pgAgroal Enterprise · How-to
Collect a support bundle
The support collector builds a redacted diagnostic bundle for Enterprise support, so an incident can be diagnosed without telemetry and without hand-copying logs. It collects locally and writes a .tar.gz that you hand over — nothing is sent anywhere.
What it collects
Each item below is redacted before it is written into the bundle:
- Runtime metadata and environment, with credential-like env values redacted.
- pgagroal config and HBA (
/etc/pgagroal), with passwords removed. - A pgagroal metrics snapshot.
- Control-plane state when reachable:
/fleet,/fleet/health,/drift, and/metrics. - Audit-verification output (
audit-verify).
The redaction guarantee
Redaction is not optional and runs before anything reaches the tarball. It strips passwords in URLs and DSNs (rewriting them to user:****@) and the values of credential-like keys such as PG_PASSWORD=, password:, and api_key=. This behaviour is covered by unit tests.
The bundle is plain text and JSON throughout, so you can inspect every file before sending it — verify the redaction yourself rather than trusting it blind.
Run the collector
Point the collector at your metrics and control-plane endpoints and run support from inside the Enterprise image:
PGAGROAL_METRICS_URL=http://pg1:2346/metrics \
PGAGROAL_CP_URL=http://control-plane:8443 \
support -out bundle.tar.gzRun it as a one-off in Kubernetes
Because support ships in the Enterprise image, it also runs as a one-off exec and the bundle is copied back out:
kubectl exec deploy/pg1 -- support -out /tmp/bundle.tar.gz && \
kubectl cp pg1:/tmp/bundle.tar.gz ./bundle.tar.gzInspect the bundle before sending it — every file is plain text or JSON inside the tarball.
Next steps
- Security and compliance — how redaction fits the broader audit-readiness posture.
- How to buy — get Enterprise support and hand the bundle to the support team.