Description
With simplyblock/vela-controller#623 we implemented the option to support TLS certificates at the server-side with PGBouncer. The database is brought up non-encrypted first. At the same time a certificate (ACME protocol) is requested. Whenever the certificate is issued, PGBouncer is reconfigured and reloaded.
In #258 we will add the option to enforce encrypted PG connections when connecting to the database.
This issue adds another user configuration option to enforce client certificates when connecting to the database. That means the client has to present a valid client certificate when connecting, otherwise the connection is denied.
The change requires changes on vela-controller and vela-studio. The user must have the option to provide a CA certificate to verify the client certificate. The CA certificate needs to be stored in the branch settings and needs to be updatable (which also forces a PGBouncer reload after updating the CA certificate).
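To make the three states concrete (non-encrypted bootstrap, encryption enforced as in #258, and client certificates enforced against a user-supplied CA as in this issue), here is an added shell example that renders the corresponding PgBouncer TLS settings, validates a CA bundle before it is put into service, and performs the reload the description calls for. It is illustrative code written for this page, not code from vela-controller or vela-studio; the file paths, the admin console on port 6432, and the idea of keeping the TLS lines in a separate fragment pulled in with PgBouncer's `%include` directive are assumptions. The option names (`client_tls_sslmode`, `client_tls_ca_file`, `client_tls_cert_file`, `client_tls_key_file`) are PgBouncer's own.

```shell
#!/bin/sh
# Added example for this issue (not vela-controller code). Renders the PgBouncer
# client-side TLS settings for the three states described above and applies them
# with a validated CA bundle and a RELOAD. Paths and port are assumptions.
set -eu

# render_client_tls MODE CERT KEY [CA]
#   plain   -> bootstrap state, database reachable without TLS
#   require -> encrypted connections only (#258); no client certificate needed
#   cert    -> encrypted AND the client must present a certificate that chains
#              to CA (this issue); PgBouncer rejects connections without one
render_client_tls() {
    mode=$1; cert=$2; key=$3; ca=${4:-}
    case "$mode" in
        plain)
            echo "client_tls_sslmode = disable"
            ;;
        require)
            echo "client_tls_sslmode = require"
            echo "client_tls_cert_file = $cert"
            echo "client_tls_key_file = $key"
            ;;
        cert)
            # verify-full cannot work without a CA; refuse instead of emitting a
            # config that PgBouncer would reject at reload time.
            [ -n "$ca" ] || { echo "cert mode needs a CA file" >&2; return 2; }
            echo "client_tls_sslmode = verify-full"
            echo "client_tls_cert_file = $cert"
            echo "client_tls_key_file = $key"
            echo "client_tls_ca_file = $ca"
            ;;
        *)
            echo "unknown mode: $mode" >&2
            return 2
            ;;
    esac
}

# validate_ca_bundle FILE
# Structural check run before a user-updated CA is handed to PgBouncer: the file
# must be non-empty and hold at least one complete PEM certificate block. A
# truncated or empty bundle would lock every client out after RELOAD.
validate_ca_bundle() {
    ca=$1
    [ -s "$ca" ] || return 1
    begins=$(grep -c -- '-----BEGIN CERTIFICATE-----' "$ca" || true)
    ends=$(grep -c -- '-----END CERTIFICATE-----' "$ca" || true)
    [ "$begins" -gt 0 ] || return 1
    [ "$begins" -eq "$ends" ] || return 1
    return 0
}

# apply_and_reload TARGET MODE CERT KEY [CA]
# Writes the rendered fragment to a temp file next to TARGET, renames it into
# place (atomic on the same filesystem) and then reloads PgBouncer. The reload
# command can be overridden through PGBOUNCER_RELOAD_CMD (assumed env var);
# the default talks to the admin console, an assumed port 6432 / user pgbouncer.
apply_and_reload() {
    target=$1; mode=$2; cert=$3; key=$4; ca=${5:-}
    if [ -n "$ca" ]; then
        validate_ca_bundle "$ca" || {
            echo "refusing reload: invalid CA bundle $ca" >&2
            return 1
        }
    fi
    tmp="$target.tmp.$$"
    render_client_tls "$mode" "$cert" "$key" "$ca" > "$tmp"
    mv -f "$tmp" "$target"
    reload_cmd=${PGBOUNCER_RELOAD_CMD:-"psql -h 127.0.0.1 -p 6432 -U pgbouncer pgbouncer -c RELOAD"}
    # word-splitting of $reload_cmd is intentional: it is a command line
    $reload_cmd
}

# Example wiring (assumed layout): the fragment lives in /etc/pgbouncer/tls.ini
# and pgbouncer.ini carries "%include /etc/pgbouncer/tls.ini" in [pgbouncer].
if [ "${1:-}" = "demo" ]; then
    apply_and_reload /etc/pgbouncer/tls.ini cert \
        /etc/pgbouncer/server.crt /etc/pgbouncer/server.key \
        /etc/pgbouncer/client-ca.pem
fi
```

The point of `validate_ca_bundle` running before the rename is the reload ordering the description implies: a CA update is only worth a PgBouncer reload if the new bundle is usable, otherwise the reload itself becomes the outage. In `cert` mode PgBouncer requires the client certificate to chain to `client_tls_ca_file`; a client without a certificate is refused at the TLS handshake, which is exactly the enforcement this issue asks for.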