Add support for additional trusted CAs in PGBouncer #172

@hors

Description

Community Note

  • Please vote on this issue by adding a 👍 reaction to the original issue to help the community and maintainers prioritize this request
  • Please do not leave "+1" or "me too" comments; they generate extra noise for issue followers and do not help prioritize the request
  • If you are interested in working on this issue or have submitted a pull request, please leave a comment

Tell us about the feature
Allow users to provide additional CA certificates that PGBouncer will trust for client TLS verification, while keeping the operator's automatic certificate management intact. Today users face an all-or-nothing choice — this feature removes that constraint.

Which product(s) is this request for?
Operators, PostgreSQL

Tell us about the problem
PGBouncer client TLS is configured with a single client_tls_ca_file. The operator today generates this file automatically (internal PKI or cert-manager), but the only way to trust external clients using a custom CA is to set customTLSSecret, which switches the operator into fully manual TLS mode, requiring the user to manage the entire PKI lifecycle (certificate rotation, key management, etc.).

Acceptance Criteria

  • additionalTrustedCAs field accepted in spec.proxy.pgBouncer
  • CA certificates from referenced Secrets are appended to the operator-generated CA in the PGBouncer Secret
  • Clients presenting certificates signed by an additional trusted CA can connect successfully
  • Clients presenting certificates signed by the operator's own CA still connect successfully (no regression)
  • Updating a referenced CA Secret triggers re-reconciliation and CA bundle rebuild
  • Validation error when a referenced Secret does not exist or does not contain ca.crt
  • Works correctly when customTLSSecret is also set
  • E2E test: connect with client cert signed by external CA → success
  • E2E test: connect with client cert signed by operator CA → still succeeds
  • E2E test: connect with client cert signed by untrusted CA → rejected
  • Documentation: example Secret format, YAML snippet, rotation guidance

References
Issue #1457
PGBouncer TLS config docs (client_tls_ca_file)
PEM certificate bundle concatenation
internal/pgbouncer/certificates.go — current TLS constants and paths
internal/pgbouncer/reconcile.go — Secret() and Pod() functions to modify
