PgBouncer K8s
- Canonical
- Databases
Channel | Revision | Published | Runs on |
---|---|---|---|
1/stable | 269 | 11 Sep 2024 | |
1/stable | 268 | 11 Sep 2024 | |
1/candidate | 269 | 09 Sep 2024 | |
1/candidate | 268 | 09 Sep 2024 | |
1/beta | 269 | 09 Sep 2024 | |
1/beta | 268 | 09 Sep 2024 | |
1/edge | 348 | Yesterday | |
1/edge | 347 | Yesterday |
juju deploy pgbouncer-k8s --channel 1/edge
Deploy Kubernetes operators easily with Juju, the Universal Operator Lifecycle Manager. Need a Kubernetes cluster? Install MicroK8s to create a full CNCF-certified Kubernetes system in under 60 seconds.
Platform:
How to enable encryption
PgBouncer will enable encrypted connections by default with self generated certificates. Though also by default, connecting clients can disable encryption by setting the connection ssl-mode as disabled.
When related with the tls-certificates-operator
the charmed operator for PgBouncer will require that every client connection (new and running connections) use encryption, rendering an error when attempting to establish an unencrypted connection.
Note: The TLS settings here are for self-signed-certificates which are not recommended for production clusters, the
tls-certificates-operator
charm offers a variety of configurations, read more on the TLS charm here
Enable TLS
# deploy the TLS charm
juju deploy tls-certificates-operator --channel legacy/stable
# add the necessary configurations for TLS
juju config tls-certificates-operator generate-self-signed-certificates="true" ca-common-name="Test CA"
# to enable TLS relate the two applications
juju relate tls-certificates-operator pgbouncer-k8s
Manage keys
Updates to private keys for certificate signing requests (CSR) can be made via the set-tls-private-key
action. Note passing keys to external/internal keys should only be done with base64 -w0
not cat
. With three routers this schema should be followed:
- Generate a shared internal (private) key:
openssl genrsa -out internal-key.pem 3072
- apply newly generated internal key on each unit:
juju run pgbouncer-k8s/0 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
juju run pgbouncer-k8s/1 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
juju run pgbouncer-k8s/2 set-tls-private-key "internal-key=$(base64 -w0 internal-key.pem)"
- updates can also be done with auto-generated keys with:
juju run pgbouncer-k8s/0 set-tls-private-key
juju run pgbouncer-k8s/1 set-tls-private-key
juju run pgbouncer-k8s/2 set-tls-private-key
Disable TLS
To disable TLS, remove the relation:
juju remove-relation tls-certificates-operator pgbouncer-k8s