add support for TLS in CNPG

tangledbytes · tangledbytes · commit 7c2e36e00b82 · 2026-06-16T17:53:09.000+05:30
Signed-off-by: Utkarsh Srivastava &lt;srivastavautkarsh8097@gmail.com&gt;
diff --git a/deploy/internal/deployment-endpoint.yaml b/deploy/internal/deployment-endpoint.yaml
@@ -142,6 +142,7 @@ spec:
             - name: POSTGRES_CONNECTION_STRING
             - name: POSTGRES_SSL_REQUIRED
             - name: POSTGRES_SSL_UNAUTHORIZED
+            - name: PGSSLROOTCERT
             - name: POSTGRES_HOST_PATH
             - name: POSTGRES_USER_PATH
             - name: POSTGRES_PASSWORD_PATH
diff --git a/deploy/internal/statefulset-core.yaml b/deploy/internal/statefulset-core.yaml
@@ -128,6 +128,7 @@ spec:
             - name: POSTGRES_CONNECTION_STRING
             - name: POSTGRES_SSL_REQUIRED
             - name: POSTGRES_SSL_UNAUTHORIZED
+            - name: PGSSLROOTCERT
             - name: POSTGRES_HOST_PATH
             - name: POSTGRES_USER_PATH
             - name: POSTGRES_PASSWORD_PATH
diff --git a/pkg/bundle/deploy.go b/pkg/bundle/deploy.go
@@ -4343,7 +4343,7 @@ data:
     shared_preload_libraries = 'pg_stat_statements'
 `
 
-const Sha256_deploy_internal_deployment_endpoint_yaml = "558ec22578b22c3ac3a6d6b72fa95a7122739014ded0a73adbac319aa4457aed"
+const Sha256_deploy_internal_deployment_endpoint_yaml = "056b9894f53b6138d5bcc34f9a99fdb14604a47828f8110099106d99bff74488"
 
 const File_deploy_internal_deployment_endpoint_yaml = `apiVersion: apps/v1
 kind: Deployment
@@ -4489,6 +4489,7 @@ spec:
             - name: POSTGRES_CONNECTION_STRING
             - name: POSTGRES_SSL_REQUIRED
             - name: POSTGRES_SSL_UNAUTHORIZED
+            - name: PGSSLROOTCERT
             - name: POSTGRES_HOST_PATH
             - name: POSTGRES_USER_PATH
             - name: POSTGRES_PASSWORD_PATH
@@ -5581,7 +5582,7 @@ spec:
       noobaa-s3-svc: "true"
 `
 
-const Sha256_deploy_internal_statefulset_core_yaml = "4ef493f94d8f81746f9d8904085de093b4ed37ee15d0767cc563f7aa89c86de8"
+const Sha256_deploy_internal_statefulset_core_yaml = "0618df416c1406b53303a8365a64d6e59213e5c0316722ccefdd9d3ef8f22718"
 
 const File_deploy_internal_statefulset_core_yaml = `apiVersion: apps/v1
 kind: StatefulSet
@@ -5713,6 +5714,7 @@ spec:
             - name: POSTGRES_CONNECTION_STRING
             - name: POSTGRES_SSL_REQUIRED
             - name: POSTGRES_SSL_UNAUTHORIZED
+            - name: PGSSLROOTCERT
             - name: POSTGRES_HOST_PATH
             - name: POSTGRES_USER_PATH
             - name: POSTGRES_PASSWORD_PATH
diff --git a/pkg/system/db_reconciler.go b/pkg/system/db_reconciler.go
@@ -32,6 +32,8 @@ const (
 	defaultCalcMemoryKB     = int64(16 * 1024 * 1024) // 16GB in KB — used when DBResources not specified
 	defaultCalcCPU          = int64(4)                // used when DBResources not specified
 	defaultFailoverDelaySec = int32(30)
+
+	cnpgCAMountPath = "/etc/cnpg-ca"
 )
 
 // ReconcileCNPGCluster reconciles the CNPG cluster
@@ -303,6 +305,15 @@ func (r *Reconciler) reconcileClusterSpec(dbSpec *nbv1.NooBaaDBSpec) error {
 		Enabled: true,
 	}
 
+	if r.CNPGCluster.Spec.Certificates == nil {
+		r.CNPGCluster.Spec.Certificates = &cnpgv1.CertificatesConfiguration{}
+	}
+	r.CNPGCluster.Spec.Certificates.ServerAltDNSNames = []string{
+		r.ServiceDbPg.Name,
+		r.ServiceDbPg.Name + "." + r.Request.Namespace,
+		r.ServiceDbPg.Name + "." + r.Request.Namespace + ".svc",
+	}
+
 	r.CNPGCluster.Spec.FailoverDelay = defaultFailoverDelaySec
 
 	r.setPostgresConfig()
@@ -610,6 +621,17 @@ func (r *Reconciler) setPostgresConfig() {
 	}
 	r.cnpgLog("PGTune config: memory=%dKB, cpu=%d, endpoints=%d", totalMemoryKB, cpuNum, endpointMaxCount)
 
+	// propagate TLS security settings to the PostgreSQL server
+	tlsSec := r.NooBaa.Spec.Security.APIServerSecurity
+	if tlsSec != nil && !util.IsTLSConfigDisabled() {
+		if tlsSec.TLSMinVersion != nil {
+			overrideParameters["ssl_min_protocol_version"] = string(*tlsSec.TLSMinVersion)
+		}
+		if len(tlsSec.TLSCiphers) > 0 {
+			overrideParameters["ssl_ciphers"] = util.MapCiphersToOpenSSL(tlsSec.TLSCiphers)
+		}
+	}
+
 	// apply any user-specified DBConf overrides on top of the calculated values
 	if r.NooBaa.Spec.DBSpec.DBConf != nil {
 		for k, v := range r.NooBaa.Spec.DBSpec.DBConf {
@@ -843,6 +865,10 @@ func (r *Reconciler) getClusterSecretName() string {
 	return r.CNPGCluster.Name + "-app"
 }
 
+func (r *Reconciler) getClusterCASecretName() string {
+	return r.CNPGCluster.GetServerCASecretName()
+}
+
 func (r *Reconciler) cnpgLog(format string, args ...interface{}) {
 	r.Logger.Infof("cnpg:: "+format, args...)
 }
@@ -891,6 +917,7 @@ func (r *Reconciler) wasClusterSpecChanged(existingClusterSpec *cnpgv1.ClusterSp
 		!reflect.DeepEqual(existingClusterSpec.Monitoring, r.CNPGCluster.Spec.Monitoring) ||
 		!reflect.DeepEqual(existingClusterSpec.PostgresConfiguration.Parameters, r.CNPGCluster.Spec.PostgresConfiguration.Parameters) ||
 		!reflect.DeepEqual(existingClusterSpec.Backup, r.CNPGCluster.Spec.Backup) ||
+		!reflect.DeepEqual(existingClusterSpec.Certificates, r.CNPGCluster.Spec.Certificates) ||
 		existingClusterSpec.PriorityClassName != r.CNPGCluster.Spec.PriorityClassName ||
 		existingClusterSpec.FailoverDelay != r.CNPGCluster.Spec.FailoverDelay
 }
diff --git a/pkg/system/phase2_creating.go b/pkg/system/phase2_creating.go
@@ -577,13 +577,17 @@ func (r *Reconciler) setDesiredCoreEnv(c *corev1.Container) {
 			c.Env[j].Value = ""
 			c.Env[j].ValueFrom = nil
 		case "POSTGRES_SSL_REQUIRED":
-			if r.NooBaa.Spec.ExternalPgSSLRequired {
+			if r.NooBaa.Spec.ExternalPgSSLRequired || r.shouldReconcileCNPGCluster() {
 				c.Env[j].Value = "true"
 			}
 		case "POSTGRES_SSL_UNAUTHORIZED":
 			if r.NooBaa.Spec.ExternalPgSSLUnauthorized {
 				c.Env[j].Value = "true"
 			}
+		case "PGSSLROOTCERT":
+			if r.shouldReconcileCNPGCluster() {
+				c.Env[j].Value = cnpgCAMountPath + "/ca.crt"
+			}
 
 		case "POSTGRES_DBNAME_PATH":
 			c.Env[j].Value = postgresSecretMountPath + "/dbname"
@@ -702,11 +706,18 @@ func (r *Reconciler) SetDesiredCoreApp() error {
 			}
 
 			if r.shouldReconcileCNPGCluster() {
-				dbSecretVolumeMounts := []corev1.VolumeMount{{
-					Name:      r.CNPGCluster.Name,
-					MountPath: postgresSecretMountPath,
-					ReadOnly:  true,
-				}}
+				dbSecretVolumeMounts := []corev1.VolumeMount{
+					{
+						Name:      r.CNPGCluster.Name,
+						MountPath: postgresSecretMountPath,
+						ReadOnly:  true,
+					},
+					{
+						Name:      r.CNPGCluster.Name + "-ca",
+						MountPath: cnpgCAMountPath,
+						ReadOnly:  true,
+					},
+				}
 				util.MergeVolumeMountList(&c.VolumeMounts, &dbSecretVolumeMounts)
 			} else if r.NooBaa.Spec.ExternalPgSecret != nil {
 				dbSecretVolumeMounts := []corev1.VolumeMount{{
@@ -889,14 +900,28 @@ func (r *Reconciler) SetDesiredCoreApp() error {
 	}
 
 	if r.shouldReconcileCNPGCluster() {
-		dbSecretVolumes := []corev1.Volume{{
-			Name: r.CNPGCluster.Name,
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: r.getClusterSecretName(),
+		dbSecretVolumes := []corev1.Volume{
+			{
+				Name: r.CNPGCluster.Name,
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: r.getClusterSecretName(),
+					},
 				},
 			},
-		}}
+			{
+				Name: r.CNPGCluster.Name + "-ca",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: r.getClusterCASecretName(),
+						Items: []corev1.KeyToPath{{
+							Key:  "ca.crt",
+							Path: "ca.crt",
+						}},
+					},
+				},
+			},
+		}
 		util.MergeVolumeList(&podSpec.Volumes, &dbSecretVolumes)
 	} else if r.NooBaa.Spec.ExternalPgSecret != nil {
 		externalPgVolumes := []corev1.Volume{{
diff --git a/pkg/system/phase4_configuring.go b/pkg/system/phase4_configuring.go
@@ -554,11 +554,18 @@ func (r *Reconciler) setDesiredEndpointMounts(podSpec *corev1.PodSpec, container
 	container.VolumeMounts = r.DefaultDeploymentEndpoint.Containers[0].VolumeMounts
 
 	if r.shouldReconcileCNPGCluster() {
-		dbSecretVolumeMounts := []corev1.VolumeMount{{
-			Name:      r.CNPGCluster.Name,
-			MountPath: postgresSecretMountPath,
-			ReadOnly:  true,
-		}}
+		dbSecretVolumeMounts := []corev1.VolumeMount{
+			{
+				Name:      r.CNPGCluster.Name,
+				MountPath: postgresSecretMountPath,
+				ReadOnly:  true,
+			},
+			{
+				Name:      r.CNPGCluster.Name + "-ca",
+				MountPath: cnpgCAMountPath,
+				ReadOnly:  true,
+			},
+		}
 		util.MergeVolumeMountList(&container.VolumeMounts, &dbSecretVolumeMounts)
 	} else if r.NooBaa.Spec.ExternalPgSecret != nil {
 		dbSecretVolumeMounts := []corev1.VolumeMount{{
@@ -726,14 +733,28 @@ func (r *Reconciler) setDesiredEndpointMounts(podSpec *corev1.PodSpec, container
 	}
 
 	if r.shouldReconcileCNPGCluster() {
-		dbSecretVolumes := []corev1.Volume{{
-			Name: r.CNPGCluster.Name,
-			VolumeSource: corev1.VolumeSource{
-				Secret: &corev1.SecretVolumeSource{
-					SecretName: r.getClusterSecretName(),
+		dbSecretVolumes := []corev1.Volume{
+			{
+				Name: r.CNPGCluster.Name,
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: r.getClusterSecretName(),
+					},
 				},
 			},
-		}}
+			{
+				Name: r.CNPGCluster.Name + "-ca",
+				VolumeSource: corev1.VolumeSource{
+					Secret: &corev1.SecretVolumeSource{
+						SecretName: r.getClusterCASecretName(),
+						Items: []corev1.KeyToPath{{
+							Key:  "ca.crt",
+							Path: "ca.crt",
+						}},
+					},
+				},
+			},
+		}
 		util.MergeVolumeList(&podSpec.Volumes, &dbSecretVolumes)
 	} else if r.NooBaa.Spec.ExternalPgSecret != nil {
 		externalPgVolumes := []corev1.Volume{{
