vitabaks / postgresql_cluster

PostgreSQL High-Availability Cluster (based on "Patroni" and DCS "etcd" or "consul"). Automating with Ansible.
MIT License

feat: adds variables to enable client tls on pgbouncer #585

Closed n-borges closed 2 months ago

n-borges commented 2 months ago

This PR is related to #582.

Although this is a trivial change, I think that quite a few people could run into the requirement of having to enable TLS at least between clients and pgbouncer.

This has been tried on a deployment of type "A". Without these configurations, trying to connect to the cluster vip using TLS fails:

❯ PGSSLMODE=require psql --host pgdebian2.domain.lan --port 5000 --user testuser --db test --password
psql: error: connection to server at "pgdebian2.domain.lan" (192.168.99.99), port 5000 failed: server does not support SSL, but SSL was required

To allow encrypted connections, one could add to /etc/pgbouncer/pgbouncer.ini on each node:

# using the self-signed example certs
# 'allow' accepts both plaintext and TLS clients; use 'require' (or
# 'verify-ca' / 'verify-full') to reject unencrypted connections
client_tls_sslmode = allow
# the key must be readable by the pgbouncer service user
client_tls_key_file = /etc/ssl/private/ssl-cert-snakeoil.key
client_tls_cert_file = /etc/ssl/certs/ssl-cert-snakeoil.pem

After restarting the pgbouncer service, encrypted connections are allowed on the cluster virtual ip.

❯ PGSSLMODE=require psql --host pgdebian2.domain.lan --port 5000 --user testuser --db test --password
psql (16.1, server 16.2 (Debian 16.2-1.pgdg120+2))
SSL connection (protocol: TLSv1.3, cipher: TLS_AES_256_GCM_SHA384, compression: off)

Let me know if you want me to add some tests.

Thanks!
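The "server does not support SSL" error above is decided in the very first message of the PostgreSQL wire protocol: the client sends an 8-byte SSLRequest and the server answers with a single byte, `S` (TLS offered) or `N` (plaintext only). The probe below is an added example, not code from this PR or from the postgresql_cluster project; it reproduces that exchange so you can check a pgbouncer port before and after applying the settings, and, when TLS is offered, completes the handshake and reports protocol and cipher the way psql does. The hostname and port default to the ones in the PR description and are assumptions; `simulate_probe` is a constructed in-process stand-in for pgbouncer so the logic runs offline.

```python
import socket
import ssl
import struct
import threading
from typing import Optional

# PostgreSQL wire protocol SSLRequest: int32 length (8) followed by the
# request code 80877103, i.e. (1234 << 16) | 5679. The server answers with
# one byte: b"S" (willing to negotiate TLS) or b"N" (no TLS on this port).
SSL_REQUEST_CODE = 80877103


def build_ssl_request() -> bytes:
    """Encode the 8-byte SSLRequest startup message."""
    return struct.pack("!II", 8, SSL_REQUEST_CODE)


def probe_tls_support(sock: socket.socket) -> bool:
    """Send SSLRequest on a freshly connected socket and interpret the reply.

    True on b"S", False on b"N" (the case behind psql's "server does not
    support SSL, but SSL was required"). Any other byte is an error.
    """
    sock.sendall(build_ssl_request())
    reply = sock.recv(1)
    if reply == b"S":
        return True
    if reply == b"N":
        return False
    raise ValueError(f"unexpected SSLRequest reply: {reply!r}")


def tls_status(host: str, port: int, ca_file: Optional[str] = None,
               timeout: float = 5.0) -> dict:
    """Connect, probe, and if TLS is offered finish the handshake.

    With ca_file=None the certificate is not verified, which matches
    PGSSLMODE=require and does not stop an active attacker; pass the CA
    bundle for verify-full semantics (hostname and chain checked).
    """
    with socket.create_connection((host, port), timeout=timeout) as raw:
        if not probe_tls_support(raw):
            return {"tls": False, "protocol": None, "cipher": None}
        if ca_file:
            ctx = ssl.create_default_context(cafile=ca_file)
        else:
            ctx = ssl.create_default_context()
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            cipher_name, _, _ = tls.cipher()
            return {"tls": True, "protocol": tls.version(), "cipher": cipher_name}


def simulate_probe(server_reply: bytes) -> bool:
    """Offline harness: a constructed fake pgbouncer on a socketpair that
    answers the SSLRequest with server_reply, so the probe runs without a
    cluster. Also verifies the fake server saw a well-formed SSLRequest."""
    client, server = socket.socketpair()
    received = []

    def fake_server():
        received.append(server.recv(8))
        server.sendall(server_reply)
        server.close()

    worker = threading.Thread(target=fake_server)
    worker.start()
    try:
        result = probe_tls_support(client)
    finally:
        worker.join()
        client.close()
    if received != [build_ssl_request()]:
        raise AssertionError("fake server did not receive a valid SSLRequest")
    return result


if __name__ == "__main__":
    import sys
    # Assumed defaults taken from the PR description; override on the CLI.
    host = sys.argv[1] if len(sys.argv) > 1 else "pgdebian2.domain.lan"
    port = int(sys.argv[2]) if len(sys.argv) > 2 else 5000
    print(tls_status(host, port))
```

Run it against the cluster VIP before restarting pgbouncer and you get `{"tls": False, ...}`; after the `client_tls_*` settings are in place it reports the negotiated protocol and cipher. Note that with `client_tls_sslmode = allow` a client that never sends the SSLRequest still gets a plaintext session, so the probe only tells you TLS is offered, not that it is enforced.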

vitabaks commented 2 months ago

Hi! Thank you for your contribution to the project.

Could you add an example of a setup with the test result to the PR? In which the encrypted connection would be visible?

n-borges commented 2 months ago

> Hi! Thank you for your contribution to the project.
>
> Could you add an example of a setup with the test result to the PR? In which the encrypted connection would be visible?

Of course. I updated the PR body