Bug
Resolution: Unresolved
Major
2.16.0 GA
Summary
In 3scale 2.16, enabling TLS for the connection between 3scale components and zync-database fails specifically for the zync-que pod. While the zync pod connects successfully, zync-que enters a CrashLoopBackOff state.
Symptoms
The zync-que logs show the following error, despite certificates being mounted:
FATAL: connection requires a valid client certificate
FATAL: no pg_hba.conf entry for host "...", user "...", database "...", no encryption
Root Cause
The issue is caused by incorrect file permissions on the mounted certificates within the zync-que pod.
- zync pod: Certificates are owned by a non-root user (correct).
- zync-que pod: Certificates are owned by root (incorrect), making them unreadable by the application.
This discrepancy stems from zync-que using a different init container image (quay.io/openshift/origin-cli:4.7) compared to the zync pod in the 2.16 codebase.
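A quick way to confirm the ownership problem described above from inside each pod, as an added diagnostic example (not code from 3scale or from this ticket). The function names `readable_by` and `unreadable_certs` are hypothetical; the script assumes GNU `stat`, checks classic mode bits only (one GID, no supplemental groups, no ACLs), and expects you to supply the certificate mount directory.

```shell
#!/bin/sh
# Added diagnostic example: can a given UID/GID read the mounted TLS files?
# Assumptions: GNU stat; classic mode bits only (no ACLs, single GID).

# readable_by UID GID FILE -> exit 0 if UID/GID may read FILE, 1 if not,
# 2 if FILE cannot be stat'ed.
readable_by() {
    want_uid=$1; want_gid=$2
    # -L follows symlinks (secret volumes expose files through symlinks).
    # %u = owner uid, %g = owner gid, %a = octal mode such as 600
    info=$(stat -L -c '%u %g %a' "$3") || return 2
    set -- $info
    # uid 0 bypasses the mode bits
    if [ "$want_uid" -eq 0 ]; then return 0; fi
    # Exactly one permission class applies: owner, else group, else other.
    if [ "$want_uid" -eq "$1" ]; then
        bit=0400
    elif [ "$want_gid" -eq "$2" ]; then
        bit=040
    else
        bit=04
    fi
    [ $(( 0$3 & $bit )) -ne 0 ]
}

# unreadable_certs UID GID DIR -> print every regular file in DIR that
# UID/GID cannot read; exit status 1 if at least one was found.
unreadable_certs() {
    bad=0
    for f in "$3"/*; do
        [ -f "$f" ] || continue
        if ! readable_by "$1" "$2" "$f"; then
            echo "unreadable for uid=$1 gid=$2: $f ($(stat -L -c '%U:%G %a' "$f"))"
            bad=1
        fi
    done
    return $bad
}
```

Inside each pod, call `unreadable_certs "$(id -u)" "$(id -g)" <certificate mount directory>` and compare the output of zync and zync-que; a root-owned key without group or other read access is reported only where the process runs as a non-root user.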
Resolution
The issue has been identified as fixed in the master branch (where init container logic is unified). Please backport the fix from master to the 2.16 branch.
- depends on: THREESCALE-12122 Fix Que worker connection to TLS protected DB
- To Test (QE)