fix(cnpgi): support custom plugin certificate DNS names#9222
Merged
gbartolini merged 1 commit intomainfrom Nov 21, 2025
Merged
Conversation
Contributor
|
❗ By default, the pull request is configured to backport to all release branches.
|
Member
Author
|
/test limit=local |
Contributor
|
@armru, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/19471025535 |
| pluginAddress := fmt.Sprintf("%s:%d", service.Name, pluginPort) | ||
|
|
||
| // Use custom server name if provided, otherwise default to service name | ||
| serverName := service.Annotations[utils.PluginServerNameAnnotationName] |
Contributor
There was a problem hiding this comment.
does it make sense to allow a comma separate list of server names?
Member
There was a problem hiding this comment.
No, it doesn't. This is the server name the operator uses to contact the plugin. It's only one.
2 tasks
mnencia
approved these changes
Nov 20, 2025
jbattiato
approved these changes
Nov 21, 2025
gbartolini
approved these changes
Nov 21, 2025
Add a new annotation `cnpg.io/pluginServerName` that allows customizing the DNS name used for TLS certificate verification when connecting to CNPG-I plugins. Previously, the operator always used the Service name as the ServerName in the TLS configuration. This caused issues in environments where the plugin's certificate was issued with a different DNS name (e.g., `barman-cloud.svc` instead of `barman-cloud`). With this change, users can specify the expected DNS name via the new annotation, enabling the operator to verify the plugin's certificate against the custom name while still connecting to the Service. Fixes #9218 Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com>
cnpg-bot
pushed a commit
that referenced
this pull request
Nov 21, 2025
Add a new annotation `cnpg.io/pluginServerName` that allows customizing the DNS name used for TLS certificate verification when connecting to CNPG-I plugins. Previously, the operator always used the Service name as the ServerName in the TLS configuration. This caused issues in environments where the plugin's certificate was issued with a different DNS name (e.g. `barman-cloud.svc` instead of `barman-cloud`). With this change, users can specify the expected DNS name via the new annotation, enabling the operator to verify the plugin's certificate against the custom name while still connecting to the Service. Closes #9218 Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com> (cherry picked from commit d475849)
cnpg-bot
pushed a commit
that referenced
this pull request
Nov 21, 2025
Add a new annotation `cnpg.io/pluginServerName` that allows customizing the DNS name used for TLS certificate verification when connecting to CNPG-I plugins. Previously, the operator always used the Service name as the ServerName in the TLS configuration. This caused issues in environments where the plugin's certificate was issued with a different DNS name (e.g. `barman-cloud.svc` instead of `barman-cloud`). With this change, users can specify the expected DNS name via the new annotation, enabling the operator to verify the plugin's certificate against the custom name while still connecting to the Service. Closes #9218 Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com> (cherry picked from commit d475849)
mnencia
pushed a commit
that referenced
this pull request
Nov 26, 2025
Add a new annotation `cnpg.io/pluginServerName` that allows customizing the DNS name used for TLS certificate verification when connecting to CNPG-I plugins. Previously, the operator always used the Service name as the ServerName in the TLS configuration. This caused issues in environments where the plugin's certificate was issued with a different DNS name (e.g. `barman-cloud.svc` instead of `barman-cloud`). With this change, users can specify the expected DNS name via the new annotation, enabling the operator to verify the plugin's certificate against the custom name while still connecting to the Service. Closes #9218 Signed-off-by: Armando Ruocco <armando.ruocco@enterprisedb.com> (cherry picked from commit d475849)
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
6 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Add a new annotation
cnpg.io/pluginServerNamethat allows customizing the DNS name used for TLS certificate verification when connecting to CNPG-I plugins.Previously, the operator always used the Service name as the ServerName in the TLS configuration. This caused issues in environments where the plugin's certificate was issued with a different DNS name (e.g.,
barman-cloud.svcinstead ofbarman-cloud).With this change, users can specify the expected DNS name via the new annotation, enabling the operator to verify the plugin's certificate against the custom name while still connecting to the Service.
Closes #9218