401 Unauthorized error in Postgres Operator 5.0.4

Open InderpreetSaini opened this issue 2 years ago • 1 comments

Hi,

We are deploying Postgres Cluster 5.0.4 in our RKE2 cluster using the Helm Chart.

Issue faced: To mitigate service account token leaks and make the cluster more secure, we have given the below parameter in our kube-api server arguments: --service-account-extend-token-expiration=false. But after enabling this setting, we are seeing a 401 Unauthorized error every 1 hour. Argument reference: https://kubernetes.io/docs/reference/command-line-tools-reference/kube-apiserver/

Environment details: Rancher RKE2 downstream cluster (3 master - 3 worker), Version: v1.21.7+rke2r2

Steps to reproduce the error:

  1. For all 3 kube-api pods (1 for each master, deployed as part of the RKE2 cluster setup), edit the pod and add this parameter (--service-account-extend-token-expiration=false) in the kube-api settings as an additional parameter. Now deploy the Crunchy operator and PostgreSQL DB Cluster using helm chart version 5.0.4.
  2. After 1 hour, the database container in each of the db pods will start throwing the attached error in the logs, and the database container will stop working.

Logs screenshot: latest_error_postgres

Is there a way to resolve this error while keeping this configuration setting as this will ensure that the cluster is more secure?

Thanks and Regards, Inderpreet.

InderpreetSaini • Apr 21 '22 16:04

Just noting that this has been fixed in Patroni 2.1.4, which will be included in the next release of PGO.

andrewlecuyer • Jul 13 '22 04:07

@InderpreetSaini Have you upgraded to a Postgres image with Patroni 2.1.4?

benjaminjb • Dec 29 '22 16:12
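
The failure mode in this thread, as an added example that is not Patroni's or PGO's code: with --service-account-extend-token-expiration=false the API server rejects a service account token once it passes its expiry, while the kubelet keeps refreshing the mounted token file, so a client that read the file once at startup gets 401 and one that re-reads it keeps working. `ReloadingToken`, `call_api` and `demo` are hypothetical names, and the token values and the fake API are constructed.

```python
import tempfile
import time
from pathlib import Path

# Standard mount path of the projected service account token inside a pod.
TOKEN_PATH = Path("/var/run/secrets/kubernetes.io/serviceaccount/token")


class ReloadingToken:
    """Hypothetical helper: caches the token but re-reads the file regularly."""

    def __init__(self, path=TOKEN_PATH, max_age=60.0, clock=time.monotonic):
        self.path, self.max_age, self.clock = Path(path), max_age, clock
        self._token, self._read_at = None, None

    def get(self, force=False):
        now = self.clock()
        stale = self._read_at is None or now - self._read_at >= self.max_age
        if force or stale:
            self._token = self.path.read_text().strip()
            self._read_at = now
        return self._token


def call_api(send, tokens):
    """Call send(token) -> (status, body); on 401 reload the token, retry once."""
    status, body = send(tokens.get())
    if status == 401:
        status, body = send(tokens.get(force=True))
    return status, body


def demo():
    """Constructed scenario: the file is rotated, then the old token expires."""
    with tempfile.TemporaryDirectory() as d:
        f = Path(d) / "token"
        f.write_text("token-v1\n")            # constructed sample value
        valid = {"token-v1"}                  # what the fake API accepts
        send = lambda t: (200, "ok") if t in valid else (401, "Unauthorized")
        startup_copy = f.read_text().strip()  # read once, never refreshed
        tokens = ReloadingToken(f, max_age=3600)
        first = call_api(send, tokens)
        f.write_text("token-v2\n")            # rotation of the mounted file
        valid = {"token-v2"}                  # token-v1 is past its expiry
        return first, send(startup_copy), call_api(send, tokens)


if __name__ == "__main__":
    print(demo())
```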