K8SPG-554: add .spec.tlsOnly field

build/crd/crunchy/generated/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -17756,6 +17756,8 @@ spec:
                   format: int64
                   type: integer
                 type: array
+              tlsOnly:
+                type: boolean
               userInterface:
                 description: The specification of a user interface that connects to
                   PostgreSQL.

build/crd/percona/generated/pgv2.percona.com_perconapgclusters.yaml

@@ -17427,6 +17427,8 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tlsOnly:
+                type: boolean
               unmanaged:
                 description: |-
                   Suspends the rollout and reconciliation of changes made to the

config/crd/bases/pgv2.percona.com_perconapgclusters.yaml

@@ -17833,6 +17833,8 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tlsOnly:
+                type: boolean
               unmanaged:
                 description: |-
                   Suspends the rollout and reconciliation of changes made to the

config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -17667,6 +17667,8 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tlsOnly:
+                type: boolean
               userInterface:
                 description: The specification of a user interface that connects to
                   PostgreSQL.

deploy/bundle.yaml

@@ -18126,6 +18126,8 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tlsOnly:
+                type: boolean
               unmanaged:
                 description: |-
                   Suspends the rollout and reconciliation of changes made to the
@@ -43350,6 +43352,8 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tlsOnly:
+                type: boolean
               userInterface:
                 description: The specification of a user interface that connects to
                   PostgreSQL.

deploy/cr.yaml

@@ -24,6 +24,7 @@ spec:
 #      name: cluster1-cert
 #    customReplicationTLSSecret:
 #      name: replication1-cert
+#  tlsOnly: false
 
 #  standby:
 #    enabled: true

deploy/crd.yaml

@@ -18126,6 +18126,8 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tlsOnly:
+                type: boolean
               unmanaged:
                 description: |-
                   Suspends the rollout and reconciliation of changes made to the
@@ -43350,6 +43352,8 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tlsOnly:
+                type: boolean
               userInterface:
                 description: The specification of a user interface that connects to
                   PostgreSQL.

deploy/cw-bundle.yaml

@@ -18126,6 +18126,8 @@ spec:
                     pattern: ^repo[1-4]
                     type: string
                 type: object
+              tlsOnly:
+                type: boolean
               unmanaged:
                 description: |-
                   Suspends the rollout and reconciliation of changes made to the
@@ -43350,6 +43352,8 @@ spec:
                   minimum: 1
                   type: integer
                 type: array
+              tlsOnly:
+                type: boolean
               userInterface:
                 description: The specification of a user interface that connects to
                   PostgreSQL.

internal/controller/postgrescluster/controller.go

@@ -235,6 +235,16 @@ func (r *Reconciler) Reconcile(
 	pgmonitor.PostgreSQLHBAs(cluster, &pgHBAs)
 	pgbouncer.PostgreSQL(cluster, &pgHBAs)
 
+	// K8SPG-554
+	if cluster.Spec.TLSOnly {
+		for i := range pgHBAs.Mandatory {
+			pgHBAs.Mandatory[i].TLSOnly()
+		}
+		for i := range pgHBAs.Default {
+			pgHBAs.Default[i].TLSOnly()
+		}
+	}
+
 	pgParameters := postgres.NewParameters()
 	// K8SPG-375
 	if cluster.Spec.Extensions.PGStatMonitor {

internal/postgres/hba.go

@@ -135,6 +135,13 @@ func (hba *HostBasedAuthentication) TLS() *HostBasedAuthentication {
 	return hba
 }
 
+func (hba *HostBasedAuthentication) TLSOnly() *HostBasedAuthentication {
+	if hba.origin == "host" || hba.origin == "hostnossl" {
+		hba.origin = "hostssl"
+	}
+	return hba
+}
+
 // TCP makes hba match connection attempts made using TCP/IP, with or without SSL.
 func (hba *HostBasedAuthentication) TCP() *HostBasedAuthentication {
 	hba.origin = "host"

pkg/apis/pgv2.percona.com/v2/perconapgcluster_types.go

@@ -76,6 +76,8 @@ type PerconaPGClusterSpec struct {
 	// +optional
 	ImagePullSecrets []corev1.LocalObjectReference `json:"imagePullSecrets,omitempty"`
 
+	TLSOnly bool `json:"tlsOnly,omitempty"`
+
 	// The port on which PostgreSQL should listen.
 	// +optional
 	// +kubebuilder:default=5432
@@ -354,6 +356,8 @@ func (cr *PerconaPGCluster) ToCrunchy(ctx context.Context, postgresCluster *crun
 	postgresCluster.Spec.Extensions.PGAudit = *cr.Spec.Extensions.BuiltIn.PGAudit
 	postgresCluster.Spec.Extensions.PGVector = *cr.Spec.Extensions.BuiltIn.PGVector
 
+	postgresCluster.Spec.TLSOnly = cr.Spec.TLSOnly
+
 	return postgresCluster, nil
 }
 

pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgrescluster_types.go

@@ -49,6 +49,8 @@ type PostgresClusterSpec struct {
 	// +optional
 	CustomTLSSecret *corev1.SecretProjection `json:"customTLSSecret,omitempty"`
 
+	TLSOnly bool `json:"tlsOnly,omitempty"`
+
 	// The secret containing the replication client certificates and keys for
 	// secure connections to the PostgreSQL server. It will need to contain the
 	// client TLS certificate, TLS key and the Certificate Authority certificate