shepherd into a temp file)
Update CircleCI config with new be-tests-mysql-ssl-latest-ee job, modeled similarly to the be-tests-oracle-ssl-ee one