I'm using crunchy with a service mesh that has mTLS.
When I try to launch a primary-replica pair, I got this error in the replica:

```
pg_basebackup: error: connection to server at "test-pg-17-7-instance-set-1-nlhf-0.test-pg-17-7-pods" (10.244.7.48), port 5432 failed: received invalid response to SSL negotiation:
2026-02-03 12:19:16,108 ERROR: Error when fetching backup: pg_basebackup exited with code=1
2026-02-03 12:19:16,108 ERROR: failed to bootstrap from leader 'test-pg-17-7-instance-set-1-nlhf-0'
2026-02-03 12:19:16,108 INFO: Removing data directory: /pgdata/pg17
```

I tried with service mesh sidecar injection turned off and it worked properly. So it seems like crunchy TLS is clashing with mesh mTLS.
So as a solution, I'm thinking of turning off the TLS used by crunchy's replication. Is that possible?
I'm also open to other suggestions if you have any. Running outside the service mesh is not an option.
I tried a few things generated by AI, but they didn't work:

```yaml
authentication:
  rules:
    - connection: host
      databases:
        - replication
      users:
        - _crunchyrepl
      method: md5
    - connection: host
      databases: [ ]
      users: [ ]
      method: md5
patroni:
  dynamicConfiguration:
    failsafe_mode: false
    synchronous_mode: false
    postgresql:
      parameters: { }
      ssl: "off"
      primary_conninfo: "sslmode=disable"
```

Environment
Please provide the following details:
- Platform: Kubernetes
- Platform Version: 1.33.5
- PGO Image Tag: postgres-operator:ubi9-5.8.5-0
- Postgres Version: 17.7
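
The error in the log above is what libpq reports when the single byte it reads back after sending its SSLRequest is neither `S` nor `N`. The following diagnostic is an added example, not part of the original issue or of the operator's code: it sends the same 8-byte SSLRequest and reports which byte comes back, so the check can be run from the replica pod with and without the sidecar. The function names (`classify`, `negotiate`, `probe`, `simulate`) and the sample reply bytes are assumptions made for the example.

```python
import socket
import struct

# PostgreSQL SSLRequest: Int32 length (8) followed by Int32 code 80877103.
SSL_REQUEST = struct.pack("!II", 8, 80877103)


def classify(reply: bytes) -> str:
    """Classify the one-byte answer a server gives to SSLRequest."""
    if reply == b"S":
        return "server accepts TLS: handshake would start"
    if reply == b"N":
        return "server refuses TLS: plaintext only"
    if reply == b"":
        return "connection closed before any answer"
    # Neither S nor N: the case pg_basebackup reports in the log above.
    return f"invalid response to SSL negotiation: {reply!r}"


def negotiate(sock: socket.socket) -> str:
    """Send SSLRequest on an already-connected socket and classify the answer."""
    sock.sendall(SSL_REQUEST)
    return classify(sock.recv(1))


def probe(host: str, port: int = 5432, timeout: float = 5.0) -> str:
    """Run the check against a live address, e.g. the primary's pod DNS name."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        return negotiate(sock)


def simulate(first_byte: bytes) -> str:
    """Offline check: a socket pair stands in for the path to the primary."""
    client, peer = socket.socketpair()
    with client, peer:
        peer.sendall(first_byte)  # constructed reply, not captured traffic
        return negotiate(client)


if __name__ == "__main__":
    # Constructed sample replies: 'S', 'N', and 'H' as in an HTTP status line.
    for sample in (b"S", b"N", b"H"):
        print(sample, "->", simulate(sample))
```

Comparing the result of `probe()` on the primary's address with sidecar injection on and off shows whether the byte that breaks the negotiation comes from Postgres or from something on the path in front of it.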