MAAS does not support PostgreSQL with SSL enabled out of the box. FYI, there is also this topic that refers to PostgreSQL SSL and the Temporal Server configuration: "Postgres with SSL works, but disappears when production.yaml is rendered".
If your PostgreSQL SSL settings were compatible with how MAAS was using psycopg2 before the introduction of Temporal in 3.5, then a potential patch to the files below could work for you.
As I said, it is not supported, so please consider them before applying them, at your own risk.
- This is needed to run dbupgrade when on SSL. It could be an alternative to what you did on the PostgreSQL side.
diff --git a/src/maasserver/management/commands/dbupgrade.py b/src/maasserver/management/commands/dbupgrade.py
index 18d7156e4..8ab1e7fe8 100644
--- a/src/maasserver/management/commands/dbupgrade.py
+++ b/src/maasserver/management/commands/dbupgrade.py
@@ -149,6 +149,9 @@ class Command(BaseCommand):
get_path("/usr/bin/temporal-sql-tool"),
"--plugin",
"postgres12",
+ "--tls",
+ "--tls-ca-file",
+ "/path/of/ca/with/self/signed",
+ # or skipping the host verification
+ # "--tls-disable-host-verification",
"--endpoint",
endpoint,
"--port",
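Review bot: The commented-out alternative `"--tls-disable-host-verification"` in the added arguments should not be the fallback for a self-signed setup, because it stops temporal-sql-tool from checking that the certificate belongs to the host in `endpoint`. Keep `"--tls-ca-file"` and issue the server certificate with a name that matches `endpoint` instead. The CA path is also a hard-coded placeholder inside the argument list; reading it from MAAS configuration would avoid editing the command for each deployment. Note that the header `@@ -149,6 +149,9 @@` declares three added lines while the hunk carries five, so the two comment lines have to be dropped or the counts corrected before the patch will apply cleanly.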
- This is needed to operate Temporal Server with PostgreSQL on SSL mode:
diff --git a/src/maasserver/templates/temporal/production.yaml.template b/src/maasserver/templates/temporal/production.yaml.template
index ae8e478a1..4c176518e 100644
--- a/src/maasserver/templates/temporal/production.yaml.template
+++ b/src/maasserver/templates/temporal/production.yaml.template
@@ -23,6 +23,9 @@ persistence:
maxConns: 5
maxIdleConns: 5
maxConnLifetime: "5m"
+ tls:
+ enabled: true
+ caFile: "/path/of/ca/with/self/signed"
+ # or enableHostVerification: false
visibility:
sql:
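Review bot: The `caFile: "/path/of/ca/with/self/signed"` line is a literal placeholder written into the template, so every rendered production.yaml will carry it unchanged. It would be safer to make it a template variable filled from the same source as the other connection settings, and to render the `tls:` block only when a CA file is configured. The added lines also need to be indented so that `tls:` sits at the same level as `maxConns` and `enabled`/`caFile` are nested under it. As with the dbupgrade.py hunk, prefer `caFile` over the commented `enableHostVerification: false`, which would leave the connection encrypted but without a check of the server's identity.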
@@ -40,6 +43,9 @@ persistence:
maxConns: 1
maxIdleConns: 1
maxConnLifetime: "5m"
+ tls:
+ enabled: true
+ caFile: "/path/of/ca/with/self/signed"
+ # or enableHostVerification: false
global:
membership:
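Review bot: This second `tls:` block repeats the same three settings and the same literal `caFile` path as the one added at line 23, so the two can drift apart if only one is edited later. Drive both from a single template value so both database connections configured in this file always use the same CA and the same verification setting, and keep `enabled: true` with `caFile` in both rather than mixing in `enableHostVerification: false` for one of them.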