fix(pg-pg): better tls wiring for pgdump command#4540
Conversation
91bef1c to
46ca680
Compare
|
Code review: Found 1 issue - see review below. |
|
Bug in appendTLSEnv (pgdump_schema.go line 302): The |
Code reviewNo issues found. Checked for bugs and CLAUDE.md compliance. |
❌ 2 Tests Failed:
View the top 2 failed test(s) by shortest run time
To view more test analytics, go to the Test Analytics Dashboard |
❌ Test FailureAnalysis: A deterministic (0.00s) assertion failure in TestAppendTLSEnv/pgdump_schema_test.go — expected PGSSLROOTCERT empty but got a cert path — which is exactly the pgdump TLS wiring logic this PR modifies, so it's a real bug in the change, not a flaky/timeout/race/network failure. |
543c825 to
6a0c3a9
Compare
🔄 Flaky Test DetectedAnalysis: All 13 failures are SSH-tunnel tests rejected by the test SSH bastion with "ssh: rejected: administratively prohibited (open failed)"—an infra issue that hit only 1 of 3 matrix jobs while the identical tests passed on the other two, on a TLS-focused PR unrelated to SSH. ✅ Automatically retrying the workflow |
When a root CA certificate was provided in the peer configuration but TLS wasn't explicitly required, pg_dump and psql would attempt to connect without TLS — even though the regular connector correctly used TLS in this scenario. This caused schema migration to fail with a connection error.
Now pg_dump and psql enable TLS under the same conditions as the regular connector. Added unit tests covering argument building and all TLS configuration combinations.
Also adds TLS host wiring for pgdump