Connecting to Azure MySQL over SSL fails #5393

Open
spewu opened this issue Jan 6, 2025 · 1 comment
spewu commented Jan 6, 2025

What went wrong?

What happened:

  • I am trying to install OnCall with ArgoCD on my AKS cluster
  • The relevant part of my configuration looks like this:
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
  name: grafana-oncall
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
spec:
  project: default
  source:
    repoURL: 'https://grafana.github.io/helm-charts'
    chart: oncall
    helm:
      releaseName: grafana-oncall
      valuesObject:
        base_url_protocol: https
        ingress:
          enabled: false
        grafana:
          enabled: false  # Disable the bundled Grafana
        mariadb:
          enabled: false # Disable the included MariaDB
        redis:
          enabled: false # Disable included Redis and use existing Redis
        externalRedis:
          host: master.redis.svc.cluster.local
          port: 6379
          existingSecret: oncall-redis-secret
          passwordKey: redis-password
        externalMysql:
          host: my-database.mysql.database.azure.com
          port: 3306
          db_name: oncall
          user: oncall
          existingSecret: oncall-mysql-secret
          passwordKey: mysql-password
          options: >-
            ssl_verify_cert=true
            ssl_verify_identity=true
            ssl_ca=/etc/mysql-certificates/ca.crt
        engine:
          nodeSelector:
            kubernetes.io/arch: "arm64"
          tolerations:
            - key: "app"
              operator: "Equal"
              value: "arm"
              effect: "NoSchedule"
          extraVolumes:
            - name: mysql-certificate
              secret:
                secretName: mysql-certificate
          extraVolumeMounts:
            - name: mysql-certificate
              mountPath: /etc/mysql-certificates
              readOnly: true
        migrate:
          nodeSelector:
            kubernetes.io/arch: "arm64"
          tolerations:
            - key: "app"
              operator: "Equal"
              value: "arm"
              effect: "NoSchedule"
          enabled: true
          extraVolumes:
            - name: mysql-certificate
              secret:
                secretName: mysql-certificate
          extraVolumeMounts:
            - name: mysql-certificate
              mountPath: /etc/mysql-certificates
              readOnly: true
  destination:
    server: 'https://kubernetes.default.svc'
    namespace: grafana-oncall
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=true

I set up the CA certificate (which I downloaded from here) as a secret, and I verified that mounting it works fine.

If I inspect the migrate job, it looks like this:

apiVersion: batch/v1
kind: Job
metadata:
  creationTimestamp: "2025-01-06T14:39:31Z"
  generation: 1
  labels:
    app.kubernetes.io/component: engine
    app.kubernetes.io/instance: grafana-oncall
    app.kubernetes.io/managed-by: Helm
    app.kubernetes.io/name: oncall
    app.kubernetes.io/version: v1.9.25
    argocd.argoproj.io/instance: grafana-oncall
    helm.sh/chart: oncall-1.9.25
  name: grafana-oncall-engine-migrate-2025-01-06-13-48-49
  namespace: grafana-oncall
  resourceVersion: "177437833"
  uid: ea1165d8-ce3a-4ba5-9c03-566376de6885
spec:
  backoffLimit: 15
  completionMode: NonIndexed
  completions: 1
  manualSelector: false
  parallelism: 1
  podReplacementPolicy: TerminatingOrFailed
  selector:
    matchLabels:
      batch.kubernetes.io/controller-uid: ea1165d8-ce3a-4ba5-9c03-566376de6885
  suspend: false
  template:
    metadata:
      creationTimestamp: null
      labels:
        app.kubernetes.io/component: engine
        app.kubernetes.io/instance: grafana-oncall
        app.kubernetes.io/name: oncall
        batch.kubernetes.io/controller-uid: ea1165d8-ce3a-4ba5-9c03-566376de6885
        batch.kubernetes.io/job-name: grafana-oncall-engine-migrate-2025-01-06-13-48-49
        controller-uid: ea1165d8-ce3a-4ba5-9c03-566376de6885
        job-name: grafana-oncall-engine-migrate-2025-01-06-13-48-49
      name: grafana-oncall-engine-migrate-2025-01-06-13-48-49
    spec:
      containers:
      - command:
        - /bin/sh
        - -c
        - |
          until (nc -vz $MYSQL_HOST $MYSQL_PORT);
          do
              echo "waiting for MySQL"; sleep 1;
          done
          python manage.py migrate
        env:
        - name: BASE_URL
          value: https://oncall-staging.mydomain.com
        - name: SECRET_KEY
          valueFrom:
            secretKeyRef:
              key: SECRET_KEY
              name: grafana-oncall
        - name: MIRAGE_SECRET_KEY
          valueFrom:
            secretKeyRef:
              key: MIRAGE_SECRET_KEY
              name: grafana-oncall
        - name: MIRAGE_CIPHER_IV
          value: 1234567890abcdef
        - name: DJANGO_SETTINGS_MODULE
          value: settings.helm
        - name: AMIXR_DJANGO_ADMIN_PATH
          value: admin
        - name: OSS
          value: "True"
        - name: DETACHED_INTEGRATIONS_SERVER
          value: "False"
        - name: UWSGI_LISTEN
          value: "1024"
        - name: BROKER_TYPE
          value: rabbitmq
        - name: GRAFANA_API_URL
          value: https://grafana-staging.mydomain.com
        - name: FEATURE_EMAIL_INTEGRATION_ENABLED
          value: "True"
        - name: EMAIL_HOST
        - name: EMAIL_PORT
          value: "587"
        - name: EMAIL_HOST_USER
        - name: EMAIL_HOST_PASSWORD
          valueFrom:
            secretKeyRef:
              key: smtp-password
              name: grafana-oncall-smtp
              optional: true
        - name: EMAIL_USE_TLS
          value: "True"
        - name: EMAIL_USE_SSL
          value: "False"
        - name: EMAIL_FROM_ADDRESS
        - name: EMAIL_NOTIFICATIONS_LIMIT
          value: "200"
        - name: FEATURE_PROMETHEUS_EXPORTER_ENABLED
          value: "False"
        - name: MYSQL_HOST
          value: my-database.mysql.database.azure.com
        - name: MYSQL_PORT
          value: "3306"
        - name: MYSQL_DB_NAME
          value: oncall
        - name: MYSQL_USER
          value: oncall
        - name: MYSQL_PASSWORD
          valueFrom:
            secretKeyRef:
              key: mysql-password
              name: oncall-mysql-secret
        - name: MYSQL_OPTIONS
          value: ssl_ca=/etc/mysql-certificates/ca.crt ssl_verify_cert=true ssl_verify_identity=true
        - name: REDIS_PROTOCOL
          value: redis
        - name: REDIS_HOST
          value: master.redis.svc.cluster.local
        - name: REDIS_PORT
          value: "6379"
        - name: REDIS_DATABASE
          value: "0"
        - name: REDIS_USERNAME
        - name: REDIS_PASSWORD
          valueFrom:
            secretKeyRef:
              key: redis-password
              name: oncall-redis-secret
        - name: RABBITMQ_USERNAME
          value: user
        - name: RABBITMQ_PASSWORD
          valueFrom:
            secretKeyRef:
              key: rabbitmq-password
              name: grafana-oncall-rabbitmq
        - name: RABBITMQ_HOST
          value: grafana-oncall-rabbitmq
        - name: RABBITMQ_PORT
          value: "5672"
        - name: RABBITMQ_PROTOCOL
          value: amqp
        - name: RABBITMQ_VHOST
        image: grafana/oncall:v1.9.25
        imagePullPolicy: Always
        name: oncall-migrate
        resources: {}
        securityContext: {}
        terminationMessagePath: /dev/termination-log
        terminationMessagePolicy: File
        volumeMounts:
        - mountPath: /etc/mysql-certificates
          name: mysql-certificate
          readOnly: true
      dnsPolicy: ClusterFirst
      nodeSelector:
        kubernetes.io/arch: arm64
      restartPolicy: Never
      schedulerName: default-scheduler
      securityContext: {}
      serviceAccount: grafana-oncall
      serviceAccountName: grafana-oncall
      terminationGracePeriodSeconds: 30
      tolerations:
      - effect: NoSchedule
        key: app
        operator: Equal
        value: arm
      volumes:
      - name: mysql-certificate
        secret:
          defaultMode: 420
          secretName: mysql-certificate
  ttlSecondsAfterFinished: 20
status:
  failed: 11
  ready: 0
  startTime: "2025-01-06T14:39:31Z"
  terminating: 0
  uncountedTerminatedPods: {}

Notice the MYSQL_OPTIONS does have the SSL settings, so that looks good. However, when the migrate job runs, it fails to establish a secure connection with the MySQL database:

my-database.mysql.database.azure.com (4.208.78.XXX:3306) open
/usr/local/lib/python3.12/site-packages/telegram/utils/request.py:49: UserWarning: python-telegram-bot is using upstream urllib3. This is allowed but not supported by python-telegram-bot maintainers.
  warnings.warn(
source=engine:app google_trace_id=none logger=django_dbconn_retry.apps Database connection failed. Refreshing...
source=engine:app google_trace_id=none logger=django_dbconn_retry.apps Reconnecting to the database didn't help (3159, 'Connections using insecure transport are prohibited while --require_secure_transport=ON.')
Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/django_dbconn_retry/apps.py", line 51, in ensure_connection_with_retries
    self.connect()
  File "/usr/local/lib/python3.12/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/base/base.py", line 270, in connect
    self.connection = self.get_new_connection(conn_params)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/mysql/base.py", line 247, in get_new_connection
    connection = Database.connect(**conn_params)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/pymysql/connections.py", line 361, in __init__
    self.connect()
  File "/usr/local/lib/python3.12/site-packages/pymysql/connections.py", line 669, in connect
    self._request_authentication()
  File "/usr/local/lib/python3.12/site-packages/pymysql/connections.py", line 957, in _request_authentication
    auth_packet = self._read_packet()
                  ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/pymysql/connections.py", line 775, in _read_packet
    packet.raise_for_error()
  File "/usr/local/lib/python3.12/site-packages/pymysql/protocol.py", line 219, in raise_for_error
    err.raise_mysql_exception(self._data)
  File "/usr/local/lib/python3.12/site-packages/pymysql/err.py", line 150, in raise_mysql_exception
    raise errorclass(errno, errval)
pymysql.err.OperationalError: (3159, 'Connections using insecure transport are prohibited while --require_secure_transport=ON.')

During handling of the above exception, another exception occurred:

Traceback (most recent call last):
  File "/usr/local/lib/python3.12/site-packages/django_dbconn_retry/apps.py", line 51, in ensure_connection_with_retries
    self.connect()
  File "/usr/local/lib/python3.12/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/base/base.py", line 270, in connect
    self.connection = self.get_new_connection(conn_params)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/mysql/base.py", line 247, in get_new_connection
    connection = Database.connect(**conn_params)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/pymysql/connections.py", line 361, in __init__
    self.connect()
  File "/usr/local/lib/python3.12/site-packages/pymysql/connections.py", line 669, in connect
    self._request_authentication()
  File "/usr/local/lib/python3.12/site-packages/pymysql/connections.py", line 957, in _request_authentication
    auth_packet = self._read_packet()
                  ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/pymysql/connections.py", line 775, in _read_packet
    packet.raise_for_error()
  File "/usr/local/lib/python3.12/site-packages/pymysql/protocol.py", line 219, in raise_for_error
    err.raise_mysql_exception(self._data)
  File "/usr/local/lib/python3.12/site-packages/pymysql/err.py", line 150, in raise_mysql_exception
    raise errorclass(errno, errval)
pymysql.err.OperationalError: (3159, 'Connections using insecure transport are prohibited while --require_secure_transport=ON.')

The above exception was the direct cause of the following exception:

Traceback (most recent call last):
  File "/etc/app/manage.py", line 34, in <module>
    execute_from_command_line(sys.argv)
  File "/usr/local/lib/python3.12/site-packages/django/core/management/__init__.py", line 442, in execute_from_command_line
    utility.execute()
  File "/usr/local/lib/python3.12/site-packages/django/core/management/__init__.py", line 436, in execute
    self.fetch_command(subcommand).run_from_argv(self.argv)
  File "/usr/local/lib/python3.12/site-packages/django/core/management/base.py", line 412, in run_from_argv
    self.execute(*args, **cmd_options)
  File "/usr/local/lib/python3.12/site-packages/django/core/management/base.py", line 458, in execute
    output = self.handle(*args, **options)
             ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/core/management/base.py", line 106, in wrapper
    res = handle_func(*args, **kwargs)
          ^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/core/management/commands/migrate.py", line 100, in handle
    self.check(databases=[database])
  File "/usr/local/lib/python3.12/site-packages/django/core/management/base.py", line 485, in check
    all_issues = checks.run_checks(
                 ^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/core/checks/registry.py", line 88, in run_checks
    new_errors = check(app_configs=app_configs, databases=databases)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/core/checks/database.py", line 13, in check_database_backends
    issues.extend(conn.validation.check(**kwargs))
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/mysql/validation.py", line 9, in check
    issues.extend(self._check_sql_mode(**kwargs))
                  ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/mysql/validation.py", line 14, in _check_sql_mode
    self.connection.sql_mode & {"STRICT_TRANS_TABLES", "STRICT_ALL_TABLES"}
    ^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/utils/functional.py", line 57, in __get__
    res = instance.__dict__[self.name] = self.func(instance)
                                         ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/mysql/base.py", line 443, in sql_mode
    sql_mode = self.mysql_server_data["sql_mode"]
               ^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/utils/functional.py", line 57, in __get__
    res = instance.__dict__[self.name] = self.func(instance)
                                         ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/mysql/base.py", line 399, in mysql_server_data
    with self.temporary_connection() as cursor:
  File "/usr/local/lib/python3.12/contextlib.py", line 137, in __enter__
    return next(self.gen)
           ^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/base/base.py", line 705, in temporary_connection
    with self.cursor() as cursor:
         ^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/base/base.py", line 330, in cursor
    return self._cursor()
           ^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/base/base.py", line 306, in _cursor
    self.ensure_connection()
  File "/usr/local/lib/python3.12/site-packages/django_dbconn_retry/apps.py", line 69, in ensure_connection_with_retries
    self.ensure_connection()
  File "/usr/local/lib/python3.12/site-packages/django_dbconn_retry/apps.py", line 48, in ensure_connection_with_retries
    with self.wrap_database_errors:
  File "/usr/local/lib/python3.12/site-packages/django/db/utils.py", line 91, in __exit__
    raise dj_exc_value.with_traceback(traceback) from exc_value
  File "/usr/local/lib/python3.12/site-packages/django_dbconn_retry/apps.py", line 51, in ensure_connection_with_retries
    self.connect()
  File "/usr/local/lib/python3.12/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/base/base.py", line 270, in connect
    self.connection = self.get_new_connection(conn_params)
                      ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/utils/asyncio.py", line 26, in inner
    return func(*args, **kwargs)
           ^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/django/db/backends/mysql/base.py", line 247, in get_new_connection
    connection = Database.connect(**conn_params)
                 ^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/pymysql/connections.py", line 361, in __init__
    self.connect()
  File "/usr/local/lib/python3.12/site-packages/pymysql/connections.py", line 669, in connect
    self._request_authentication()
  File "/usr/local/lib/python3.12/site-packages/pymysql/connections.py", line 957, in _request_authentication
    auth_packet = self._read_packet()
                  ^^^^^^^^^^^^^^^^^^^
  File "/usr/local/lib/python3.12/site-packages/pymysql/connections.py", line 775, in _read_packet
    packet.raise_for_error()
  File "/usr/local/lib/python3.12/site-packages/pymysql/protocol.py", line 219, in raise_for_error
    err.raise_mysql_exception(self._data)
  File "/usr/local/lib/python3.12/site-packages/pymysql/err.py", line 150, in raise_mysql_exception
    raise errorclass(errno, errval)
django.db.utils.OperationalError: (3159, 'Connections using insecure transport are prohibited while --require_secure_transport=ON.')

What did you expect to happen:

  • I expected that the connection to MySQL would use SSL, since I provided the ca.crt and specified that it should validate the SSL options.

How do we reproduce it?

To reproduce it you need to try connecting to an Azure MySQL database. I expect that you would be able to reproduce this with just the helm chart, and trying to get it to work with an Azure MySQL database that requires SSL.

Grafana OnCall Version

1.9.25

Product Area

Helm/Kubernetes/Docker, CI/CD

Grafana OnCall Platform?

Kubernetes

User's Browser?

No response

Anything else to add?

No response
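
A preflight check for the setup described in this report, added here as an example and not taken from OnCall or its Helm chart: it parses the space-separated `MYSQL_OPTIONS` string shown in the Job, refuses to continue unless the CA, certificate verification and hostname verification are all set, then connects with PyMySQL using an explicit `ssl.SSLContext` and reads `Ssl_cipher` to confirm the session is encrypted. The function names are illustrative, and nothing here assumes how OnCall itself consumes `MYSQL_OPTIONS`.

```python
"""Added example: validate MYSQL_OPTIONS, then prove the MySQL session uses TLS."""
import os
import ssl
import sys

# String values treated as "enabled" when read from an environment variable.
TRUE_VALUES = {"1", "true", "yes", "required"}


def parse_options(raw):
    """Split 'key=value key=value' (the MYSQL_OPTIONS layout in the Job) into a dict."""
    opts = {}
    for token in raw.split():
        key, sep, value = token.partition("=")
        if not sep or not key or not value:
            raise ValueError(f"malformed option: {token!r}")
        opts[key] = value
    return opts


def missing_tls_settings(opts):
    """Return settings that are absent or switched off; [] means full verification."""
    missing = []
    if not opts.get("ssl_ca"):
        missing.append("ssl_ca")
    for key in ("ssl_verify_cert", "ssl_verify_identity"):
        if opts.get(key, "").lower() not in TRUE_VALUES:
            missing.append(key)
    return missing


def build_context(opts):
    """Trust only the mounted CA; the default context already enforces
    CERT_REQUIRED and hostname checking."""
    return ssl.create_default_context(cafile=opts["ssl_ca"])


def session_cipher(conn):
    """Return the negotiated cipher of an open connection, or None if it is plaintext."""
    cur = conn.cursor()
    try:
        cur.execute("SHOW SESSION STATUS LIKE 'Ssl_cipher'")
        row = cur.fetchone()
    finally:
        cur.close()
    return row[1] if row and row[1] else None


def main():
    import pymysql  # the driver that appears in the traceback above

    opts = parse_options(os.environ.get("MYSQL_OPTIONS", ""))
    missing = missing_tls_settings(opts)
    if missing:
        sys.exit(f"MYSQL_OPTIONS lacks or disables: {', '.join(missing)}")
    conn = pymysql.connect(
        host=os.environ["MYSQL_HOST"],
        port=int(os.environ.get("MYSQL_PORT", "3306")),
        user=os.environ["MYSQL_USER"],
        password=os.environ["MYSQL_PASSWORD"],
        database=os.environ["MYSQL_DB_NAME"],
        ssl=build_context(opts),  # PyMySQL accepts an SSLContext here
    )
    try:
        cipher = session_cipher(conn)
    finally:
        conn.close()
    if cipher is None:
        sys.exit("connected, but the session is NOT encrypted")
    print(f"TLS session established, cipher {cipher}")


if __name__ == "__main__":
    main()
```

Run it in a pod that has the same environment variables and certificate mount as the migrate Job; a TLS or verification failure surfaces as an exception from `pymysql.connect`.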

spewu commented Jan 6, 2025

Ahh, I just realised I am running a MySQL 8 database. Does OnCall only work with 5.7? (Azure has marked 5.7 as retired)
