Commit 73e40597 by Tom Petr Committed by Carl Bergquist

add support for periodically reloading mysql client certs (#14892)

parent 3dbc3251
......@@ -171,7 +171,7 @@ func (ss *SqlStore) buildConnectionString() (string, error) {
ss.dbCfg.User, ss.dbCfg.Pwd, protocol, ss.dbCfg.Host, ss.dbCfg.Name)
if ss.dbCfg.SslMode == "true" || ss.dbCfg.SslMode == "skip-verify" {
tlsCert, err := makeCert("custom", ss.dbCfg)
tlsCert, err := makeCert(ss.dbCfg)
if err != nil {
return "", err
}
......
......@@ -5,9 +5,13 @@ import (
"crypto/x509"
"fmt"
"io/ioutil"
"github.com/grafana/grafana/pkg/infra/log"
)
func makeCert(tlsPoolName string, config DatabaseConfig) (*tls.Config, error) {
var tlslog = log.New("tls_mysql")
func makeCert(config DatabaseConfig) (*tls.Config, error) {
rootCertPool := x509.NewCertPool()
pem, err := ioutil.ReadFile(config.CaCertPath)
if err != nil {
......@@ -16,18 +20,16 @@ func makeCert(tlsPoolName string, config DatabaseConfig) (*tls.Config, error) {
if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
return nil, err
}
clientCert := make([]tls.Certificate, 0, 1)
if config.ClientCertPath != "" && config.ClientKeyPath != "" {
certs, err := tls.LoadX509KeyPair(config.ClientCertPath, config.ClientKeyPath)
if err != nil {
return nil, err
}
clientCert = append(clientCert, certs)
}
tlsConfig := &tls.Config{
RootCAs: rootCertPool,
Certificates: clientCert,
RootCAs: rootCertPool,
}
if config.ClientCertPath != "" && config.ClientKeyPath != "" {
tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
tlslog.Debug("Loading client certificate")
cert, err := tls.LoadX509KeyPair(config.ClientCertPath, config.ClientKeyPath)
return &cert, err
}
}
tlsConfig.ServerName = config.ServerCertName
if config.SslMode == "skip-verify" {
......
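Review bot: The new GetClientCertificate callback returns `&cert, err` on a LoadX509KeyPair failure, handing back a pointer to a zero Certificate alongside the error and logging nothing beyond the Debug line before the load; since this closure now runs on every new connection's handshake instead of once at startup, a transient read failure (for example a cert file rewritten before its matching key during a rotation) silently fails every new MySQL connection until the files are consistent again. I would make the failure explicit and visible: `if err != nil { tlslog.Error("Loading client certificate failed", "error", err); return nil, err }` followed by `return &cert, nil` (assuming the infra/log logger exposes Error with key/value context like Debug does). A short comment on the closure, such as `// Re-read the key pair on every handshake so rotated certificates are picked up without a restart.`, would document why the load moved into the callback. Separately, the unchanged context line `if ok := rootCertPool.AppendCertsFromPEM(pem); !ok { return nil, err }` returns a nil err at that point, so an unparsable CA file yields `nil, nil` to the caller; that predates this commit but is worth a follow-up. The rest of makeCert continues below the hunk.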