initial

2026-02-13 12:12:49 +00:00
parent 246ba1e07a
commit e346bd803b
26 changed files with 4063 additions and 0 deletions
--- a/rootfs/opt/bitnami/scripts/libldapclient.sh
+++ b/rootfs/opt/bitnami/scripts/libldapclient.sh
@@ -0,0 +1,222 @@
+#!/bin/bash
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+#
+# Bitnami LDAP library
+
+# shellcheck disable=SC1090,SC1091
+
+# Load libraries
+. /opt/bitnami/scripts/libfs.sh
+. /opt/bitnami/scripts/liblog.sh
+. /opt/bitnami/scripts/libos.sh
+
+########################
+# Loads global variables used on LDAP configuration.
+# Globals:
+#   LDAP_*
+# Arguments:
+#   None
+# Returns:
+#   Series of exports to be used as 'eval' arguments
+#########################
+ldap_env() {
+    cat <<"EOF"
+export LDAP_NSLCD_USER="nslcd"
+export LDAP_URI="${LDAP_URI:-}"
+export LDAP_BASE="${LDAP_BASE:-}"
+export LDAP_BIND_DN="${LDAP_BIND_DN:-}"
+export LDAP_BIND_PASSWORD="${LDAP_BIND_PASSWORD:-}"
+export LDAP_BASE_LOOKUP="${LDAP_BASE_LOOKUP:-}"
+export LDAP_NSS_INITGROUPS_IGNOREUSERS="${LDAP_NSS_INITGROUPS_IGNOREUSERS:-root,nslcd}"
+export LDAP_SCOPE="${LDAP_SCOPE:-}"
+export LDAP_TLS_REQCERT="${LDAP_TLS_REQCERT:-}"
+export LDAP_SEARCH_FILTER="${LDAP_SEARCH_FILTER:-}"
+export LDAP_SEARCH_MAP="${LDAP_SEARCH_MAP:-}"
+
+EOF
+    if [[ "$OS_FLAVOUR" =~ ^debian-.*$ ]]; then
+        cat <<"EOF"
+export LDAP_NSLCD_GROUP="nslcd"
+EOF
+    elif [[ "$OS_FLAVOUR" =~ ^(photon)-.*$ ]]; then
+        cat <<"EOF"
+export LDAP_NSLCD_GROUP="ldap"
+EOF
+    fi
+}
+
+########################
+# Return LDAP config file path depending on distro
+# Globals:
+#   OS_FLAVOUR
+# Arguments:
+#   None
+# Returns:
+#   (String) LDAP config file path
+#########################
+ldap_openldap_config_path() {
+    local openldap_config
+    case "$OS_FLAVOUR" in
+    debian-* | ubuntu-*) openldap_config=/etc/ldap/ldap.conf ;;
+    photon-* | redhatubi-*) openldap_config=/etc/openldap/ldap.conf ;;
+    *) error "Unsupported OS flavor ${OS_FLAVOUR}" && exit 1 ;;
+    esac
+    echo "$openldap_config"
+}
+
+########################
+# Configure LDAP permissions (to be used at postunpack leve).
+# Globals:
+#   LDAP_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+ldap_configure_permissions() {
+    ensure_dir_exists "/var/run/nslcd" && configure_permissions_ownership "/var/run/nslcd" -u "root" -g "root" -d "775"
+    # The nslcd.conf file may not exist in distros like UBI, so we need to create it first
+    touch "/etc/nslcd.conf"
+    configure_permissions_ownership "/etc/nslcd.conf" -u "root" -g "root" -f "660"
+    configure_permissions_ownership "$(ldap_openldap_config_path)" -u "root" -g "root" -f "660"
+}
+
+########################
+# Create nslcd.conf file
+# Globals:
+#   LDAP_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+ldap_create_nslcd_config() {
+    if am_i_root; then
+        chown "root:${LDAP_NSLCD_GROUP}" "/etc/nslcd.conf"
+        chown -R "${LDAP_NSLCD_USER}:${LDAP_NSLCD_GROUP}" "/var/run/nslcd"
+        cat >"/etc/nslcd.conf" <<EOF
+# The user and group nslcd should run as
+uid $LDAP_NSLCD_USER
+gid $LDAP_NSLCD_GROUP
+EOF
+    else
+        cat >"/etc/nslcd.conf" <<EOF
+# Comment out uid,gid to avoid attempting change user/group to run as
+# uid
+# gid
+EOF
+    fi
+    cat >>"/etc/nslcd.conf" <<EOF
+nss_initgroups_ignoreusers $LDAP_NSS_INITGROUPS_IGNOREUSERS
+
+# The location at which the LDAP server(s) should be reachable.
+uri $LDAP_URI
+# The search base that will be used for all queries
+base $LDAP_BASE
+# The DN to bind with for normal lookups
+binddn $LDAP_BIND_DN
+bindpw $LDAP_BIND_PASSWORD
+EOF
+    if [[ -n "${LDAP_BASE_LOOKUP}" ]]; then
+        cat >>"/etc/nslcd.conf" <<EOF
+base passwd $LDAP_BASE_LOOKUP
+EOF
+    fi
+    if [[ -n "${LDAP_SCOPE}" ]]; then
+        cat >>"/etc/nslcd.conf" <<EOF
+# The search scope
+scope $LDAP_SCOPE
+EOF
+    fi
+    if [[ -n "${LDAP_SEARCH_FILTER}" ]]; then
+        cat >>"/etc/nslcd.conf" <<EOF
+# LDAP search filter to use for posix users
+filter passwd (objectClass=$LDAP_SEARCH_FILTER)
+EOF
+    fi
+    if [[ -n "${LDAP_SEARCH_MAP}" ]]; then
+        cat >>"/etc/nslcd.conf" <<EOF
+# Used for lookup of custom attributes
+map passwd uid $LDAP_SEARCH_MAP
+EOF
+    fi
+    if [[ -n "${LDAP_TLS_REQCERT}" ]]; then
+        cat >>"/etc/nslcd.conf" <<EOF
+# TLS options
+tls_reqcert $LDAP_TLS_REQCERT
+EOF
+    fi
+    if am_i_root; then
+        chmod "600" "/etc/nslcd.conf"
+    fi
+}
+
+########################
+# Create ldap.conf file
+# Globals:
+#   LDAP_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+ldap_create_openldap_config() {
+    cat >>"$(ldap_openldap_config_path)" <<EOF
+BASE $LDAP_BASE
+URI $LDAP_URI
+
+TLS_CACERTDIR   /etc/openldap/certs
+
+# Turning this off breaks GSSAPI used with krb5 when rdns = false
+SASL_NOCANON    on
+EOF
+}
+
+########################
+# Create PAM configuration file
+# Globals:
+#   LDAP_*
+# Arguments:
+#   filename - PAM configuration file name
+# Returns:
+#   None
+#########################
+ldap_create_pam_config() {
+    local filename="${1:?ip is missing}"
+    cat >"/etc/pam.d/${filename}" <<EOF
+auth     required  pam_ldap.so  try_first_pass debug
+account  required  pam_ldap.so  debug
+EOF
+}
+
+########################
+# Initialize LDAP services
+# Globals:
+#   LDAP_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+ldap_initialize() {
+    if [[ -n "${LDAP_URI}" && "${LDAP_BASE}" && "${LDAP_BIND_DN}" && "${LDAP_BIND_PASSWORD}" ]]; then
+        info "Configuring LDAP connection"
+        ldap_create_nslcd_config
+        ldap_create_openldap_config
+    else
+        info "Missing LDAP settings. Skipping LDAP initialization"
+    fi
+}
+
+########################
+# Start nslcd in background
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+ldap_start_nslcd_bg() {
+    info "Starting nslcd in background"
+    nslcd
+}
--- a/rootfs/opt/bitnami/scripts/libpgpool.sh
+++ b/rootfs/opt/bitnami/scripts/libpgpool.sh
@@ -0,0 +1,618 @@
+#!/bin/bash
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+#
+# Bitnami Pgpool-II library
+
+# shellcheck disable=SC1090,SC1091
+
+# Load Generic Libraries
+. /opt/bitnami/scripts/libfile.sh
+. /opt/bitnami/scripts/libfs.sh
+. /opt/bitnami/scripts/liblog.sh
+. /opt/bitnami/scripts/libnet.sh
+. /opt/bitnami/scripts/libos.sh
+. /opt/bitnami/scripts/libservice.sh
+. /opt/bitnami/scripts/libvalidations.sh
+
+########################
+# Validate settings in PGPOOL_* env. variables
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+pgpool_validate() {
+    info "Validating settings in PGPOOL_* env vars..."
+    local error_code=0
+
+    # Auxiliary functions
+    print_validation_error() {
+        error "$1"
+        error_code=1
+    }
+
+    if [[ -z "$PGPOOL_ADMIN_USERNAME" ]] || [[ -z "$PGPOOL_ADMIN_PASSWORD" ]]; then
+        print_validation_error "The Pgpool administrator user's credentials are mandatory. Set the environment variables PGPOOL_ADMIN_USERNAME and PGPOOL_ADMIN_PASSWORD with the Pgpool administrator user's credentials."
+    fi
+
+    if [[ "$PGPOOL_SR_CHECK_PERIOD" -gt 0 ]] && { [[ -z "$PGPOOL_SR_CHECK_USER" ]] || [[ -z "$PGPOOL_SR_CHECK_PASSWORD" ]]; }; then
+        print_validation_error "The Streaming Replication Check credentials are mandatory. Set the environment variables PGPOOL_SR_CHECK_USER and PGPOOL_SR_CHECK_PASSWORD with the Streaming Replication Check credentials."
+    fi
+    if [[ -z "$PGPOOL_HEALTH_CHECK_USER" ]] || [[ -z "$PGPOOL_HEALTH_CHECK_PASSWORD" ]]; then
+        print_validation_error "The PostgreSQL health check credentials are mandatory. Set the environment variables PGPOOL_HEALTH_CHECK_USER and PGPOOL_HEALTH_CHECK_PASSWORD with the PostgreSQL health check credentials."
+    fi
+    if is_boolean_yes "$PGPOOL_ENABLE_LDAP" && { [[ -z "${LDAP_URI}" ]] || [[ -z "${LDAP_BASE}" ]] || [[ -z "${LDAP_BIND_DN}" ]] || [[ -z "${LDAP_BIND_PASSWORD}" ]]; }; then
+        print_validation_error "The LDAP configuration is required when LDAP authentication is enabled. Set the environment variables LDAP_URI, LDAP_BASE, LDAP_BIND_DN and LDAP_BIND_PASSWORD with the LDAP configuration."
+    fi
+
+    if is_boolean_yes "$PGPOOL_ENABLE_LDAP" && (! is_boolean_yes "$PGPOOL_ENABLE_POOL_HBA" || ! is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD"); then
+        print_validation_error "pool_hba.conf authentication and pool password should be enabled for LDAP to work. Keep the PGPOOL_ENABLE_POOL_HBA and PGPOOL_ENABLE_POOL_PASSWD environment variables set to 'yes'."
+    fi
+
+    if is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD" && { [[ -z "$PGPOOL_POSTGRES_USERNAME" ]] || [[ -z "$PGPOOL_POSTGRES_PASSWORD" ]]; }; then
+        print_validation_error "The administrator's database credentials are required. Set the environment variables PGPOOL_POSTGRES_USERNAME and PGPOOL_POSTGRES_PASSWORD with the administrator's database credentials."
+    fi
+
+    if [[ -z "$PGPOOL_BACKEND_NODES" ]]; then
+        print_validation_error "The list of backend nodes cannot be empty. Set the environment variable PGPOOL_BACKEND_NODES with a comma separated list of backend nodes."
+    else
+        read -r -a nodes <<<"$(tr ',;' ' ' <<<"${PGPOOL_BACKEND_NODES}")"
+        for node in "${nodes[@]}"; do
+            read -r -a fields <<<"$(tr ':' ' ' <<<"${node}")"
+            if [[ -z "${fields[0]:-}" ]]; then
+                print_validation_error "Error checking entry '$node', the field 'backend number' must be set!"
+            fi
+            if [[ -z "${fields[1]:-}" ]]; then
+                print_validation_error "Error checking entry '$node', the field 'host' must be set!"
+            fi
+        done
+    fi
+
+    if is_boolean_yes "$PGPOOL_AUTO_FAILBACK"; then
+        if  [[ -z "$PGPOOL_BACKEND_APPLICATION_NAMES" ]]; then
+            print_validation_error "The list of backend application names cannot be empty. Set the environment variable PGPOOL_BACKEND_APPLICATION_NAMES with a comma separated list of backend nodes."
+        fi
+
+        read -r -a app_name_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_BACKEND_APPLICATION_NAMES}")"
+        read -r -a nodes_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_BACKEND_NODES}")"
+        if [[ ${#app_name_list[@]} -ne ${#nodes_list[@]} ]]; then
+            print_validation_error "PGPOOL_BACKEND_APPLICATION_NAMES and PGPOOL_BACKEND_NODES lists should have the same length"
+        fi
+    fi
+
+    if [[ -n "$PGPOOL_USER_CONF_FILE" && ! -e "$PGPOOL_USER_CONF_FILE" ]]; then
+        print_validation_error "The provided PGPOOL_USER_CONF_FILE: ${PGPOOL_USER_CONF_FILE} must exist."
+    fi
+
+    if [[ -n "$PGPOOL_USER_HBA_FILE" && ! -e "$PGPOOL_USER_HBA_FILE" ]]; then
+        print_validation_error "The provided PGPOOL_USER_HBA_FILE: ${PGPOOL_USER_HBA_FILE} must exist."
+    fi
+
+    local yes_no_values=("PGPOOL_ENABLE_POOL_HBA" "PGPOOL_ENABLE_POOL_PASSWD" "PGPOOL_ENABLE_LOAD_BALANCING" "PGPOOL_ENABLE_STATEMENT_LOAD_BALANCING" "PGPOOL_ENABLE_CONNECTION_CACHE" "PGPOOL_ENABLE_LOG_CONNECTIONS" "PGPOOL_ENABLE_LOG_HOSTNAME" "PGPOOL_ENABLE_LOG_PCP_PROCESSES" "PGPOOL_ENABLE_LOG_PER_NODE_STATEMENT" "PGPOOL_AUTO_FAILBACK")
+    for yn in "${yes_no_values[@]}"; do
+        if ! is_yes_no_value "${!yn}"; then
+            print_validation_error "The values allowed for $yn are: yes or no"
+        fi
+    done
+    local positive_values=("PGPOOL_NUM_INIT_CHILDREN" "PGPOOL_MAX_POOL" "PGPOOL_CHILD_MAX_CONNECTIONS" "PGPOOL_CHILD_LIFE_TIME" "PGPOOL_CONNECTION_LIFE_TIME" "PGPOOL_CLIENT_IDLE_LIMIT" "PGPOOL_HEALTH_CHECK_PERIOD" "PGPOOL_HEALTH_CHECK_TIMEOUT" "PGPOOL_HEALTH_CHECK_MAX_RETRIES" "PGPOOL_HEALTH_CHECK_RETRY_DELAY" "PGPOOL_RESERVED_CONNECTIONS" "PGPOOL_CONNECT_TIMEOUT" "PGPOOL_HEALTH_CHECK_PSQL_TIMEOUT")
+    for p in "${positive_values[@]}"; do
+        if [[ -n "${!p:-}" ]]; then
+            if ! is_positive_int "${!p}"; then
+                print_validation_error "The values allowed for $p: integer greater than 0"
+            fi
+        fi
+    done
+    if ! [[ "$PGPOOL_DISABLE_LOAD_BALANCE_ON_WRITE" =~ ^(off|transaction|trans_transaction|always)$ ]]; then
+        print_validation_error "The values allowed for PGPOOL_DISABLE_LOAD_BALANCE_ON_WRITE: off,transaction,trans_transaction,always"
+    fi
+
+    if ! is_yes_no_value "$PGPOOL_ENABLE_TLS"; then
+        print_validation_error "The values allowed for PGPOOL_ENABLE_TLS are: yes or no"
+    elif is_boolean_yes "$PGPOOL_ENABLE_TLS"; then
+        # TLS Checks
+        if [[ -z "$PGPOOL_TLS_CERT_FILE" ]]; then
+            print_validation_error "You must provide a X.509 certificate in order to use TLS"
+        elif [[ ! -f "$PGPOOL_TLS_CERT_FILE" ]]; then
+            print_validation_error "The X.509 certificate file in the specified path ${PGPOOL_TLS_CERT_FILE} does not exist"
+        fi
+        if [[ -z "$PGPOOL_TLS_KEY_FILE" ]]; then
+            print_validation_error "You must provide a private key in order to use TLS"
+        elif [[ ! -f "$PGPOOL_TLS_KEY_FILE" ]]; then
+            print_validation_error "The private key file in the specified path ${PGPOOL_TLS_KEY_FILE} does not exist"
+        fi
+        if [[ -z "$PGPOOL_TLS_CA_FILE" ]]; then
+            warn "A CA X.509 certificate was not provided. Client verification will not be performed in TLS connections"
+        elif [[ ! -f "$PGPOOL_TLS_CA_FILE" ]]; then
+            print_validation_error "The CA X.509 certificate file in the specified path ${PGPOOL_TLS_CA_FILE} does not exist"
+        fi
+        if ! is_yes_no_value "$PGPOOL_TLS_PREFER_SERVER_CIPHERS"; then
+            print_validation_error "The values allowed for PGPOOL_TLS_PREFER_SERVER_CIPHERS are: yes or no"
+        fi
+    fi
+
+    # Check for Authentication method
+    if ! [[ "$PGPOOL_AUTHENTICATION_METHOD" =~ ^(md5|scram-sha-256|trust)$ ]]; then
+        print_validation_error "The values allowed for PGPOOL_AUTHENTICATION_METHOD: md5,scram-sha-256,trust"
+    elif [[ "$PGPOOL_AUTHENTICATION_METHOD" = "trust" ]]; then
+        warn "You set 'trust' as authentication method. For safety reasons, do not use this method in production environments."
+    fi
+
+    # Check for required environment variables for scram-sha-256 based authentication
+    if [[ "$PGPOOL_AUTHENTICATION_METHOD" = "scram-sha-256" ]]; then
+        # If scram-sha-256 is enabled, pg_pool_password cannot be disabled
+        if ! is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD"; then
+            print_validation_error "PGPOOL_ENABLE_POOL_PASSWD cannot be disabled when PGPOOL_AUTHENTICATION_METHOD=scram-sha-256"
+        fi
+    fi
+
+    # Custom users validations
+    read -r -a custom_users_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_POSTGRES_CUSTOM_USERS}")"
+    read -r -a custom_passwords_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_POSTGRES_CUSTOM_PASSWORDS}")"
+    if [[ ${#custom_users_list[@]} -ne ${#custom_passwords_list[@]} ]]; then
+        print_validation_error "PGPOOL_POSTGRES_CUSTOM_USERS and PGPOOL_POSTGRES_CUSTOM_PASSWORDS lists should have the same length"
+    fi
+
+    [[ "$error_code" -eq 0 ]] || exit "$error_code"
+}
+
+########################
+# Returns backend nodes info using PCP
+# Globals:
+#   PGPOOL_*
+# Returns:
+#   String with backend nodes info
+#########################
+pgpool_nodes_info() {
+    PCPPASSFILE=$(mktemp /tmp/pcppass-XXXXX)
+    export PCPPASSFILE
+    echo "localhost:9898:${PGPOOL_ADMIN_USERNAME}:${PGPOOL_ADMIN_PASSWORD}" >"${PCPPASSFILE}"
+    pcp_node_info -h localhost -U "${PGPOOL_ADMIN_USERNAME}" -p 9898 -a -w 2> /dev/null
+    rm -rf "$PCPPASSFILE"
+    unset PCPPASSFILE
+}
+
+########################
+# Attach a backend node to Pgpool-II
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   $1 - node id
+# Returns:
+#   None
+#########################
+pgpool_attach_node() {
+    local -r node_id=${1:?node id is missing}
+
+    echo "Attaching backend node..."
+    PCPPASSFILE=$(mktemp /tmp/pcppass-XXXXX)
+    export PCPPASSFILE
+    echo "localhost:9898:${PGPOOL_ADMIN_USERNAME}:${PGPOOL_ADMIN_PASSWORD}" >"${PCPPASSFILE}"
+    pcp_attach_node -h localhost -U "${PGPOOL_ADMIN_USERNAME}" -p 9898 -n "${node_id}" -w
+    rm -rf "$PCPPASSFILE"
+    unset PCPPASSFILE
+}
+
+########################
+# Check Pgpool-II health and attached offline backends when they are online
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   None
+# Returns:
+#   0 when healthy
+#   1 when unhealthy
+#########################
+pgpool_healthcheck() {
+    local backends node_id node_host node_port
+
+    # Check backend nodes
+    if backends="$(pgpool_nodes_info)"; then
+        # We're not interested in nodes marked as down|down
+        backends="$(grep -v "down down" <<< "$backends")"
+        # We should also check whether there are discrepancies between Pgpool-II and the actual primary node
+        if grep -e "standby primary" -e "primary standby" <<< "$backends" > /dev/null; then
+            echo "Found inconsistencies in pgpool_status"
+            return 1
+        fi
+        # Look up backends that are marked offline but being up
+        read -r -a nodes_to_attach <<< "$(grep "down up" <<< "$backends" | awk '{print $1,$2}' | tr ' ' '|' | tr '\n' ' ')"
+        for node in "${nodes_to_attach[@]}"; do
+            node_host=$(echo "$node" | awk -F '|' '{print $1}')
+            node_port=$(echo "$node" | awk -F '|' '{print $2}')
+            node_id=$(grep "$node_host" "$PGPOOL_CONF_FILE" | awk '{print $1}' | sed 's/^backend_hostname//')
+            if [[ $(PGCONNECT_TIMEOUT=3 PGPASSWORD="${PGPOOL_POSTGRES_PASSWORD}" psql -U "${PGPOOL_POSTGRES_USERNAME}" \
+                -d postgres -h "${node_host}" -p "${node_port}" -tA -c "SELECT 1" || true) == 1 ]]; then
+                # Attach backend if it has come back online
+                pgpool_attach_node "$node_id"
+            fi
+        done
+    else
+        echo "unable to list pool nodes"
+        return 1
+    fi
+
+    # Check if Pgpool-II responds to simple queries
+    PGCONNECT_TIMEOUT=$PGPOOL_HEALTH_CHECK_PSQL_TIMEOUT PGPASSWORD="$PGPOOL_POSTGRES_PASSWORD" \
+        psql -U "$PGPOOL_POSTGRES_USERNAME" -d postgres -h "$PGPOOL_TMP_DIR" -p "$PGPOOL_PORT_NUMBER" \
+        -tA -c "SELECT 1" 2> /dev/null
+}
+
+########################
+# Create basic pg_hba.conf file
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+pgpool_create_pghba() {
+    local all_authentication="$PGPOOL_AUTHENTICATION_METHOD"
+    is_boolean_yes "$PGPOOL_ENABLE_LDAP" && all_authentication="pam pamservice=pgpool"
+    local postgres_authentication="scram-sha-256"
+    # We avoid using 'trust' for the postgres user even if PGPOOL_AUTHENTICATION_METHOD is set to 'trust'
+    [[ "$PGPOOL_AUTHENTICATION_METHOD" = "md5" ]] && postgres_authentication="md5"
+
+    info "Generating pg_hba.conf file..."
+    local postgres_auth_line=""
+    if is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD"; then
+        postgres_auth_line="host     all             ${PGPOOL_POSTGRES_USERNAME}       all        ${postgres_authentication}"
+    fi
+    local sr_check_auth_line=""
+    if [[ -n "$PGPOOL_SR_CHECK_USER" ]]; then
+        sr_check_auth_line="host     all             ${PGPOOL_SR_CHECK_USER}            all        ${postgres_authentication}"
+    fi
+
+    cat >"$PGPOOL_PGHBA_FILE" <<EOF
+local    all             all                            trust
+EOF
+
+    if ! is_empty_value "$PGPOOL_TLS_CA_FILE"; then
+        cat >>"$PGPOOL_PGHBA_FILE" <<EOF
+hostssl     all             all             0.0.0.0/0               cert
+hostssl     all             all             ::/0                    cert
+EOF
+    fi
+
+    cat >>"$PGPOOL_PGHBA_FILE" <<EOF
+${sr_check_auth_line}
+${postgres_auth_line}
+host     all             all                all         ${all_authentication}
+EOF
+}
+
+########################
+# Modify the pgpool.conf file by setting a property
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   $1 - property
+#   $2 - value
+#   $3 - Path to configuration file (default: $PGPOOL_CONF_FILE)
+# Returns:
+#   None
+#########################
+pgpool_set_property() {
+    local -r property="${1:?missing property}"
+    local -r value="${2:-}"
+    local -r conf_file="${3:-$PGPOOL_CONF_FILE}"
+    replace_in_file "$conf_file" "^#*\s*${property}\s*=.*" "${property} = '${value}'" false
+}
+
+########################
+# Add a backend configuration to pgpool.conf file
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+pgpool_create_backend_config() {
+    local -r node=${1:?node is missing}
+    local -r application="${2:-}"
+
+    # default values
+    read -r -a fields <<<"$(tr ':' ' ' <<<"${node}")"
+    local -r num="${fields[0]:?field num is needed}"
+    local -r host="${fields[1]:?field host is needed}"
+    local -r port="${fields[2]:-5432}"
+    local -r weight="${fields[3]:-1}"
+    local -r dir="${fields[4]:-$PGPOOL_DATA_DIR}"
+    local -r flag="${fields[5]:-ALLOW_TO_FAILOVER}"
+
+    debug "Adding '$host' information to the configuration..."
+    cat >>"$PGPOOL_CONF_FILE" <<EOF
+backend_hostname$num = '$host'
+backend_port$num = $port
+backend_weight$num = $weight
+backend_data_directory$num = '$dir'
+backend_flag$num = '$flag'
+EOF
+    if [[ -n "$application" ]]; then
+        cat >>"$PGPOOL_CONF_FILE" <<EOF
+backend_application_name$num = '$application'
+EOF
+    fi
+}
+
+########################
+# Create basic pgpool.conf file using the example provided in the etc/ folder
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+pgpool_create_config() {
+    local pool_passwd=""
+    local i=0
+
+    if is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD"; then
+        pool_passwd="$PGPOOL_PASSWD_FILE"
+    else
+        # Specifying '' (empty) disables the use of password file.
+        # ref: https://www.pgpool.net/docs/latest/en/html/runtime-config-connection.html#GUC-POOL-PASSWD
+        pool_passwd=""
+    fi
+
+    info "Generating pgpool.conf file..."
+    # Configuring Pgpool-II to use the streaming replication mode since it's the recommended way
+    # ref: http://www.pgpool.net/docs/latest/en/html/configuring-pgpool.html
+    cp "${PGPOOL_BASE_DIR}/etc/pgpool.conf.sample" "$PGPOOL_CONF_FILE"
+
+    # Working directory
+    pgpool_set_property "work_dir" "$PGPOOL_WORK_DIR"
+
+    # Connection settings
+    # ref: http://www.pgpool.net/docs/latest/en/html/runtime-config-connection.html#RUNTIME-CONFIG-CONNECTION-SETTINGS
+    pgpool_set_property "listen_addresses" "*"
+    pgpool_set_property "port" "$PGPOOL_PORT_NUMBER"
+    pgpool_set_property "unix_socket_directories" "$PGPOOL_TMP_DIR"
+    pgpool_set_property "pcp_socket_dir" "$PGPOOL_TMP_DIR"
+    # Connection Pooling settings
+    # http://www.pgpool.net/docs/latest/en/html/runtime-config-connection-pooling.html
+    [[ -n "${PGPOOL_NUM_INIT_CHILDREN:-}" ]] && pgpool_set_property "num_init_children" "$PGPOOL_NUM_INIT_CHILDREN"
+    [[ -n "${PGPOOL_RESERVED_CONNECTIONS:-}" ]] && pgpool_set_property "reserved_connections" "$PGPOOL_RESERVED_CONNECTIONS"
+    pgpool_set_property "max_pool" "$PGPOOL_MAX_POOL"
+    [[ -n "${PGPOOL_CHILD_MAX_CONNECTIONS:-}" ]] && pgpool_set_property "child_max_connections" "$PGPOOL_CHILD_MAX_CONNECTIONS"
+    [[ -n "${PGPOOL_CHILD_LIFE_TIME:-}" ]] && pgpool_set_property "child_life_time" "$PGPOOL_CHILD_LIFE_TIME"
+    pgpool_set_property "connection_cache" "$(is_boolean_yes "$PGPOOL_ENABLE_CONNECTION_CACHE" && echo "on" || echo "off")"
+    [[ -n "${PGPOOL_CONNECTION_LIFE_TIME:-}" ]] && pgpool_set_property "connection_life_time" "$PGPOOL_CONNECTION_LIFE_TIME"
+    [[ -n "${PGPOOL_CLIENT_IDLE_LIMIT-}" ]] && pgpool_set_property "client_idle_limit" "$PGPOOL_CLIENT_IDLE_LIMIT"
+    # Logging settings
+    # https://www.pgpool.net/docs/latest/en/html/runtime-config-logging.html
+    pgpool_set_property "log_connections" "$(is_boolean_yes "$PGPOOL_ENABLE_LOG_CONNECTIONS" && echo "on" || echo "off")"
+    pgpool_set_property "log_hostname" "$(is_boolean_yes "$PGPOOL_ENABLE_LOG_HOSTNAME" && echo "on" || echo "off")"
+    pgpool_set_property "log_pcp_processes" "$(is_boolean_yes "$PGPOOL_ENABLE_LOG_PCP_PROCESSES" && echo "on" || echo "off")"
+    pgpool_set_property "log_per_node_statement" "$(is_boolean_yes "$PGPOOL_ENABLE_LOG_PER_NODE_STATEMENT" && echo "on" || echo "off")"
+    [[ -n "${PGPOOL_LOG_LINE_PREFIX:-}" ]] && pgpool_set_property "log_line_prefix" "$PGPOOL_LOG_LINE_PREFIX"
+    [[ -n "${PGPOOL_CLIENT_MIN_MESSAGES:-}" ]] && pgpool_set_property "client_min_messages" "$PGPOOL_CLIENT_MIN_MESSAGES"
+    # Authentication settings
+    # ref: http://www.pgpool.net/docs/latest/en/html/runtime-config-connection.html#RUNTIME-CONFIG-AUTHENTICATION-SETTINGS
+    pgpool_set_property "enable_pool_hba" "$(is_boolean_yes "$PGPOOL_ENABLE_POOL_HBA" && echo "on" || echo "off")"
+    # ref: https://www.pgpool.net/docs/latest/en/html/runtime-config-connection.html#GUC-ALLOW-CLEAR-TEXT-FRONTEND-AUTH
+    if ! is_boolean_yes "$PGPOOL_ENABLE_POOL_HBA" || [[ "$PGPOOL_AUTHENTICATION_METHOD" = "trust" ]]; then
+        pgpool_set_property "allow_clear_text_frontend_auth" "on"
+    else
+        pgpool_set_property "allow_clear_text_frontend_auth" "off"
+    fi
+    pgpool_set_property "pool_passwd" "$pool_passwd"
+    pgpool_set_property "authentication_timeout" "30"
+    # File Locations settings
+    pgpool_set_property "pid_file_name" "$PGPOOL_PID_FILE"
+    pgpool_set_property "logdir" "$PGPOOL_LOG_DIR"
+    # Load Balancing settings
+    # https://www.pgpool.net/docs/latest/en/html/runtime-config-load-balancing.html
+    pgpool_set_property "load_balance_mode" "$(is_boolean_yes "$PGPOOL_ENABLE_LOAD_BALANCING" && echo "on" || echo "off")"
+    pgpool_set_property "black_function_list" "nextval,setval"
+    pgpool_set_property "statement_level_load_balance" "$(is_boolean_yes "$PGPOOL_ENABLE_STATEMENT_LOAD_BALANCING" && echo "on" || echo "off")"
+    # Streaming Replication Check settings
+    # https://www.pgpool.net/docs/latest/en/html/runtime-streaming-replication-check.html
+    pgpool_set_property "sr_check_user" "$PGPOOL_SR_CHECK_USER"
+    pgpool_set_property "sr_check_password" "$(pgpool_encrypt_password ${PGPOOL_SR_CHECK_PASSWORD})"
+    pgpool_set_property "sr_check_period" "$PGPOOL_SR_CHECK_PERIOD"
+    pgpool_set_property "sr_check_database" "$PGPOOL_SR_CHECK_DATABASE"
+    # Healthcheck per node settings
+    # https://www.pgpool.net/docs/latest/en/html/runtime-config-health-check.html
+    pgpool_set_property "health_check_period" "$PGPOOL_HEALTH_CHECK_PERIOD"
+    pgpool_set_property "health_check_timeout" "$PGPOOL_HEALTH_CHECK_TIMEOUT"
+    pgpool_set_property "health_check_user" "$PGPOOL_HEALTH_CHECK_USER"
+    pgpool_set_property "health_check_password" "$(pgpool_encrypt_password ${PGPOOL_HEALTH_CHECK_PASSWORD})"
+    pgpool_set_property "health_check_max_retries" "$PGPOOL_HEALTH_CHECK_MAX_RETRIES"
+    pgpool_set_property "health_check_retry_delay" "$PGPOOL_HEALTH_CHECK_RETRY_DELAY"
+    pgpool_set_property "connect_timeout" "$PGPOOL_CONNECT_TIMEOUT"
+    # Failover settings
+    pgpool_set_property "failover_command" "echo \">>> Failover - that will initialize new primary node search!\""
+    pgpool_set_property "failover_on_backend_error" "$PGPOOL_FAILOVER_ON_BACKEND_ERROR"
+    pgpool_set_property "failover_on_backend_shutdown" "$PGPOOL_FAILOVER_ON_BACKEND_SHUTDOWN"
+    # Keeps searching for a primary node forever when a failover occurs
+    pgpool_set_property "search_primary_node_timeout" "0"
+    pgpool_set_property "disable_load_balance_on_write" "$PGPOOL_DISABLE_LOAD_BALANCE_ON_WRITE"
+    # SSL settings
+    # https://www.pgpool.net/docs/latest/en/html/runtime-ssl.html
+    if is_boolean_yes "$PGPOOL_ENABLE_TLS"; then
+        chmod 600 "$PGPOOL_TLS_KEY_FILE" || warn "Could not set compulsory permissions (600) on file ${PGPOOL_TLS_KEY_FILE}"
+        pgpool_set_property "ssl" "on"
+        # Server ciphers are preferred by default
+        ! is_boolean_yes "$PGPOOL_TLS_PREFER_SERVER_CIPHERS" && pgpool_set_property "ssl_prefer_server_ciphers" "off"
+        [[ -n $PGPOOL_TLS_CA_FILE ]] && pgpool_set_property "ssl_ca_cert" "$PGPOOL_TLS_CA_FILE"
+        pgpool_set_property "ssl_cert" "$PGPOOL_TLS_CERT_FILE"
+        pgpool_set_property "ssl_key" "$PGPOOL_TLS_KEY_FILE"
+    fi
+
+    # Backend settings
+    read -r -a nodes <<<"$(tr ',;' ' ' <<<"${PGPOOL_BACKEND_NODES}")"
+    if is_boolean_yes "$PGPOOL_AUTO_FAILBACK"; then
+        pgpool_set_property "auto_failback" "on"
+
+        read -r -a app_name <<<"$(tr ',;' ' ' <<<"${PGPOOL_BACKEND_APPLICATION_NAMES}")"
+    fi
+
+    for node in "${nodes[@]}"; do
+        pgpool_create_backend_config "$node" "$(is_boolean_yes "$PGPOOL_AUTO_FAILBACK" && echo "${app_name[i]}")"
+        ((i += 1))
+    done
+
+    if [[ -f "$PGPOOL_USER_CONF_FILE" ]]; then
+        info "Custom configuration '$PGPOOL_USER_CONF_FILE' detected!. Adding it to the configuration file."
+        cat "$PGPOOL_USER_CONF_FILE" >>"$PGPOOL_CONF_FILE"
+    fi
+
+    if [[ -f "$PGPOOL_USER_HBA_FILE" ]]; then
+        info "Custom configuration '$PGPOOL_USER_HBA_FILE' detected!. Overwriting the generated hba file."
+        cat "$PGPOOL_USER_HBA_FILE" >"$PGPOOL_PGHBA_FILE"
+    fi
+}
+
+########################
+# Execute postgresql encrypt command
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   $@ - Command to execute
+# Returns:
+#   String
+#########################
+pgpool_encrypt_execute() {
+    local -a password_encryption_cmd=("pg_md5")
+
+    # If authentication method for 'all' users is 'trust', we still use
+    # pg_enc to generate encrypted passwords for 'postgres' and 'sr_check' users
+    if [[ "$PGPOOL_AUTHENTICATION_METHOD" =~ ^(scram-sha-256|trust)$ ]]; then
+        if is_file_writable "$PGPOOLKEYFILE"; then
+            # Creating a PGPOOLKEYFILE as it is writeable
+            echo "$PGPOOL_AES_KEY" > "$PGPOOLKEYFILE"
+            # Fix permissions for PGPOOLKEYFILE
+            chmod 0600 "$PGPOOLKEYFILE"
+        fi
+        password_encryption_cmd=("pg_enc" "--key-file=${PGPOOLKEYFILE}")
+    fi
+
+    "${password_encryption_cmd[@]}" "$@"
+}
+
+########################
+# Generates a password file for local authentication
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+pgpool_generate_password_file() {
+    if is_boolean_yes "$PGPOOL_ENABLE_POOL_PASSWD"; then
+        info "Generating password file for local authentication..."
+
+        debug_execute pgpool_encrypt_execute -m --config-file="$PGPOOL_CONF_FILE" -u "$PGPOOL_POSTGRES_USERNAME" "$PGPOOL_POSTGRES_PASSWORD"
+        if [[ -n "$PGPOOL_SR_CHECK_USER" ]]; then
+            debug_execute pgpool_encrypt_execute -m --config-file="$PGPOOL_CONF_FILE" -u "$PGPOOL_SR_CHECK_USER" "$PGPOOL_SR_CHECK_PASSWORD"
+        fi
+
+        if [[ -n "${PGPOOL_POSTGRES_CUSTOM_USERS}" ]]; then
+            read -r -a custom_users_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_POSTGRES_CUSTOM_USERS}")"
+            read -r -a custom_passwords_list <<<"$(tr ',;' ' ' <<<"${PGPOOL_POSTGRES_CUSTOM_PASSWORDS}")"
+
+            local index=0
+            for user in "${custom_users_list[@]}"; do
+                debug_execute pgpool_encrypt_execute -m --config-file="$PGPOOL_CONF_FILE" -u "$user" "${custom_passwords_list[$index]}"
+                ((index += 1))
+            done
+        fi
+    else
+        info "Skip generating password file due to PGPOOL_ENABLE_POOL_PASSWD = no"
+    fi
+}
+
+########################
+# Encrypts a password
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   $1 - password
+# Returns:
+#   String
+#########################
+pgpool_encrypt_password() {
+    local -r password="${1:?missing password}"
+
+    if [[ "$PGPOOL_AUTHENTICATION_METHOD" =~ ^(scram-sha-256|trust)$ ]]; then
+        pgpool_encrypt_execute "$password" | grep -o -E "AES.+" | tr -d '\n'
+    else
+        pgpool_encrypt_execute "$password" | tr -d '\n'
+    fi
+}
+
+########################
+# Run custom initialization scripts
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+pgpool_custom_init_scripts() {
+    if [[ -n $(find "$PGPOOL_INITSCRIPTS_DIR/" -type f -name "*.sh") ]]; then
+        info "Loading user's custom files from $PGPOOL_INITSCRIPTS_DIR ..."
+        find "$PGPOOL_INITSCRIPTS_DIR/" -type f -name "*.sh" | sort | while read -r f; do
+            if [[ -x "$f" ]]; then
+                debug "Executing $f"
+                "$f"
+            else
+                debug "Sourcing $f"
+                . "$f"
+            fi
+        done
+    fi
+}
+
+########################
+# Generate a password file for pgpool admin user
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+pgpool_generate_admin_password_file() {
+    info "Generating password file for pgpool admin user..."
+    local passwd
+
+    passwd=$(pg_md5 "$PGPOOL_ADMIN_PASSWORD")
+    cat >>"$PGPOOL_PCP_CONF_FILE" <<EOF
+$PGPOOL_ADMIN_USERNAME:$passwd
+EOF
+}
+
+########################
+# Ensure Pgpool is initialized
+# Globals:
+#   PGPOOL_*
+# Arguments:
+#   None
+# Returns:
+#   None
+#########################
+pgpool_initialize() {
+    info "Initializing Pgpool-II..."
+
+    # This fixes an issue where the trap would kill the entrypoint.sh, if a PID was left over from a previous run
+    # Exec replaces the process without creating a new one, and when the container is restarted it may have the same PID
+    rm -f "$PGPOOL_PID_FILE"
+
+    # Configuring permissions for tmp, logs and data folders
+    am_i_root && configure_permissions_ownership "$PGPOOL_TMP_DIR $PGPOOL_LOG_DIR" -u "$PGPOOL_DAEMON_USER" -g "$PGPOOL_DAEMON_GROUP"
+    am_i_root && configure_permissions_ownership "$PGPOOL_DATA_DIR" -u "$PGPOOL_DAEMON_USER" -g "$PGPOOL_DAEMON_GROUP" -d "755" -f "644"
+
+    pgpool_create_pghba
+    pgpool_create_config
+    pgpool_generate_password_file
+    pgpool_generate_admin_password_file
+}
--- a/rootfs/opt/bitnami/scripts/pgpool-env.sh
+++ b/rootfs/opt/bitnami/scripts/pgpool-env.sh
@@ -0,0 +1,173 @@
+#!/bin/bash
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+#
+# Environment configuration for pgpool
+
+# The values for all environment variables will be set in the below order of precedence
+# 1. Custom environment variables defined below after Bitnami defaults
+# 2. Constants defined in this file (environment variables with no default), i.e. BITNAMI_ROOT_DIR
+# 3. Environment variables overridden via external files using *_FILE variables (see below)
+# 4. Environment variables set externally (i.e. current Bash context/Dockerfile/userdata)
+
+# Load logging library
+# shellcheck disable=SC1090,SC1091
+. /opt/bitnami/scripts/liblog.sh
+
+export BITNAMI_ROOT_DIR="/opt/bitnami"
+export BITNAMI_VOLUME_DIR="/bitnami"
+
+# Logging configuration
+export MODULE="${MODULE:-pgpool}"
+export BITNAMI_DEBUG="${BITNAMI_DEBUG:-false}"
+
+# By setting an environment variable matching *_FILE to a file path, the prefixed environment
+# variable will be overridden with the value specified in that file
+pgpool_env_vars=(
+    PGPOOL_WORK_DIR
+    PGPOOL_USER_CONF_FILE
+    PGPOOL_USER_HBA_FILE
+    PGPOOL_PASSWD_FILE
+    PGPOOL_PORT_NUMBER
+    PGPOOL_ENABLE_POOL_HBA
+    PGPOOL_ENABLE_POOL_PASSWD
+    PGPOOL_ENABLE_LOAD_BALANCING
+    PGPOOL_ENABLE_STATEMENT_LOAD_BALANCING
+    PGPOOL_DISABLE_LOAD_BALANCE_ON_WRITE
+    PGPOOL_ENABLE_CONNECTION_CACHE
+    PGPOOL_TIMEOUT
+    PGPOOL_CONNECT_TIMEOUT
+    PGPOOL_MAX_POOL
+    PGPOOL_HEALTH_CHECK_PERIOD
+    PGPOOL_HEALTH_CHECK_TIMEOUT
+    PGPOOL_HEALTH_CHECK_MAX_RETRIES
+    PGPOOL_HEALTH_CHECK_RETRY_DELAY
+    PGPOOL_HEALTH_CHECK_PSQL_TIMEOUT
+    PGPOOL_AUTO_FAILBACK
+    PGPOOL_DISCARD_STATUS
+    PGPOOL_SR_CHECK_USER
+    PGPOOL_SR_CHECK_PASSWORD
+    PGPOOL_SR_CHECK_DATABASE
+    PGPOOL_SR_CHECK_PERIOD
+    PGPOOL_HEALTH_CHECK_USER
+    PGPOOL_HEALTH_CHECK_PASSWORD
+    PGPOOL_ADMIN_USERNAME
+    PGPOOL_ADMIN_PASSWORD
+    PGPOOL_POSTGRES_USERNAME
+    PGPOOL_POSTGRES_PASSWORD
+    PGPOOL_POSTGRES_CUSTOM_USERS
+    PGPOOL_POSTGRES_CUSTOM_PASSWORDS
+    PGPOOL_ENABLE_LDAP
+    PGPOOL_AUTHENTICATION_METHOD
+    PGPOOL_AES_KEY
+    PGPOOL_ENABLE_TLS
+    PGPOOL_TLS_CA_FILE
+    PGPOOL_TLS_CERT_FILE
+    PGPOOL_TLS_KEY_FILE
+    PGPOOL_TLS_PREFER_SERVER_CIPHERS
+    PGPOOL_ENABLE_LOG_CONNECTIONS
+    PGPOOL_ENABLE_LOG_HOSTNAME
+    PGPOOL_ENABLE_LOG_PCP_PROCESSES
+    PGPOOL_ENABLE_LOG_PER_NODE_STATEMENT
+    PGPOOL_BACKEND_NODES
+    PGPOOL_BACKEND_APPLICATION_NAMES
+    PGPOOL_FAILOVER_ON_BACKEND_SHUTDOWN
+    PGPOOL_FAILOVER_ON_BACKEND_ERROR
+    PGPOOL_DAEMON_USER
+    PGPOOL_DAEMON_GROUP
+)
+for env_var in "${pgpool_env_vars[@]}"; do
+    file_env_var="${env_var}_FILE"
+    if [[ -n "${!file_env_var:-}" ]]; then
+        if [[ -r "${!file_env_var:-}" ]]; then
+            export "${env_var}=$(< "${!file_env_var}")"
+            unset "${file_env_var}"
+        else
+            warn "Skipping export of '${env_var}'. '${!file_env_var:-}' is not readable."
+        fi
+    fi
+done
+unset pgpool_env_vars
+
+# Paths
+export PGPOOL_BASE_DIR="${BITNAMI_ROOT_DIR}/pgpool"
+export PGPOOL_BIN_DIR="${PGPOOL_BASE_DIR}/bin"
+export PGPOOL_DATA_DIR="${PGPOOL_BASE_DIR}/data"
+export PGPOOL_DEFAULT_CONF_DIR="${PGPOOL_BASE_DIR}/conf.default"
+export PGPOOL_CONF_DIR="${PGPOOL_BASE_DIR}/conf"
+export PGPOOL_DEFAULT_ETC_DIR="${PGPOOL_BASE_DIR}/etc.default"
+export PGPOOL_ETC_DIR="${PGPOOL_BASE_DIR}/etc"
+export PGPOOL_LOG_DIR="${PGPOOL_BASE_DIR}/logs"
+export PGPOOL_TMP_DIR="${PGPOOL_BASE_DIR}/tmp"
+export PGPOOL_WORK_DIR="${PGPOOL_WORK_DIR:-/tmp}"
+export PGPOOL_INITSCRIPTS_DIR="/docker-entrypoint-initdb.d"
+export PGPOOL_CONF_FILE="${PGPOOL_CONF_DIR}/pgpool.conf"
+export PGPOOL_PCP_CONF_FILE="${PGPOOL_ETC_DIR}/pcp.conf"
+export PGPOOL_PGHBA_FILE="${PGPOOL_CONF_DIR}/pool_hba.conf"
+export PGPOOL_USER_CONF_FILE="${PGPOOL_USER_CONF_FILE:-}"
+export PGPOOL_USER_HBA_FILE="${PGPOOL_USER_HBA_FILE:-}"
+export PGPOOL_LOG_FILE="${PGPOOL_LOG_DIR}/pgpool.log"
+export PGPOOL_PID_FILE="${PGPOOL_TMP_DIR}/pgpool.pid"
+export PGPOOL_PASSWD_FILE="${PGPOOL_PASSWD_FILE:-pool_passwd}"
+export PGPOOLKEYFILE="${PGPOOL_CONF_DIR}/.pgpoolkey"
+
+# General Pgpool-II settings
+export PGPOOL_PORT_NUMBER="${PGPOOL_PORT_NUMBER:-5432}"
+export PGPOOL_ENABLE_POOL_HBA="${PGPOOL_ENABLE_POOL_HBA:-yes}"
+export PGPOOL_ENABLE_POOL_PASSWD="${PGPOOL_ENABLE_POOL_PASSWD:-yes}"
+export PGPOOL_ENABLE_LOAD_BALANCING="${PGPOOL_ENABLE_LOAD_BALANCING:-yes}"
+export PGPOOL_ENABLE_STATEMENT_LOAD_BALANCING="${PGPOOL_ENABLE_STATEMENT_LOAD_BALANCING:-no}"
+export PGPOOL_DISABLE_LOAD_BALANCE_ON_WRITE="${PGPOOL_DISABLE_LOAD_BALANCE_ON_WRITE:-transaction}"
+export PGPOOL_ENABLE_CONNECTION_CACHE="${PGPOOL_ENABLE_CONNECTION_CACHE:-yes}"
+export PGPOOL_TIMEOUT="${PGPOOL_TIMEOUT:-360}"
+export PGPOOL_CONNECT_TIMEOUT="${PGPOOL_CONNECT_TIMEOUT:-10000}"
+export PGPOOL_MAX_POOL="${PGPOOL_MAX_POOL:-15}"
+export PGPOOL_HEALTH_CHECK_PERIOD="${PGPOOL_HEALTH_CHECK_PERIOD:-30}"
+export PGPOOL_HEALTH_CHECK_TIMEOUT="${PGPOOL_HEALTH_CHECK_TIMEOUT:-10}"
+export PGPOOL_HEALTH_CHECK_MAX_RETRIES="${PGPOOL_HEALTH_CHECK_MAX_RETRIES:-5}"
+export PGPOOL_HEALTH_CHECK_RETRY_DELAY="${PGPOOL_HEALTH_CHECK_RETRY_DELAY:-5}"
+export PGPOOL_HEALTH_CHECK_PSQL_TIMEOUT="${PGPOOL_HEALTH_CHECK_PSQL_TIMEOUT:-15}"
+export PGPOOL_AUTO_FAILBACK="${PGPOOL_AUTO_FAILBACK:-no}"
+export PGPOOL_DISCARD_STATUS="${PGPOOL_DISCARD_STATUS:-yes}"
+
+# Authentication settings
+export PGPOOL_SR_CHECK_USER="${PGPOOL_SR_CHECK_USER:-}"
+export PGPOOL_SR_CHECK_PASSWORD="${PGPOOL_SR_CHECK_PASSWORD:-}"
+export PGPOOL_SR_CHECK_DATABASE="${PGPOOL_SR_CHECK_DATABASE:-postgres}"
+export PGPOOL_SR_CHECK_PERIOD="${PGPOOL_SR_CHECK_PERIOD:-30}"
+export PGPOOL_HEALTH_CHECK_USER="${PGPOOL_HEALTH_CHECK_USER:-$PGPOOL_SR_CHECK_USER}"
+export PGPOOL_HEALTH_CHECK_PASSWORD="${PGPOOL_HEALTH_CHECK_PASSWORD:-$PGPOOL_SR_CHECK_PASSWORD}"
+export PGPOOL_ADMIN_USERNAME="${PGPOOL_ADMIN_USERNAME:-}"
+export PGPOOL_ADMIN_PASSWORD="${PGPOOL_ADMIN_PASSWORD:-}"
+export PGPOOL_POSTGRES_USERNAME="${PGPOOL_POSTGRES_USERNAME:-postgres}"
+export PGPOOL_POSTGRES_PASSWORD="${PGPOOL_POSTGRES_PASSWORD:-}"
+export PGPOOL_POSTGRES_CUSTOM_USERS="${PGPOOL_POSTGRES_CUSTOM_USERS:-}"
+export PGPOOL_POSTGRES_CUSTOM_PASSWORDS="${PGPOOL_POSTGRES_CUSTOM_PASSWORDS:-}"
+export PGPOOL_ENABLE_LDAP="${PGPOOL_ENABLE_LDAP:-no}"
+export PGPOOL_AUTHENTICATION_METHOD="${PGPOOL_AUTHENTICATION_METHOD:-scram-sha-256}"
+export PGPOOL_AES_KEY="${PGPOOL_AES_KEY:-head -c 20 /dev/urandom | base64}"
+
+# TLS settings
+export PGPOOL_ENABLE_TLS="${PGPOOL_ENABLE_TLS:-no}"
+export PGPOOL_TLS_CA_FILE="${PGPOOL_TLS_CA_FILE:-}"
+export PGPOOL_TLS_CERT_FILE="${PGPOOL_TLS_CERT_FILE:-}"
+export PGPOOL_TLS_KEY_FILE="${PGPOOL_TLS_KEY_FILE:-}"
+export PGPOOL_TLS_PREFER_SERVER_CIPHERS="${PGPOOL_TLS_PREFER_SERVER_CIPHERS:-yes}"
+
+# Logging settings
+export PGPOOL_ENABLE_LOG_CONNECTIONS="${PGPOOL_ENABLE_LOG_CONNECTIONS:-no}"
+export PGPOOL_ENABLE_LOG_HOSTNAME="${PGPOOL_ENABLE_LOG_HOSTNAME:-no}"
+export PGPOOL_ENABLE_LOG_PCP_PROCESSES="${PGPOOL_ENABLE_LOG_PCP_PROCESSES:-yes}"
+export PGPOOL_ENABLE_LOG_PER_NODE_STATEMENT="${PGPOOL_ENABLE_LOG_PER_NODE_STATEMENT:-no}"
+
+# PostgreSQL backend settings
+export PGPOOL_BACKEND_NODES="${PGPOOL_BACKEND_NODES:-}"
+export PGPOOL_BACKEND_APPLICATION_NAMES="${PGPOOL_BACKEND_APPLICATION_NAMES:-}"
+export PGPOOL_FAILOVER_ON_BACKEND_SHUTDOWN="${PGPOOL_FAILOVER_ON_BACKEND_SHUTDOWN:-on}"
+export PGPOOL_FAILOVER_ON_BACKEND_ERROR="${PGPOOL_FAILOVER_ON_BACKEND_ERROR:-off}"
+
+# System settings
+export PGPOOL_DAEMON_USER="${PGPOOL_DAEMON_USER:-pgpool}"
+export PGPOOL_DAEMON_GROUP="${PGPOOL_DAEMON_GROUP:-pgpool}"
+
+# Custom environment variables may be defined below
--- a/rootfs/opt/bitnami/scripts/pgpool/entrypoint.sh
+++ b/rootfs/opt/bitnami/scripts/pgpool/entrypoint.sh
@@ -0,0 +1,48 @@
+#!/bin/bash
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+#
+# Bitnami Pgpool-II entrypoint
+
+# shellcheck disable=SC1091
+
+set -o errexit
+set -o nounset
+set -o pipefail
+#set -o xtrace
+
+# Load libraries
+. /opt/bitnami/scripts/libbitnami.sh
+. /opt/bitnami/scripts/liblog.sh
+. /opt/bitnami/scripts/libfs.sh
+. /opt/bitnami/scripts/libpgpool.sh
+
+# Load Pgpool-II environment
+. /opt/bitnami/scripts/pgpool-env.sh
+
+print_welcome_page
+
+if ! is_dir_empty "$PGPOOL_DEFAULT_CONF_DIR"; then
+    # We add the copy from default config in the entrypoint to not break users
+    # bypassing the setup.sh logic. If the file already exists do not overwrite (in
+    # case someone mounts a configuration file in /opt/bitnami/pgpool/conf)
+    debug "Copying files from $PGPOOL_DEFAULT_CONF_DIR to $PGPOOL_CONF_DIR"
+    cp -nr "$PGPOOL_DEFAULT_CONF_DIR"/. "$PGPOOL_CONF_DIR"
+fi
+
+if ! is_dir_empty "$PGPOOL_DEFAULT_ETC_DIR"; then
+    # We add the copy from default config in the entrypoint to not break users
+    # bypassing the setup.sh logic. If the file already exists do not overwrite (in
+    # case someone mounts a configuration file in /opt/bitnami/pgpool/etc)
+    debug "Copying files from $PGPOOL_DEFAULT_ETC_DIR to $PGPOOL_ETC_DIR"
+    cp -nr "$PGPOOL_DEFAULT_ETC_DIR"/. "$PGPOOL_ETC_DIR"
+fi
+
+if [[ "$*" = *"/opt/bitnami/scripts/pgpool/run.sh"* ]]; then
+    info "** Starting Pgpool-II setup **"
+    /opt/bitnami/scripts/pgpool/setup.sh
+    info "** Pgpool-II setup finished! **"
+fi
+
+echo ""
+exec "$@"
--- a/rootfs/opt/bitnami/scripts/pgpool/healthcheck.sh
+++ b/rootfs/opt/bitnami/scripts/pgpool/healthcheck.sh
@@ -0,0 +1,20 @@
+#!/bin/bash
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+#
+# Bitnami Pgpool-II healthcheck
+
+# shellcheck disable=SC1091
+
+set -o errexit
+set -o nounset
+set -o pipefail
+# set -o xtrace # Uncomment this line for debugging purpose
+
+# Load libraries
+. /opt/bitnami/scripts/libpgpool.sh
+
+# Load Pgpool-II environment
+. /opt/bitnami/scripts/pgpool-env.sh
+
+pgpool_healthcheck
--- a/rootfs/opt/bitnami/scripts/pgpool/postunpack.sh
+++ b/rootfs/opt/bitnami/scripts/pgpool/postunpack.sh
@@ -0,0 +1,37 @@
+#!/bin/bash
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+#
+# Bitnami Pgpool-II postunpack
+
+# shellcheck disable=SC1091
+
+# Load libraries
+. /opt/bitnami/scripts/libfs.sh
+. /opt/bitnami/scripts/libldapclient.sh
+. /opt/bitnami/scripts/libpgpool.sh
+
+# Load Pgpool-II environment
+. /opt/bitnami/scripts/pgpool-env.sh
+# Load LDAP environment variables
+eval "$(ldap_env)"
+
+for dir in "$PGPOOL_INITSCRIPTS_DIR" "$PGPOOL_TMP_DIR" "$PGPOOL_LOG_DIR" "$PGPOOL_CONF_DIR" "$PGPOOL_DEFAULT_CONF_DIR" "$PGPOOL_ETC_DIR" "$PGPOOL_DEFAULT_ETC_DIR" "$PGPOOL_DATA_DIR"; do
+    ensure_dir_exists "$dir"
+    chmod -R g+rwX "$dir"
+done
+
+# LDAP permissions
+ldap_configure_permissions
+ldap_create_pam_config "pgpool"
+
+# Redirect all logging to stdout
+ln -sf /dev/stdout "$PGPOOL_LOG_FILE"
+
+if ! is_dir_empty "$PGPOOL_CONF_DIR"; then
+    cp -r "$PGPOOL_CONF_DIR"/* "$PGPOOL_DEFAULT_CONF_DIR"
+fi
+
+if ! is_dir_empty "$PGPOOL_ETC_DIR"; then
+    cp -r "$PGPOOL_ETC_DIR"/* "$PGPOOL_DEFAULT_ETC_DIR"
+fi
--- a/rootfs/opt/bitnami/scripts/pgpool/run.sh
+++ b/rootfs/opt/bitnami/scripts/pgpool/run.sh
@@ -0,0 +1,35 @@
+#!/bin/bash
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+#
+# Bitnami Pgpool-II run
+
+# shellcheck disable=SC1091
+
+set -o errexit
+set -o nounset
+set -o pipefail
+# set -o xtrace # Uncomment this line for debugging purpose
+
+# Load libraries
+. /opt/bitnami/scripts/liblog.sh
+. /opt/bitnami/scripts/libldapclient.sh
+. /opt/bitnami/scripts/libpgpool.sh
+
+# Load Pgpool-II environment
+. /opt/bitnami/scripts/pgpool-env.sh
+# Load LDAP environment variables
+eval "$(ldap_env)"
+
+command="$(command -v pgpool)"
+flags=("-n" "--config-file=${PGPOOL_CONF_FILE}" "--hba-file=${PGPOOL_PGHBA_FILE}")
+is_boolean_yes "$PGPOOL_DISCARD_STATUS" && flags+=("-D")
+[[ -z "${PGPOOL_EXTRA_FLAGS:-}" ]] || flags=("${flags[@]}" "${PGPOOL_EXTRA_FLAGS[@]}")
+
+is_boolean_yes "$PGPOOL_ENABLE_LDAP" && ldap_start_nslcd_bg
+info "** Starting Pgpool-II **"
+if am_i_root; then
+    exec_as_user "$PGPOOL_DAEMON_USER" "${command}" "${flags[@]}"
+else
+    exec "${command}" "${flags[@]}"
+fi
--- a/rootfs/opt/bitnami/scripts/pgpool/setup.sh
+++ b/rootfs/opt/bitnami/scripts/pgpool/setup.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Copyright Broadcom, Inc. All Rights Reserved.
+# SPDX-License-Identifier: APACHE-2.0
+#
+# Bitnami Pgpool-II setup
+
+# shellcheck disable=SC1091
+
+set -o errexit
+set -o nounset
+set -o pipefail
+# set -o xtrace # Uncomment this line for debugging purpose
+
+# Load libraries
+. /opt/bitnami/scripts/libldapclient.sh
+. /opt/bitnami/scripts/libpgpool.sh
+
+# Load Pgpool-II environment
+. /opt/bitnami/scripts/pgpool-env.sh
+# Load LDAP environment variables
+eval "$(ldap_env)"
+
+# Ensure Pgpool-II environment variables are valid
+pgpool_validate
+# Ensure 'daemon' user exists when running as 'root'
+am_i_root && ensure_user_exists "$PGPOOL_DAEMON_USER" --group "$PGPOOL_DAEMON_GROUP"
+am_i_root && ensure_user_exists "$LDAP_NSLCD_USER" --group "$LDAP_NSLCD_GROUP"
+# Ensure Pgpool-II is initialized
+pgpool_initialize
+# Ensure LDAP is initialized
+is_boolean_yes "$PGPOOL_ENABLE_LDAP" && ldap_initialize
+# Allow running custom initialization scripts
+pgpool_custom_init_scripts