Enable mTLS for PG sources #4468

Open. pfcoperez wants to merge 6 commits into main from DBI-793/connectors/prostgres/tls/mutual-authentication

pfcoperez (Member) commented Jun 22, 2026

This Pull Request allows users to add client authentication (PeerDB acting as the client here) through mTLS by expanding the PG configuration contract to optionally include the client private certificate and its key.

It also includes PeerDB UI changes.

Part of: https://linear.app/clickhouse/issue/DBI-793

pfcoperez self-assigned this Jun 22, 2026
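
An added Go example (not code from this pull request or from PeerDB) of the contract the description above outlines: an optional client certificate and key turned into a `tls.Config`, with a half-filled or mismatched pair rejected before any connection is attempted. The names `clientTLS` and `selfSigned`, the host name, and the generated self-signed certificate are assumptions constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// clientTLS (hypothetical helper): empty cert and key means server-only TLS; one without the other is an error.
func clientTLS(serverName, certPEM, keyPEM string) (*tls.Config, error) {
	cfg := &tls.Config{ServerName: serverName, MinVersion: tls.VersionTLS12}
	if certPEM == "" && keyPEM == "" {
		return cfg, nil
	}
	if certPEM == "" || keyPEM == "" {
		return nil, fmt.Errorf("client certificate and private key must be set together")
	}
	// X509KeyPair parses both PEM blocks and rejects a key that does not match the certificate.
	pair, err := tls.X509KeyPair([]byte(certPEM), []byte(keyPEM))
	if err != nil {
		return nil, fmt.Errorf("invalid client key pair: %w", err)
	}
	cfg.Certificates = []tls.Certificate{pair}
	return cfg, nil
}

// selfSigned returns a throwaway certificate and key as PEM (constructed sample input).
func selfSigned(cn string) (certPEM, keyPEM string) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
	}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	keyDER, _ := x509.MarshalPKCS8PrivateKey(priv)
	return string(pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})),
		string(pem.EncodeToMemory(&pem.Block{Type: "PRIVATE KEY", Bytes: keyDER}))
}

func main() {
	cert, key := selfSigned("peerdb-client")
	cfg, err := clientTLS("pg.example.internal", cert, key)
	fmt.Println(len(cfg.Certificates), err)
}
```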
@github-actions (Contributor)

🔄 Flaky Test Detected

Analysis: The flow/e2e package hit its exact 1200s global test timeout on a single unrelated MySQL matrix shard with no panic, data race, assertion failure, or TLS error — the classic signature of a flaky e2e timeout rather than a regression from this mTLS-for-Postgres PR.
Confidence: 0.78

✅ Automatically retrying the workflow

codecov Bot commented Jun 22, 2026

⚠️ JUnit XML file not found

The CLI was unable to find any JUnit XML files to upload.
For more help, visit our troubleshooting guide.

@github-actions (Contributor)

🔄 Flaky Test Detected

Analysis: The maria/8.0 job failed at the Docker setup step with a transient Docker Hub registry network error pulling the MariaDB image (exit code 125) before any test ran, indicating infrastructure flakiness rather than a code bug.
Confidence: 0.97

✅ Automatically retrying the workflow

pfcoperez force-pushed the DBI-793/connectors/prostgres/tls/mutual-authentication branch from 10279e4 to 50d32ed, June 26, 2026 10:56
pfcoperez marked this pull request as ready for review June 26, 2026 10:58
pfcoperez requested a review from a team as a code owner June 26, 2026 10:58

@github-actions (Contributor)

❌ Test Failure

Analysis: All matrix jobs fail deterministically with a shell "syntax error: unexpected end of file" in the CI catalog-setup step before any test runs, indicating a real malformed-workflow-script bug, not flakiness.
Confidence: 0.97

⚠️ This appears to be a real bug - manual intervention needed

@github-actions (Contributor)

❌ Test Failure

Analysis: The CI setup step "create postgres extensions...setup catalog database" fails deterministically with a shell "syntax error: unexpected end of file" — caused by an inline # comment the mTLS PR added inside a &&-chained command — so tests never ran; this is a real bug in the PR's setup script, not a flaky test.
Confidence: 0.97

⚠️ This appears to be a real bug - manual intervention needed

@github-actions (Contributor)

❌ Test Failure

Analysis: A deterministic bash syntax error ("unexpected end of file") in the CI setup step fails identically across all matrix jobs before any test runs, indicating a real malformed-workflow bug rather than a flaky test.
Confidence: 0.97

⚠️ This appears to be a real bug - manual intervention needed

claude Bot commented Jun 26, 2026

Code review

No issues found. Checked for bugs and CLAUDE.md compliance.

pfcoperez force-pushed the DBI-793/connectors/prostgres/tls/mutual-authentication branch from 50d32ed to ddb4782, June 26, 2026 11:09
pfcoperez force-pushed the DBI-793/connectors/prostgres/tls/mutual-authentication branch from ddb4782 to e2fcbe1, June 30, 2026 10:05

t.Parallel()

if _, ok := internal.GetMutualTLSPostgresConfigFromEnv(); !ok {
t.Skip("mutual-TLS Postgres fixtures not configured; " +

Review comment (Contributor):

This would silently skip if something becomes unset. If it's possible to test locally, can just require them; if not, can follow the `FLOW_TESTS_RDS_IAM_AUTH_SKIP=true` pattern.

Comment thread protos/peers.proto

message ClientTlsConfig {
string certificate = 1 [(peerdb_redacted) = true];
string private_key = 2 [(peerdb_redacted) = true];
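
Review bot: `certificate` and `private_key` in `ClientTlsConfig` are bare `string` fields with no comment saying what form the value takes (PEM text, base64, or something else), so API callers and the UI have nothing to agree on; a one-line comment on each field stating the expected encoding would settle it. Separately, `certificate` carries `(peerdb_redacted) = true` although a client certificate is not secret material the way `private_key` is; if redacting it is deliberate, for instance so the pair is always masked together, a comment here saying so would save the next reader the question.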

Review comment (Contributor):

Add to `APITestSuite.TestSchemaEndpoints`? At least as a test that nested redacted fields are respected.
