[Bug] Unable to use mTLS certs to connect to mysql in the schema setup/upgrade jobs #472
Description
What are you really trying to do?
Allow the schema-setup and schema-update jobs to connect to cloudsql and run successfully, using the configured values.
Describe the bug
The schema setup and update jobs do not have the configmaps that the other services do, so they are missing the mysql ssl certs.
I logged into the admin tools pod and connected to mysql via the cli using the --ssl-cert-key (etc) flags and it worked perfectly.
Minimal Reproduction
We're using jsonnet to process the helm charts, and here are the settings I have configured:
values: {
server: {
config: {
persistence: {
default: {
driver: 'sql',
sql: {
driver: 'mysql8',
host: c.mysqlBackend,
port: 3306,
database: 'temporal',
user: 'temporal',
existingSecret: 'temporal-mysql-secrets',
secretName: 'password',
maxConns: 20,
maxConnLifetime: '1h',
tls: {
enabled: true,
certFile: '/secrets/mysql/client-cert.pem',
keyFile: '/secrets/mysql/client-key.pem',
caFile: '/secrets/mysql/server-ca.pem',
enableHostVerification: false,
},
},
},
visibility: {
driver: 'sql',
sql: {
driver: 'mysql8',
host: c.mysqlBackend,
port: 3306,
database: 'temporal_visibility',
user: 'temporal',
existingSecret: 'temporal-mysql-secrets',
secretName: 'password',
maxConns: 20,
maxConnLifetime: '1h',
tls: {
enabled: true,
certFile: '/secrets/mysql/client-cert.pem',
keyFile: '/secrets/mysql/client-key.pem',
caFile: '/secrets/mysql/server-ca.pem',
enableHostVerification: false,
},
},
},
},
},
},
}
The normal deployments (web, frontend, worker, etc) all pick this up and connect successfully, but the jobs do not.
Environment/Versions
- OS and processor: [e.g. M1 Mac, x86 Windows, Linux]
- Temporal Version: 1.22.4
- Chart Version: 0.33.0
- Are you using Docker or Kubernetes or building Temporal from source? We're using the helm chart which pulls in the stock docker images