feat(security): authenticate operator calls to the instance manager with mutual TLS#10579

Draft
leonardoce wants to merge 1 commit into cloudnative-pg:main from leonardoce:mtls

Conversation

@leonardoce
Contributor

The instance manager's remote webserver previously had no caller authentication, meaning any process with access to the pod network could access the endpoints.

The operator now generates an in-memory ECDSA P-256 client certificate on startup and reconciles its SHA-256 public key fingerprint into the cluster status. The instance manager reads the expected fingerprint from its cached cluster object and rejects requests to sensitive endpoints that do not present a matching certificate.

@github-actions
Contributor

Warning

Linked issue missing.

Reference one in the PR body using a keyword (Closes / Fixes / Resolves / Refs / See) followed by #<issue_id> or owner/repo#<issue_id>.

Alternatively, apply the no-issue label to skip this check.

@cnpg-bot cnpg-bot added backport-requested ◀️ This pull request should be backported to all supported releases release-1.25 release-1.28 release-1.29 labels Apr 30, 2026
@github-actions
Contributor

❗ By default, the pull request is configured to backport to all release branches.

  • To stop backporting this pr, remove the label: backport-requested ◀️ or add the label 'do not backport'
  • To stop backporting this pr to a certain release branch, remove the specific branch label: release-x.y

@leonardoce leonardoce added do not backport This PR must not be backported - it will be in the next minor release and removed backport-requested ◀️ This pull request should be backported to all supported releases release-1.25 release-1.28 release-1.29 labels Apr 30, 2026
@leonardoce leonardoce force-pushed the mtls branch 3 times, most recently from c160480 to fb3b6ce Compare April 30, 2026 10:42
…ith mutual TLS

The instance manager's remote webserver previously had no caller authentication,
meaning any process with access to the pod network could trigger backups, instance
manager upgrades, or WAL archival operations.

The operator now generates an in-memory ECDSA P-256 client certificate on startup
and reconciles its SHA-256 public key fingerprint into the cluster status. The
instance manager reads the expected fingerprint from its cached cluster object and
rejects requests to sensitive endpoints that do not present a matching certificate.

Signed-off-by: Leonardo Cecchi <leonardo.cecchi@enterprisedb.com>
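The mechanism the PR description and commit message outline, as an added illustration in Go (not the project's own code): the operator side generates a self-signed, in-memory ECDSA P-256 client certificate and derives its SHA-256 public-key fingerprint, and the instance-manager side checks the certificate presented on a sensitive endpoint against the fingerprint cached from the cluster status. Assumptions: the fingerprint is taken over the DER SubjectPublicKeyInfo, and the webserver's TLS config requests client certificates so that `r.TLS.PeerCertificates` is populated; function names are hypothetical.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"crypto/x509"
	"encoding/hex"
	"errors"
	"math/big"
	"time"
)

// NewOperatorClientCert builds a self-signed, in-memory ECDSA P-256 client certificate (no CA, never written to disk).
func NewOperatorClientCert() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// PublicKeyFingerprint is the hex SHA-256 of the DER SubjectPublicKeyInfo (assumed encoding); this is what the operator would reconcile into cluster status.
func PublicKeyFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// VerifyCaller is the instance-manager check for a sensitive endpoint: peers is r.TLS.PeerCertificates,
// expected is the fingerprint cached from the cluster object. It fails closed if either is missing.
func VerifyCaller(peers []*x509.Certificate, expected string) error {
	if expected == "" || len(peers) == 0 {
		return errors.New("missing expected fingerprint or client certificate")
	}
	if subtle.ConstantTimeCompare([]byte(PublicKeyFingerprint(peers[0])), []byte(expected)) != 1 {
		return errors.New("client certificate does not match operator fingerprint")
	}
	return nil
}
```

Because the check is a pinned fingerprint rather than a CA chain, a certificate from any other key, self-signed or not, is rejected, and so is any request that arrives before the status carries a fingerprint.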