
Check TLS communication to the cluster

You can check TLS communication using psql, the standard interactive terminal-based frontend to PostgreSQL.

For this purpose, we will create a pg-client Deployment that includes the necessary tools. It uses the existing Secret object with the TLS certificates generated by the Operator.

Follow these steps:

  1. Export the namespace as the environment variable to simplify further configuration:

    export NAMESPACE=<postgres-operator>
    
  2. List the Secret objects:

    kubectl get secrets -n $NAMESPACE
    
    Expected output
    cluster1-cluster-ca-cert        Opaque   2      37m
    cluster1-cluster-cert           Opaque   3      37m
    cluster1-instance1-5nlp-certs   Opaque   6      37m
    cluster1-instance1-8rks-certs   Opaque   6      37m
    cluster1-instance1-z5tz-certs   Opaque   6      37m
    cluster1-pgbackrest             Opaque   5      37m
    cluster1-pgbouncer              Opaque   6      37m
    cluster1-pguser-cluster1        Opaque   12     37m
    cluster1-replication-cert       Opaque   3      37m
    

    The secret with TLS certificates is <cluster-name>-cluster-ca-cert (cluster1-cluster-ca-cert by default).

  3. Create a deployment. Replace the placeholders in the following command with your values:

    • Replace the <cluster-name> placeholder with your actual cluster name
    • Specify the Secret object with the TLS certificate from step 2
    • Specify the CA certificate file for the volumeMounts.name and volumes.name options. This file is used to mount the root CA certificate into the container so that client tools like psql can verify the server’s certificate. To view the file name, run the kubectl get secret <cluster-name>-cluster-ca-cert -o yaml -n $NAMESPACE command.

    cat <<EOF | kubectl apply -n $NAMESPACE -f -
    apiVersion: apps/v1
    kind: Deployment
    metadata:
      name: pg-client
    spec:
      replicas: 1
      selector:
        matchLabels:
          name: pg-client
      template:
        metadata:
          labels:
            name: pg-client
        spec:
          containers:
            - name: pg-client
              image: percona/percona-distribution-postgresql:17.9-1
              imagePullPolicy: Always
              command:
              - sleep
              args:
              - "100500"
              volumeMounts:
                - name: root
                  mountPath: "/tmp/tls"
          volumes:
          - name: root
            secret:
              secretName: <cluster-name>-cluster-ca-cert
              items:
              - key: root.crt
                path: root.crt
                mode: 0777
    EOF
    
  4. Retrieve the pgBouncer URI to connect to PostgreSQL. It is stored in the Secret object with user credentials: <cluster-name>-pguser-<db-name>. The default value is cluster1-pguser-cluster1. Run the following command and replace the cluster1-pguser-cluster1 Secret name with your value:

    kubectl get secret cluster1-pguser-cluster1 -o jsonpath='{.data.pgbouncer-uri}' -n $NAMESPACE | base64 --decode
    
    Sample output
    postgresql://cluster1:@cluster1-pgbouncer.default.svc:5432/cluster1
    

  5. Now get shell access to the newly created container:

    kubectl exec -it deployment/pg-client -- bash -il
    
    Expected output
    [postgres@pg-client-54b449898f-ztlrh /]$
    
  6. Launch the psql interactive terminal to check connectivity over the encrypted channel. Use your cluster name, the pgBouncer URI you retrieved in the previous step, and the CA certificate you mounted when you created the pg-client Deployment:

    PGSSLMODE=verify-ca PGSSLROOTCERT=/tmp/tls/root.crt psql 'postgresql://cluster1:<password>@cluster1-pgbouncer.default.svc:5432/cluster1'
    

    Now you should see the PostgreSQL interactive terminal prompt:

    psql (17.9-1)
    Type "help" for help.
    cluster1=>
    
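The prompt only proves that a connection was made; to confirm that the session is actually encrypted, the following added shell example (not part of the Percona documentation) connects exactly as in step 6, runs psql's `\conninfo`, and checks for the `SSL connection (protocol: ...)` line that psql prints only over TLS. It assumes the pg-client pod, `/tmp/tls/root.crt` and the pgBouncer URI from the steps above; `with_password`, `tls_status` and `check_tls` are helper names introduced here.

```shell
#!/bin/sh
# Added example, not part of the Percona documentation. Confirms that the psql
# session to pgBouncer really is TLS-protected by checking the "SSL connection"
# line of psql's \conninfo output, instead of trusting the prompt alone.
# Assumes the pg-client pod, /tmp/tls/root.crt and the pgBouncer URI from the
# steps above. This checks the psql-to-pgBouncer leg only; the
# pgBouncer-to-PostgreSQL leg is a separate TLS session.
set -eu

# Insert the password into the Secret's pgBouncer URI, which has an empty
# password field (postgresql://user:@host:port/db). Assumes the password has no
# characters that need percent-encoding in a URI (such as @ : / ? # %).
with_password() {
  uri=$1; password=$2
  case "$uri" in
    *:@*) printf '%s\n' "${uri%%:@*}:${password}@${uri#*:@}" ;;
    *)    echo "URI has no empty password field: $uri" >&2; return 1 ;;
  esac
}

# Classify \conninfo output. psql 17 prints
# "SSL connection (protocol: TLSv1.3, cipher: ..., compression: off)" when the
# connection is encrypted and omits that line entirely when it is not.
tls_status() {
  case "$1" in
    *"SSL connection (protocol: TLSv1.3"*|*"SSL connection (protocol: TLSv1.2"*)
      echo encrypted ;;
    *"SSL connection (protocol:"*)
      echo weak-protocol ;;   # TLS 1.1 or older was negotiated: treat as a finding
    *)
      echo plaintext ;;
  esac
}

# Connect as in step 6 (verify-ca: the chain is checked against root.crt, the host
# name is not; verify-full would also check the host name) and classify the result.
# If the chain does not verify, psql fails and "set -e" aborts the script.
check_tls() {
  out=$(PGSSLMODE=verify-ca PGSSLROOTCERT=/tmp/tls/root.crt psql -X "$1" -c '\conninfo')
  tls_status "$out"
}

# Constructed sample of \conninfo output, used to exercise the classifier offline.
SAMPLE_CONNINFO='You are connected to database "cluster1" as user "cluster1" on host "cluster1-pgbouncer.default.svc" at port "5432".
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)'

# Inside the pg-client pod: sh check-tls.sh <pgbouncer-uri> <password>
if [ "$#" -eq 2 ]; then
  check_tls "$(with_password "$1" "$2")"
else
  tls_status "$SAMPLE_CONNINFO"   # prints: encrypted
fi
```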

Last update: March 26, 2026
Created: March 26, 2026