Go의 database/sql 패키지를 사용하여 MySQL용 Cloud SQL에 대한 TCP 연결에 사용되는 SSL(보안 소켓 레이어) 인증서를 구성합니다.
코드 샘플
Go
MySQL용 Cloud SQL에 인증하려면 애플리케이션 기본 사용자 인증 정보를 설정합니다. 자세한 내용은 로컬 개발 환경의 인증 설정을 참조하세요.
package cloudsql
import (
"crypto/tls"
"crypto/x509"
"database/sql"
"errors"
"fmt"
"io/ioutil"
"log"
"os"
"github.com/go-sql-driver/mysql"
)
// connectTCPSocket initializes a TCP connection pool for a Cloud SQL
// instance of MySQL.
func connectTCPSocket() (*sql.DB, error) {
mustGetenv := func(k string) string {
v := os.Getenv(k)
if v == "" {
log.Fatalf("Fatal Error in connect_tcp.go: %s environment variable not set.", k)
}
return v
}
// Note: Saving credentials in environment variables is convenient, but not
// secure - consider a more secure solution such as
// Cloud Secret Manager (https://cloud.google.com/secret-manager) to help
// keep secrets safe.
var (
dbUser = mustGetenv("DB_USER") // e.g. 'my-db-user'
dbPwd = mustGetenv("DB_PASS") // e.g. 'my-db-password'
dbName = mustGetenv("DB_NAME") // e.g. 'my-database'
dbPort = mustGetenv("DB_PORT") // e.g. '3306'
dbTCPHost = mustGetenv("INSTANCE_HOST") // e.g. '127.0.0.1' ('172.17.0.1' if deployed to GAE Flex)
)
dbURI := fmt.Sprintf("%s:%s@tcp(%s:%s)/%s?parseTime=true",
dbUser, dbPwd, dbTCPHost, dbPort, dbName)
// (OPTIONAL) Configure SSL certificates
// For deployments that connect directly to a Cloud SQL instance without
// using the Cloud SQL Proxy, configuring SSL certificates will ensure the
// connection is encrypted.
if dbRootCert, ok := os.LookupEnv("DB_ROOT_CERT"); ok { // e.g., '/path/to/my/server-ca.pem'
var (
dbCert = mustGetenv("DB_CERT") // e.g. '/path/to/my/client-cert.pem'
dbKey = mustGetenv("DB_KEY") // e.g. '/path/to/my/client-key.pem'
)
pool := x509.NewCertPool()
pem, err := ioutil.ReadFile(dbRootCert)
if err != nil {
return nil, err
}
if ok := pool.AppendCertsFromPEM(pem); !ok {
return nil, errors.New("unable to append root cert to pool")
}
cert, err := tls.LoadX509KeyPair(dbCert, dbKey)
if err != nil {
return nil, err
}
mysql.RegisterTLSConfig("cloudsql", &tls.Config{
RootCAs: pool,
Certificates: []tls.Certificate{cert},
InsecureSkipVerify: true,
VerifyPeerCertificate: verifyPeerCertFunc(pool),
})
dbURI += "&tls=cloudsql"
}
// dbPool is the pool of database connections.
dbPool, err := sql.Open("mysql", dbURI)
if err != nil {
return nil, fmt.Errorf("sql.Open: %w", err)
}
// ...
return dbPool, nil
}
// verifyPeerCertFunc returns a function that verifies the peer certificate is
// in the cert pool.
func verifyPeerCertFunc(pool *x509.CertPool) func([][]byte, [][]*x509.Certificate) error {
return func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
if len(rawCerts) == 0 {
return errors.New("no certificates available to verify")
}
cert, err := x509.ParseCertificate(rawCerts[0])
if err != nil {
return err
}
opts := x509.VerifyOptions{Roots: pool}
if _, err = cert.Verify(opts); err != nil {
return err
}
return nil
}
}
다음 단계
다른 Google Cloud 제품의 코드 샘플을 검색하고 필터링하려면 Google Cloud 샘플 브라우저를 참조하세요.