PGBouncer missing client_tls_ca_file

Summary

The PGBouncer configuration is missing the client_tls_ca_file parameter, resulting in WARNING TLS handshake error: handshake failed: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed when attempting to connect using sslmode=prefer (or require).

Current Behaviour

When generating a self-signed certificate and issuer to use with an SGCluster, there is no way to specify the root CA. This causes the XX-ssl secret not to include the ca.crt file from the generated secret, and it also prevents the client_tls_ca_file parameter from being added to the pgbouncer.ini file.

Steps to reproduce

  • Install cert-manager
  • Create a ClusterIssuer
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: selfsigned-issuer
spec:
  selfSigned: {}
  • Create a Certificate
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: postgres-tls
spec:
  commonName: postgres-tls
  secretName: postgres-tls
  privateKey:
    algorithm: ECDSA
    size: 256
  issuerRef:
    name: selfsigned-issuer
    kind: ClusterIssuer
    group: cert-manager.io
  • Create an SGCluster with pooling and ssl enabled
ssl:
  enabled: true
  certificateSecretKeySelector:
    name: postgres-tls
    key: 'tls.crt'
  privateKeySecretKeySelector:
    name: postgres-tls
    key: 'tls.key'
  • Attempt to connect to the pgbouncer cluster using the certificate, which results in the error WARNING TLS handshake error: handshake failed: error:1417C086:SSL routines:tls_process_client_certificate:certificate verify failed

Possible Solution

Add caSecretKeySelector to allow passing in a secret selector for the root CA file. If it is provided, then append the client_tls_ca_file parameter to the pgbouncer.ini file.
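As an added illustration of the proposed behaviour (example code, not StackGres's own), the following renders the pgbouncer.ini TLS settings from the ssl block used in the steps above and flags a rendered config that lacks client_tls_ca_file. The caSecretKeySelector field, the /etc/ssl mount path and the client_tls_sslmode value are assumptions.

```python
"""Added example (not StackGres code): render the pgbouncer.ini TLS settings
from an SGCluster ssl spec and flag a config that lacks client_tls_ca_file."""
import configparser

TLS_DIR = "/etc/ssl"  # assumed mount path for the projected secret keys

# Constructed from the ssl block in the steps above; caSecretKeySelector is the
# field proposed in this issue, not an existing SGCluster field.
SSL_SPEC_WITHOUT_CA = {
    "enabled": True,
    "certificateSecretKeySelector": {"name": "postgres-tls", "key": "tls.crt"},
    "privateKeySecretKeySelector": {"name": "postgres-tls", "key": "tls.key"},
}
SSL_SPEC_WITH_CA = {
    **SSL_SPEC_WITHOUT_CA,
    "caSecretKeySelector": {"name": "postgres-tls", "key": "ca.crt"},
}

def render_pgbouncer_tls(ssl_spec: dict) -> str:
    """Return a minimal [pgbouncer] section for the given ssl spec; the CA line
    is emitted only when caSecretKeySelector is present, as the issue proposes."""
    if not ssl_spec.get("enabled"):
        return "[pgbouncer]\nclient_tls_sslmode = disable\n"
    cert_key = ssl_spec["certificateSecretKeySelector"]["key"]
    priv_key = ssl_spec["privateKeySecretKeySelector"]["key"]
    lines = [
        "[pgbouncer]",
        "client_tls_sslmode = require",  # assumed; the mode StackGres sets is not given
        f"client_tls_cert_file = {TLS_DIR}/{cert_key}",
        f"client_tls_key_file = {TLS_DIR}/{priv_key}",
    ]
    ca = ssl_spec.get("caSecretKeySelector")
    if ca is not None:
        lines.append(f"client_tls_ca_file = {TLS_DIR}/{ca['key']}")
    return "\n".join(lines) + "\n"

def missing_ca_file(ini_text: str) -> bool:
    """True when client TLS is on but no CA file is configured: the state that
    yields the 'certificate verify failed' handshake error reported above."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(ini_text)
    sec = cp["pgbouncer"]
    enabled = sec.get("client_tls_sslmode", "disable") != "disable"
    return enabled and not sec.get("client_tls_ca_file")

if __name__ == "__main__":
    for spec in (SSL_SPEC_WITHOUT_CA, SSL_SPEC_WITH_CA):
        ini = render_pgbouncer_tls(spec)
        print(ini + "missing client_tls_ca_file: %s\n" % missing_ca_file(ini))
```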

Environment

  • StackGres version: 1.17.1
  • Kubernetes version: v1.31.5+k3s1
  • Cloud provider or hardware configuration: k3d on local hardware