splunk · mploski · Apr 23, 2026 · M4KIF · Apr 24, 2026
diff --git a/cmd/main.go b/cmd/main.go
@@ -302,25 +302,28 @@ func main() {
 	}
 	pgFleetMetricsCollector := pgprometheus.NewFleetCollector()
 
-	if err := (&controller.PostgresDatabaseReconciler{
-		Client:         mgr.GetClient(),
-		Scheme:         mgr.GetScheme(),
-		Recorder:       mgr.GetEventRecorderFor("postgresdatabase-controller"),
-		Metrics:        pgMetricsRecorder,
-		FleetCollector: pgFleetMetricsCollector,
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "PostgresDatabase")
-		os.Exit(1)
-	}
-	if err := (&controller.PostgresClusterReconciler{
-		Client:         mgr.GetClient(),
-		Scheme:         mgr.GetScheme(),
-		Recorder:       mgr.GetEventRecorderFor("postgrescluster-controller"),
-		Metrics:        pgMetricsRecorder,
-		FleetCollector: pgFleetMetricsCollector,
-	}).SetupWithManager(mgr); err != nil {
-		setupLog.Error(err, "unable to create controller", "controller", "PostgresCluster")
-		os.Exit(1)
+	if config.DefaultMutableFeatureGate.Enabled(config.PostgresController) {
+		if err := (&controller.PostgresDatabaseReconciler{
+			Client:         mgr.GetClient(),
+			Scheme:         mgr.GetScheme(),
+			Recorder:       mgr.GetEventRecorderFor("postgresdatabase-controller"),
+			Metrics:        pgMetricsRecorder,
+			FleetCollector: pgFleetMetricsCollector,
+		}).SetupWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create controller", "controller", "PostgresDatabase")
+			os.Exit(1)
+		}
+
+		if err := (&controller.PostgresClusterReconciler{
+			Client:         mgr.GetClient(),
+			Scheme:         mgr.GetScheme(),
+			Recorder:       mgr.GetEventRecorderFor("postgrescluster-controller"),
+			Metrics:        pgMetricsRecorder,
+			FleetCollector: pgFleetMetricsCollector,
+		}).SetupWithManager(mgr); err != nil {
+			setupLog.Error(err, "unable to create controller", "controller", "PostgresCluster")
+			os.Exit(1)
+		}
 	}
 
 	if _, ok := os.LookupEnv("ENABLE_VALIDATION_WEBHOOK"); ok {

diff --git a/config/samples/enterprise_v4_postgrescluster_dev.yaml b/config/samples/enterprise_v4_postgrescluster_dev.yaml
@@ -14,8 +14,8 @@ spec:
   clusterDeletionPolicy: Retain
   instances: 3
   # Storage and PostgreSQL version are overridden from the ClusterClass defaults. Validation rules on the PostgresCluster resource will prevent removing these fields or setting them to lower values than the original overrides.
-  storage: 1Gi
-  postgresVersion: "15.10"
+  storage: 20Gi
+  postgresVersion: "18.10"
   resources:
     requests:
       cpu: "250m"

diff --git a/config/webhook/manifests.yaml b/config/webhook/manifests.yaml
diff --git a/docs/FeatureGates.md b/docs/FeatureGates.md
@@ -49,7 +49,8 @@ When running the operator binary directly, pass feature gates at startup:
 
 | Gate                  | Default | Stage | Since   | Description                                              |
 |-----------------------|---------|-------|---------|----------------------------------------------------------|
-| `ValidationWebhook`  | `false` | Alpha | v3.2.0  | Centralized validation webhook server for CR admission   |
+| `ValidationWebhook`   | `false` | Alpha | v3.2.0  | Centralized validation webhook server for CR admission   |
+| `PostgresController`  | `false` | Alpha | ?       | PostgresCluster, PostgresClusterClass, and PostgresDatabase controllers and CRDs |
 
 ## Adding a New Feature Gate
 
@@ -130,6 +131,20 @@ metadata:
     splunk.com/feature-stage: alpha
 ```
 
+### d. Enable the gate in tests
+
+Validators and controllers gated behind a feature flag will reject all operations in tests unless the gate is explicitly enabled. Enable it via `SetFromMap` before your tests run:
+
+```go
+func init() {
+    if err := config.DefaultMutableFeatureGate.SetFromMap(map[string]bool{
+        string(config.MyNewFeature): true,
+    }); err != nil {
+        panic(err)
+    }
+}
+```
+
 ## Promoting a Gate
 
 - **Alpha → Beta**: Change `Default: false` to `Default: true` in `featuregates.go`; update the CRD label to `beta`

diff --git a/pkg/config/featuregates.go b/pkg/config/featuregates.go
@@ -35,14 +35,16 @@ const (
 	// When enabled, the operator runs a validating webhook that enforces
 	// CR schema rules at admission time.
 	// Replaces the legacy ENABLE_VALIDATION_WEBHOOK env var.
-	ValidationWebhook featuregate.Feature = "ValidationWebhook"
+	ValidationWebhook  featuregate.Feature = "ValidationWebhook"
+	PostgresController featuregate.Feature = "PostgresController"
 )
 
 // defaultFeatureGates is the authoritative registry of all feature gates and
 // their default state / maturity. Each entry here automatically becomes
 // available via --feature-gates on the operator binary.
 var defaultFeatureGates = map[featuregate.Feature]featuregate.FeatureSpec{
-	ValidationWebhook: {Default: false, PreRelease: featuregate.Alpha},
+	ValidationWebhook:  {Default: false, PreRelease: featuregate.Alpha},
+	PostgresController: {Default: false, PreRelease: featuregate.Alpha},
 }
 
 var DefaultMutableFeatureGate featuregate.MutableFeatureGate = featuregate.NewFeatureGate()

diff --git a/pkg/postgresql/cluster/adapter/webhook/postgrescluster_validation.go b/pkg/postgresql/cluster/adapter/webhook/postgrescluster_validation.go
@@ -20,13 +20,22 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 
 	enterpriseApi "github.com/splunk/splunk-operator/api/v4"
+	"github.com/splunk/splunk-operator/pkg/config"
 	hba "github.com/splunk/splunk-operator/pkg/postgresql/cluster/core"
 )
 
 // ValidatePostgresClusterCreate validates a PostgresCluster on CREATE.
 func ValidatePostgresClusterCreate(obj *enterpriseApi.PostgresCluster) field.ErrorList {
 	var allErrs field.ErrorList
 
+	if !config.DefaultMutableFeatureGate.Enabled(config.PostgresController) {
+		allErrs = append(allErrs, field.Forbidden(
+			field.NewPath("spec"),
+			"the PostgresController feature is not enabled; set --feature-gates=PostgresController=true to activate"))
+
+		return allErrs
+	}
+
 	if len(obj.Spec.PgHBA) > 0 {
 		pgHBAPath := field.NewPath("spec").Child("pgHBA")
 		for _, re := range hba.ValidateRules(obj.Spec.PgHBA) {

diff --git a/pkg/postgresql/cluster/adapter/webhook/postgrescluster_validation_test.go b/pkg/postgresql/cluster/adapter/webhook/postgrescluster_validation_test.go
@@ -20,6 +20,7 @@ import (
 	"testing"
 
 	enterpriseApi "github.com/splunk/splunk-operator/api/v4"
+	"github.com/splunk/splunk-operator/pkg/config"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -174,6 +175,22 @@ func TestValidatePostgresClusterUpdate(t *testing.T) {
 	}
 }
 
+func TestValidatePostgresClusterCreateFeatureGateDisabled(t *testing.T) {
+	config.DefaultMutableFeatureGate.SetFromMap(map[string]bool{string(config.PostgresController): false})
+	t.Cleanup(func() {
+		config.DefaultMutableFeatureGate.SetFromMap(map[string]bool{string(config.PostgresController): true})
+	})
+
+	obj := &enterpriseApi.PostgresCluster{
+		Spec: enterpriseApi.PostgresClusterSpec{Class: "dev"},
+	}
+
+	errs := ValidatePostgresClusterCreate(obj)
+	assert.Len(t, errs, 1)
+	assert.Equal(t, "spec", errs[0].Field)
+	assert.Equal(t, "the PostgresController feature is not enabled; set --feature-gates=PostgresController=true to activate", errs[0].Detail)
+}
+
 func TestGetPostgresClusterWarningsOnCreate(t *testing.T) {
 	obj := &enterpriseApi.PostgresCluster{
 		Spec: enterpriseApi.PostgresClusterSpec{Class: "dev"},

diff --git a/pkg/postgresql/cluster/adapter/webhook/postgresclusterclass_validation.go b/pkg/postgresql/cluster/adapter/webhook/postgresclusterclass_validation.go
@@ -20,13 +20,22 @@ import (
 	"k8s.io/apimachinery/pkg/util/validation/field"
 
 	enterpriseApi "github.com/splunk/splunk-operator/api/v4"
+	"github.com/splunk/splunk-operator/pkg/config"
 	hba "github.com/splunk/splunk-operator/pkg/postgresql/cluster/core"
 )
 
 // ValidatePostgresClusterClassCreate validates a PostgresClusterClass on CREATE.
 func ValidatePostgresClusterClassCreate(obj *enterpriseApi.PostgresClusterClass) field.ErrorList {
 	var allErrs field.ErrorList
 
+	if !config.DefaultMutableFeatureGate.Enabled(config.PostgresController) {
+		allErrs = append(allErrs, field.Forbidden(
+			field.NewPath("spec"),
+			"the PostgresController feature is not enabled; set --feature-gates=PostgresController=true to activate"))
+
+		return allErrs
+	}
+
 	if obj.Spec.Config != nil && len(obj.Spec.Config.PgHBA) > 0 {
 		pgHBAPath := field.NewPath("spec").Child("config").Child("pgHBA")
 		for _, re := range hba.ValidateRules(obj.Spec.Config.PgHBA) {

diff --git a/pkg/postgresql/cluster/adapter/webhook/postgresclusterclass_validation_test.go b/pkg/postgresql/cluster/adapter/webhook/postgresclusterclass_validation_test.go
@@ -20,6 +20,7 @@ import (
 	"testing"
 
 	enterpriseApi "github.com/splunk/splunk-operator/api/v4"
+	"github.com/splunk/splunk-operator/pkg/config"
 	"github.com/stretchr/testify/assert"
 )
 
@@ -173,6 +174,22 @@ func TestValidatePostgresClusterClassUpdate(t *testing.T) {
 	}
 }
 
+func TestValidatePostgresClusterClassCreateFeatureGateDisabled(t *testing.T) {
+	config.DefaultMutableFeatureGate.SetFromMap(map[string]bool{string(config.PostgresController): false})
+	t.Cleanup(func() {
+		config.DefaultMutableFeatureGate.SetFromMap(map[string]bool{string(config.PostgresController): true})
+	})
+
+	obj := &enterpriseApi.PostgresClusterClass{
+		Spec: enterpriseApi.PostgresClusterClassSpec{Provisioner: "postgresql.cnpg.io"},
+	}
+
+	errs := ValidatePostgresClusterClassCreate(obj)
+	assert.Len(t, errs, 1)
+	assert.Equal(t, "spec", errs[0].Field)
+	assert.Equal(t, "the PostgresController feature is not enabled; set --feature-gates=PostgresController=true to activate", errs[0].Detail)
+}
+
 func TestGetPostgresClusterClassWarningsOnCreate(t *testing.T) {
 	obj := &enterpriseApi.PostgresClusterClass{
 		Spec: enterpriseApi.PostgresClusterClassSpec{Provisioner: "postgresql.cnpg.io"},

diff --git a/pkg/postgresql/cluster/adapter/webhook/testhelpers_test.go b/pkg/postgresql/cluster/adapter/webhook/testhelpers_test.go
@@ -0,0 +1,26 @@
+/*
+Copyright 2026.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webhook_test
+
+import (
+	"github.com/splunk/splunk-operator/pkg/config"
+	"github.com/splunk/splunk-operator/pkg/postgresql/shared/testhelpers"
+)
+
+func init() {
+	testhelpers.EnableFeatureGate(config.PostgresController)
+}
diff --git a/pkg/postgresql/cluster/adapter/webhook/testsetup_test.go b/pkg/postgresql/cluster/adapter/webhook/testsetup_test.go
@@ -0,0 +1,26 @@
+/*
+Copyright 2026.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webhook
+
+import (
+	"github.com/splunk/splunk-operator/pkg/config"
+	"github.com/splunk/splunk-operator/pkg/postgresql/shared/testhelpers"
+)
+
+func init() {
+	testhelpers.EnableFeatureGate(config.PostgresController)
+}
diff --git a/pkg/postgresql/database/adapter/webhook/postgresdatabase_validation.go b/pkg/postgresql/database/adapter/webhook/postgresdatabase_validation.go
@@ -0,0 +1,54 @@
+/*
+Copyright 2026.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package webhook
+
+import (
+	"k8s.io/apimachinery/pkg/util/validation/field"
+
+	enterpriseApi "github.com/splunk/splunk-operator/api/v4"
+	"github.com/splunk/splunk-operator/pkg/config"
+)
+
+// ValidatePostgresDatabaseCreate validates a PostgresDatabase on CREATE.
+func ValidatePostgresDatabaseCreate(obj *enterpriseApi.PostgresDatabase) field.ErrorList {
+	var allErrs field.ErrorList
+
+	if !config.DefaultMutableFeatureGate.Enabled(config.PostgresController) {
+		allErrs = append(allErrs, field.Forbidden(
+			field.NewPath("spec"),
+			"the PostgresController feature is not enabled; set --feature-gates=PostgresController=true to activate"))
+
+		return allErrs
+	}
+
+	return allErrs
+}
+
+// ValidatePostgresDatabaseUpdate validates a PostgresDatabase on UPDATE.
+func ValidatePostgresDatabaseUpdate(obj, oldObj *enterpriseApi.PostgresDatabase) field.ErrorList {
+	return ValidatePostgresDatabaseCreate(obj)
+}
+
+// GetPostgresDatabaseWarningsOnCreate returns warnings for PostgresDatabase CREATE.
+func GetPostgresDatabaseWarningsOnCreate(obj *enterpriseApi.PostgresDatabase) []string {
+	return nil
+}
+
+// GetPostgresDatabaseWarningsOnUpdate returns warnings for PostgresDatabase UPDATE.
+func GetPostgresDatabaseWarningsOnUpdate(obj, oldObj *enterpriseApi.PostgresDatabase) []string {
+	return nil
+}