fix(api): normalize pg sslmode and add runtime tsconfig for jobs

Author: hugbubby

src/helm/openerrata/templates/selector-cronjob.yaml

@@ -21,7 +21,7 @@ spec:
             - name: selector
               image: {{ include "openerrata.image" . | quote }}
               imagePullPolicy: {{ .Values.image.pullPolicy }}
-              command: ["node", "node_modules/tsx/dist/cli.mjs", "src/lib/services/selector-entrypoint.ts"]
+              command: ["node", "node_modules/tsx/dist/cli.mjs", "--tsconfig", "tsconfig.runtime.json", "src/lib/services/selector-entrypoint.ts"]
               envFrom:
                 - secretRef:
                     name: {{ include "openerrata.fullname" . }}

src/helm/openerrata/templates/worker-deployment.yaml

@@ -21,7 +21,7 @@ spec:
         - name: worker
           image: {{ include "openerrata.image" . | quote }}
           imagePullPolicy: {{ .Values.image.pullPolicy }}
-          command: ["node", "node_modules/tsx/dist/cli.mjs", "src/lib/services/worker-entrypoint.ts"]
+          command: ["node", "node_modules/tsx/dist/cli.mjs", "--tsconfig", "tsconfig.runtime.json", "src/lib/services/worker-entrypoint.ts"]
           envFrom:
             - secretRef:
                 name: {{ include "openerrata.fullname" . }}

src/typescript/api/Dockerfile

@@ -28,6 +28,7 @@ COPY --from=build /app/api/prisma /app/api/prisma
 COPY --from=build /app/api/prisma.config.ts /app/api/prisma.config.ts
 COPY --from=build /app/api/src /app/api/src
 COPY --from=build /app/api/package.json /app/api/package.json
+COPY --from=build /app/api/tsconfig.runtime.json /app/api/tsconfig.runtime.json
 
 EXPOSE 3000
 ENV PORT=3000

src/typescript/api/package.json

@@ -9,9 +9,9 @@
     "test:unit": "tsx --test \"test/unit/**/*.test.ts\"",
     "test:integration": "tsx test/integration/run-integration-tests.ts",
     "test:integration:raw": "tsx --test test/integration/api-endpoints.integration.test.ts",
-    "worker": "tsx src/lib/services/worker-entrypoint.ts",
-    "selector": "tsx src/lib/services/selector-entrypoint.ts",
-    "instance-api-key": "tsx src/lib/services/instance-api-key-entrypoint.ts",
+    "worker": "tsx --tsconfig tsconfig.runtime.json src/lib/services/worker-entrypoint.ts",
+    "selector": "tsx --tsconfig tsconfig.runtime.json src/lib/services/selector-entrypoint.ts",
+    "instance-api-key": "tsx --tsconfig tsconfig.runtime.json src/lib/services/instance-api-key-entrypoint.ts",
     "prisma:generate": "svelte-kit sync && prisma generate",
     "prisma:migrate:dev": "prisma migrate dev",
     "prisma:migrate:deploy": "prisma migrate deploy",

src/typescript/api/src/lib/db/client.ts

@@ -1,5 +1,6 @@
 import "./prisma-enum-compat.js";
 import { PrismaPg } from "@prisma/adapter-pg";
+import { normalizePgConnectionStringForNode } from "$lib/db/connection-string.js";
 import { PrismaClient } from "$lib/generated/prisma/client";
 import { getEnv } from "$lib/config/env.js";
 import { Pool } from "pg";
@@ -13,7 +14,7 @@ declare global {
 
 function createPrismaClient(): PrismaClient {
   const env = getEnv();
-  const databaseUrl = env.DATABASE_URL;
+  const databaseUrl = normalizePgConnectionStringForNode(env.DATABASE_URL);
 
   const pool = new Pool({
     connectionString: databaseUrl,

src/typescript/api/src/lib/db/connection-string.ts

@@ -0,0 +1,22 @@
+const libpqCompatSslModes = new Set(["allow", "prefer", "require"]);
+
+export function normalizePgConnectionStringForNode(
+  databaseUrl: string,
+): string {
+  const parsed = new URL(databaseUrl);
+  const sslMode = parsed.searchParams.get("sslmode");
+  if (sslMode === null) {
+    return databaseUrl;
+  }
+
+  if (!libpqCompatSslModes.has(sslMode.toLowerCase())) {
+    return databaseUrl;
+  }
+
+  if (parsed.searchParams.has("uselibpqcompat")) {
+    return databaseUrl;
+  }
+
+  parsed.searchParams.set("uselibpqcompat", "true");
+  return parsed.toString();
+}

src/typescript/api/src/lib/services/instance-api-key-entrypoint.ts

@@ -1,5 +1,6 @@
 import { config as loadDotenv } from "dotenv";
 import { PrismaPg } from "@prisma/adapter-pg";
+import { normalizePgConnectionStringForNode } from "$lib/db/connection-string.js";
 import { PrismaClient, type Prisma } from "$lib/generated/prisma/client";
 import { Pool } from "pg";
 import { hashInstanceApiKey } from "$lib/services/instance-api-key.js";
@@ -173,7 +174,7 @@ function requireDatabaseUrl(): string {
   if (typeof value !== "string" || value.trim().length === 0) {
     throw new Error("DATABASE_URL is required.");
   }
-  return value.trim();
+  return normalizePgConnectionStringForNode(value.trim());
 }
 
 function createScriptPrismaClient(): PrismaClient {

src/typescript/api/src/lib/services/queue.ts

@@ -1,9 +1,12 @@
 import { makeWorkerUtils } from "graphile-worker";
 import { getEnv } from "$lib/config/env.js";
+import { normalizePgConnectionStringForNode } from "$lib/db/connection-string.js";
 import { createQueueManager } from "./queue-lifecycle.js";
 
+const databaseUrl = normalizePgConnectionStringForNode(getEnv().DATABASE_URL);
+
 const manager = createQueueManager(() =>
-  makeWorkerUtils({ connectionString: getEnv().DATABASE_URL }),
+  makeWorkerUtils({ connectionString: databaseUrl }),
 );
 
 export async function enqueueInvestigationRun(

src/typescript/api/src/lib/services/worker-runner.ts

@@ -1,8 +1,9 @@
 import { run } from "graphile-worker";
 import { getEnv } from "$lib/config/env.js";
+import { normalizePgConnectionStringForNode } from "$lib/db/connection-string.js";
 import { orchestrateInvestigation } from "./orchestrator.js";
 
-const databaseUrl = getEnv().DATABASE_URL;
+const databaseUrl = normalizePgConnectionStringForNode(getEnv().DATABASE_URL);
 
 function isInvestigatePayload(
   payload: unknown,

src/typescript/api/test/unit/db-connection-string.test.ts

@@ -0,0 +1,48 @@
+import assert from "node:assert/strict";
+import { test } from "node:test";
+import { normalizePgConnectionStringForNode } from "../../src/lib/db/connection-string.js";
+
+test("adds uselibpqcompat for sslmode=require", () => {
+  const input = "postgresql://user:pass@db.example.com:5432/openerrata?sslmode=require";
+  const output = normalizePgConnectionStringForNode(input);
+  const url = new URL(output);
+
+  assert.equal(url.searchParams.get("sslmode"), "require");
+  assert.equal(url.searchParams.get("uselibpqcompat"), "true");
+});
+
+test("adds uselibpqcompat for sslmode=prefer and sslmode=allow", () => {
+  const prefer = normalizePgConnectionStringForNode(
+    "postgresql://user:pass@db.example.com/openerrata?sslmode=prefer",
+  );
+  const allow = normalizePgConnectionStringForNode(
+    "postgresql://user:pass@db.example.com/openerrata?sslmode=allow",
+  );
+
+  assert.equal(new URL(prefer).searchParams.get("uselibpqcompat"), "true");
+  assert.equal(new URL(allow).searchParams.get("uselibpqcompat"), "true");
+});
+
+test("leaves connection strings unchanged when sslmode is absent", () => {
+  const input = "postgresql://user:pass@db.example.com:5432/openerrata";
+  assert.equal(normalizePgConnectionStringForNode(input), input);
+});
+
+test("leaves connection strings unchanged when uselibpqcompat is already present", () => {
+  const input =
+    "postgresql://user:pass@db.example.com/openerrata?sslmode=require&uselibpqcompat=false";
+  assert.equal(normalizePgConnectionStringForNode(input), input);
+});
+
+test("leaves strict sslmodes unchanged", () => {
+  const verifyFull =
+    "postgresql://user:pass@db.example.com/openerrata?sslmode=verify-full";
+  const verifyCa =
+    "postgresql://user:pass@db.example.com/openerrata?sslmode=verify-ca";
+  const disable =
+    "postgresql://user:pass@db.example.com/openerrata?sslmode=disable";
+
+  assert.equal(normalizePgConnectionStringForNode(verifyFull), verifyFull);
+  assert.equal(normalizePgConnectionStringForNode(verifyCa), verifyCa);
+  assert.equal(normalizePgConnectionStringForNode(disable), disable);
+});