# fleet
z
Anyone currently using TLS for Fleet's MySQL connection? Can you show us how you are configuring that in Fleet?
g
TLS Client certificate auth or connecting to a TLS endpoint ?
z
Connecting to a MySQL database using TLS as a transport
g
So currently we are but nothing special on the fleet end.
- name: KOLIDE_MYSQL_DATABASE
  valueFrom:
    secretKeyRef:
      name: kolide-mysql
      key: database
Where it’s raw IP, username + password on keys. I just checked the MySQL connection from the DB end and it’s upgraded to an SSL connection and it appears there is a client upgrade.
j
specifically, what mysql: tls_config: value are you setting in fleet.yml?
h
did this get resolved @zwass - I’m surprised this issue is not more common considering the importance of TLS comms between fleet and the db! Is it correct to assume that only mysql_tls_ca is required to connect to a TLS enabled mysql server?
it is currently ambiguous whether other mysql_tls* keys are related to client or server (one can infer but still)
j
we just gave up on it and went back to non-TLS. If anyone has a fix, we'd love to implement it
z
It seems like we should support this natively and I'm not sure why we don't. I know that some folks have used tunneling to get encrypted connections to the DB.
Are we just not exposing the right parameters to allow the connection?
j
it requires all of mysql_tls_ca, mysql_tls_cert, and mysql_tls_key, but it should only require either ca or cert/key
z
Can you please file that in an issue so I can have it tracked to get to? If it's really that simple should be able to get to it before the next release.
Hey @hilt @Jocelyn Bothe please give this another try with Fleet 3.11.0. I fixed this for at least some of the cases with https://github.com/fleetdm/fleet/pull/689.
j
thanks! we'll upgrade and give it a whirl