Add Support for Custom TLS Certificates in Connection Pooler

[jeremie-seguin]

This pull request is heavily inspired by this PR by @borchero and try to solve #1230 But do not include the additional annotations on the pgBouncer deployment.

The entrypoint.sh in pgbouncer docker image also need to be updated to use the certificates when present like so:

if [ -z "${CONNECTION_POOLER_CLIENT_TLS_CRT}" ]; then
    openssl req -nodes -new -x509 -subj /CN=spilo.dummy.org \
        -keyout /etc/ssl/certs/pgbouncer.key \
        -out /etc/ssl/certs/pgbouncer.crt
else
    ln ${CONNECTION_POOLER_CLIENT_TLS_CRT} /etc/ssl/certs/pgbouncer.crt
    ln ${CONNECTION_POOLER_CLIENT_TLS_KEY} /etc/ssl/certs/pgbouncer.key
fi

however the dockerfile of pgbouncer included in the operator does not seems to be public, is it accessible somewhere ?

If this solution is accepted, certificate renewal will need to be handled either on the operator side with a restart of the pooler deployment or directly on pgbouncer if the reload command is sufficient.

[FxKu]

CN=spilo.dummy.org

Can this be any string? Does it matter or should it be configurable?

[jeremie-seguin]

@FxKu The spilo.dummy.org is the value currently used in the self signed certificate of pgbouncer:master-24, it will not be used if a CONNECTION_POOLER_CLIENT_TLS_CRT is provided to the operator

[FxKu]

@jeremie-seguin I've changed entrypoint.sh like you've suggested. Can you bump the pgbouncer docker image tag to master-26, pls?

[FxKu]

@jeremie-seguin could you maybe cover the new feature in connection_pooler_test.go. Just a check that makes sure the volume section is there if tls options are specified in the manifest.

[jopadi]

👍

[FxKu]

👍

[FxKu]

Thanks @jeremie-seguin . We will add the unit test ourselves.