PMM client setup is not compatible with SSL: no pg_hba.conf entry for host

Description

Steps to reproduce:
Create a cluster with SSL support
+ sslCA: cluster2-ssl-ca
+ sslSecretName: cluster2-ssl-keypair
+ sslReplicationSecretName: cluster2-ssl-keypair
upgradeOptions:
versionServiceEndpoint: https://check.percona.com
apply: disabled
@@ -17,109 +17,109 @@ spec:
port: "5432"
user: pguser
disableAutofail: false

  • tlsOnly: false
    + tlsOnly: true
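
Review bot: tlsOnly is switched to true at the end of this hunk, but nothing in the visible lines changes how the pmm-client sidecar connects, and its log below shows the exporter still using sslmode=disable against the pod address. Either pair this setting with a TLS-capable exporter connection that uses the sslCA and keypair secrets set in the previous hunk, or document that PMM monitoring has to be turned off while tlsOnly is true.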

https://docs.percona.com/percona-operator-for-postgresql/TLS.html#installation-of-the-cert-manager

PMM client is not able to connect:
kubectl -n pgo -c pmm-client logs cluster2-6b4984cc99-brghd
INFO[2023-02-21T17:14:50.853+00:00] time="2023-02-21T17:14:50Z" level=error msg="Error opening connection to database (postgres://postgres:PASSWORD_REMOVED@cluster2-6b4984cc99-brghd:5432/postgres?connect_timeout=1&sslmode=disable): \"pq: no pg_hba.conf entry for host \\\"10.42.2.10\\\", user \\\"postgres\\\", database \\\"postgres\\\", no encryption\": too many connection retries" source="postgres_exporter.go:1661" agentID=/agent_id/8a255b2a-cf9f-4b7d-8c72-2fcce88052a3 component=agent-process type=postgres_exporter

Solution:
a) create localhost record allowing insecure connections and connect to 127.0.0.1 instead of hostname:

b) handle ssl connection properly and use certificates for the pmm connection
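
An added example, not part of the original report or the operator's code: a small first-match pg_hba.conf evaluator that shows why the exporter's sslmode=disable connection finds no record on a TLS-only cluster, and what the loopback record from solution (a) does and does not open up. The two pg_hba.conf texts are constructed assumptions; the log excerpt is the one quoted above.

```python
import ipaddress
import re

# Constructed pg_hba.conf contents (assumption, not the operator's real file).
TLS_ONLY_HBA = """
local   all all            peer
hostssl all all 0.0.0.0/0  md5
"""
# The same file with the loopback record from solution (a) placed first.
WITH_LOOPBACK_HBA = "host all all 127.0.0.1/32 md5\n" + TLS_ONLY_HBA

# Excerpt of the exporter error quoted in the report above.
LOG = (r'(postgres://postgres:PASSWORD_REMOVED@cluster2-6b4984cc99-brghd:5432/postgres'
       r'?connect_timeout=1&sslmode=disable): \"pq: no pg_hba.conf entry for host '
       r'\\\"10.42.2.10\\\", user \\\"postgres\\\", database \\\"postgres\\\", no encryption')

def parse_hba(text):
    """Return (type, db, user, network) per TCP record; 'local' records never match TCP."""
    rules = []
    for line in text.splitlines():
        fields = line.split("#", 1)[0].split()
        if len(fields) >= 5 and fields[0] in ("host", "hostssl", "hostnossl"):
            rules.append((fields[0], fields[1], fields[2], ipaddress.ip_network(fields[3])))
    return rules

def first_match(rules, addr, user, db, ssl):
    """PostgreSQL uses the first record matching connection type, database, user, address."""
    ip = ipaddress.ip_address(addr)
    for kind, rdb, ruser, net in rules:
        if (kind == "hostssl" and not ssl) or (kind == "hostnossl" and ssl):
            continue  # record does not apply to this kind of connection
        if rdb in ("all", db) and ruser in ("all", user) and ip in net:
            return kind
    return None  # the server answers "no pg_hba.conf entry for host ..."

def parse_exporter_error(line):
    """Extract the client's sslmode and the rejected host/user/database from the log line."""
    mode = re.search(r"sslmode=([\w-]+)", line).group(1)
    host, user, db = re.search(
        r"entry for host \W*([\d.]+)\W+user \W*(\w+)\W+database \W*(\w+)", line).groups()
    return {"sslmode": mode, "host": host, "user": user, "db": db}

def explain(line, hba_text):
    """Replay the logged connection against a pg_hba.conf text; None means rejected."""
    e = parse_exporter_error(line)
    ssl = e["sslmode"] != "disable"  # simplification: ignores allow/prefer fallback
    return first_match(parse_hba(hba_text), e["host"], e["user"], e["db"], ssl)
```

With the loopback record in place, only connections to 127.0.0.1 are accepted without TLS; the pod-address connection from the log is still rejected, which is why solution (a) also requires the exporter to target 127.0.0.1 instead of the hostname.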

Environment

None

AFFECTED CS IDs

CS0032841

Activity

Slava Sarzhan 
March 22, 2023 at 10:46 AM

The issue was fixed. This fix will be available in the next PGv1 release.  

Jobin Augustine 
March 14, 2023 at 2:54 AM

Hi Team,

Customer is awaiting a fix.

Regards,

Jobin.

Nickolay Ihalainen 
February 21, 2023 at 7:48 PM

2.0.0 is also affected due to:

Done

Created February 21, 2023 at 7:23 PM
Updated March 5, 2024 at 3:51 PM
Resolved March 23, 2023 at 8:50 AM