setup database certificates by boddumanohar · Pull Request #623 · simplyblock/vela-controller

boddumanohar · 2026-02-20T16:00:48Z

The database connection endpoint connects to PGBouncer service. So the changes in PR sets up TLS termination for at PGBouncer.

As a part of this changes, we create the certificate:

Create the certificate as a part of Helm chart
update PGBouncer Config to require certificates
update vm.yaml definition with certificates

We first provision a temporary certificate (using the annotation: cert-manager.io/issue-temporary-certificate: "true") and then the certificate will be replaced by the actual lets encrypt certificate.

initially PSQL connection works.

root@pgbench2:/# psql "postgresql://postgres@db.01kjw123b90acqvn6ext0a7m4v.pr623.dev.kernel-labs.org:32138/postgres"
psql (17.8 (Debian 17.8-1.pgdg13+1), server 18.1)
WARNING: psql major version 17, server major version 18.
         Some psql features might not work.
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: postgresql)
Type "help" for help.

postgres=> \q

but then it doesn't work verify-full mode.

root@pgbench2:/# psql "postgresql://postgres@db.01kjw123b90acqvn6ext0a7m4v.pr623.dev.kernel-labs.org:32138/postgres?sslmode=verify-full&sslrootcert=system"
psql: error: connection to server at "db.01kjw123b90acqvn6ext0a7m4v.pr623.dev.kernel-labs.org" (34.141.107.241), port 32138 failed: SSL error: certificate verify failed

after sometime it works again. Because the certificate will be replaced by lets encrypt's TLS secret

root@pgbench2:/# psql "postgresql://postgres@db.01kjw123b90acqvn6ext0a7m4v.pr623.dev.kernel-labs.org:32138/postgres?sslmode=verify-full&sslrootcert=system"
psql (17.8 (Debian 17.8-1.pgdg13+1), server 18.1)
WARNING: psql major version 17, server major version 18.
         Some psql features might not work.
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: postgresql)
Type "help" for help.

postgres=> \q

and on the image logs

TLS explicitly required by configuration. Waiting for certificates...
Certificates found. Starting hot-reload watcher in background...
Certificates modified, reloading PgBouncer...

mxsrc

Small comment, otherwise it looks good.

src/deployment/charts/vela/templates/autoscaler/compose-config.yaml

boddumanohar requested review from mxsrc and noctarius February 20, 2026 16:01

boddumanohar force-pushed the db-certs branch from 7dc23c5 to 020a251 Compare February 23, 2026 11:09

boddumanohar marked this pull request as draft February 23, 2026 11:09

boddumanohar removed request for mxsrc and noctarius February 23, 2026 11:10

boddumanohar force-pushed the db-certs branch from 020a251 to 44338c9 Compare February 23, 2026 11:15

Base automatically changed from dev to main February 23, 2026 13:45

boddumanohar force-pushed the db-certs branch 2 times, most recently from 88994e4 to ac9354d Compare February 25, 2026 10:29

boddumanohar changed the base branch from main to dev February 25, 2026 10:29

boddumanohar force-pushed the db-certs branch 2 times, most recently from e059c1e to d052469 Compare February 26, 2026 03:26

boddumanohar marked this pull request as ready for review February 26, 2026 03:31

mxsrc force-pushed the dev branch from 9becda2 to f4b3837 Compare February 26, 2026 07:08

boddumanohar marked this pull request as draft February 26, 2026 12:09

Base automatically changed from dev to main February 27, 2026 14:33

boddumanohar changed the base branch from main to dev February 28, 2026 16:32

boddumanohar force-pushed the db-certs branch from d052469 to 72cd5b8 Compare February 28, 2026 18:04

boddumanohar added the deploy label Feb 28, 2026

boddumanohar temporarily deployed to dev February 28, 2026 18:07 — with GitHub Actions Inactive

boddumanohar temporarily deployed to dev March 1, 2026 02:18 — with GitHub Actions Inactive

boddumanohar temporarily deployed to dev March 1, 2026 02:27 — with GitHub Actions Inactive

boddumanohar marked this pull request as ready for review March 1, 2026 03:09

boddumanohar requested a review from mxsrc March 1, 2026 03:09

boddumanohar mentioned this pull request Mar 2, 2026

start without tls first and then load certificates again simplyblock/vela-os#22

Closed

boddumanohar temporarily deployed to dev March 2, 2026 10:27 — with GitHub Actions Inactive

boddumanohar closed this Mar 2, 2026

boddumanohar temporarily deployed to dev March 2, 2026 10:32 — with GitHub Actions Inactive

boddumanohar reopened this Mar 2, 2026

boddumanohar temporarily deployed to dev March 2, 2026 10:35 — with GitHub Actions Inactive

boddumanohar force-pushed the db-certs branch from 2df7b47 to 382232b Compare March 2, 2026 11:52

boddumanohar temporarily deployed to dev March 2, 2026 11:54 — with GitHub Actions Inactive

boddumanohar temporarily deployed to dev March 2, 2026 12:26 — with GitHub Actions Inactive

boddumanohar force-pushed the db-certs branch from bfc7b6f to 53fd935 Compare March 2, 2026 13:32

boddumanohar temporarily deployed to dev March 2, 2026 13:34 — with GitHub Actions Inactive

boddumanohar temporarily deployed to dev March 4, 2026 08:15 — with GitHub Actions Inactive

boddumanohar temporarily deployed to dev March 4, 2026 08:53 — with GitHub Actions Inactive

boddumanohar force-pushed the db-certs branch from bc916fe to 77ca709 Compare March 4, 2026 09:06

boddumanohar temporarily deployed to dev March 4, 2026 09:08 — with GitHub Actions Inactive

boddumanohar force-pushed the db-certs branch from 77ca709 to 2e8411d Compare March 4, 2026 09:09

boddumanohar temporarily deployed to dev March 4, 2026 09:11 — with GitHub Actions Inactive

mxsrc reviewed Mar 4, 2026

View reviewed changes

src/deployment/charts/vela/templates/autoscaler/compose-config.yaml Outdated Show resolved Hide resolved

setup database certificates

6ab4d3a

boddumanohar force-pushed the db-certs branch from 2e8411d to 6ab4d3a Compare March 4, 2026 09:49

boddumanohar temporarily deployed to dev March 4, 2026 09:50 — with GitHub Actions Inactive

This was referenced Mar 4, 2026

Add an option to enforce TLS being used when connecting to Postgres simplyblock/vela#258

Open

Add an option to enforce client certificates validation when connecting to Postgres simplyblock/vela#259

Open

boddumanohar requested a review from mxsrc March 4, 2026 10:52

mxsrc approved these changes Mar 4, 2026

View reviewed changes

boddumanohar merged commit a63381e into dev Mar 4, 2026
7 checks passed

boddumanohar deleted the db-certs branch March 4, 2026 11:23

boddumanohar temporarily deployed to dev March 4, 2026 11:23 — with GitHub Actions Inactive

noctarius mentioned this pull request Mar 4, 2026

Databases should be connected via TLS simplyblock/vela#169

Closed

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

setup database certificates#623

setup database certificates#623
boddumanohar merged 1 commit intodevfrom
db-certs

boddumanohar commented Feb 20, 2026 •

edited

Loading

Uh oh!

mxsrc left a comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

Conversation

boddumanohar commented Feb 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

mxsrc left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

3 participants

boddumanohar commented Feb 20, 2026 •

edited

Loading