timothyclarke opened a new issue #17574:
URL: https://github.com/apache/airflow/issues/17574
**Apache Airflow version**: 2.12
**Apache Airflow Provider versions** : not applicable - none / standard /
unknown (delete as applicable). I am installing the helm chart from this repo
with very little customization
**Kubernetes version (if you are using kubernetes)** : not applicable - 1.20
**Environment**:
- **Cloud provider or hardware configuration**: AWS
- **OS** (e.g. from /etc/os-release): linux
- **Kernel** (e.g. `uname -a`): not applicable - unknown
- **Install tools**: helm
- **Others**:
**What happened**:
I am attempting to install airflow into a kubernetes cluster with a secure
connection to the database
I am using the provided helm chart and my install command is
```
helm upgrade airflow airflow \
--repo https://airflow.apache.org \
--version 1.1.0 \
--history-max 2 \
--namespace airflow \
--values helm/apache-airflow.overrides.yaml \
--timeout 15m \
--install
```
The pertinent part of `apache-airflow.overrides.yaml` contains
```
data:
metadataConnection:
sslmode: verify-full
```
I am using an AWS RDS instance and so the CA certs SHOULD be in the OS by
default. If they are not then they are available in [the AWS RDS PKI
truststore](https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem).
Telling people to build a custom docker container to add ssl certs is not a
realistic solution.
**Errors** :
When installing for the first time the migrations job runs and generates the
following error
```
[2021-08-12 09:30:42,956] {cli_action_loggers.py:105} WARNING - Failed to
log action with (psycopg2.OperationalError) root certificate file
"/home/airflow/.postgresql/root.crt" does not exist
Either provide the file or change sslmode to disable server certificate
verification.
```
```
psycopg2.OperationalError: root certificate file
"/home/airflow/.postgresql/root.crt" does not exist
Either provide the file or change sslmode to disable server certificate
verification.
```
**What you expected to happen**:
I expect the all sslmodes to be supported (or to be removed from the chart).
If a custom or self signed SSL cert is needed then there should be an option to
provide it to the chart
**How to reproduce it**:
1. Create an external database.
2. When installing the chart provide database details with
`.data.metadataConnection.*` ensure that .data.metadataConnection.sslmode` is
set to a valid enabled state.
**Anything else we need to know**:
How often does this problem occur? whenever sslmode is enabled
--
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.
To unsubscribe, e-mail: [email protected]
For queries about this service, please contact Infrastructure at:
[email protected]
