graphprotocol / indexer

Graph Protocol indexer components and infrastructure
MIT License

connect to postgres with ssl option #827

Open MattKetmo opened 9 months ago

MattKetmo commented 9 months ago

Hello, I'm trying to connect the graph index to our Postgres DB, which expects to use an SSL connection, but I get the error SequelizeConnectionError: no pg_hba.conf entry for host ...

Full error trace

Starting the Indexer Agent in single-network mode
{"level":20,"time":1701860133051,"pid":1,"hostname":"graph-network-indexer-agent-0","name":"IndexerAgent","msg":"Reviewing Indexer Agent configuration"}
{"level":40,"time":1701860133052,"pid":1,"hostname":"graph-network-indexer-agent-0","name":"IndexerAgent","msg":"The option '--collect-receipts-endpoint' is deprecated. Please use the option '--gateway-endpoint' to inform the Gateway base URL."}
{"level":40,"time":1701860133052,"pid":1,"hostname":"graph-network-indexer-agent-0","name":"IndexerAgent","gasIncreaseTimeout":0.24,"msg":"Gas increase timeout is set to less than 0.24 seconds. This may lead to high gas usage"}
{"level":30,"time":1701860133180,"pid":1,"hostname":"graph-network-indexer-agent-0","name":"IndexerAgent","host":"xxxxxxx.eu-west-1.rds.amazonaws.com","port":5432,"database":"indexer","poolMax":50,"msg":"Connect to database"}
{"level":20,"time":1701860133212,"pid":1,"hostname":"graph-network-indexer-agent-0","name":"IndexerAgent","component":"MetricsServer","component":"MetricsServer","port":7300,"msg":"Listening on port"}
{"level":40,"time":1701860133221,"pid":1,"hostname":"graph-network-indexer-agent-0","name":"IndexerAgent","err":{"type":"IndexerError","message":"Unhandled promise rejection","stack":"IndexerError: Unhandled promise rejection\n    at indexerError (/opt/indexer/packages/indexer-common/dist/errors.js:173:12)\n    at process. (/opt/indexer/packages/indexer-agent/dist/commands/start.js:387:56)\n    at process.emit (node:events:527:28)\n    at process.emit (node:domain:475:12)\n    at emit (node:internal/process/promises:140:20)\n    at processPromiseRejections (node:internal/process/promises:274:27)\n    at processTicksAndRejections (node:internal/process/task_queues:97:32)","code":"IE035","explanation":"https://github.com/graphprotocol/indexer/blob/main/docs/errors.md#ie035","cause":{"type":"ConnectionError","message":"no pg_hba.conf entry for host \"X.X.X.X\", user \"thegraph\", database \"indexer\", no encryption","stack":"SequelizeConnectionError: no pg_hba.conf entry for host \"X.X.X.X\", user \"thegraph\", database \"indexer\", no encryption\n    at Client._connectionCallback (/opt/indexer/node_modules/sequelize/lib/dialects/postgres/connection-manager.js:143:24)\n    at Client._handleErrorWhileConnecting (/opt/indexer/node_modules/pg/lib/client.js:327:19)\n    at Client._handleErrorMessage (/opt/indexer/node_modules/pg/lib/client.js:347:19)\n    at Connection.emit (node:events:527:28)\n    at Connection.emit (node:domain:475:12)\n    at /opt/indexer/node_modules/pg/lib/connection.js:117:12\n    at Parser.parse (/opt/indexer/node_modules/pg-protocol/dist/parser.js:40:17)\n    at Socket. 
(/opt/indexer/node_modules/pg-protocol/dist/index.js:11:42)\n    at Socket.emit (node:events:527:28)\n    at Socket.emit (node:domain:475:12)","name":"SequelizeConnectionError","parent":{"type":"DatabaseError","message":"no pg_hba.conf entry for host \"X.X.X.X\", user \"thegraph\", database \"indexer\", no encryption","stack":"error: no pg_hba.conf entry for host \"X.X.X.X\", user \"thegraph\", database \"indexer\", no encryption\n    at Parser.parseErrorMessage (/opt/indexer/node_modules/pg-protocol/dist/parser.js:287:98)\n    at Parser.handlePacket (/opt/indexer/node_modules/pg-protocol/dist/parser.js:126:29)\n    at Parser.parse (/opt/indexer/node_modules/pg-protocol/dist/parser.js:39:38)\n    at Socket. (/opt/indexer/node_modules/pg-protocol/dist/index.js:11:42)\n    at Socket.emit (node:events:527:28)\n    at Socket.emit (node:domain:475:12)\n    at addChunk (node:internal/streams/readable:315:12)\n    at readableAddChunk (node:internal/streams/readable:289:9)\n    at Socket.Readable.push (node:internal/streams/readable:228:10)\n    at TCP.onStreamRead (node:internal/stream_base_commons:190:23)","length":159,"name":"error","severity":"FATAL","code":"28000","file":"auth.c","line":"550","routine":"ClientAuthentication"},"original":{"type":"DatabaseError","message":"no pg_hba.conf entry for host \"X.X.X.X\", user \"thegraph\", database \"indexer\", no encryption","stack":"error: no pg_hba.conf entry for host \"X.X.X.X\", user \"thegraph\", database \"indexer\", no encryption\n    at Parser.parseErrorMessage (/opt/indexer/node_modules/pg-protocol/dist/parser.js:287:98)\n    at Parser.handlePacket (/opt/indexer/node_modules/pg-protocol/dist/parser.js:126:29)\n    at Parser.parse (/opt/indexer/node_modules/pg-protocol/dist/parser.js:39:38)\n    at Socket. 
(/opt/indexer/node_modules/pg-protocol/dist/index.js:11:42)\n    at Socket.emit (node:events:527:28)\n    at Socket.emit (node:domain:475:12)\n    at addChunk (node:internal/streams/readable:315:12)\n    at readableAddChunk (node:internal/streams/readable:289:9)\n    at Socket.Readable.push (node:internal/streams/readable:228:10)\n    at TCP.onStreamRead (node:internal/stream_base_commons:190:23)","length":159,"name":"error","severity":"FATAL","code":"28000","file":"auth.c","line":"550","routine":"ClientAuthentication"}}},"msg":"Unhandled promise rejection"}

Looking at other issues around Sequelize for this error, it seems possible to fix it via an option in the constructor, e.g. https://github.com/sequelize/sequelize/issues/956

sequelize: {
  databaseUrl: `${DATABASE_URL}?sslmode=require`,
  options: {
    native: true,
    dialect: 'postgres',
    dialectOptions: {
      ssl: {
        rejectUnauthorized: false, // very important
      },
    },
  }
}

However, the graph indexer (agent or service) doesn't allow passing any SSL option or a custom DSN:

https://github.com/graphprotocol/indexer/blob/040c33734fd9b074a248a2d62b235c4f3791d17c/packages/indexer-agent/src/db/cli/umzug.ts#L39-L51

Do you think it would be possible to add some options to configure a pg SSL connection for both agent & service?

Thanks
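The request above, sketched as an added example that is not part of the original post and is not code from the indexer or common-ts: a helper that turns a libpq-style sslmode into the Sequelize `dialectOptions.ssl` object. It shows that the `rejectUnauthorized: false` workaround encrypts the connection without authenticating the server, while the verify modes pin a CA bundle. The function name, type names and the idea of passing the mode and CA as parameters are assumptions.

```typescript
// Added example (not indexer or common-ts code); all names are hypothetical.
// Maps a libpq-style sslmode to the `ssl` object node-postgres passes to
// tls.connect(), which Sequelize forwards from dialectOptions.ssl.
interface SslOptions {
  rejectUnauthorized: boolean;
  ca?: string;
  // Returning undefined tells Node's TLS layer to accept the hostname.
  checkServerIdentity?: () => undefined;
}

interface SequelizeOptions {
  dialect: 'postgres';
  dialectOptions: { ssl?: SslOptions };
}

function buildSequelizeOptions(sslMode: string, caPem?: string): SequelizeOptions {
  const options: SequelizeOptions = { dialect: 'postgres', dialectOptions: {} };
  switch (sslMode) {
    case 'disable':
      // Plaintext: a server that only has hostssl rules answers with the
      // "no pg_hba.conf entry ... no encryption" error shown in the issue.
      return options;
    case 'require':
      // Encrypted but unauthenticated, same effect as the snippet in the
      // issue: any certificate is accepted, so the server is not verified.
      options.dialectOptions.ssl = { rejectUnauthorized: false };
      return options;
    case 'verify-ca':
    case 'verify-full': {
      if (!caPem || !caPem.includes('-----BEGIN CERTIFICATE-----')) {
        throw new Error(`sslmode=${sslMode} needs a PEM CA bundle`);
      }
      const ssl: SslOptions = { rejectUnauthorized: true, ca: caPem };
      // verify-ca checks the chain only; verify-full also checks the hostname.
      if (sslMode === 'verify-ca') ssl.checkServerIdentity = () => undefined;
      options.dialectOptions.ssl = ssl;
      return options;
    }
    default:
      // Fail closed instead of silently falling back to plaintext.
      throw new Error(`unsupported sslmode: ${sslMode}`);
  }
}
```

The returned object is what would be passed as the second argument to `new Sequelize(url, options)`; the CA bundle is the one published by the database operator.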

drew-u410 commented 1 month ago

Underlying library needs an update first: https://github.com/graphprotocol/common-ts/pull/119. If / when accepted, I would add to this repo (that utilizes it).