Listing Thumbnail

    Elevarq pgAgroal

     Info
    Sold by: Elevarq 
    Deployed on AWS
    Production-ready, security-hardened pgagroal container for PostgreSQL: restrictive shipped defaults, a non-root runtime, signed multi-arch images, a Kubernetes Helm chart, and zero telemetry.

    Overview

    Elevarq pgAgroal is an open-source (BSD-3-Clause) production container image for pgagroal, the high-performance connection pooler for PostgreSQL. It is built from pinned upstream pgagroal 2.1.0 sources on a digest-pinned Debian base, for secure, repeatable production deployments.

    Hardened by default

    • The pgagroal HBA accepts connections only from a configurable source-address allowlist (the RFC1918 private ranges by default) and always authenticates with scram-sha-256 - never a catch-all.
    • Unknown users are not transparently passed through to the backend (allow_unknown_users defaults to false).
    • The Helm chart enables a NetworkPolicy by default that denies ingress from outside the release namespace; the bundled compose example publishes the pooler and metrics ports on loopback only.
    • The runtime runs as a non-root user (UID 1000), drops all Linux capabilities, uses a read-only root filesystem, and defaults to the RuntimeDefault seccomp profile.

    Signed supply chain

    • Multi-architecture images (linux/amd64 and linux/arm64) are cosign-signed using GitHub OIDC and include an SBOM and SLSA provenance.

    Kubernetes-ready

    • A production-ready Helm chart simplifies Amazon EKS deployment with liveness and readiness probes, a PodDisruptionBudget, least-privilege security contexts, and optional Prometheus metrics.

    Elevarq pgAgroal contains no telemetry and sends no data outside your environment.

    Highlights

    • Hardened shipped defaults: scram-sha-256 HBA source-address allowlist (no catch-all), no transparent unknown-user passthrough, and a default-on Kubernetes NetworkPolicy
    • Hardened runtime: non-root (UID 1000), read-only root filesystem, all Linux capabilities dropped, seccomp RuntimeDefault
    • Multi-arch (amd64/arm64), cosign-signed with SBOM and SLSA provenance; Helm chart for Amazon EKS with probes, a PodDisruptionBudget, and optional Prometheus metrics

    Details

    Sold by

    Delivery method

    Supported services

    Delivery option
    Helm chart (Amazon EKS)

    Latest version

    Operating system
    Linux

    Deployed on AWS
    New

    Introducing multi-product solutions

    You can now purchase comprehensive solutions tailored to use cases and industries.

    Multi-product solutions

    Features and programs

    Financing for AWS Marketplace purchases

    AWS Marketplace now accepts line of credit payments through the PNC Vendor Finance program. This program is available to select AWS customers in the US, excluding NV, NC, ND, TN, & VT.
    Financing for AWS Marketplace purchases

    Pricing

    Elevarq pgAgroal

     Info
    This product is available free of charge. Free subscriptions have no end date and may be canceled any time.
    Additional AWS infrastructure costs may apply. Use the AWS Pricing Calculator  to estimate your infrastructure costs.

    Vendor refund policy

    This product is free of software charges; no refunds apply. Community support is provided via GitHub Issues.

    How can we make this page better?

    Tell us how we can improve this page, or report an issue with this product.
    Tell us how we can improve this page, or report an issue with this product.

    Legal

    Vendor terms and conditions

    Upon subscribing to this product, you must acknowledge and agree to the terms and conditions outlined in the vendor's End User License Agreement (EULA) .

    Content disclaimer

    Vendors are responsible for their product descriptions and other product content. AWS does not warrant that vendors' product descriptions or other product content are accurate, complete, reliable, current, or error-free.

    Usage information

     Info

    Delivery details

    Helm chart (Amazon EKS)

    Supported services: Learn more 
    • Amazon EKS
    Helm chart

    Helm charts are Kubernetes YAML manifests combined into a single package that can be installed on Kubernetes clusters. The containerized application is deployed on a cluster by running a single Helm install command to install the seller-provided Helm chart.

    Version release notes

    Elevarq packaging v1.4.3, bundling upstream pgagroal 2.1.0. Credential handling hardened: the Helm chart requires an operator-supplied credential source (a Kubernetes Secret is recommended) and ships no default or hardcoded password - it fails to install if no credential source is provided. The hardened shipped defaults from 1.4.0 (scram-sha-256 HBA source allowlist, allow_unknown_users=false, default-on NetworkPolicy) are unchanged. Release notes: https://github.com/Elevarq/pgAgroal/releases/tag/v1.4.3 

    Additional details

    Usage instructions

    1. Authenticate Helm to the AWS Marketplace registry: aws ecr get-login-password --region us-east-1 | helm registry login --username AWS --password-stdin 709825985650.dkr.ecr.us-east-1.amazonaws.com

    2. Create a Kubernetes Secret with your EXISTING PostgreSQL credentials. The image ships no default or hardcoded password; these are your own database credentials. kubectl create namespace pgagroal kubectl -n pgagroal create secret generic pgagroal-pg-credentials --from-literal=PG_USERNAME=<app-user> --from-literal=PG_PASSWORD=<app-password>

    3. Create a values file named pgagroal-values.yaml (two-space indentation), pointing at your backend and the Secret from step 2:

      postgresql: host: <postgres-host> port: 5432 credentials: existingSecret: pgagroal-pg-credentials

      The chart fails to install if no credential source is provided (no empty-password default). If your EKS pod network is outside the RFC1918 ranges (e.g. a 100.64.0.0/10 secondary CIDR), also set pgagroal.hbaSource to that CIDR.

    4. Install into your cluster: helm install pgagroal oci://709825985650.dkr.ecr.us-east-1.amazonaws.com/elevarq/elevarq-pgagroal-chart --version 1.4.3 -n pgagroal -f pgagroal-values.yaml

    5. Point applications at the pgagroal Service on port 6432. A NetworkPolicy is enabled by default and admits same-namespace clients; for clients in another namespace, set networkPolicy.ingressNamespaceSelectors. Full configuration: https://elevarq.com/docs/pgagroal-container 

    Resources

    Support

    Vendor support

    Community support via GitHub Issues at https://github.com/Elevarq/pgAgroal . Report security vulnerabilities to security@elevarq.com  (see SECURITY.md).

    AWS infrastructure support

    AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.

    Similar products

    Customer reviews

    Ratings and reviews

     Info
    0 ratings
    5 star
    4 star
    3 star
    2 star
    1 star
    0%
    0%
    0%
    0%
    0%
    0 reviews
    No customer reviews yet
    Be the first to review this product . We've partnered with PeerSpot to gather customer feedback. You can share your experience by writing or recording a review, or scheduling a call with a PeerSpot analyst.