From 3ff49b7e473239ebcee7f7da1c3426bdbccdaaf5 Mon Sep 17 00:00:00 2001 From: Michael Highstead Date: Fri, 16 Aug 2024 11:24:55 -0400 Subject: [PATCH 1/2] Add server_tls to helm charts Adds server_tls, server certificates, and dns to the helm chart with defaults based on docs currently on the site with their same defaults. --- charts/pgcat/templates/secret.yaml | 4 ++++ charts/pgcat/values.yaml | 18 ++++++++++++++++++ 2 files changed, 22 insertions(+) diff --git a/charts/pgcat/templates/secret.yaml b/charts/pgcat/templates/secret.yaml index 05711ea9..fab017d5 100644 --- a/charts/pgcat/templates/secret.yaml +++ b/charts/pgcat/templates/secret.yaml @@ -25,6 +25,10 @@ stringData: tcp_keepalives_idle = {{ .Values.configuration.general.tcp_keepalives_idle }} tcp_keepalives_count = {{ .Values.configuration.general.tcp_keepalives_count }} tcp_keepalives_interval = {{ .Values.configuration.general.tcp_keepalives_interval }} + server_tls = {{ .Values.configuration.general.server_tls }} + verify_server_certificate = {{ .Values.configuration.verify_server_certificate }} + dns_cache_enabled = {{ .Values.configuration.general.dns_cache_enabled }} + dns_max_ttl = {{ .Values.configuration.general.dns_max_ttl }} {{- if and (ne .Values.configuration.general.tls_certificate "-") (ne .Values.configuration.general.tls_private_key "-") }} tls_certificate = "{{ .Values.configuration.general.tls_certificate }}" tls_private_key = "{{ .Values.configuration.general.tls_private_key }}" diff --git a/charts/pgcat/values.yaml b/charts/pgcat/values.yaml index 86be4104..dd40f64c 100644 --- a/charts/pgcat/values.yaml +++ b/charts/pgcat/values.yaml @@ -235,6 +235,24 @@ configuration: # Number of seconds between keepalive packets. tcp_keepalives_interval: 5 + # Enable TLS connections from PgCat to Postgres servers. Postgres has to be configured to support TLS, + # which is typical to be the case for Postgres distributed via package managers. + server_tls: false + + # If server_tls is enabled, validate that the server certificate is valid. This disallows connections + # for self-signed certificates which haven't been added to the root store on the machines running PgCat. + verify_server_certificate: false + + # If enabled, PgCat will resolve and cache DNS of Postgres servers, overriding default TTL provided by + # system DNS servers. This is useful when using DNS for configuring traffic routing to Postgres servers: + # if the IP resolved by the DNS query changed from its previously cached value, the connection pool will + # be automatically recreated with connections to the new Postgres server. + dns_cache_enabled: false + + # Maximum number of seconds to keep cached DNS values. Once this timeout expires, a DNS refresh is + # performed against all targets in the cache. + dns_max_ttl: 30 + ## pool ## configs are structured as pool. ## the pool_name is what clients use as database name when connecting From 8da9a647b3fad2a891736a9f965d994f9fced954 Mon Sep 17 00:00:00 2001 From: Michael Highstead Date: Fri, 16 Aug 2024 11:32:25 -0400 Subject: [PATCH 2/2] fix missing reference --- charts/pgcat/templates/secret.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/charts/pgcat/templates/secret.yaml b/charts/pgcat/templates/secret.yaml index fab017d5..1fb28997 100644 --- a/charts/pgcat/templates/secret.yaml +++ b/charts/pgcat/templates/secret.yaml @@ -26,7 +26,7 @@ stringData: tcp_keepalives_count = {{ .Values.configuration.general.tcp_keepalives_count }} tcp_keepalives_interval = {{ .Values.configuration.general.tcp_keepalives_interval }} server_tls = {{ .Values.configuration.general.server_tls }} - verify_server_certificate = {{ .Values.configuration.verify_server_certificate }} + verify_server_certificate = {{ .Values.configuration.general.verify_server_certificate }} dns_cache_enabled = {{ .Values.configuration.general.dns_cache_enabled }} dns_max_ttl = {{ .Values.configuration.general.dns_max_ttl }} {{- if and (ne .Values.configuration.general.tls_certificate "-") (ne .Values.configuration.general.tls_private_key "-") }}