diff --git a/modules/kubernetes/authentik/pgbouncer.ini b/modules/kubernetes/authentik/pgbouncer.ini
new file mode 100644
index 00000000..e3dc4e4f
--- /dev/null
+++ b/modules/kubernetes/authentik/pgbouncer.ini
@@ -0,0 +1,14 @@
+[databases]
+authentik = host=postgresql.dbaas port=5432 dbname=authentik user=authentik password=${password}
+
+[pgbouncer]
+listen_addr = 0.0.0.0
+listen_port = 6432
+auth_type = md5
+auth_file = /etc/pgbouncer/userlist.txt
+pool_mode = transaction
+max_client_conn = 200
+default_pool_size = 20
+reserve_pool_size = 5
+reserve_pool_timeout = 5
+ignore_startup_parameters = extra_float_digits
diff --git a/modules/kubernetes/authentik/pgbouncer.tf b/modules/kubernetes/authentik/pgbouncer.tf
new file mode 100644
index 00000000..24620f6d
--- /dev/null
+++ b/modules/kubernetes/authentik/pgbouncer.tf
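Review bot: `auth_type = md5` selects the legacy MD5 challenge for clients authenticating to pgbouncer; pgbouncer also supports `auth_type = scram-sha-256`, which is the setting to prefer for a new deployment, and the plaintext entry in the userlist.txt hunk keeps working with it. The `[databases]` line also embeds `password=${password}`, and the pgbouncer.tf hunk renders this file into a ConfigMap rather than a Secret, so the database password lands in an object that is not handled as a Secret by RBAC or encryption-at-rest. Either drop `password=` from the `[databases]` entry so pgbouncer takes the server password from `auth_file`, or render pgbouncer.ini into the same Secret as userlist.txt. `listen_addr = 0.0.0.0` is expected inside a pod, but no `client_tls_sslmode` or `server_tls_sslmode` is set, so both legs rely on the cluster network being trusted; worth a comment stating that.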
@@ -0,0 +1,118 @@
+resource "kubernetes_config_map" "pgbouncer_config" {
+ metadata {
+ name = "pgbouncer-config"
+ namespace = "authentik"
+ }
+
+ data = {
+ "pgbouncer.ini" = templatefile("${path.module}/pgbouncer.ini", { password = var.postgres_password })
+ }
+}
+
+# --- 2️⃣ Secret for user credentials ---
+resource "kubernetes_secret" "pgbouncer_auth" {
+ metadata {
+ name = "pgbouncer-auth"
+ namespace = "authentik"
+ }
+
+ data = {
+ "userlist.txt" = templatefile("${path.module}/userlist.txt", { password = var.postgres_password })
+ }
+
+ type = "Opaque"
+}
+
+# --- 3️⃣ Deployment ---
+resource "kubernetes_deployment" "pgbouncer" {
+ metadata {
+ name = "pgbouncer"
+ namespace = "authentik"
+ labels = {
+ app = "pgbouncer"
+ }
+ }
+
+ spec {
+ replicas = 1
+
+ selector {
+ match_labels = {
+ app = "pgbouncer"
+ }
+ }
+
+ template {
+ metadata {
+ labels = {
+ app = "pgbouncer"
+ }
+ }
+
+ spec {
+ container {
+ name = "pgbouncer"
+ image = "edoburu/pgbouncer:latest"
+ image_pull_policy = "IfNotPresent"
+
+ port {
+ container_port = 6432
+ }
+
+ volume_mount {
+ name = "config"
+ mount_path = "/etc/pgbouncer/pgbouncer.ini"
+ sub_path = "pgbouncer.ini"
+ }
+
+ volume_mount {
+ name = "auth"
+ mount_path = "/etc/pgbouncer/userlist.txt"
+ sub_path = "userlist.txt"
+ }
+
+ env {
+ name = "DATABASES_AUTHENTIK"
+ value = "host=postgres port=5432 dbname=authentik user=authentik password=${var.postgres_password}"
+ }
+ }
+
+ volume {
+ name = "config"
+ config_map {
+ name = kubernetes_config_map.pgbouncer_config.metadata[0].name
+ }
+ }
+
+ volume {
+ name = "auth"
+ secret {
+ secret_name = kubernetes_secret.pgbouncer_auth.metadata[0].name
+ }
+ }
+ }
+ }
+ }
+}
+
+# --- 4️⃣ Service ---
+resource "kubernetes_service" "pgbouncer" {
+ metadata {
+ name = "pgbouncer"
+ namespace = "authentik"
+ }
+
+ spec {
+ selector = {
+ app = "pgbouncer"
+ }
+
+ port {
+ port = 6432
+ target_port = 6432
+ protocol = "TCP"
+ }
+
+ type = "ClusterIP"
+ }
+}
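Review bot: The `env` block sets `DATABASES_AUTHENTIK` to a second connection string whose host is `postgres`, while the mounted pgbouncer.ini already defines the same database with host `postgresql.dbaas`; two definitions of one target with different hosts is a latent misroute, and the env form additionally places `var.postgres_password` in the pod spec where anyone who can read the Deployment sees it. Whether the image honours `DATABASES_*` variables when an ini is mounted depends on the entrypoint and is not visible here, so the safe fix is to delete the `env` block and keep the ini as the single source of configuration. Relatedly, `pgbouncer.ini` is templated with the password but stored in `kubernetes_config_map.pgbouncer_config`; move that key into `kubernetes_secret.pgbouncer_auth` and change the `config` volume source to `secret { secret_name = kubernetes_secret.pgbouncer_auth.metadata[0].name }`. Finally, `image = "edoburu/pgbouncer:latest"` combined with `image_pull_policy = "IfNotPresent"` is unpinned and will silently differ between nodes over time; pin a tag or digest.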
diff --git a/modules/kubernetes/authentik/userlist.txt b/modules/kubernetes/authentik/userlist.txt
new file mode 100644
index 00000000..024c3864
--- /dev/null
+++ b/modules/kubernetes/authentik/userlist.txt
@@ -0,0 +1 @@
+"authentik" "${password}"
diff --git a/modules/kubernetes/authentik/values.yaml b/modules/kubernetes/authentik/values.yaml
index b6a42960..df59f811 100644
--- a/modules/kubernetes/authentik/values.yaml
+++ b/modules/kubernetes/authentik/values.yaml
@@ -6,7 +6,9 @@ authentik:
 error_reporting:
 enabled: true
 postgresql:
- host: postgresql.dbaas
+ # host: postgresql.dbaas
+ host: pgbouncer.authentik
+ port: 6432
 user: authentik
 password: ${postgres_password}
 redis:
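Review bot: The commented-out `# host: postgresql.dbaas` is dead configuration that leaves the next reader guessing which host is live; delete it and keep only `host: pgbouncer.authentik` and `port: 6432`, with history holding the old value. Routing authentik through the pooler in `pool_mode = transaction` (set in the pgbouncer.ini hunk) means session-scoped state such as server-side prepared statements or `SET` is not preserved between queries; whether authentik's database settings are compatible with that is not visible here, so confirm it before rollout and record the decision in a comment above `host:`.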