setup database certificates by boddumanohar · Pull Request #623 · simplyblock/vela-controller

boddumanohar · 2026-02-20T16:00:48Z

The database connection endpoint connects to PGBouncer service. So the changes in PR sets up TLS termination for at PGBouncer.

As a part of this changes, we create the certificate:

Create the certificate as a part of Helm chart
update PGBouncer Config to require certificates
update vm.yaml definition with certificates

On the vela-os side, we first start the PGBouncer without TLS and the then certificates are available, we reload the PGbouncer with Certificates.

It can be observed below that the PGBouncer has intially connect in TLS mode and after a minute, it's connected with TLS.

root@pgbench2:/# psql "postgresql://postgres:itoanlI07fcVZ7vT@db.01kjkn4mby3sft1eqpc4nx0z2f.pr623.dev.kernel-labs.org:31672/postgres"
psql (17.8 (Debian 17.8-1.pgdg13+1), server 18.1)
WARNING: psql major version 17, server major version 18.
         Some psql features might not work.
Type "help" for help.

postgres=> \q
root@pgbench2:/# psql "postgresql://postgres:itoanlI07fcVZ7vT@db.01kjkn4mby3sft1eqpc4nx0z2f.pr623.dev.kernel-labs.org:31672/postgres"
psql (17.8 (Debian 17.8-1.pgdg13+1), server 18.1)
WARNING: psql major version 17, server major version 18.
         Some psql features might not work.
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off, ALPN: postgresql)
Type "help" for help.

postgres=> \q

and on the vela-os side (PR: simplyblock/vela-os#22)

Waiting for certificates...
01/Mar/2026:02:55:56 +0000: Starting PostgREST 14.3...
01/Mar/2026:02:55:56 +0000: API server listening on 0.0.0.0:3000
01/Mar/2026:02:55:56 +0000: Listening for database notifications on the "pgrst" channel
01/Mar/2026:02:55:56 +0000: Successfully connected to PostgreSQL 18.1 on x86_64-linux, compiled by gcc-14.3.0, 64-bit
01/Mar/2026:02:55:56 +0000: Connection Pool initialized with a maximum size of 10 connections
01/Mar/2026:02:55:56 +0000: Config reloaded
01/Mar/2026:02:55:56 +0000: Schema cache queried in 927.6 milliseconds
01/Mar/2026:02:55:56 +0000: Schema cache loaded 3 Relations, 2 Relationships, 4 Functions, 0 Domain Representations, 4 Media Type Handlers, 1196 Timezones
01/Mar/2026:02:55:56 +0000: Schema cache loaded in 7.7 milliseconds
Certificates found. Enabling TLS and reloading PgBouncer...

we wait for certificate and then load then when they become available.

boddumanohar requested review from mxsrc and noctarius February 20, 2026 16:01

boddumanohar force-pushed the db-certs branch from 7dc23c5 to 020a251 Compare February 23, 2026 11:09

boddumanohar marked this pull request as draft February 23, 2026 11:09

boddumanohar removed request for mxsrc and noctarius February 23, 2026 11:10

boddumanohar force-pushed the db-certs branch from 020a251 to 44338c9 Compare February 23, 2026 11:15

Base automatically changed from dev to main February 23, 2026 13:45

boddumanohar force-pushed the db-certs branch 2 times, most recently from 88994e4 to ac9354d Compare February 25, 2026 10:29

boddumanohar changed the base branch from main to dev February 25, 2026 10:29

boddumanohar force-pushed the db-certs branch 2 times, most recently from e059c1e to d052469 Compare February 26, 2026 03:26

boddumanohar marked this pull request as ready for review February 26, 2026 03:31

mxsrc force-pushed the dev branch from 9becda2 to f4b3837 Compare February 26, 2026 07:08

boddumanohar marked this pull request as draft February 26, 2026 12:09

Base automatically changed from dev to main February 27, 2026 14:33

boddumanohar changed the base branch from main to dev February 28, 2026 16:32

boddumanohar force-pushed the db-certs branch from d052469 to 72cd5b8 Compare February 28, 2026 18:04

boddumanohar added the deploy label Feb 28, 2026

boddumanohar temporarily deployed to dev February 28, 2026 18:07 — with GitHub Actions Inactive

boddumanohar temporarily deployed to dev March 1, 2026 02:18 — with GitHub Actions Inactive

boddumanohar temporarily deployed to dev March 1, 2026 02:27 — with GitHub Actions Inactive

boddumanohar marked this pull request as ready for review March 1, 2026 03:09

boddumanohar requested a review from mxsrc March 1, 2026 03:09

boddumanohar mentioned this pull request Mar 2, 2026

start without tls first and then load certificates again simplyblock/vela-os#22

Open

boddumanohar temporarily deployed to dev March 2, 2026 10:27 — with GitHub Actions Inactive

boddumanohar closed this Mar 2, 2026

boddumanohar temporarily deployed to dev March 2, 2026 10:32 — with GitHub Actions Inactive

boddumanohar reopened this Mar 2, 2026

boddumanohar temporarily deployed to dev March 2, 2026 10:35 — with GitHub Actions Inactive

setup database certificates

382232b

boddumanohar force-pushed the db-certs branch from 2df7b47 to 382232b Compare March 2, 2026 11:52

boddumanohar temporarily deployed to dev March 2, 2026 11:54 — with GitHub Actions Inactive

boddumanohar temporarily deployed to dev March 2, 2026 12:26 — with GitHub Actions Inactive

update image

53fd935

boddumanohar force-pushed the db-certs branch from bfc7b6f to 53fd935 Compare March 2, 2026 13:32

boddumanohar temporarily deployed to dev March 2, 2026 13:34 — with GitHub Actions Inactive

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

setup database certificates#623

setup database certificates#623
boddumanohar wants to merge 2 commits intodevfrom
db-certs

boddumanohar commented Feb 20, 2026 •

edited

Loading

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

Conversation

boddumanohar commented Feb 20, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

Reviewers

Assignees

Labels

Projects

Milestone

Development

Uh oh!

1 participant

boddumanohar commented Feb 20, 2026 •

edited

Loading