From 7b9c2747cab44bc84ba9325ce8c618f3fbfee1bc Mon Sep 17 00:00:00 2001
From: darshitp091 <darshitp091@gmail.com>
Date: Sat, 23 May 2026 15:46:39 +0530
Subject: [PATCH] fix: scheme-aware ClickHouse DSN for migrations

Addresses issue #3674 by avoiding unconditional secure=true on HTTP ClickHouse URLs in the webapp entrypoint.
---
 docker/scripts/entrypoint.sh | 16 ++++------------
 1 file changed, 4 insertions(+), 12 deletions(-)

diff --git a/docker/scripts/entrypoint.sh b/docker/scripts/entrypoint.sh
index a6bc7dd15b9..127446f03b6 100755
--- a/docker/scripts/entrypoint.sh
+++ b/docker/scripts/entrypoint.sh
@@ -17,18 +17,10 @@ if [ -n "$CLICKHOUSE_URL" ] && [ "$SKIP_CLICKHOUSE_MIGRATIONS" != "1" ]; then
   # Run ClickHouse migrations
   echo "Running ClickHouse migrations..."
   export GOOSE_DRIVER=clickhouse
-  
-  # Ensure secure=true is in the connection string
-  if echo "$CLICKHOUSE_URL" | grep -q "secure="; then
-    # secure parameter already exists, use as is
-    export GOOSE_DBSTRING="$CLICKHOUSE_URL"
-  elif echo "$CLICKHOUSE_URL" | grep -q "?"; then
-    # URL has query parameters, append secure=true
-    export GOOSE_DBSTRING="${CLICKHOUSE_URL}&secure=true"
-  else
-    # URL has no query parameters, add secure=true
-    export GOOSE_DBSTRING="${CLICKHOUSE_URL}?secure=true"
-  fi
+
+  # Goose derives TLS from the URL scheme. Strip any existing secure query
+  # parameter and only set secure=true for https URLs.
+  export GOOSE_DBSTRING="$(node -e 'const url = new URL(process.env.CLICKHOUSE_URL); url.searchParams.delete("secure"); if (url.protocol === "https:") { url.searchParams.set("secure", "true"); } process.stdout.write(url.toString());')"
   
   export GOOSE_MIGRATION_DIR=/triggerdotdev/internal-packages/clickhouse/schema
   /usr/local/bin/goose up