Unable to disable TLS effectively

[christian-schlichtherle]

All node-to-node communication in our cluster is secured by a VPN, so I want to disable TLS because it's not helping with security, but only reducing bandwidth instead (~ 30% when I tested it some years ago - YMMV).

In another issue (which is now closed), it was said I should configure:

spec:
  patroni:
    dynamicConfiguration:
      postgresql:
        pg_hba:
          - "hostnossl all all all md5"
  proxy:
    pgBouncer:
      config:
        global:
          server_tls_sslmode: disable

However, this results in the following pg_hba.conf:

# Do not edit this file manually!
# It will be overwritten by Patroni!
local all "postgres" peer
hostssl replication "_crunchyrepl" all cert
hostssl "postgres" "_crunchyrepl" all cert
host all "_crunchyrepl" all reject
hostssl all "_crunchypgbouncer" all scram-sha-256
host all "_crunchypgbouncer" all reject
hostnossl all all all md5

The problem is that my custom rule is appended, but the rules are order specific. So when I try to connect via pgbouncer, I get this:

$ psql -h test-pgbouncer.test.svc -U test
psql: error: connection to server at "test-pgbouncer.test.svc" (10.33.150.124), port 5432 failed: FATAL:  pg_hba.conf rejects connection for host "10.32.2.221", user "_crunchypgbouncer", database "test", no encryption
connection to server at "test-pgbouncer.test.svc" (10.33.150.124), port 5432 failed: FATAL:  SSL required

I'm using PGO 5.5 with Pg 16.

[andreas-geissler]

I can confirm this problem, while trying to use pgbouncer in a ServiceMesh environment (Istio).
Is there any plan to fix this issue ?

[agravelot]

client_tls_sslmode: disable will correct the SSL required error.
But pg_hba.conf will still be broken, auth will fail.

[Y0ngg4n]

any updates on this issue? pgbouncer without tls is unusable without proper pg_hba.