Doubts in pg_hba.conf behavior changes

[Arun-Trichy]

Hi Team,

We had been using postgres-operator v1.6.3 and spilo-12 where we used to bypass non-ssl connections to postgres using the following configuration in postgresql CRD YAML

  patroni:
    pg_hba:
      - host all all all md5

When we had to migrate to postgres-operator v1.7.1 and spilo-14 in-order to support in-place major version upgrades, we are not able to use the same configuration as mentioned above to bypass non-ssl connections. We went through the Git Hub Issue https://github.com/zalando/postgres-operator/issues/1555 and could understand that the new versions of Spilo has override rather than append behavior. So we ended up having to place the entire pg_hba.conf file entries (got the values by spinning up a new cluster) to get the postgres working as before. Something like this

patroni:
    pg_hba:
      - host all all all md5
      - local   all             all                                   trust
      - hostssl all             +zalandos    127.0.0.1/32       pam
      - host    all             all                127.0.0.1/32       md5
      - hostssl all             +zalandos    ::1/128            pam
      - host    all             all                ::1/128            md5
      - local   replication     standby                    trust
      - hostssl replication     standby all                md5
      - hostnossl all           all                all                reject
      - hostssl all             +zalandos    all                pam
      - hostssl all             all                all                md5

So, my question is

• Is the above approach correct ?
• If so, Is it right to override default entries created by zalando itself ? What if we make a mistake in entries containing "+zalandos" ?
• Is there any easier approach to append my lines to pg_hba.conf like before ?

Regards, Arun

Please, answer some short questions which should help us to understand your problem / question better?

• Which image of the operator are you using? registry.opensource.zalan.do/acid/postgres-operator:v1.7.1
• Where do you run it - cloud or metal? Kubernetes or OpenShift? Bare Metal K8s
• Are you running Postgres Operator in production? yes
• Type of issue? question

Some general remarks when posting a bug report:

• Please, check the operator, pod (Patroni) and postgresql logs first. When copy-pasting many log lines please do it in a separate GitHub gist together with your Postgres CRD and configuration manifest.
• If you feel this issue might be more related to the Spilo docker image or Patroni, consider opening issues in the respective repos.

[FxKu]

1. yes
2. zalandos group role is for oauth authentication by Zalando employees. Changes would be harmless for you.
3. Not via the manifest. You could patch Spilo and use a custom image so that you don't have to specify anything in the manifest.