Add option to specify TLS config for mongodb database plugin #5632
Conversation
| @@ -153,7 +158,7 @@ func (c *mongoDBConnectionProducer) Close() error { | |||
| return nil | |||
| } | |||
|
|
|||
| func parseMongoURL(rawURL string) (*mgo.DialInfo, error) { | |||
| func parseMongoURL(rawURL string, sslCert string, sslKey string, sslCA string) (*mgo.DialInfo, error) { | |||
There was a problem hiding this comment.
If all variable are the same type, you can just repeat the variable names and put the type at the end.
| @@ -29,6 +31,9 @@ type mongoDBConnectionProducer struct { | |||
| WriteConcern string `json:"write_concern" structs:"write_concern" mapstructure:"write_concern"` | |||
| Username string `json:"username" structs:"username" mapstructure:"username"` | |||
| Password string `json:"password" structs:"password" mapstructure:"password"` | |||
| SSLCert string `json:"ssl_cert" structs:"ssl_cert" mapstructure:"ssl_cert"` | |||
There was a problem hiding this comment.
These should all be labeled TLS instead of SSL.
| @@ -46,7 +49,10 @@ has a number of parameters to further configure a connection. | |||
| "connection_url": "mongodb://{{username}}:{{password}}@mongodb.acme.com:27017/admin?ssl=true", | |||
| "write_concern": "{ \"wmode\": \"majority\", \"wtimeout\": 5000 }", | |||
| "username": "admin", | |||
| "password": "Password!" | |||
| "password": "Password!", | |||
| "ssl_cert": "/path/to/ssl/cert", | |||
There was a problem hiding this comment.
These parameters would not be paths. They should be PEM encoded certs.
| - `password` `(string: "")` - The root credential password used in the connection URL. | ||
| - `username` `(string: "")` - The root credential username used in the connection URL. | ||
| - `password` `(string: "")` - The root credential password used in the connection URL. | ||
| - `ssl_cert` `(string: "")` - Path to a PEM-encoded client certificate. |
There was a problem hiding this comment.
Path is an incorrect description since this is this is an API endpoint not a local resource.
| return tls.Dial("tcp", addr.String(), &tls.Config{}) | ||
| tlsConfig := &tls.Config{} | ||
| if sslCert != "" && sslKey != "" && sslCA != "" { | ||
| clientCertPEM, err := ioutil.ReadFile(sslCert); |
There was a problem hiding this comment.
The API server will not have access to local resources. You must consume the PEM encoded string directly.
There was a problem hiding this comment.
Thanks, I totally forgot about that. I have changed the code to consume as strings instead
|
Thank you for your submission! We require that all contributors sign our Contributor License Agreement ("CLA") before we can accept the contribution. Read and sign the agreement Learn more about why HashiCorp requires a CLA and what the CLA includes Have you signed the CLA already but the status is still pending? Recheck it. |
|
Sorry for the delay here. Since this PR was opened, we added a CLA and there are some conflicts with recent changes. Would you mind amending this PR and addressing the CLA? |
|
Really hoping to see this TLS config released soon! |
|
We really need this feature to get a project into production. |
|
This feature is very necessary! I work on a large and important project, and this user manager plug-in is very useful in our context. |
|
It would be amazing to have this feature on an important project I'm working on. |
|
@chrishoffman : Hi, is there any news about this issue and a global approach for mysql, mssql and other ? Is there any way to specify the tls_ca through a vault write database/config and also the tls_certificate_key as pem_bundle to have mutual TLS ? |
|
I'm closing this for now because, unfortunately, the CLA hasn't been signed so we can't merge it. Also, it has developed merge conflicts. Just want to give a huge thank-you to @Kaisle for the time and energy dedicated to this. Please do feel free to reopen it if you get a chance to circle back around and update it. Thank you! |
Fixes #1996
Related: #3191