pgdogdev · levkk · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026 · Apr 21, 2026
diff --git a/Chart.yaml b/Chart.yaml
@@ -1,4 +1,4 @@
 apiVersion: v1
 name: pgdog
-version: v0.51
+version: v0.52
 appVersion: "0.1.37"
diff --git a/files/rds-global-bundle-gov.pem b/files/rds-global-bundle-gov.pem
diff --git a/files/rds-global-bundle.pem b/files/rds-global-bundle.pem
diff --git a/templates/config.yaml b/templates/config.yaml
@@ -32,15 +32,22 @@ data:
         {{- if .Values.readWriteSplit }}
         read_write_split          =   {{ .Values.readWriteSplit | quote }}
         {{- end }}
+        {{- if .Values.tlsGenerateSelfSignedCert }}
+        tls_certificate           =   "/etc/pgdog-tls/tls.crt"
+        tls_private_key           =   "/etc/pgdog-tls/tls.key"
+        {{- else }}
         {{- if .Values.tlsCertificate }}
         tls_certificate           =   {{ .Values.tlsCertificate | quote }}
         {{- end }}
         {{- if .Values.tlsPrivateKey }}
         tls_private_key           =   {{ .Values.tlsPrivateKey | quote }}
         {{- end }}
+        {{- end }}
         tls_client_required       =   {{ .Values.tlsClientRequired | default "false" }}
         tls_verify                =   {{ .Values.tlsVerify | default "prefer" | quote }}
-        {{- if .Values.tlsServerCaCertificate }}
+        {{- if and .Values.rdsCertificateBundle .Values.rdsCertificateBundle.enabled }}
+        tls_server_ca_certificate =   "/etc/pgdog-rds-ca/rds-ca-bundle.pem"
+        {{- else if .Values.tlsServerCaCertificate }}
         tls_server_ca_certificate =   {{ .Values.tlsServerCaCertificate | quote }}
         {{- end}}
         shutdown_timeout          =   {{ include "pgdog.intval" (.Values.shutdownTimeout | default "60_000") }}

diff --git a/templates/deployment.yaml b/templates/deployment.yaml
@@ -118,6 +118,16 @@ spec:
               mountPath: /etc/pgdog
             - name: users
               mountPath: /etc/secrets/pgdog
+            {{- if .Values.tlsGenerateSelfSignedCert }}
+            - name: tls
+              mountPath: /etc/pgdog-tls
+              readOnly: true
+            {{- end }}
+            {{- if and .Values.rdsCertificateBundle .Values.rdsCertificateBundle.enabled }}
+            - name: rds-ca
+              mountPath: /etc/pgdog-rds-ca
+              readOnly: true
+            {{- end }}
             {{- with .Values.extraVolumeMounts }}
             {{- toYaml . | nindent 12 }}
             {{- end }}
@@ -178,6 +188,16 @@ spec:
         - name: prom
           configMap:
             name: {{ include "pgdog.fullname" . }}-prom
+        {{- if .Values.tlsGenerateSelfSignedCert }}
+        - name: tls
+          secret:
+            secretName: {{ include "pgdog.fullname" . }}-tls
+        {{- end }}
+        {{- if and .Values.rdsCertificateBundle .Values.rdsCertificateBundle.enabled }}
+        - name: rds-ca
+          configMap:
+            name: {{ include "pgdog.fullname" . }}-rds-ca
+        {{- end }}
         {{- with .Values.extraVolumes }}
         {{- toYaml . | nindent 8 }}
         {{- end }}

diff --git a/templates/rds-ca-config.yaml b/templates/rds-ca-config.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.rdsCertificateBundle.enabled }}
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "pgdog.fullname" . }}-rds-ca
+  labels:
+    {{- include "pgdog.labels" . | nindent 4 }}
+data:
+  {{- if eq (.Values.rdsCertificateBundle.type | default "global") "govcloud" }}
+  rds-ca-bundle.pem: |
+{{ .Files.Get "files/rds-global-bundle-gov.pem" | indent 4 }}
+  {{- else }}
+  rds-ca-bundle.pem: |
+{{ .Files.Get "files/rds-global-bundle.pem" | indent 4 }}
+  {{- end }}
+{{- end }}
diff --git a/templates/tls-secret.yaml b/templates/tls-secret.yaml
@@ -0,0 +1,16 @@
+{{- if .Values.tlsGenerateSelfSignedCert }}
+{{- $fullname := include "pgdog.fullname" . }}
+{{- $cert := genSelfSignedCert $fullname nil (list "localhost" $fullname (printf "%s.%s.svc.cluster.local" $fullname .Release.Namespace)) 3650 }}
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ $fullname }}-tls
+  labels:
+    {{- include "pgdog.labels" . | nindent 4 }}
+type: kubernetes.io/tls
+stringData:
+  tls.crt: |
+{{ $cert.Cert | indent 4 }}
+  tls.key: |
+{{ $cert.Key | indent 4 }}
+{{- end }}
diff --git a/test/values-rds-tls.yaml b/test/values-rds-tls.yaml
@@ -0,0 +1,4 @@
+# Test RDS certificate bundle configuration
+rdsCertificateBundle:
+  enabled: true
+  type: global
diff --git a/test/values-tls-generate.yaml b/test/values-tls-generate.yaml
@@ -0,0 +1,2 @@
+# Test auto-generated self-signed TLS certificate
+tlsGenerateSelfSignedCert: true
diff --git a/values.yaml b/values.yaml
@@ -520,6 +520,23 @@ control:
 # lsnCheckDelay: 0        # Set to 0 to start LSN monitoring immediately
 # lsnCheckInterval: 1000  # How frequently to re-fetch replication status
 
+# tlsGenerateSelfSignedCert generates a self-signed TLS certificate and private
+# key on chart installation and stores them as a Kubernetes Secret.
+# When enabled, tls_certificate and tls_private_key are automatically configured
+# in pgdog.toml, so you don't need to set tlsCertificate/tlsPrivateKey manually.
+# Note: certificates are regenerated on every helm upgrade.
+# tlsGenerateSelfSignedCert: false
+
+# rdsCertificateBundle includes the AWS RDS CA certificate bundle so pgdog can
+# verify TLS connections to RDS/Aurora instances. When enabled,
+# tls_server_ca_certificate is automatically configured in pgdog.toml.
+# See: https://docs.aws.amazon.com/AmazonRDS/latest/UserGuide/UsingWithRDS.SSL.html
+rdsCertificateBundle:
+  # enabled controls whether to mount the RDS CA bundle
+  enabled: false
+  # type selects which bundle to use: "global" (all commercial regions) or "govcloud"
+  type: global
+
 # TCP keep-alive configuration (optional)
 # These settings control socket-level keep-alive behavior.
 # All time values are in milliseconds.
Original file line number	Diff line number	Diff line change
		@@ -0,0 +1,2 @@
		# Test auto-generated self-signed TLS certificate
		tlsGenerateSelfSignedCert: true