Support pgbouncer's client_tls_sslmode using a SelfSigned Certifica…

…te (#65)

* first pass at pgbouncer client cert support

* switch to cluster_issuer

* enable validate

* create cert outside of this role

CHANGES.rst

@@ -3,6 +3,16 @@ caktus.django-k8s
 
 Changes
 -------
+
+v1.8.0 on October 24, 2023
+~~~~~~~~~~~~~~~~~~~~~
+
+* `k8s_pgbouncer_selfsigned_certificate_name`: add support mounting a
+  Certificate from the `k8s_na````¡mespace` to pgBouncer's `/etc/pgbouncer/ssl/`
+  directory to enable TLS mode to use for connections from clients
+  (`client_tls_sslmode`).
+
+
 v1.7.0 on September 27th, 2023
 ~~~~~~~~~~~~~~~~~~~~~
 

defaults/main.yml

@@ -88,6 +88,10 @@ k8s_pgbouncer_enabled: false
 k8s_pgbouncer_repo: "edoburu/pgbouncer"
 k8s_pgbouncer_version: "1.18.0"
 k8s_pgbouncer_replicas: 1
+# Mount a Certificate from the k8s_namespace to pgBouncer's /etc/pgbouncer/ssl/
+# directory to enable TLS mode to use for connections from clients
+# (client_tls_sslmode)
+k8s_pgbouncer_selfsigned_certificate_name: ""
 k8s_pgbouncer_service_type: ClusterIP
 # If service_type is LoadBalancer, you can optionally assign a fixed IP for your
 # load balancer (if suppported by the provider):

templates/pgbouncer.yaml.j2

@@ -52,8 +52,20 @@ spec:
         envFrom:
         - secretRef:
             name: "pgbouncer-secrets"
+{% if k8s_pgbouncer_selfsigned_certificate_name %}
+        volumeMounts:
+        - mountPath: "/etc/pgbouncer/ssl"
+          name: {{ k8s_pgbouncer_selfsigned_certificate_name }}
+          readOnly: true
+{% endif %}
         ports:
         - containerPort: 5432
+{% if k8s_pgbouncer_selfsigned_certificate_name %}
+      volumes:
+      - name: {{ k8s_pgbouncer_selfsigned_certificate_name }}
+        secret:
+          secretName: {{ k8s_pgbouncer_selfsigned_certificate_name }}
+{% endif %}
 ---
 apiVersion: v1
 kind: Service