[source-oracle] Cannot connect to a database with an internally-signed certificate

don-code commented 4 months ago

Connector Name

source-oracle

Connector Version

0.5.2

What step the error happened?

Configuring a new connector

Relevant information

We run n Oracle database with a TLS certificate that's signed by an internal signing authority, which is not in the JVM's default trust store. Authentication to said database uses client certificates, so TLS is mandatory to connect.

For other applications, either the JVM trust store, or the system trust store, can be updated to trust this signing authority.

There does not seem to be a way to tell Airbyte to trust this internal root CA, OR (less ideally) to disable TLS certificate verification altogether. This prevents Airbyte from being able to interact with this database.

Other options investigated:

Forking the source-oracle image, and patching it with a custom trust store. While this works, it would mean we'd have to drop and recreate the source and all connections whenever this issue is fixed at Airbyte's end, and also maintain a forked Dockerfile (at minimum) on our end, which we upgrade on a close cadence.
Mounting in a custom trust store to source pods (we run Airbyte on Kubernetes, deployed with the Helm chart). There does not appear to be a configuration flag which allows this. We can indeed mount a custom trust store into the worker pod, but not the pods which the worker pod schedules.

Relevant log output

io.airbyte.commons.exceptions.ConnectionErrorException: java.sql.SQLTransientConnectionException: HikariPool-1 - Connection is not available, request timed out after 60001ms (total=0, active=0, idle=0, waiting=0)
    at io.airbyte.cdk.db.jdbc.DefaultJdbcDatabase.getMetaData(DefaultJdbcDatabase.java:88)
    at io.airbyte.cdk.integrations.source.jdbc.AbstractJdbcSource.createDatabase(AbstractJdbcSource.java:451)
    at io.airbyte.cdk.integrations.source.jdbc.AbstractJdbcSource.createDatabase(AbstractJdbcSource.java:429)
    at io.airbyte.cdk.integrations.source.jdbc.AbstractJdbcSource.createDatabase(AbstractJdbcSource.java:88)
    at io.airbyte.cdk.integrations.source.relationaldb.AbstractDbSource.check(AbstractDbSource.java:96)
    at io.airbyte.cdk.integrations.base.ssh.SshTunnel.sshWrap(SshTunnel.java:344)
    at io.airbyte.cdk.integrations.base.ssh.SshWrappedSource.check(SshWrappedSource.java:54)
    at io.airbyte.cdk.integrations.base.IntegrationRunner.runInternal(IntegrationRunner.java:153)
    at io.airbyte.cdk.integrations.base.IntegrationRunner.run(IntegrationRunner.java:125)
    at io.airbyte.integrations.source.oracle.OracleSource.main(OracleSource.java:206)
Caused by: java.sql.SQLTransientConnectionException: HikariPool-1 - Connection is not available, request timed out after 60001ms (total=0, active=0, idle=0, waiting=0)
    at com.zaxxer.hikari.pool.HikariPool.createTimeoutException(HikariPool.java:686)
    at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:179)
    at com.zaxxer.hikari.pool.HikariPool.getConnection(HikariPool.java:144)
    at com.zaxxer.hikari.HikariDataSource.getConnection(HikariDataSource.java:99)
    at io.airbyte.cdk.db.jdbc.DefaultJdbcDatabase.getMetaData(DefaultJdbcDatabase.java:79)
    ... 9 more
Caused by: java.sql.SQLRecoverableException: IO Error: IO Error PKIX path building failed: sun.security.provider.certpath.SunCertPathBuilderException: unable to find valid certification path to requested target, Authentication lapse 0 ms.
    at oracle.jdbc.driver.T4CConnection.logon(T4CConnection.java:878)
    at oracle.jdbc.driver.PhysicalConnection.connect(PhysicalConnection.java:793)
    at oracle.jdbc.driver.T4CDriverExtension.getConnection(T4CDriverExtension.java:57)