Self hosted retool is failing to start using Aurora Postgres DB

Self-hosted Retool is failing to start using Aurora Postgres DB. It works fine if Postgres is running on a sidecar. But after switching to Aurora DB, it is exiting with an error. I am able to connect to the DB manually from the Retool pod, though.

setsid su retool_user -c /retool_backend/docker_scripts/start_api.sh
root@retool-gql--nonprod-xxx-aws-staging-use1-0:/retool_backend# not untarring the bundle
sed: can't read ./dist/mobile/*.js: No such file or directory
{"level":"info","message":"[process service types] DB_CONNECTOR, DB_SSH_CONNECTOR, MAIN_BACKEND, JOBS_RUNNER, WORKFLOW_WORKER","timestamp":"2024-02-27T21:29:05.100Z"}
Failing checking database migrations

---------------------------
-     EXITING RETOOL      -
---------------------------

Error running database migrations: SequelizeConnectionError: no pg_hba.conf entry for host "10.XXX.XX.XXX", user "admin_user", database "retooldb", no encryption

Are there any environment variables to be set for external DB connections?

Hi there @girishsu! Looking at these AWS Aurora security docs, they note that a no pg_hba.conf entry for host error will occur if your cluster has rds.force_ssl enabled and a client is attempting to connect without using SSL.

Can you try setting the following environment variables on your deployment:

POSTGRES_SSL_ENABLED=true
POSTGRES_SSL_REJECT_UNAUTHORIZED=true

The Retool Docker images include the AWS certificate bundle built-in.

Thanks @shawntax. Tried setting the postgres env variables.

Now I see - Error running database migrations: SequelizeConnectionError: unable to get local issuer certificate

I am using tryretool/backend:3.28.4

Retool team, any updates on this issue? We want to address this ASAP or we have to roll back the changes.

@shawntax

Similar issue

"Setting ENV POSTGRES_SSL_REJECT_UNAUTHORIZED=false in the Dockerfile resolved the issue." was the resolution provided. Is this recommended?

cc: @victoria

@girishsu hmm, first can you try adding the following environment variable as well:

NODE_EXTRA_CA_CERTS=certs/global-bundle.pem

This attempts to explicitly tell the Node process running Retool to add the AWS cert bundle we provide to its known certs.

If that doesn't work, then it's worth trying to set POSTGRES_SSL_REJECT_UNAUTHORIZED=false

Thanks. This setting worked for me. I didn't try NODE_EXTRA_CA_CERTS.
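
A preflight check for the three variables discussed in this thread, added here as an example (it is not Retool's code and not part of any post above): it flags a disabled or unverified TLS setup and confirms that a relative NODE_EXTRA_CA_CERTS path resolves to a readable PEM bundle from the process working directory. The function name, the finding labels, the treatment of only the literal `true` as enabled, and the temp-dir fixture are assumptions made for illustration.

```javascript
const fs = require('fs');
const os = require('os');
const path = require('path');

// Hypothetical helper: returns a list of findings for the given environment.
// An empty list means TLS is enabled and the server certificate is verified.
function auditPgTlsEnv(env, cwd) {
  const findings = [];
  if (env.POSTGRES_SSL_ENABLED !== 'true') {
    // With rds.force_ssl on, Aurora answers a plaintext client with
    // "no pg_hba.conf entry for host ... no encryption".
    findings.push('SSL_DISABLED');
  }
  if (env.POSTGRES_SSL_REJECT_UNAUTHORIZED === 'false') {
    // The link is encrypted, but the server certificate is never checked,
    // so the client cannot tell the real cluster from an impostor.
    findings.push('CERT_NOT_VERIFIED');
  }
  const extra = env.NODE_EXTRA_CA_CERTS;
  if (extra) {
    // A relative path is resolved against the working directory of the Node
    // process. Node only emits a warning and carries on if the file cannot be
    // loaded, so check it up front.
    const resolved = path.resolve(cwd, extra);
    let pem = null;
    try { pem = fs.readFileSync(resolved, 'utf8'); } catch (_) { /* unreadable */ }
    if (pem === null) findings.push('CA_BUNDLE_MISSING');
    else if (!pem.includes('-----BEGIN CERTIFICATE-----')) findings.push('CA_BUNDLE_EMPTY');
  }
  return findings;
}

// Constructed fixture: a temp dir standing in for the container's working
// directory, holding a placeholder file at certs/global-bundle.pem.
function makeFixture() {
  const dir = fs.mkdtempSync(path.join(os.tmpdir(), 'pg-tls-audit-'));
  fs.mkdirSync(path.join(dir, 'certs'));
  fs.writeFileSync(path.join(dir, 'certs', 'global-bundle.pem'),
    '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n');
  return dir;
}

const demoDir = makeFixture();
const verified = { POSTGRES_SSL_ENABLED: 'true', POSTGRES_SSL_REJECT_UNAUTHORIZED: 'true',
                   NODE_EXTRA_CA_CERTS: 'certs/global-bundle.pem' };
const unverified = { POSTGRES_SSL_ENABLED: 'true', POSTGRES_SSL_REJECT_UNAUTHORIZED: 'false' };
console.log('verified config  :', auditPgTlsEnv(verified, demoDir));
console.log('unverified config:', auditPgTlsEnv(unverified, demoDir));
console.log('wrong working dir:', auditPgTlsEnv(verified, path.join(demoDir, 'certs')));
```
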