| author | James Elliott <james-d-elliott@users.noreply.github.com> | 2022-10-22 19:27:59 +1100 |
|---|---|---|
| committer | GitHub <noreply@github.com> | 2022-10-22 19:27:59 +1100 |
| commit | 69c4c02d03fb4fab591be2d3282fc3fd25d2f981 (patch) | |
| tree | 3cec66e8568d7b106443b79c3a158d03c0c0c705 /internal/storage/sql_provider_backend_mysql.go | |
| parent | 1ea29cb2c24b44d15dffed3964e41e56b32da02d (diff) | |
feat(storage): tls connection support (#4233)
This adds support for connecting to PostgreSQL and MySQL over TLS using the standard TLS configuration options.
Diffstat (limited to 'internal/storage/sql_provider_backend_mysql.go')
| -rw-r--r-- | internal/storage/sql_provider_backend_mysql.go | 11 |
1 files changed, 9 insertions, 2 deletions
diff --git a/internal/storage/sql_provider_backend_mysql.go b/internal/storage/sql_provider_backend_mysql.go
index b0382ed7d..32cc7de16 100644
--- a/internal/storage/sql_provider_backend_mysql.go
+++ b/internal/storage/sql_provider_backend_mysql.go
@@ -9,6 +9,7 @@ import (
 "github.com/go-sql-driver/mysql"
 
 "github.com/authelia/authelia/v4/internal/configuration/schema"
+ "github.com/authelia/authelia/v4/internal/utils"
 )
 
 // MySQLProvider is a MySQL provider.
@@ -19,7 +20,7 @@ type MySQLProvider struct {
 // NewMySQLProvider a MySQL provider.
 func NewMySQLProvider(config *schema.Configuration, caCertPool *x509.CertPool) (provider *MySQLProvider) {
 provider = &MySQLProvider{
- SQLProvider: NewSQLProvider(config, providerMySQL, providerMySQL, dsnMySQL(config.Storage.MySQL)),
+ SQLProvider: NewSQLProvider(config, providerMySQL, providerMySQL, dsnMySQL(config.Storage.MySQL, caCertPool)),
 }
 
 // All providers have differing SELECT existing table statements.
@@ -31,7 +32,7 @@ func NewMySQLProvider(config *schema.Configuration, caCertPool *x509.CertPool) (
 return provider
 }
 
-func dsnMySQL(config *schema.MySQLStorageConfiguration) (dataSourceName string) {
+func dsnMySQL(config *schema.MySQLStorageConfiguration, caCertPool *x509.CertPool) (dataSourceName string) {
 dsnConfig := mysql.NewConfig()
 
 switch {
@@ -46,6 +47,12 @@ func dsnMySQL(config *schema.MySQLStorageConfiguration) (dataSourceName string)
 dsnConfig.Addr = fmt.Sprintf("%s:%d", config.Host, config.Port)
 }
 
+ if config.TLS != nil {
+ _ = mysql.RegisterTLSConfig("storage", utils.NewTLSConfig(config.TLS, caCertPool))
+
+ dsnConfig.TLSConfig = "storage"
+ }
+
 switch config.Port {
 case 0:
 dsnConfig.Addr = config.Host |
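Review bot: The error from `mysql.RegisterTLSConfig` is discarded with `_ =` in the new `if config.TLS != nil` block of dsnMySQL, and `dsnConfig.TLSConfig = "storage"` is then set regardless, so a failed registration would only surface later as a connection error that does not name the cause. As far as I know the driver rejects only reserved key names, which `"storage"` is not, so this is probably safe today; a comment such as `// RegisterTLSConfig only fails for reserved keys; "storage" is not reserved.` would record why the error is ignored. The name goes into the driver's process-wide registry, so a second call replaces the earlier TLS configuration, and it is worth confirming that only one MySQL provider is built per process. Whether the resulting config verifies the server certificate and hostname depends on `utils.NewTLSConfig`, which is not visible in this diff. dsnMySQL's body continues past the end of the hunk.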
