
K8SPG-683 support Authenticating Against a TLS-enabled LDAP Server#1456

Open
gkech wants to merge 14 commits into main from K8SPG-873

Conversation

gkech (Contributor) commented Feb 20, 2026

Jira: https://perconadev.atlassian.net/browse/K8SPG-683

CHANGE DESCRIPTION

Problem:

Adds support for configuring PostgreSQL LDAP authentication over TLS (ldaps) in PerconaPG clusters.

  • Two new fields added to the PerconaPGCluster CR:
    • spec.config.files — mount arbitrary files (e.g. an LDAP CA certificate) into /etc/postgres
    • spec.authentication.rules — define custom pg_hba.conf rules, either structured or as raw HBA lines; rules are evaluated after mandatory operator rules and before the default scram-sha-256 fallback
  • CRDs regenerated to reflect the new fields
  • Two e2e tests added: one for plain LDAP and one for LDAP over TLS (ldap-tls suite)

Cause:
Short explanation of the root cause of the issue if applicable.

Solution:
Short explanation of the solution we are providing with this PR.

CHECKLIST

Jira

  • Is the Jira ticket created and referenced properly?
  • Does the Jira ticket have the proper statuses for documentation (Needs Doc) and QA (Needs QA)?
  • Does the Jira ticket link to the proper milestone (Fix Version field)?

Tests

  • Is an E2E test/test case added for the new feature/change?
  • Are unit tests added where appropriate?

Config/Logging/Testability

  • Are all needed new/changed options added to default YAML files?
  • Are all needed new/changed options added to the Helm Chart?
  • Did we add proper logging messages for operator actions?
  • Did we ensure compatibility with the previous version or cluster upgrade process?
  • Does the change support oldest and newest supported PG version?
  • Does the change support oldest and newest supported Kubernetes version?

gkech changed the title from "K8SPG 873" to "K8SPG-873 support Authenticating Against a TLS-enabled LDAP Server" Feb 20, 2026
@gkech gkech requested a review from egegunes February 23, 2026 10:52
// authentication (pg_hba.conf). Rules added here are applied after any
// mandatory rules and before the default scram-sha-256 fallback.
// +optional
Authentication *PostgresClusterAuthentication `json:"authentication,omitempty"`
Reviewer (Contributor):

is this still required?

Author (Contributor):

	// Include authentication rules from spec.authentication.rules.
	// These are evaluated before any rules in Patroni's dynamic configuration.
	if authn := cluster.Spec.Authentication; authn != nil {
		for i := range authn.Rules {
			rule := &authn.Rules[i]
			if len(rule.HBA) > 0 {
				hba = append(hba, rule.HBA)
			} else if r := hbaFromSpec(&rule.PostgresHBARule); r != nil {
				hba = append(hba, r.String())
			}
		}
	}

In func DynamicConfiguration
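To make the ordering described in the PR concrete (mandatory operator rules, then spec.authentication.rules, then the scram-sha-256 fallback) and the raw-line-versus-structured branch shown in the DynamicConfiguration snippet above, here is an added, self-contained Go example; it is not code from this PR or from the operator. PostgresHBARule, its field names, hbaFromSpec and the fallback line are simplified stand-ins assumed for this example, and the sample rules are constructed. LintHBA is an extra check a reviewer would want: because pg_hba.conf is first-match, a permissive rule from the CR shadows the operator's fallback for every client it matches, and an ldap rule without ldapscheme=ldaps or ldaptls=1 (or on a plain host connection) defeats the point of the TLS-enabled LDAP setup.

```go
package main

import (
	"fmt"
	"strings"
)

// PostgresHBARule is a simplified stand-in for the structured rule type the PR's
// hbaFromSpec() consumes; the field names here are assumptions for this example.
type PostgresHBARule struct {
	Connection string   // "local", "host", "hostssl", ...
	Databases  []string // empty means "all"
	Users      []string // empty means "all"
	Method     string   // "ldap", "scram-sha-256", ...
	Options    []string // pg_hba.conf options as "key=value", e.g. "ldapscheme=ldaps"
}

// AuthenticationRule mirrors one entry of spec.authentication.rules: a raw HBA
// line wins over the structured form, exactly as in the PR's loop.
type AuthenticationRule struct {
	HBA string
	PostgresHBARule
}

func listOrAll(v []string) string {
	if len(v) == 0 {
		return "all"
	}
	return strings.Join(v, ",")
}

// hbaFromSpec renders a structured rule as one pg_hba.conf line, or "" when the
// rule has no method (standing in for the nil result in the PR).
func hbaFromSpec(r *PostgresHBARule) string {
	if r.Method == "" {
		return ""
	}
	fields := []string{r.Connection, listOrAll(r.Databases), listOrAll(r.Users)}
	if r.Connection != "local" {
		fields = append(fields, "all") // ADDRESS column; local rules have none
	}
	fields = append(append(fields, r.Method), r.Options...)
	return strings.Join(fields, " ")
}

// BuildHBA assembles pg_hba.conf in the order the PR describes: mandatory operator
// rules, then spec.authentication.rules, then the scram-sha-256 fallback (the
// fallback line below is a constructed stand-in for the operator's own).
func BuildHBA(mandatory []string, rules []AuthenticationRule) []string {
	hba := append([]string{}, mandatory...)
	for i := range rules {
		rule := &rules[i]
		if len(rule.HBA) > 0 {
			hba = append(hba, rule.HBA)
		} else if line := hbaFromSpec(&rule.PostgresHBARule); line != "" {
			hba = append(hba, line)
		}
	}
	return append(hba, "hostssl all all all scram-sha-256")
}

// LintHBA flags rules that undercut a TLS-only LDAP setup. pg_hba.conf is
// first-match, so a permissive user rule ahead of the fallback shadows it for
// every client it matches. Tokenisation is whitespace-based.
func LintHBA(line string) []string {
	f := strings.Fields(line)
	if len(f) == 0 || strings.HasPrefix(f[0], "#") {
		return nil
	}
	methodIdx := 4 // TYPE DATABASE USER ADDRESS METHOD [OPTIONS]
	if f[0] == "local" {
		methodIdx = 3 // local rules have no ADDRESS column
	}
	if len(f) <= methodIdx {
		return nil
	}
	// padded with spaces so whole-token matches work once quotes are stripped
	opts := " " + strings.ReplaceAll(strings.Join(f[methodIdx+1:], " "), `"`, "") + " "
	var warns []string
	switch f[methodIdx] {
	case "trust":
		warns = append(warns, "trust: matching connections are not authenticated at all")
	case "ldap":
		if !strings.Contains(opts, " ldapscheme=ldaps ") && !strings.Contains(opts, " ldaptls=1 ") {
			warns = append(warns, "ldap: directory bind is not TLS-protected (set ldapscheme=ldaps or ldaptls=1)")
		}
		if f[0] == "host" || f[0] == "hostnossl" {
			warns = append(warns, "ldap: client password reaches PostgreSQL unencrypted; use hostssl")
		}
	}
	return warns
}

func main() {
	rules := []AuthenticationRule{ // constructed sample entries
		{HBA: `hostssl all all all ldap ldapserver=ldap.example.test ldapscheme=ldaps ldapbasedn="dc=example,dc=test"`},
		{PostgresHBARule: PostgresHBARule{Connection: "host", Users: []string{"legacy"}, Method: "ldap", Options: []string{"ldapserver=ldap.example.test"}}},
	}
	for _, l := range BuildHBA([]string{"# operator mandatory rules (placeholder)"}, rules) {
		fmt.Println(l, LintHBA(l))
	}
}
```

Running it prints the assembled pg_hba.conf lines in order; the raw ldaps rule lints clean, while the structured "host ... ldap" rule is flagged twice (no TLS to the directory, and a non-TLS client connection), which is the kind of misconfiguration an e2e test for the ldap-tls suite can assert against.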

@egegunes egegunes added this to the v2.9.0 milestone Feb 25, 2026
@gkech gkech requested review from egegunes and hors February 25, 2026 08:29
gkech changed the title from "K8SPG-873 support Authenticating Against a TLS-enabled LDAP Server" to "K8SPG-683 support Authenticating Against a TLS-enabled LDAP Server" Feb 25, 2026
egegunes previously approved these changes Feb 26, 2026
nmarukovich (Contributor) commented:

Do we have helm chart PR?

- name: LDAP_DOMAIN
value: "ldap.local"
- name: LDAP_ORGANISATION
value: "ldap.local"
Reviewer (Contributor):

we need to fix it :(

Author (Contributor):

what needs fixing? 🤔

JNKPercona (Collaborator) commented:

Test Name Result Time
backup-enable-disable passed 00:07:21
builtin-extensions passed 00:05:09
cert-manager-tls passed 00:06:17
custom-envs passed 00:19:59
custom-extensions failure 00:05:26
custom-tls passed 00:06:47
database-init-sql passed 00:02:17
demand-backup passed 00:25:58
demand-backup-offline-snapshot failure 00:13:27
dynamic-configuration passed 00:03:42
finalizers passed 00:04:40
init-deploy passed 00:02:53
huge-pages passed 00:03:02
ldap passed 00:02:07
ldap-tls passed 00:05:52
monitoring passed 00:07:09
monitoring-pmm3 passed 00:09:41
one-pod passed 00:05:50
operator-self-healing failure 01:30:20
pitr passed 00:12:43
scaling passed 00:06:05
scheduled-backup passed 00:27:38
self-healing passed 00:09:18
sidecars passed 00:02:39
standby-pgbackrest passed 00:11:37
standby-streaming passed 00:11:26
start-from-backup passed 00:13:03
tablespaces passed 00:07:05
telemetry-transfer passed 00:04:29
upgrade-consistency passed 00:06:04
upgrade-minor passed 00:05:23
users passed 00:04:37
Summary Value
Tests Run 32/32
Job Duration 02:44:25
Total Test Time 05:50:22

commit: a359699
image: perconalab/percona-postgresql-operator:PR-1456-a3596997b
