pg_hba validation #1855

Draft
limak9182 wants to merge 7 commits into feature/database-controllers from feature/pg_hba-validation
limak9182 commented Apr 20, 2026

Description

Adds admission webhook validation for pg_hba.conf rules on PostgresCluster and PostgresClusterClass resources. Catches invalid rules at admission time instead of letting them propagate to the underlying PostgreSQL cluster where they'd cause runtime failures.

Key Changes

  • pkg/postgresql/cluster/core/hba.go — Core validation engine with layered checks: connection type → field count → auth method → address/netmask. Handles comment stripping, quote-aware tokenization, CIDR, IP+netmask, hostname, and special keywords.
  • pkg/postgresql/cluster/core/hba_test.go — Comprehensive unit tests covering valid rules, each error layer independently, and edge cases (IPv6, auth options, inline comments, quoted values).
  • pkg/splunk/enterprise/validation/postgrescluster_validation.go — Webhook validator for spec.pgHBA on PostgresCluster CREATE/UPDATE.
  • pkg/splunk/enterprise/validation/postgresclusterclass_validation.go — Webhook validator for spec.config.pgHBA on PostgresClusterClass CREATE/UPDATE.
  • pkg/splunk/enterprise/validation/registry.go — Registers both new validators in DefaultValidators.

Testing and Verification

  • Unit tests for all validation layers (connection type, field count, auth method, address/CIDR/netmask)
  • Webhook integration tests verifying correct field.ErrorList paths (spec.pgHBA, spec.config.pgHBA)
  • Tests cover valid rules, single-field errors, multi-error accumulation, and edge cases (comments, quoted auth options, IPv6)
  • All tests pass locally: go test ./pkg/postgresql/cluster/core/... ./pkg/splunk/enterprise/validation/...

Related Issues

CPI-1846

PR Checklist

  • Code changes adhere to the project's coding standards.
  • Relevant unit and integration tests are included.
  • Documentation has been updated accordingly.
  • All tests pass locally.
  • The PR description follows the project's guidelines.
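
The layered order described under Key Changes (connection type → field count → auth method → address/netmask), as an added example that is not the PR's hba.go. The name checkHBARule, the auth-method subset, plain whitespace tokenization and returning only the first failure are assumptions of this example.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Assumed subsets for illustration; PostgreSQL accepts more auth methods than listed.
var connTypes = map[string]bool{"local": true, "host": true, "hostssl": true, "hostnossl": true}
var authMethods = map[string]bool{"trust": true, "reject": true, "md5": true, "scram-sha-256": true, "peer": true, "cert": true}

// checkHBARule (hypothetical name) applies the layers in order and returns the first failure.
func checkHBARule(line string) error {
	if i := strings.IndexByte(line, '#'); i >= 0 {
		line = line[:i] // comment stripping; a '#' inside quotes is out of scope here
	}
	f := strings.Fields(line)
	if len(f) == 0 {
		return nil // blank or comment-only line
	}
	if !connTypes[f[0]] { // layer 1: connection type
		return fmt.Errorf("connection type: unknown %q", f[0])
	}
	m := 4 // index of the auth method for host* rules with a CIDR, hostname or keyword
	if f[0] == "local" {
		m = 3 // local rules have no address column
	} else if len(f) > 3 && net.ParseIP(f[3]) != nil {
		m = 5 // a bare IP must be followed by a separate netmask column
	}
	if len(f) <= m { // layer 2: field count
		return fmt.Errorf("field count: need at least %d fields, got %d", m+1, len(f))
	}
	if !authMethods[f[m]] { // layer 3: auth method
		return fmt.Errorf("auth method: unknown %q", f[m])
	}
	_, _, cidrErr := net.ParseCIDR(f[3])
	switch { // layer 4: address and netmask
	case f[0] == "local", f[3] == "all", f[3] == "samehost", f[3] == "samenet":
		return nil
	case m == 5 && net.ParseIP(f[4]) == nil:
		return fmt.Errorf("address: invalid netmask %q", f[4])
	case m == 4 && strings.Contains(f[3], "/") && cidrErr != nil:
		return fmt.Errorf("address: invalid CIDR %q", f[3])
	}
	return nil // anything else is treated as a hostname
}

func main() { fmt.Println(checkHBARule("host all all 10.0.0.0/33 md5")) } // constructed rule
```

A bare IP with no netmask column ("host all all 192.168.1.10 md5") is reported at the field-count layer, because the method is then expected one column later.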

@github-actions
Contributor

CLA Assistant Lite bot:
Thank you for your submission, we really appreciate it. Like many open-source projects, we ask that you sign our Contribution License Agreement before we can accept your contribution. You can sign the CLA by just posting a Pull Request Comment with the exact sentence copied from below.


I have read the CLA Document and I hereby sign the CLA


You can retrigger this bot by commenting recheck in this Pull Request

limak9182 force-pushed the feature/pg_hba-validation branch from dbafebc to fb47985 on April 22, 2026 07:22
Comment thread config/webhook/manifests.yaml
Comment thread pkg/splunk/enterprise/validation/registry.go
Comment thread pkg/postgresql/cluster/core/hba_unit_test.go
Comment thread pkg/postgresql/cluster/core/hba.go
Comment thread pkg/postgresql/cluster/core/hba_unit_test.go
Comment thread pkg/postgresql/cluster/core/hba.go
2 participants