
Add Support for Custom TLS Certificates in Connection Pooler

Open borchero opened this issue 5 years ago • 10 comments

Fixes #1230

Dockerfile for new pgBouncer image: https://github.com/borchero/pgbouncer

borchero avatar Nov 25 '20 14:11 borchero

Thanks @borchero for your contribution. We have just merged the inherited annotation feature to allow passing annotations from the postgres manifest down to child resources. You can also use the downscaler_annotations option to only inherit annotations to the deployment and statefulset. I think you can use this rather than adding yet another field. Could you strip back this PR then to only the TLS passing to pooler?

FxKu avatar Dec 15 '20 11:12 FxKu

Removing pooler-specific annotations is a hacky solution imo. The reason for these annotations is to allow external operators to reload the pooler Pods once the TLS secret changes. When using downscaler_annotations, my understanding is that these annotations are also added to the Postgres StatefulSet.

Unfortunately, this means that these "reloading" annotations also trigger a redeploy of the Postgres Pods although they handle hot reloading internally.

borchero avatar Dec 15 '20 12:12 borchero

@borchero I would like to see this added to the operator config, don't you agree? This seems like a potential global config for all poolers?

Jan-M avatar Dec 16 '20 14:12 Jan-M

Yes, that sounds reasonable. So can I update the PR with pooler specific annotations in the operator config?

borchero avatar Dec 16 '20 14:12 borchero

Sure, you can add it here.

There are a few more places where you have to reflect the change. See our short docs on this topic.

FxKu avatar Dec 16 '20 14:12 FxKu

This is a feature we are interested in. @borchero do you still have plans to work on this at some point? If not, I would be happy to take a stab at rebasing on master and making the requested changes for pooler annotations.

bchrobot avatar Apr 29 '22 11:04 bchrobot

Hey @bchrobot I don't currently need the functionality anymore, so I'm unlikely to work on it soon ... feel free to take over!

borchero avatar May 03 '22 13:05 borchero

Really interested in this too, in fact we consider it to be more a bugfix than a feature as we can't use mTLS through pgBouncer because of this. Looking at the two-year-old comments @FxKu I'm not sure what is still to be done. @bchrobot have you already started to work on that? We're gonna need that soon and we'd be glad to lend a hand.

Dayde avatar May 18 '22 14:05 Dayde

Should I open another PR? I've rebased the branch but I can't push it here. A brief summary of what's left to do in your opinion would be really nice :pray:

Dayde avatar Jun 27 '22 15:06 Dayde

@bchrobot have you already started to work on that? We're gonna need that soon and we'd be glad to lend a hand.

I have not made any progress and will not have time to work on this until November. A new PR is probably the easiest path forward.

bchrobot avatar Jul 04 '22 18:07 bchrobot

Closing this in favor of #2146.

borchero avatar Jan 03 '23 12:01 borchero