MSSQL: Configuration of certificate verification for TLS connection (#31865)

Fixes #24589

Co-authored-by: Marcus Efraimsson <marcus.efraimsson@gmail.com>

devenv/datasources.yaml

@@ -255,6 +255,17 @@ datasources:
     secureJsonData:
       password: Password!
 
+  - name: gdev-mssql-tls
+    type: mssql
+    url: localhost:1434
+    database: grafana
+    user: grafana
+    jsonData:
+      encrypt: "true"
+      tlsSkipVerify: true
+    secureJsonData:
+      password: Password!
+
   - name: gdev-mssql-ds-tests
     type: mssql
     url: localhost:1433

devenv/datasources_docker.yaml

@@ -42,7 +42,7 @@ datasources:
       version: Flux
       organization: myorg
       defaultBucket: mybucket
-      
+
   - name: gdev-influxdb-influxql
     type: influxdb
     access: proxy
@@ -220,6 +220,17 @@ datasources:
     secureJsonData:
       password: Password!
 
+  - name: gdev-mssql-tls
+    type: mssql
+    url: localhost:1434
+    database: grafana
+    user: grafana
+    jsonData:
+      encrypt: "true"
+      tlsSkipVerify: true
+    secureJsonData:
+      password: Password!
+
   - name: gdev-mssql-ds-tests
     type: mssql
     url: mssqltests:1433
@@ -259,4 +270,4 @@ datasources:
     type: loki
     access: proxy
     url: http://loki:3100
-    editable: false
+    editable: false

devenv/docker/blocks/mssql_tls/build/Dockerfile

@@ -0,0 +1,21 @@
+FROM mcr.microsoft.com/mssql/server:2019-CU8-ubuntu-18.04
+
+WORKDIR /usr/setup
+COPY setup.sh setup.sql.template entrypoint.sh ./
+COPY mssql.conf /var/opt/mssql/mssql.conf
+
+USER root
+
+RUN chmod +x setup.sh
+RUN chown -R mssql ./
+RUN mkdir -p /home/mssql
+RUN chown -R mssql /home/mssql
+
+USER mssql
+
+RUN touch ~/.rnd
+RUN openssl req -x509 -nodes -newkey rsa:2048 -subj '/CN=mssql_tls' -keyout /var/opt/mssql/mssql.key -out /var/opt/mssql/mssql.pem -days 365
+RUN chmod 440 /var/opt/mssql/mssql.key
+RUN chmod 440 /var/opt/mssql/mssql.pem
+
+CMD /bin/bash ./entrypoint.sh

devenv/docker/blocks/mssql_tls/build/entrypoint.sh

@@ -0,0 +1,2 @@
+#start SQL Server and run setup script
+/usr/setup/setup.sh & /opt/mssql/bin/sqlservr

devenv/docker/blocks/mssql_tls/build/mssql.conf

@@ -0,0 +1,5 @@
+[network]
+tlscert = /var/opt/mssql/mssql.pem
+tlskey = /var/opt/mssql/mssql.key
+tlsprotocols = 1.2
+forceencryption = 1

devenv/docker/blocks/mssql_tls/build/setup.sh

@@ -0,0 +1,13 @@
+#/bin/bash
+set -eo pipefail
+
+#wait for the SQL Server to come up
+sleep 15s
+
+cat /usr/setup/setup.sql.template | awk '{
+  gsub(/%%DB%%/,"'$MSSQL_DATABASE'");
+  gsub(/%%USER%%/,"'$MSSQL_USER'");
+  gsub(/%%PWD%%/,"'$MSSQL_PASSWORD'")
+}1' > /usr/setup/setup.sql
+
+/opt/mssql-tools/bin/sqlcmd -S localhost -U sa -P $MSSQL_SA_PASSWORD -d master -i /usr/setup/setup.sql

devenv/docker/blocks/mssql_tls/build/setup.sql.template

@@ -0,0 +1,26 @@
+CREATE LOGIN %%USER%% WITH PASSWORD = '%%PWD%%'
+GO
+
+CREATE DATABASE %%DB%%
+ON
+( NAME = %%DB%%,
+    FILENAME = '/var/opt/mssql/data/%%DB%%.mdf',
+    SIZE = 500MB,
+    MAXSIZE = 1000MB,
+    FILEGROWTH = 100MB )
+LOG ON
+( NAME = %%DB%%_log,
+    FILENAME = '/var/opt/mssql/data/%%DB%%_log.ldf',
+    SIZE = 500MB,
+    MAXSIZE = 1000MB,
+    FILEGROWTH = 100MB );
+GO
+
+USE %%DB%%;
+GO
+
+CREATE USER %%USER%% FOR LOGIN %%USER%%;
+GO
+
+EXEC sp_addrolemember 'db_owner', '%%USER%%';
+GO

devenv/docker/blocks/mssql_tls/docker-compose.yaml

@@ -0,0 +1,18 @@
+  mssql_tls:
+    build:
+      context: docker/blocks/mssql_tls/build
+    environment:
+      ACCEPT_EULA: Y
+      MSSQL_SA_PASSWORD: Password!
+      MSSQL_PID: Developer
+      MSSQL_DATABASE: grafana
+      MSSQL_USER: grafana
+      MSSQL_PASSWORD: Password!
+    ports:
+      - "1434:1433"
+
+  fake-mssql-tls-data:
+    image: grafana/fake-data-gen
+    environment:
+      FD_DATASOURCE: mssql_tls
+      FD_PORT: 1434