Skip to content

feat: switch to include directives in pg_hba #1765

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 10 commits into
base: develop
Choose a base branch
from
Open

feat: switch to include directives in pg_hba #1765

wants to merge 10 commits into from

Conversation

staaldraad
Copy link
Member

@staaldraad staaldraad commented Aug 15, 2025
edited
Loading

Using include directives makes changing the pg_hba.conf on the fly more flexible. Enabling / disabling ssl enforcement for example only requires creating or removing a file, leaving the pg_hba.conf untouched. Allowing for more repeatable and stable processes and no need for regex based replace or custom parsers.

This will also support the just-in-time access work by allowing jit to be dynamically enabled/disabled

⚠️ do not merge yet: requires admin-api update, otherwise ssl enforcement enable/disable will stop functioning

The required admin-api update is included as v0.88.0 added to ansible/vars.yml

@staaldraad
Copy link
Member Author

Requires pg16+

@staaldraad staaldraad force-pushed the etienne/sec-493-switch-pg_hba-to-use-include-directive branch from e258813 to 6d11c7d Compare August 19, 2025 07:54
@staaldraad staaldraad marked this pull request as ready for review August 26, 2025 12:52
@staaldraad staaldraad requested review from a team as code owners August 26, 2025 12:52
hunleyd
hunleyd requested changes Aug 27, 2025
View reviewed changes
@staaldraad staaldraad force-pushed the etienne/sec-493-switch-pg_hba-to-use-include-directive branch from 7b62c4f to 641951d Compare August 27, 2025 14:08
@staaldraad staaldraad requested a review from hunleyd August 27, 2025 18:57
@staaldraad staaldraad mentioned this pull request Aug 29, 2025
Open
hunleyd
hunleyd previously requested changes Sep 3, 2025
View reviewed changes
Copy link
Contributor

@hunleyd hunleyd left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

lgtm, minus the conflict

@staaldraad
feat: switch to include directives in pg_hba
1d88591 
Using include directives makes changing the pg_hba.conf on the fly more
flexible. Enabling / disabling ssl enforcement for example only requires
creating or removing a file, leaving the pg_hba.conf untouched. Allowing
for more repeatable and stable processes and no need for regex based
replace or custom parsers.

This will also support the just-in-time access work by allowing jit to
be dynamically enabled/disabled
@staaldraad
chore: postgres 15 doesnt support include directive
ed4afad
@staaldraad
chore: version checks
444e001
@staaldraad
chore: check version by name
9d71b5f
@staaldraad
chore: include lib
91080c2
@staaldraad
chore: set active version
fe04fca
@staaldraad
chore: fix run-server to be pg_hba version aware
ce68399
@staaldraad
chore: patch ansible playbook for psql_15
845208f
@staaldraad
chore: pg_hba must have newline
9490f95
@staaldraad
chore: rebase and use block for condition
9a840bf
@staaldraad staaldraad force-pushed the etienne/sec-493-switch-pg_hba-to-use-include-directive branch from 641951d to 9a840bf Compare September 8, 2025 08:27
@staaldraad staaldraad dismissed hunleyd’s stale review September 8, 2025 11:11

conflict resolved and rebased to use latest admin_api and admin_mgr as introduced by #1780

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@hunleyd hunleyd hunleyd left review comments

At least 1 approving review is required to merge this pull request.

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@staaldraad @hunleyd