[Feature request] MySQL SSL CA in datasource connector

https://github.com/grafana/grafana/issues/8570

pkg/tsdb/mysql/mysql.go

@@ -6,6 +6,10 @@ import (
 	"reflect"
 	"strconv"
 	"strings"
+	"errors"
+
+	"crypto/x509"
+	"crypto/tls"
 
 	"github.com/go-sql-driver/mysql"
 	"github.com/go-xorm/core"
@@ -32,6 +36,46 @@ func newMysqlQueryEndpoint(datasource *models.DataSource) (tsdb.TsdbQueryEndpoin
 		datasource.Url,
 		datasource.Database,
 	)
+
+	var tlsSkipVerify, tlsAuth, tlsAuthWithCACert bool
+	if datasource.JsonData != nil {
+		tlsAuth = datasource.JsonData.Get("tlsAuth").MustBool(false)
+		tlsAuthWithCACert = datasource.JsonData.Get("tlsAuthWithCACert").MustBool(false)
+		tlsSkipVerify = datasource.JsonData.Get("tlsSkipVerify").MustBool(false)
+	}
+
+	if tlsAuth || tlsAuthWithCACert {
+
+		secureJsonData := datasource.SecureJsonData.Decrypt()
+		tlsConfig := tls.Config {
+			InsecureSkipVerify: tlsSkipVerify,
+		}
+
+		if tlsAuthWithCACert && len(secureJsonData["tlsCACert"]) > 0 {
+
+			caPool := x509.NewCertPool()
+			if ok := caPool.AppendCertsFromPEM([]byte(secureJsonData["tlsCACert"])); !ok {
+				return nil, errors.New("Failed to parse TLS CA PEM certificate")
+			}
+
+			tlsConfig.RootCAs = caPool
+		}
+
+		if tlsAuth {
+			certs, err := tls.X509KeyPair([]byte(secureJsonData["tlsClientCert"]), []byte(secureJsonData["tlsClientKey"]))
+			if err != nil {
+				return nil, err
+			}
+			clientCert := make([]tls.Certificate, 0, 1)
+			clientCert = append(clientCert, certs)
+
+			tlsConfig.Certificates = clientCert
+		}
+
+		mysql.RegisterTLSConfig(datasource.Name, &tlsConfig)
+		cnnstr += "&tls=" + datasource.Name
+	}
+
 	logger.Debug("getEngine", "connection", cnnstr)
 
 	config := tsdb.SqlQueryEndpointConfiguration{