
Unable to disable TLS effectively #3915

Open
christian-schlichtherle opened this issue May 20, 2024 · 3 comments

Comments

@christian-schlichtherle

christian-schlichtherle commented May 20, 2024

All node-to-node communication in our cluster is secured by a VPN, so I want to disable TLS because it's not helping with security, but only reducing bandwidth instead (~ 30% when I tested it some years ago - YMMV).

In another issue (which is now closed), it was said I should configure:

spec:
  patroni:
    dynamicConfiguration:
      postgresql:
        pg_hba:
          - "hostnossl all all all md5"
  proxy:
    pgBouncer:
      config:
        global:
          server_tls_sslmode: disable

However, this results in the following pg_hba.conf:

# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
hostssl all "_crunchypgbouncer" all scram-sha-256
host all "_crunchypgbouncer" all reject
hostnossl all all all md5

The problem is that my custom rule is appended, but the rules are order-specific. So when I try to connect via pgbouncer, I get this:

$ psql -h test-pgbouncer.test.svc -U test
psql: error: connection to server at "test-pgbouncer.test.svc" (10.33.150.124), port 5432 failed: FATAL:  pg_hba.conf rejects connection for host "10.32.2.221", user "_crunchypgbouncer", database "test", no encryption
connection to server at "test-pgbouncer.test.svc" (10.33.150.124), port 5432 failed: FATAL:  SSL required

I'm using PGO 5.5 with Pg 16.
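As an added example (not part of this issue or the PGO project), the following walks the pg_hba.conf quoted above with PostgreSQL's first-match rule, to show why the appended hostnossl line is never reached for PgBouncer's non-TLS backend connection. The entries are copied from the file above; the matcher is simplified and assumes the address column is "all".

```python
# Added example, not from the issue or the PGO project. It models only the
# pg_hba.conf subset needed here: the type column (local/host/hostssl/hostnossl)
# plus database and user with "all" and quoted names. The address column is
# assumed "all"; CIDR masks, group roles, regexes and "replication" are not modelled.

# Copied from the issue: Patroni's generated rules, custom rule appended last.
PG_HBA_FROM_ISSUE = """\
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
hostssl all "_crunchypgbouncer" all scram-sha-256
host all "_crunchypgbouncer" all reject
hostnossl all all all md5
"""


def parse_pg_hba(text):
    """Return (type, database, user, method) tuples, skipping comments."""
    rules = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        f = [x.strip('"') for x in line.split()]
        method = f[3] if f[0] == "local" else f[4]  # "local" lines have no address
        rules.append((f[0], f[1], f[2], method))
    return rules


def type_matches(rule_type, ssl):
    """TCP client: hostssl needs TLS, hostnossl needs plain, host takes both."""
    if rule_type == "hostssl":
        return ssl
    if rule_type == "hostnossl":
        return not ssl
    return rule_type == "host"  # "local" never matches a TCP client


def method_for(text, database, user, ssl):
    """Method of the first matching line, as PostgreSQL applies it; None if none."""
    for rtype, rdb, ruser, method in parse_pg_hba(text):
        if type_matches(rtype, ssl) and rdb in ("all", database) and ruser in ("all", user):
            return method
    return None


# PgBouncer's backend connection from the issue: no TLS, so every "hostssl" line
# is skipped and "host ... reject" wins before the "hostnossl" line is reached.
BOUNCER_PLAIN = method_for(PG_HBA_FROM_ISSUE, "test", "_crunchypgbouncer", ssl=False)
```

Prepending the same hostnossl line ahead of Patroni's reject rule makes `method_for` return `md5` for that connection, which is the order dependence the issue describes.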

@andreas-geissler

I can confirm this problem, while trying to use pgbouncer in a ServiceMesh environment (Istio).
Is there any plan to fix this issue?

@agravelot

client_tls_sslmode: disable will correct the SSL required error.
But pg_hba.conf will still be broken, auth will fail.

@Y0ngg4n

Y0ngg4n commented Aug 27, 2024

Any updates on this issue? pgbouncer without TLS is unusable without a proper pg_hba.
