Skip to content

fix(docker): stop injecting secure=true into CLICKHOUSE_URL #3190

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed
mangit955 wants to merge 1 commit into from
Closed

fix(docker): stop injecting secure=true into CLICKHOUSE_URL #3190

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 2 additions & 11 deletions docker/scripts/entrypoint.sh
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -18,17 +18,8 @@ if [ -n "$CLICKHOUSE_URL" ] && [ "$SKIP_CLICKHOUSE_MIGRATIONS" != "1" ]; then
echo "Running ClickHouse migrations..."
export GOOSE_DRIVER=clickhouse

# Ensure secure=true is in the connection string
if echo "$CLICKHOUSE_URL" | grep -q "secure="; then
# secure parameter already exists, use as is
export GOOSE_DBSTRING="$CLICKHOUSE_URL"
elif echo "$CLICKHOUSE_URL" | grep -q "?"; then
# URL has query parameters, append secure=true
export GOOSE_DBSTRING="${CLICKHOUSE_URL}&secure=true"
else
# URL has no query parameters, add secure=true
export GOOSE_DBSTRING="${CLICKHOUSE_URL}?secure=true"
fi
# Use the provided ClickHouse URL directly
export GOOSE_DBSTRING="$CLICKHOUSE_URL"
Comment on lines +21 to +22
Copy link
Contributor

@devin-ai-integration devin-ai-integration bot Mar 7, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

🚩 Breaking change for self-hosting users who relied on implicit secure=true

The old code automatically appended secure=true to CLICKHOUSE_URL if no secure= parameter was present. Self-hosting users who previously omitted the secure parameter from their CLICKHOUSE_URL (relying on the entrypoint to inject it) will now have their goose migrations connect without TLS. This could cause migration failures if their ClickHouse instance requires secure connections. The hosting/docker/.env.example:65 already includes ?secure=false explicitly, and hosting/docker/webapp/docker-compose.yml:71 defaults to ?secure=false, suggesting the self-hosting defaults are fine. However, users with production ClickHouse behind TLS who relied on the auto-injection will need to update their CLICKHOUSE_URL to include secure=true.

Open in Devin Review

Was this helpful? React with 👍 or 👎 to provide feedback.


export GOOSE_MIGRATION_DIR=/triggerdotdev/internal-packages/clickhouse/schema
/usr/local/bin/goose up
Expand Down