Allow users to set ssl_groups or ssl_ecdh_curve via spec.config.parameters.

dsessler7 · dsessler7 · commit 8b3410a59189 · 2025-11-08T00:17:34.000-08:00
diff --git a/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml b/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml
@@ -5063,7 +5063,8 @@ spec:
                     - message: change port using .spec.port instead
                       rule: '!has(self.port)'
                     - message: TLS is always enabled
-                      rule: '!has(self.ssl) && !self.exists(k, k.startsWith("ssl_"))'
+                      rule: '!has(self.ssl) && !self.exists(k, k.startsWith("ssl_")
+                        && !(k == ''ssl_groups'' || k == ''ssl_ecdh_curve''))'
                     - message: domain socket paths cannot be changed
                       rule: '!self.exists(k, k.startsWith("unix_socket_"))'
                     - message: wal_level must be "replica" or higher
@@ -24149,7 +24150,8 @@ spec:
                     - message: change port using .spec.port instead
                       rule: '!has(self.port)'
                     - message: TLS is always enabled
-                      rule: '!has(self.ssl) && !self.exists(k, k.startsWith("ssl_"))'
+                      rule: '!has(self.ssl) && !self.exists(k, k.startsWith("ssl_")
+                        && !(k == ''ssl_groups'' || k == ''ssl_ecdh_curve''))'
                     - message: domain socket paths cannot be changed
                       rule: '!self.exists(k, k.startsWith("unix_socket_"))'
                     - message: wal_level must be "replica" or higher
diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1/postgres_types.go b/pkg/apis/postgres-operator.crunchydata.com/v1/postgres_types.go
@@ -37,7 +37,7 @@ type PostgresConfigSpec struct {
 	//
 	// +kubebuilder:validation:XValidation:rule=`!has(self.listen_addresses)`,message=`network connectivity is always enabled: listen_addresses`
 	// +kubebuilder:validation:XValidation:rule=`!has(self.port)`,message=`change port using .spec.port instead`
-	// +kubebuilder:validation:XValidation:rule=`!has(self.ssl) && !self.exists(k, k.startsWith("ssl_"))`,message=`TLS is always enabled`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.ssl) && !self.exists(k, k.startsWith("ssl_") && !(k == 'ssl_groups' || k == 'ssl_ecdh_curve'))`,message=`TLS is always enabled`
 	// +kubebuilder:validation:XValidation:rule=`!self.exists(k, k.startsWith("unix_socket_"))`,message=`domain socket paths cannot be changed`
 	//
 	// # Write Ahead Log
diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgres_types.go b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgres_types.go
@@ -54,7 +54,7 @@ type PostgresConfigSpec struct {
 	//
 	// +kubebuilder:validation:XValidation:rule=`!has(self.listen_addresses)`,message=`network connectivity is always enabled: listen_addresses`
 	// +kubebuilder:validation:XValidation:rule=`!has(self.port)`,message=`change port using .spec.port instead`
-	// +kubebuilder:validation:XValidation:rule=`!has(self.ssl) && !self.exists(k, k.startsWith("ssl_"))`,message=`TLS is always enabled`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.ssl) && !self.exists(k, k.startsWith("ssl_") && !(k == 'ssl_groups' || k == 'ssl_ecdh_curve'))`,message=`TLS is always enabled`
 	// +kubebuilder:validation:XValidation:rule=`!self.exists(k, k.startsWith("unix_socket_"))`,message=`domain socket paths cannot be changed`
 	//
 	// # Write Ahead Log
