feat: support ipv6 and custom pg_hba for pgbouncer (cloudnative-pg#1395)

phisco · sxd · web-flow · commit 6fd72b5a8cc4 · 2023-02-15T18:14:35.000+08:00
This patch makes default pg_hba to use md5 auth method for both ipv4 and 
ipv6 connections. Also added parameter to allow configuring custom pg_hba rules,
similarly to what can already be done for postgresql.

Signed-off-by: Philippe Scorsolini &lt;p.scorsolini@gmail.com&gt;
Signed-off-by: Jonathan Gonzalez V &lt;jonathan.gonzalez@enterprisedb.com&gt;
Co-authored-by: Jonathan Gonzalez V &lt;jonathan.gonzalez@enterprisedb.com&gt;
diff --git a/api/v1/pooler_types.go b/api/v1/pooler_types.go
@@ -115,6 +115,11 @@ type PgBouncerSpec struct {
 	// the CNPG documentation for a list of options you can configure
 	Parameters map[string]string `json:"parameters,omitempty"`
 
+	// PostgreSQL Host Based Authentication rules (lines to be appended
+	// to the pg_hba.conf file)
+	// +optional
+	PgHBA []string `json:"pg_hba,omitempty"`
+
 	// When set to `true`, PgBouncer will disconnect from the PostgreSQL
 	// server, first waiting for all queries to complete, and pause all new
 	// client connections until this value is set to `false` (default). Internally,
diff --git a/api/v1/zz_generated.deepcopy.go b/api/v1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/postgresql.cnpg.io_poolers.yaml b/config/crd/bases/postgresql.cnpg.io_poolers.yaml
@@ -99,6 +99,12 @@ spec:
                       to `false` (default). Internally, the operator calls PgBouncer's
                       `PAUSE` and `RESUME` commands.
                     type: boolean
+                  pg_hba:
+                    description: PostgreSQL Host Based Authentication rules (lines
+                      to be appended to the pg_hba.conf file)
+                    items:
+                      type: string
+                    type: array
                   poolMode:
                     default: session
                     description: The pool mode
diff --git a/docs/src/api_reference.md b/docs/src/api_reference.md
@@ -666,6 +666,7 @@ Name            | Description
 `authQuerySecret` | The credentials of the user that need to be used for the authentication query. In case it is specified, also an AuthQuery (e.g. "SELECT usename, passwd FROM pg_shadow WHERE usename=$1") has to be specified and no automatic CNPG Cluster integration will be triggered.        | [*LocalObjectReference](#LocalObjectReference)
 `authQuery      ` | The query that will be used to download the hash of the password of a certain user. Default: "SELECT usename, passwd FROM user_search($1)". In case it is specified, also an AuthQuerySecret has to be specified and no automatic CNPG Cluster integration will be triggered.     | string                                        
 `parameters     ` | Additional parameters to be passed to PgBouncer - please check the CNPG documentation for a list of options you can configure                                                                                                                                                     | map[string]string                             
+`pg_hba         ` | PostgreSQL Host Based Authentication rules (lines to be appended to the pg_hba.conf file)                                                                                                                                                                                         | []string                                      
 `paused         ` | When set to `true`, PgBouncer will disconnect from the PostgreSQL server, first waiting for all queries to complete, and pause all new client connections until this value is set to `false` (default). Internally, the operator calls PgBouncer's `PAUSE` and `RESUME` commands. | *bool                                         
 
 <a id='PodTemplateSpec'></a>
diff --git a/pkg/management/pgbouncer/config/config.go b/pkg/management/pgbouncer/config/config.go
@@ -80,7 +80,13 @@ auth_query = {{ .AuthQuery }}
 `
 	pgbouncerHBAFileTemplateString = `
 local pgbouncer pgbouncer peer
+
+{{ range $rule := .PgHba }}
+{{ $rule -}}
+{{ end }}
+
 host all all 0.0.0.0/0 md5
+host all all ::/0 md5
 `
 
 	pgBouncerUserListTemplateString = `
@@ -180,6 +186,7 @@ func BuildConfigurationFiles(pooler *apiv1.Pooler, secrets *Secrets) (Configurat
 		AuthQueryUser     string
 		AuthQueryPassword string
 		Parameters        string
+		PgHba             []string
 	}{
 		Pooler:            pooler,
 		AuthQuery:         pooler.GetAuthQuery(),
@@ -193,6 +200,7 @@ func BuildConfigurationFiles(pooler *apiv1.Pooler, secrets *Secrets) (Configurat
 		// Also, we want the list of parameters inside the PgBouncer configuration
 		// to be stable.
 		Parameters: stringifyPgBouncerParameters(parameters),
+		PgHba:      pooler.Spec.PgBouncer.PgHBA,
 	}
 
 	err = pgBouncerIniTemplate.Execute(&pgbouncerIni, templateData)
