graphprotocol / indexer

Graph Protocol indexer components and infrastructure
MIT License

connect to postgres with ssl option #827

Open MattKetmo opened 12 months ago

MattKetmo commented 12 months ago

Hello, I'm trying to connect the graph index to our Postgres DB which expects to use an SSL connection, but I get the error SequelizeConnectionError: no pg_hba.conf entry for host ...

Full error trace

Starting the Indexer Agent in single-network mode
{"level":20,"time":1701860133051,"pid":1,"hostname":"graph-network-indexer-agent-0","name":"IndexerAgent","msg":"Reviewing Indexer Agent configuration"}
{"level":40,"time":1701860133052,"pid":1,"hostname":"graph-network-indexer-agent-0","name":"IndexerAgent","msg":"The option '--collect-receipts-endpoint' is deprecated. Please use the option '--gateway-endpoint' to inform the Gateway base URL."}
{"level":40,"time":1701860133052,"pid":1,"hostname":"graph-network-indexer-agent-0","name":"IndexerAgent","gasIncreaseTimeout":0.24,"msg":"Gas increase timeout is set to less than 0.24 seconds. This may lead to high gas usage"}
{"level":30,"time":1701860133180,"pid":1,"hostname":"graph-network-indexer-agent-0","name":"IndexerAgent","host":"xxxxxxx.eu-west-1.rds.amazonaws.com","port":5432,"database":"indexer","poolMax":50,"msg":"Connect to database"}
{"level":20,"time":1701860133212,"pid":1,"hostname":"graph-network-indexer-agent-0","name":"IndexerAgent","component":"MetricsServer","component":"MetricsServer","port":7300,"msg":"Listening on port"}
{"level":40,"time":1701860133221,"pid":1,"hostname":"graph-network-indexer-agent-0","name":"IndexerAgent","err":{"type":"IndexerError","message":"Unhandled promise rejection","stack":"IndexerError: Unhandled promise rejection\n    at indexerError (/opt/indexer/packages/indexer-common/dist/errors.js:173:12)\n    at process. (/opt/indexer/packages/indexer-agent/dist/commands/start.js:387:56)\n    at process.emit (node:events:527:28)\n    at process.emit (node:domain:475:12)\n    at emit (node:internal/process/promises:140:20)\n    at processPromiseRejections (node:internal/process/promises:274:27)\n    at processTicksAndRejections (node:internal/process/task_queues:97:32)","code":"IE035","explanation":"https://github.com/graphprotocol/indexer/blob/main/docs/errors.md#ie035","cause":{"type":"ConnectionError","message":"no pg_hba.conf entry for host \"X.X.X.X\", user \"thegraph\", database \"indexer\", no encryption","stack":"SequelizeConnectionError: no pg_hba.conf entry for host \"X.X.X.X\", user \"thegraph\", database \"indexer\", no encryption\n    at Client._connectionCallback (/opt/indexer/node_modules/sequelize/lib/dialects/postgres/connection-manager.js:143:24)\n    at Client._handleErrorWhileConnecting (/opt/indexer/node_modules/pg/lib/client.js:327:19)\n    at Client._handleErrorMessage (/opt/indexer/node_modules/pg/lib/client.js:347:19)\n    at Connection.emit (node:events:527:28)\n    at Connection.emit (node:domain:475:12)\n    at /opt/indexer/node_modules/pg/lib/connection.js:117:12\n    at Parser.parse (/opt/indexer/node_modules/pg-protocol/dist/parser.js:40:17)\n    at Socket. (/opt/indexer/node_modules/pg-protocol/dist/index.js:11:42)\n    at Socket.emit (node:events:527:28)\n    at Socket.emit (node:domain:475:12)","name":"SequelizeConnectionError","parent":{"type":"DatabaseError","message":"no pg_hba.conf entry for host \"X.X.X.X\", user \"thegraph\", database \"indexer\", no encryption","stack":"error: no pg_hba.conf entry for host \"X.X.X.X\", user \"thegraph\", database \"indexer\", no encryption\n    at Parser.parseErrorMessage (/opt/indexer/node_modules/pg-protocol/dist/parser.js:287:98)\n    at Parser.handlePacket (/opt/indexer/node_modules/pg-protocol/dist/parser.js:126:29)\n    at Parser.parse (/opt/indexer/node_modules/pg-protocol/dist/parser.js:39:38)\n    at Socket. (/opt/indexer/node_modules/pg-protocol/dist/index.js:11:42)\n    at Socket.emit (node:events:527:28)\n    at Socket.emit (node:domain:475:12)\n    at addChunk (node:internal/streams/readable:315:12)\n    at readableAddChunk (node:internal/streams/readable:289:9)\n    at Socket.Readable.push (node:internal/streams/readable:228:10)\n    at TCP.onStreamRead (node:internal/stream_base_commons:190:23)","length":159,"name":"error","severity":"FATAL","code":"28000","file":"auth.c","line":"550","routine":"ClientAuthentication"},"original":{"type":"DatabaseError","message":"no pg_hba.conf entry for host \"X.X.X.X\", user \"thegraph\", database \"indexer\", no encryption","stack":"error: no pg_hba.conf entry for host \"X.X.X.X\", user \"thegraph\", database \"indexer\", no encryption\n    at Parser.parseErrorMessage (/opt/indexer/node_modules/pg-protocol/dist/parser.js:287:98)\n    at Parser.handlePacket (/opt/indexer/node_modules/pg-protocol/dist/parser.js:126:29)\n    at Parser.parse (/opt/indexer/node_modules/pg-protocol/dist/parser.js:39:38)\n    at Socket. (/opt/indexer/node_modules/pg-protocol/dist/index.js:11:42)\n    at Socket.emit (node:events:527:28)\n    at Socket.emit (node:domain:475:12)\n    at addChunk (node:internal/streams/readable:315:12)\n    at readableAddChunk (node:internal/streams/readable:289:9)\n    at Socket.Readable.push (node:internal/streams/readable:228:10)\n    at TCP.onStreamRead (node:internal/stream_base_commons:190:23)","length":159,"name":"error","severity":"FATAL","code":"28000","file":"auth.c","line":"550","routine":"ClientAuthentication"}}},"msg":"Unhandled promise rejection"}

Looking at other issues around Sequelize for this error, it seems possible to fix it via an option in the constructor, e.g. https://github.com/sequelize/sequelize/issues/956

sequelize: {
  databaseUrl: `${DATABASE_URL}?sslmode=require`,
  options: {
    native: true,
    dialect: 'postgres',
    dialectOptions: {
      ssl: {
        rejectUnauthorized: false, // very important
      },
    },
  }
}

However, the graph indexer (agent or service) doesn't allow passing any SSL option or a custom DSN:

https://github.com/graphprotocol/indexer/blob/040c33734fd9b074a248a2d62b235c4f3791d17c/packages/indexer-agent/src/db/cli/umzug.ts#L39-L51

Do you think it would be possible to add some options to configure a pg SSL connection for both agent & service?

Thanks

drew-u410 commented 3 months ago

Underlying library needs an update first: https://github.com/graphprotocol/common-ts/pull/119. If / when accepted, I would add to this repo (that utilizes it).
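
Added example, not code from the indexer, common-ts or the linked Sequelize issue: one way a configurable SSL option could map onto the `dialectOptions.ssl` object quoted in the first comment, showing that `rejectUnauthorized: false` encrypts the connection without verifying the server certificate, while the verify modes pin a CA bundle. The `sslMode` setting, its value names (modelled on libpq's `sslmode`), the function names and the sample host and CA are assumptions made for illustration.

```javascript
// Added example: hypothetical mapping from an `sslMode` setting to the `ssl`
// object that Sequelize hands to `pg` (and `pg` hands to Node's tls.connect).
const SSL_MODES = ['disable', 'require', 'verify-ca', 'verify-full'];

function buildPgSsl(sslMode, caPem) {
  if (!SSL_MODES.includes(sslMode)) {
    throw new Error(`unknown sslMode: ${sslMode}`);
  }
  // Plaintext: the server in this issue refuses it ("no encryption").
  if (sslMode === 'disable') return false;
  if (sslMode === 'require') {
    // Encrypted, but the server certificate is NOT verified, so the client
    // cannot tell the real database from an interposed host.
    return { rejectUnauthorized: false };
  }
  if (!caPem || !caPem.includes('BEGIN CERTIFICATE')) {
    throw new Error(`${sslMode} needs a PEM CA bundle`);
  }
  const ssl = { rejectUnauthorized: true, ca: caPem };
  if (sslMode === 'verify-ca') {
    // Chain is checked against `ca`; the host name check is skipped.
    ssl.checkServerIdentity = () => undefined;
  }
  return ssl; // verify-full: chain and host name are both checked
}

function buildSequelizeOptions({ host, port, database, sslMode, caPem }) {
  return {
    dialect: 'postgres',
    host,
    port,
    database,
    dialectOptions: { ssl: buildPgSsl(sslMode, caPem) },
  };
}

// Constructed sample input: placeholder host and placeholder CA text.
const SAMPLE_CA =
  '-----BEGIN CERTIFICATE-----\n(constructed placeholder)\n-----END CERTIFICATE-----\n';
const opts = buildSequelizeOptions({
  host: 'db.example.internal',
  port: 5432,
  database: 'indexer',
  sslMode: 'verify-full',
  caPem: SAMPLE_CA,
});
console.log(JSON.stringify(Object.keys(opts.dialectOptions.ssl)));
```

For a managed database, the CA bundle passed as `caPem` would be the one published by the provider.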