From 75aa863eeb860795613da7ee4dcec86100c0ee9b Mon Sep 17 00:00:00 2001
From: Viktor Barzin
Date: Wed, 8 Oct 2025 21:56:03 +0000
Subject: [PATCH] add pgbouncer in front of authentik to reduce postgres connections [ci skip]
---
modules/kubernetes/authentik/pgbouncer.ini | 14 +++
modules/kubernetes/authentik/pgbouncer.tf | 118 +++++++++++++++++++++
modules/kubernetes/authentik/userlist.txt | 1 +
modules/kubernetes/authentik/values.yaml | 4 +-
4 files changed, 136 insertions(+), 1 deletion(-)
create mode 100644 modules/kubernetes/authentik/pgbouncer.ini
create mode 100644 modules/kubernetes/authentik/pgbouncer.tf
create mode 100644 modules/kubernetes/authentik/userlist.txt
diff --git a/modules/kubernetes/authentik/pgbouncer.ini b/modules/kubernetes/authentik/pgbouncer.ini
new file mode 100644
index 00000000..e3dc4e4f
--- /dev/null
+++ b/modules/kubernetes/authentik/pgbouncer.ini
@@ -0,0 +1,14 @@
+[databases]
+authentik = host=postgresql.dbaas port=5432 dbname=authentik user=authentik password=${password}
+
+[pgbouncer]
+listen_addr = 0.0.0.0
+listen_port = 6432
+auth_type = md5
+auth_file = /etc/pgbouncer/userlist.txt
+pool_mode = transaction
+max_client_conn = 200
+default_pool_size = 20
+reserve_pool_size = 5
+reserve_pool_timeout = 5
+ignore_startup_parameters = extra_float_digits
diff --git a/modules/kubernetes/authentik/pgbouncer.tf b/modules/kubernetes/authentik/pgbouncer.tf
new file mode 100644
index 00000000..24620f6d
--- /dev/null
+++ b/modules/kubernetes/authentik/pgbouncer.tf
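Review bot: `auth_type = md5` selects the legacy MD5 challenge for client logins to the proxy; pgbouncer has supported `auth_type = scram-sha-256` since 1.14 and PostgreSQL 14+ defaults to SCRAM for stored passwords, so the line should read `auth_type = scram-sha-256` unless a known client cannot do SCRAM. The plaintext entry added in userlist.txt works with either setting, since pgbouncer computes the client-side verifier from it. Separately, `password=${password}` on the `[databases]` line is redundant — when the connect string carries no password pgbouncer takes it from `auth_file` — and it is the only reason this file contains a secret; dropping it matters because pgbouncer.tf renders this file into a ConfigMap (readable by anyone with configmap access in the namespace) while only userlist.txt goes into a Secret. Removing the `password=` fragment, or moving `pgbouncer.ini` into the same Secret as userlist.txt, closes that gap.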
@@ -0,0 +1,118 @@
+resource "kubernetes_config_map" "pgbouncer_config" {
+ metadata {
+ name = "pgbouncer-config"
+ namespace = "authentik"
+ }
+
+ data = {
+ "pgbouncer.ini" = templatefile("${path.module}/pgbouncer.ini", { password = var.postgres_password })
+ }
+}
+
+# --- 2️⃣ Secret for user credentials ---
+resource "kubernetes_secret" "pgbouncer_auth" {
+ metadata {
+ name = "pgbouncer-auth"
+ namespace = "authentik"
+ }
+
+ data = {
+ "userlist.txt" = templatefile("${path.module}/userlist.txt", { password = var.postgres_password })
+ }
+
+ type = "Opaque"
+}
+
+# --- 3️⃣ Deployment ---
+resource "kubernetes_deployment" "pgbouncer" {
+ metadata {
+ name = "pgbouncer"
+ namespace = "authentik"
+ labels = {
+ app = "pgbouncer"
+ }
+ }
+
+ spec {
+ replicas = 1
+
+ selector {
+ match_labels = {
+ app = "pgbouncer"
+ }
+ }
+
+ template {
+ metadata {
+ labels = {
+ app = "pgbouncer"
+ }
+ }
+
+ spec {
+ container {
+ name = "pgbouncer"
+ image = "edoburu/pgbouncer:latest"
+ image_pull_policy = "IfNotPresent"
+
+ port {
+ container_port = 6432
+ }
+
+ volume_mount {
+ name = "config"
+ mount_path = "/etc/pgbouncer/pgbouncer.ini"
+ sub_path = "pgbouncer.ini"
+ }
+
+ volume_mount {
+ name = "auth"
+ mount_path = "/etc/pgbouncer/userlist.txt"
+ sub_path = "userlist.txt"
+ }
+
+ env {
+ name = "DATABASES_AUTHENTIK"
+ value = "host=postgres port=5432 dbname=authentik user=authentik password=${var.postgres_password}"
+ }
+ }
+
+ volume {
+ name = "config"
+ config_map {
+ name = kubernetes_config_map.pgbouncer_config.metadata[0].name
+ }
+ }
+
+ volume {
+ name = "auth"
+ secret {
+ secret_name = kubernetes_secret.pgbouncer_auth.metadata[0].name
+ }
+ }
+ }
+ }
+ }
+}
+
+# --- 4️⃣ Service ---
+resource "kubernetes_service" "pgbouncer" {
+ metadata {
+ name = "pgbouncer"
+ namespace = "authentik"
+ }
+
+ spec {
+ selector = {
+ app = "pgbouncer"
+ }
+
+ port {
+ port = 6432
+ target_port = 6432
+ protocol = "TCP"
+ }
+
+ type = "ClusterIP"
+ }
+}
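Review bot: `image = "edoburu/pgbouncer:latest"` combined with `image_pull_policy = "IfNotPresent"` means each node runs whatever `latest` it last cached, so the proxy sitting in front of the identity provider is neither reproducible nor reviewable; pin a release tag and ideally a digest, e.g. `image = "edoburu/pgbouncer:<version>@sha256:<digest>"` (placeholders). The `DATABASES_AUTHENTIK` env block also copies the database password into the pod spec, where anyone who can read pods sees it, and its `host=postgres` disagrees with `host=postgresql.dbaas` in the mounted pgbouncer.ini; presumably the image's entrypoint only generates an ini from env when none is mounted, so this block looks dead and should be removed rather than kept as a second, conflicting source of truth. The container runs with no `security_context` and no `resources` block; adding `run_as_non_root = true` and `read_only_root_filesystem = true` under the container, plus limits, is cheap for a single-binary proxy.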
diff --git a/modules/kubernetes/authentik/userlist.txt b/modules/kubernetes/authentik/userlist.txt
new file mode 100644
index 00000000..024c3864
--- /dev/null
+++ b/modules/kubernetes/authentik/userlist.txt
@@ -0,0 +1 @@
+"authentik" "${password}"
diff --git a/modules/kubernetes/authentik/values.yaml b/modules/kubernetes/authentik/values.yaml
index b6a42960..df59f811 100644
--- a/modules/kubernetes/authentik/values.yaml
+++ b/modules/kubernetes/authentik/values.yaml
@@ -6,7 +6,9 @@ authentik:
 error_reporting:
 enabled: true
 postgresql:
- host: postgresql.dbaas
+ # host: postgresql.dbaas
+ host: pgbouncer.authentik
+ port: 6432
 user: authentik
 password: ${postgres_password}
 redis:
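Review bot: Switching `host` to `pgbouncer.authentik` commits authentik to the `pool_mode = transaction` set in pgbouncer.ini, under which session state does not survive across transactions — server-side prepared statements, session `SET`s, advisory locks and `LISTEN` break without a clear error; confirm that authentik tolerates transaction pooling before relying on this, or start from `pool_mode = session` and tighten later. The commented-out `# host: postgresql.dbaas` line is dead configuration that git history already preserves and should be dropped. Note too that nothing here tells the client what the hop is: if the old `postgresql.dbaas` connection was TLS-protected, the authentik→pgbouncer leg and the pgbouncer→server leg are now governed by the proxy's settings, and neither file in this change configures `server_tls_sslmode` or `client_tls_sslmode`, so the change is worth stating explicitly in the commit message or the ini.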