SSL off error in pod despite correct Temporal TLS environment variables

Summary

Pod is encountering an ‘SSL off’ error despite proper configuration of Temporal TLS environment variables.


Question

Temporal TLS environment variables are set correctly but the pod is still getting an “SSL off” error. Any ideas?



This topic has been created from a Slack thread to give it more visibility.


Based on talking to the bot I think the issue is related to the DATABASE_URL not being set in the temporal pod correctly. Has anybody experienced this type of issue?

Ensure Full DATABASE_URL is Used:
According to the maintainer’s comment, the root cause might be that the Temporal service should use a full DATABASE_URL variable instead of individual parameters. This ensures that URL extra parameters such as sslmode=require are taken into account.

Unfortunately, the Helm chart might not support setting a full DATABASE_URL directly. However, you can try to override the Temporal image or modify the Helm chart to ensure the full connection string is used.

The temporal deployment manifest pulls in this:

```yaml
- name: airbyte-temporal
  image: {{ printf "%s:%s" .Values.image.repository .Values.image.tag }}
  imagePullPolicy: {{ .Values.image.pullPolicy }}
  env:
  {{- if eq .Values.global.deploymentMode "oss"}}
    - name: AUTO_SETUP
      value: "true"
    - name: DB # The DB engine to use
      value: "postgresql"
    - name: DYNAMIC_CONFIG_FILE_PATH
      value: "config/dynamicconfig/development.yaml"

    {{- include "airbyte.temporal.database.envs" . | nindent 10 }}
```
Which gives it the necessary variables for the database connection:

The following variables are set:

```yaml
  value: "true"
- name: SQL_TLS_ENABLED
  value: "true"
- name: SQL_HOST_VERIFICATION
  value: "false"
- name: SQL_TLS_DISABLE_HOST_VERIFICATION
  value: "true"
```

What more can be done here? The connection string that is built via these settings is clearly not setting the sslmode=require option correctly.

After many hours of painful research I’ve found the solution to enable TLS on the temporal pod. It’s using this setup script: https://github.com/temporalio/docker-builds/blob/main/docker/auto-setup.sh#L38

Which has the TLS variables disabled by default:

```sh
: "${POSTGRES_TLS_ENABLED:=false}"
: "${POSTGRES_TLS_DISABLE_HOST_VERIFICATION:=false}"
: "${POSTGRES_TLS_CERT_FILE:=}"
: "${POSTGRES_TLS_KEY_FILE:=}"
: "${POSTGRES_TLS_CA_FILE:=}"
: "${POSTGRES_TLS_SERVER_NAME:=}"
```

But more importantly, the variables are prefixed with POSTGRES_ and not just TLS_ENABLED as indicated elsewhere.

By adding these two variables I managed to enable TLS on the postgres connection:

It also pulls in extraEnv set in values.yml:
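As an added example (not the Temporal auto-setup script and not part of this thread), the script below reproduces the `: "${VAR:=default}"` idiom quoted above so the prefix problem can be checked offline: `SQL_`-prefixed names from the Helm chart leave `POSTGRES_TLS_ENABLED` at its default of `false`, which is the "SSL off" outcome. The `--tls*` flag names it emits are illustrative placeholders, not the real script's arguments.

```sh
#!/bin/sh
# Added example, not the Temporal auto-setup script: reproduces the
# ": ${VAR:=default}" defaulting idiom so the effect of the variable prefix
# can be checked. Emitted flag names are placeholders, not the real script's.

# Build the TLS arguments a DB-setup step would receive, given NAME=VALUE
# pairs that stand in for the pod's environment. Runs in a subshell so the
# caller's environment is left untouched.
tls_args_for_env() {
  (
    unset POSTGRES_TLS_ENABLED POSTGRES_TLS_DISABLE_HOST_VERIFICATION POSTGRES_TLS_CA_FILE
    for kv in "$@"; do
      export "$kv"
    done

    # Same defaults as the script: anything not POSTGRES_-prefixed is ignored,
    # so SQL_TLS_ENABLED=true leaves POSTGRES_TLS_ENABLED at "false".
    : "${POSTGRES_TLS_ENABLED:=false}"
    : "${POSTGRES_TLS_DISABLE_HOST_VERIFICATION:=false}"
    : "${POSTGRES_TLS_CA_FILE:=}"

    if [ "$POSTGRES_TLS_ENABLED" != "true" ]; then
      # The "SSL off" outcome: the client never requests TLS at all.
      echo "NO_TLS"
      exit 0
    fi

    args="--tls"
    # Skipping hostname verification weakens the connection against
    # interception; prefer a CA file with verification left on where possible.
    if [ "$POSTGRES_TLS_DISABLE_HOST_VERIFICATION" = "true" ]; then
      args="$args --tls-disable-host-verification"
    fi
    if [ -n "$POSTGRES_TLS_CA_FILE" ]; then
      args="$args --tls-ca-file=$POSTGRES_TLS_CA_FILE"
    fi
    echo "$args"
  )
}

# Demonstration: the SQL_-prefixed names from the Helm chart have no effect.
echo "SQL_ prefix:      $(tls_args_for_env SQL_TLS_ENABLED=true SQL_TLS_DISABLE_HOST_VERIFICATION=true)"
echo "POSTGRES_ prefix: $(tls_args_for_env POSTGRES_TLS_ENABLED=true POSTGRES_TLS_CA_FILE=/certs/ca.pem)"
```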