build multi-arch pooler image

.github/workflows/publish_ghcr_image.yaml

@@ -3,6 +3,7 @@ name: Publish multiarch postgres-operator images on ghcr.io
 env:
   REGISTRY: ghcr.io
   IMAGE_NAME: ${{ github.repository }}
+  IMAGE_NAME_POOLER: ${{ github.repository }}-pooler
   IMAGE_NAME_UI: ${{ github.repository }}-ui
 
 on:
@@ -34,6 +35,12 @@ jobs:
             OPERATOR_IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${GITHUB_REF/refs\/tags\//}"
             echo "OPERATOR_IMAGE=$OPERATOR_IMAGE" >> $GITHUB_OUTPUT
 
+      - name: Define pooler image name
+        id: image_pooler
+        run: |
+            POOLER_IMAGE="${{ env.REGISTRY }}/${{ env.IMAGE_NAME_POOLER }}:${GITHUB_REF/refs\/tags\//}"
+            echo "POOLER_IMAGE=$POOLER_IMAGE" >> $GITHUB_OUTPUT
+
       - name: Define UI image name
         id: image_ui
         run: |
@@ -69,6 +76,15 @@ jobs:
           tags: "${{ steps.image.outputs.OPERATOR_IMAGE }}"
           platforms: linux/amd64,linux/arm64
 
+      - name: Build and push multiarch pooler image to ghcr
+        uses: docker/build-push-action@v3
+        with:
+          context: pooler
+          push: true
+          build-args: BASE_IMAGE=alpine:3.19
+          tags: "${{ steps.image_pooler.outputs.POOLER_IMAGE }}"
+          platforms: linux/amd64,linux/arm64
+
       - name: Build and push multiarch ui image to ghcr
         uses: docker/build-push-action@v3
         with:

delivery.yaml

@@ -42,6 +42,33 @@ pipeline:
                     -f docker/Dockerfile \
                     --push .
 
+  - id: build-pooler
+    env:
+      <<: *BUILD_ENV
+    type: script
+    vm_config:
+      type: linux
+
+    commands:
+      - desc: Build image
+        cmd: |
+          cd pooler
+          if [ -z ${CDP_SOURCE_BRANCH} ]; then
+            IMAGE=${MULTI_ARCH_REGISTRY}/postgres-operator-pooler
+          else
+            IMAGE=${MULTI_ARCH_REGISTRY}/postgres-operator-pooler-test
+          fi
+
+          docker buildx create --config /etc/cdp-buildkitd.toml --driver-opt network=host --bootstrap --use
+          docker buildx build --platform "linux/amd64,linux/arm64" \
+                    --build-arg BASE_IMAGE="${ALPINE_BASE_IMAGE}" \
+                    -t "${IMAGE}:${CDP_BUILD_VERSION}" \
+                    --push .
+
+          if [ -z ${CDP_SOURCE_BRANCH} ]; then
+            cdp-promote-image ${IMAGE}:${CDP_BUILD_VERSION}
+          fi
+
   - id: build-operator-ui
     env:
       <<: *BUILD_ENV

go.sum

@@ -71,8 +71,6 @@ github.com/kr/pty v1.1.1/go.mod h1:pFQYn66WHrOpPYNljwOMqo10TkYh1fy3cYio2l3bCsQ=
 github.com/kr/text v0.1.0/go.mod h1:4Jbv+DJW3UT/LiOwJeYQe1efqtUx/iVham/4vfdArNI=
 github.com/kr/text v0.2.0 h1:5Nx0Ya0ZqY2ygV366QzturHI13Jq95ApcVaJBhpS+AY=
 github.com/kr/text v0.2.0/go.mod h1:eLer722TekiGuMkidMxC/pM04lWEeraHUUmBw8l2grE=
-github.com/lib/pq v1.10.9 h1:YXG7RB+JIjhP29X+OtkiDnYaXQwpS4JEWq7dtCCRUEw=
-github.com/lib/pq v1.10.9/go.mod h1:AlVN5x4E4T544tWzH6hKfbfQvm3HdbOxrmggDNAPY9o=
 github.com/lib/pq v1.11.2 h1:x6gxUeu39V0BHZiugWe8LXZYZ+Utk7hSJGThs8sdzfs=
 github.com/lib/pq v1.11.2/go.mod h1:/p+8NSbOcwzAEI7wiMXFlgydTwcgTr3OSKMsD2BitpA=
 github.com/mailru/easyjson v0.7.7 h1:UGYAvKxe3sBsEDzO8ZeWOSlIQfWFlxbzLZe7hwFURr0=
@@ -113,8 +111,6 @@ github.com/r3labs/diff v1.1.0/go.mod h1:7WjXasNzi0vJetRcB/RqNl5dlIsmXcTTLmF5IoH6
 github.com/rogpeppe/go-internal v1.12.0 h1:exVL4IDcn6na9z1rAb56Vxr+CgyK3nn3O+epU5NdKM8=
 github.com/rogpeppe/go-internal v1.12.0/go.mod h1:E+RYuTGaKKdloAfM02xzb0FW3Paa99yedzYV+kq4uf4=
 github.com/russross/blackfriday/v2 v2.1.0/go.mod h1:+Rmxgy9KzJVeS9/2gXHxylqXiyQDYRxCVz55jmeOWTM=
-github.com/sirupsen/logrus v1.9.3 h1:dueUQJ1C2q9oE3F7wvmSGAaVtTmUizReu6fjN8uqzbQ=
-github.com/sirupsen/logrus v1.9.3/go.mod h1:naHLuLoDiP4jHNo9R0sCBMtWGeIprob74mVsIT4qYEQ=
 github.com/sirupsen/logrus v1.9.4 h1:TsZE7l11zFCLZnZ+teH4Umoq5BhEIfIzfRDZ1Uzql2w=
 github.com/sirupsen/logrus v1.9.4/go.mod h1:ftWc9WdOfJ0a92nsE2jF5u5ZwH8Bv2zdeOC42RjbV2g=
 github.com/spf13/cobra v1.9.1 h1:CXSaggrXdbHK9CF+8ywj8Amf7PBRmPCOJugH954Nnlo=
@@ -126,7 +122,6 @@ github.com/stretchr/objx v0.4.0/go.mod h1:YvHI0jy2hoMjB+UWwv71VJQ9isScKT/TqJzVSS
 github.com/stretchr/objx v0.5.0/go.mod h1:Yh+to48EsGEfYuaHDzXPcE3xhTkx73EhmCGUpEOglKo=
 github.com/stretchr/testify v1.3.0/go.mod h1:M5WIy9Dh21IEIfnGCwXGc5bZfKNJtfHm1UVUgZn+9EI=
 github.com/stretchr/testify v1.5.1/go.mod h1:5W2xD1RspED5o8YsWQXVCued0rvSQ+mT+I5cxcmMvtA=
-github.com/stretchr/testify v1.7.0/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.7.1/go.mod h1:6Fq8oRcR53rry900zMqJjRRixrwX3KX962/h/Wwjteg=
 github.com/stretchr/testify v1.8.0/go.mod h1:yNjHg4UonilssWZ8iaSj1OCr/vHnekPRkoO+kdMU+MU=
 github.com/stretchr/testify v1.8.1/go.mod h1:w2LPCIKwWwSfY2zedu0+kehJoqGctiVI29o6fzry7u4=
@@ -170,7 +165,6 @@ golang.org/x/sys v0.0.0-20200930185726-fdedc70b468f/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20201119102817-f84b799fce68/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210330210617-4fbd30eecc44/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20210510120138-977fb7262007/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
-golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.0.0-20220811171246-fbc7d0a398ab/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.6.0/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
 golang.org/x/sys v0.38.0 h1:3yZWxaJjBmCWXqhN1qh02AkOnCQ1poK6oF+a7xWL6Gc=

pooler/Dockerfile

@@ -0,0 +1,47 @@
+ARG BASE_IMAGE=alpine:3.19
+FROM ${BASE_IMAGE} AS build_stage
+
+RUN apk --update add \
+    autoconf automake build-base c-ares-dev git libevent-dev libtool m4 \
+    openssl-dev py3-docutils py3-pip python3
+
+WORKDIR /src
+
+RUN git clone \
+    --single-branch \
+    --branch=stable-1.23 \
+    --depth 1 \
+    https://github.com/pgbouncer/pgbouncer.git .
+
+RUN git submodule init && git submodule update
+
+RUN ./autogen.sh && \
+    ./configure --prefix=/pgbouncer --with-libevent=/usr/lib && \
+    sed -i '/dist_man_MANS/d' Makefile && \
+    make && \
+    make install
+
+FROM ${BASE_IMAGE}
+
+RUN apk -U upgrade --no-cache \
+    && apk --no-cache add bash c-ares ca-certificates gettext libevent openssl postgresql-client
+
+RUN addgroup -g 101 -S pgbouncer && \
+    adduser -u 100 -S pgbouncer -G pgbouncer && \
+    mkdir -p /etc/pgbouncer /var/log/pgbouncer /var/run/pgbouncer /etc/ssl/certs
+
+COPY --from=build_stage /pgbouncer/bin/pgbouncer /bin/pgbouncer
+COPY pgbouncer.ini.tmpl auth_file.txt.tmpl /etc/pgbouncer/
+COPY entrypoint.sh /entrypoint.sh
+
+RUN chown -R pgbouncer:pgbouncer \
+    /var/log/pgbouncer \
+    /var/run/pgbouncer \
+    /etc/pgbouncer \
+    /etc/ssl/certs \
+    && chmod +x /entrypoint.sh
+
+USER pgbouncer:pgbouncer
+WORKDIR /etc/pgbouncer
+
+ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]

pooler/auth_file.txt.tmpl

@@ -0,0 +1 @@
+"$PGUSER" "$PGPASSWORD"

pooler/entrypoint.sh

@@ -0,0 +1,20 @@
+#!/bin/sh
+
+set -ex
+
+if [ -z "${CONNECTION_POOLER_CLIENT_TLS_CRT}" ]; then
+    openssl req -nodes -new -x509 -subj /CN=spilo.dummy.org \
+        -keyout /etc/ssl/certs/pgbouncer.key \
+        -out /etc/ssl/certs/pgbouncer.crt
+else
+    ln -s ${CONNECTION_POOLER_CLIENT_TLS_CRT} /etc/ssl/certs/pgbouncer.crt
+    ln -s ${CONNECTION_POOLER_CLIENT_TLS_KEY} /etc/ssl/certs/pgbouncer.key
+    if [ ! -z "${CONNECTION_POOLER_CLIENT_CA_FILE}" ]; then
+        ln -s ${CONNECTION_POOLER_CLIENT_CA_FILE} /etc/ssl/certs/ca.crt
+    fi
+fi
+
+envsubst < /etc/pgbouncer/pgbouncer.ini.tmpl > /etc/pgbouncer/pgbouncer.ini
+envsubst < /etc/pgbouncer/auth_file.txt.tmpl > /etc/pgbouncer/auth_file.txt
+
+exec /bin/pgbouncer /etc/pgbouncer/pgbouncer.ini

pooler/pgbouncer.ini.tmpl

@@ -0,0 +1,70 @@
+# vim: set ft=dosini:
+
+[databases]
+* = host=$PGHOST port=$PGPORT auth_user=$PGUSER
+postgres = host=$PGHOST port=$PGPORT auth_user=$PGUSER
+
+[pgbouncer]
+pool_mode = $CONNECTION_POOLER_MODE
+listen_port = $CONNECTION_POOLER_PORT
+listen_addr = *
+auth_type = md5
+auth_file = /etc/pgbouncer/auth_file.txt
+auth_dbname = postgres
+admin_users = $PGUSER
+stats_users_prefix = robot_
+auth_query = SELECT * FROM $PGSCHEMA.user_lookup($1)
+logfile = /var/log/pgbouncer/pgbouncer.log
+pidfile = /var/run/pgbouncer/pgbouncer.pid
+
+server_tls_sslmode = require
+server_tls_ca_file = /etc/ssl/certs/pgbouncer.crt
+server_tls_protocols = secure
+client_tls_sslmode = require
+client_tls_key_file = /etc/ssl/certs/pgbouncer.key
+client_tls_cert_file = /etc/ssl/certs/pgbouncer.crt
+
+log_connections = 0
+log_disconnections = 0
+
+# Number of prepared statements to cache on a server connection (zero value
+# disables support of prepared statements).
+max_prepared_statements = 200
+
+# How many server connections to allow per user/database pair.
+default_pool_size = $CONNECTION_POOLER_DEFAULT_SIZE
+
+# Add more server connections to pool if below this number. Improves behavior
+# when usual load comes suddenly back after period of total inactivity.
+#
+# NOTE: This value is per pool, i.e. a pair of (db, user), not a global one.
+# Which means on the higher level it has to be calculated from the max allowed
+# database connections and number of databases and users. If not taken into
+# account, then for too many users or databases PgBouncer will go crazy
+# opening/evicting connections. For now disable it.
+#
+# min_pool_size = $CONNECTION_POOLER_MIN_SIZE
+
+# How many additional connections to allow to a pool
+reserve_pool_size = $CONNECTION_POOLER_RESERVE_SIZE
+
+# Maximum number of client connections allowed.
+max_client_conn = $CONNECTION_POOLER_MAX_CLIENT_CONN
+
+# Do not allow more than this many connections per database (regardless of
+# pool, i.e. user)
+max_db_connections = $CONNECTION_POOLER_MAX_DB_CONN
+
+# If a client has been in "idle in transaction" state longer, it will be
+# disconnected. [seconds]
+idle_transaction_timeout = 600
+
+# If login failed, because of failure from connect() or authentication that
+# pooler waits this much before retrying to connect. Default is 15. [seconds]
+server_login_retry = 5
+
+# To ignore extra parameter in startup packet. By default only 'database' and
+# 'user' are allowed, all others raise error.  This is needed to tolerate
+# overenthusiastic JDBC wanting to unconditionally set 'extra_float_digits=2'
+# in startup packet.
+ignore_startup_parameters = extra_float_digits,options