Connection pooler does not support SCRAM-SHA authentication

[kien-truong]

After turning on SCRAM-SHA authentication and letting postgres-operator re-sync the password, our applications are unable to connected to the connection pooler. At the same time, this error appears in the connection pooler log:

2022-01-21 06:53:19.947 UTC [8] ERROR S-0x558ea0528100: xxx/xxx@10.11.209.70:5432 cannot do SCRAM authentication: password is SCRAM secret but client authentication did not provide SCRAM keys

We suspect this is due to the auth_type in pgbouncer.ini is hard-coded to plain, so the client applications don't sent the necessary information to pgbouncer.

Please, answer some short questions which should help us to understand your problem / question better?

• Which image of the operator are you using?
  • registry.opensource.zalan.do/acid/postgres-operator:v1.7.1
  • registry.opensource.zalan.do/acid/pgbouncer:master-19
• Where do you run it - cloud or metal? Kubernetes or OpenShift?
  • Bare Metal K8s
• Are you running Postgres Operator in production?
  • Yes
• Type of issue?
  • Bug report

[FxKu]

@kien-truong it is indeed configured to plain. Let us see, if we can change it to md5. From what I read it would switch to scram, once you have such a password in your secret. The latter is already supported by the operator when you have it specified under Spec.Postgresql.Parameters (password_encryption option). Unfortunately, this is not documented.