diff --git a/kube/deploy/apps/authentik/app/hr.yaml b/kube/deploy/apps/authentik/app/hr.yaml
index 5c287e4e..68e97b0a 100644
--- a/kube/deploy/apps/authentik/app/hr.yaml
+++ b/kube/deploy/apps/authentik/app/hr.yaml
@@ -93,7 +93,7 @@ spec:
               AUTHENTIK_POSTGRESQL__SSLROOTCERT: &pgca /secrets/pg/ca.crt
               AUTHENTIK_SESSION_STORAGE: "db" # store sessions in PG than Redis
               # pgBouncer / Database Connection Health
-              AUTHENTIK_POSTGRESQL__CONN_MAX_AGE: &pgage "None" # if not using pgBouncer, maybe setting this to null for unlimited persistent connections is a good idea: connection slots limit can be reached with authentik
+              AUTHENTIK_POSTGRESQL__CONN_MAX_AGE: &pgage "60" # if not using pgBouncer, maybe setting this to null for unlimited persistent connections is a good idea: connection slots limit can be reached with authentik
               AUTHENTIK_POSTGRESQL__CONN_HEALTH_CHECKS: &pgcheck "true"
               # AUTHENTIK_POSTGRESQL__DISABLE_SERVER_SIDE_CURSORS: "true"
               # Read Replicas
diff --git a/kube/deploy/core/db/pg/clusters/template/crunchy.yaml b/kube/deploy/core/db/pg/clusters/template/crunchy.yaml
index 5472d65b..965309c8 100644
--- a/kube/deploy/core/db/pg/clusters/template/crunchy.yaml
+++ b/kube/deploy/core/db/pg/clusters/template/crunchy.yaml
@@ -172,9 +172,10 @@ spec:
   proxy:
     pgBouncer:
       port: 5432
-      replicas: 3
-      # config:
-      #   global:
+      replicas: ${PGBOUNCER_REPLICAS:=3}
+      config:
+        global:
+          track_extra_parameters: "IntervalStyle,search_path"
       #     pool_mode: "transaction"
       resources:
         requests: