Connection pooling v1
EDB Postgres for Kubernetes provides native support for connection pooling with
PgBouncer, one of the most popular open source
connection poolers for PostgreSQL, through the Pooler
custom resource definition (CRD).
In brief, a pooler in EDB Postgres for Kubernetes is a deployment of PgBouncer pods that sits
between your applications and a PostgreSQL service, for example, the rw
service. It creates a separate, scalable, configurable, and highly available
database access layer.
Architecture
The following diagram highlights how introducing a database access layer based on PgBouncer changes the architecture of EDB Postgres for Kubernetes. Instead of directly connecting to the PostgreSQL primary service, applications can connect to the equivalent service for PgBouncer. This ability enables reuse of existing connections for faster performance and better resource management on the PostgreSQL side.
Quick start
This example helps to show how EDB Postgres for Kubernetes implements a PgBouncer pooler:
Important
The pooler name can't be the same as any cluster name in the same namespace.
This example creates a Pooler
resource called pooler-example-rw
that's strictly associated with the Postgres Cluster
resource called
cluster-example
. It points to the primary, identified by the read/write
service (rw
, therefore cluster-example-rw
).
The Pooler
resource must live in the same namespace as the Postgres cluster.
It consists of a Kubernetes deployment of 3 pods running the
latest stable image of PgBouncer,
configured with the session
pooling mode
and accepting up to 1000 connections each. The default pool size is 10
user/database pairs toward PostgreSQL.
Important
The Pooler
resource sets only the *
fallback database in PgBouncer. This setting means that
that all parameters in the connection strings passed from the client are
relayed to the PostgreSQL server. For details, see "Section [databases]"
in the PgBouncer documentation.
EDB Postgres for Kubernetes also creates a secret with the same name as the pooler containing the configuration files used with PgBouncer.
API reference
For details, see PgBouncerSpec
in the API reference.
Pooler resource lifecycle
Pooler
resources aren't cluster-managed resources. You create poolers
manually when they're needed. You can also deploy multiple poolers per
PostgreSQL cluster.
What's important is that the life cycles of the Cluster
and the Pooler
resources are currently independent. Deleting the cluster doesn't imply the
deletion of the pooler, and vice versa.
Important
Once you know how a pooler works, you have full freedom in terms of possible architectures. You can have clusters without poolers, clusters with a single pooler, or clusters with several poolers, that is, one per application.
Important
When the operator is upgraded, the pooler pods will undergo a rolling upgrade. This is necessary to ensure that the instance manager within the pooler pods is also upgraded.
Security
Any PgBouncer pooler is transparently integrated with EDB Postgres for Kubernetes support for in-transit encryption by way of TLS connections, both on the client (application) and server (PostgreSQL) side of the pool.
Specifically, PgBouncer reuses the certificates of the PostgreSQL server. It
also uses TLS client certificate authentication to connect to the PostgreSQL
server to run the auth_query
for clients' password authentication (see
Authentication).
Containers run as the pgbouncer system user, and access to the pgbouncer
database is allowed only by way of local connections, through peer authentication.
Certificates
By default, a PgBouncer pooler uses the same certificates that are used by the cluster. However, if you provide those certificates, the pooler accepts secrets with the following formats:
- Basic Auth
- TLS
- Opaque
In the Opaque case, it looks for the following specific keys that need to be used:
- tls.crt
- tls.key
So you can treat this secret as a TLS secret, and start from there.
Authentication
Password-based authentication is the only supported method for clients of PgBouncer in EDB Postgres for Kubernetes.
Internally, the implementation relies on PgBouncer's auth_user
and
auth_query
options. Specifically, the operator:
- Creates a standard user called
cnp_pooler_pgbouncer
in the PostgreSQL server - Creates the lookup function in the
postgres
database and grants execution privileges to the cnp_pooler_pgbouncer user (PoLA) - Issues a TLS certificate for this user
- Sets
cnp_pooler_pgbouncer
as theauth_user
- Configures PgBouncer to use the TLS certificate to authenticate
cnp_pooler_pgbouncer
against the PostgreSQL server - Removes all the above when it detects that a cluster doesn't have any pooler associated to it
Important
If you specify your own secrets, the operator doesn't automatically integrate the pooler.
To manually integrate the pooler, if you specified your own secrets, you must run the following queries from inside your cluster.
First, you must create the role:
Then, for each application database, grant the permission for
cnp_pooler_pgbouncer
to connect to it:
Finally, as a superuser connect in each application database, and then create the authentication function inside each of the application databases:
Important
Given that user_search
is a SECURITY DEFINER
function, you need to
create it through a role with SUPERUSER
privileges, such as the postgres
user.
Pod templates
You can take advantage of pod templates specification in the template
section of a Pooler
resource. For details, see
PoolerSpec
in the API reference.
Using templates, you can configure pods as you like, including fine control
over affinity and anti-affinity rules for pods and nodes. By default,
containers use images from quay.io/enterprisedb/pgbouncer
.
This example shows Pooler
specifying `PodAntiAffinity``:
Note
Explicitly set .spec.template.spec.containers
to []
when not modified,
as it's a required field for a PodSpec
. If .spec.template.spec.containers
isn't set, the Kubernetes api-server returns the following error when trying to
apply the manifest:error validating "pooler.yaml": error validating data:
ValidationError(Pooler.spec.template.spec): missing required field
"containers"
This example sets resources and changes the used image:
Service Template
Sometimes, your pooler will require some different labels, annotations, or even change
the type of the service, you can achieve that by using the serviceTemplate
field:
The operator by default adds a ServicePort
with the following data:
Warning
Specifying a ServicePort
with the name pgbouncer
or the port 5432
will prevent the default ServicePort
from being added.
This because ServicePort
entries with the same name
or port
are not allowed on Kubernetes and result in errors.
High availability (HA)
Because of Kubernetes' deployments, you can configure your pooler to run on a
single instance or over multiple pods. The exposed service makes sure that your
clients are randomly distributed over the available pods running PgBouncer,
which then manages and reuses connections toward the underlying server (if
using the rw
service) or servers (if using the ro
service with multiple
replicas).
Warning
If your infrastructure spans multiple availability zones with high latency across them, be aware of network hops. Consider, for example, the case of your application running in zone 2, connecting to PgBouncer running in zone 3, and pointing to the PostgreSQL primary in zone 1.
PgBouncer configuration options
The operator manages most of the configuration options for PgBouncer, allowing you to modify only a subset of them.
Warning
You are responsible for correctly setting the value of each option, as the operator doesn't validate them.
These are the PgBouncer options you can customize, with links to the PgBouncer documentation for each parameter. Unless stated otherwise, the default values are the ones directly set by PgBouncer.
application_name_add_host
autodb_idle_timeout
client_idle_timeout
client_login_timeout
default_pool_size
disable_pqexec
idle_transaction_timeout
ignore_startup_parameters
: to be appended toextra_float_digits,options
- required by CNPlog_connections
log_disconnections
log_pooler_errors
log_stats
: by default disabled (0
), given that statistics are already collected by the Prometheus export as described in the "Monitoring" section belowmax_client_conn
max_db_connections
max_prepared_statements
max_user_connections
min_pool_size
query_timeout
query_wait_timeout
reserve_pool_size
reserve_pool_timeout
server_check_delay
server_check_query
server_connect_timeout
server_fast_close
server_idle_timeout
server_lifetime
server_login_retry
server_reset_query
server_reset_query_always
server_round_robin
stats_period
tcp_keepalive
tcp_keepcnt
tcp_keepidle
tcp_keepintvl
tcp_user_timeout
verbose
Customizations of the PgBouncer configuration are written declaratively in the
.spec.pgbouncer.parameters
map.
The operator reacts to the changes in the pooler specification, and every PgBouncer instance reloads the updated configuration without disrupting the service.
Warning
Every PgBouncer pod has the same configuration, aligned with the parameters in the specification. A mistake in these parameters might disrupt the operability of the whole pooler. The operator doesn't validate the value of any option.
Monitoring
The PgBouncer implementation of the Pooler
comes with a default
Prometheus exporter. It makes available several
metrics having the cnp_pgbouncer_
prefix by running:
SHOW LISTS
(prefix:cnp_pgbouncer_lists
)SHOW POOLS
(prefix:cnp_pgbouncer_pools
)SHOW STATS
(prefix:cnp_pgbouncer_stats
)
Like the EDB Postgres for Kubernetes instance, the exporter runs on port
9127
of each pod running PgBouncer and also provides metrics related to the
Go runtime (with the prefix go_*
).
Info
You can inspect the exported metrics on a pod running PgBouncer. For instructions, see
How to inspect the exported metrics.
Make sure that you use the correct IP and the 9127
port.
This example shows the output for cnp_pgbouncer
metrics:
As for clusters, a specific pooler can be monitored using the
Prometheus operator's resource
PodMonitor.
A PodMonitor
correctly pointing to a pooler can be created by the operator by setting
.spec.monitoring.enablePodMonitor
to true
in the Pooler
resource. The default is false
.
Important
Any change to PodMonitor
created automatically is overridden by the
operator at the next reconciliation cycle. If you need to customize it, you can
do so as shown in the following example.
To deploy a PodMonitor
for a specific pooler manually, you can define it as
follows and change it as needed:
Logging
Logs are directly sent to standard output, in JSON format, like in the following example:
Pausing connections
The Pooler
specification allows you to take advantage of PgBouncer's PAUSE
and RESUME
commands, using only declarative configuration. You can ado this
using the paused
option, which by default is set to false
. When set to
true
, the operator internally invokes the PAUSE
command in PgBouncer,
which:
- Closes all active connections toward the PostgreSQL server, after waiting for the queries to complete
- Pauses any new connection coming from the client
When the paused
option is reset to false
, the operator invokes the
RESUME
command in PgBouncer, reopening the taps toward the PostgreSQL
service defined in the Pooler
resource.
PAUSE
For more information, see
PAUSE
in the PgBouncer documentation.
Important
In future versions, the switchover operation will be fully integrated
with the PgBouncer pooler and take advantage of the PAUSE
/RESUME
features to reduce the perceived downtime by client applications.
Currently, you can achieve the same results by setting the paused
attribute to true
, issuing the switchover command through the
cnp
plugin, and then restoring the paused
attribute to false
.
Limitations
Single PostgreSQL cluster
The current implementation of the pooler is designed to work as part of a specific EDB Postgres for Kubernetes cluster (a service). It isn't currently possible to create a pooler that spans multiple clusters.
Controlled configurability
EDB Postgres for Kubernetes transparently manages several configuration options that are used
for the PgBouncer layer to communicate with PostgreSQL. Such options aren't
configurable from outside and include TLS certificates, authentication
settings, the databases
section, and the users
section. Also, considering
the specific use case for the single PostgreSQL cluster, the adopted criteria
is to explicitly list the options that can be configured by users.
Note
The adopted solution likely addresses the majority of use cases. It leaves room for the future implementation of a separate operator for PgBouncer to complete the gamma with more advanced and customized scenarios.