Flyway is a handy utility for managing database schema migrations. It is very similar to the schema migration mechanism in Ruby on Rails or Django, but Flyway is a standalone tool, so it's best suited to a project which doesn't have database schema management yet.
I needed to use Flyway for a project I worked on; the only catch is that the MySQL database requires an SSL-encrypted connection. I had a read of the official SSL support page and understood how it works with SSL. I ran the schema migrations in a CI pipeline, which means running Flyway in a Docker container makes perfect sense. However, there's no out-of-the-box SSL support in Flyway's official Docker documentation.
Then I decided to give it a try.
I tried to automate things as much as possible and came up with the solution I thought most straightforward: supply 3 SSL certs to the container (ENVs for the file paths and a volume mount for read access) and it should just work. Here's a copy of the entrypoint script I wrote for the Flyway container:
#!/bin/bash
set -euo pipefail
# ref. https://dev.mysql.com/doc/connector-j/5.1/en/connector-j-reference-using-ssl.html
# This script checks ENVs and generates the Java truststore if needed
if [[ -v CA_CERT_FILE ]] && [[ -v CLIENT_CERT_FILE ]] && [[ -v CLIENT_KEY_FILE ]]; then
  # the password is only used inside the container
  export STORE_PASS=playground
  export JAVA_ARGS="-Djavax.net.ssl.trustStore=/flyway/flyway-truststore -Djavax.net.ssl.trustStorePassword=${STORE_PASS} -Djavax.net.ssl.keyStore=/flyway/flyway-keystore -Djavax.net.ssl.keyStorePassword=${STORE_PASS}"
  echo "Generating a Java keystore..."
  # $CA_CERT_FILE, $CLIENT_KEY_FILE and $CLIENT_CERT_FILE are the paths to SSL certs for mysql client
  # for example
  # CA_CERT_FILE=/work/${CERTS}/ca.pem
  # CLIENT_KEY_FILE=/work/${CERTS}/client-key.pem
  # CLIENT_CERT_FILE=/work/${CERTS}/client-cert.pem
  # trust store for server authentication
  keytool -keystore flyway-truststore -storepass:env STORE_PASS -noprompt -trustcacerts -importcert -alias mysqlclient -file "$CA_CERT_FILE"
  # key store for client authentication
  openssl pkcs12 -export -in "${CLIENT_CERT_FILE}" -inkey "${CLIENT_KEY_FILE}" -out client.p12 -name mysql-client -passout "pass:${STORE_PASS}"
  keytool -importkeystore -deststorepass "${STORE_PASS}" -destkeystore flyway-keystore -srckeystore client.p12 -srcstoretype PKCS12 -srcstorepass "${STORE_PASS}" -alias mysql-client
fi
# pass all container arguments through to flyway unchanged
flyway "$@"

This is already tested in my project and you're welcome to pull it from DockerHub:
docker pull raynix/flyway:8.5.5
I’ve submitted this back to Flyway as a pull request. Hope it can be accepted.
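With the three `-v` tests in the entrypoint script, a container that receives only one or two of the variables, or a path whose volume was never mounted, skips or breaks store generation with little explanation. The pre-flight check below is an added example, not part of the original script or of Flyway; the function name `preflight_ssl_files` and its exit codes are assumptions made for illustration.

```bash
#!/bin/bash
# Added example, not part of the original entrypoint or of Flyway.
# preflight_ssl_files and its exit codes are hypothetical:
#   0 = all three files usable, 1 = none configured, 2 = partial or unusable
# Call it with "${CA_CERT_FILE:-}" "${CLIENT_CERT_FILE:-}" "${CLIENT_KEY_FILE:-}".
preflight_ssl_files() (
  ca=$1 cert=$2 key=$3
  count=0
  for f in "$ca" "$cert" "$key"; do
    if [ -n "$f" ]; then count=$((count + 1)); fi
  done
  if [ "$count" -eq 0 ]; then exit 1; fi
  if [ "$count" -ne 3 ]; then
    echo "SSL config incomplete: $count of 3 cert variables set" >&2
    exit 2
  fi
  for f in "$ca" "$cert" "$key"; do
    if [ ! -r "$f" ] || [ ! -s "$f" ]; then
      echo "not readable or empty (volume mounted?): $f" >&2
      exit 2
    fi
  done
  for f in "$ca" "$cert"; do
    if ! grep -q -e '-----BEGIN CERTIFICATE-----' "$f"; then
      echo "no PEM certificate in $f" >&2
      exit 2
    fi
  done
  if ! grep -Eq -e '-----BEGIN ([A-Z]+ )?PRIVATE KEY-----' "$key"; then
    echo "no PEM private key in $key" >&2
    exit 2
  fi
  # The entrypoint calls openssl pkcs12 -export without -passin, so a
  # passphrase-protected key cannot be read non-interactively in CI.
  if grep -q -e 'ENCRYPTED' "$key"; then
    echo "private key is passphrase-protected: $key" >&2
    exit 2
  fi
  exit 0
)
```

In the entrypoint, exit code 0 would lead into the keytool and openssl steps, 1 would go straight to `flyway "$@"`, and 2 would stop the container before any migration runs.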
Ref. MySQL Connector/J SSL Support
🙂
