diff --git a/components/nautobot/cloudnative-postgres-nautobot.yaml b/components/nautobot/cloudnative-postgres-nautobot.yaml index 76cc96963..dd4971c4c 100644 --- a/components/nautobot/cloudnative-postgres-nautobot.yaml +++ b/components/nautobot/cloudnative-postgres-nautobot.yaml @@ -7,7 +7,7 @@ metadata: # do not allow ArgoCD to delete our DB argocd.argoproj.io/sync-options: Delete=false spec: - imageName: ghcr.io/cloudnative-pg/postgresql:15.5 + imageName: ghcr.io/cloudnative-pg/postgresql:17.9-system-bullseye instances: 3 storage: size: 20Gi diff --git a/docs/deploy-guide/components/nautobot-worker.md b/docs/deploy-guide/components/nautobot-worker.md index 207bbe07c..f65bf4130 100644 --- a/docs/deploy-guide/components/nautobot-worker.md +++ b/docs/deploy-guide/components/nautobot-worker.md @@ -442,6 +442,7 @@ operator guide. | Variable | Where Set | Purpose | |---|---|---| | `NAUTOBOT_DB_SSLMODE` | Both global and site values | Controls PostgreSQL SSL mode. Set to `verify-ca` for mTLS on all pods. | +| `NAUTOBOT_DB_SSLNEGOTIATION` | Optional in global and site values | If set to `direct`, starts the TLS handshake immediately after TCP connect. Requires PostgreSQL/libpq 17+ and `NAUTOBOT_DB_SSLMODE=require` or stronger. | | `NAUTOBOT_DB_SSLCERT` | Optional override | Path to client cert for PG (default: `/etc/nautobot/mtls/tls.crt`) | | `NAUTOBOT_DB_SSLKEY` | Optional override | Path to client key for PG (default: `/etc/nautobot/mtls/tls.key`) | | `NAUTOBOT_DB_SSLROOTCERT` | Optional override | Path to CA cert for PG (default: `/etc/nautobot/mtls/ca.crt`) | diff --git a/docs/operator-guide/nautobot.md b/docs/operator-guide/nautobot.md index a70ccc077..61d6a131e 100644 --- a/docs/operator-guide/nautobot.md +++ b/docs/operator-guide/nautobot.md 
@@ -110,6 +110,10 @@ All pods (global and site) must set `NAUTOBOT_DB_SSLMODE=verify-ca` in their `extraEnvVars` and have the mTLS client cert volume mounted at `/etc/nautobot/mtls/`. +`NAUTOBOT_DB_SSLNEGOTIATION` is optional. If set to `direct`, the shared +config passes `sslnegotiation=direct` to libpq. This requires +PostgreSQL/libpq 17+ and `NAUTOBOT_DB_SSLMODE=require` or stronger. + ### Verifying the Certificate Chain To confirm the CNPG cluster is using the correct CA for client cert
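Review bot: the `imageName` change in `components/nautobot/cloudnative-postgres-nautobot.yaml` (`15.5` to `17.9-system-bullseye`) is a two-major-version jump, not a minor rolling update, and nothing in the patch documents the upgrade path for the three existing instances or for the 20Gi data volumes. A PostgreSQL major upgrade needs a data-directory migration (pg_upgrade, dump/restore, or logical replication), so please either split the bump into its own change with the procedure and rollback steps written down, or reference where that procedure lives; the `argocd.argoproj.io/sync-options: Delete=false` annotation protects the cluster object but does not protect against a failed in-place upgrade. Also confirm the new tag actually exists in `ghcr.io/cloudnative-pg/postgresql` before merging, and consider pinning it by digest alongside the tag so the deployed server image is reproducible.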
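Review bot: the new `NAUTOBOT_DB_SSLNEGOTIATION` row in `docs/deploy-guide/components/nautobot-worker.md` says "Requires PostgreSQL/libpq 17+" without saying which side; direct TLS negotiation needs both a 17+ server (the image bump in the first hunk) and a 17+ libpq inside the Nautobot image that the worker pods run, so the row should name both, e.g. "Requires a PostgreSQL 17+ server and libpq 17+ in the Nautobot image". The "`NAUTOBOT_DB_SSLMODE=require` or stronger" clause is already satisfied by the row above it, which mandates `verify-ca` on all pods; saying so explicitly avoids readers reading `require` as a hint that a weaker mode is acceptable here. The row also leaves open what the shared config does when the variable is set to a value other than `direct` (ignored, passed through, or rejected), which is worth one clause.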
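Review bot: the added paragraph in `docs/operator-guide/nautobot.md` should state the operational effect of `sslnegotiation=direct` for operators, not only the version requirement: with direct negotiation the client opens TLS immediately after TCP connect instead of sending the PostgreSQL SSLRequest first, so any firewall rule, IDS signature or proxy that recognises PostgreSQL traffic by that plaintext startup exchange will see an opaque TLS stream on port 5432 and may need updating, and a connection attempt against a pre-17 server will not negotiate the way it did before. Please add a sentence on what failure looks like (and how to revert by unsetting the variable) and, since it duplicates the deploy-guide table wording, keep the two in sync or have one link to the other.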