Ignore custom_tls client_cert, client_key: they are not always required for use with, for example, an AWS RDS cert
Hi there,
I believe client_cert and client_key are, in fact, not required and, in many cases, should be ignored. Therefore, I'm wondering if they are incorrectly configured and we could make them optional in both the provider and the go code?
Current behaviour
Forces you to set a value.
https://github.com/petoju/terraform-provider-mysql/blob/71dfdd06073e2f92c1680cf1ad9162f694c6bda0/mysql/provider.go#L362-L371
Where something like this is all that's required for referencing a custom CA.
```go
package main
import (
	"crypto/tls"
	"crypto/x509"
	"database/sql"
	"io/ioutil"
	"log"
	"github.com/go-sql-driver/mysql"
)
func main() {
	rootCertPool := x509.NewCertPool()
	pem, err := ioutil.ReadFile("/path/ca-cert.pem")
	if err != nil {
		log.Fatal(err)
	}
	if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
		log.Fatal("Failed to append PEM.")
	}
	mysql.RegisterTLSConfig("custom", &tls.Config{
		ServerName: "qcaurora.cb556lynvxio.us-east-1.rds.amazonaws.com",
		RootCAs:    rootCertPool,
	})
	db, err := sql.Open("mysql", "user:pass@tcp(qcrds.example.com:3306)/databasename?tls=custom")
	if err != nil { log.Fatal(err) }
	defer db.Close()
}
```
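As an added example (not the provider's code and not from the issue author), this is the shape of the check the issue is asking for: the CA bundle stays mandatory, `client_cert`/`client_key` become optional, and supplying only one of the two is rejected rather than silently ignored. `buildTLSConfig`, `testCertPEM` and the hostnames are assumptions; the test certificate is generated locally and is not a real RDS CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"math/big"
	"time"
)

// buildTLSConfig (hypothetical helper, not the provider's code) verifies the server
// against caPEM and only adds a client certificate when cert and key are both set.
func buildTLSConfig(caPEM []byte, serverName string, clientCert, clientKey []byte) (*tls.Config, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caPEM) {
		return nil, errors.New("ca_cert: no valid PEM certificates found")
	}
	cfg := &tls.Config{ServerName: serverName, RootCAs: pool, MinVersion: tls.VersionTLS12}
	switch {
	case len(clientCert) == 0 && len(clientKey) == 0: // server-only TLS, e.g. an RDS CA bundle
	case len(clientCert) == 0 || len(clientKey) == 0:
		return nil, errors.New("client_cert and client_key must be set together")
	default:
		kp, err := tls.X509KeyPair(clientCert, clientKey)
		if err != nil {
			return nil, errors.New("client key pair: " + err.Error())
		}
		cfg.Certificates = []tls.Certificate{kp}
	}
	return cfg, nil
}

// testCertPEM generates a throwaway self-signed certificate and key (constructed test
// data, not a real RDS CA), usable as both the CA bundle and a client key pair.
func testCertPEM() (certPEM, keyPEM []byte) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "test-ca"},
		NotBefore: time.Now(), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	keyDER, _ := x509.MarshalECPrivateKey(key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}),
		pem.EncodeToMemory(&pem.Block{Type: "EC PRIVATE KEY", Bytes: keyDER})
}
```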
Therefore, I'm wondering if they are incorrectly configured and we could make them optional in both the provider and the go code?
Yes, that is possible - but it would have to be correctly handled in code and no one has needed it so far. Once someone needs it, they can send a PR (or if I happen to need it, I will send a PR) and add this possibility.
I'll submit something this week 👍
Raised #182 today 👍
@petoju I'm just doing some validation this morning. Then we can close this issue off.
@petoju I just opened #183 which slightly refactors my previous modification to cert pool behaviour.