Add Support for Custom TLS Certificates in Connection Pooler (#2146)

* add volume with custom TLS config to pooler deployment * bump pg bouncer image tag which support new feature Co-authored-by: Jérémie Seguin <jeremie.seguin@malt.com>
2023-01-09 17:16:00 +01:00 · 2023-01-09 17:16:00 +01:00 · 3139c1f3d0
parent 625e804dc4
commit 3139c1f3d0
7 changed files with 54 additions and 6 deletions
--- a/charts/postgres-operator/crds/operatorconfigurations.yaml
+++ b/charts/postgres-operator/crds/operatorconfigurations.yaml
@ -631,7 +631,7 @@ spec:
                    default: "pooler"
                  connection_pooler_image:
                    type: string
-                    default: "registry.opensource.zalan.do/acid/pgbouncer:master-24"
+                    default: "registry.opensource.zalan.do/acid/pgbouncer:master-26"
                  connection_pooler_max_db_connections:
                    type: integer
                    default: 60
--- a/charts/postgres-operator/values.yaml
+++ b/charts/postgres-operator/values.yaml
@ -412,7 +412,7 @@ configConnectionPooler:
  # db user for pooler to use
  connection_pooler_user: "pooler"
  # docker image
-  connection_pooler_image: "registry.opensource.zalan.do/acid/pgbouncer:master-24"
+  connection_pooler_image: "registry.opensource.zalan.do/acid/pgbouncer:master-26"
  # max db connections the pooler should hold
  connection_pooler_max_db_connections: 60
  # default pooling mode
--- a/manifests/configmap.yaml
+++ b/manifests/configmap.yaml
@ -17,7 +17,7 @@ data:
  # connection_pooler_default_cpu_request: "500m"
  # connection_pooler_default_memory_limit: 100Mi
  # connection_pooler_default_memory_request: 100Mi
-  connection_pooler_image: "registry.opensource.zalan.do/acid/pgbouncer:master-24"
+  connection_pooler_image: "registry.opensource.zalan.do/acid/pgbouncer:master-26"
  # connection_pooler_max_db_connections: 60
  # connection_pooler_mode: "transaction"
  # connection_pooler_number_of_instances: 2
--- a/manifests/minimal-fake-pooler-deployment.yaml
+++ b/manifests/minimal-fake-pooler-deployment.yaml
@ -23,7 +23,7 @@ spec:
      serviceAccountName: postgres-operator
      containers:
      - name: postgres-operator
-        image: registry.opensource.zalan.do/acid/pgbouncer:master-24
+        image: registry.opensource.zalan.do/acid/pgbouncer:master-26
        imagePullPolicy: IfNotPresent
        resources:
          requests:
--- a/manifests/operatorconfiguration.crd.yaml
+++ b/manifests/operatorconfiguration.crd.yaml
@ -629,7 +629,7 @@ spec:
                    default: "pooler"
                  connection_pooler_image:
                    type: string
-                    default: "registry.opensource.zalan.do/acid/pgbouncer:master-24"
+                    default: "registry.opensource.zalan.do/acid/pgbouncer:master-26"
                  connection_pooler_max_db_connections:
                    type: integer
                    default: 60
--- a/manifests/postgresql-operator-default-configuration.yaml
+++ b/manifests/postgresql-operator-default-configuration.yaml
@ -201,7 +201,7 @@ configuration:
    connection_pooler_default_cpu_request: "500m"
    connection_pooler_default_memory_limit: 100Mi
    connection_pooler_default_memory_request: 100Mi
-    connection_pooler_image: "registry.opensource.zalan.do/acid/pgbouncer:master-24"
+    connection_pooler_image: "registry.opensource.zalan.do/acid/pgbouncer:master-26"
    # connection_pooler_max_db_connections: 60
    connection_pooler_mode: "transaction"
    connection_pooler_number_of_instances: 2
--- a/pkg/cluster/connection_pooler.go
+++ b/pkg/cluster/connection_pooler.go
@ -3,6 +3,7 @@ package cluster
 import (
 	"context"
 	"fmt"
+	"path/filepath"
 	"strings"
 	"time"

@ -336,6 +337,52 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) (
 		},
 	}

+	// If the cluster has custom TLS certificates configured, we do the following:
+	//  1. Add environment variables to tell pgBouncer where to find the TLS certificates
+	//  2. Reference the secret in a volume
+	//  3. Mount the volume to the container at /tls
+	poolerVolumes := []v1.Volume{}
+	if spec.TLS != nil && spec.TLS.SecretName != "" {
+		// Env vars
+		crtFile := spec.TLS.CertificateFile
+		keyFile := spec.TLS.PrivateKeyFile
+		if crtFile == "" {
+			crtFile = "tls.crt"
+		}
+		if keyFile == "" {
+			crtFile = "tls.key"
+		}
+
+		envVars = append(
+			envVars,
+			v1.EnvVar{
+				Name: "CONNECTION_POOLER_CLIENT_TLS_CRT", Value: filepath.Join("/tls", crtFile),
+			},
+			v1.EnvVar{
+				Name: "CONNECTION_POOLER_CLIENT_TLS_KEY", Value: filepath.Join("/tls", keyFile),
+			},
+		)
+
+		// Volume
+		mode := int32(0640)
+		volume := v1.Volume{
+			Name: "tls",
+			VolumeSource: v1.VolumeSource{
+				Secret: &v1.SecretVolumeSource{
+					SecretName:  spec.TLS.SecretName,
+					DefaultMode: &mode,
+				},
+			},
+		}
+		poolerVolumes = append(poolerVolumes, volume)
+
+		// Mount
+		poolerContainer.VolumeMounts = []v1.VolumeMount{{
+			Name:      "tls",
+			MountPath: "/tls",
+		}}
+	}
+
 	tolerationsSpec := tolerations(&spec.Tolerations, c.OpConfig.PodToleration)

 	podTemplate := &v1.PodTemplateSpec{
@ -348,6 +395,7 @@ func (c *Cluster) generateConnectionPoolerPodTemplate(role PostgresRole) (
 			TerminationGracePeriodSeconds: &gracePeriod,
 			Containers:                    []v1.Container{poolerContainer},
 			Tolerations:                   tolerationsSpec,
+			Volumes:                       poolerVolumes,
 		},
 	}