Summary
Pod is encountering an ‘SSL off’ error despite proper configuration of Temporal TLS environment variables.
Question
Temporal TLS environment variables are set correctly but the pod is still getting an “SSL off” error. Any ideas?
Based on talking to the bot I think the issue is related to the DATABASE_URL not being set in the temporal pod correctly. Has anybody experienced this type of issue?
Ensure the full DATABASE_URL is used:
According to the maintainer’s comment, the root cause might be that the Temporal service should use a full DATABASE_URL variable instead of individual parameters. This ensures that URL extra parameters such as sslmode=require are taken into account.
Unfortunately, the Helm chart might not support setting a full DATABASE_URL directly. However, you can try to override the Temporal image or modify the Helm chart to ensure the full connection string is used.
The temporal deployment manifest pulls in this:
```yaml
      - name: airbyte-temporal
        image: {{ printf "%s:%s" .Values.image.repository .Values.image.tag }}
        imagePullPolicy: {{ .Values.image.pullPolicy }}
        env:
        {{- if eq .Values.global.deploymentMode "oss"}}
          - name: AUTO_SETUP
            value: "true"
          - name: DB # The DB engine to use
            value: "postgresql"
          - name: DYNAMIC_CONFIG_FILE_PATH
            value: "config/dynamicconfig/development.yaml"
        {{- include "airbyte.temporal.database.envs" . | nindent 10 }}
```
Which gives it the necessary variables for the database connection. The following variables are set:
```yaml
            value: "true"
          - name: SQL_TLS_ENABLED
            value: "true"
          - name: SQL_HOST_VERIFICATION
            value: "false"
          - name: SQL_TLS_DISABLE_HOST_VERIFICATION
            value: "true"
```
What more can be done here? The connection string that is built via these settings is clearly not setting the sslmode=require option correctly.
After many hours of painful research I’ve found the solution to enable TLS on the temporal pod. It’s using this setup script: https://github.com/temporalio/docker-builds/blob/main/docker/auto-setup.sh#L38
Which has the TLS variables disabled by default:
```shell
: "${POSTGRES_TLS_ENABLED:=false}"
: "${POSTGRES_TLS_DISABLE_HOST_VERIFICATION:=false}"
: "${POSTGRES_TLS_CERT_FILE:=}"
: "${POSTGRES_TLS_KEY_FILE:=}"
: "${POSTGRES_TLS_CA_FILE:=}"
: "${POSTGRES_TLS_SERVER_NAME:=}"
```
But more importantly, the variables are prefixed with POSTGRES_
and not just TLS_ENABLED
as indicated elsewhere.
By adding these two variables I managed to enable TLS on the postgres connection:
It also pulls in extraEnv set in values.yml:
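The following script is an added illustration of the naming mismatch discussed in the thread; it is not code from Airbyte, Temporal or the original post. It reproduces the `: "${VAR:=default}"` idiom from auto-setup.sh to show that a default is only ever assigned to the exact variable name the script reads, so exporting SQL_TLS_ENABLED leaves POSTGRES_TLS_ENABLED at its default of false and the connection stays in plaintext. The `resolve_pg_tls` and `tls_env_check` functions, and the mapping of the two flags onto libpq sslmode values, are assumptions made for the example; the real setup script passes its own flags to Temporal's tooling rather than building an sslmode string.

```shell
#!/bin/sh
# Added example, not code from Airbyte, Temporal or the Slack thread.
# Mirrors the ': "${VAR:=default}"' defaulting used by auto-setup.sh so the
# effect of the POSTGRES_ prefix can be checked locally before deploying.
# The sslmode mapping below is an assumption for illustration only.

# resolve_pg_tls: print the effective TLS mode for the current environment.
# Only POSTGRES_TLS_ENABLED and POSTGRES_TLS_DISABLE_HOST_VERIFICATION are
# consulted; any SQL_TLS_* variable is simply never read.
resolve_pg_tls() {
    # Same idiom as the setup script: assign the default only if unset/empty.
    : "${POSTGRES_TLS_ENABLED:=false}"
    : "${POSTGRES_TLS_DISABLE_HOST_VERIFICATION:=false}"

    if [ "$POSTGRES_TLS_ENABLED" != "true" ]; then
        echo "disable"            # plaintext: this is the "SSL off" outcome
    elif [ "$POSTGRES_TLS_DISABLE_HOST_VERIFICATION" = "true" ]; then
        echo "require"            # encrypted, server identity not verified
    else
        echo "verify-full"        # encrypted and server certificate verified
    fi
}

# tls_env_check: classify the variable names a pod spec exports.
# Arguments are variable names (a constructed list is used below).
# Returns 0 if at least one POSTGRES_TLS_* name is present, 1 otherwise.
tls_env_check() {
    found=1
    for name in "$@"; do
        case "$name" in
            POSTGRES_TLS_*)
                echo "honoured by auto-setup.sh: $name"; found=0 ;;
            SQL_TLS_*|SQL_HOST_VERIFICATION)
                echo "ignored by auto-setup.sh:  $name" ;;
            *)
                echo "unrelated:                 $name" ;;
        esac
    done
    return "$found"
}

# Demonstration with constructed inputs mirroring the thread.
echo "--- variables from the chart's manifest (SQL_ prefix) ---"
tls_env_check SQL_TLS_ENABLED SQL_HOST_VERIFICATION SQL_TLS_DISABLE_HOST_VERIFICATION || true
echo "effective mode: $(SQL_TLS_ENABLED=true; resolve_pg_tls)"

echo "--- variables with the POSTGRES_ prefix the script reads ---"
tls_env_check POSTGRES_TLS_ENABLED POSTGRES_TLS_DISABLE_HOST_VERIFICATION
echo "effective mode: $(POSTGRES_TLS_ENABLED=true; POSTGRES_TLS_DISABLE_HOST_VERIFICATION=true; resolve_pg_tls)"
```

Each `resolve_pg_tls` call is made inside a command substitution, so the defaults it assigns stay in that subshell; running it against a copy of the pod's environment (for example via `kubectl exec` into the pod and sourcing the same variables) is a quick way to confirm which mode the setup script will actually see. Note that disabling host verification keeps the link encrypted but gives up the check that the server presenting the certificate is the intended database host.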