timescale / timescaledb-docker-ha

Create Docker images containing TimescaleDB, Patroni to be used by developers and Kubernetes.
Apache License 2.0

Make pgBouncer an Optional Dependency in Timescale Docker Image #473

Open udesaiitrs opened 1 week ago

udesaiitrs commented 1 week ago

Make pgBouncer an Optional Dependency in Timescale Docker Image

Description

We are requesting to make pgBouncer an optional dependency within the Timescale Docker image. Currently, pgBouncer is included by default, but we have identified some security concerns related to its inclusion.

Current Behavior

The Timescale Docker image includes pgBouncer as a default component.

Proposed Change

Make pgBouncer an optional dependency that can be excluded or included based on user preference.

Rationale

  1. We do not use pgBouncer in our setup, making its inclusion unnecessary for our use case.
  2. The version of Go included with pgBouncer contains some critical/high-level CVEs (Common Vulnerabilities and Exposures), posing potential security risks.

Benefits

  1. Improved security for users who don't require pgBouncer.
  2. Reduced image size for those who opt out of including pgBouncer.
  3. Greater flexibility for users to customize their Timescale Docker setup.

Implementation Suggestions

  1. Introduce a build argument or environment variable to control the inclusion of pgBouncer.
  2. Provide clear documentation on how to build the image with or without pgBouncer.
  3. Consider offering two separate Docker images: one with pgBouncer and one without.

Additional Notes

Questions

  1. Are there any known dependencies within the Timescale ecosystem that require pgBouncer?
  2. What is the timeline for addressing the CVEs in the current pgBouncer implementation?

We appreciate your consideration of this request and look forward to your feedback.
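One way to realise the first implementation suggestion (a build argument that toggles pgBouncer), as an added example that is not the repository's own Dockerfile and not part of the issue text. It assumes a Debian-based image and that pgbouncer is installed from the distribution package; the actual timescaledb-docker-ha build layout and package sources are not reproduced here.

```dockerfile
# Added example (hypothetical layout), not the project's Dockerfile.
# INSTALL_PGBOUNCER controls whether pgbouncer is installed in the image.
# Default keeps current behaviour (included); pass --build-arg INSTALL_PGBOUNCER=false to omit it.
FROM debian:bookworm-slim

ARG INSTALL_PGBOUNCER=true

# Install pgbouncer only when requested. The else branch records the decision in the
# build log so the excluded dependency can be verified later.
RUN set -eux; \
    if [ "${INSTALL_PGBOUNCER}" = "true" ]; then \
        apt-get update; \
        apt-get install -y --no-install-recommends pgbouncer; \
        rm -rf /var/lib/apt/lists/*; \
    else \
        echo "pgbouncer excluded from this image (INSTALL_PGBOUNCER=${INSTALL_PGBOUNCER})"; \
    fi

# Expose the build decision at runtime so operators and scanners can tell the variants apart.
ENV PGBOUNCER_INCLUDED=${INSTALL_PGBOUNCER}
LABEL org.example.pgbouncer.included="${INSTALL_PGBOUNCER}"
```

After building with `--build-arg INSTALL_PGBOUNCER=false`, a quick check is `docker run --rm <image> sh -c '! command -v pgbouncer'`, which exits non-zero if the binary is still present; the label also lets an image scanner or admission policy distinguish the two variants without inspecting the filesystem.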