K8SPG-554: add .spec.tlsOnly field (#998)

pooknull · hors · web-flow · commit 95b23639d43e · 2025-01-15T15:36:42.000+02:00
https://perconadev.atlassian.net/browse/K8SPG-554 Co-authored-by: Viacheslav Sarzhan <slava.sarzhan@percona.com>
diff --git a/build/crd/crunchy/generated/postgres-operator.crunchydata.com_postgresclusters.yaml b/build/crd/crunchy/generated/postgres-operator.crunchydata.com_postgresclusters.yaml
@@ -17756,6 +17756,8 @@ spec:
                   format: int64
                   type: integer
                 type: array
+              tlsOnly:
+                type: boolean
               userInterface:
                 description: The specification of a user interface that connects to
                   PostgreSQL.
diff --git a/build/crd/percona/generated/pgv2.percona.com_perconapgclusters.yaml b/build/crd/percona/generated/pgv2.percona.com_perconapgclusters.yaml
@@ -17427,6 +17427,8 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tlsOnly:
+                type: boolean
               unmanaged:
                 description: |-
                   Suspends the rollout and reconciliation of changes made to the
diff --git a/config/crd/bases/pgv2.percona.com_perconapgclusters.yaml b/config/crd/bases/pgv2.percona.com_perconapgclusters.yaml
@@ -17833,6 +17833,8 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tlsOnly:
+                type: boolean
               unmanaged:
                 description: |-
                   Suspends the rollout and reconciliation of changes made to the
diff --git a/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml b/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml
@@ -17667,6 +17667,8 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tlsOnly:
+                type: boolean
               userInterface:
                 description: The specification of a user interface that connects to
                   PostgreSQL.
diff --git a/deploy/bundle.yaml b/deploy/bundle.yaml
@@ -18126,6 +18126,8 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tlsOnly:
+                type: boolean
               unmanaged:
                 description: |-
                   Suspends the rollout and reconciliation of changes made to the
@@ -43350,6 +43352,8 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tlsOnly:
+                type: boolean
               userInterface:
                 description: The specification of a user interface that connects to
                   PostgreSQL.
diff --git a/deploy/cr.yaml b/deploy/cr.yaml
@@ -24,6 +24,7 @@ spec:
 #      name: cluster1-cert
 #    customReplicationTLSSecret:
 #      name: replication1-cert
+#  tlsOnly: false
 
 #  standby:
 #    enabled: true
diff --git a/deploy/crd.yaml b/deploy/crd.yaml
@@ -18126,6 +18126,8 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tlsOnly:
+                type: boolean
               unmanaged:
                 description: |-
                   Suspends the rollout and reconciliation of changes made to the
@@ -43350,6 +43352,8 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tlsOnly:
+                type: boolean
               userInterface:
                 description: The specification of a user interface that connects to
                   PostgreSQL.
diff --git a/deploy/cw-bundle.yaml b/deploy/cw-bundle.yaml
@@ -18126,6 +18126,8 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tlsOnly:
+                type: boolean
               unmanaged:
                 description: |-
                   Suspends the rollout and reconciliation of changes made to the
@@ -43350,6 +43352,8 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tlsOnly:
+                type: boolean
               userInterface:
                 description: The specification of a user interface that connects to
                   PostgreSQL.
diff --git a/internal/controller/postgrescluster/controller.go b/internal/controller/postgrescluster/controller.go
@@ -235,6 +235,16 @@ func (r *Reconciler) Reconcile(
 	pgmonitor.PostgreSQLHBAs(cluster, &pgHBAs)
 	pgbouncer.PostgreSQL(cluster, &pgHBAs)
 
+	// K8SPG-554
+	if cluster.Spec.TLSOnly {
+		for i := range pgHBAs.Mandatory {
+			pgHBAs.Mandatory[i].TLSOnly()
+		}
+		for i := range pgHBAs.Default {
+			pgHBAs.Default[i].TLSOnly()
+		}
+	}
+
 	pgParameters := postgres.NewParameters()
 	// K8SPG-375
 	if cluster.Spec.Extensions.PGStatMonitor {
diff --git a/internal/postgres/hba.go b/internal/postgres/hba.go
@@ -135,6 +135,13 @@ func (hba *HostBasedAuthentication) TLS() *HostBasedAuthentication {
 	return hba
 }
 
+func (hba *HostBasedAuthentication) TLSOnly() *HostBasedAuthentication {
+	if hba.origin == "host" || hba.origin == "hostnossl" {
+		hba.origin = "hostssl"
+	}
+	return hba
+}
+
 // TCP makes hba match connection attempts made using TCP/IP, with or without SSL.
 func (hba *HostBasedAuthentication) TCP() *HostBasedAuthentication {
 	hba.origin = "host"
diff --git a/pkg/apis/pgv2.percona.com/v2/perconapgcluster_types.go b/pkg/apis/pgv2.percona.com/v2/perconapgcluster_types.go
@@ -76,6 +76,8 @@ type PerconaPGClusterSpec struct {
 	// +optional
 	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 
+	TLSOnly bool `json:"tlsOnly,omitempty"`
+
 	// The port on which PostgreSQL should listen.
 	// +optional
 	// +kubebuilder:default=5432
@@ -354,6 +356,8 @@ func (cr *PerconaPGCluster) ToCrunchy(ctx context.Context, postgresCluster *crun
 	postgresCluster.Spec.Extensions.PGAudit = *cr.Spec.Extensions.BuiltIn.PGAudit
 	postgresCluster.Spec.Extensions.PGVector = *cr.Spec.Extensions.BuiltIn.PGVector
 
+	postgresCluster.Spec.TLSOnly = cr.Spec.TLSOnly
+
 	return postgresCluster, nil
 }
 
diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgrescluster_types.go b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgrescluster_types.go
@@ -49,6 +49,8 @@ type PostgresClusterSpec struct {
 	// +optional
 	CustomTLSSecret *corev1.SecretProjection `json:"customTLSSecret,omitempty"`
 
+	TLSOnly bool `json:"tlsOnly,omitempty"`
+
 	// The secret containing the replication client certificates and keys for
 	// secure connections to the PostgreSQL server. It will need to contain the
 	// client TLS certificate, TLS key and the Certificate Authority certificate
