Skip to content

K8SPG-873 support Authenticating Against a TLS-enabled LDAP Server #1456

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
gkech wants to merge 7 commits into
base: main
Choose a base branch
from
+5,142 −80
Open

K8SPG-873 support Authenticating Against a TLS-enabled LDAP Server #1456

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
7 commits
Select commit Hold shift + click to select a range
90e807a
K8SPG-873 support Authenticating Against a TLS-enabled LDAP Server (l…
gkech Feb 20, 2026
2034c06
remove old config file
gkech Feb 20, 2026
7aeeeb4
generate new crds
gkech Feb 20, 2026
377a60d
add e2e test
gkech Feb 20, 2026
91ea225
e2e test for ldap with tls + fix unit test
gkech Feb 20, 2026
76bc563
fix unit test
gkech Feb 20, 2026
1fc219e
make ldap test more ok when secrets etc are not created at the right …
gkech Feb 20, 2026
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
105 changes: 105 additions & 0 deletions build/crd/crunchy/generated/postgres-operator.crunchydata.com_postgresclusters.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -39,6 +39,61 @@ spec:
spec:
description: PostgresClusterSpec defines the desired state of PostgresCluster
properties:
authentication:
description: |-
Defines additional authentication rules for PostgreSQL host-based
authentication (pg_hba.conf). Rules added here are applied after any
mandatory rules and before the default scram-sha-256 fallback.
properties:
rules:
description: |-
Rules to include in pg_hba.conf. They are evaluated after mandatory
operator rules and before the default scram-sha-256 fallback.
items:
description: |-
PostgresAuthenticationRule defines a single pg_hba.conf entry. Use either
the structured fields or the raw HBA line, not both.
properties:
connection:
description: 'Connection type: local, host, hostssl, hostnossl,
hostgssenc, hostnogssenc.'
type: string
databases:
description: Databases to match. An empty list matches all
databases.
items:
type: string
type: array
hba:
description: |-
A raw pg_hba.conf line. When non-empty, this line is used as-is and the
structured fields are ignored.
type: string
method:
description: Authentication method to use when a connection
matches this rule.
type: string
options:
additionalProperties:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
description: Options for the authentication method (e.g.
ldapserver, ldapport).
type: object
users:
description: Users to match. An empty list matches all users.
items:
type: string
type: array
required:
- connection
- method
type: object
type: array
x-kubernetes-list-type: atomic
type: object
backups:
description: PostgreSQL backup configuration
properties:
Expand Down Expand Up @@ -7387,6 +7442,7 @@ spec:
config:
properties:
files:
description: Files to mount under "/etc/postgres".
items:
description: |-
Projection that may be projected along with other supported volume types.
Expand Down Expand Up @@ -7828,6 +7884,55 @@ spec:
type: object
type: object
type: array
parameters:
additionalProperties:
anyOf:
- type: integer
- type: string
x-kubernetes-int-or-string: true
description: |-
Configuration parameters for the PostgreSQL server. Some values will
be reloaded without validation and some cause PostgreSQL to restart.
Some values cannot be changed at all.
More info: https://www.postgresql.org/docs/current/runtime-config.html
maxProperties: 50
type: object
x-kubernetes-map-type: granular
x-kubernetes-validations:
- message: 'cannot change PGDATA path: config_file, data_directory'
rule: '!has(self.config_file) && !has(self.data_directory)'
- message: cannot change external_pid_file
rule: '!has(self.external_pid_file)'
- message: 'cannot change authentication path: hba_file, ident_file'
rule: '!has(self.hba_file) && !has(self.ident_file)'
- message: 'network connectivity is always enabled: listen_addresses'
rule: '!has(self.listen_addresses)'
- message: change port using .spec.port instead
rule: '!has(self.port)'
- message: TLS is always enabled
rule: '!has(self.ssl) && !self.exists(k, k.startsWith("ssl_")
&& !(k == ''ssl_groups'' || k == ''ssl_ecdh_curve''))'
- message: domain socket paths cannot be changed
rule: '!self.exists(k, k.startsWith("unix_socket_"))'
- message: wal_level must be "replica" or higher
rule: '!has(self.wal_level) || self.wal_level in ["logical"]'
- message: wal_log_hints are always enabled
rule: '!has(self.wal_log_hints)'
- rule: '!has(self.archive_mode) && !has(self.archive_command)
&& !has(self.restore_command)'
- rule: '!has(self.recovery_target) && !self.exists(k, k.startsWith("recovery_target_"))'
- message: hot_standby is always enabled
rule: '!has(self.hot_standby)'
- rule: '!has(self.synchronous_standby_names)'
- rule: '!has(self.primary_conninfo) && !has(self.primary_slot_name)'
- message: delayed replication is not supported at this time
rule: '!has(self.recovery_min_apply_delay)'
- message: cluster_name is derived from the PostgresCluster name
rule: '!has(self.cluster_name)'
- message: disabling logging_collector is unsafe
rule: '!has(self.logging_collector)'
- message: log_file_mode cannot be changed
rule: '!has(self.log_file_mode)'
type: object
customReplicationTLSSecret:
description: |-
Expand Down
Loading
Loading