Key feature: PgBouncer sits between Nextcloud and PostgreSQL and swaps Nextcloud's static credentials for short-lived dynamic credentials issued by Vault. Nextcloud has no idea about Vault — it thinks it's connecting to a regular PostgreSQL.
Proof of work
Real cluster logs — dynamic credentials in action. PgBouncer connects to PostgreSQL with a temporary user generated by Vault.
↑ Nextcloud connects with a dynamic user generated by Vault
root@k3s-master-prod — postgres roles
$ psql -U postgres -c '\du'
 Role name                   │ Attributes
─────────────────────────────┼─────────────────────────────────
 nextcloud                   │ Create DB
 postgres                    │ Superuser
 v-kubernet-nextclou-C6gO... │ valid until 2026-04-02 10:29:47
↑ Dynamic user with 1h TTL — Vault auto-deletes after expiry
How It Works
01 KUBERNETES AUTH (k8s auth method)
PgBouncer authenticates to Vault with its Kubernetes ServiceAccount token, via Vault's Kubernetes auth method. No static Vault token or password sits in any config file.
02 CREDENTIAL SWAP (credential swap)
Nextcloud connects to PgBouncer with its static credentials → PgBouncer accepts them and opens the upstream PostgreSQL session with dynamic credentials fetched from Vault. Nextcloud has no knowledge of Vault.
03 DYNAMIC SECRETS (TTL: 1h / max: 24h)
Vault generates a unique PostgreSQL login and password with a 1-hour TTL. When the TTL expires, Vault drops the temporary user; the nextcloud-role stays in place as the template from which the next credentials are issued.
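The three steps above, 01 through 03, come together in a handful of Vault and PgBouncer configuration files. The script below is an added example, not the page's own configuration: it renders the Vault database role (step 03), the least-privilege policy and Kubernetes auth role (step 01), and the Vault Agent template that puts the dynamic user into PgBouncer's upstream connection string while Nextcloud keeps authenticating with its static user (step 02). Only `nextcloud-role` comes from the page; the namespace `nextcloud`, ServiceAccount `pgbouncer`, policy `pgbouncer-db`, database mount `database`, connection name `nextcloud`, PostgreSQL service `postgres.nextcloud.svc`, and the assumption that the dynamic user is granted membership in the existing `nextcloud` PostgreSQL role are all mine. The `vault` writes run only with `APPLY=1`, so the rest can be read and rendered without a cluster.

```shell
#!/bin/sh
# Added example (not the page's configuration). Assumed names: namespace
# "nextcloud", ServiceAccount "pgbouncer", policy "pgbouncer-db", mount
# "database", connection "nextcloud", service "postgres.nextcloud.svc".
set -eu

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"

# Step 03: the Vault role that serves as the template. Vault fills in
# {{name}}, {{password}} and {{expiration}} per lease; VALID UNTIL is what
# shows up as "valid until ..." in \du. TTLs match the page: 1h, max 24h.
# Granting membership in the existing "nextcloud" role is an assumption;
# revocation uses Vault's PostgreSQL defaults (revoke privileges, drop role).
render_db_role() {
  cat > "$OUT_DIR/nextcloud-role.json" <<'EOF'
{
  "db_name": "nextcloud",
  "default_ttl": "1h",
  "max_ttl": "24h",
  "creation_statements": [
    "CREATE ROLE \"{{name}}\" WITH LOGIN PASSWORD '{{password}}' VALID UNTIL '{{expiration}}';",
    "GRANT nextcloud TO \"{{name}}\";"
  ]
}
EOF
}

# Step 01: the policy PgBouncer's Kubernetes identity receives. It can only
# request credentials for this one role and renew the leases it holds.
render_policy() {
  cat > "$OUT_DIR/pgbouncer-db.hcl" <<'EOF'
path "database/creds/nextcloud-role" {
  capabilities = ["read"]
}
path "sys/leases/renew" {
  capabilities = ["update"]
}
EOF
}

# Step 01 + 02: Vault Agent sidecar config. auto_auth logs in with the pod's
# ServiceAccount token; the template stanza re-renders pgbouncer.ini whenever
# the lease rotates and reloads PgBouncer with SIGHUP.
render_agent_config() {
  cat > "$OUT_DIR/agent.hcl" <<'EOF'
auto_auth {
  method "kubernetes" {
    mount_path = "auth/kubernetes"
    config = { role = "pgbouncer" }
  }
}
template {
  source      = "/vault/templates/pgbouncer.ini.ctmpl"
  destination = "/etc/pgbouncer/pgbouncer.ini"
  command     = "pkill -HUP pgbouncer"
}
EOF
}

# Step 02: the credential swap. Nextcloud authenticates to PgBouncer as the
# static "nextcloud" user (checked against auth_file); the [databases] entry
# makes the upstream connection with the dynamic user/password instead.
render_agent_template() {
  cat > "$OUT_DIR/pgbouncer.ini.ctmpl" <<'EOF'
[databases]
{{ with secret "database/creds/nextcloud-role" -}}
nextcloud = host=postgres.nextcloud.svc port=5432 dbname=nextcloud user={{ .Data.username }} password={{ .Data.password }}
{{- end }}

[pgbouncer]
listen_addr = 0.0.0.0
listen_port = 5432
auth_type = scram-sha-256
auth_file = /etc/pgbouncer/userlist.txt
EOF
}

# Vault-side writes; only run when APPLY=1 and a vault CLI is available.
apply_vault() {
  vault policy write pgbouncer-db "$OUT_DIR/pgbouncer-db.hcl"
  vault write auth/kubernetes/role/pgbouncer \
    bound_service_account_names=pgbouncer \
    bound_service_account_namespaces=nextcloud \
    token_policies=pgbouncer-db \
    token_ttl=1h
  vault write database/roles/nextcloud-role @"$OUT_DIR/nextcloud-role.json"
}

# Returns 0 when every rendered file carries the setting the page relies on.
check_rendered() {
  grep -q '"default_ttl": "1h"' "$OUT_DIR/nextcloud-role.json" &&
  grep -q 'VALID UNTIL' "$OUT_DIR/nextcloud-role.json" &&
  grep -q 'database/creds/nextcloud-role' "$OUT_DIR/pgbouncer-db.hcl" &&
  grep -q 'role = "pgbouncer"' "$OUT_DIR/agent.hcl" &&
  grep -q 'auth_file' "$OUT_DIR/pgbouncer.ini.ctmpl"
}

render_db_role
render_policy
render_agent_config
render_agent_template
check_rendered
echo "rendered to $OUT_DIR"
if [ "${APPLY:-0}" = "1" ] && command -v vault >/dev/null 2>&1; then
  apply_vault
fi
```

Two design points are worth calling out. The policy grants read on exactly one `creds` path, so a compromised PgBouncer pod can mint credentials for this database and nothing else, and every credential it mints is visible in Vault's lease list and in `\du` with its `valid until` stamp. And because the `[databases]` entry, not the client, decides which PostgreSQL user the upstream session uses, Nextcloud's static password never reaches PostgreSQL at all; it only ever authenticates Nextcloud to PgBouncer.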
04 AUTO SSL
cert-manager automatically obtains and renews SSL certificates from Let's Encrypt, solving the http01 challenge through the Nginx ingress.
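Step 04 reduces to two manifests: a ClusterIssuer that tells cert-manager which ACME server to talk to and how to answer the http01 challenge, and an Ingress annotation that asks for a certificate. The script below is an added example, not the page's own manifests. The issuer name `letsencrypt-prod`, host `cloud.example.com`, contact address `admin@example.com`, namespace `nextcloud`, and the backing Service `nextcloud:80` are assumptions; the ACME directory URLs are Let's Encrypt's published production and staging endpoints. The solver uses the `ingressClassName` field, which older cert-manager releases spell `class`. `kubectl apply` runs only with `APPLY=1`.

```shell
#!/bin/sh
# Added example (not the page's manifests). Assumed names: issuer
# "letsencrypt-prod", namespace "nextcloud", host "cloud.example.com",
# contact "admin@example.com", backend Service "nextcloud" on port 80.
set -eu

OUT_DIR="${OUT_DIR:-$(mktemp -d)}"
ACME_EMAIL="${ACME_EMAIL:-admin@example.com}"
NEXTCLOUD_HOST="${NEXTCLOUD_HOST:-cloud.example.com}"

# Use Let's Encrypt's staging CA while testing the setup: its rate limits are
# generous, the production CA's are not, and a misconfigured solver burns them.
acme_server() {
  if [ "${1:-prod}" = "staging" ]; then
    echo "https://acme-staging-v02.api.letsencrypt.org/directory"
  else
    echo "https://acme-v02.api.letsencrypt.org/directory"
  fi
}

# ClusterIssuer: with the http01 solver, cert-manager publishes the challenge
# token through a temporary Ingress served by the Nginx ingress controller,
# so port 80 on the host must be reachable from the internet.
render_cluster_issuer() {
  cat > "$OUT_DIR/clusterissuer.yaml" <<EOF
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-prod
spec:
  acme:
    server: $(acme_server "${1:-prod}")
    email: $ACME_EMAIL
    privateKeySecretRef:
      name: letsencrypt-prod-account-key
    solvers:
      - http01:
          ingress:
            ingressClassName: nginx
EOF
}

# Ingress: the annotation makes cert-manager create a Certificate whose key
# and chain land in the TLS secret; renewal happens before expiry on its own.
render_ingress() {
  cat > "$OUT_DIR/nextcloud-ingress.yaml" <<EOF
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: nextcloud
  namespace: nextcloud
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
  ingressClassName: nginx
  tls:
    - hosts: [$NEXTCLOUD_HOST]
      secretName: nextcloud-tls
  rules:
    - host: $NEXTCLOUD_HOST
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: nextcloud
                port:
                  number: 80
EOF
}

render_cluster_issuer "${ACME_ENV:-prod}"
render_ingress
echo "rendered to $OUT_DIR"
if [ "${APPLY:-0}" = "1" ] && command -v kubectl >/dev/null 2>&1; then
  kubectl apply -f "$OUT_DIR/clusterissuer.yaml" -f "$OUT_DIR/nextcloud-ingress.yaml"
fi
```

Run it once with `ACME_ENV=staging APPLY=1` and confirm the Certificate reaches `Ready` before switching to production; the staging chain is untrusted by browsers, which is exactly why it is safe to iterate against.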