At present the options block of the database object is hardcoded to be empty. We use TLS on our Percona instance and there seems to be no way to connect when using the official docker image.
We do not use client certificates, only TLS for connection security so an ideal solution would allow this configuration as well as one that DOES use client certificates.
This is the line I am referencing where I say the options block is hard coded to be empty:
https://github.com/kiwitcms/Kiwi/blob/master/tcms/settings/common.py#L36
And here is a discussion about using TLS on a MySQL connection with Django:
https://stackoverflow.com/questions/4323737/how-to-connect-django-to-a-mysql-database-over-an-ssl-connection
For us it would be sufficient to simply give us the equivalent of the "--ssl" flag on the mysql command line client however I would imagine others that are more security conscious than us would hope to see client certificate support as well. I think it would be sufficient to accept a path to a CA certificate file (or directory containing certificates) and accept a path to client cert/key as environment variables.
At present the options block of the database object is hardcoded to be empty. We use TLS on our Percona instance and there seems to be no way to connect when using the official docker image.
We do not use client certificates, only TLS for connection security so an ideal solution would allow this configuration as well as one that DOES use client certificates.
This is the line I am referencing where I say the options block is hard coded to be empty:
https://github.com/kiwitcms/Kiwi/blob/master/tcms/settings/common.py#L36
And here is a discussion about using TLS on a MySQL connection with Django:
https://stackoverflow.com/questions/4323737/how-to-connect-django-to-a-mysql-database-over-an-ssl-connection
For us it would be sufficient to simply give us the equivalent of the "--ssl" flag on the mysql command line client however I would imagine others that are more security conscious than us would hope to see client certificate support as well. I think it would be sufficient to accept a path to a CA certificate file (or directory containing certificates) and accept a path to client cert/key as environment variables.