Support custom CA truststore and client SSL keypair. #255
Conversation
Per discussion in #226, there is no way to specify a custom CA that the mysqld exporter will trust when establishing a SSL connection to a mysql server. So if a mysql server has a custom truststore, an operator would need to set DSN, where tls=skip-verify. With this change, a user can define the ssl options in the mysql cnf and then the mysqld exporter will construct a DSN and a custom TLS config based on those options.
|
I would prefer these to be flags, rather than in the config file. By utilizing flags, it's still possible to control normal connection settings via the |
|
I believe these are standard my.cnf settings. |
|
I would like to make it possible to keep the ENV + flags option, rather than force users to use a config file. (It makes it easier for docker users) |
|
@SuperQ I debated whether to add that in but was on the fence. The thing that makes this a little tricky is that DSN will need to have the name of the custom TLS config struct and it was not entirely clear to me how that should be specified. For example, we could hardcode it to "custom" and then document that the DSN needs to be set to that accordingly. Anyway, I'll update the PR to support both use cases in the next day or two. |
|
@jaloren Any chance you still want to work on the ENV option for TLS configs? I guess we could merge this and add the ENV stuff later. |
|
@SuperQ sorry I just saw this email pop up. I have been swamped at work and I am not sure when I'll have a chance to look at this again. Thanks for the consideration and merge! |
Per discussion in #226, there is no way to specify a custom CA that the
mysqld exporter will trust when establishing a SSL connection to a mysql
server. So if a mysql server has a custom truststore, an operator would
need to set DSN, where tls=skip-verify.
With this change, a user can define the ssl options in the mysql cnf and
then the mysqld exporter will construct a DSN and a custom TLS config
based on those options.