Skip to content

reload PGBouncer when certificates change#20

Merged
boddumanohar merged 1 commit intomainfrom
hotreload-certs
Feb 26, 2026
Merged

reload PGBouncer when certificates change#20
boddumanohar merged 1 commit intomainfrom
hotreload-certs

Conversation

@boddumanohar
Copy link
Member

@boddumanohar boddumanohar commented Feb 23, 2026
edited
Loading

Changes

  • Install inotify-tools
  • when client_tls_sslmode = require is enabled on the configuration file, the files /vela/certs/tls.key and /vela/certs/tls.crt are required to start PGBouncer.
  • reload PGBouncer when something changes in /vela/certs

testing

Have manually rotated the certificate and PGBouncer got reloaded when the certificate changed

kubectl -n vela-01kj77ew3bwsv7p8bt7x04jt8h logs vela-autoscaler-vm-spscz | grep "Certificates modified"
Certificates modified, reloading PgBouncer...

@boddumanohar boddumanohar marked this pull request as ready for review February 24, 2026 14:12
@boddumanohar boddumanohar changed the title hotreload pgbouncer certs reload PGBouncer when certificates change Feb 24, 2026
noctarius
noctarius reviewed Feb 24, 2026
View reviewed changes
prototype/package/pgbouncer/pgbouncer-server Outdated
(
while true; do
inotifywait -e modify,create,delete,move,attrib /vela/certs
echo "Certificates modified, reloading PgBouncer..."
Copy link
Collaborator

@noctarius noctarius Feb 24, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Have you made sure there isn't any weird behavior which may reload this endlessly? Like the attributes (for example modification or access time) updating constantly?

Copy link
Member Author

@boddumanohar boddumanohar Feb 24, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

let me check and get back on this

Copy link
Member Author

@boddumanohar boddumanohar Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

updated the logic to also compare the checksums. And also to make the VM backward compatible, I've added the check to look for certificates only when client_tls_sslmode=require in the Postgres configuration.

mxsrc
mxsrc reviewed Feb 25, 2026
View reviewed changes
Copy link
Contributor

@mxsrc mxsrc left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I realize you implemented the checksum comparison to accommodate chris' comment, I think it's not necessary. Iirc, the modify events don't trigger on metadata, so adding a short sleep after reloading should be sufficient to avoid the concern. Or did you see other behavior in your testing?

prototype/package/pgbouncer/pgbouncer-server
(
last_checksum=""
while true; do
inotifywait -e modify,create,delete,move /vela/certs > /dev/null 2>&1
Copy link
Contributor

@mxsrc mxsrc Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Are the events correct here? I imagine that if something accidentally deletes or moves tls.{key,crt}, the script will fail. Can we only wait for the actual files we use, and for modify events or does something speak against that?

Copy link
Member Author

@boddumanohar boddumanohar Feb 25, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think it's a good idea to look for modifications to the files /vela/certs/tls.key and /vela/certs/tls.crt only. Instead of the entire folder

EDIT: Tried this didn't work. Probably due to the fact that k8s secrets are symlinks to an other folder.

Copy link
Member Author

@boddumanohar boddumanohar Feb 25, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

If the files are accidentally deleted, the loop triggers and sends SIGHUP to PGBouncer. But PgBouncer logs an error but keeps running with the old (currently loaded in-memory) configuration and certificates.

So I guess it's okay delete part of the event.

Copy link
Contributor

@mxsrc mxsrc Feb 25, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes sense, thanks for checking. Could you maybe this as a comment to avoid confusion?

@boddumanohar
Copy link
Member Author

boddumanohar commented Feb 25, 2026

I don't have a way to test out Chris' comment. So I've removed attrib from the events list and thought checksum could act as an additional guard. But it seems unnecessary as removing the attrib event itself is sufficient.

@mxsrc
Copy link
Contributor

mxsrc commented Feb 25, 2026

Great, good to go from my end, just the comment about the comment would be still nice to have :)

@boddumanohar boddumanohar merged commit 50df863 into main Feb 26, 2026
1 check passed
@boddumanohar boddumanohar deleted the hotreload-certs branch February 26, 2026 02:40
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@mxsrc mxsrc mxsrc approved these changes

@noctarius noctarius Awaiting requested review from noctarius

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@boddumanohar @mxsrc @noctarius