From 55fd90af9c4ea1610653fce1de1d1330950f72c6 Mon Sep 17 00:00:00 2001
From: jatin <jatin@retool.com>
Date: Mon, 15 Jun 2026 13:36:57 -0400
Subject: [PATCH] fix(rr): inherit backend SSL for agent sandbox postgres
 (sslmode=no-verify)

when agentSandbox.postgres inherits the backend connection (config.postgresql), the
assembled AGENT_SANDBOX_POSTGRES_URL carried no sslmode, so the controller/proxy
connected without TLS. an SSL-required RDS then rejects it: 'no pg_hba.conf entry for
host ... no encryption'. append ?sslmode=no-verify to the inherited DSN when the backend
uses SSL (retool.postgresql.ssl_enabled), mirroring the backend's connectionStringUtil.

- ci: add test-agent-sandbox-inherit-ssl-option.yaml exercising postgresql.enabled=false
  + config.postgresql.ssl_enabled=true (the external-SSL inherit path; existing inherit
  fixture uses the subchart with SSL off, so the suffix was never covered)
- bump chart 6.11.3 -> 6.11.4
---
 charts/retool/Chart.yaml                      |  2 +-
 ...test-agent-sandbox-inherit-ssl-option.yaml | 38 +++++++++++++++++++
 charts/retool/templates/_helpers.tpl          |  7 +++-
 3 files changed, 44 insertions(+), 3 deletions(-)
 create mode 100644 charts/retool/ci/test-agent-sandbox-inherit-ssl-option.yaml

diff --git a/charts/retool/Chart.yaml b/charts/retool/Chart.yaml
index d3ced8c..a13f06d 100644
--- a/charts/retool/Chart.yaml
+++ b/charts/retool/Chart.yaml
@@ -2,7 +2,7 @@ apiVersion: v2
 name: retool
 description: A Helm chart for Kubernetes
 type: application
-version: 6.11.3
+version: 6.11.4
 maintainers:
   - name: Retool Engineering
     email: engineering+helm@retool.com
diff --git a/charts/retool/ci/test-agent-sandbox-inherit-ssl-option.yaml b/charts/retool/ci/test-agent-sandbox-inherit-ssl-option.yaml
new file mode 100644
index 0000000..51de8d5
--- /dev/null
+++ b/charts/retool/ci/test-agent-sandbox-inherit-ssl-option.yaml
@@ -0,0 +1,38 @@
+rr:
+
+  # Agent Sandbox — inherit an EXTERNAL, SSL-required Postgres. Complements
+  # test-agent-sandbox-inherit-postgres-option.yaml (which inherits the in-cluster
+  # subchart with SSL off). Here postgresql.enabled is false and the backend points
+  # at an external DB with config.postgresql.ssl_enabled: true, so the inherited
+  # AGENT_SANDBOX_POSTGRES_URL must carry ?sslmode=no-verify (regression guard for
+  # the SSL-inheritance fix; without it an SSL-required RDS rejects the connection
+  # with "no pg_hba.conf entry ... no encryption").
+  #
+  # agentSandbox.postgres is left unset (only schema) so it inherits the backend.
+  agentSandbox:
+    enabled: true
+
+    image:
+      repository: tryretool/agent-sandbox-service
+      tag: 3.123.4
+      pullPolicy: IfNotPresent
+
+    jwtPublicKey: '-----BEGIN PUBLIC KEY-----\nMFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAEljtqa2nhBwe/PqNhWgPHhj0jv8AI\nY+QUCicYtfv9wLGcEGPQuXoBQtuoIuOwXOdbEWgrQyLdIEb0YjegAW3miA==\n-----END PUBLIC KEY-----'
+    jwtPrivateKey: '-----BEGIN EC PRIVATE KEY-----\nMHcCAQEEIMFXLiN/YsJv89D2YkEZ6/Dj5fujghENmYTOilwdChU3oAoGCCqGSM49\nAwEHoUQDQgAEljtqa2nhBwe/PqNhWgPHhj0jv8AIY+QUCicYtfv9wLGcEGPQuXoBQtuoIuOwXOdbEWgrQyLdIEb0YjegAW3miA==\n-----END EC PRIVATE KEY-----'
+    # encryption key is required (proxy derives the asset-token HMAC key from it)
+    encryptionKey: a12b01429fe0fe69a80da94e9e837ab2f1e9bda378ed8a25905a238f6fea6b7a
+    postgres:
+      schema: agent_executor
+
+# Disable the in-cluster subchart and inherit an external SSL-required DB.
+postgresql:
+  enabled: false
+config:
+  postgresql:
+    host: agentdb-prod.postgres.database.example.com
+    port: 5432
+    db: hammerhead_production
+    user: retool_internal_user
+    ssl_enabled: true
+    passwordSecretName: main-postgres-password
+    passwordSecretKey: postgresql-password
diff --git a/charts/retool/templates/_helpers.tpl b/charts/retool/templates/_helpers.tpl
index 60521e9..5142aac 100644
--- a/charts/retool/templates/_helpers.tpl
+++ b/charts/retool/templates/_helpers.tpl
@@ -725,7 +725,8 @@ Render the AGENT_SANDBOX_POSTGRES_URL env entry for the controller/proxy (plus a
 PGPASSWORD entry when assembling from fields). validateSecrets guarantees one of
 these applies, in order: postgres.url -> postgres.host -> postgres.urlSecretName
 -> inherit the backend's config.postgresql connection (the default when nothing
-agent-specific is set). externalSecret.name covers only the JWT/encryption keys
+agent-specific is set; the inherited DSN also carries sslmode=no-verify when the
+backend uses SSL). externalSecret.name covers only the JWT/encryption keys
 -- it never sources Postgres. To read a DSN from that same secret, point
 postgres.urlSecretName at it (its postgres-url key is the urlSecretKey default).
 
@@ -803,8 +804,10 @@ Usage: {{- include "retool.agentSandbox.postgresUrlEnv" . | nindent 12 }}
       name: {{ template "retool.fullname" . }}
       key: postgresql-password
       {{- end }}
+{{- /* inherit the backend's SSL too (mirror POSTGRES_SSL_ENABLED) */}}
+{{- $sslSuffix := ternary "?sslmode=no-verify" "" (eq (include "retool.postgresql.ssl_enabled" . | trimAll "\"") "true") }}
 - name: AGENT_SANDBOX_POSTGRES_URL
-  value: {{ printf "postgres://%s@%s:%s/%s" (include "retool.postgresql.user" . | trimAll "\"") (include "retool.postgresql.host" . | trimAll "\"") (include "retool.postgresql.port" . | trimAll "\"" | default "5432") (include "retool.postgresql.database" . | trimAll "\"") | quote }}
+  value: {{ printf "postgres://%s@%s:%s/%s%s" (include "retool.postgresql.user" . | trimAll "\"") (include "retool.postgresql.host" . | trimAll "\"") (include "retool.postgresql.port" . | trimAll "\"" | default "5432") (include "retool.postgresql.database" . | trimAll "\"") $sslSuffix | quote }}
 {{- end }}
 {{- end -}}