rud
rud•10mo ago

no pg_hba.conf entry for host - `init`+`setup` works fine with PG, but main `start` entrypoint fails

I'm seeing PostgreSQL connection errors from the zitadel "start" process, and I'm finding them puzzling, as the init and setup processes complete successfully. This is using version ghcr.io/zitadel/zitadel:v2.61.0.

What does work: init and setup processes run to completion and can all connect just fine to PostgreSQL and manage to set up the full structure of schemas and tables.

What does not work: The main start process boots fine, but shortly after starts emitting messages of this format (IPs anonymized).
```
time="2024-09-06T11:26:02Z" level=info msg="query failed" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/repository/sql/query.go:129" error="failed to connect to `user=zitadel database=zitadel`: 10.10.10.5:5432 (example.com): server error: FATAL: no pg_hba.conf entry for host \"10.10.10.3\", user \"zitadel\", database \"zitadel\", SSL encryption (SQLSTATE 28000)"
```
* Zitadel server: 10.10.10.3
* PostgreSQL server: 10.10.10.5. Version 16.

Line from pg_hba.conf which I expected to allow access with the correct password:
```
# type    database  user     address         auth-method
hostssl   zitadel   zitadel  10.10.10.0/24   scram-sha-256
```
I verified the zitadel user in PostgreSQL does indeed use SCRAM-SHA-256:
```
zitadel=# select rolname,rolpassword from pg_authid where rolname = 'zitadel';
-[ RECORD 1 ]--------------------
rolname     | zitadel
rolpassword | SCRAM-SHA-256$4096:<snipped>

zitadel=# show password_encryption;
-[ RECORD 1 ]-------+--------------
password_encryption | scram-sha-256
```
I have served up the connection credentials (stored encrypted) as a snippet of YAML looking like this:
```yaml
database:
  postgres:
    Host: 10.10.10.5
    Port: 5432
    Database: zitadel
    User:
      Username: zitadel
      Password: TheActualPasswordInPlainTextHere
      SSL:
        Mode: require
```
What am I not seeing? As may be apparent from the above I've been looking at this for a while now 🙂
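A useful way to reason about errors like the one above is to remember how PostgreSQL evaluates pg_hba.conf: it walks the file top to bottom and takes the first record whose connection type (host/hostssl/hostnossl), database, user and client address all match; if no record matches, the server answers with exactly the "no pg_hba.conf entry for host ..." FATAL seen in the log, and if a record matches but authentication fails you get a different error. The script below is an added example, not Zitadel or PostgreSQL code; it reimplements that matching for a constructed pg_hba.conf (using the addresses from this thread) so you can check offline which record a given client would hit. It assumes only host-type records with CIDR or address-plus-netmask forms and the `all` keyword; `local`, `sameuser`/`samerole`, `+group` and `@file` syntax are out of scope.

```python
"""Minimal pg_hba.conf matcher (added example; not Zitadel or PostgreSQL code).

Models PostgreSQL's first-match evaluation of pg_hba.conf for host-type
records.  Assumptions: records are 'host', 'hostssl' or 'hostnossl',
addresses are CIDR or 'addr mask', and the only keyword handled is 'all'.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class HbaRecord:
    conn_type: str        # host | hostssl | hostnossl
    databases: List[str]  # comma-separated names or 'all'
    users: List[str]      # comma-separated names or 'all'
    network: Network
    method: str           # e.g. scram-sha-256, md5, reject
    lineno: int           # 1-based line in the file, for diagnostics


def parse_pg_hba(text: str) -> List[HbaRecord]:
    """Parse host-type records; comments and blank lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if fields[0] == "local":
            continue  # unix-socket records have no address; out of scope here
        conn_type, db, user = fields[0], fields[1], fields[2]
        if "/" in fields[3]:
            # CIDR form: 10.10.10.0/24
            network = ipaddress.ip_network(fields[3], strict=False)
            method = fields[4]
        else:
            # address + separate netmask form: 10.10.10.0 255.255.255.0
            network = ipaddress.ip_network(f"{fields[3]}/{fields[4]}", strict=False)
            method = fields[5]
        records.append(HbaRecord(conn_type, db.split(","), user.split(","),
                                 network, method, lineno))
    return records


def _name_matches(patterns: List[str], name: str) -> bool:
    return "all" in patterns or name in patterns


def first_match(records: List[HbaRecord], client_ip: str, database: str,
                user: str, ssl: bool) -> Optional[HbaRecord]:
    """Return the first record PostgreSQL would select, or None (=> 28000 FATAL)."""
    ip = ipaddress.ip_address(client_ip)
    for rec in records:
        if rec.conn_type == "hostssl" and not ssl:
            continue  # hostssl only matches TLS connections
        if rec.conn_type == "hostnossl" and ssl:
            continue  # hostnossl only matches plaintext connections
        if ip.version != rec.network.version or ip not in rec.network:
            continue
        if not _name_matches(rec.databases, database):
            continue
        if not _name_matches(rec.users, user):
            continue
        return rec
    return None


def explain(records: List[HbaRecord], client_ip: str, database: str,
            user: str, ssl: bool) -> str:
    """Human-readable verdict for one hypothetical client connection."""
    rec = first_match(records, client_ip, database, user, ssl)
    if rec is None:
        return (f"no pg_hba.conf entry for host {client_ip}, user {user}, "
                f"database {database}, {'SSL' if ssl else 'no'} encryption")
    return f"line {rec.lineno}: {rec.conn_type} -> auth method {rec.method}"


# Constructed sample file using the addresses from the thread.
SAMPLE_HBA = """\
# TYPE  DATABASE  USER     ADDRESS         METHOD
hostssl zitadel   zitadel  10.10.10.0/24   scram-sha-256
host    all       all      127.0.0.1/32    scram-sha-256
"""

if __name__ == "__main__":
    recs = parse_pg_hba(SAMPLE_HBA)
    # Zitadel host, TLS on (SSL Mode: require): matches the hostssl record.
    print(explain(recs, "10.10.10.3", "zitadel", "zitadel", ssl=True))
    # Same host without TLS: hostssl does not apply, so no entry matches.
    print(explain(recs, "10.10.10.3", "zitadel", "zitadel", ssl=False))
```

On a live server the equivalent check is the `pg_hba_file_rules` view, which shows how the running PostgreSQL parsed the file (including an `error` column for lines it rejected); note that edits to pg_hba.conf only take effect after `SELECT pg_reload_conf();` or a server reload, so a correct-looking line on disk can still be inactive.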
rud
rudOP•9mo ago
I take this extract from the log to mean the setup step was able to connect to the database and do migration work:
```
time="2024-09-06T07:34:20Z" level=info msg="setup started" caller="/home/runner/work/zitadel/zitadel/cmd/setup/setup.go:99"
time="2024-09-06T07:34:25Z" level=info msg="verify migration" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:43" name=14_events_push
time="2024-09-06T07:34:25Z" level=info msg="verify migration" caller="/home/runner/work/zitadel/zitadel/internal/migration/migration.go:43" name=01_tables
```
Could it be ufw? The database server simply has 5432/tcp ALLOW; could be a rate-limiting thing?

Resolution: it was ufw.
