K8SPG-952 | allow specifying trusted CAs for pgbouncer frontend#1676
Open
mayankshah1607 wants to merge 13 commits into
Open
K8SPG-952 | allow specifying trusted CAs for pgbouncer frontend#1676mayankshah1607 wants to merge 13 commits into
mayankshah1607 wants to merge 13 commits into
Conversation
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Contributor
There was a problem hiding this comment.
Pull request overview
This PR adds support for configuring extra trusted CA bundles for the PgBouncer frontend TLS verification path, allowing mTLS client certs signed by external CAs while retaining operator-managed PKI for the cluster.
Changes:
- Adds
additionalTrustedCAsto the PgBouncer spec (both upstream and percona APIs) and propagates it through conversions/deep-copies. - Updates PgBouncer secret reconciliation to append additional CA bundle bytes into the frontend CA bundle (and adjusts pod volume projections for “custom TLS secret + additional CAs”).
- Adds targeted unit tests covering bundle concatenation behavior and manual/custom TLS interactions; updates CRD/bundle manifests.
Reviewed changes
Copilot reviewed 13 out of 16 changed files in this pull request and generated 1 comment.
Show a summary per file
| File | Description |
|---|---|
| pkg/apis/upstream.pgv2.percona.com/v1beta1/zz_generated.deepcopy.go | DeepCopy support for the new AdditionalTrustedCAs slice. |
| pkg/apis/upstream.pgv2.percona.com/v1beta1/pgbouncer_types.go | Adds additionalTrustedCAs to the upstream PgBouncer API type. |
| pkg/apis/pgv2.percona.com/v2/zz_generated.deepcopy.go | DeepCopy support for AdditionalTrustedCAs in the percona API. |
| pkg/apis/pgv2.percona.com/v2/perconapgcluster_types.go | Adds additionalTrustedCAs to percona API and maps it into the upstream Crunchy spec (ToCrunchy). |
| internal/pgbouncer/reconcile.go | Appends additional CA bytes into the generated/managed frontend CA bundle; updates projected volume sources to handle custom TLS + merged CA bundle mounting. |
| internal/pgbouncer/reconcile_test.go | Adds tests for CA bundle appending and custom TLS + additional CAs behavior; updates Secret() calls for new signature. |
| internal/pgbouncer/certificates.go | Extends frontend certificate volume projections to support mounting merged CA bundle from operator Secret when custom TLS is used with additional CAs; adds helper for CA key remapping. |
| internal/pgbouncer/certificates_test.go | Updates existing projection tests and adds coverage for “custom TLS + additional CAs” projection behavior and CA-key remapping helper. |
| internal/controller/postgrescluster/pgbouncer.go | Fetches referenced CA Secrets and passes their bytes into PgBouncer Secret reconciliation; introduces getAdditionalTrustedCAs. |
| internal/controller/postgrescluster/pgbouncer_test.go | Adds tests for getAdditionalTrustedCAs (including custom TLS CA prepending and not-found handling). |
| deploy/cw-bundle.yaml | CRD schema update for additionalTrustedCAs. |
| deploy/crd.yaml | CRD schema update for additionalTrustedCAs. |
| deploy/bundle.yaml | CRD schema update for additionalTrustedCAs. |
| config/crd/bases/upstream.pgv2.percona.com_postgresclusters.yaml | Base CRD schema update for additionalTrustedCAs. |
| config/crd/bases/pgv2.percona.com_perconapgclusters.yaml | Base CRD schema update for additionalTrustedCAs. |
| build/crd/percona/generated/pgv2.percona.com_perconapgclusters.yaml | Generated CRD schema update for additionalTrustedCAs. |
Files not reviewed (2)
- pkg/apis/pgv2.percona.com/v2/zz_generated.deepcopy.go: Generated file
- pkg/apis/upstream.pgv2.percona.com/v1beta1/zz_generated.deepcopy.go: Generated file
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
egegunes
requested changes
Jul 13, 2026
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
egegunes
previously approved these changes
Jul 13, 2026
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
egegunes
approved these changes
Jul 14, 2026
Collaborator
commit: 60c2468 |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
CHANGE DESCRIPTION
Problem:
Fixes #1457
Users who want mTLS between clients and PgBouncer (
client_tls_sslmode: verify-ca|verify-fullorauth_type: cert) need PgBouncer to trust the CA that signed their client certificates. The operator only trusted the CA it manages itself. The sole workaround,spec.proxy.pgBouncer.customTLSSecret, switches the operator into manual mode: it stops generating and rotating the PgBouncer frontend certificate, forcing users to take over the entire PKI lifecycle just to trust one additional CA.Cause:
client_tls_ca_filein pgbouncer.ini points to a single file materialized frompgbouncer-frontend.ca-rootskey of the operator-managed Secret (automated mode) or theca.crtof the custom TLS Secret (manual mode). There was no API to extend that trust bundle, so the certificate PgBouncer*presents (server identity) and the CAs it accepts client certificates from were coupled to the same single CA.Solution:
Add
spec.proxy.pgBouncer.additionalTrustedCAs(a list of Secret references, keyca.crt). The operator appends the referenced PEM bundles to the PgBouncer frontend CA bundle:CHECKLIST
Jira
Needs Doc) and QA (Needs QA)?Tests
Config/Logging/Testability