feat: switch to include directives in pg_hba #1765
Open
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters. Learn more about bidirectional Unicode characters
| Requires pg16+ |
staaldraad force-pushed the etienne/sec-493-switch-pg_hba-to-use-include-directive branch from e258813 to 6d11c7d Compare 
hunleyd requested changes Aug 27, 2025
staaldraad force-pushed the etienne/sec-493-switch-pg_hba-to-use-include-directive branch from 7b62c4f to 641951d Compare Open
hunleyd previously requested changes Sep 3, 2025
Using include directives makes changing the pg_hba.conf on the fly more flexible. Enabling / disabling ssl enforcement for example only requires creating or removing a file, leaving the pg_hba.conf untouched. Allowing for more repeatable and stable processes and no need for regex based replace or custom parsers. This will also support the just-in-time access work by allowing jit to be dynamically enabled/disabled
staaldraad force-pushed the etienne/sec-493-switch-pg_hba-to-use-include-directive branch from 641951d to 9a840bf Compare staaldraad dismissed hunleyd’s stale review conflict resolved and rebased to use latest admin_api and admin_mgr as introduced by #1780
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Add this suggestion to a batch that can be applied as a single commit. This suggestion is invalid because no changes were made to the code. Suggestions cannot be applied while the pull request is closed. Suggestions cannot be applied while viewing a subset of changes. Only one suggestion per line can be applied in a batch. Add this suggestion to a batch that can be applied as a single commit. Applying suggestions on deleted lines is not supported. You must change the existing code in this line in order to create a valid suggestion. Outdated suggestions cannot be applied. This suggestion has been applied or marked resolved. Suggestions cannot be applied from pending reviews. Suggestions cannot be applied on multi-line comments. Suggestions cannot be applied while the pull request is queued to merge. Suggestion cannot be applied right now. Please check back later.
Using include directives makes changing the pg_hba.conf on the fly more flexible. Enabling / disabling ssl enforcement for example only requires creating or removing a file, leaving the pg_hba.conf untouched. Allowing for more repeatable and stable processes and no need for regex based replace or custom parsers.
This will also support the just-in-time access work by allowing jit to be dynamically enabled/disabled
The required admin-api update is included as v0.88.0 added to ansible/vars.yml