Trusted Postgres Architect 23.40.0 release notes

Released: 2 October 2025

New features, enhancements, bug fixes, and other changes in Trusted Postgres Architect 23.40.0 include the following:

Enhancements

Description | Addresses
Added support for upgrading EDB Postgres Distributed (PGD) v5 clusters to v6.

TPA now provides a workflow for upgrading an existing PGD-Always-ON cluster to a PGD-X cluster. Due to the significant differences between these architectures, this is a multi-step process whereby you must first upgrade to PGD 5.9, then enable connection manager, then finally upgrade to PGD 6. This process will be further automated in a future TPA release. Please refer to the TPA docs for full details.

Extended support for configuring PGD-S clusters.

TPA now supports a full set of dedicated options for configuring a PGD-S cluster. The --layout option can be set to standard for a one-location layout or near-far for a two-location layout. The --add-subscriber-only-nodes option adds up to 10 subscriber-only nodes. The --read-write-port, --read-only-port, --http-port, and --use-https options control Connection Manager's ports and HTTP API.

Introduced a pgd-proxy-config hook.

Introduced a hook that runs tasks from pgd-proxy-config.yml at the end of PGD Proxy configuration, after the core directories and files are set up but before the PGD Proxy service starts. Developers of the hook must ensure that its tasks are idempotent. The hook is useful for post-configuration tasks, e.g. making adjustments to the PGD Proxy configuration that the TPA interface doesn't support, and applying other cluster-specific settings.

Addresses: 49911
Added three release.vip.* properties for EFM 5.1 and above.

Starting with EFM 5.1, there are three new properties that control the timing of when the VIP is released by the primary agent (if a VIP is used). This allows the user to avoid having the VIP released at the same time new database connections are being made, which can lead to connection failures and a failure of switchover in some environments. The new properties are release.vip.background, release.vip.pre.wait, and release.vip.post.wait.

TPA now allows the RSA key size to be set for certificates.

Added a variable called postgres_rsa_key_size (default value 2048) that sets the RSA key size for the self-signed TLS keys and certificates later used on Docker clusters.

Added a variable called pem_rsa_key_size (default value 4096) that sets the RSA key size for the self-signed TLS key and certificate later used on the PEM Server.

Added a variable called pem_db_ca_certificate_key_size (default value 4096) that sets the RSA key size of the database CA used on the PEM Server.

Added a variable called ha_proxy_dhparams_key_size (default value 2048) that sets the RSA key size used for ssl-dh-param-file within haproxy.

Added a variable called openvpn_rsa_key_size (default value 4096) that sets the RSA key size for the self-signed TLS key and certificate later used on OpenVPN.

Added a variable called openvpn_dhparams_numbits_size (default value 2048) that sets the number of DH numbits in dh2048.pem.

Documented how TPA generates Postgres server TLS certificates and keys and how to override this.

Previously, the TPA docs mentioned that TPA generates default certs but not their names or paths. This change adds that information and also explains how to replace these files with your own. We now document the previously undocumented ssl_* cluster vars for this purpose. The new content is placed in postgresql.conf.md and linked from the original location postgres_user.md.

Addresses: 52049

Changes

Description | Addresses
TPA now supports EPAS clusters with repmgr as failover manager.

Until now, this combination wasn't supported by EDB. This support starts with EPAS 14 and is currently available up to EPAS 17.

Bug Fixes

Description | Addresses
Fixed an issue whereby backup wasn't configured in PGD 6 clusters.

Previously, when creating a new configuration for PGD 6, the barman node created wasn't used by any node. This change ensures that when running "tpaexec configure" for PGD 6-based architectures, each barman node configured is used by a BDR node in the same location.

Fixed support for the update_hosts variable on PGD-Always-ON.

TPA now honors the update_hosts option for minor Postgres and minor PGD5 upgrades when using the PGD-Always-ON architecture. When you specify the update_hosts option in the tpaexec upgrade command, TPA upgrades only this subset of nodes and leaves the remaining nodes on the currently installed versions. This allows for a more controlled upgrade that can be split into multiple runs in order to better control and test the cluster along the upgrade process. When using this feature, keep in mind best practices such as updating write leaders last and testing in a dev/staging environment first.

Addresses: 52558, 45181
HAProxy health checks now correctly use HTTPS for SSL-enabled Patroni clusters.

Fixed a bug whereby HAProxy was incorrectly configured to use HTTP for health checks against Patroni nodes, even when the Patroni REST API was secured with SSL (patroni_ssl_enabled: true). This misconfiguration caused health checks to fail, leading HAProxy to mark healthy Patroni nodes as down. The HAProxy configuration logic has been updated to use check-ssl verify none when patroni_ssl_enabled is true, ensuring that health checks are correctly performed over HTTPS.
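
To check an existing haproxy.cfg for the mismatch described above, the following sketch classifies each server line's health check. It is an added example, not TPA code; the sample configuration, node names, addresses, ports and CA path are constructed, and global or default-server settings are not considered.

```python
# Constructed haproxy.cfg fragment (sample data, not generated by TPA):
# node1 has the pre-fix check, node2 the 23.40.0 check, node3 a CA-verified check.
SAMPLE_CFG = """\
backend patroni_rw
    option httpchk GET /primary
    server node1 10.0.0.11:5432 check port 8008
    server node2 10.0.0.12:5432 check port 8008 check-ssl verify none
    server node3 10.0.0.13:5432 check port 8008 check-ssl verify required ca-file /etc/haproxy/patroni-ca.pem
"""


def classify_server(line):
    """Return (name, mode) describing how HAProxy health-checks one server."""
    tokens = line.split()
    name, opts = tokens[1], tokens[3:]
    if "check" not in opts:
        return name, "no-check"
    if "check-ssl" not in opts:
        return name, "http"
    # Without an explicit 'verify none' on the line, treat the check as verified
    # (a global ssl-server-verify override is outside this sketch).
    verify = "required"
    if "verify" in opts and opts.index("verify") + 1 < len(opts):
        verify = opts[opts.index("verify") + 1]
    return name, "https-unverified" if verify == "none" else "https-verified"


def audit_health_checks(cfg_text, patroni_ssl_enabled):
    """List (server, finding) pairs for checks that mismatch the Patroni API."""
    findings = []
    for raw in cfg_text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and indentation
        if not line.startswith("server "):
            continue
        name, mode = classify_server(line)
        if patroni_ssl_enabled and mode == "http":
            findings.append((name, "plain HTTP check against HTTPS API: node will be marked down"))
        elif not patroni_ssl_enabled and mode.startswith("https"):
            findings.append((name, "TLS check against plain HTTP API: check will fail"))
        elif mode == "https-unverified":
            findings.append((name, "TLS check does not authenticate the node certificate"))
    return findings


if __name__ == "__main__":
    for name, finding in audit_health_checks(SAMPLE_CFG, patroni_ssl_enabled=True):
        print(f"{name}: {finding}")
```

With verify none the health check is encrypted but the Patroni node's certificate is not validated, so the check confirms reachability rather than node identity.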

Fixed an issue with pgaudit extension when used with edbpge Postgres.

Previously, adding pgaudit to the list of Postgres extensions with the edbpge Postgres flavour would fail because the dictionary for handling recognized extensions was missing an entry for edbpge and its corresponding package names. This entry has been added, and additional logic incorporated to handle the naming change for pgaudit packages from version 16 onwards.

Fixed an issue where global proxy routing was not set up correctly in PGD 5.9.

When creating a new configuration file via 'tpaexec configure -a PGD-Always-ON --pgd-proxy-routing global (...)', the configuration by default creates a top group node with enable_proxy_routing & enable_raft equal to true, and subgroups with enable_proxy_routing & enable_raft equal to false.

When creating a new configuration file via 'tpaexec configure -a PGD-Always-ON --pgd-proxy-routing local (...)', the configuration by default creates a top group node with enable_proxy_routing equal to false & enable_raft equal to true, and subgroups with enable_proxy_routing & enable_raft equal to true.

TPA will now correctly skip the postgres/pgpass task on PEM-agent Barman nodes.

The postgres/pgpass task runs on Postgres nodes with the pem-agent role in order to add the postgres_user to the .pgpass file in this user's home directory. In previous versions, the task would also attempt to run on Barman nodes that have the pem-agent role. This would fail since the directory does not exist. This task is now excluded for Barman nodes.