Add PGBouncer TLS & Reconfigure TLS (#736)

Signed-off-by: Hiranmoy Das Chowdhury <[email protected]>

docs/examples/pgbouncer/reconfigure-tls/add-tls.yaml

@@ -0,0 +1,24 @@
+apiVersion: ops.kubedb.com/v1alpha1
+kind: PgBouncerOpsRequest
+metadata:
+  name: add-tls
+  namespace: demo
+spec:
+  type: ReconfigureTLS
+  databaseRef:
+    name: pb
+  tls:
+    sslMode: verify-full
+    clientAuthMode: md5
+    issuerRef:
+      name: pb-issuer
+      kind: Issuer
+      apiGroup: "cert-manager.io"
+    certificates:
+      - alias: client
+        subject:
+          organizations:
+            - pgbouncer
+          organizationalUnits:
+            - client
+  apply: Always

docs/examples/pgbouncer/reconfigure-tls/change-issuer.yaml

@@ -0,0 +1,14 @@
+apiVersion: ops.kubedb.com/v1alpha1
+kind: PgBouncerOpsRequest
+metadata:
+  name: change-issuer
+  namespace: demo
+spec:
+  type: ReconfigureTLS
+  databaseRef:
+    name: pb
+  tls:
+    issuerRef:
+      name: pb-new-issuer
+      kind: Issuer
+      apiGroup: "cert-manager.io"

docs/examples/pgbouncer/reconfigure-tls/issuer.yaml

@@ -0,0 +1,8 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: pb-issuer
+  namespace: demo
+spec:
+  ca:
+    secretName: pgbouncer-ca

docs/examples/pgbouncer/reconfigure-tls/new-issuer.yaml

@@ -0,0 +1,8 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: pb-new-issuer
+  namespace: demo
+spec:
+  ca:
+    secretName: pgbouncer-new-ca

docs/examples/pgbouncer/reconfigure-tls/pb.yaml

@@ -0,0 +1,23 @@
+apiVersion: kubedb.com/v1
+kind: PgBouncer
+metadata:
+  name: pb
+  namespace: demo
+spec:
+  replicas: 1
+  version: "1.18.0"
+  database:
+    syncUsers: true
+    databaseName: "postgres"
+    databaseRef:
+      name: "ha-postgres"
+      namespace: demo
+  connectionPool:
+    poolMode: session
+    port: 5432
+    reservePoolSize: 5
+    maxClientConnections: 87
+    defaultPoolSize: 2
+    minPoolSize: 1
+    authType: md5
+  deletionPolicy: WipeOut

docs/examples/pgbouncer/reconfigure-tls/remove-tls.yaml

@@ -0,0 +1,14 @@
+apiVersion: ops.kubedb.com/v1alpha1
+kind: PgBouncerOpsRequest
+metadata:
+  name: remove-tls
+  namespace: demo
+spec:
+  type: ReconfigureTLS
+  databaseRef:
+    name: pb
+  tls:
+    clientAuthMode: md5
+    remove: true
+  timeout: 5m
+  apply: IfReady

docs/examples/pgbouncer/reconfigure-tls/rotate-tls.yaml

@@ -0,0 +1,11 @@
+apiVersion: ops.kubedb.com/v1alpha1
+kind: PgBouncerOpsRequest
+metadata:
+  name: rotate-tls
+  namespace: demo
+spec:
+  type: ReconfigureTLS
+  databaseRef:
+    name: pb
+  tls:
+    rotateCertificates: true

docs/examples/pgbouncer/tls/issuer.yaml

@@ -0,0 +1,8 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: pgbouncer-ca-issuer
+  namespace: demo
+spec:
+  ca:
+    secretName: pgbouncer-ca

docs/examples/pgbouncer/tls/pgbouncer-ssl.yaml

@@ -0,0 +1,38 @@
+apiVersion: kubedb.com/v1
+kind: PgBouncer
+metadata:
+  name: pb-tls
+  namespace: demo
+spec:
+  replicas: 1
+  version: "1.18.0"
+  database:
+    syncUsers: true
+    databaseName: "postgres"
+    databaseRef:
+      name: "pg"
+      namespace: demo
+  connectionPool:
+    poolMode: session
+    port: 5432
+    reservePoolSize: 5
+    maxClientConnections: 87
+    defaultPoolSize: 2
+    minPoolSize: 1
+    authType: md5
+  deletionPolicy: WipeOut
+  sslMode: verify-ca
+  tls:
+    issuerRef:
+      apiGroup: cert-manager.io
+      name: pb-ca-issuer
+      kind: Issuer
+    certificates:
+      - alias: server
+        subject:
+          organizations:
+            - kubedb:server
+        dnsNames:
+          - localhost
+        ipAddresses:
+          - "127.0.0.1"

docs/guides/pgbouncer/reconfigure-tls/_index.md

@@ -0,0 +1,10 @@
+---
+title: Reconfigure PgBouncer TLS/SSL
+menu:
+  docs_{{ .version }}:
+    identifier: pb-reconfigure-tls
+    name: Reconfigure TLS/SSL
+    parent: pb-pgbouncer-guides
+    weight: 46
+menu_name: docs_{{ .version }}
+---

docs/guides/pgbouncer/reconfigure-tls/overview.md

@@ -0,0 +1,54 @@
+---
+title: Reconfiguring TLS of PgBouncer
+menu:
+  docs_{{ .version }}:
+    identifier: pb-reconfigure-tls-overview
+    name: Overview
+    parent: pb-reconfigure-tls
+    weight: 10
+menu_name: docs_{{ .version }}
+section_menu_id: guides
+---
+
+> New to KubeDB? Please start [here](/docs/README.md).
+
+# Reconfiguring TLS of PgBouncer
+
+This guide will give an overview on how KubeDB Ops-manager operator reconfigures TLS configuration i.e. add TLS, remove TLS, update issuer/cluster issuer or Certificates and rotate the certificates of a `PgBouncer`.
+
+## Before You Begin
+
+- You should be familiar with the following `KubeDB` concepts:
+  - [PgBouncer](/docs/guides/pgbouncer/concepts/pgbouncer.md)
+  - [PgBouncerOpsRequest](/docs/guides/pgbouncer/concepts/opsrequest.md)
+
+## How Reconfiguring PgBouncer TLS Configuration Process Works
+
+The following diagram shows how KubeDB Ops-manager operator reconfigures TLS of a `PgBouncer`. Open the image in a new tab to see the enlarged version.
+
+<figure align="center">
+  <img alt="Reconfiguring TLS process of PgBouncer" src="/docs/images/day-2-operation/pgbouncer/pb-reconfigure-tls.png">
+<figcaption align="center">Fig: Reconfiguring TLS process of PgBouncer</figcaption>
+</figure>
+
+The Reconfiguring PgBouncer TLS process consists of the following steps:
+
+1. At first, a user creates a `PgBouncer` Custom Resource Object (CRO).
+
+2. `KubeDB` Provisioner  operator watches the `PgBouncer` CRO.
+
+3. When the operator finds a `PgBouncer` CR, it creates `PetSet` and related necessary stuff like secrets, services, etc.
+
+4. Then, in order to reconfigure the TLS configuration of the `PgBouncer` the user creates a `PgBouncerOpsRequest` CR with desired information.
+
+5. `KubeDB` Ops-manager operator watches the `PgBouncerOpsRequest` CR.
+
+6. When it finds a `PgBouncerOpsRequest` CR, it pauses the `PgBouncer` object which is referred from the `PgBouncerOpsRequest`. So, the `KubeDB` Provisioner  operator doesn't perform any operations on the `PgBouncer` object during the reconfiguring TLS process.  
+
+7. Then the `KubeDB` Ops-manager operator will add, remove, update or rotate TLS configuration based on the Ops Request yaml.
+
+8. Then the `KubeDB` Ops-manager operator will restart all the Pods of the pgbouncer so that they restart with the new TLS configuration defined in the `PgBouncerOpsRequest` CR.
+
+9. After the successful reconfiguring of the `PgBouncer` TLS, the `KubeDB` Ops-manager operator resumes the `PgBouncer` object so that the `KubeDB` Provisioner  operator resumes its usual operations.
+
+In the next docs, we are going to show a step-by-step guide on reconfiguring TLS configuration of a PgBouncer using `PgBouncerOpsRequest` CRD.