Fix mysql tls enable (#6807)

weed/command/scaffold/filer.toml

@@ -54,6 +54,10 @@ enabled = false
 # dsn will take priority over "hostname, port, username, password, database".
 # [username[:password]@][protocol[(address)]]/dbname[?param1=value1&...&paramN=valueN]
 dsn = "root@tcp(localhost:3306)/seaweedfs?collation=utf8mb4_bin"
+enable_tls = false
+ca_crt = ""                # ca.crt dir when enable_tls set true
+client_crt = ""            # mysql client.crt dir when enable_tls set true
+client_key = ""            # mysql client.key dir when enable_tls set true
 hostname = "localhost"
 port = 3306
 username = "root"

weed/filer/mysql/mysql_store.go

@@ -1,9 +1,12 @@
 package mysql
 
 import (
+	"crypto/tls"
+	"crypto/x509"
 	"database/sql"
 	"fmt"
 	"github.com/go-sql-driver/mysql"
+	"os"
 	"strings"
 	"time"
 
@@ -16,6 +19,7 @@ import (
 
 const (
 	CONNECTION_URL_PATTERN     = "%s:%s@tcp(%s:%d)/%s?collation=utf8mb4_bin"
+	CONNECTION_TLS_URL_PATTERN = "%s:%s@tcp(%s:%d)/%s?collation=utf8mb4_bin&tls=mysql-tls"
 )
 
 func init() {
@@ -44,11 +48,15 @@ func (store *MysqlStore) Initialize(configuration util.Configuration, prefix str
 		configuration.GetInt(prefix+"connection_max_open"),
 		configuration.GetInt(prefix+"connection_max_lifetime_seconds"),
 		configuration.GetBool(prefix+"interpolateParams"),
+		configuration.GetBool(prefix+"enable_tls"),
+		configuration.GetString(prefix+"ca_crt"),
+		configuration.GetString(prefix+"client_crt"),
+		configuration.GetString(prefix+"client_key"),
 	)
 }
 
 func (store *MysqlStore) initialize(dsn string, upsertQuery string, enableUpsert bool, user, password, hostname string, port int, database string, maxIdle, maxOpen,
-	maxLifetimeSeconds int, interpolateParams bool) (err error) {
+	maxLifetimeSeconds int, interpolateParams bool, enableTls bool, caCrtDir string, clientCrtDir string, clientKeyDir string) (err error) {
 
 	store.SupportBucketTable = false
 	if !enableUpsert {
@@ -60,8 +68,38 @@ func (store *MysqlStore) initialize(dsn string, upsertQuery string, enableUpsert
 		UpsertQueryTemplate:    upsertQuery,
 	}
 
+	if enableTls {
+		rootCertPool := x509.NewCertPool()
+		pem, err := os.ReadFile(caCrtDir)
+		if err != nil {
+			return err
+		}
+		if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
+			return fmt.Errorf("failed to append root certificate")
+		}
+
+		clientCert := make([]tls.Certificate, 0)
+		if cert, err := tls.LoadX509KeyPair(clientCrtDir, clientKeyDir); err == nil {
+			clientCert = append(clientCert, cert)
+		}
+
+		tlsConfig := &tls.Config{
+			RootCAs:      rootCertPool,
+			Certificates: clientCert,
+			MinVersion:   tls.VersionTLS12,
+		}
+		err = mysql.RegisterTLSConfig("mysql-tls", tlsConfig)
+		if err != nil {
+			return err
+		}
+	}
+
 	if dsn == "" {
-		dsn = fmt.Sprintf(CONNECTION_URL_PATTERN, user, password, hostname, port, database)
+		pattern := CONNECTION_URL_PATTERN
+		if enableTls {
+			pattern = CONNECTION_TLS_URL_PATTERN
+		}
+		dsn = fmt.Sprintf(pattern, user, password, hostname, port, database)
 		if interpolateParams {
 			dsn += "&interpolateParams=true"
 		}