Posted to commits@airflow.apache.org by GitBox <gi...@apache.org> on 2021/08/12 15:59:50 UTC

[GitHub] [airflow] potiuk commented on issue #17574: [BUG] Helm chart does not correctly support sslmode for PostgreSQL connection

potiuk commented on issue #17574:
URL: https://github.com/apache/airflow/issues/17574#issuecomment-897759148


   This is Postgres' requirement, not Airflow's (and for a very good reason). Postgres will never read from the certificate chain installed in the system, for a very good reason. What Postgres does during verification is not to check whether the service is signed by "a" certificate authority, but whether it is signed by "THE" certificate authorities that are specifically configured as "OK" when you configure the connectivity.
   
   From https://www.postgresql.org/docs/9.1/libpq-ssl.html
   
   > To allow server certificate verification, the certificate(s) of one or more trusted CAs must be placed in the file ~/.postgresql/root.crt in the user's home directory. (On Microsoft Windows the file is named %APPDATA%\postgresql\root.crt.)
   
   You could map the certificates to the home directory via an additional secrets mapping; however, I recommend following the "recommended" way of configuring SSL using PGBouncer's configuration (that's why we have no easy option to do it in the chart).
   
   Configuring "direct" Postgres connectivity is a bad idea. Airflow opens a number of connections to the database, and it is recommended (and also the default in the Official Helm Chart) that PGBouncer is used to provide proxy/pool functionality for Postgres connections. This is fully supported by the Official Helm Chart; it's proven and working for a lot of huge production installations (and you get yourself into trouble with too many open connections if you try to connect directly to Postgres and you have many tasks running).
   
   The SSL configuration of PGBouncer is fully supported by the Helm Chart - https://airflow.apache.org/docs/helm-chart/stable/parameters-ref.html#pgbouncer - and you should use that. Under the hood, it works like this: internally, Airflow talks to PGBouncer without SSL (this is on the internal Kubernetes network, and only Airflow Pods can talk to each other via this port), and then PGBouncer talks to the external DB using SSL. It's robust, secure, proven and tested.
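The comment above turns on what libpq's sslmode actually verifies and where it reads its trusted CAs from. The following is an added example, not code from the Airflow issue, the Helm chart or the PostgreSQL project: a small resolver that applies the documented libpq rules (URI parameter over PG* environment variable over default; "require" only checks the CA chain if a root CA file is present; "verify-ca" and "verify-full" refuse to connect without one; only "verify-full" checks the hostname) and then models the two hops the comment describes. The PgBouncer service name, port, CA file paths, the function names and the shape of the error text are assumptions for illustration; the mode semantics come from the libpq SSL documentation, and PgBouncer's server_tls_sslmode uses the same mode names.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Sequence, Tuple
from urllib.parse import parse_qs, urlsplit

# Where libpq looks for trusted CAs when neither sslrootcert nor PGSSLROOTCERT
# is set (Unix path; on Windows it is %APPDATA%\postgresql\root.crt).
DEFAULT_ROOT_CRT = "~/.postgresql/root.crt"

# Documented libpq sslmode semantics, per mode:
#   (TLS required, CA check: "never" | "if-rootcert" | "always", hostname checked)
# "require" only checks the chain when a root CA file is actually present,
# so without root.crt it accepts any certificate the server presents.
SSLMODES: Dict[str, Tuple[bool, str, bool]] = {
    "disable":     (False, "never",       False),
    "allow":       (False, "never",       False),
    "prefer":      (False, "never",       False),
    "require":     (True,  "if-rootcert", False),
    "verify-ca":   (True,  "always",      False),
    "verify-full": (True,  "always",      True),
}


@dataclass(frozen=True)
class SslPolicy:
    host: str
    sslmode: str
    tls_required: bool
    verifies_ca: bool        # server cert must chain to a CA in rootcert
    verifies_hostname: bool  # server cert name must match host
    rootcert: Optional[str]  # CA file libpq would read, when it verifies
    error: Optional[str]     # why libpq would refuse to connect, if it would


def resolve_ssl_policy(dsn: str, env: Optional[Dict[str, str]] = None,
                       present_files: Sequence[str] = ()) -> SslPolicy:
    """Resolve the effective TLS policy for a postgresql:// URI.

    Precedence mirrors libpq: URI parameter > PG* environment variable > default.
    `present_files` stands in for the filesystem so the check runs offline.
    """
    env = env or {}
    parts = urlsplit(dsn)
    if parts.scheme not in ("postgresql", "postgres"):
        raise ValueError(f"not a postgresql:// URI: {dsn!r}")
    params = {k: v[-1] for k, v in parse_qs(parts.query).items()}

    sslmode = params.get("sslmode") or env.get("PGSSLMODE") or "prefer"
    if sslmode not in SSLMODES:
        raise ValueError(f"invalid sslmode value: {sslmode!r}")
    rootcert = (params.get("sslrootcert") or env.get("PGSSLROOTCERT")
                or DEFAULT_ROOT_CRT)
    rootcert_present = rootcert in present_files

    tls_required, ca_rule, check_host = SSLMODES[sslmode]
    verifies_ca = ca_rule == "always" or (ca_rule == "if-rootcert" and rootcert_present)

    error = None
    if ca_rule == "always" and not rootcert_present:
        # Modelled on libpq's failure (wording assumed): verify-* without a CA
        # file cannot connect at all, which is what the issue reporter hits.
        error = f'root certificate file "{rootcert}" does not exist'

    return SslPolicy(
        host=parts.hostname or "",
        sslmode=sslmode,
        tls_required=tls_required,
        verifies_ca=verifies_ca,
        verifies_hostname=check_host,
        rootcert=rootcert if verifies_ca else None,
        error=error,
    )


def chart_topology(external_db_host: str, ca_file: str) -> Tuple[SslPolicy, SslPolicy]:
    """The two hops described in the comment. Service name, port and paths are
    illustrative assumptions, not values taken from the chart."""
    # Hop 1: Airflow pods -> PgBouncer over the cluster-internal network, no TLS.
    in_cluster = resolve_ssl_policy(
        "postgresql://airflow@airflow-pgbouncer.airflow.svc.cluster.local:6543/"
        "airflow-metadata?sslmode=disable"
    )
    # Hop 2: PgBouncer -> external database, chain and hostname verified against
    # the one CA file mounted for PgBouncer (same mode names as libpq).
    to_external_db = resolve_ssl_policy(
        f"postgresql://airflow@{external_db_host}:5432/airflow"
        f"?sslmode=verify-full&sslrootcert={ca_file}",
        present_files=(ca_file,),
    )
    return in_cluster, to_external_db
```

The practical check this gives you: an Airflow pod with sslmode=require and no root.crt mounted gets an encrypted connection that would accept an attacker's certificate, while sslmode=verify-full in the same pod fails outright until the CA file is mapped into the home directory, which is the trade-off the comment resolves by terminating the verified hop in PgBouncer instead.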


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: commits-unsubscribe@airflow.apache.org

For queries about this service, please contact Infrastructure at:
users@infra.apache.org