root: support db pool (#13534)

Author: rissson

authentik/lib/config.py

@@ -356,6 +356,14 @@ def redis_url(db: int) -> str:
 def django_db_config(config: ConfigLoader | None = None) -> dict:
     if not config:
         config = CONFIG
+
+    pool_options = False
+    use_pool = config.get_bool("postgresql.use_pool", False)
+    if use_pool:
+        pool_options = config.get_dict_from_b64_json("postgresql.pool_options", True)
+        if not pool_options:
+            pool_options = True
+
     db = {
         "default": {
             "ENGINE": "authentik.root.db",
@@ -369,6 +377,7 @@ def django_db_config(config: ConfigLoader | None = None) -> dict:
                 "sslrootcert": config.get("postgresql.sslrootcert"),
                 "sslcert": config.get("postgresql.sslcert"),
                 "sslkey": config.get("postgresql.sslkey"),
+                "pool": pool_options,
             },
             "CONN_MAX_AGE": config.get_optional_int("postgresql.conn_max_age", 0),
             "CONN_HEALTH_CHECKS": config.get_bool("postgresql.conn_health_checks", False),

authentik/lib/default.yml

@@ -21,6 +21,7 @@ postgresql:
   user: authentik
   port: 5432
   password: "env://POSTGRES_PASSWORD"
+  use_pool: False
   test:
     name: test_authentik
   default_schema: public

authentik/lib/tests/test_config.py

@@ -217,6 +217,7 @@ def test_db_default(self):
                     "HOST": "foo",
                     "NAME": "foo",
                     "OPTIONS": {
+                        "pool": False,
                         "sslcert": "foo",
                         "sslkey": "foo",
                         "sslmode": "foo",
@@ -267,6 +268,7 @@ def test_db_read_replicas(self):
                     "HOST": "foo",
                     "NAME": "foo",
                     "OPTIONS": {
+                        "pool": False,
                         "sslcert": "foo",
                         "sslkey": "foo",
                         "sslmode": "foo",
@@ -285,6 +287,7 @@ def test_db_read_replicas(self):
                     "HOST": "bar",
                     "NAME": "foo",
                     "OPTIONS": {
+                        "pool": False,
                         "sslcert": "foo",
                         "sslkey": "foo",
                         "sslmode": "foo",
@@ -333,6 +336,7 @@ def test_db_read_replicas_pgbouncer(self):
                     "HOST": "foo",
                     "NAME": "foo",
                     "OPTIONS": {
+                        "pool": False,
                         "sslcert": "foo",
                         "sslkey": "foo",
                         "sslmode": "foo",
@@ -351,6 +355,7 @@ def test_db_read_replicas_pgbouncer(self):
                     "HOST": "bar",
                     "NAME": "foo",
                     "OPTIONS": {
+                        "pool": False,
                         "sslcert": "foo",
                         "sslkey": "foo",
                         "sslmode": "foo",
@@ -394,6 +399,7 @@ def test_db_read_replicas_pgpool(self):
                     "HOST": "foo",
                     "NAME": "foo",
                     "OPTIONS": {
+                        "pool": False,
                         "sslcert": "foo",
                         "sslkey": "foo",
                         "sslmode": "foo",
@@ -412,6 +418,7 @@ def test_db_read_replicas_pgpool(self):
                     "HOST": "bar",
                     "NAME": "foo",
                     "OPTIONS": {
+                        "pool": False,
                         "sslcert": "foo",
                         "sslkey": "foo",
                         "sslmode": "foo",
@@ -451,6 +458,7 @@ def test_db_read_replicas_diff_ssl(self):
                     "HOST": "foo",
                     "NAME": "foo",
                     "OPTIONS": {
+                        "pool": False,
                         "sslcert": "foo",
                         "sslkey": "foo",
                         "sslmode": "foo",
@@ -469,6 +477,7 @@ def test_db_read_replicas_diff_ssl(self):
                     "HOST": "bar",
                     "NAME": "foo",
                     "OPTIONS": {
+                        "pool": False,
                         "sslcert": "bar",
                         "sslkey": "foo",
                         "sslmode": "foo",
@@ -484,3 +493,87 @@ def test_db_read_replicas_diff_ssl(self):
                 },
             },
         )
+
+    def test_db_pool(self):
+        """Test DB Config with pool"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pool", True)
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "pool": True,
+                        "sslcert": None,
+                        "sslkey": None,
+                        "sslmode": None,
+                        "sslrootcert": None,
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                }
+            },
+        )
+
+    def test_db_pool_options(self):
+        """Test DB Config with pool"""
+        config = ConfigLoader()
+        config.set("postgresql.host", "foo")
+        config.set("postgresql.name", "foo")
+        config.set("postgresql.user", "foo")
+        config.set("postgresql.password", "foo")
+        config.set("postgresql.port", "foo")
+        config.set("postgresql.test.name", "foo")
+        config.set("postgresql.use_pool", True)
+        config.set(
+            "postgresql.pool_options",
+            base64.b64encode(
+                dumps(
+                    {
+                        "max_size": 15,
+                    }
+                ).encode()
+            ).decode(),
+        )
+        conf = django_db_config(config)
+        self.assertEqual(
+            conf,
+            {
+                "default": {
+                    "ENGINE": "authentik.root.db",
+                    "HOST": "foo",
+                    "NAME": "foo",
+                    "OPTIONS": {
+                        "pool": {
+                            "max_size": 15,
+                        },
+                        "sslcert": None,
+                        "sslkey": None,
+                        "sslmode": None,
+                        "sslrootcert": None,
+                    },
+                    "PASSWORD": "foo",
+                    "PORT": "foo",
+                    "TEST": {"NAME": "foo"},
+                    "USER": "foo",
+                    "CONN_MAX_AGE": 0,
+                    "CONN_HEALTH_CHECKS": False,
+                    "DISABLE_SERVER_SIDE_CURSORS": False,
+                }
+            },
+        )

pyproject.toml

@@ -47,7 +47,7 @@ dependencies = [
     "opencontainers",
     "packaging",
     "paramiko",
-    "psycopg[c]",
+    "psycopg[c, pool]",
     "pydantic",
     "pydantic-scim",
     "pyjwt",

uv.lock

@@ -19,6 +19,8 @@ Previously, sessions were stored by default in the cache. Now, they are stored i
 
 ## New features
 
+### Postgres pool
+
 ## Upgrading
 
 This release does not introduce any new requirements. You can follow the upgrade instructions below; for more detailed information about upgrading authentik, refer to our [Upgrade documentation](../../install-config/upgrade.mdx).