Expand Up @@ -13594,6 +13594,53 @@ spec:
type: boolean
extensions:
properties:
pg_tde:
properties:
enabled:
type: boolean
vault:
properties:
caSecret:
description: Name of the secret that contains the CA certificate
for SSL verification.
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
host:
description: Host of Vault server.
type: string
mountPath:
default: secret/data
description: The mount point on the Vault server where
the key provider should store the keys.
type: string
tokenSecret:
description: Name of the secret that contains the access
token with read and write access to the mount path.
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
required:
- host
- tokenSecret
type: object
type: object
x-kubernetes-validations:
- message: vault is required for enabling pg_tde
rule: '!has(self.enabled) || (has(self.enabled) && self.enabled
== false) || has(self.vault)'
pgAudit:
type: boolean
pgRepack:
Expand All @@ -13605,6 +13652,11 @@ spec:
pgvector:
type: boolean
type: object
x-kubernetes-validations:
- message: to disable pg_tde first set enabled=false without removing
vault and wait for pod restarts
rule: '!has(oldSelf.pg_tde) || !has(oldSelf.pg_tde.vault) || !has(oldSelf.pg_tde.enabled)
|| !oldSelf.pg_tde.enabled || has(self.pg_tde.vault)'
image:
description: |-
The image name to use for PostgreSQL containers. When omitted, the value
Expand Down Expand Up @@ -30971,6 +31023,10 @@ spec:
description: The PostgreSQL system identifier reported by Patroni.
type: string
type: object
pgTDERevision:
description: Identifies the pg_tde configuration that have been installed
into PostgreSQL.
type: string
pgbackrest:
description: Status information for pgBackRest
properties:
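Review bot: The transition rule added on `extensions` ends in `has(self.pg_tde.vault)` without first checking `has(self.pg_tde)`, so an update that drops the whole `pg_tde` block while encryption was enabled will most likely fail with a CEL evaluation error (no such key) rather than the intended message; `(has(self.pg_tde) && has(self.pg_tde.vault))` as the last clause would make the rejection explicit. The rule also only checks that `vault` is still present, not that `host`, `mountPath` or `tokenSecret` are unchanged, so repointing the key provider on an already encrypted cluster passes validation; if that can strand existing keys, it should be rejected here or handled deliberately by the controller. Because the rule sits on `extensions`, it is presumably not evaluated when `extensions` itself is removed, which is worth confirming. The same rule is repeated in the other three file sections on this page.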
Expand Up @@ -13693,6 +13693,8 @@ spec:
description: The specification of extensions.
properties:
builtin:
description: 'Deprecated: Use extensions.<extension> instead.
This field will be removed after 2.11.0.'
properties:
pg_audit:
type: boolean
Expand Down Expand Up @@ -13722,6 +13724,78 @@ spec:
description: PullPolicy describes a policy for if/when to pull
a container image
type: string
pg_audit:
properties:
enabled:
type: boolean
type: object
pg_repack:
properties:
enabled:
type: boolean
type: object
pg_stat_monitor:
properties:
enabled:
type: boolean
type: object
pg_stat_statements:
properties:
enabled:
type: boolean
type: object
pg_tde:
properties:
enabled:
type: boolean
vault:
properties:
caSecret:
description: Name of the secret that contains the CA certificate
for SSL verification.
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
host:
description: Host of Vault server.
type: string
mountPath:
default: secret/data
description: The mount point on the Vault server where
the key provider should store the keys.
type: string
tokenSecret:
description: Name of the secret that contains the access
token with read and write access to the mount path.
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
required:
- host
- tokenSecret
type: object
type: object
x-kubernetes-validations:
- message: vault is required for enabling pg_tde
rule: '!has(self.enabled) || (has(self.enabled) && self.enabled
== false) || has(self.vault)'
pgvector:
properties:
enabled:
type: boolean
type: object
storage:
properties:
bucket:
Expand Down Expand Up @@ -13804,6 +13878,11 @@ spec:
type: string
type: object
type: object
x-kubernetes-validations:
- message: to disable pg_tde first set enabled=false without removing
vault and wait for pod restarts
rule: '!has(oldSelf.pg_tde) || !has(oldSelf.pg_tde.vault) || !has(oldSelf.pg_tde.enabled)
|| !oldSelf.pg_tde.enabled || has(self.pg_tde.vault)'
image:
description: The image name to use for PostgreSQL containers.
type: string
Expand Down Expand Up @@ -28778,6 +28857,9 @@ spec:
- postgresVersion
type: object
x-kubernetes-validations:
- message: pg_tde is only supported for PG17 and above
rule: '!has(self.extensions) || !has(self.extensions.pg_tde) || !has(self.extensions.pg_tde.enabled)
|| !self.extensions.pg_tde.enabled || self.postgresVersion >= 17'
- message: PostgresVersion must be >= 15 if grantPublicSchemaAccess exists
and is true
rule: '!has(self.users) || self.postgresVersion >= 15 || self.users.all(u,
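Review bot: In the `pg_tde.vault` schema, `host` is a free-form string and `caSecret` is optional, so nothing at admission prevents a plaintext endpoint or a TLS connection without a configured CA, while the Vault token and the encryption keys travel over that link. The description does not say whether `host` is a URL or a bare hostname; if it is a URL, consider a `pattern` or CEL rule that requires `https://`, and state in the `caSecret` description what is used for verification when it is omitted. The `tokenSecret` description could also ask for a narrowly scoped token, e.g. `Name of the secret that contains a Vault token limited to read and write on the mount path.` The same schema is repeated in the other file sections.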
82 changes: 82 additions & 0 deletions config/crd/bases/pgv2.percona.com_perconapgclusters.yaml
Expand Up @@ -14332,6 +14332,8 @@ spec:
description: The specification of extensions.
properties:
builtin:
description: 'Deprecated: Use extensions.<extension> instead.
This field will be removed after 2.11.0.'
properties:
pg_audit:
type: boolean
Expand Down Expand Up @@ -14361,6 +14363,78 @@ spec:
description: PullPolicy describes a policy for if/when to pull
a container image
type: string
pg_audit:
properties:
enabled:
type: boolean
type: object
pg_repack:
properties:
enabled:
type: boolean
type: object
pg_stat_monitor:
properties:
enabled:
type: boolean
type: object
pg_stat_statements:
properties:
enabled:
type: boolean
type: object
pg_tde:
properties:
enabled:
type: boolean
vault:
properties:
caSecret:
description: Name of the secret that contains the CA certificate
for SSL verification.
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
host:
description: Host of Vault server.
type: string
mountPath:
default: secret/data
description: The mount point on the Vault server where
the key provider should store the keys.
type: string
tokenSecret:
description: Name of the secret that contains the access
token with read and write access to the mount path.
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
required:
- host
- tokenSecret
type: object
type: object
x-kubernetes-validations:
- message: vault is required for enabling pg_tde
rule: '!has(self.enabled) || (has(self.enabled) && self.enabled
== false) || has(self.vault)'
pgvector:
properties:
enabled:
type: boolean
type: object
storage:
properties:
bucket:
Expand Down Expand Up @@ -14443,6 +14517,11 @@ spec:
type: string
type: object
type: object
x-kubernetes-validations:
- message: to disable pg_tde first set enabled=false without removing
vault and wait for pod restarts
rule: '!has(oldSelf.pg_tde) || !has(oldSelf.pg_tde.vault) || !has(oldSelf.pg_tde.enabled)
|| !oldSelf.pg_tde.enabled || has(self.pg_tde.vault)'
image:
description: The image name to use for PostgreSQL containers.
type: string
Expand Down Expand Up @@ -29417,6 +29496,9 @@ spec:
- postgresVersion
type: object
x-kubernetes-validations:
- message: pg_tde is only supported for PG17 and above
rule: '!has(self.extensions) || !has(self.extensions.pg_tde) || !has(self.extensions.pg_tde.enabled)
|| !self.extensions.pg_tde.enabled || self.postgresVersion >= 17'
- message: PostgresVersion must be >= 15 if grantPublicSchemaAccess exists
and is true
rule: '!has(self.users) || self.postgresVersion >= 15 || self.users.all(u,
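Review bot: The new per-extension objects (`pg_audit`, `pg_repack`, `pg_stat_monitor`, `pg_stat_statements`, `pgvector`) carry no `description`, and nothing in the schema says which value wins when both the deprecated `builtin.pg_audit` and the new `pg_audit.enabled` are set. For `pg_audit` that ambiguity decides whether audit logging is on, so the precedence is worth documenting on each field, e.g. `Enables the pgAudit extension. Takes precedence over the deprecated builtin.pg_audit.` (adjusted to what the controller actually does), or conflicting values could be rejected with a CEL rule on `extensions`. The preceding file section has the same schema and the same gap.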
Expand Up @@ -13554,6 +13554,53 @@ spec:
type: boolean
extensions:
properties:
pg_tde:
properties:
enabled:
type: boolean
vault:
properties:
caSecret:
description: Name of the secret that contains the CA certificate
for SSL verification.
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
host:
description: Host of Vault server.
type: string
mountPath:
default: secret/data
description: The mount point on the Vault server where
the key provider should store the keys.
type: string
tokenSecret:
description: Name of the secret that contains the access
token with read and write access to the mount path.
properties:
key:
type: string
name:
type: string
required:
- key
- name
type: object
required:
- host
- tokenSecret
type: object
type: object
x-kubernetes-validations:
- message: vault is required for enabling pg_tde
rule: '!has(self.enabled) || (has(self.enabled) && self.enabled
== false) || has(self.vault)'
pgAudit:
type: boolean
pgRepack:
Expand All @@ -13565,6 +13612,11 @@ spec:
pgvector:
type: boolean
type: object
x-kubernetes-validations:
- message: to disable pg_tde first set enabled=false without removing
vault and wait for pod restarts
rule: '!has(oldSelf.pg_tde) || !has(oldSelf.pg_tde.vault) || !has(oldSelf.pg_tde.enabled)
|| !oldSelf.pg_tde.enabled || has(self.pg_tde.vault)'
image:
description: |-
The image name to use for PostgreSQL containers. When omitted, the value
Expand Down Expand Up @@ -30869,6 +30921,10 @@ spec:
description: The PostgreSQL system identifier reported by Patroni.
type: string
type: object
pgTDERevision:
description: Identifies the pg_tde configuration that have been installed
into PostgreSQL.
type: string
pgbackrest:
description: Status information for pgBackRest
properties:
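Review bot: The `pgTDERevision` description reads `Identifies the pg_tde configuration that have been installed into PostgreSQL.`; it should say `has been installed`, and it would help to state what the value is derived from, so an operator can tell when a Vault or key-provider change has actually been applied. The vault-required rule in this section can also be shortened to `!has(self.enabled) || !self.enabled || has(self.vault)`, since the middle clause re-checks `has(self.enabled)` after the first clause has already covered its absence. If these CRD files are generated, both changes belong in the source type definitions. The same lines appear in the first file section.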