feat(pooler): allow configuration of advanced TLS cipher settings #9571

Merged
leonardoce merged 3 commits into cloudnative-pg:main from alex1989hu:feat/pooler-cipher-tlsv13
Mar 9, 2026
@alex1989hu alex1989hu commented Dec 25, 2025

The operator now supports overriding specific TLS cipher parameters in the PgBouncer configuration. Previously, these were rejected by the internal validation schema.

Supported parameters:

  • client_tls_ciphers
  • client_tls13_ciphers (requires PgBouncer 1.25+)
  • server_tls13_ciphers (requires PgBouncer 1.25+)

Note: Users are responsible for ensuring their PgBouncer image version supports these settings to avoid configuration errors.

Closes #9570
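
A pre-flight check for the version caveat in the description above, as an added example that is not part of the pull request or the operator's code. `UnsupportedTLSParams` and `minVersion` are hypothetical names, and the PgBouncer version string is assumed to be supplied by whoever knows which image the Pooler runs.

```go
package main

import (
	"fmt"
	"sort"
	"strconv"
	"strings"
)

// minVersion: minimum PgBouncer release (major*1000+minor) this PR states per parameter.
var minVersion = map[string]int{
	"client_tls13_ciphers": 1*1000 + 25,
	"server_tls13_ciphers": 1*1000 + 25,
}

// parseMajorMinor turns "1.25.0" into 1*1000+25 so versions compare as ints.
func parseMajorMinor(v string) (int, error) {
	parts := strings.Split(v, ".")
	if len(parts) < 2 {
		return 0, fmt.Errorf("version %q: want MAJOR.MINOR[.PATCH]", v)
	}
	major, err1 := strconv.Atoi(parts[0])
	minor, err2 := strconv.Atoi(parts[1])
	if err1 != nil || err2 != nil || major < 0 || minor < 0 || minor > 999 {
		return 0, fmt.Errorf("version %q: non-numeric or out-of-range component", v)
	}
	return major*1000 + minor, nil
}

// UnsupportedTLSParams returns, sorted, the configured parameters that need a
// newer PgBouncer than the given one. Parameters without a stated minimum pass.
func UnsupportedTLSParams(version string, params map[string]string) ([]string, error) {
	have, err := parseMajorMinor(version)
	if err != nil {
		return nil, err
	}
	var bad []string
	for name := range params {
		if need, ok := minVersion[name]; ok && have < need {
			bad = append(bad, name)
		}
	}
	sort.Strings(bad)
	return bad, nil
}

func main() {
	// Constructed sample input: a 1.24 image with a TLS 1.3 cipher override.
	fmt.Println(UnsupportedTLSParams("1.24.1", map[string]string{"client_tls13_ciphers": "TLS_AES_256_GCM_SHA384"}))
}
```

An unparseable version such as a floating tag returns an error rather than an empty list, so the check cannot silently pass when the version is unknown.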

@alex1989hu alex1989hu requested review from a team and jsilvela as code owners December 25, 2025 12:07
@dosubot dosubot bot added the size:XS This PR changes 0-9 lines, ignoring generated files. label Dec 25, 2025
@cnpg-bot cnpg-bot added backport-requested ◀️ This pull request should be backported to all supported releases release-1.25 release-1.27 release-1.28 labels Dec 25, 2025
@github-actions

❗ By default, the pull request is configured to backport to all release branches.

  • To stop backporting this PR, remove the label: backport-requested ◀️ or add the label 'do not backport'
  • To stop backporting this PR to a certain release branch, remove the specific branch label: release-x.y

@dosubot dosubot bot added the enhancement 🪄 New feature or request label Dec 25, 2025
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Dec 26, 2025
@sxd sxd self-requested a review December 26, 2025 14:08
@alex1989hu alex1989hu force-pushed the feat/pooler-cipher-tlsv13 branch from 400aaa0 to 32eb59c Compare March 5, 2026 21:45
@gbartolini

Can you please mention that those features require PgBouncer 1.25 somehow?

@dosubot dosubot bot added size:S This PR changes 10-29 lines, ignoring generated files. and removed size:XS This PR changes 0-9 lines, ignoring generated files. labels Mar 5, 2026
@gbartolini

/test

github-actions bot commented Mar 5, 2026

@gbartolini, here's the link to the E2E on CNPG workflow run: https://github.com/cloudnative-pg/cloudnative-pg/actions/runs/22741659428

@cnpg-bot cnpg-bot added the ok to merge 👌 This PR can be merged label Mar 6, 2026
@gbartolini gbartolini changed the title from "feat(pooler): make more tls cipher-related parameters configurable" to "feat(pooler): allow configuration of advanced TLS cipher settings" Mar 6, 2026
alex1989hu and others added 3 commits March 9, 2026 10:15
The operator now allows overriding `client_tls_ciphers`, `client_tls13_ciphers`,
and `server_tls13_ciphers`, which were previously rejected. These
options were added to PgBouncer 1.25.0.

Signed-off-by: Alex Szakaly <[email protected]>
Signed-off-by: Gabriele Bartolini <[email protected]>
@leonardoce leonardoce force-pushed the feat/pooler-cipher-tlsv13 branch from afae163 to eccc1da Compare March 9, 2026 09:15
@leonardoce leonardoce merged commit f97b08e into cloudnative-pg:main Mar 9, 2026
32 checks passed
cnpg-bot pushed a commit that referenced this pull request Mar 9, 2026
)

The operator now supports overriding specific TLS cipher parameters in
the PgBouncer configuration. Previously, these were rejected by the
internal validation schema.

Supported parameters:

- `client_tls_ciphers`
- `client_tls13_ciphers` (requires PgBouncer 1.25+)
- `server_tls13_ciphers` (requires PgBouncer 1.25+)

Note: Users are responsible for ensuring their PgBouncer image version
supports these settings to avoid configuration errors.

Closes #9570

Signed-off-by: Alex Szakaly <[email protected]>
Signed-off-by: Gabriele Bartolini <[email protected]>
Co-authored-by: Gabriele Bartolini <[email protected]>
(cherry picked from commit f97b08e)
leonardoce pushed a commit that referenced this pull request Mar 9, 2026
(cherry picked from commit f97b08e)
leonardoce pushed a commit that referenced this pull request Mar 9, 2026
(cherry picked from commit f97b08e)
(cherry picked from commit 4ea836a)
mnencia pushed a commit that referenced this pull request Mar 9, 2026
(cherry picked from commit f97b08e)
mnencia pushed a commit that referenced this pull request Mar 9, 2026
(cherry picked from commit f97b08e)
(cherry picked from commit 4ea836a)
@alex1989hu alex1989hu deleted the feat/pooler-cipher-tlsv13 branch March 9, 2026 21:20
Successfully merging this pull request may close these issues.

[Feature]: Configurable PgBouncer TLS cipher parameters
