[misc] Add SSL to CI servers

rusher · rusher · commit b679369dcc2a · 2025-06-09T17:22:38.000+02:00
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -54,6 +54,13 @@ jobs:
           else
             echo "127.0.0.1 mariadb.example.com" | sudo tee -a /etc/hosts
           fi
+
+      - name: Generate self-signed certificates
+        shell: bash
+        run: |
+          chmod +x .github/workflows/generate-certs.sh
+          ./.github/workflows/generate-certs.sh
+
       - uses: actions/setup-node@v4
         with:
           node-version: ${{ matrix.node }}
@@ -69,7 +76,13 @@ jobs:
           registry: ${{ matrix.db-type == 'enterprise' && 'docker.mariadb.com/enterprise-server' || (matrix.db-type == 'dev' && 'quay.io/mariadb-foundation/mariadb-devel' || '') }}
           registry-user: ${{ matrix.db-type == 'enterprise' && secrets.ENTERPRISE_USER || '' }}
           registry-password: ${{ matrix.db-type == 'enterprise' && secrets.ENTERPRISE_TOKEN || '' }}
-          additional-conf: ${{ matrix.additional-conf || '' }}
+          additional-conf: |
+            ${{ matrix.additional-conf || '' }}
+            ${{ matrix.os == 'ubuntu-latest' && '--ssl-ca=/etc/mysql/conf.d/ca.crt' || '' }}
+            ${{ matrix.os == 'ubuntu-latest' && '--ssl-cert=/etc/mysql/conf.d/server.crt' || '' }}
+            ${{ matrix.os == 'ubuntu-latest' && '--ssl-key=/etc/mysql/conf.d/server.key' || '' }}
+          conf-script-folder: ${{ github.workspace }}/.github/workflows/certs
+          port: ${{ env.TEST_DB_PORT }}
 
       - name: Setup MySQL
         if: matrix.db-type == 'mysql'
@@ -82,11 +95,38 @@ jobs:
       - name: Install dependencies
         run: npm install
 
+      - name: Debug - Check MariaDB connection
+        shell: bash
+        run: |
+          echo "=== Network and Port Information ==="
+          echo "Checking if MariaDB port is accessible..."
+          netstat -tuln | grep :3306 || echo "Port 3306 not found in netstat"
+          echo ""
+          echo "Testing connection to mariadb.example.com:3306..."
+          timeout 10 bash -c 'cat < /dev/null > /dev/tcp/mariadb.example.com/3306' && echo "✅ Connection successful" || echo "❌ Connection failed"
+          echo ""
+          echo "Testing connection to 127.0.0.1:3306..."
+          timeout 10 bash -c 'cat < /dev/null > /dev/tcp/127.0.0.1/3306' && echo "✅ Connection successful" || echo "❌ Connection failed"
+          echo ""
+          echo "=== Environment Variables ==="
+          echo "TEST_DB_HOST: $TEST_DB_HOST"
+          echo "TEST_DB_PORT: $TEST_DB_PORT"
+          echo "TEST_DB_USER: $TEST_DB_USER"
+          echo "LOCAL_DB: $LOCAL_DB"
+          echo "DB_TYPE: $DB_TYPE"
+        env:
+          TEST_DB_HOST: ${{ env.TEST_DB_HOST }}
+          TEST_DB_PORT: ${{ env.TEST_DB_PORT }}
+          TEST_DB_USER: ${{ env.TEST_DB_USER }}
+          LOCAL_DB: ${{ steps.mariadb-install.outputs.database-type }}
+          DB_TYPE: ${{ matrix.db-type }}
+
       - name: Run Tests
         run: npm run coverage:test
         env:
           LOCAL_DB: ${{ steps.mariadb-install.outputs.database-type }}
           DB_TYPE: ${{ matrix.db-type }}
+          TEST_DB_SERVER_CERT: ${{ matrix.db-type == 'container' && './.github/workflows/certs/server.crt' || '' }}
 
       - name: Download Codecov uploader
         shell: bash
diff --git a/.github/workflows/generate-certs.sh b/.github/workflows/generate-certs.sh
@@ -0,0 +1,77 @@
+#!/bin/bash
+
+# // SPDX-License-Identifier: LGPL-2.1-or-later
+# // Copyright (c) 2015-2025 MariaDB Corporation Ab
+
+# Script to generate self-signed certificates for testing
+# CN: mariadb.example.com
+
+set -e
+
+echo "Generating self-signed certificates for mariadb.example.com..."
+
+# Create directory for certificates
+mkdir -p .github/workflows/certs
+
+echo "Generate CA private key"
+openssl genrsa 2048 > .github/workflows/certs/ca.key
+
+echo "[ req ]" > .github/workflows/certs/ca.conf
+echo "prompt                 = no" >> .github/workflows/certs/ca.conf
+echo "distinguished_name     = req_distinguished_name" >> .github/workflows/certs/ca.conf
+echo "" >> .github/workflows/certs/ca.conf
+echo "[ req_distinguished_name ]" >> .github/workflows/certs/ca.conf
+echo "countryName            = FR" >> .github/workflows/certs/ca.conf
+echo "stateOrProvinceName    = Loire-atlantique" >> .github/workflows/certs/ca.conf
+echo "localityName           = Nantes" >> .github/workflows/certs/ca.conf
+echo "organizationName       = Home" >> .github/workflows/certs/ca.conf
+echo "organizationalUnitName = Lab" >> .github/workflows/certs/ca.conf
+echo "commonName             = mariadb.example.com" >> .github/workflows/certs/ca.conf
+echo "emailAddress           = admin@mariadb.example.com" >> .github/workflows/certs/ca.conf
+
+echo "Generate CA certificate (self-signed)"
+openssl req -days 365 -new -x509 -nodes -key .github/workflows/certs/ca.key -out .github/workflows/certs/ca.crt --config .github/workflows/certs/ca.conf
+
+
+
+echo "[ req ]" > .github/workflows/certs/server.conf
+echo "prompt                 = no" >> .github/workflows/certs/server.conf
+echo "distinguished_name     = req_distinguished_name" >> .github/workflows/certs/server.conf
+echo "req_extensions         = req_ext" >> .github/workflows/certs/server.conf
+echo "" >> .github/workflows/certs/server.conf
+echo "[ req_distinguished_name ]" >> .github/workflows/certs/server.conf
+echo "countryName            = FR" >> .github/workflows/certs/server.conf
+echo "stateOrProvinceName    = Loire-atlantique" >> .github/workflows/certs/server.conf
+echo "localityName           = Nantes" >> .github/workflows/certs/server.conf
+echo "organizationName       = Home" >> .github/workflows/certs/server.conf
+echo "organizationalUnitName = Lab" >> .github/workflows/certs/server.conf
+echo "commonName             = mariadb.example.com" >> .github/workflows/certs/server.conf
+echo "emailAddress           = admin@mariadb.example.com" >> .github/workflows/certs/server.conf
+echo "" >> .github/workflows/certs/server.conf
+echo "[ req_ext ]" >> .github/workflows/certs/server.conf
+echo "subjectAltName = DNS: mariadb.example.com, IP: 127.0.0.1" >> .github/workflows/certs/server.conf
+
+
+echo "Generating private key..."
+openssl genrsa -out .github/workflows/certs/server.key 2048
+
+echo "Generating certificate signing request..."
+openssl req -new -key .github/workflows/certs/server.key -out .github/workflows/certs/server.csr --config .github/workflows/certs/server.conf
+
+
+echo "Generate the certificate for the server:"
+openssl x509 -req -days 365 -in .github/workflows/certs/server.csr -out .github/workflows/certs/server.crt -CA .github/workflows/certs/ca.crt -CAkey .github/workflows/certs/ca.key -extensions req_ext -extfile .github/workflows/certs/server.conf
+
+# Set appropriate permissions
+chmod 600 .github/workflows/certs/ca.key
+chmod 644 .github/workflows/certs/server.crt .github/workflows/certs/ca.crt .github/workflows/certs/server.key
+
+# List generated certificates
+echo "Generated certificates:"
+ls -la .github/workflows/certs/
+
+# Verify certificate
+echo "Certificate details:"
+openssl x509 -in .github/workflows/certs/server.crt -text -noout | grep -E "(Subject|CN)"
+
+echo "Certificate generation completed successfully!"
