
Support MySQL TLS certificate config #297

Open: tonghia wants to merge 8 commits into rubenv:master from tonghia:codex/mysql-client-cert-auth

@tonghia commented Jun 29, 2026

Summary

Adds CLI configuration for MySQL TLS certificates:

  • supports MySQL client certificate authentication with mysql-client-cert and mysql-client-key
  • supports CA-only server certificate verification with mysql-ca-cert
  • preserves existing datasource parameters such as parseTime=true
  • rejects conflicting datasource tls= values when YAML TLS fields are used
  • documents both MySQL TLS modes in the README
  • adds test-integration/mysql-tls-setup.sh to generate disposable TLS certs and start a Docker MySQL TLS environment
  • adds test-integration/mysql-tls.sh for simple real-env TLS verification

Why

Issue #27 asks for a way to connect to MySQL servers that require client certificate authentication. The existing CLI only passed the datasource directly to sql.Open, so it had no hook to call mysql.RegisterTLSConfig before connecting.

Validation

  • go test ./sql-migrate
  • go test ./...
  • ./.idea/test-integration/mysql-client-cert-fixed.sh
  • go build -o /tmp/sql-migrate-mtls-test/sql-migrate ./sql-migrate
  • ./test-integration/mysql-tls-setup.sh
    • generated/reused CA, server, and client certificates under /tmp/sql-migrate-mtls-test/certs
    • recreated Docker container sql-migrate-mtls-mysql on port 13306
    • verified have_ssl=YES and require_secure_transport=ON
    • created caonly with REQUIRE SSL and migrate with REQUIRE X509
  • SQL_MIGRATE=/tmp/sql-migrate-mtls-test/sql-migrate ./test-integration/mysql-tls.sh for CA-only verification
  • MYSQL_USER=migrate MYSQL_PASSWORD=migratepass DATABASE_NAME=test_mtls MYSQL_CLIENT_CERT=/tmp/sql-migrate-mtls-test/certs/client-cert.pem MYSQL_CLIENT_KEY=/tmp/sql-migrate-mtls-test/certs/client-key.pem SQL_MIGRATE=/tmp/sql-migrate-mtls-test/sql-migrate ./test-integration/mysql-tls.sh for client-certificate verification
  • manual Docker CA-only check with a REQUIRE SSL MySQL user and config containing only mysql-ca-cert, mysql-server-name, and mysql-tls-config; sql-migrate status connected successfully

@tonghia changed the title from "[codex] Support MySQL TLS certificate config" to "Support MySQL TLS certificate config" on Jun 29, 2026

@tonghia marked this pull request as ready for review June 29, 2026 11:39
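
An added example, not code from this pull request: one way the two TLS modes (CA-only and client certificate) and the `tls=` conflict check described in the summary could be written with the Go standard library. `buildTLSConfig`, `applyTLSName`, the config name `custom` and the sample DSN are hypothetical; the sketch assumes the DSN has no `?` before its parameter list and treats a `tls=` value equal to the config name as non-conflicting.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"net/url"
	"strings"
)

// buildTLSConfig (hypothetical): CA only = server verification; cert+key add client auth.
func buildTLSConfig(caPEM, certPEM, keyPEM []byte, serverName string) (*tls.Config, error) {
	cfg := &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
	if len(caPEM) > 0 {
		pool := x509.NewCertPool()
		if !pool.AppendCertsFromPEM(caPEM) {
			return nil, fmt.Errorf("mysql-ca-cert: no PEM certificate found")
		}
		cfg.RootCAs = pool
	}
	if (len(certPEM) > 0) != (len(keyPEM) > 0) {
		return nil, fmt.Errorf("mysql-client-cert and mysql-client-key must be set together")
	}
	if len(certPEM) > 0 {
		pair, err := tls.X509KeyPair(certPEM, keyPEM)
		if err != nil {
			return nil, fmt.Errorf("client key pair: %w", err)
		}
		cfg.Certificates = []tls.Certificate{pair}
	}
	return cfg, nil // caller would pass this to mysql.RegisterTLSConfig(name, cfg)
}

// applyTLSName (hypothetical) sets tls=name, keeps other params, rejects a different tls=.
func applyTLSName(dsn, name string) (string, error) {
	base, query, _ := strings.Cut(dsn, "?")
	params, err := url.ParseQuery(query)
	if err != nil {
		return "", err
	}
	if cur := params.Get("tls"); cur != "" && cur != name {
		return "", fmt.Errorf("datasource tls=%q conflicts with TLS config %q", cur, name)
	}
	params.Set("tls", name)
	return base + "?" + params.Encode(), nil
}

func main() { // constructed DSN; prints the rewritten DSN and a nil error
	fmt.Println(applyTLSName("migrate:pw@tcp(127.0.0.1:13306)/test_mtls?parseTime=true", "custom"))
}
```

Failing closed on a half-specified key pair or an unparsable CA file keeps a misconfiguration from silently downgrading to an unauthenticated or unverified connection.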