wip

Author: jwnx

internal/controller/postgrescluster/pgbouncer.go

@@ -54,6 +54,11 @@ func (r *Reconciler) reconcilePGBouncer(
 	if err == nil {
 		err = r.reconcilePGBouncerInPostgreSQL(ctx, cluster, instances, secret)
 	}
+	if err == nil {
+		// Trigger RECONNECT if primary has changed to force new server connections.
+		// This prevents stale connections from routing traffic to a demoted replica.
+		err = r.reconcilePGBouncerReconnect(ctx, cluster, instances)
+	}
 	return err
 }
 
@@ -584,3 +589,100 @@ func (r *Reconciler) reconcilePGBouncerPodDisruptionBudget(
 	}
 	return err
 }
+
+// reconcilePGBouncerReconnect triggers a RECONNECT command on all PgBouncer
+// pods when the primary has changed. This forces PgBouncer to establish new
+// server connections to the correct primary, preventing stale connections
+// from routing traffic to a demoted replica after failover.
+//
+// Note: RECONNECT closes server connections when they are "released" according
+// to the pool mode. In transaction mode, this happens after each transaction.
+// In session mode, this happens when the client disconnects - so persistent
+// clients may continue hitting the old primary until they reconnect.
+func (r *Reconciler) reconcilePGBouncerReconnect(
+	ctx context.Context, cluster *v1beta1.PostgresCluster,
+	instances *observedInstances,
+) error {
+	log := logging.FromContext(ctx)
+
+	// Skip if PgBouncer is disabled
+	if cluster.Spec.Proxy == nil || cluster.Spec.Proxy.PGBouncer == nil {
+		return nil
+	}
+
+	var primaryPod *corev1.Pod
+	for _, instance := range instances.forCluster {
+		// Same condition as writablePod fn
+		if writable, known := instance.IsWritable(); writable && known && len(instance.Pods) > 0 {
+			primaryPod = instance.Pods[0]
+			break
+		}
+	}
+
+	if primaryPod == nil {
+		// We will retry later.
+		log.V(1).Info("No writable instance found, skipping PgBouncer RECONNECT")
+		return nil
+	}
+
+	currentPrimaryUID := string(primaryPod.UID)
+	lastReconnectUID := cluster.Status.Proxy.PGBouncer.LastReconnectPrimaryUID
+
+	if currentPrimaryUID == lastReconnectUID {
+		// Primary hasn't changed, no need to Reconnect.
+		return nil
+	}
+
+	log.Info("Primary changed, triggering PgBouncer RECONNECT",
+		"previousPrimaryUID", lastReconnectUID,
+		"currentPrimaryUID", currentPrimaryUID,
+		"currentPrimaryName", primaryPod.Name)
+
+	pgbouncerPods := &corev1.PodList{}
+	selector, err := naming.AsSelector(naming.ClusterPGBouncerSelector(cluster))
+	if err != nil {
+		return errors.WithStack(err)
+	}
+
+	if err := r.Client.List(ctx, pgbouncerPods,
+		client.InNamespace(cluster.Namespace),
+		client.MatchingLabelsSelector{Selector: selector}); err != nil {
+		return errors.WithStack(err)
+	}
+
+	// Send RECONNECT to each running PgBouncer pod
+	var reconnectErr error
+	successCount := 0
+
+	for i := range pgbouncerPods.Items {
+		pod := &pgbouncerPods.Items[i]
+		if pod.Status.Phase != corev1.PodRunning {
+			continue
+		}
+
+		exec := func(ctx context.Context, stdin io.Reader, stdout, stderr io.Writer, command ...string) error {
+			return r.PodExec(ctx, pod.Namespace, pod.Name, naming.ContainerPGBouncer, stdin, stdout, stderr, command...)
+		}
+
+		if err := pgbouncer.Reconnect(ctx, exec); err != nil {
+			log.Error(err, "PgBouncer RECONNECT: failed to issue command to pod.", "pod", pod.Name)
+			reconnectErr = err
+		} else {
+			successCount++
+		}
+	}
+
+	// If we can't send a RECONNECT command to one of the pods, we won't update the LastReconnectPrimaryUID.
+	// This means this will run again in the next reconciliation loop.
+	if reconnectErr == nil {
+		cluster.Status.Proxy.PGBouncer.LastReconnectPrimaryUID = currentPrimaryUID
+	}
+
+	log.Info("PgBouncer RECONNECT: done",
+		"failed", reconnectErr != nil,
+		"successCount", successCount,
+		"totalPods", len(pgbouncerPods.Items),
+	)
+
+	return reconnectErr
+}

internal/pgbouncer/config.go

@@ -120,8 +120,17 @@ func clusterINI(cluster *v1beta1.PostgresCluster) string {
 		"server_tls_sslmode": "verify-full",
 		"server_tls_ca_file": certBackendAuthorityAbsolutePath,
 
-		// Disable Unix sockets to keep the filesystem read-only.
-		"unix_socket_dir": "",
+		// Enable Unix socket for admin console access. The special user
+		// "pgbouncer" can connect without a password when using a Unix socket
+		// from the same UID as the running process. This allows the operator
+		// to send admin commands like RECONNECT after failover.
+		// Ref.: https://www.pgbouncer.org/usage.html#admin-console
+		"unix_socket_dir": "/tmp/pgbouncer",
+
+		// Allow the "pgbouncer" user to run admin commands (PAUSE, RESUME,
+		// RECONNECT, etc.) on the admin console. Combined with unix_socket_dir,
+		// this enables password-free admin access from within the container.
+		"admin_users": "pgbouncer",
 	}
 
 	// Override the above with any specified settings.

internal/pgbouncer/reconnect.go

@@ -0,0 +1,57 @@
+package pgbouncer
+
+import (
+	"bytes"
+	"context"
+
+	"github.com/percona/percona-postgresql-operator/internal/logging"
+	"github.com/percona/percona-postgresql-operator/internal/postgres"
+)
+
+// Reconnect sends the RECONNECT command to PgBouncer's admin console.
+// This closes all server connections at the next opportunity, forcing
+// PgBouncer to establish new connections to the current primary.
+//
+// From PgBouncer docs: "Close each open server connection for the given
+// database, or all databases, at the next opportunity."
+//
+// This is non-disruptive: PgBouncer waits for the connection to be
+// "released" before closing it. In transaction pooling mode, this means
+// waiting for the current transaction to complete. In session pooling
+// mode, this means waiting for the client to disconnect.
+//
+// The command connects via Unix socket as the special "pgbouncer" user,
+// which is allowed without password when the client has the same UID
+// as the running PgBouncer process.
+//
+// Ref.: https://www.pgbouncer.org/usage.html#admin-console
+func Reconnect(ctx context.Context, exec postgres.Executor) error {
+	log := logging.FromContext(ctx)
+	log.Info("Triggering PgBouncer RECONNECT to force new server connections")
+
+	stdout, stderr := &bytes.Buffer{}, &bytes.Buffer{}
+
+	// Connect to PgBouncer admin console via Unix socket.
+	// The "pgbouncer" user can connect without password from same UID.
+	// The "pgbouncer" database is the virtual admin console.
+	// Ref.:
+	err := exec(ctx, nil, stdout, stderr,
+		"psql",
+		"-h", "/tmp/pgbouncer",
+		"-p", "6432",
+		"-U", "pgbouncer",
+		"-d", "pgbouncer",
+		"-c", "RECONNECT",
+	)
+
+	if err != nil {
+		log.Error(err, "RECONNECT failed",
+			"stdout", stdout.String(),
+			"stderr", stderr.String())
+	} else {
+		log.V(1).Info("RECONNECT succeeded",
+			"stdout", stdout.String())
+	}
+
+	return err
+}

pkg/apis/postgres-operator.crunchydata.com/v1beta1/pgbouncer_types.go

@@ -173,4 +173,10 @@ type PGBouncerPodStatus struct {
 
 	// Total number of non-terminated pods.
 	Replicas int32 `json:"replicas,omitempty"`
+
+	// Identifies the primary pod UID when RECONNECT was last triggered.
+	// Used to detect failovers and force PgBouncer to establish new
+	// server connections to the correct primary.
+	// +optional
+	LastReconnectPrimaryUID string `json:"lastReconnectPrimaryUID,omitempty"`
 }