Skip to content

Migrations do not respect conn_options #19133

New issue
New issue
Closed
Bug
#19134
Closed
Migrations do not respect conn_options#19133
Bug
#19134
Labels
bugSomething isn't workingtriageAdd this label to issues that need to be triaged
@D-Tasker207

Description

@D-Tasker207
D-Tasker207
opened on Dec 31, 2025

Describe the bug

When additional conn_options are specified (i.e. target_session_attrs), they are not respected and the connection proceeds with the first host in the list.
This bug occurs both when starting a new authentik installation or when upgrading versions.

How to reproduce

  1. Create an authentik instance backed by a primary write server and a read replica. The writable server must not be the first one listed. Example docker compose file here
  2. Docker compose
  3. Observe the server logs and observe it is trying to write to a read only server

Expected behavior

The connection made should use the conn_options to filter the connection it makes.

Screenshots

No response

Additional context

This causes issues with HA Postgresql clusters as the current primary is not guaranteed to be the first in the hosts list.

Deployment Method

Docker

Version

2025.10.3

Relevant log output

{"event": "Loaded config", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1767207416.502048, "file": "/authentik/lib/default.yml"}
{"event": "Loaded environment variables", "level": "debug", "logger": "authentik.lib.config", "timestamp": 1767207416.5021894, "count": 6}
{"event": "Starting authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1767207416.6510103}
{"event": "PostgreSQL connection successful", "level": "info", "logger": "authentik.lib.config", "timestamp": 1767207416.6568558}
{"event": "Finished authentik bootstrap", "level": "info", "logger": "authentik.lib.config", "timestamp": 1767207416.6569622}
2025-12-31 18:56:56 [info     ] waiting to acquire database lock
2025-12-31 18:56:56 [info     ] Migration needs to be applied  migration=install_id.py
2025-12-31 18:56:56 [info     ] releasing database lock
Failed to read config file: ./lifecycle/gunicorn.conf.py
Traceback (most recent call last):
  File "/lifecycle/migrate.py", line 103, in run_migrations
    migration.run()
    ~~~~~~~~~~~~~^^
  File "/lifecycle/system_migrations/install_id.py", line 41, in run
    return self.upgrade(migrate=False)
           ~~~~~~~~~~~~^^^^^^^^^^^^^^^
  File "/lifecycle/system_migrations/install_id.py", line 22, in upgrade
    self.cur.execute(SQL_STATEMENT)
    ~~~~~~~~~~~~~~~~^^^^^^^^^^^^^^^
  File "/ak-root/.venv/lib/python3.13/site-packages/psycopg/cursor.py", line 97, in execute
    raise ex.with_traceback(None)
psycopg.errors.ReadOnlySqlTransaction: cannot execute CREATE TABLE in a read-only transaction

Metadata

Metadata

Assignees

No one assigned

    Labels

    bugSomething isn't workingtriageAdd this label to issues that need to be triaged

    Type

    Bug

    Projects

    No projects

    Milestone

    No milestone

    Relationships

    None yet

    Development

    No branches or pull requests

    Issue actions