Skip to content

feat(pooler): support custom TLS and CA secrets in PgBouncer spec#8692

Merged
gbartolini merged 9 commits intocloudnative-pg:mainfrom
leonardoce:customize-secret-pgbouncer
Oct 28, 2025
Merged

feat(pooler): support custom TLS and CA secrets in PgBouncer spec#8692
gbartolini merged 9 commits intocloudnative-pg:mainfrom
leonardoce:customize-secret-pgbouncer

Conversation

@leonardoce
Copy link
Contributor

@leonardoce leonardoce commented Sep 30, 2025
edited by gbartolini
Loading

This patch extends the Pooler CRD by introducing new fields under .spec.pgbouncer for custom TLS configuration:

  • clientTLSSecret: maps to client_tls_key_file and client_tls_cert_file
  • clientCASecret: maps to client_tls_ca_file
  • serverTLSSecret: maps to server_tls_key_file and server_tls_cert_file
  • serverCASecret: maps to server_ca_file

When defined, these fields take precedence over the automatically generated TLS configuration that CloudNativePG provides for PgBouncer.

The existing authQuery and authQuerySecret behaviour remains unchanged for backward compatibility, though serverTLSSecret may override them if set.

Closes #8672
Closes #8675

@leonardoce leonardoce requested review from a team and jsilvela as code owners September 30, 2025 15:38
@dosubot dosubot bot added the size:XL This PR changes 500-999 lines, ignoring generated files. label Sep 30, 2025
@cnpg-bot cnpg-bot added backport-requested ◀️ This pull request should be backported to all supported releases release-1.25 release-1.26 release-1.27 labels Sep 30, 2025
@github-actions
Copy link
Contributor

github-actions bot commented Sep 30, 2025

❗ By default, the pull request is configured to backport to all release branches.

  • To stop backporting this pr, remove the label: backport-requested ◀️ or add the label 'do not backport'
  • To stop backporting this pr to a certain release branch, remove the specific branch label: release-x.y

@leonardoce leonardoce force-pushed the customize-secret-pgbouncer branch from 3df907d to 561324e Compare September 30, 2025 15:38
@dosubot dosubot bot added the enhancement 🪄 New feature or request label Sep 30, 2025
@leonardoce leonardoce added do not backport This PR must not be backported - it will be in the next minor release and removed backport-requested ◀️ This pull request should be backported to all supported releases release-1.25 release-1.26 release-1.27 labels Sep 30, 2025
@leonardoce
Copy link
Contributor Author

leonardoce commented Sep 30, 2025

/test

@github-actions
Copy link
Contributor

github-actions bot commented Sep 30, 2025

@leonardoce, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18135910829

@cnpg-bot cnpg-bot added the ok to merge 👌 This PR can be merged label Sep 30, 2025
@leonardoce leonardoce force-pushed the customize-secret-pgbouncer branch from c068074 to 07840fd Compare October 1, 2025 09:31
@leonardoce
Copy link
Contributor Author

leonardoce commented Oct 1, 2025

/test

@github-actions
Copy link
Contributor

github-actions bot commented Oct 1, 2025

@leonardoce, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18157853970

@leonardoce leonardoce force-pushed the customize-secret-pgbouncer branch from 07840fd to d005059 Compare October 1, 2025 12:23
@armru armru force-pushed the customize-secret-pgbouncer branch 3 times, most recently from d96850b to 3f96a76 Compare October 3, 2025 13:54
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Oct 3, 2025
@armru armru force-pushed the customize-secret-pgbouncer branch from 1af0e17 to e9d6103 Compare October 3, 2025 15:53
@armru
Copy link
Member

armru commented Oct 3, 2025

/test limit=local

@github-actions
Copy link
Contributor

github-actions bot commented Oct 3, 2025

@armru, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18227184678

@NiccoloFei
Copy link
Collaborator

NiccoloFei commented Oct 8, 2025

/test ft=service-connectivity

@github-actions
Copy link
Contributor

github-actions bot commented Oct 8, 2025

@NiccoloFei, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18351241312

@gbartolini gbartolini changed the title feat: add client/server TLS and CA secret fields to PgBouncer spec feat(pooler): support custom TLS and CA secrets in PgBouncer spec Oct 9, 2025
@gbartolini gbartolini force-pushed the customize-secret-pgbouncer branch from 2e79cf7 to 0ee9248 Compare October 9, 2025 15:36
@dosubot dosubot bot added size:XL This PR changes 500-999 lines, ignoring generated files. and removed size:XXL This PR changes 1000+ lines, ignoring generated files. labels Oct 9, 2025
@NiccoloFei
Copy link
Collaborator

NiccoloFei commented Oct 9, 2025

/test ft=service-connectivity

@github-actions
Copy link
Contributor

github-actions bot commented Oct 9, 2025

@NiccoloFei, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18382206588

@dougkirkley
Copy link
Contributor

dougkirkley commented Oct 11, 2025
edited
Loading

@leonardoce Will this change allow users to use cert-manager with the Pooler integration still working, assuming we only provide the client secret? I am trying to provide as much cert-manager resources while also allowing the Pooler integration to still work correctly without needing to do the manual steps. I have opened this issue, but it would be great if this handled what I am looking for.

@dougkirkley
Copy link
Contributor

dougkirkley commented Oct 11, 2025

Or @NiccoloFei if you are now handling this PR

@dougkirkley
Copy link
Contributor

dougkirkley commented Oct 13, 2025

Okay, I actually built a cluster using this branch and some of the settings from the tests and was able to successfully provide all my certs via cert-manager. So sounds like a success to me, I'll close my issue.

@dougkirkley dougkirkley mentioned this pull request Oct 13, 2025
Closed
2 tasks
@gbartolini gbartolini force-pushed the customize-secret-pgbouncer branch from 864c71b to 907d27e Compare October 28, 2025 13:28
@gbartolini
Copy link
Contributor

gbartolini commented Oct 28, 2025

/test

@github-actions
Copy link
Contributor

github-actions bot commented Oct 28, 2025

@gbartolini, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/18876538809

leonardoce and others added 9 commits October 28, 2025 22:16
@leonardoce @gbartolini
feat: add client/server TLS and CA secret fields to PgBouncer spec
557ae9e 
This patch extends the Pooler CRD with the following new fields in
`.spec.pgbouncer`:

- `clientTLSSecret` maps to the `client_tls_key_file` and
  `client_tls_cert_file` parameters
- `clientCASecret` maps to the `client_tls_ca_file` parameter
- `serverTLSSecret` maps to the `server_tls_key_file` and
  `server_tls_cert_file` parameters
- `serverCASecret` maps to the `server_ca_file` parameter

When specified, these fields take precedence over the automatic TLS
configuration that CloudNativePG already generates for PgBouncer.

The existing `authQuery` and `authQuerySecret` behavior is preserved for
backward compatibility, although `serverTLSSecret` may override it if set.

See: cloudnative-pg#8675

Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
@leonardoce @gbartolini
chore: authQuerySecret is now optional
bf9c6a8 
Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
@armru @gbartolini
chore: centralize waiting statements in pooler controller
44d15ea 
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
@armru @gbartolini
chore(style): inline if statements
5799f03 
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
@armru @gbartolini
fix: do not tie the secret waiting if both auth and server tls secret…
24be5cc 
… are missing

Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
@armru @gbartolini
chore: doc
1e94d36 
Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
@NiccoloFei @gbartolini
test: add E2Es for manual TLS configuration of both pooler and postgres
98d9c71 
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
@NiccoloFei @gbartolini
test: fix authQuery
6265a18 
Signed-off-by: Niccolò Fei <niccolo.fei@enterprisedb.com>
@gbartolini
docs: mention authquery
5fb49f0 
Signed-off-by: Gabriele Bartolini <gabriele.bartolini@enterprisedb.com>
@gbartolini gbartolini force-pushed the customize-secret-pgbouncer branch from 9a8d0cd to 5fb49f0 Compare October 28, 2025 21:16
@gbartolini gbartolini merged commit e204e99 into cloudnative-pg:main Oct 28, 2025
15 of 18 checks passed
@nicholass-alcidion nicholass-alcidion mentioned this pull request Dec 16, 2025
Open
4 tasks
@tghartland tghartland mentioned this pull request Jan 19, 2026
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@gbartolini gbartolini gbartolini approved these changes

@NiccoloFei NiccoloFei NiccoloFei approved these changes

@armru armru armru approved these changes

@jsilvela jsilvela Awaiting requested review from jsilvela jsilvela is a code owner

@litaocdl litaocdl Awaiting requested review from litaocdl litaocdl is a code owner

Assignees

No one assigned

Labels

do not backport This PR must not be backported - it will be in the next minor release enhancement 🪄 New feature or request lgtm This PR has been approved by a maintainer ok to merge 👌 This PR can be merged size:XL This PR changes 500-999 lines, ignoring generated files.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

[Chore]: Deprecated authQuerySecret [Feature]: Allow TLS certificate customisation in the PgBouncer Pooler resource

6 participants

@leonardoce @armru @gbartolini @NiccoloFei @dougkirkley @cnpg-bot