Feature Request: Add Helm values for PgBouncer directory permissions customization
Problem Statement
When using the Zalando Postgres Operator with Iron Bank hardened container images (or other custom base images), PgBouncer pods can fail due to permission issues on /etc/pgbouncer, /var/log/pgbouncer, and /var/run/pgbouncer directories.
The operator's pooler-connection-sidecar container runs as the same UID as the PgBouncer container (UID 100) and writes TLS certificates to /etc/pgbouncer at runtime. If the base image has these directories configured as read-only or with incompatible permissions, PgBouncer fails with CrashLoopBackOff.
Current Workaround
Users must build custom PgBouncer images with modified permissions:
FROM registry1.dso.mil/ironbank/opensource/pgbouncer/pgbouncer:1.24.0
# Make directories writable by pgbouncer user (UID 100, GID 101)
RUN chown -R 100:101 /etc/pgbouncer /var/log/pgbouncer /var/run/pgbouncer \
&& chmod 0750 /etc/pgbouncer /var/log/pgbouncer /var/run/pgbouncer
USER 100:101Proposed Solution
Add Helm values similar to Spilo's pod environment variable support to allow customizing PgBouncer directory permissions without requiring custom images.
For example:
connectionPooler:
podEnvironmentConfigMap: pgbouncer-config
podEnvironmentSecret: pgbouncer-secrets
initContainers:
- name: fix-permissions
image: busybox:latest
command: ['sh', '-c', 'chown -R 100:101 /etc/pgbouncer /var/log/pgbouncer /var/run/pgbouncer && chmod 0750 /etc/pgbouncer /var/log/pgbouncer /var/run/pgbouncer']
volumeMounts:
- name: pgbouncer-config
mountPath: /etc/pgbouncer
- name: pgbouncer-logs
mountPath: /var/log/pgbouncer
- name: pgbouncer-run
mountPath: /var/run/pgbouncerOr add specific Helm values:
connectionPooler:
directoryPermissions:
enabled: true
uid: 100
gid: 101
mode: "0750"
paths:
- /etc/pgbouncer
- /var/log/pgbouncer
- /var/run/pgbouncerBenefits
- Iron Bank Compliance: Supports hardened container images without custom builds
- Flexibility: Users can adapt to different base image security policies
- Consistency: Matches existing Spilo customization patterns in the operator
- Maintainability: Eliminates need for maintaining custom image builds
Environment
- Zalando Postgres Operator: v1.15.0
- Base Image: Iron Bank PgBouncer 1.24.0
- Kubernetes: 1.31
Related Issues
This is similar to how Spilo supports podEnvironmentConfigMap and podEnvironmentSecret for customization without requiring custom images.
Feature Request: Add Helm values for PgBouncer directory permissions customization
Problem Statement
When using the Zalando Postgres Operator with Iron Bank hardened container images (or other custom base images), PgBouncer pods can fail due to permission issues on
/etc/pgbouncer,/var/log/pgbouncer, and/var/run/pgbouncerdirectories.The operator's
pooler-connection-sidecarcontainer runs as the same UID as the PgBouncer container (UID 100) and writes TLS certificates to/etc/pgbouncerat runtime. If the base image has these directories configured as read-only or with incompatible permissions, PgBouncer fails withCrashLoopBackOff.Current Workaround
Users must build custom PgBouncer images with modified permissions:
Proposed Solution
Add Helm values similar to Spilo's pod environment variable support to allow customizing PgBouncer directory permissions without requiring custom images.
For example:
Or add specific Helm values:
Benefits
Environment
Related Issues
This is similar to how Spilo supports
podEnvironmentConfigMapandpodEnvironmentSecretfor customization without requiring custom images.