fly-apps / postgres-ha

Postgres + Stolon for HA clusters as Fly apps.

Add TLS support

davissp14 opened this issue · comments

Neither the Fly proxy nor HAProxy understands pgsql, which means we are not able to handle TLS termination in the same way we do for other apps. We need to decide whether to use something like Stunnel to handle termination or work to inject certificates as secrets and just have Postgres handle it.

If it's possible, I'd prefer to just show people how to set up a pgbouncer that does TLS termination and points at their postgres cluster. It makes a lot of sense to isolate public ports to a special pgbouncer vm!

We can also just not do this for quite some time.

Yeah, I think that could work. I think the big thing would be to ensure pgbouncer runs within the same regions as their Postgres app in order to accommodate reads.

commented

Is this a duplicate of #4?
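
The issue's opening point, that a proxy which does not speak pgsql cannot terminate TLS for Postgres, follows from the wire protocol: by default a client first sends an 8-byte cleartext SSLRequest and waits for a one-byte answer before any TLS ClientHello appears. The sketch below is an added example, not code from postgres-ha or Fly; the function names, the refusal policy and the sample bytes are constructed for illustration.

```python
import struct
from typing import Optional

# Request codes from the PostgreSQL frontend/backend protocol.
SSL_REQUEST = 80877103     # (1234 << 16) | 5679
GSSENC_REQUEST = 80877104  # (1234 << 16) | 5680
CANCEL_REQUEST = 80877102  # (1234 << 16) | 5678
PROTOCOL_3_0 = 196608      # 3 << 16: StartupMessage sent in cleartext


def classify_first_bytes(data: bytes) -> str:
    """Name what a client sent first on a fresh TCP connection."""
    # TLS record header: content type 0x16 (handshake), major version 0x03,
    # two length bytes, then handshake type 0x01 (ClientHello).
    if len(data) >= 6 and data[0] == 0x16 and data[1] == 0x03 and data[5] == 0x01:
        return "tls-client-hello"
    if len(data) < 8:
        return "incomplete"
    length, code = struct.unpack("!II", data[:8])
    if code == SSL_REQUEST and length == 8:
        return "pg-ssl-request"
    if code == GSSENC_REQUEST and length == 8:
        return "pg-gssenc-request"
    if code == CANCEL_REQUEST and length == 16:
        return "pg-cancel-request"
    if code == PROTOCOL_3_0:
        return "pg-cleartext-startup"
    return "unknown"


def terminator_reply(data: bytes) -> Optional[bytes]:
    """Hypothetical policy for a pgsql-aware TLS terminator on a public port.

    Returns the single byte to send before the TLS handshake, or None to
    close the connection without answering.
    """
    kind = classify_first_bytes(data)
    if kind == "pg-ssl-request":
        return b"S"  # agree; the TLS handshake starts right after this byte
    if kind == "pg-gssenc-request":
        return b"N"  # GSSAPI encryption not offered; client may send SSLRequest
    return None      # cleartext startup or anything else: refuse


# Constructed sample inputs (not captured traffic).
SAMPLE_SSL_REQUEST = struct.pack("!II", 8, SSL_REQUEST)
_params = b"user\x00app\x00database\x00app\x00\x00"
SAMPLE_CLEARTEXT_STARTUP = struct.pack("!II", 8 + len(_params), PROTOCOL_3_0) + _params
SAMPLE_TLS_HELLO = bytes([0x16, 0x03, 0x01, 0x00, 0x04, 0x01, 0x00, 0x00, 0x00])
```

A terminator that only recognizes the `tls-client-hello` case sees the SSLRequest as non-TLS bytes, which is why the thread turns to Stunnel, pgbouncer, or Postgres itself for termination.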