Intial commit.

Dockerfile

@@ -0,0 +1,22 @@
+FROM --platform=${TARGETPLATFORM} alpine:3.13
+
+ARG TARGETPLATFORM
+ARG BUILDPLATFORM
+
+RUN apk --update add libevent openssl c-ares gettext ca-certificates pgbouncer
+
+WORKDIR /
+
+RUN addgroup -S pgbouncer  \
+	&& adduser -S pgbouncer  \
+	&& mkdir -p /etc/pgbouncer /var/log/pgbouncer /var/run/pgbouncer
+
+COPY pgbouncer.ini.tmpl /etc/pgbouncer/
+COPY auth_file.txt.tmpl /etc/pgbouncer/
+COPY entrypoint.sh /
+
+RUN chown -R pgbouncer:pgbouncer /var/log/pgbouncer /var/run/pgbouncer /etc/pgbouncer /etc/ssl/certs \
+    && chmod +x /entrypoint.sh
+    
+USER pgbouncer:pgbouncer
+ENTRYPOINT ["/bin/sh", "/entrypoint.sh"]

auth_file.txt.tmpl

@@ -0,0 +1,2 @@
+"$PGUSER" "$PGPASSWORD"
+"$STATS_USER" "$STATS_PASSWORD"

entrypoint.sh

@@ -0,0 +1,17 @@
+#!/bin/sh
+
+set -ex
+
+if [ "$PGUSER" = "postgres" ]; then
+    echo "WARNING: pgbouncer will connect with a superuser privileges!"
+    echo "You need to fix this as soon as possible."
+fi
+
+openssl req -nodes -new -x509 -subj /CN=spilo.dummy.org \
+    -keyout /etc/ssl/certs/pgbouncer.key \
+    -out /etc/ssl/certs/pgbouncer.crt
+
+envsubst < /etc/pgbouncer/pgbouncer.ini.tmpl > /etc/pgbouncer/pgbouncer.ini
+envsubst < /etc/pgbouncer/auth_file.txt.tmpl > /etc/pgbouncer/auth_file.txt
+
+exec /usr/bin/pgbouncer /etc/pgbouncer/pgbouncer.ini

pgbouncer.ini.tmpl

@@ -0,0 +1,57 @@
+# vim: set ft=dosini:
+
+[databases]
+* = host=$PGHOST port=$PGPORT auth_user=$PGUSER
+
+[pgbouncer]
+pool_mode = $CONNECTION_POOLER_MODE
+listen_port = $CONNECTION_POOLER_PORT
+listen_addr = *
+auth_type = plain
+auth_file = /etc/pgbouncer/auth_file.txt
+admin_users = $PGUSER
+stats_users = $STATS_USER
+auth_query = SELECT * FROM $PGSCHEMA.user_lookup($1)
+logfile = /var/log/pgbouncer/pgbouncer.log
+pidfile = /var/run/pgbouncer/pgbouncer.pid
+
+server_tls_sslmode = require
+server_tls_ca_file = /etc/ssl/certs/pgbouncer.crt
+server_tls_protocols = secure
+client_tls_sslmode = require
+client_tls_key_file = /etc/ssl/certs/pgbouncer.key
+client_tls_cert_file = /etc/ssl/certs/pgbouncer.crt
+
+log_connections = 0
+log_disconnections = 0
+
+# How many server connections to allow per user/database pair.
+default_pool_size = $CONNECTION_POOLER_DEFAULT_SIZE
+
+# Add more server connections to pool if below this number. Improves behavior
+# when usual load comes suddenly back after period of total inactivity.
+min_pool_size = $CONNECTION_POOLER_MIN_SIZE
+
+# How many additional connections to allow to a pool
+reserve_pool_size = $CONNECTION_POOLER_RESERVE_SIZE
+
+# Maximum number of client connections allowed.
+max_client_conn = $CONNECTION_POOLER_MAX_CLIENT_CONN
+
+# Do not allow more than this many connections per database (regardless of
+# pool, i.e. user)
+max_db_connections = $CONNECTION_POOLER_MAX_DB_CONN
+
+# If a client has been in "idle in transaction" state longer, it will be
+# disconnected. [seconds]
+idle_transaction_timeout = 600
+
+# If login failed, because of failure from connect() or authentication that
+# pooler waits this much before retrying to connect. Default is 15. [seconds]
+server_login_retry = 5
+
+# To ignore extra parameter in startup packet. By default only 'database' and
+# 'user' are allowed, all others raise error.  This is needed to tolerate
+# overenthusiastic JDBC wanting to unconditionally set 'extra_float_digits=2'
+# in startup packet.
+ignore_startup_parameters = extra_float_digits,options