rud
ZITADEL, 17mo ago
3 replies

no pg_hba.conf entry for host - `init`+`setup` works fine with PG, but main `start` entrypoint fails

I'm seeing PostgreSQL connection errors from the zitadel "start" process, and I'm finding them puzzling, as the init and setup processes complete successfully. This is using version ghcr.io/zitadel/zitadel:v2.61.0.

What does work:

The init and setup processes run to completion, connect to PostgreSQL just fine, and manage to set up the full structure of schemas and tables.

What does not work:

The main start process boots fine, but shortly afterwards starts emitting messages of this format (IPs anonymized).

time="2024-09-06T11:26:02Z" level=info msg="query failed" caller="/home/runner/work/zitadel/zitadel/internal/eventstore/repository/sql/query.go:129" error="failed to connect to `user=zitadel database=zitadel`: 10.10.10.5:5432 (example.com): server error: FATAL: no pg_hba.conf entry for host \"10.10.10.3\", user \"zitadel\", database \"zitadel\", SSL encryption (SQLSTATE 28000)"


* Zitadel server: 10.10.10.3
* PostgreSQL server: 10.10.10.5. Version 16.


Line from pg_hba.conf which I expected to allow access with the correct password:

# type    database user    address       auth-method
hostssl  zitadel  zitadel 10.10.10.0/24 scram-sha-256


I verified the zitadel user in PostgreSQL does indeed use SCRAM-SHA-256:

zitadel=# select rolname,rolpassword from pg_authid where rolname = 'zitadel';
-[ RECORD 1 ]--------------------
rolname     | zitadel
rolpassword | SCRAM-SHA-256$4096:<snipped>

zitadel=# show password_encryption;
-[ RECORD 1 ]-------+--------------
password_encryption | scram-sha-256


I have served up the connection credentials (stored encrypted) as a snippet of YAML looking like this:

database:
  postgres:
    Host: 10.10.10.5
    Port: 5432
    Database: zitadel
    User:
      Username: zitadel
      Password: TheActualPasswordInPlainTextHere
      SSL:
        Mode: require


What am I not seeing? As may be apparent from the above I've been looking at this for a while now 🙂
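Two checks worth running before staring at the file any longer, added here as a note and not part of the original post: `SELECT * FROM pg_hba_file_rules;` shows what the running server actually parsed (including an `error` column for lines it could not load), and `SELECT pg_reload_conf();` is needed after editing pg_hba.conf. Note also that the trailing "SSL encryption" in the FATAL message is PostgreSQL reporting that the rejected connection was TLS-encrypted, so a `hostssl` record can in principle match it. The script below is an added example, not code from the original post, from ZITADEL or from PostgreSQL: it emulates PostgreSQL's first-match lookup over a pg_hba.conf and reports which line (if any) a given client would hit, so one can test the poster's `hostssl` line against different combinations of database, user, address and TLS. The sample pg_hba.conf embedded in it is constructed (the poster's line plus assumed surrounding records), and the parser deliberately supports only the `local`/`host`/`hostssl`/`hostnossl` record types, the `all` keyword and plain comma-separated names; `samehost`, `samenet`, `sameuser`, `samerole`, `+group` names, `hostgssenc` and `include` are not handled.

```python
"""Emulate PostgreSQL's pg_hba.conf first-match lookup for a client connection.

Added example; not code from the original post, ZITADEL or PostgreSQL.
Assumed simplifications: only local/host/hostssl/hostnossl record types,
the 'all' keyword and comma-separated names for database/user. Not handled:
samehost, samenet, sameuser, samerole, +group, hostgssenc, include.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]


@dataclass
class HbaRule:
    line_no: int
    conn_type: str              # local | host | hostssl | hostnossl
    databases: list[str]
    users: list[str]
    network: Optional[Network]  # None for 'local' records
    method: str


def parse_pg_hba(text: str) -> list[HbaRule]:
    """Parse pg_hba.conf text into rules, preserving file order (order matters)."""
    rules: list[HbaRule] = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()       # drop comments / blank lines
        if not line:
            continue
        f = line.split()
        conn_type, dbs, users = f[0], f[1].split(","), f[2].split(",")
        if conn_type == "local":
            rules.append(HbaRule(line_no, conn_type, dbs, users, None, f[3]))
            continue
        if conn_type not in ("host", "hostssl", "hostnossl"):
            raise ValueError(f"line {line_no}: unsupported record type {conn_type!r}")
        if "/" in f[3]:                           # CIDR form: 10.10.10.0/24
            network, method = ipaddress.ip_network(f[3], strict=False), f[4]
        else:                                     # address + separate netmask field
            network, method = ipaddress.ip_network(f"{f[3]}/{f[4]}", strict=False), f[5]
        rules.append(HbaRule(line_no, conn_type, dbs, users, network, method))
    return rules


def _names_match(patterns: list[str], name: str) -> bool:
    return any(p == "all" or p == name for p in patterns)


def find_rule(rules: list[HbaRule], *, database: str, user: str,
              client_ip: Optional[str] = None, ssl: bool = False) -> Optional[HbaRule]:
    """Return the FIRST matching rule, or None.

    PostgreSQL stops at the first record whose type, address, database and user
    all match and uses that record's auth-method, even if a later record would
    have allowed the login. None corresponds to the
    'no pg_hba.conf entry for host ...' FATAL (SQLSTATE 28000).
    """
    ip = ipaddress.ip_address(client_ip) if client_ip is not None else None
    for r in rules:
        if r.conn_type == "local":
            if ip is not None:                    # TCP client never matches 'local'
                continue
        else:
            if ip is None:
                continue
            if r.conn_type == "hostssl" and not ssl:
                continue
            if r.conn_type == "hostnossl" and ssl:
                continue
            if ip.version != r.network.version or ip not in r.network:
                continue
        if not _names_match(r.databases, database) or not _names_match(r.users, user):
            continue
        return r
    return None


# Constructed sample: the poster's hostssl line plus assumed surrounding records.
SAMPLE_PG_HBA = """
# TYPE    DATABASE  USER     ADDRESS                   METHOD
local     all       postgres                           peer
host      all       all      127.0.0.1/32              scram-sha-256
host      all       all      ::1/128                   scram-sha-256
hostssl   zitadel   zitadel  10.10.10.0/24             scram-sha-256
host      zitadel   zitadel  10.10.20.0 255.255.255.0  reject
"""


def describe(rule: Optional[HbaRule]) -> str:
    if rule is None:
        return "no pg_hba.conf entry (FATAL 28000)"
    return f"line {rule.line_no}: {rule.conn_type} -> {rule.method}"


def demo() -> dict[str, str]:
    rules = parse_pg_hba(SAMPLE_PG_HBA)
    cases = {
        # poster's scenario: TLS on, right user/db, in-range address
        "ssl_from_10.10.10.3": dict(database="zitadel", user="zitadel", client_ip="10.10.10.3", ssl=True),
        # same client without TLS: hostssl never matches a plaintext connection
        "plain_from_10.10.10.3": dict(database="zitadel", user="zitadel", client_ip="10.10.10.3", ssl=False),
        # right address and user, but a different database name
        "ssl_other_db": dict(database="postgres", user="zitadel", client_ip="10.10.10.3", ssl=True),
        # address outside every host/hostssl network
        "ssl_from_10.10.30.9": dict(database="zitadel", user="zitadel", client_ip="10.10.30.9", ssl=True),
        # netmask-form 'reject' record matches first and wins
        "ssl_from_10.10.20.7": dict(database="zitadel", user="zitadel", client_ip="10.10.20.7", ssl=True),
    }
    return {name: describe(find_rule(rules, **kw)) for name, kw in cases.items()}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:24s} {result}")
```

Feed it the real file (`open("/path/to/pg_hba.conf").read()` in place of `SAMPLE_PG_HBA`) and the exact database, user, source address and TLS state from the FATAL message; if the emulation returns a rule but the server still rejects the login, compare against `pg_hba_file_rules` to confirm the server loaded the same file and line.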