bitnami / charts

Bitnami Helm Charts
https://bitnami.com

Enabling metrics with mutual tls enabled starts logging authentication errors for bitnami/postgresql #29348

Closed Haskell-fmap closed 1 month ago

Haskell-fmap commented 2 months ago

Name and Version

bitnami/postgresql-15.5.28

What architecture are you using?

amd64

What steps will reproduce the bug?

  1. Environment - Azure AKS with Kubernetes version v1.29.4
  2. Config - use config for bitnami chart which I've supplied in the "Are you using any custom parameters or values?" The most important part is setting metrics.enabled and tls.enabled.
  3. Run - Simply apply the helm release with "kubectl apply -f" (best to create a new stateful set, modifying charts linked to old sets tends to not show the error)
  4. See error -
    2024-09-10 17:42:47.293 GMT [2050] LOG:  certificate authentication failed for user "postgres": client certificate contains no user name
    2024-09-10 17:42:47.385 GMT [2050] FATAL:  certificate authentication failed for user "postgres"
    2024-09-10 17:42:47.385 GMT [2050] DETAIL:  Connection matched file "/opt/bitnami/postgresql/conf/pg_hba.conf" line 1: "hostssl     all             all             0.0.0.0/0               cert"

Are you using any custom parameters or values?

    fullNameOverride: keycloak-postgres
    metrics:
      enabled: true
      serviceMonitor:
        enabled: true
        labels:
          app.kubernetes.io/part-of: postgres
          release: kube-prometheus-stack
        namespace: monitoring
    primary:
      extendedConfiguration: |
        max_connections = 400
    tls:
      autoGenerated: false
      certCAFilename: ca.crt
      certFilename: tls.crt
      certKeyFilename: tls.key
      certificatesSecret: <secret-name>
      enabled: true

What is the expected behavior?

Errors regarding logging into a database for user postgres do not occur

What do you see instead?

Pod is constantly logging

    2024-09-10 17:42:47.293 GMT [2050] LOG:  certificate authentication failed for user "postgres": client certificate contains no user name
    2024-09-10 17:42:47.385 GMT [2050] FATAL:  certificate authentication failed for user "postgres"
    2024-09-10 17:42:47.385 GMT [2050] DETAIL:  Connection matched file "/opt/bitnami/postgresql/conf/pg_hba.conf" line 1: "hostssl     all             all             0.0.0.0/0               cert"

Additional information

Weirdly, metrics seem to be properly collected.

Since the default pg_hba.conf file has host all all 0.0.0.0/0 md5 as the first line, I've tried to manually set it with primary.pgHbaConfiguration, but then I'm simply getting

    2024-09-10 17:05:00.315 GMT [34207] FATAL:  password authentication failed for user "postgres"
    2024-09-10 17:05:00.315 GMT [34207] DETAIL:  User "postgres" has no password assigned.
            Connection matched file "/opt/bitnami/postgresql/conf/pg_hba.conf" line 2: "host     all             all        127.0.0.1/32                 md5"

but now metrics are also gone(?). Keeping the settings auth.enablePostgresUser: true and/or auth.postgresPassword doesn't help either.

The only thing that helps with that is to add host all all localhost trust, but I don't want to do this as this is insecure.

I don't see any option to add a password or certificates under values.metrics.
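
Added example (not part of the original report and not code from the chart): a small first-match evaluator for pg_hba.conf host records, showing why a TLS connection from 127.0.0.1 is sent to the cert record and never reaches a later localhost record, plus a check that flags trust records. The sample file is constructed from the two records quoted in the logs above; putting them in one file in this order, and the helper names, are assumptions.

```python
import ipaddress

# Constructed pg_hba.conf: the two records quoted in the logs above, placed in
# one file with the cert record first (an assumption made for illustration).
SAMPLE_HBA = """\
hostssl     all             all             0.0.0.0/0               cert
host        all             all             127.0.0.1/32            md5
"""

def parse_hba(text):
    """Parse host/hostssl/hostnossl records (hypothetical helper)."""
    rules = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        fields = raw.split("#", 1)[0].split()
        if len(fields) < 5 or fields[0] not in ("host", "hostssl", "hostnossl"):
            continue  # "local" records, blanks and comments are out of scope
        try:
            net = ipaddress.ip_network(fields[3])
        except ValueError:
            net = None  # host name such as "localhost"; not resolved here
        rules.append({"line": lineno, "type": fields[0],
                      "dbs": fields[1].split(","), "users": fields[2].split(","),
                      "net": net, "method": fields[4]})
    return rules

def first_match(rules, db, user, addr, ssl):
    """First record matching the connection; PostgreSQL consults only that one."""
    ip = ipaddress.ip_address(addr)
    for r in rules:
        if (r["type"] == "hostssl" and not ssl) or (r["type"] == "hostnossl" and ssl):
            continue
        if "all" not in r["dbs"] and db not in r["dbs"]:
            continue
        if "all" not in r["users"] and user not in r["users"]:
            continue
        if r["net"] is not None and ip in r["net"]:
            return r
    return None

def trust_over_tcp(rules):
    """Line numbers of TCP records that skip authentication entirely."""
    return [r["line"] for r in rules if r["method"] == "trust"]

if __name__ == "__main__":
    rules = parse_hba(SAMPLE_HBA)
    for ssl in (True, False):
        m = first_match(rules, "postgres", "postgres", "127.0.0.1", ssl)
        print(f"ssl={ssl}: line {m['line']} -> {m['method']}")
```

Because 0.0.0.0/0 also covers 127.0.0.1, only a non-TLS connection falls through to the localhost record in this sample; when the selected record's method fails, the connection is rejected rather than tried against later records.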

Haskell-fmap commented 2 months ago

Hi @carrodher, I see that this has been moved to "in-progress", does that mean that there's an investigation on this being done? I would be grateful for some update.

github-actions[bot] commented 2 months ago

This Issue has been automatically marked as "stale" because it has not had recent activity (for 15 days). It will be closed if no further activity occurs. Thanks for the feedback.

github-actions[bot] commented 1 month ago

Due to the lack of activity in the last 5 days since it was marked as "stale", we proceed to close this Issue. Do not hesitate to reopen it later if necessary.