Argo Database Persistence SSL does not work

[AntoineDao]

Checklist:

• I've included the version.
• I've included reproduction steps.
• I've included the workflow YAML.
• I've included the logs.

What happened:
Setting up SSL on postgres database to persist workflow objects fails because config is incorrect.

What you expected to happen:
I expected SSL to work 😄

How to reproduce it (as minimally and precisely as possible):
Deploy argo with Helm chart v0.6.4 and set values as follows:

argo:
  controller:
    persistence:
      connectionPool:
        maxIdleConns: 100
        maxOpenConns: 0
      # save the entire workflow into etcd and DB
      nodeStatusOffLoad: false
      postgresql:
        host: database.data.com
        port: 25060
        database: test
        tableName: argo_workflows
        userNameSecret:
          name: argo-postgres-secret
          key: POSTGRES_USER
        passwordSecret:
          name: argo-postgres-secret
          key: POSTGRES_PASSWORD
        ssl: true

Anything else we need to know?:

This relates to the following issue (#1712) and PR (#1756)

Environment:

• Argo version: 2.4.3

$ argo version

• Kubernetes version : 1.15.5

$ kubectl version -o yaml

Other debugging information (if applicable):

• workflow-controller logs:

time="2019-12-17T04:12:15Z" level=info msg="workflow controller configuration from argo-workflow-controller-configmap:\ncontainerRuntimeExecutor: docker\nartifactRepository:\n  archiveLogs: true\n  s3:\n    accessKeySecret:\n      key: accesskey\n      name: argo-artifact-creds\n    secretKeySecret:\n      key: secretkey\n      name: argo-artifact-creds\n    bucket: pollination-bucket\n    endpoint: argo-minio:9000\n    insecure: false\n    keyPrefix: simulation-logs\npersistence:\n  connectionPool:\n    maxIdleConns: 100\n    maxOpenConns: 0\n  nodeStatusOffLoad: false\n  postgresql:\n    database: simulations\n    host: data-hive-do-user-2842631-0.db.ondigitalocean.com\n    passwordSecret:\n      key: POSTGRES_PASSWORD\n      name: argo-postgres-secret\n    port: 25060\n    ssl: true\n    tableName: argo_workflows\n    userNameSecret:\n      key: POSTGRES_USER\n      name: argo-postgres-secret\n  \n"
time="2019-12-17T04:12:15Z" level=info msg="Persistence configuration enabled"
time="2019-12-17T04:12:15Z" level=error msg="Error in createPersistenceContext. pq: unsupported sslmode \"true\"; only \"require\" (default), \"verify-full\", \"verify-ca\", and \"disable\" supported"
time="2019-12-17T04:12:15Z" level=error msg="Error Creating Persistence context. pq: unsupported sslmode \"true\"; only \"require\" (default), \"verify-full\", \"verify-ca\", and \"disable\" supported"
time="2019-12-17T04:12:15Z" level=info msg="Workflow Controller (version: v2.4.3) starting"
time="2019-12-17T04:12:15Z" level=info msg="Workers: workflow: 8, pod: 8"
time="2019-12-17T04:12:15Z" level=info msg="Watch Workflow controller config map updates"
time="2019-12-17T04:12:15Z" level=info msg="Starting workflow TTL controller (resync 20m0s)"
time="2019-12-17T04:12:15Z" level=info msg="Detected ConfigMap update. Updating the controller config."
time="2019-12-17T04:12:15Z" level=info msg="workflow controller configuration from argo-workflow-controller-configmap:\ncontainerRuntimeExecutor: docker\nartifactRepository:\n  archiveLogs: true\n  s3:\n    accessKeySecret:\n      key: accesskey\n      name: argo-artifact-creds\n    secretKeySecret:\n      key: secretkey\n      name: argo-artifact-creds\n    bucket: bucket\n    endpoint: argo-minio:9000\n    insecure: false\n    keyPrefix: simulation-logs\npersistence:\n  connectionPool:\n    maxIdleConns: 100\n    maxOpenConns: 0\n  nodeStatusOffLoad: false\n  postgresql:\n    database: test\n    host: database.my-data.com\n    passwordSecret:\n      key: POSTGRES_PASSWORD\n      name: argo-postgres-secret\n    port: 25060\n    ssl: true\n    tableName: argo_workflows\n    userNameSecret:\n      key: POSTGRES_USER\n      name: argo-postgres-secret\n  \n"
time="2019-12-17T04:12:15Z" level=info msg="Persistence configuration enabled"
time="2019-12-17T04:12:15Z" level=error msg="Error in createPersistenceContext. pq: unsupported sslmode \"true\"; only \"require\" (default), \"verify-full\", \"verify-ca\", and \"disable\" supported"
time="2019-12-17T04:12:15Z" level=error msg="Error Creating Persistence context. pq: unsupported sslmode \"true\"; only \"require\" (default), \"verify-full\", \"verify-ca\", and \"disable\" supported"
time="2019-12-17T04:12:16Z" level=info msg="Started workflow TTL worker"

[AntoineDao]

I will aim to submit a fix within the next day or two as it seems the issue is just that the SSL config should accept:

• require
• verify-full
• verify-ca
• disable

Oddly enough the debugging message indicates that sslmode is set to require by default. Not sure why previous workflow-manager pods with persistence were not able to use SSL.

[logicfox]

I know its holidays, but did you get a chance to work on the PR? I'd really love to test this feature and start using it.