K8SPG-683 support ldap pgbouncer #1490

Merged
gkech merged 8 commits into main from K8SPG-683-pgbouncer
Mar 13, 2026

@gkech gkech commented Mar 10, 2026

CHANGE DESCRIPTION

Problem:

Enables LDAP-authenticated PostgreSQL users to connect via PgBouncer by configuring PgBouncer to use its native LDAP HBA support (introduced in PgBouncer 1.25.0).

For checking the version we are currently using, run the following command:

docker run --rm --platform linux/amd64 --entrypoint="" docker.io/perconalab/percona-postgresql-operator:main-pgbouncer17 pgbouncer --version

Added connection checks to ldap/03-verify-ldap-auth.yaml and ldap-tls/04-verify-ldaps-auth.yaml. They verify that a user with a valid LDAP password can connect through PgBouncer and that a wrong password is rejected.

Cause:
Short explanation of the root cause of the issue if applicable.

Solution:
Short explanation of the solution we are providing with this PR.

CHECKLIST

Jira

  • Is the Jira ticket created and referenced properly?
  • Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
  • Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

  • Is an E2E test/test case added for the new feature/change?
  • Are unit tests added where appropriate?

Config/Logging/Testability

  • Are all needed new/changed options added to default YAML files?
  • Are all needed new/changed options added to the Helm Chart?
  • Did we add proper logging messages for operator actions?
  • Did we ensure compatibility with the previous version or cluster upgrade process?
  • Does the change support oldest and newest supported PG version?
  • Does the change support oldest and newest supported Kubernetes version?

@egegunes egegunes added this to the v2.9.0 milestone Mar 11, 2026
egegunes previously approved these changes Mar 11, 2026
// pg_hba.conf (see https://github.com/pgbouncer/pgbouncer/pull/731). PgBouncer
// authenticates the client against the LDAP server directly, then uses the
// received cleartext credential for the server-side PostgreSQL connection.
func pgbouncerHBAFileContents(cluster *v1beta1.PostgresCluster) string {
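Review bot: The doc comment on pgbouncerHBAFileContents says PgBouncer reuses the client's cleartext credential for the server-side PostgreSQL connection, and the visible lines do not say what protects that password in transit. Suggest stating there whether TLS is expected on the client-to-PgBouncer and PgBouncer-to-PostgreSQL links when LDAP is in use, so the cleartext handling is a documented decision rather than an implicit one.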

shall we add a unit test for this?

mayankshah1607 previously approved these changes Mar 12, 2026

@egegunes egegunes left a comment

@gkech ldap test has a problem

gkech commented Mar 13, 2026

@gkech ldap test has a problem

[Image: Screenshot 2026-03-13 at 2 10 48 PM]

@JNKPercona

Test Name Result Time
backup-enable-disable passed 00:11:23
builtin-extensions passed 00:05:36
cert-manager-tls passed 00:05:43
custom-envs passed 00:19:30
custom-extensions passed 00:14:08
custom-tls passed 00:08:57
database-init-sql passed 00:02:33
demand-backup passed 00:24:38
demand-backup-offline-snapshot passed 00:13:23
dynamic-configuration passed 00:03:11
finalizers passed 00:03:46
init-deploy passed 00:03:41
huge-pages passed 00:03:14
ldap passed 00:03:46
ldap-tls passed 00:04:47
monitoring passed 00:07:29
monitoring-pmm3 passed 00:09:41
one-pod passed 00:07:06
operator-self-healing passed 00:10:17
pg-tde passed 00:09:16
pitr passed 00:12:05
scaling passed 00:06:06
scheduled-backup passed 00:28:05
self-healing passed 00:08:58
sidecars passed 00:02:45
standby-pgbackrest passed 00:12:15
standby-streaming passed 00:09:28
start-from-backup passed 00:11:10
tablespaces passed 00:06:37
telemetry-transfer passed 00:04:39
upgrade-consistency passed 00:06:41
upgrade-minor passed 00:05:56
users passed 00:04:34

Summary Value
Tests Run 33/33
Job Duration 01:35:54
Total Test Time 04:51:39

commit: 39e4bf7
image: perconalab/percona-postgresql-operator:PR-1490-39e4bf70e

@gkech gkech merged commit 08253e1 into main Mar 13, 2026
16 checks passed
@gkech gkech deleted the K8SPG-683-pgbouncer branch March 13, 2026 14:07