potiuk edited a comment on issue #17574: URL: https://github.com/apache/airflow/issues/17574#issuecomment-897759148
> I am using an AWS RDS instance and so the CA certs SHOULD be in the OS by default. If they are not then they are available in the AWS RDS PKI truststore.

This is postgres' requirement, not airflow's (and for a very good reason). Postgres will never verify the server certificate from the certificate chain installed in the system, for a very good reason. What postgres does during verification is not to verify whether the service is signed with "a" certificate authority, but whether it is signed with "THE" certificate authorities that are specifically configured as "OK" when you configure the connectivity. From https://www.postgresql.org/docs/9.1/libpq-ssl.html:

> To allow server certificate verification, the certificate(s) of one or more trusted CAs must be placed in the file ~/.postgresql/root.crt in the user's home directory. (On Microsoft Windows the file is named %APPDATA%\postgresql\root.crt.)

You could map the certificates to the home directory via additional secrets mapping, however I recommend following the "recommended" way of configuring SSL using PGBouncer's configuration (that's why we have no easy option to do it in the chart).

Configuring "direct" postgres connectivity is a bad idea. Airflow opens a number of connections to the database and it is recommended (also the default in the Official Helm Chart) that PGBouncer is used to provide proxy/pool functionality for Postgres connections. This is fully supported by the Official Helm Chart; it's proven and working for a lot of huge production installations (and you get yourself into trouble with too many open connections if you try to connect directly to postgres and you have many tasks running). The SSL configuration of PGBouncer is fully supported by the Helm Chart - https://airflow.apache.org/docs/helm-chart/stable/parameters-ref.html#pgbouncer and you should use that.

Under the hood it works in the way that internally airflow talks to pgbouncer without SSL (this is on the internal Kubernetes network and only Airflow Pods can talk to each other via this port) and then PGBouncer talks to the external DB using SSL. It's robust, secure, proven and tested.
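As an added example (not part of the thread, and not code from the Airflow project, its Helm chart or pgbouncer): a small Python checker that reads the SSL settings from either a libpq/SQLAlchemy connection string (the form Airflow's `sql_alchemy_conn` takes) or the `[pgbouncer]` section of a pgbouncer.ini, and reports what the configured `sslmode` actually guarantees on that hop. The `sslmode` semantics follow the libpq documentation (`require` encrypts but accepts any certificate; only `verify-ca`/`verify-full` check the chain, and only against `sslrootcert` or `~/.postgresql/root.crt`, never the OS trust store) and pgbouncer's `server_tls_sslmode` / `server_tls_ca_file` settings. The connection strings, hostnames, password and CA file paths are constructed samples.

```python
"""Report what a PostgreSQL client's SSL settings actually guarantee.

Added example, not code from the Airflow project, its Helm chart or pgbouncer.
Covers the two hops discussed above: a libpq / SQLAlchemy connection string
(Airflow's sql_alchemy_conn) and the server-side TLS settings in pgbouncer.ini.
"""
import configparser
import shlex
from urllib.parse import parse_qs, urlsplit

# libpq sslmode values, weakest to strongest (libpq docs, "SSL Support").
# pgbouncer's server_tls_sslmode uses the same vocabulary.
SSL_MODES = ("disable", "allow", "prefer", "require", "verify-ca", "verify-full")

# What libpq reads when sslrootcert is not given (Unix path; %APPDATA% on Windows).
LIBPQ_DEFAULT_ROOT = "~/.postgresql/root.crt"


def assess(sslmode, ca_file, default_ca=None):
    """Describe the guarantees of one sslmode + CA file combination.

    default_ca is the fallback trust anchor when ca_file is None: libpq falls
    back to ~/.postgresql/root.crt, pgbouncer has no fallback (verify-* without
    server_tls_ca_file is a misconfiguration).  This checker does not touch the
    filesystem, so libpq's rule that 'require' behaves like 'verify-ca' when
    root.crt happens to exist is deliberately not modelled.
    """
    if sslmode not in SSL_MODES:
        raise ValueError(f"unknown sslmode {sslmode!r}")
    level = SSL_MODES.index(sslmode)
    anchor = ca_file or default_ca
    # Below 'require' TLS is negotiable, so an active attacker can strip it.
    encrypted = level >= SSL_MODES.index("require")
    # Only verify-ca / verify-full check the chain, and only against the
    # configured file: the OS trust store is never consulted.
    verifies = level >= SSL_MODES.index("verify-ca") and anchor is not None
    return {
        "sslmode": sslmode,
        "encrypted": encrypted,
        "server_authenticated": verifies,
        "hostname_checked": verifies and sslmode == "verify-full",
        "trust_anchor": anchor if verifies else None,
    }


def check_libpq(conninfo):
    """Assess a libpq conninfo string ('host=... sslmode=...') or a
    postgresql:// URL, including SQLAlchemy's postgresql+psycopg2:// form."""
    if "://" in conninfo:
        query = parse_qs(urlsplit(conninfo).query)
        params = {key: values[-1] for key, values in query.items()}
    else:
        params = dict(tok.split("=", 1) for tok in shlex.split(conninfo) if "=" in tok)
    # libpq defaults to 'prefer' when sslmode is absent.
    return assess(params.get("sslmode", "prefer"), params.get("sslrootcert"),
                  default_ca=LIBPQ_DEFAULT_ROOT)


def check_pgbouncer(ini_text):
    """Assess the pgbouncer -> database hop from a pgbouncer.ini text."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.read_string(ini_text)
    section = cfg["pgbouncer"]
    # pgbouncer's documented default for server_tls_sslmode is 'prefer'.
    return assess(section.get("server_tls_sslmode", "prefer"),
                  section.get("server_tls_ca_file"))


# Constructed samples (hostnames, password and paths are made up).
DIRECT_REQUIRE = ("postgresql+psycopg2://airflow:secret@db.example.internal:5432/airflow"
                  "?sslmode=require")
DIRECT_VERIFY_FULL = ("postgresql+psycopg2://airflow:secret@db.example.internal:5432/airflow"
                      "?sslmode=verify-full&sslrootcert=/etc/ssl/rds-ca-bundle.pem")
PGBOUNCER_INI = """
[databases]
airflow = host=db.example.internal port=5432 dbname=airflow

[pgbouncer]
listen_addr = 0.0.0.0
listen_port = 6543
server_tls_sslmode = verify-full
server_tls_ca_file = /etc/pgbouncer/rds-ca-bundle.pem
"""

if __name__ == "__main__":
    for label, verdict in [
        ("direct, sslmode=require", check_libpq(DIRECT_REQUIRE)),
        ("direct, verify-full + sslrootcert", check_libpq(DIRECT_VERIFY_FULL)),
        ("pgbouncer -> database", check_pgbouncer(PGBOUNCER_INI)),
    ]:
        print(f"{label}: {verdict}")
```

Run it as a script to print the three verdicts. The useful output is the `server_authenticated` / `trust_anchor` pair: `sslmode=require` reports encrypted but unauthenticated, and `verify-ca` without a CA file on the pgbouncer side reports no trust anchor at all, which is exactly the "THE CA, not a CA" point made above. The CA file path the checker reports is the only thing the client will trust, so on the pgbouncer hop it has to be the bundle mounted from the chart's pgbouncer SSL values, not whatever is in the container's OS store.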
