I can't get Authentik to connect to postgres via Pgpool-II

[simonjcarr]

TLDR;
The specific pgpool error "kind does not match between main(53) slot[1] (45)" seems to indicate some protocol or authentication issue between authentik and pgpool. Is there any specific pgpool configuration needed for authentik, or any other parameters I should set beyond what's in the documentation?

I'm trying to connect authentik to PostgreSQL through pgpool-ii (a connection pooler) in a Kubernetes environment, but authentik fails to establish a connection. When connecting directly to PostgreSQL it works fine, but
when using pgpool as an intermediary, the connection fails. I'd like to understand if there are specific configuration requirements or known limitations when using authentik with pgpool.

Relevant info

• I'm running authentik in Kubernetes using the Helm chart
• PostgreSQL is in a separate namespace with pgpool-ii as a connection pooler
• pgpool-ii service: pgpool-direct.postgres.svc.cluster.local
• PostgreSQL direct service: postgres.postgres.svc.cluster.local
• PostgreSQL authentication works when connecting directly to the postgres service
• The database has been created and proper permissions granted to the user

Logs
When trying to connect through pgpool:
{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746387644.8233562, "file": "/authentik/lib/default.yml"}
{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746387644.8238285, "count": 60}
{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746387645.242502}
{"event": "PostgreSQL connection failed, retrying... (connection failed: connection to server at "10.152.183.233", port 5432 failed: ERROR: unable to read message kind\nDETAIL: kind does not match between main(53)
slot[1] (45))", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746387646.287669}
{"event": "PostgreSQL connection failed, retrying... (connection failed: connection to server at "10.152.183.233", port 5432 failed: ERROR: unable to read message kind\nDETAIL: kind does not match between main(53)
slot[1] (45))", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746387647.3134503}
{"event": "PostgreSQL connection failed, retrying... (connection failed: connection to server at "10.152.183.233", port 5432 failed: ERROR: unable to read message kind\nDETAIL: kind does not match between main(53)
slot[1] (45))", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746387648.3383214}

When connecting directly to PostgreSQL:
{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746387868.0041738, "file": "/authentik/lib/default.yml"}
{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1746387868.0046964, "count": 59}
{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746387868.4710834}
{"event": "PostgreSQL connection successful", "level": "info", "logger": "authentik.lib.config", "timestamp": 1746387868.4872897}

Version and Deployment:

• authentik version: 2025.4.0
• Deployment: Kubernetes with Helm Chart

Additional context
I've tried various configurations based on the documentation, including:

1. Setting these environment variables:
   AUTHENTIK_POSTGRESQL__CONN_MAX_AGE: "0"
   AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS: "true"
   AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECKS: "true"
   AUTHENTIK_POSTGRESQL__USE_POOL: "false"
   AUTHENTIK_POSTGRESQL__SSLMODE: "prefer"

2. I can verify database connectivity from test pods in both the authentik and postgres namespaces:
   kubectl exec -n authentik authentik-psql-test -- bash -c "PGPASSWORD='postgres-password' psql -h pgpool-direct.postgres.svc.cluster.local -U postgres -c '\l'"
   (This works and lists databases)

3. I've confirmed network connectivity between namespaces works fine and DNS resolution works correctly.

The specific pgpool error "kind does not match between main(53) slot[1] (45)" seems to indicate some protocol or authentication issue between authentik and pgpool. Is there any specific pgpool configuration needed for
authentik, or any other parameters I should set beyond what's in the documentation?