
add support for periodically reloading mysql client certs (#14892)

Tom Petr 6 vuotta sitten
vanhempi
commit
73e405978b
2 muutettua tiedostoa jossa 14 lisäystä ja 12 poistoa
  1. 1 1
      pkg/services/sqlstore/sqlstore.go
  2. 13 11
      pkg/services/sqlstore/tls_mysql.go

+ 1 - 1
pkg/services/sqlstore/sqlstore.go

@@ -171,7 +171,7 @@ func (ss *SqlStore) buildConnectionString() (string, error) {
 			ss.dbCfg.User, ss.dbCfg.Pwd, protocol, ss.dbCfg.Host, ss.dbCfg.Name)
 
 		if ss.dbCfg.SslMode == "true" || ss.dbCfg.SslMode == "skip-verify" {
-			tlsCert, err := makeCert("custom", ss.dbCfg)
+			tlsCert, err := makeCert(ss.dbCfg)
 			if err != nil {
 				return "", err
 			}

+ 13 - 11
pkg/services/sqlstore/tls_mysql.go

@@ -5,9 +5,13 @@ import (
 	"crypto/x509"
 	"fmt"
 	"io/ioutil"
+
+	"github.com/grafana/grafana/pkg/infra/log"
 )
 
-func makeCert(tlsPoolName string, config DatabaseConfig) (*tls.Config, error) {
+var tlslog = log.New("tls_mysql")
+
+func makeCert(config DatabaseConfig) (*tls.Config, error) {
 	rootCertPool := x509.NewCertPool()
 	pem, err := ioutil.ReadFile(config.CaCertPath)
 	if err != nil {
@@ -16,18 +20,16 @@ func makeCert(tlsPoolName string, config DatabaseConfig) (*tls.Config, error) {
 	if ok := rootCertPool.AppendCertsFromPEM(pem); !ok {
 		return nil, err
 	}
-	clientCert := make([]tls.Certificate, 0, 1)
-	if config.ClientCertPath != "" && config.ClientKeyPath != "" {
 
-		certs, err := tls.LoadX509KeyPair(config.ClientCertPath, config.ClientKeyPath)
-		if err != nil {
-			return nil, err
-		}
-		clientCert = append(clientCert, certs)
-	}
 	tlsConfig := &tls.Config{
-		RootCAs:      rootCertPool,
-		Certificates: clientCert,
+		RootCAs: rootCertPool,
+	}
+	if config.ClientCertPath != "" && config.ClientKeyPath != "" {
+		tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
+			tlslog.Debug("Loading client certificate")
+			cert, err := tls.LoadX509KeyPair(config.ClientCertPath, config.ClientKeyPath)
+			return &cert, err
+		}
 	}
 	tlsConfig.ServerName = config.ServerCertName
 	if config.SslMode == "skip-verify" {
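Review bot: The new GetClientCertificate callback returns `&cert, err` with a non-nil certificate pointer even when `tls.LoadX509KeyPair` fails; crypto/tls expects nil on error, and because the files are now re-read on every handshake, a transient read failure during a rotation (key file momentarily absent or half-written) fails every new connection rather than one startup. Keeping the last successfully loaded pair and falling back to it when a reload fails — logging the error, since the callback currently logs only the attempt — keeps a rotation from becoming an outage; the callback can run concurrently from several handshakes, so the cached pointer needs a mutex (import `sync`). Separately, the pre-existing context line `return nil, err` after `AppendCertsFromPEM` returns a nil error together with a nil config when the CA file does not parse, so the caller cannot tell that server verification was never configured; `return nil, fmt.Errorf("parsing CA certificate %q", config.CaCertPath)` would surface it. makeCert's body continues below the hunk.
```go
	if config.ClientCertPath != "" && config.ClientKeyPath != "" {
		var (
			mu       sync.Mutex
			lastGood *tls.Certificate
		)
		tlsConfig.GetClientCertificate = func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
			tlslog.Debug("Loading client certificate")
			cert, err := tls.LoadX509KeyPair(config.ClientCertPath, config.ClientKeyPath)
			mu.Lock()
			defer mu.Unlock()
			if err != nil {
				if lastGood != nil {
					tlslog.Warn("Reloading client certificate failed, using previously loaded certificate", "error", err)
					return lastGood, nil
				}
				return nil, err
			}
			lastGood = &cert
			return lastGood, nil
		}
	}
	// … unchanged: ServerName / skip-verify handling …
```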