Hello @williamdes , I am sorry to have to you ask you such a thing, but can you see my proposal please ?

The related issue is here: #449

If you can also open a PR to the QA_5_2 branch of https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/setup.rst#installing-using-docker to add the new ENVs that would be great. Else I will do it

I guess an example using https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/config.rst#amazon-rds-aurora-with-ssl could clarify how to use this feature.

If you can also open a PR to the QA_5_2 branch of https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/setup.rst#installing-using-docker to add the new ENVs that would be great. Else I will do it

I guess an example using https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/config.rst#amazon-rds-aurora-with-ssl could clarify how to use this feature.

So, if I understand correctly, you wan't to me to open a PR for PhpMyAdmin application and add mTLS support in the installing-using-docker section of the setup.rst.

If yes, I am your men.

If you can also open a PR to the QA_5_2 branch of https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/setup.rst#installing-using-docker to add the new ENVs that would be great. Else I will do it

I guess an example using https://github.com/phpmyadmin/phpmyadmin/blob/QA_5_2/doc/config.rst#amazon-rds-aurora-with-ssl could clarify how to use this feature.

Here the PR about documentation adds: phpmyadmin/phpmyadmin#19465

Many thanks for your time and consideration

I am writing tests for the feature 🤞🏻
Maybe tomorrow I will be finished and can merge all this work

Update: I am still trying to find a solution for MySQL to deny the login, and then it can prove the test works

Update: I am still trying to find a solution for MySQL to deny the login, and then it can prove the test works

When MariaDB/MySQL is waiting for mTLS, the server close the request without "real" response (closed by peer).
So I guess to perform the test we need a working mTLS server.

I have tested on my installations, as my first screen show it up. But I agree that only a real automated test can proove that the system is working or not.

I will try somthing on my side with a new docker-compose file and self signed certificates with 100 years validity

Hello @williamdes ,
I've just seen that you open an error on bitnami.

Seems weir to see that nobody have seen this bug before. No one use mTLS with containers ?

My tests was done with my "installation", my bad on this side again: I didn't said my MariaDB service is a Galera + MaxScale cluster and not a Docker pod.

Seems weir to see that anyone have seen this bug before. No one use mTLS with containers ?

Looks like it :/

My tests was done with my "installation", my bad on this side again: I didn't said my MariaDB service is a Galera + MaxScale cluster and not a Docker pod.

good to know, that should be okay
Well, I am merging this anyway. I doubt there is more to fix now

Please try and verify that the merged result works 🙏🏻
So I can send it to the Docker official repository
I will test myself and at work, but in much more days

Please try and verify that the merged result works 🙏🏻 So I can send it to the Docker official repository I will test myself and at work, but in much more days

okay, I will build localy and connect PMA to my dev cluster.
tomorrow I will work on a K8S deployment and verify with my val/prod.

It not taste as a "full victory", but I hope its enought. As you said.

See you tomorrow for report.

Hum, yes.
Here my Ansible automation to install and configure my MariaDB/MaxScale cluster:
https://gitlab.com/cbz-d-velop/public-ansible/ansible-playbook-labocbz-deploy-mariadb-cluster

I can build a Docker image with a working mTLS connexion.
But I can't promise to maintain such an image. I dont know how to do with very long terms

EDIT because of miss understood

Yeah nervermind, I will validate this at work with Amazon Aurora RDS using SSL only that we already have setup

I can build a Docker image with a working mTLS connexion.

No need for something public, a validation that it works for you will be all I need to open a PR at Docker and get this into phpmyadmin:latest

EDIT because of miss understood

Yeah nervermind, I will validate this at work with Amazon Aurora RDS using SSL only that we already have setup

I can build a Docker image with a working mTLS connexion.

No need for something public, a validation that it works for you will be all I need to open a PR at Docker and get this into phpmyadmin:latest

Will be done tomorrow :)

This got accepted in Docker official: docker-library/official-images#17398
It should build soon, I hope everything works fine 🙏🏻
Builds: https://doi-janky.infosiftr.net/job/multiarch/job/amd64/job/phpmyadmin/

I will report back here, as soon as I test it at work

Hello

Okay, I will check builds and when the new one will be available I will check on my side.

I ve opened another PR on php side to enable HTTPS. I hope it will be merge asap.

If so, I will open another PR here to document HTTPS configuration :)

One build have been done this morning, but I dont see mTLS parameters in the docker hub page and in the image analysis layer :/

I ve opened another PR on php side to enable HTTPS. I hope it will be merge asap.

Can you link it here ?

but I dont see mTLS parameters in the docker hub page

Because I need to open a PR to https://github.com/docker-library/docs/tree/master/phpmyadmin and stitch the actual docs into it

One build have been done this morning, but I dont see mTLS parameters in the docker hub page and in the image analysis layer :/

It is live !

docker run --rm  -it phpmyadmin:5.2.1 ls -lah /etc/phpmyadmin
total 28K
drwxr-xr-x 1 root     root     4.0K Jan 14 03:18 .
drwxr-xr-x 1 root     root     4.0K Jan 14 12:33 ..
-rw-r--r-- 1 www-data www-data 8.3K Jan 14 03:17 config.inc.php
-rw-r--r-- 1 www-data www-data 1.9K Jan 14 03:17 helpers.php
drwxr-xr-x 2 www-data www-data 4.0K Jan 14 03:18 ssl

I ve opened another PR on php side to enable HTTPS. I hope it will be merge asap.

Can you link it here ?

but I dont see mTLS parameters in the docker hub page

Because I need to open a PR to https://github.com/docker-library/docs/tree/master/phpmyadmin and stitch the actual docs into it

here the link of the PR, to add HTTPS support to php:apache2
docker-library/php#1559

Good news, the testing phase is going fine.
Right now tests are passing for SSL connection, adding more and I will push

Hello @williamdes,
I've deployed the new Docker image and this is the result in my production K8s cluster:

From my ArgoCD:

As you can see, it's correct and working :)

Notice: K8s needs a base64 encoded string to set up a secret, so for base64 strings (e.g., CAS), we need to encode the CA in base64, get the string, add a ",", and encode the whole string in base64. It seems tricky, but it's working!

For me, the next step is to add support for Redis in mTLS in order to make the application scalable. I'll note it for my future self.

Notice: K8s needs a base64 encoded string to set up a secret, so for base64 strings (e.g., CAS), we need to encode the CA in base64, get the string, add a ",", and encode the whole string in base64. It seems tricky, but it's working!

I did not test yet the base64 part. But are you saying it is base64(`<base 64 cert>,`) ?
I expect it to work like <base 64 cert> for only one host

For me, the next step is to add support for Redis in mTLS in order to make the application scalable. I'll note it for my future self.

Maybe use Valkey or KeyDB ?
Feel free to post a php.ini configuration example as some users of Docker may find interesting to store sessions elsewhere.
And maybe by the same occasion make the containers read only

I did not test yet the base64 part. But are you saying it is base64(`<base 64 cert>,`) ? I expect it to work like <base 64 cert> for only one host

Yes its work with base64 string, as wanted. But to test in Kubernetes (my use case), to setup secret object in K8S cluster, strings have to be encoded in base64. So as our new vars need base64, you need to encore 2 times to set your secret. Its only for K8S secrets

Maybe use Valkey or KeyDB ? Feel free to post a php.ini configuration example as some users of Docker may find interesting to store sessions elsewhere. And maybe by the same occasion make the containers read only

The helpers.php file create multiples files inside the container when we load the PMA application, so I dont think the container can be read only (if you use mTLS).

For Redis and the php.ini file, I think the best solution if to edit the php image to add suport for Redis, so PMA will extends these configurations (as I done for HTTPS).

So, finally, for me it's working without any modifications. My use case is completed and I can use PMA. So I think we are done here.

It was a great pleasure to add some new features to a Docker tool/application used by full stack developers, students, new developers, etc., around the world and on a solution used by multiple providers.

It's a great achievement for me. Many thanks.

Tests pushed as ab37078 and they did pass: https://github.com/phpmyadmin/docker/actions/runs/12778155949/job/35620415452

It was a great pleasure to add some new features to a Docker tool/application used by full stack developers, students, new developers, etc., around the world and on a solution used by multiple providers.
It's a great achievement for me. Many thanks.

I was very pleased with your contribution and work on the feedback.
Thank you for contributing !

So, finally, for me it's working without any modifications. My use case is completed and I can use PMA. So I think we are done here.

Yes, I have to add the documentation in the main repo: phpmyadmin/phpmyadmin#19465 and on Docker Hub (docker-library/docs#2527) and this will be fully done