feat: enable connection pooling unicorn#201
- Add support for enabling connection pooling in the PostgreSQL Helm chart.
- Introduce a new Pepr module to mutate pooler deployments and reconcile userlist secrets.
- Update Helm templates to include a static pgbouncer.ini ConfigMap for FIPS compliance.
- Modify Zarf configuration to deploy the new Pepr module only for the unicorn flavor.
- Remove outdated design and implementation plans from documentation.
- Add tests for the new functionality, ensuring proper deployment and configuration of the pooler.
> ## Decision
>
> We ship a [Pepr](https://github.com/defenseunicorns/pepr) module (`src/pepr`, capability `pgbouncer-pooler`), bundled as a manifest in the `unicorn` component, that:
Assuming there is literally no other way to accomplish this, which I am skeptical of without diving much deeper into this, I would much rather see if the other pgbouncer image in Chainguard's catalogue works, or even use the -dev variant, over this approach.
I think a deep dive is critical here. The postgres-operator itself generates the pooler Deployment (per postgresql CR); there do not appear to be any templates that can be overridden, so changes will need to be made to the Go code. In the meantime, this mutation addresses this issue.
All pgbouncer images on chainguard only have the pgbouncer binary as the entrypoint, with no args. If you inspect the upstream zalando pgbouncer image, the entrypoint is a script that uses envsubst to create the ini config file and then calls pgbouncer with this ini file as the only argument. This can be verified with:
```sh
docker image inspect registry.opensource.zalan.do/acid/pgbouncer:master-32 --format 'Entrypoint: {{.Config.Entrypoint}}{{"\n"}}{{.Config.Cmd}}'
# Entrypoint: [/bin/sh /entrypoint.sh]
# []
docker create --name zalano-pgbouncer registry.opensource.zalan.do/acid/pgbouncer:master-32
docker cp zalano-pgbouncer:/entrypoint.sh .
docker rm zalano-pgbouncer
cat entrypoint.sh
rm entrypoint.sh
```

entrypoint.sh:

```sh
#!/bin/sh
set -ex
if [ "$PGUSER" = "postgres" ]; then
    echo "WARNING: pgbouncer will connect with a superuser privileges!"
    echo "You need to fix this as soon as possible."
fi
if [ -z "${CONNECTION_POOLER_CLIENT_TLS_CRT}" ]; then
    openssl req -nodes -new -x509 -subj /CN=spilo.dummy.org \
        -keyout /etc/ssl/certs/pgbouncer.key \
        -out /etc/ssl/certs/pgbouncer.crt
else
    ln -s ${CONNECTION_POOLER_CLIENT_TLS_CRT} /etc/ssl/certs/pgbouncer.crt
    ln -s ${CONNECTION_POOLER_CLIENT_TLS_KEY} /etc/ssl/certs/pgbouncer.key
    if [ ! -z "${CONNECTION_POOLER_CLIENT_CA_FILE}" ]; then
        ln -s ${CONNECTION_POOLER_CLIENT_CA_FILE} /etc/ssl/certs/ca.crt
    fi
fi
envsubst < /etc/pgbouncer/pgbouncer.ini.tmpl > /etc/pgbouncer/pgbouncer.ini
envsubst < /etc/pgbouncer/auth_file.txt.tmpl > /etc/pgbouncer/auth_file.txt
exec /bin/pgbouncer /etc/pgbouncer/pgbouncer.ini
```

You can verify that any CGR image defaults to just calling pgbouncer --help:

```sh
$ docker image inspect cgr.dev/defenseunicorns.com/pgbouncer:latest --format='Entrypoint: {{.Config.Entrypoint}}{{"\n"}}Cmd: {{.Config.Cmd}}'
# Entrypoint: [/usr/bin/pgbouncer]
# Cmd: [--help]
$ docker image inspect cgr.dev/defenseunicorns.com/pgbouncer:latest-dev --format='Entrypoint: {{.Config.Entrypoint}}{{"\n"}}Cmd: {{.Config.Cmd}}'
# Entrypoint: [/usr/bin/pgbouncer]
# Cmd: [--help]
```

I will move this PR to draft and work with the Zalando team to get the operator itself updated.
Okay. Working with the zalando team and/or chainguard is definitely the correct approach to this problem.
If you need something in the meantime, consider that it is probably possible to build this image with the necessary changes to match the zalando one internal to the repo and part of an onCreate action or otherwise and then use that.
It would be preferable to just get a solution using the upstream providers, but I am providing another alternative if it is time sensitive.
thanks! tbh I prefer to wait for zalando to make it happen, so going to hold off until then
Description
Support enabling connection pooling in postgres-operator, specifically for the unicorn flavor. We simply create a Pepr module that mutates the pooler deployment to add the necessary argument to the pod for specifying the ini config file to use.
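The mutation described above, as an added example that is not code from this PR: a stand-alone TypeScript function carrying the argument-injection logic a Pepr `Mutate` callback would apply to the operator-generated pooler Deployment. The pooler label `application: db-connection-pooler`, the container name `connection-pooler` and the mount path `/etc/pgbouncer/pgbouncer.ini` are assumptions; the Pepr wiring (`When(a.Deployment)...Mutate(...)`) is left out so the logic runs offline.

```typescript
// Added example, not the PR's Pepr module. Assumed values are marked below.
interface Container { name: string; image: string; command?: string[]; args?: string[] }
interface Deployment {
  metadata: { name: string; labels?: Record<string, string> };
  spec: { template: { spec: { containers: Container[] } } };
}

const PGBOUNCER_INI = "/etc/pgbouncer/pgbouncer.ini";      // assumed ConfigMap mount path
const POOLER_LABEL = "application";                         // assumed operator label key
const POOLER_VALUE = "db-connection-pooler";                // assumed operator label value
const POOLER_CONTAINER = "connection-pooler";               // assumed container name

function isPoolerDeployment(d: Deployment): boolean {
  return d.metadata.labels?.[POOLER_LABEL] === POOLER_VALUE;
}

// Injects the ini path as the pgbouncer container's only argument.
// Returns the names of the containers it changed; [] means the object was left alone.
function injectIniArg(d: Deployment): string[] {
  if (!isPoolerDeployment(d)) return [];            // never touch unrelated Deployments
  const changed: string[] = [];
  for (const c of d.spec.template.spec.containers) {
    if (c.name !== POOLER_CONTAINER) continue;
    // An explicit command already decides what runs; do not second-guess it.
    if (c.command && c.command.length > 0) continue;
    // Already pointing at an ini file (Zalando-style image, or a re-admission): idempotent.
    if (c.args?.some(a => a.endsWith(".ini"))) continue;
    // With args unset, Kubernetes falls back to the image Cmd, which on the
    // Chainguard image is `--help`: pgbouncer prints usage and exits.
    c.args = [PGBOUNCER_INI];
    changed.push(c.name);
  }
  return changed;
}

// Constructed sample of what the operator emits for a pooler (no args set).
function samplePooler(): Deployment {
  return {
    metadata: { name: "acid-minimal-cluster-pooler", labels: { application: "db-connection-pooler" } },
    spec: { template: { spec: { containers: [
      { name: POOLER_CONTAINER, image: "cgr.dev/defenseunicorns.com/pgbouncer:latest" },
    ] } } },
  };
}

const demo = samplePooler();
console.log(injectIniArg(demo), demo.spec.template.spec.containers[0].args);
```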