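---
# PgBouncer connection pooler for PostgreSQL: namespace, credentials, TLS
# material, configuration, a two-replica Deployment and a ClusterIP Service.
apiVersion: v1
kind: Namespace
metadata:
  name: pgbouncer
---
# PgBouncer auth_file. Format is one entry per line: "username" "secret".
# With auth_type = md5 the stored MD5 hash is password-equivalent, so treat
# this manifest as a credential: do not commit real values to version control;
# inject them from a secret store or a sealed/encrypted secret instead.
apiVersion: v1
kind: Secret
metadata:
  name: pgbouncer-users
  namespace: pgbouncer
type: Opaque
stringData:
  # Fixed: the user name was missing its closing quote, which made the
  # entry unparseable as a "user" "secret" pair.
  userlist.txt: |
    "example_user" "md535412bdc28167fbcdcef2c25bafd2f21"
---
# TLS material mounted at /etc/pgbouncer/tls. Values under `data` must be
# base64-encoded PEM. The placeholders below are deliberately not valid
# base64, so the manifest is rejected until real values are supplied rather
# than silently mounting empty key/cert files.
# Fixed: the original nested `data:` inside `data:`, which is not a valid
# Secret schema, and left every value empty (null).
apiVersion: v1
kind: Secret
metadata:
  name: pgbouncer-tls
  namespace: pgbouncer
type: Opaque
data:
  ca.crt: "<BASE64_CA_CERT>"
  client.crt: "<BASE64_CLIENT_CERT>"
  client.key: "<BASE64_CLIENT_KEY>"
  server.crt: "<BASE64_SERVER_CERT>"
  server.key: "<BASE64_SERVER_KEY>"
---
# PgBouncer configuration. Review notes for the settings below:
# - auth_type = md5 is kept to match the md5 entry in userlist.txt; prefer
#   scram-sha-256 once the auth file holds SCRAM secrets.
# - server_tls_sslmode = verify-ca validates the PostgreSQL certificate chain
#   but not the host name; verify-full adds the host-name check if the
#   server certificate carries a matching name.
# - client_tls_sslmode = require enforces TLS but does not validate client
#   certificates; use verify-ca/verify-full if clients must present one.
# - listen_addr = 0.0.0.0 is needed inside the pod; restrict who can reach
#   port 6432 with a NetworkPolicy in this namespace.
# - The [databases] entry had its alias, host, dbname and auth_user values
#   blank; they are shown as labelled placeholders to be filled in.
apiVersion: v1
kind: ConfigMap
metadata:
  name: pgbouncer-config
  namespace: pgbouncer
data:
  pgbouncer.ini: |
    [pgbouncer]
    listen_addr = 0.0.0.0
    listen_port = 6432
    auth_type = md5
    auth_file = /etc/pgbouncer/userlist.txt
    # admin_users = admin
    pool_mode = transaction
    max_client_conn = 100
    default_pool_size = 20
    ignore_startup_parameters = extra_float_digits
    log_connections = 1
    log_disconnections = 1
    log_pooler_errors = 1
    log_stats = 1
    verbose = 0
    pidfile = /var/run/pgbouncer/pgbouncer.pid

    # TLS backend: PgBouncer → PostgreSQL
    server_tls_sslmode = verify-ca
    server_tls_ca_file = /etc/pgbouncer/tls/ca.crt
    server_tls_cert_file = /etc/pgbouncer/tls/client.crt
    server_tls_key_file = /etc/pgbouncer/tls/client.key
    server_tls_protocols = secure

    # TLS frontend
    client_tls_sslmode = require
    client_tls_key_file = /etc/pgbouncer/tls/server.key
    client_tls_cert_file = /etc/pgbouncer/tls/server.crt
    client_tls_ca_file = /etc/pgbouncer/tls/ca.crt
    client_tls_protocols = secure

    [databases]
    <DB_ALIAS> = host=<POSTGRES_HOST> port=5432 pool_mode=session dbname=<DB_NAME> auth_user="<AUTH_USER>"
---
# Two PgBouncer replicas. Config, user list and TLS material are mounted
# read-only from the ConfigMap and Secrets defined above.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: pgbouncer-deployment
  namespace: pgbouncer
spec:
  replicas: 2
  selector:
    matchLabels:
      app: pgbouncer
  template:
    metadata:
      labels:
        app: pgbouncer
    spec:
      # NOTE(review): no securityContext or resource limits are set. Once the
      # image's runtime user is confirmed, consider runAsNonRoot,
      # allowPrivilegeEscalation: false and dropping all capabilities, and
      # automountServiceAccountToken: false since a pooler presumably does
      # not need the Kubernetes API.
      containers:
        - name: pgbouncer
          # NOTE(review): `:latest` with IfNotPresent is a mutable reference;
          # nodes can end up running different builds and a changed upstream
          # image is pulled unreviewed. Pin to a version tag or an image
          # digest (<IMAGE_DIGEST>) for reproducible, auditable rollouts.
          image: sourcecode.confdroid.com/confdroid/confdroid_pgbouncer:latest
          imagePullPolicy: IfNotPresent
          ports:
            - containerPort: 6432
          volumeMounts:
            # subPath mounts do not pick up later ConfigMap/Secret updates;
            # restart the pods after rotating the config or the user list.
            - name: config
              mountPath: /etc/pgbouncer/pgbouncer.ini
              subPath: pgbouncer.ini
              readOnly: true
            - name: users
              mountPath: /etc/pgbouncer/userlist.txt
              subPath: userlist.txt
              readOnly: true
            - name: tls
              mountPath: /etc/pgbouncer/tls
              readOnly: true
          # TCP probes only confirm the listener accepts connections; they
          # do not exercise TLS or authentication.
          livenessProbe:
            tcpSocket:
              port: 6432
            initialDelaySeconds: 5
            periodSeconds: 10
          readinessProbe:
            tcpSocket:
              port: 6432
            initialDelaySeconds: 5
            periodSeconds: 10
      volumes:
        - name: config
          configMap:
            name: pgbouncer-config
        - name: users
          secret:
            secretName: pgbouncer-users
        - name: tls
          secret:
            secretName: pgbouncer-tls
---
# In-cluster Service (default type ClusterIP) exposing the pooler on 6432.
apiVersion: v1
kind: Service
metadata:
  name: pgbouncer-service
  namespace: pgbouncer
spec:
  selector:
    app: pgbouncer
  ports:
    # Fixed: Service port names must be DNS labels (lowercase alphanumerics
    # and '-'); the original `pgbouncer_port` contains an underscore and is
    # rejected by API validation.
    - name: pgbouncer
      port: 6432
      targetPort: 6432
      protocol: TCP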