fix(rr): inherit backend SSL for agent sandbox postgres (sslmode=no-verify)

[JatinNanda]

what

When rr.agentSandbox.postgres is left to inherit the backend connection (config.postgresql), the chart assembled AGENT_SANDBOX_POSTGRES_URL with no sslmode. The agent-sandbox controller/proxy connect via Knex/pg, which only does TLS if the connection string says so — so an SSL-required RDS rejects them:

no pg_hba.conf entry for host "...", user "retool_internal_user", database "hammerhead_admin_prod", no encryption

The backend connects to the same DB fine because it applies SSL (common/resources/connectionStringUtil.ts → sslmode=no-verify); the inherited sandbox DSN didn't carry it.

fix

Append ?sslmode=no-verify to the inherited DSN when the backend uses SSL (retool.postgresql.ssl_enabled is true), mirroring the backend. No effect when SSL is off (e.g. the in-cluster postgresql subchart). The explicit postgres.url / urlSecretName paths are unchanged — operators put sslmode in those themselves.

testing

• helm template: external pg + ssl_enabled: true → …/hammerhead_admin_prod?sslmode=no-verify; in-cluster subchart → no sslmode. All ci/ fixtures render; helm lint clean.
• New CI fixture ci/test-agent-sandbox-inherit-ssl-option.yaml exercises the external-SSL inherit path (postgresql.enabled: false + config.postgresql.ssl_enabled: true), which no existing fixture covered — locks in the sslmode suffix against future regressions.
• Chart bumped 6.11.3 → 6.11.4.

🤖 Generated with Claude Code

[greptile-apps]

Greptile Summary

This PR fixes AGENT_SANDBOX_POSTGRES_URL missing sslmode=no-verify when the agent-sandbox postgres inherits the backend's connection and ssl_enabled is true, causing SSL-required RDS instances to reject connections.

• _helpers.tpl: In the "inherit" branch of retool.agentSandbox.postgresUrlEnv, computes a $sslSuffix from the retool.postgresql.ssl_enabled helper and appends ?sslmode=no-verify to the assembled DSN, mirroring what the backend already does. The explicit url / host / urlSecretName paths are untouched.
• New CI fixture (test-agent-sandbox-inherit-ssl-option.yaml): Exercises the external-SSL inherit path (postgresql.enabled: false + config.postgresql.ssl_enabled: true), locking in the sslmode suffix as a regression guard. Chart bumped to 6.11.4.

Confidence Score: 5/5

Safe to merge — the change is a one-line DSN suffix appended only in the inherit branch, with a new CI fixture confirming the fixed path renders correctly.

The fix is tightly scoped: only the inherit backend branch of the DSN builder is touched, the helper it calls already exists and is tested elsewhere, and the new CI fixture directly exercises the external-SSL path that previously had no coverage. The explicit url/host/urlSecretName paths are untouched. No logic errors or edge cases were found.

No files require special attention.

Important Files Changed

Filename	Overview
charts/retool/templates/_helpers.tpl	Appends ?sslmode=no-verify to the inherited AGENT_SANDBOX_POSTGRES_URL when ssl_enabled is true; logic is correct, scoped to the inherit branch only, and doesn't affect other DSN construction paths.
charts/retool/ci/test-agent-sandbox-inherit-ssl-option.yaml	New CI fixture covering the external-SSL inherit path (postgresql.enabled: false + ssl_enabled: true); correctly exercises the fixed code path that no prior fixture reached.
charts/retool/Chart.yaml	Patch version bump 6.11.3 → 6.11.4 to reflect the bug fix.

Flowchart

%%{init: {'theme': 'neutral'}}%%
flowchart TD
    A[postgresUrlEnv helper] --> B{pg.url set?}
    B -- yes --> C[Use literal URL directly]
    B -- no --> D{pg.host set?}
    D -- yes --> E[Build DSN from host fields\nno SSL suffix]
    D -- no --> F{pg.urlSecretName set?}
    F -- yes --> G[Pull DSN from Kubernetes Secret]
    F -- no --> H[Inherit backend connection]
    H --> I{ssl_enabled == true?}
    I -- yes --> J[sslSuffix = sslmode=no-verify]
    I -- no --> K[sslSuffix = empty]
    J --> L[Append SSL suffix to assembled DSN]
    K --> M[Assembled DSN without SSL suffix]

Loading

_{Reviews (2): Last reviewed commit: "fix(rr): inherit backend SSL for agent s..." | Re-trigger Greptile}

[greptile-apps]

No CI fixture for the fixed scenario

The new code path — postgresql.enabled: false + config.postgresql.ssl_enabled: true + inherited agent-sandbox postgres — is not exercised by any ci/ YAML. All existing fixtures that hit the else (inherit) branch use postgresql.enabled: true / ssl_enabled: false, so $sslSuffix is always "" in CI. If someone later changes retool.postgresql.ssl_enabled or the ternary logic, CI won't catch a regression in the external-SSL path. Adding a companion to test-agent-sandbox-inherit-postgres-option.yaml with postgresql.enabled: false, config.postgresql.host/ssl_enabled: true, and the required sandbox JWT keys would lock in the fix.

[lukefoster11]

"%s %s %s %s %s" ("this") ("looks") ("good") ("to") ("me")