Re: Grafana unable to connect Azure Postgresql Flexible server

From: Prabir Kr Sarkar <prabir(dot)kr(dot)sarkar(at)gmail(dot)com>
To: Magnus Hagander <magnus(at)hagander(dot)net>, Pgsql-admin <pgsql-admin(at)lists(dot)postgresql(dot)org>
Subject: Re: Grafana unable to connect Azure Postgresql Flexible server
Date: 2021-09-08 10:46:50
Message-ID: CADjSiz6v6kWe_K9ioE7HpDRU-Zk69M=EXLJJrAC=PJ+m9wsGfw@mail.gmail.com
Lists: pgsql-admin

Hi Magnus,
Thanks for your email. We raised a ticket with Microsoft
and they confirmed that:

There are 905 failed connections to PostgreSQL server postgresql-ha between
9/6/2021 2:42:16 PM(UTC) and 9/8/2021 4:24:13 AM(UTC) because of an invalid
authorization specification. This error typically indicates a mismatch
between the SSL settings on the Postgres server and the client making the
connection. Please refer to this document
<https://nam11.safelinks.protection.outlook.com/?url=https%3A%2F%2Fdocs.microsoft.com%2Fen-us%2Fazure%2Fpostgresql%2Fflexible-server%2Fhow-to-connect-tls-ssl&data=04%7C01%7Cprabir.sarkar%40lexmark.com%7C80d22b68b5774dbe035508d972afa1cc%7C127090656e6c41c99e4dfb0a436969ce%7C1%7C0%7C637666920927323086%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C1000&sdata=nCT7YEmEnSrSlkowJpQa%2F0D5KrO%2F1YQDIj%2BUwpkTpoU%3D&reserved=0> for
more information.

And asked us to:

- Check the SSL settings on the client. Flexible Server supports
encrypted connections using Transport Layer Security (TLS 1.2+) and all
incoming connections with TLS 1.0 and TLS 1.1 will be denied.

Regards
Prabir

On Tue, Sep 7, 2021 at 2:39 PM Magnus Hagander <magnus(at)hagander(dot)net> wrote:

> On Tue, Sep 7, 2021 at 10:54 AM Prabir Kr Sarkar
> <prabir(dot)kr(dot)sarkar(at)gmail(dot)com> wrote:
> >
> > Hi Julien,
> > Thanks for your response. The url -
> https://docs.microsoft.com/en-us/azure/postgresql/flexible-server/concepts-networking
> says the following :
> >
> > Because Azure Database for PostgreSQL is a managed database service,
> users are not provided host or OS access to view or modify configuration
> files such as pg_hba.conf. The content of the files is automatically
> updated based on the network settings.
>
> That means that issues around it are better discussed with Azure
> support, as your problems are related to their managed service, and
> not to PostgreSQL, no?
>
>
> > Applications that are deployed on different subnets within the same
> virtual network can access flexible servers directly.
> >
> > So, since our AKS and Postgresql flexible servers are in the same VNet
> the above assertion holds. Have attached a snapshot of the Networking tab
> of postgresql server which says the same thing.
>
> It's very clear from the message that the failing connection is coming
> from a different subnet. The connection into PostgreSQL comes from
> 10.240.1.45, which is very definitely not in the 10.144.0.0/16 subnet.
>
> //Magnus
>
>
> > On Tue, Sep 7, 2021 at 1:51 PM Julien Rouhaud <rjuju123(at)gmail(dot)com>
> wrote:
> >>
> >> On Tue, Sep 7, 2021 at 4:14 PM Prabir Kr Sarkar
> >> <prabir(dot)kr(dot)sarkar(at)gmail(dot)com> wrote:
> >> >
> >> > The grafana pod fails to start with the following error:
> >> >
> >> > t=2021-09-07T06:40:00+0000 lvl=info msg="Connecting to DB"
> logger=sqlstore dbtype=postgres
> >> > t=2021-09-07T06:40:00+0000 lvl=info msg="Starting DB migrations"
> logger=migrator
> >> > service init failed: failed to check table existence: pq: no
> pg_hba.conf entry for host "10.240.1.45", user "grafana", database
> "grafana", SSL off
> >>
> >> That seems quite self explanatory. Your grafana is trying to connect
> >> as "grafana" role, on "grafana" database from 10.240.1.45, and your
> >> pg_hba.conf file doesn't allow it. I'm not sure how to configure that
> >> on AKS but you need to either authorize it or configure grafana to use
> >> some other credentials that are already allowed, like this one:
> >>
> >> > Note: - We can however, connect to the postgresql flexible server
> from a pod (with psql) in the same AKS.
> >>
> >> (assuming that this psql connection is allowing other IP). See
> >> https://www.postgresql.org/docs/current/auth-pg-hba-conf.html for more
> >> details about the pg_hba.conf file.
> >
> >
> >
> > --
> > Thanks and Regards
> > Prabir Sarkar
>

--
*Thanks and Regards*
*Prabir Sarkar*
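
Added example, not part of the original messages: a Python check that parses the rejection line quoted in this thread and reports the two conditions the replies point at, the source address relative to the expected subnet and whether the client connected with SSL. The function name `diagnose` and the result keys are assumptions made for illustration; the sample line is the one from the thread, joined onto a single line.

```python
import ipaddress
import re

# Rejection text in the form quoted in the thread (server error relayed by the pq driver).
HBA_REJECT = re.compile(
    r'no pg_hba\.conf entry for host "(?P<host>[^"]+)", '
    r'user "(?P<user>[^"]+)", database "(?P<database>[^"]+)", '
    r'SSL (?P<ssl>on|off)'
)

# Sample input: the error line from the thread, unwrapped.
SAMPLE = ('service init failed: failed to check table existence: pq: no '
          'pg_hba.conf entry for host "10.240.1.45", user "grafana", '
          'database "grafana", SSL off')


def diagnose(log_line, expected_cidr):
    """Return the rejected connection's parameters plus findings, or None if no match."""
    m = HBA_REJECT.search(log_line)
    if m is None:
        return None
    network = ipaddress.ip_network(expected_cidr)  # raises ValueError on a bad CIDR
    try:
        in_subnet = ipaddress.ip_address(m["host"]) in network
    except ValueError:
        in_subnet = None  # the server logged a hostname, so no subnet check is possible
    result = {
        "host": m["host"],
        "user": m["user"],
        "database": m["database"],
        "ssl": m["ssl"] == "on",
        "in_expected_subnet": in_subnet,
        "findings": [],
    }
    if in_subnet is False:
        result["findings"].append(
            f'source {m["host"]} is outside {expected_cidr}; check network rules')
    if not result["ssl"]:
        result["findings"].append(
            "connection was attempted without SSL; check the client's SSL setting")
    return result


if __name__ == "__main__":
    report = diagnose(SAMPLE, "10.144.0.0/16")
    for finding in report["findings"]:
        print(finding)
```
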
