feat: add TLS config for MySQL driver

[burningalchemist]

resolves #906

This pull request adds support for custom TLS configurations when connecting to MySQL databases, allowing users to specify their own CA certificate, client certificate, and client key via connection parameters. It also introduces conditional compilation to handle builds without MySQL support.

MySQL TLS support enhancements:

• Added registerMySQLTLSConfig function in tls_mysql.go to register a custom TLS configuration for MySQL using DSN parameters (tls-ca, tls-cert, tls-key). This enables secure connections with custom certificates and keys.
• Updated OpenConnection in sql.go to call registerMySQLTLSConfig when the tls parameter is set to custom, and to strip custom TLS parameters from the DSN before connecting to avoid driver errors.

Build tag support:

• Added tls_nomysql.go with a stub implementation of registerMySQLTLSConfig that returns an error if MySQL TLS support is disabled via the nomysql build tag.

[Copilot]

Pull request overview

This pull request adds support for custom TLS configurations when connecting to MySQL databases, enabling secure connections with user-provided CA certificates, client certificates, and client keys. The implementation uses build tags to conditionally include or exclude MySQL TLS support.

Changes:

• Adds tls_mysql.go with registerMySQLTLSConfig function to create and register custom TLS configurations based on DSN parameters (tls-ca, tls-cert, tls-key)
• Updates OpenConnection in sql.go to invoke TLS registration when tls=custom is specified and strips custom TLS parameters from the DSN before connecting
• Adds tls_nomysql.go with a stub implementation that returns an error when built with the no_mysql build tag

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 2 comments.

File	Description
tls_mysql.go	Implements MySQL TLS configuration registration with CA, client cert, and client key support
tls_nomysql.go	Provides stub implementation for builds without MySQL support
sql.go	Integrates TLS registration into connection flow and strips custom TLS parameters from DSN

Comments suppressed due to low confidence (3)

tls_mysql.go:44

• The error message "failed to append PEM" is too vague and doesn't explain why the operation failed. This could be due to invalid PEM format, corrupted data, or other issues. Consider providing more context, such as "failed to append CA certificate from PEM: invalid PEM format or no valid certificates found".

			return errors.New("failed to append PEM")

tls_mysql.go:64

• The TLS configuration does not set InsecureSkipVerify explicitly to false, which is good. However, when no CA certificate is provided (caCert is empty), the RootCAs field will be nil, which causes Go's TLS to use the system's default CA pool. This behavior should be documented or explicitly validated to ensure users understand that when tls-ca is omitted, system root CAs will be used for verification. Consider adding a comment explaining this behavior or validate that at least one TLS parameter is provided when tls=custom is used.

	tlsConfig := &tls.Config{
		RootCAs:      rootCertPool,
		Certificates: certs,
		MinVersion:   tls.VersionTLS12,
	}

sql.go:48

• After stripping the custom TLS parameters (tls-ca, tls-cert, tls-key), the "tls" parameter with value "custom" remains in the DSN. This is correct and necessary because the MySQL driver needs to know which registered TLS configuration to use. However, this should be documented in a comment to clarify why the "tls" parameter is not stripped along with the other TLS parameters.

		// Strip TLS parameters from the URL as they are interpreted as system variables by the MySQL driver which
		// causes connection failure. The TLS configuration is already registered globally.
		q := url.Query()
		for _, param := range mysqlTLSParams {
			q.Del(param)
		}
		url.URL.RawQuery = q.Encode()

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.