PgBouncer does not use Custom TLS Certificate

[borchero]

• Which image of the operator are you using? registry.opensource.zalan.do/acid/postgres-operator:v1.5.0
• Where do you run it - cloud or metal? Kubernetes or OpenShift? GKE
• Are you running Postgres Operator in production? no
• Type of issue? Bug/Feature

The Postgres Operator currently supports setting custom TLS certificates. However, regardless of whether this option is set, the pooler (pgBouncer) generates its own self-signed TLS certificates. This is a problem when clients try to verify the presented TLS certificate.

In order to make this work, at least two things have to be done:

• The operator must mount the TLS secret into the pooler Pods
• The pooler image must use the TLS certificates that are mounted by the secret instead of generating its own certificates

As I'm not completely familiar with pgBouncer, it might also be necessary to periodically check for certificate changes and reload the Pods if something has changed. If pgBouncer implements hot reloads, this code should reside in the pooler image. Otherwise, the operator should watch the TLS secret and redeploy the pooler deployment to prevent all Pods from restarting simultaneously.

[Jan-M]

Hi @borchero thanks for raising these open issues around the connection pooler. The use of custom TLS certificates was contributed by the community as this is a feature we do not use our selves. For the connection pooler I do understand the same need and also think your approach sounds right. So would be open to receive and look at a PR adding this to the connection pooler deployment, too. That would be step one.

We can assess internally or also via PR how to add this to the provided pgbouncer Docker image as step 2, as this could also just be adjusted by you using some overwrite image.

The last step about certificates changing and running out of "valid" time one may consider in step 2 or keep in future work, one can always delete pods to reload certs.

[borchero]

Sounds good, I will submit a PR soon. Regarding the reload of the TLS certificate, I found that pgBouncer is not able to perform hot reloads (at least it seems so).

For the moment, I would therefore refrain from implementing custom code for certificate reloads and rather allow setting annotations on the pooler deployment. Thus, external solutions like this one can be used to trigger redeploys of all pooler Pods.

[FxKu]

TLS is now used by pooler deployment as well.