rud
ZITADEL • 2y ago • 3 replies

no pg_hba.conf entry for host - `init`+`setup` works fine with PG, but main `start` entrypoint fails

I'm seeing PostgreSQL connection errors from the zitadel `start` process, and I'm finding them puzzling, as the `init` and `setup` processes complete successfully. This is using version `ghcr.io/zitadel/zitadel:v2.61.0`.

What does work:

`init` and `setup` processes run to completion and can all connect just fine to PostgreSQL and manage to set up the full structure of schemas and tables.

What does not work:

The main `start` process boots fine, but shortly after starts emitting messages of this format (IPs anonymized).

```
time="2024-09-06T11:26:02Z" level=info msg="query failed" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/repository/sql/query.go:129" error="failed to connect to `user=zitadel database=zitadel`: 10.10.10.5:5432 (example.com): server error: FATAL: no pg_hba.conf entry for host \"10.10.10.3\", user \"zitadel\", database \"zitadel\", SSL encryption (SQLSTATE 28000)"
```

* Zitadel server: 10.10.10.3
* PostgreSQL server: 10.10.10.5. Version 16.


Line from `pg_hba.conf` which I expected to allow access with the correct password:

```
# method database user    address       auth-method
hostssl  zitadel  zitadel 10.10.10.0/24 scram-sha-256
```

I verified the `zitadel` user in PostgreSQL does indeed use SCRAM-SHA-256:

```
zitadel=# select rolname,rolpassword from pg_authid where rolname = 'zitadel';
-[ RECORD 1 ]--------------------
rolname     | zitadel
rolpassword | SCRAM-SHA-256$4096:<snipped>

zitadel=# show password_encryption;
-[ RECORD 1 ]-------+--------------
password_encryption | scram-sha-256
```

I have served up the connection credentials (stored encrypted) as a snippet of YAML looking like this:

```yaml
database:
  postgres:
    Host: 10.10.10.5
    Port: 5432
    Database: zitadel
    User:
      Username: zitadel
      Password: TheActualPasswordInPlainTextHere
      SSL:
        Mode: require
```

What am I not seeing? As may be apparent from the above I've been looking at this for a while now 🙂
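As an added diagnostic example (not from the original post, and not ZITADEL or PostgreSQL code), the script below evaluates a connection attempt against `pg_hba.conf` rules the way PostgreSQL does: the first line whose type, database, user and address all match decides the auth method, a `hostssl` line is skipped entirely for a non-SSL client, and no matching line at all is what produces the SQLSTATE 28000 "no pg_hba.conf entry" error. The rule set is constructed; hostname addresses, `samehost`/`samenet`, `+group` users and `local` rules are assumed out of scope.

```python
"""Check a connection attempt against pg_hba.conf rules (first match wins)."""
import ipaddress
from dataclasses import dataclass

@dataclass
class Attempt:
    db: str
    user: str
    addr: str   # client source address as PostgreSQL sees it
    ssl: bool   # whether the client negotiated SSL

def _in_list(field: str, value: str) -> bool:
    # "all" matches anything; otherwise a comma-separated list of names
    return field == "all" or value in field.split(",")

def _addr_match(field: str, addr: str) -> bool:
    if field == "all":
        return True
    try:  # CIDR ("10.10.10.0/24") or "addr/netmask"; hostnames not handled
        return ipaddress.ip_address(addr) in ipaddress.ip_network(field, strict=False)
    except ValueError:
        return False

def _type_match(conn_type: str, ssl: bool) -> bool:
    # a hostssl rule is skipped for non-SSL clients, hostnossl for SSL clients
    return (conn_type == "host" or (conn_type == "hostssl" and ssl)
            or (conn_type == "hostnossl" and not ssl))

def match_hba(conf: str, a: Attempt):
    """Return (line_no, auth_method) of the first rule that matches, else None."""
    for n, raw in enumerate(conf.splitlines(), 1):
        parts = raw.split("#", 1)[0].split()   # strip comments and whitespace
        if len(parts) < 5 or parts[0] == "local":  # unix-socket rules skipped here
            continue
        conn_type, db, user, addr, method = parts[:5]  # extra auth options ignored
        if (_type_match(conn_type, a.ssl) and _in_list(db, a.db)
                and _in_list(user, a.user) and _addr_match(addr, a.addr)):
            return n, method
    return None

# Constructed sample: the rule from the post plus a loopback rule
SAMPLE_HBA = """\
# type  database user    address       auth-method
hostssl zitadel  zitadel 10.10.10.0/24 scram-sha-256
host    all      all     127.0.0.1/32  scram-sha-256
"""

if __name__ == "__main__":
    print(match_hba(SAMPLE_HBA, Attempt("zitadel", "zitadel", "10.10.10.3", True)))   # (2, 'scram-sha-256')
    print(match_hba(SAMPLE_HBA, Attempt("zitadel", "zitadel", "10.10.10.3", False)))  # None
```

Feed it the real file and the source address, database and user from the FATAL line to see which rule, if any, PostgreSQL would select; remember the server reads the `pg_hba.conf` of the running instance, so also confirm with `show hba_file;` that the file you edited is the one in use.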