Allow users to set ssl_groups or ssl_ecdh_curve via spec.config.parameters.

dsessler7 · dsessler7 · commit 442878b8b5a4 · 2025-11-09T06:20:04.000-08:00
diff --git a/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml b/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml
@@ -4822,7 +4822,8 @@ spec:
                     - message: change port using .spec.port instead
                       rule: '!has(self.port)'
                     - message: TLS is always enabled
-                      rule: '!has(self.ssl) && !self.exists(k, k.startsWith("ssl_"))'
+                      rule: '!has(self.ssl) && !self.exists(k, k.startsWith("ssl_")
+                        && !(k == ''ssl_groups'' || k == ''ssl_ecdh_curve''))'
                     - message: domain socket paths cannot be changed
                       rule: '!self.exists(k, k.startsWith("unix_socket_"))'
                     - message: wal_level must be "replica" or higher
diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgres_types.go b/pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgres_types.go
@@ -54,7 +54,7 @@ type PostgresConfigSpec struct {
 	//
 	// +kubebuilder:validation:XValidation:rule=`!has(self.listen_addresses)`,message=`network connectivity is always enabled: listen_addresses`
 	// +kubebuilder:validation:XValidation:rule=`!has(self.port)`,message=`change port using .spec.port instead`
-	// +kubebuilder:validation:XValidation:rule=`!has(self.ssl) && !self.exists(k, k.startsWith("ssl_"))`,message=`TLS is always enabled`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.ssl) && !self.exists(k, k.startsWith("ssl_") && !(k == 'ssl_groups' || k == 'ssl_ecdh_curve'))`,message=`TLS is always enabled`
 	// +kubebuilder:validation:XValidation:rule=`!self.exists(k, k.startsWith("unix_socket_"))`,message=`domain socket paths cannot be changed`
 	//
 	// # Write Ahead Log
