Switch off TLS in replication #4402

@avin-kavish

Description

I'm using crunchy with a service mesh that has mTLS.

When I tried to launch a primary-replica pair, I got this error in the replica:

pg_basebackup: error: connection to server at "test-pg-17-7-instance-set-1-nlhf-0.test-pg-17-7-pods" (10.244.7.48), port 5432 failed: received invalid response to SSL negotiation: 
2026-02-03 12:19:16,108 ERROR: Error when fetching backup: pg_basebackup exited with code=1
2026-02-03 12:19:16,108 ERROR: failed to bootstrap from leader 'test-pg-17-7-instance-set-1-nlhf-0'
2026-02-03 12:19:16,108 INFO: Removing data directory: /pgdata/pg17

I tried with service mesh sidecar injection turned off and it worked properly. So it seems like crunchy TLS is clashing with mesh mTLS.

So as a solution, I'm thinking of turning off the TLS used by crunchy's replication. Is that possible?

I'm also open to other suggestions if you have any. Running outside the service mesh is not an option.

I tried a few things generated by AI, but they didn't work:

  authentication:
    rules:
      # replication role allowed over a plain host (non-SSL-only) connection
      - connection: host
        databases:
          - replication
        users:
          - _crunchyrepl
        method: md5
      - connection: host
        databases: [ ]
        users: [ ]
        method: md5

  patroni:
    dynamicConfiguration:
      failsafe_mode: false
      synchronous_mode: false
      postgresql:
        # block mapping, not an empty flow mapping "{ }" followed by nested keys
        parameters:
          ssl: "off"
          primary_conninfo: "sslmode=disable"

Environment

  • Platform: Kubernetes
  • Platform Version: 1.33.5
  • PGO Image Tag: postgres-operator:ubi9-5.8.5-0
  • Postgres Version: 17.7
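The `received invalid response to SSL negotiation` message comes from libpq's very first step on a connection: it sends an 8-byte SSLRequest packet and expects a single byte back, `S` (server accepts TLS) or `N` (server declines). A script that performs just that step, added here as a diagnostic and not code from this issue or from the operator, lets you see which byte the replica actually gets back from the primary's service address and whether a sidecar proxy, rather than PostgreSQL, is the one answering. Host and port are assumptions to be replaced with the values from your cluster.

```python
"""Probe the PostgreSQL SSL negotiation step that pg_basebackup failed on."""
import socket
import struct

# SSLRequest packet from the frontend/backend protocol: int32 length (8), then
# int32 request code 80877103 (1234 in the high 16 bits, 5679 in the low 16 bits).
SSL_REQUEST = struct.pack("!ii", 8, 80877103)

# The only two replies a real PostgreSQL server gives to an SSLRequest.
VALID_REPLIES = {
    b"S": "server accepts TLS",
    b"N": "server declines TLS, continue in cleartext",
}


def classify_reply(reply: bytes) -> str:
    """Map the first byte received after the SSLRequest to a diagnosis."""
    if reply in VALID_REPLIES:
        return VALID_REPLIES[reply]
    if reply == b"":
        return "peer closed the connection before answering"
    if reply == b"E":
        return "server-side ErrorResponse during startup"
    # libpq reports anything else as an invalid response to SSL negotiation;
    # a TLS record byte (0x16) or HTTP text here suggests a proxy answered first.
    return f"invalid reply {reply!r}: something other than PostgreSQL answered"


def negotiate(sock) -> tuple[str, bytes]:
    """Send the SSLRequest on an open socket and classify the one-byte reply."""
    sock.sendall(SSL_REQUEST)
    reply = sock.recv(1)
    return classify_reply(reply), reply


def probe(host: str, port: int = 5432, timeout: float = 5.0) -> tuple[str, bytes]:
    """Connect to host:port (assumed values) and run the negotiation step."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return negotiate(sock)


def simulated_exchange(reply: bytes) -> tuple[str, bytes, bool]:
    """Run negotiate() against an in-process fake peer (constructed) that
    answers with `reply`; also report whether the peer saw a valid SSLRequest."""
    client, peer = socket.socketpair()
    with client, peer:
        if reply:
            peer.sendall(reply)
        else:
            peer.shutdown(socket.SHUT_WR)  # emulate a peer that hangs up
        diagnosis, got = negotiate(client)
        return diagnosis, got, peer.recv(8) == SSL_REQUEST
```

Run `probe("<primary-pod-service>", 5432)` from inside the replica pod (with the sidecar on) and from a pod without the sidecar; a different first byte in the two cases confirms the proxy is intercepting the negotiation.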
