Script to reproduce a bug with checking external mysql connections in vitess 22.0.2
#! /bin/bash
# Settings for the local reproduction environment.
# Name of the throwaway MySQL container; a container with this name is
# stopped and removed before each run.
DOCKER_CONTAINER_NAME='test-external-mysql'
# MySQL image to run. It is pinned by tag, not by digest, so the registry
# decides which image content this tag resolves to.
MYSQL_IMAGE='mysql:8.0.35'
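# Generate a throwaway CA plus one server and one client certificate for the
# local reproduction. All keys are written unencrypted (-nodes) so that MySQL
# and vttablet can load them without a passphrase; do not reuse them anywhere
# else.
mkdir -p certs
# Stop if the directory cannot be entered; otherwise the keys below would be
# generated in, and copied around, the wrong directory.
cd certs || exit 1

# CA key and self-signed CA certificate.
openssl genrsa 2048 > ca-key.pem
# The redirection creates the file under the default umask. The CA key is only
# needed for the two signing steps below, so restrict it to the owner.
chmod 600 ca-key.pem
openssl req -new -x509 -nodes -days 3600 \
  -key ca-key.pem -out ca.pem \
  -subj "/CN=MySQL_Server_CA"

# Server key, signing request and CA-signed certificate.
openssl req -newkey rsa:2048 -days 3600 -nodes \
  -keyout server-key.pem -out server-req.pem \
  -subj "/CN=MySQL_Server"
openssl rsa -in server-key.pem -out server-key.pem
openssl x509 -req -in server-req.pem -days 3600 \
  -CA ca.pem -CAkey ca-key.pem -set_serial 01 -out server-cert.pem

# Client key, signing request and CA-signed certificate.
openssl req -newkey rsa:2048 -days 3600 -nodes \
  -keyout client-key.pem -out client-req.pem \
  -subj "/CN=MySQL_Client"
openssl rsa -in client-key.pem -out client-key.pem
# Serial 02: a CA must not issue two certificates with the same serial number,
# and the server certificate above already uses 01.
openssl x509 -req -in client-req.pem -days 3600 \
  -CA ca.pem -CAkey ca-key.pem -set_serial 02 -out client-cert.pem

# Copy the client-side material to the file names passed to vttablet
# (ca.pem, cert.pem, key.pem in the parent directory).
cp ca.pem ../ca.pem
cp client-cert.pem ../cert.pem
cp client-key.pem ../key.pem
# The client private key is read only by vttablet running as this user.
chmod 600 ../key.pem
cd .. || exit 1

# Verify the certificates were created
echo "Certificates created successfully:"
ls -la -- *.pem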
# Server-side TLS settings for mysqld. The certificate paths are paths inside
# the container, where mysql_certs/ is bind-mounted at /etc/mysql/certs.
# require_secure_transport=ON makes the server reject unencrypted TCP clients.
cat > my.cnf <<'EOF'
[mysqld]
ssl-ca=/etc/mysql/certs/ca.pem
ssl-cert=/etc/mysql/certs/server-cert.pem
ssl-key=/etc/mysql/certs/server-key.pem
require_secure_transport=ON
EOF

# Stage only what the server needs (CA certificate, server certificate and
# server key) in the directory that gets mounted into the container; the CA
# key and the client key are deliberately not copied there.
mkdir -p mysql_certs
cp certs/ca.pem certs/server-cert.pem certs/server-key.pem mysql_certs/
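# Remove leftovers from a previous run; failures here just mean there was
# nothing to clean up.
docker stop "$DOCKER_CONTAINER_NAME" || true
docker rm "$DOCKER_CONTAINER_NAME" || true
# NOTE(review): pkill -f matches against the whole command line, so these two
# calls also terminate any unrelated process of this user whose command line
# contains "etcd" or "vttablet". Run the script only on a machine where that
# is acceptable.
pkill -f etcd
pkill -f vttablet
rm -rf .vtdataroot

# Start MySQL with the TLS configuration and server certificates mounted in.
# The root password is a fixed, publicly known test value and is visible in
# the process list, so the port is published on the loopback interface only
# (the original "-p 3307:3306" exposed it on every host interface); vttablet
# connects to 127.0.0.1:3307, so the reproduction is unaffected.
# The bind-mount arguments are quoted so a working directory containing spaces
# does not split them.
docker run --name "$DOCKER_CONTAINER_NAME" \
  -e MYSQL_ROOT_PASSWORD=strong_password \
  -p 127.0.0.1:3307:3306 \
  -v "$(pwd)/my.cnf:/etc/mysql/conf.d/my.cnf" \
  -v "$(pwd)/mysql_certs:/etc/mysql/certs" \
  -d "$MYSQL_IMAGE" || { echo "failed to start $DOCKER_CONTAINER_NAME" >&2; exit 1; }

# Wait for MySQL to start. docker exec is called without -it: -t fails when
# the script has no terminal (CI, cron, piped output), and with the output
# discarded that failure would make this loop spin forever. The wait is also
# bounded so a container that exits during start-up is reported.
echo -n "Waiting for MySQL to start"
attempts=0
while ! docker exec "$DOCKER_CONTAINER_NAME" mysqladmin --protocol=TCP -uroot -pstrong_password ping --silent > /dev/null 2>&1; do
  attempts=$((attempts + 1))
  if [ "$attempts" -ge 120 ]; then
    echo ""
    echo "MySQL did not become ready after 120 attempts" >&2
    exit 1
  fi
  echo -n "."
  sleep 1
done
echo ""
echo "MySQL is ready"

# Create the database and table the tablet is pointed at.
docker exec "$DOCKER_CONTAINER_NAME" mysql -u root -pstrong_password -e "CREATE DATABASE test;"
docker exec "$DOCKER_CONTAINER_NAME" mysql -u root -pstrong_password -e "CREATE TABLE test.test_table (id INT PRIMARY KEY, name VARCHAR(255));"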
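# Credentials file handed to vttablet via --db-credentials-file: a JSON object
# mapping a MySQL user name to a list of passwords. The password must match
# MYSQL_ROOT_PASSWORD given to the container.
cat <<'EOF' > credentials.json
{
"root": ["strong_password"]
}
EOF
# The file holds a plaintext password; keep it readable by the owner only.
chmod 600 credentials.json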
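# Start a single local etcd as the topology server. It listens on loopback
# only, over plain HTTP and without authentication, which is acceptable only
# for this local reproduction.
etcd_dir=".vtdataroot/etcd"
mkdir -p "$etcd_dir"
./bin/etcd \
  --data-dir "${etcd_dir}" \
  --listen-client-urls "http://127.0.0.1:2379" \
  --advertise-client-urls "http://127.0.0.1:2379" \
  > "${etcd_dir}"/etcd.out 2>&1 &

# Wait for etcd to be ready. -f makes curl fail on an HTTP error status, so an
# unhealthy response is not mistaken for readiness (without it, any HTTP reply
# ends the loop). The wait is bounded so a missing or crashed etcd binary is
# reported instead of hanging; its log is in ${etcd_dir}/etcd.out.
echo -n "Waiting for etcd to be ready"
attempts=0
while ! curl -sf "http://127.0.0.1:2379/health" > /dev/null 2>&1; do
  attempts=$((attempts + 1))
  if [ "$attempts" -ge 60 ]; then
    echo ""
    echo "etcd did not become ready after 60 attempts, see ${etcd_dir}/etcd.out" >&2
    exit 1
  fi
  echo -n "."
  sleep 1
done
echo ""
echo "etcd is ready"

# Add cell info: register cell1 with its topology root and the etcd address.
./bin/vtctldclient --server=internal AddCellInfo \
  --root=/vitess/cell1 \
  --server-address=127.0.0.1:2379 \
  cell1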
# Start vttablet in unmanaged mode against the external MySQL on
# 127.0.0.1:3307. The command runs in the foreground and logs to stderr.
vttablet_args=(
  --logtostderr=true

  # Database credentials. Every db_*_user role is mapped to MySQL root, whose
  # password is read from credentials.json; this is a shortcut for the
  # reproduction, not a least-privilege setup.
  --db-credentials-file=credentials.json
  --db_allprivs_user=root
  --db_app_user=root
  --db_appdebug_user=root
  --db_dba_user=root
  --db_filtered_user=root
  --db_host=127.0.0.1
  --db_port=3307
  --db_repl_user=root

  # TLS towards MySQL, using the client certificate and key generated earlier
  # in this script and the CA that signed the server certificate.
  # NOTE(review): by MySQL convention verify_ca validates the certificate
  # chain but not the server host name; confirm vttablet follows that.
  --db_ssl_ca=ca.pem
  --db_ssl_cert=cert.pem
  --db_ssl_key=key.pem
  --db_ssl_mode=verify_ca
  # NOTE(review): 2048 (0x800) is the CLIENT_SSL bit of the MySQL protocol
  # capability flags; presumably that is the intent here, confirm.
  --db_flags=2048

  --alsologtostderr
  --grpc_port=15999
  --init_db_name_override=test
  --init_keyspace=test-keyspace
  --init_shard=-
  --init_tablet_type=spare
  --mysql_server_version=8.0.40-Vitess
  --port=15000
  --restore_from_backup=false
  --service_map=grpc-queryservice,grpc-tabletmanager,grpc-updatestream
  --tablet-path=cell1-1
  --tablet_hostname=127.0.0.1

  # Topology: the local etcd started by this script.
  --topo_global_root=/vitess/global
  --topo_global_server_address=127.0.0.1:2379
  --topo_implementation=etcd2

  --unmanaged
)
./bin/vttablet "${vttablet_args[@]}"