|
15 | 15 | cat > ${PGDATA}/pg_hba.conf <<EOF |
16 | 16 | # PostgreSQL Client Authentication Configuration File |
17 | 17 | # Custom configuration for sink-postgres container |
18 | | -# |
| 18 | +# |
19 | 19 | # SECURITY CONTEXT: |
20 | 20 | # This configuration uses trust authentication for connections within Docker networks. |
21 | 21 | # This is safe because: |
@@ -53,11 +53,27 @@ host replication all ::1/128 trust |
53 | 53 | # 172.16.0.0/12 - Default Docker bridge networks |
54 | 54 | # 192.168.0.0/16 - User-defined bridge networks |
55 | 55 | # 10.0.0.0/8 - Additional private network range |
| 56 | +# fc00::/7 - IPv6 Unique Local Address range (RFC 4193); the |
| 57 | +# IPv6 equivalent of the above three RFC 1918 ranges. |
| 58 | +# Docker assigns IPv6 prefixes inside fc00::/7 when |
| 59 | +# IPv6 is enabled on a Compose network — which mon |
| 60 | +# local-install does by default so containers can |
| 61 | +# reach IPv6-only external databases (Supabase |
| 62 | +# free-tier db.<ref>.supabase.co, etc.). Without |
| 63 | +# this entry, dual-stack hostname resolution serves |
| 64 | +# the AAAA result first per RFC 6724 and Python |
| 65 | +# clients (flask-pgss-api, postgres-reports) fail |
| 66 | +# the connection on pg_hba.conf without falling |
| 67 | +# back to IPv4. Go's pgx driver recovers via |
| 68 | +# happy-eyeballs but logs ~18 startup-race errors. |
56 | 69 | host all all 172.16.0.0/12 trust |
57 | 70 | host all all 192.168.0.0/16 trust |
58 | 71 | host all all 10.0.0.0/8 trust |
| 72 | +host all all fc00::/7 trust |
| 73 | +
|
| 74 | +# Replication over the IPv6 ULA range (mirrors the IPv4 docker ranges above) |
| 75 | +host replication all fc00::/7 trust |
59 | 76 | EOF |
60 | 77 |
|
61 | 78 | # Reload PostgreSQL configuration |
62 | 79 | pg_ctl reload -D ${PGDATA} |
63 | | - |
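Review bot: The two added `fc00::/7 trust` entries (new lines 72 and 75) let any client with a ULA source address connect as any role, and open a replication connection, without a password, so their safety rests entirely on the PostgreSQL port never being reachable from outside the Compose network. The range is also wider than the comment justifies: RFC 4193 defines only the fd00::/8 half for locally assigned prefixes, which is presumably where Docker's generated subnets fall (worth confirming), and ULA addresses are also common on LANs and VPNs. Consider narrowing to the Compose network's actual IPv6 subnet, or at least `host all all fd00::/8 trust`, and requiring credentials for replication, e.g. `host replication all fd00::/8 scram-sha-256`. The heredoc and the SECURITY CONTEXT rationale begin before this hunk, so I cannot see whether they already state that the port is unpublished; if they do not, the comment block should say so next to these entries.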
|