fix(data-warehouse): Use SSL CA for mysql connections (#25485)

PostHog · Oct 10, 2024 · 8e53309 · 8e53309
1 parent a0f26e1
commit 8e53309
Show file tree

Hide file tree

Showing 2 changed files with 10 additions and 1 deletion.
diff --git a/posthog/temporal/data_imports/pipelines/sql_database/__init__.py b/posthog/temporal/data_imports/pipelines/sql_database/__init__.py
@@ -15,6 +15,8 @@
 from dlt.sources.credentials import ConnectionStringCredentials
 from urllib.parse import quote
 
+from posthog.settings.utils import get_from_env
+from posthog.utils import str_to_bool
 from posthog.warehouse.types import IncrementalFieldType
 from posthog.warehouse.models.external_data_source import ExternalDataSource
 from sqlalchemy.sql import text
@@ -68,7 +70,12 @@ def sql_source_for_type(
             f"postgresql://{user}:{password}@{host}:{port}/{database}?sslmode={sslmode}"
         )
     elif source_type == ExternalDataSource.Type.MYSQL:
-        credentials = ConnectionStringCredentials(f"mysql+pymysql://{user}:{password}@{host}:{port}/{database}")
+        # We have to get DEBUG in temporal workers cos we're not loading Django in the same way as the app
+        is_debug = get_from_env("DEBUG", False, type_cast=str_to_bool)
+        ssl_ca = "/etc/ssl/cert.pem" if is_debug else "/etc/ssl/certs/ca-certificates.crt"
+        credentials = ConnectionStringCredentials(
+            f"mysql+pymysql://{user}:{password}@{host}:{port}/{database}?ssl_ca={ssl_ca}"
+        )
     elif source_type == ExternalDataSource.Type.MSSQL:
         credentials = ConnectionStringCredentials(
             f"mssql+pyodbc://{user}:{password}@{host}:{port}/{database}?driver=ODBC+Driver+18+for+SQL+Server&TrustServerCertificate=yes"

diff --git a/posthog/warehouse/models/external_data_schema.py b/posthog/warehouse/models/external_data_schema.py
@@ -4,6 +4,7 @@
 from django.db import models
 from django_deprecate_fields import deprecate_field
 import snowflake.connector
+from django.conf import settings
 from posthog.models.team import Team
 from posthog.models.utils import CreatedMetaFields, DeletedMetaFields, UUIDModel, UpdatedMetaFields, sane_repr
 import uuid
@@ -314,6 +315,7 @@ def get_schemas(mysql_host: str, mysql_port: int):
             user=user,
             password=password,
             connect_timeout=5,
+            ssl_ca="/etc/ssl/cert.pem" if settings.DEBUG else "/etc/ssl/certs/ca-certificates.crt",
         )
 
         with connection.cursor() as cursor: