Overview
Elevarq pgAgroal is an open-source (BSD-3-Clause) production container image for pgagroal, the high-performance connection pooler for PostgreSQL. It is built from pinned upstream pgagroal 2.1.0 sources on a digest-pinned Debian base, for secure, repeatable production deployments.
Hardened by default
- The pgagroal HBA accepts connections only from a configurable source-address allowlist (the RFC1918 private ranges by default) and always authenticates with scram-sha-256 - never a catch-all.
- Unknown users are not transparently passed through to the backend (allow_unknown_users defaults to false).
- The Helm chart enables a NetworkPolicy by default that denies ingress from outside the release namespace; the bundled compose example publishes the pooler and metrics ports on loopback only.
- The runtime runs as a non-root user (UID 1000), drops all Linux capabilities, uses a read-only root filesystem, and defaults to the RuntimeDefault seccomp profile.
Signed supply chain
- Multi-architecture images (linux/amd64 and linux/arm64) are cosign-signed using GitHub OIDC and include an SBOM and SLSA provenance.
Kubernetes-ready
- A production-ready Helm chart simplifies Amazon EKS deployment with liveness and readiness probes, a PodDisruptionBudget, least-privilege security contexts, and optional Prometheus metrics.
Elevarq pgAgroal contains no telemetry and sends no data outside your environment.
Highlights
- Hardened shipped defaults: scram-sha-256 HBA source-address allowlist (no catch-all), no transparent unknown-user passthrough, and a default-on Kubernetes NetworkPolicy
- Hardened runtime: non-root (UID 1000), read-only root filesystem, all Linux capabilities dropped, seccomp RuntimeDefault
- Multi-arch (amd64/arm64), cosign-signed with SBOM and SLSA provenance; Helm chart for Amazon EKS with probes, a PodDisruptionBudget, and optional Prometheus metrics
Details
Introducing multi-product solutions
You can now purchase comprehensive solutions tailored to use cases and industries.
Features and programs
Financing for AWS Marketplace purchases
Pricing
Vendor refund policy
This product is free of software charges; no refunds apply. Community support is provided via GitHub Issues.
How can we make this page better?
Legal
Vendor terms and conditions
Content disclaimer
Delivery details
Helm chart (Amazon EKS)
- Amazon EKS
Helm chart
Helm charts are Kubernetes YAML manifests combined into a single package that can be installed on Kubernetes clusters. The containerized application is deployed on a cluster by running a single Helm install command to install the seller-provided Helm chart.
Version release notes
Elevarq packaging v1.4.3, bundling upstream pgagroal 2.1.0. Credential handling hardened: the Helm chart requires an operator-supplied credential source (a Kubernetes Secret is recommended) and ships no default or hardcoded password - it fails to install if no credential source is provided. The hardened shipped defaults from 1.4.0 (scram-sha-256 HBA source allowlist, allow_unknown_users=false, default-on NetworkPolicy) are unchanged. Release notes: https://github.com/Elevarq/pgAgroal/releases/tag/v1.4.3
Additional details
Usage instructions
-
Authenticate Helm to the AWS Marketplace registry: aws ecr get-login-password --region us-east-1 | helm registry login --username AWS --password-stdin 709825985650.dkr.ecr.us-east-1.amazonaws.com
-
Create a Kubernetes Secret with your EXISTING PostgreSQL credentials. The image ships no default or hardcoded password; these are your own database credentials. kubectl create namespace pgagroal kubectl -n pgagroal create secret generic pgagroal-pg-credentials --from-literal=PG_USERNAME=<app-user> --from-literal=PG_PASSWORD=<app-password>
-
Create a values file named pgagroal-values.yaml (two-space indentation), pointing at your backend and the Secret from step 2:
postgresql: host: <postgres-host> port: 5432 credentials: existingSecret: pgagroal-pg-credentials
The chart fails to install if no credential source is provided (no empty-password default). If your EKS pod network is outside the RFC1918 ranges (e.g. a 100.64.0.0/10 secondary CIDR), also set pgagroal.hbaSource to that CIDR.
-
Install into your cluster: helm install pgagroal oci://709825985650.dkr.ecr.us-east-1.amazonaws.com/elevarq/elevarq-pgagroal-chart --version 1.4.3 -n pgagroal -f pgagroal-values.yaml
-
Point applications at the pgagroal Service on port 6432. A NetworkPolicy is enabled by default and admits same-namespace clients; for clients in another namespace, set networkPolicy.ingressNamespaceSelectors. Full configuration: https://elevarq.com/docs/pgagroal-container
Resources
Vendor resources
Support
Vendor support
Community support via GitHub Issues at https://github.com/Elevarq/pgAgroal . Report security vulnerabilities to security@elevarq.com (see SECURITY.md).
AWS infrastructure support
AWS Support is a one-on-one, fast-response support channel that is staffed 24x7x365 with experienced and technical support engineers. The service helps customers of all sizes and technical abilities to successfully utilize the products and features provided by Amazon Web Services.