PgBouncer K8s

Channel Revision Published Runs on
1/stable 269 11 Sep 2024
Ubuntu 22.04
1/stable 268 11 Sep 2024
Ubuntu 22.04
1/candidate 360 Today
Ubuntu 22.04
1/candidate 359 Today
Ubuntu 22.04
1/beta 360 16 Dec 2024
Ubuntu 22.04
1/beta 359 16 Dec 2024
Ubuntu 22.04
1/edge 360 04 Dec 2024
Ubuntu 22.04
1/edge 359 04 Dec 2024
Ubuntu 22.04
juju deploy pgbouncer-k8s --channel 1/stable
Show information

Platform:

How to enable encryption

PgBouncer will enable encrypted connections by default with self generated certificates. Though also by default, connecting clients can disable encryption by setting the connection ssl-mode as disabled. When related with the tls-certificates-operator the charmed operator for PgBouncer will require that every client connection (new and running connections) use encryption, rendering an error when attempting to establish an unencrypted connection.

Note: The TLS settings here are for self-signed-certificates which are not recommended for production clusters, the tls-certificates-operator charm offers a variety of configurations, read more on the TLS charm here

Enable TLS

# deploy the TLS charm
juju deploy tls-certificates-operator --channel legacy/stable

# add the necessary configurations for TLS
juju config tls-certificates-operator generate-self-signed-certificates="true" ca-common-name="Test CA"

# to enable TLS relate the two applications
juju relate tls-certificates-operator pgbouncer-k8s

Manage keys

Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key action. Note passing keys to external/internal keys should only be done with base64 -w0 not cat. With three routers this schema should be followed:

  • Generate a shared internal (private) key:
openssl genrsa -out internal-key.pem 3072
  • apply newly generated internal key on each unit:
juju run pgbouncer-k8s/0 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
juju run pgbouncer-k8s/1 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
juju run pgbouncer-k8s/2 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
  • updates can also be done with auto-generated keys with:
juju run pgbouncer-k8s/0 set-tls-private-key
juju run pgbouncer-k8s/1 set-tls-private-key
juju run pgbouncer-k8s/2 set-tls-private-key

Disable TLS

To disable TLS, remove the relation:

juju remove-relation tls-certificates-operator pgbouncer-k8s

Help improve this document in the forum (guidelines). Last updated 1 year, 1 month ago.