Skip to content

K8SPG-952 | allow specifying trusted CAs for pgbouncer frontend#1676

Open
mayankshah1607 wants to merge 13 commits into
mainfrom
K8SPG-952
Open

K8SPG-952 | allow specifying trusted CAs for pgbouncer frontend#1676
mayankshah1607 wants to merge 13 commits into
mainfrom
K8SPG-952

Conversation

@mayankshah1607

@mayankshah1607 mayankshah1607 commented Jul 10, 2026

Copy link
Copy Markdown
Member

CHANGE DESCRIPTION

Problem:

Fixes #1457

Users who want mTLS between clients and PgBouncer (client_tls_sslmode: verify-ca|verify-full or auth_type: cert) need PgBouncer to trust the CA that signed their client certificates. The operator only trusted the CA it manages itself. The sole workaround, spec.proxy.pgBouncer.customTLSSecret, switches the operator into manual mode: it stops generating and rotating the PgBouncer frontend certificate, forcing users to take over the entire PKI lifecycle just to trust one additional CA.

Cause:
client_tls_ca_file in pgbouncer.ini points to a single file materialized from pgbouncer-frontend.ca-roots key of the operator-managed Secret (automated mode) or the ca.crt of the custom TLS Secret (manual mode). There was no API to extend that trust bundle, so the certificate PgBouncer*presents (server identity) and the CAs it accepts client certificates from were coupled to the same single CA.

Solution:
Add spec.proxy.pgBouncer.additionalTrustedCAs (a list of Secret references, key ca.crt). The operator appends the referenced PEM bundles to the PgBouncer frontend CA bundle:

CHECKLIST

Jira

  • Is the Jira ticket created and referenced properly?
  • Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
  • Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

  • Is an E2E test/test case added for the new feature/change?
  • Are unit tests added where appropriate?

Config/Logging/Testability

  • Are all needed new/changed options added to default YAML files?
  • Are all needed new/changed options added to the Helm Chart?
  • Did we add proper logging messages for operator actions?
  • Did we ensure compatibility with the previous version or cluster upgrade process?
  • Does the change support oldest and newest supported PG version?
  • Does the change support oldest and newest supported Kubernetes version?

Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>

Copilot AI left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR adds support for configuring extra trusted CA bundles for the PgBouncer frontend TLS verification path, allowing mTLS client certs signed by external CAs while retaining operator-managed PKI for the cluster.

Changes:

  • Adds additionalTrustedCAs to the PgBouncer spec (both upstream and percona APIs) and propagates it through conversions/deep-copies.
  • Updates PgBouncer secret reconciliation to append additional CA bundle bytes into the frontend CA bundle (and adjusts pod volume projections for “custom TLS secret + additional CAs”).
  • Adds targeted unit tests covering bundle concatenation behavior and manual/custom TLS interactions; updates CRD/bundle manifests.

Reviewed changes

Copilot reviewed 13 out of 16 changed files in this pull request and generated 1 comment.

Show a summary per file
File Description
pkg/apis/upstream.pgv2.percona.com/v1beta1/zz_generated.deepcopy.go DeepCopy support for the new AdditionalTrustedCAs slice.
pkg/apis/upstream.pgv2.percona.com/v1beta1/pgbouncer_types.go Adds additionalTrustedCAs to the upstream PgBouncer API type.
pkg/apis/pgv2.percona.com/v2/zz_generated.deepcopy.go DeepCopy support for AdditionalTrustedCAs in the percona API.
pkg/apis/pgv2.percona.com/v2/perconapgcluster_types.go Adds additionalTrustedCAs to percona API and maps it into the upstream Crunchy spec (ToCrunchy).
internal/pgbouncer/reconcile.go Appends additional CA bytes into the generated/managed frontend CA bundle; updates projected volume sources to handle custom TLS + merged CA bundle mounting.
internal/pgbouncer/reconcile_test.go Adds tests for CA bundle appending and custom TLS + additional CAs behavior; updates Secret() calls for new signature.
internal/pgbouncer/certificates.go Extends frontend certificate volume projections to support mounting merged CA bundle from operator Secret when custom TLS is used with additional CAs; adds helper for CA key remapping.
internal/pgbouncer/certificates_test.go Updates existing projection tests and adds coverage for “custom TLS + additional CAs” projection behavior and CA-key remapping helper.
internal/controller/postgrescluster/pgbouncer.go Fetches referenced CA Secrets and passes their bytes into PgBouncer Secret reconciliation; introduces getAdditionalTrustedCAs.
internal/controller/postgrescluster/pgbouncer_test.go Adds tests for getAdditionalTrustedCAs (including custom TLS CA prepending and not-found handling).
deploy/cw-bundle.yaml CRD schema update for additionalTrustedCAs.
deploy/crd.yaml CRD schema update for additionalTrustedCAs.
deploy/bundle.yaml CRD schema update for additionalTrustedCAs.
config/crd/bases/upstream.pgv2.percona.com_postgresclusters.yaml Base CRD schema update for additionalTrustedCAs.
config/crd/bases/pgv2.percona.com_perconapgclusters.yaml Base CRD schema update for additionalTrustedCAs.
build/crd/percona/generated/pgv2.percona.com_perconapgclusters.yaml Generated CRD schema update for additionalTrustedCAs.
Files not reviewed (2)
  • pkg/apis/pgv2.percona.com/v2/zz_generated.deepcopy.go: Generated file
  • pkg/apis/upstream.pgv2.percona.com/v1beta1/zz_generated.deepcopy.go: Generated file

Comment thread internal/controller/postgrescluster/pgbouncer.go Outdated
mayankshah1607 and others added 5 commits July 10, 2026 13:24
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Comment thread e2e-tests/tests/pgbouncer-mtls/04-add-trusted-ca.yaml Outdated
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
@mayankshah1607 mayankshah1607 requested a review from egegunes July 13, 2026 07:35
egegunes
egegunes previously approved these changes Jul 13, 2026
mayankshah1607 and others added 2 commits July 14, 2026 10:05
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
Signed-off-by: Mayank Shah <mayank.shah@percona.com>
@mayankshah1607 mayankshah1607 requested a review from egegunes July 14, 2026 05:07
@JNKPercona

Copy link
Copy Markdown
Collaborator
Test Name Result Time
backup-enable-disable passed 00:00:00
builtin-extensions passed 00:00:00
cert-manager-tls passed 00:00:00
custom-envs passed 00:00:00
custom-tls passed 00:00:00
database-init-sql passed 00:00:00
demand-backup passed 00:00:00
demand-backup-offline-snapshot passed 00:00:00
dynamic-configuration passed 00:00:00
finalizers passed 00:00:00
init-deploy passed 00:00:00
huge-pages passed 00:00:00
major-upgrade-14-to-15 passed 00:00:00
major-upgrade-15-to-16 passed 00:00:00
major-upgrade-16-to-17 passed 00:00:00
major-upgrade-17-to-18 passed 00:00:00
ldap passed 00:00:00
ldap-tls passed 00:00:00
monitoring passed 00:00:00
monitoring-pmm3 passed 00:00:00
one-pod passed 00:00:00
operator-self-healing passed 00:00:00
pgbouncer-mtls passed 00:00:00
pitr passed 00:00:00
scaling passed 00:06:30
scheduled-backup passed 00:00:00
self-healing passed 00:00:00
sidecars passed 00:00:00
standby-pgbackrest passed 00:00:00
standby-streaming passed 00:00:00
start-from-backup passed 00:00:00
tablespaces passed 00:00:00
telemetry-transfer passed 00:00:00
upgrade-consistency passed 00:00:00
upgrade-minor passed 00:00:00
users passed 00:00:00
migration-from-crunchy-standby passed 00:00:00
migration-from-crunchy-pv passed 00:00:00
migration-from-crunchy-backup-restore passed 00:00:00
Summary Value
Tests Run 39/39
Job Duration 00:29:54
Total Test Time 00:06:30

commit: 60c2468
image: perconalab/percona-postgresql-operator:PR-1676-60c24687d

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

Add additional trusted CAs to PGBouncer

4 participants