diff --git a/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml b/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml index d0891d05b..10910db1f 100644 --- a/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml +++ b/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml @@ -40,9 +40,19 @@ spec: description: PostgresClusterSpec defines the desired state of PostgresCluster properties: authentication: + description: Authentication settings for the PostgreSQL server properties: rules: - description: 'More info: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html' + description: |- + Postgres compares every new connection to these rules in the order they are + defined. The first rule that matches determines if and how the connection + must then authenticate. Connections that match no rules are disconnected. + + When this is omitted or empty, Postgres accepts encrypted connections to any + database from users that have a password. To refuse all network connections, + set this to one rule that matches "host" connections to the "reject" method. + + More info: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html items: properties: connection: @@ -79,6 +89,7 @@ spec: description: |- The authentication method to use when a connection matches this rule. The special value "reject" refuses connections that match this rule. + More info: https://www.postgresql.org/docs/current/auth-methods.html maxLength: 20 minLength: 1 @@ -93,6 +104,8 @@ spec: - type: integer - type: string x-kubernetes-int-or-string: true + description: Additional settings for this rule or its authentication + method. maxProperties: 20 type: object x-kubernetes-map-type: atomic @@ -4447,6 +4460,7 @@ spec: type: object type: object config: + description: General configuration of the PostgreSQL server properties: files: description: Files to mount under "/etc/postgres". 
diff --git a/internal/pgbackrest/reconcile_test.go b/internal/pgbackrest/reconcile_test.go index 0c9aece2b..6104a4e2a 100644 --- a/internal/pgbackrest/reconcile_test.go +++ b/internal/pgbackrest/reconcile_test.go @@ -522,7 +522,7 @@ func TestAddConfigToRestorePod(t *testing.T) { custom.Name = "custom-configmap-files" cluster := cluster.DeepCopy() - cluster.Spec.Config = &v1beta1.PostgresConfig{ + cluster.Spec.Config = &v1beta1.PostgresConfigSpec{ Files: []corev1.VolumeProjection{ {ConfigMap: &custom}, }, diff --git a/internal/testing/validation/postgrescluster_test.go b/internal/testing/validation/postgrescluster_test.go index 18a17de06..9bc0b662b 100644 --- a/internal/testing/validation/postgrescluster_test.go +++ b/internal/testing/validation/postgrescluster_test.go @@ -252,7 +252,7 @@ func TestPostgresConfigParameters(t *testing.T) { t.Run("Valid", func(t *testing.T) { cluster := base.DeepCopy() - cluster.Spec.Config = &v1beta1.PostgresConfig{ + cluster.Spec.Config = &v1beta1.PostgresConfigSpec{ Parameters: map[string]intstr.IntOrString{ "wal_level": intstr.FromString("logical"), }, @@ -263,7 +263,7 @@ func TestPostgresConfigParameters(t *testing.T) { t.Run("Invalid", func(t *testing.T) { cluster := base.DeepCopy() - cluster.Spec.Config = &v1beta1.PostgresConfig{ + cluster.Spec.Config = &v1beta1.PostgresConfigSpec{ Parameters: map[string]intstr.IntOrString{ "wal_level": intstr.FromString("minimal"), }, diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgres_types.go b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgres_types.go index 8f950dbfa..29fd492e5 100644 --- a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgres_types.go +++ b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgres_types.go 
@@ -10,6 +10,14 @@ import ( ) type PostgresAuthenticationSpec struct { + // Postgres compares every new connection to these rules in the order they are + // defined. The first rule that matches determines if and how the connection + // must then authenticate. Connections that match no rules are disconnected. + // + // When this is omitted or empty, Postgres accepts encrypted connections to any + // database from users that have a password. To refuse all network connections, + // set this to one rule that matches "host" connections to the "reject" method. + // // More info: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html // --- // +kubebuilder:validation:MaxItems=10 @@ -18,7 +26,7 @@ type PostgresAuthenticationSpec struct { Rules []PostgresHBARuleSpec `json:"rules,omitempty"` } -type PostgresConfig struct { +type PostgresConfigSpec struct { // Files to mount under "/etc/postgres". // --- // +optional @@ -99,6 +107,7 @@ type PostgresHBARule struct { // The authentication method to use when a connection matches this rule. // The special value "reject" refuses connections that match this rule. + // // More info: https://www.postgresql.org/docs/current/auth-methods.html // --- // +kubebuilder:validation:MinLength=1 @@ -108,6 +117,7 @@ type PostgresHBARule struct { // +optional Method string `json:"method,omitempty"` + // Additional settings for this rule or its authentication method. // --- // +kubebuilder:validation:MaxProperties=20 // +mapType=atomic diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgrescluster_types.go b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgrescluster_types.go index 4d3be247f..59029958f 100644 --- a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgrescluster_types.go +++ b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgrescluster_types.go 
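Review bot: The new doc comment on `Rules` says connections matching no rule are disconnected and suggests a single `host … reject` rule to refuse all network connections, but it does not say whether the operator still places its own entries (replication, internal users) before or after these rules; that ordering decides both whether a lone `reject` rule breaks the cluster's own clients and whether a user-supplied permissive rule such as `host all all trust` can shadow the operator's defaults, since first match wins. The rendering of these rules into pg_hba.conf is not in this diff, so I am inferring that such entries exist; if they do, state it here, e.g. `// The operator adds its own rules for replication and internal users; these rules are evaluated [before|after] them.` The default-behavior sentence ("accepts encrypted connections to any database from users that have a password") should likewise name the method actually generated (for example scram-sha-256) so readers can judge the baseline. The `Options` comment added further down would also benefit from saying that keys and values are presumably written into the pg_hba.conf line as given, so a malformed option can make Postgres reject the file.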
@@ -21,6 +21,7 @@ type PostgresClusterSpec struct { // +optional DataSource *DataSource `json:"dataSource,omitempty"` + // Authentication settings for the PostgreSQL server // +optional Authentication *PostgresAuthenticationSpec `json:"authentication,omitempty"` @@ -28,8 +29,9 @@ type PostgresClusterSpec struct { // +optional Backups Backups `json:"backups,omitempty"` + // General configuration of the PostgreSQL server // +optional - Config *PostgresConfig `json:"config,omitempty"` + Config *PostgresConfigSpec `json:"config,omitempty"` // The secret containing the Certificates and Keys to encrypt PostgreSQL // traffic will need to contain the server TLS certificate, TLS key and the diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/zz_generated.deepcopy.go b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/zz_generated.deepcopy.go index 58281cb92..8ee494d5f 100644 --- a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/zz_generated.deepcopy.go +++ b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/zz_generated.deepcopy.go @@ -2019,7 +2019,7 @@ func (in *PostgresClusterSpec) DeepCopyInto(out *PostgresClusterSpec) { in.Backups.DeepCopyInto(&out.Backups) if in.Config != nil { in, out := &in.Config, &out.Config - *out = new(PostgresConfig) + *out = new(PostgresConfigSpec) (*in).DeepCopyInto(*out) } if in.CustomTLSSecret != nil { @@ -2191,7 +2191,7 @@ func (in *PostgresClusterStatus) DeepCopy() *PostgresClusterStatus { } // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil. -func (in *PostgresConfig) DeepCopyInto(out *PostgresConfig) { +func (in *PostgresConfigSpec) DeepCopyInto(out *PostgresConfigSpec) { *out = *in if in.Files != nil { in, out := &in.Files, &out.Files 
@@ -2209,12 +2209,12 @@ func (in *PostgresConfig) DeepCopyInto(out *PostgresConfig) { } } -// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgresConfig. -func (in *PostgresConfig) DeepCopy() *PostgresConfig { +// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new PostgresConfigSpec. +func (in *PostgresConfigSpec) DeepCopy() *PostgresConfigSpec { if in == nil { return nil } - out := new(PostgresConfig) + out := new(PostgresConfigSpec) in.DeepCopyInto(out) return out }