Support reading mysql backend credentials from environment variables (#30136)

Signed-off-by: Miles <[email protected]>
Co-authored-by: Violet Hynes <[email protected]>

Author: miles-w-3

changelog/30136.txt

@@ -0,0 +1,3 @@
+```release-note:improvement
+storage/mysql: Added support for getting mysql backend username and password from the environment variables `VAULT_MYSQL_USERNAME` and `VAULT_MYSQL_PASSWORD`.
+```

physical/mysql/mysql.go

@@ -13,6 +13,7 @@ import (
 	"io/ioutil"
 	"math"
 	"net/url"
+	"os"
 	"sort"
 	"strconv"
 	"strings"
@@ -268,13 +269,22 @@ func NewMySQLClient(conf map[string]string, logger log.Logger) (*sql.DB, error)
 	var err error
 
 	// Get the MySQL credentials to perform read/write operations.
-	username, ok := conf["username"]
-	if !ok || username == "" {
-		return nil, fmt.Errorf("missing username")
+	username := os.Getenv("VAULT_MYSQL_USERNAME")
+	if username == "" {
+		confUsername, ok := conf["username"]
+		if !ok || confUsername == "" {
+			return nil, fmt.Errorf("missing username")
+		}
+		username = confUsername
 	}
-	password, ok := conf["password"]
-	if !ok || password == "" {
-		return nil, fmt.Errorf("missing password")
+
+	password := os.Getenv("VAULT_MYSQL_PASSWORD")
+	if password == "" {
+		confPassword, ok := conf["password"]
+		if !ok || confPassword == "" {
+			return nil, fmt.Errorf("missing password")
+		}
+		password = confPassword
 	}
 
 	// Get or set MySQL server address. Defaults to localhost and default port(3306)

website/content/docs/configuration/storage/mysql.mdx

@@ -43,7 +43,7 @@ storage "mysql" {
 - `tls_ca_file` `(string: "")` – Specifies the path to the CA certificate to
   connect using TLS.
 
-- `plaintext_credentials_transmission` `(string: "")` - Provides authorization
+- `plaintext_connection_allowed` `(string: "")` - Provides authorization
   to send credentials over plaintext. Failure to provide a value AND a failure
   to provide a TLS CA certificate will warn that the credentials are being sent
   over plain text. In the future, failure to do acknowledge or use TLS will
@@ -64,10 +64,10 @@ storage "mysql" {
 Additionally, Vault requires the following authentication information.
 
 - `username` `(string: <required>)` – Specifies the MySQL username to connect to
-  the database.
+  the database. This value can also be set using the `VAULT_MYSQL_USERNAME` environment variable.
 
 - `password` `(string: <required>)` – Specifies the MySQL password to connect to
-  the database.
+  the database. This value can also be set using the `VAULT_MYSQL_PASSWORD` environment variable.
 
 ### High availability parameters