Add rule to prevent users from attempting to use the ssl_groups parameter with pg17 or earlier.

dsessler7 · dsessler7 · commit 9667cfccaef5 · 2025-11-08T02:31:36.000-08:00
diff --git a/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml b/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml
@@ -18700,6 +18700,9 @@ spec:
             - postgresVersion
             type: object
             x-kubernetes-validations:
+            - message: The ssl_groups parameter is only available in pg18 and greater
+              rule: '!has(self.?config.parameters.ssl_groups) || self.postgresVersion
+                > 17'
             - fieldPath: .config.parameters.log_directory
               message: all instances need "volumes.temp" to log in "/pgtmp"
               rule: self.?config.parameters.log_directory.optMap(v, type(v) != string
@@ -37769,6 +37772,10 @@ spec:
             - instances
             - postgresVersion
             type: object
+            x-kubernetes-validations:
+            - message: The ssl_groups parameter is only available in pg18 and greater
+              rule: '!has(self.?config.parameters.ssl_groups) || self.postgresVersion
+                > 17'
           status:
             description: PostgresClusterStatus defines the observed state of PostgresCluster
             properties:
diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1/postgrescluster_types.go b/pkg/apis/postgres-operator.crunchydata.com/v1/postgrescluster_types.go
@@ -17,6 +17,10 @@ import (
 // PostgresClusterSpec defines the desired state of PostgresCluster
 // ---
 //
+// # Postgres 18
+//
+// +kubebuilder:validation:XValidation:rule=`!has(self.?config.parameters.ssl_groups) || self.postgresVersion > 17`,message=`The ssl_groups parameter is only available in pg18 and greater`
+//
 // # Postgres Logging
 //
 // +kubebuilder:validation:XValidation:fieldPath=`.config.parameters.log_directory`,message=`all instances need "volumes.temp" to log in "/pgtmp"`,rule=`self.?config.parameters.log_directory.optMap(v, type(v) != string || !v.startsWith("/pgtmp/logs/postgres") || self.instances.all(i, i.?volumes.temp.hasValue())).orValue(true)`
diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgrescluster_types.go b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgrescluster_types.go
@@ -13,6 +13,11 @@ import (
 )
 
 // PostgresClusterSpec defines the desired state of PostgresCluster
+// ---
+//
+// # Postgres 18
+//
+// +kubebuilder:validation:XValidation:rule=`!has(self.?config.parameters.ssl_groups) || self.postgresVersion > 17`,message=`The ssl_groups parameter is only available in pg18 and greater`
 type PostgresClusterSpec struct {
 	// +optional
 	Metadata *Metadata `json:"metadata,omitempty"`
