PostgreSQL Cluster Requiring Encrypted Connections After 230 Days #1099

Open
uk1988 opened this issue Mar 26, 2025 · 0 comments
uk1988 commented Mar 26, 2025

Environment

  • PostgreSQL Cluster: Managed by the Zalando operator
  • Kubernetes: Single node, 1 PostgreSQL replica
  • Node Details: Azure VM, D-class
  • Image Versions: Observed with spilo-16:3.3-p2 and spilo-15:3.0-p1
  • Application: Keycloak, configured for unencrypted PostgreSQL connections
  • Uptime: Solution ran successfully for 230 days prior to issue

Issue Description

After 230 days of stable operation, the PostgreSQL database began rejecting all unencrypted connections, enforcing an encrypted connection requirement. This caused connectivity failures with Keycloak, which is configured to use an unencrypted connection. The change in behavior was unexpected and not preceded by any known configuration changes.

Temporary Resolution

Restarting the PostgreSQL pod resolves the issue, restoring normal operation and allowing unencrypted connections again.

Observations

  • The issue has occurred with both spilo-16:3.3-p2 and spilo-15:3.0-p1 images.
  • The Zalando operator does not support adding a liveness probe, limiting automated detection or recovery options.

Questions

  1. What could cause PostgreSQL to suddenly enforce encrypted connections after 230 days of operation without this requirement?
  2. Are there known conditions (e.g., certificate updates, operator behavior) that might trigger this behavior?
