
feat: enable connection pooling unicorn#201

Closed
mkm29 wants to merge 13 commits into
mainfrom
feat/enable-connection-pooling-unicorn

Conversation

@mkm29

@mkm29 mkm29 commented Jun 4, 2026


Description

Support enabling connection pooling in postgres-operator, specifically for unicorn flavor. We simply create a pepr module that mutates the pooler deployment to add the necessary argument to the pod for specifying the ini config file to use.

Type of change

  • Bug fix (non-breaking change which fixes an issue)
  • New feature (non-breaking change which adds functionality)
  • Other (security config, docs update, etc)

Checklist before merging

@mkm29 mkm29 requested review from a team, daveworth and jeff-mccoy as code owners June 4, 2026 17:18
mkm29 and others added 9 commits June 4, 2026 13:21
- Add support for enabling connection pooling in the PostgreSQL Helm chart.
- Introduce a new Pepr module to mutate pooler deployments and reconcile userlist secrets.
- Update Helm templates to include a static pgbouncer.ini ConfigMap for FIPS compliance.
- Modify Zarf configuration to deploy the new Pepr module only for the unicorn flavor.
- Remove outdated design and implementation plans from documentation.
- Add tests for the new functionality, ensuring proper deployment and configuration of the pooler.

## Decision

We ship a [Pepr](https://github.com/defenseunicorns/pepr) module (`src/pepr`, capability `pgbouncer-pooler`), bundled as a manifest in the `unicorn` component, that:

@zachariahmiller zachariahmiller Jun 5, 2026

Copy link
Copy Markdown
Contributor


Assuming there is literally no other way to accomplish this, which I am skeptical of without diving much deeper into this, I would much rather see if the other pgbouncer image in chainguard's catalogue works or even use the -dev variant over this approach.

Author


I think a deep dive is critical here. The postgres-operator itself generates the pooler Deployment (per postgresql CR); there do not appear to be any templates that can be overridden, so changes will need to be made to the Go code. In the meantime, this mutation addresses this issue.

All pgbouncer images on chainguard only have the pgbouncer binary as the entrypoint, with no args. If you inspect the upstream zalando pgbouncer image, the entrypoint is a script that uses envsubst to create the ini config file and then calls pgbouncer with this ini file as the only argument. This can be verified with:

```shell
docker image inspect registry.opensource.zalan.do/acid/pgbouncer:master-32 --format 'Entrypoint: {{.Config.Entrypoint}}{{"\n"}}{{.Config.Cmd}}'
# Entrypoint: [/bin/sh /entrypoint.sh]
# []

docker create --name zalano-pgbouncer registry.opensource.zalan.do/acid/pgbouncer:master-32
docker cp zalano-pgbouncer:/entrypoint.sh .
docker rm zalano-pgbouncer
cat entrypoint.sh
rm entrypoint.sh
```

entrypoint.sh

```shell
#!/bin/sh

set -ex

if [ "$PGUSER" = "postgres" ]; then
    echo "WARNING: pgbouncer will connect with a superuser privileges!"
    echo "You need to fix this as soon as possible."
fi

if [ -z "${CONNECTION_POOLER_CLIENT_TLS_CRT}" ]; then
    openssl req -nodes -new -x509 -subj /CN=spilo.dummy.org \
        -keyout /etc/ssl/certs/pgbouncer.key \
        -out /etc/ssl/certs/pgbouncer.crt
else
    ln -s ${CONNECTION_POOLER_CLIENT_TLS_CRT} /etc/ssl/certs/pgbouncer.crt
    ln -s ${CONNECTION_POOLER_CLIENT_TLS_KEY} /etc/ssl/certs/pgbouncer.key
    if [ ! -z "${CONNECTION_POOLER_CLIENT_CA_FILE}" ]; then
        ln -s ${CONNECTION_POOLER_CLIENT_CA_FILE} /etc/ssl/certs/ca.crt
    fi
fi

envsubst < /etc/pgbouncer/pgbouncer.ini.tmpl > /etc/pgbouncer/pgbouncer.ini
envsubst < /etc/pgbouncer/auth_file.txt.tmpl > /etc/pgbouncer/auth_file.txt

exec /bin/pgbouncer /etc/pgbouncer/pgbouncer.ini
```

You can verify that any CGR image defaults to just calling pgbouncer --help:

```shell
$ docker image inspect cgr.dev/defenseunicorns.com/pgbouncer:latest --format='Entrypoint: {{.Config.Entrypoint}}{{"\n"}}Cmd: {{.Config.Cmd}}'
# Entrypoint: [/usr/bin/pgbouncer]
# Cmd: [--help]

$ docker image inspect cgr.dev/defenseunicorns.com/pgbouncer:latest-dev --format='Entrypoint: {{.Config.Entrypoint}}{{"\n"}}Cmd: {{.Config.Cmd}}'
# Entrypoint: [/usr/bin/pgbouncer]
# Cmd: [--help]
```

I will move this PR to draft and work with the Zalando team to get the operator itself updated.
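The PR description says the Pepr module "mutates the pooler deployment to add the necessary argument" for the ini file, and the comment above shows why: the Chainguard image's entrypoint is `/usr/bin/pgbouncer` with a default Cmd of `--help`, so the container never receives a config path unless the Deployment's `args` supplies one. The block below is an added example written for this page, not code from the PR or from the Pepr project. It isolates the mutation logic as a pure function over a Deployment-shaped object so it can be unit-tested without a cluster; a Pepr capability would call it from a `When(a.Deployment).IsCreatedOrUpdated().Mutate(...)` callback on `request.Raw`. The label selector (`application: db-connection-pooler`), the container name (`connection-pooler`), the ConfigMap name (`pgbouncer-ini`) and the mount path are assumptions for illustration, not values taken from the PR.

```typescript
// Added example (not from the PR or Pepr). Mutation logic for a pooler
// Deployment: set the pgbouncer container's args to the ini path and mount
// the static ini ConfigMap. Idempotent, so re-running on an already mutated
// object changes nothing, and it refuses to touch Deployments without the
// pooler label so unrelated workloads are never altered.
//
// Assumed (hypothetical) values: label, container name, ConfigMap name.

export interface VolumeMount { name: string; mountPath: string; readOnly?: boolean }
export interface Container { name: string; args?: string[]; volumeMounts?: VolumeMount[] }
export interface Volume { name: string; configMap?: { name: string } }
export interface Deployment {
  metadata: { name: string; labels?: Record<string, string> };
  spec: { template: { spec: { containers: Container[]; volumes?: Volume[] } } };
}

export const POOLER_LABEL = "application";            // assumption
export const POOLER_LABEL_VALUE = "db-connection-pooler"; // assumption
export const POOLER_CONTAINER = "connection-pooler";  // assumption
export const INI_CONFIGMAP = "pgbouncer-ini";         // assumption
export const INI_VOLUME = "pgbouncer-ini";
export const INI_DIR = "/etc/pgbouncer";
export const INI_PATH = `${INI_DIR}/pgbouncer.ini`;

// Only Deployments carrying the pooler label are candidates for mutation.
export function isPoolerDeployment(d: Deployment): boolean {
  return d.metadata.labels?.[POOLER_LABEL] === POOLER_LABEL_VALUE;
}

// Returns true when the object was changed, false when it was left as-is.
export function mutatePooler(d: Deployment): boolean {
  if (!isPoolerDeployment(d)) return false;
  const podSpec = d.spec.template.spec;
  const container = podSpec.containers.find((c) => c.name === POOLER_CONTAINER);
  if (!container) return false;

  let changed = false;

  // The image's Cmd is [--help]; replace it with exactly one arg, the ini path.
  const args = container.args ?? [];
  if (args.length !== 1 || args[0] !== INI_PATH) {
    container.args = [INI_PATH];
    changed = true;
  }

  // Mount the static ini read-only so the running container cannot rewrite it.
  container.volumeMounts ??= [];
  if (!container.volumeMounts.some((m) => m.name === INI_VOLUME)) {
    container.volumeMounts.push({ name: INI_VOLUME, mountPath: INI_DIR, readOnly: true });
    changed = true;
  }

  // Back the mount with the ConfigMap (expected to carry a `pgbouncer.ini` key).
  podSpec.volumes ??= [];
  if (!podSpec.volumes.some((v) => v.name === INI_VOLUME)) {
    podSpec.volumes.push({ name: INI_VOLUME, configMap: { name: INI_CONFIGMAP } });
    changed = true;
  }

  return changed;
}

// Constructed sample: a pooler Deployment as the operator might emit it,
// before mutation (no args, no volumes).
export function samplePoolerDeployment(): Deployment {
  return {
    metadata: { name: "mydb-pooler", labels: { [POOLER_LABEL]: POOLER_LABEL_VALUE } },
    spec: { template: { spec: { containers: [{ name: POOLER_CONTAINER }] } } },
  };
}
```

Because the mutation runs on every create and update, the `changed` flag matters: a webhook that unconditionally rewrites `args` and appends a second volume on each reconcile would produce a Deployment that never converges, and the operator would keep fighting it.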

@zachariahmiller zachariahmiller Jun 5, 2026


Okay. Working with the zalando team and/or chainguard is definitely the correct approach to this problem.

Contributor


If you need something in the meantime, consider that it is probably possible to build this image with the necessary changes to match the zalando one internal to the repo and part of an onCreate action or otherwise and then use that.

It would be preferable to just get a solution using the upstream providers, but I am providing another alternative if it is time sensitive.

Author


thanks! tbh I prefer to wait for zalando to make it happen, so going to hold off until then

@mkm29 mkm29 marked this pull request as draft June 5, 2026 17:21
@mkm29 mkm29 closed this Jun 5, 2026