docs: document pg_hba_conf/pg_ident_conf + e2e #402

Merged: moizpgedge merged 2 commits into main from Docs/PLAT-629pg_hba-and-pg_ident-docs on Jun 10, 2026

moizpgedge (Contributor) commented Jun 9, 2026

Document the user-managed pg_hba_conf and pg_ident_conf fields, and add an end-to-end test that confirms the entries reach the running Postgres.

  • Add an "Authentication Rules" subsection under "Customizing Database Configuration" in the create-a-database guide, covering both fields, the per-node prepend behavior, the password_encryption interaction, and the Swarm source-IP nuance.
  • Add a single-node e2e test that creates a database with database- and node-level entries and asserts, via Postgres' own pg_hba_file_rules and pg_ident_file_mappings views, that they loaded without error and in the right order, then updates an entry and confirms it applies via a reload (pg_postmaster_start_time unchanged), not a restart.

The test stays intentionally small: single-node for speed, no connection matrix, and no replication re-assertion, since those are covered elsewhere.

PLAT-629


Summary

Adds user-facing documentation for the pg_hba_conf / pg_ident_conf database-spec fields and a small end-to-end test that proves user entries reach the running Postgres and that updates apply via reload, not restart. This is the docs-and-testing follow-up to the spec and generator work.

Changes

  • Docs (docs/using/create-db.md): add an "Authentication Rules" subsection under "Customizing Database Configuration" covering both fields, per-node prepend, the password_encryption interaction, and the Swarm source-IP nuance, with a curl example.
  • e2e (e2e/pg_hba_test.go): new single-node test that creates a database with database- and node-level pg_hba_conf plus a pg_ident_conf mapping, then queries pg_hba_file_rules / pg_ident_file_mappings to confirm Postgres loaded them with no parse error and in prepend order, and updates an entry to confirm a reload (unchanged pg_postmaster_start_time) rather than a restart.

Testing

```sh
go build ./...
make lint                                  # golangci-lint: 0 issues
make test                                  # 1163 unit tests pass

# the new e2e against a running cluster (single-node, ~115s)
make test-e2e E2E_RUN='^TestPgHbaPgIdentUserConfig$'
```

Manual: ran the e2e live against a dev cluster — the entries appear in the container's pg_hba.conf / pg_ident.conf, load without error, and the update is applied via SIGHUP reload (same container, unchanged postmaster start time).

@moizpgedge moizpgedge requested a review from jason-lynch June 9, 2026 12:31
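
Why the e2e test asserts rule order, as an added example that is not part of the PR or the project's code: Postgres uses the first pg_hba.conf record that matches a connection, so a prepended node-level entry overrides any later one. The `Rule` type, both helpers, the node-before-database merge order and the sample entries are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net"
)

// Rule is a simplified pg_hba.conf "host" record (hypothetical type for this example).
type Rule struct{ Database, User, CIDR, Method string }

// prepend puts node-level entries ahead of database-level ones (assumed merge order).
func prepend(node, database []Rule) []Rule {
	return append(append([]Rule{}, node...), database...)
}

// firstMatch walks the rules top to bottom and returns the first record whose
// database, user and address all match, as Postgres does; later records are
// never consulted. ok is false when nothing matches (connection rejected).
func firstMatch(rules []Rule, db, user, addr string) (Rule, bool) {
	ip := net.ParseIP(addr)
	if ip == nil {
		return Rule{}, false
	}
	for _, r := range rules {
		_, network, err := net.ParseCIDR(r.CIDR)
		if err != nil || !network.Contains(ip) {
			continue
		}
		if (r.Database == "all" || r.Database == db) && (r.User == "all" || r.User == user) {
			return r, true
		}
	}
	return Rule{}, false
}

func main() {
	// Constructed sample entries, not taken from the PR.
	node := []Rule{{"all", "all", "10.0.5.0/24", "reject"}}
	database := []Rule{{"all", "app", "10.0.0.0/8", "scram-sha-256"}}

	for _, addr := range []string{"10.0.5.7", "10.1.2.3", "192.0.2.10"} {
		got, ok := firstMatch(prepend(node, database), "appdb", "app", addr)
		swapped, _ := firstMatch(prepend(database, node), "appdb", "app", addr)
		fmt.Printf("%-10s prepended=%q (matched=%v) swapped=%q\n", addr, got.Method, ok, swapped.Method)
	}
}
```

With the node entry first, 10.0.5.7 hits `reject`; with the order swapped the same client is offered `scram-sha-256`, which is the kind of regression an ordering assertion catches.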
coderabbitai Bot commented Jun 9, 2026


Walkthrough

This PR adds documentation and end-to-end test coverage for PostgreSQL client authentication customization. The documentation subsection explains configuring pg_hba_conf and pg_ident_conf rules across the database spec, while the test validates these configurations are correctly parsed, ordered, applied, and reloaded without restarting Postgres.

Changes

PostgreSQL Authentication Configuration

| Layer / File(s) | Summary |
|---|---|
| Authentication rules documentation (`docs/using/create-db.md`) | New subsection covering pg_hba_conf and pg_ident_conf configuration: API request example, node-level prepend behavior, reload vs restart, ident mapping requirements, and Swarm IP guidance. |
| End-to-end authentication test (`e2e/pg_hba_test.go`) | Test validates pg_hba and pg_ident entries parse without errors, appear in correct prepend order, produce correct ident mappings, and that config updates reload rather than restart. Includes helpers to query active rule addresses and count parse errors in both pg_hba_file_rules and pg_ident_file_mappings. |

Poem

🐰 PostgreSQL rules now dance in line,
With identities mapped, so fine, so fine!
A test to check each prefix's place,
While configs reload at their steady pace.
The auth grows strong, no restarts in sight—
A rabbit's joy! Documentation done right! 🔐

🚥 Pre-merge checks | ✅ 4 | ❌ 1

❌ Failed checks (1 warning)

| Check name | Status | Explanation | Resolution |
|---|---|---|---|
| Docstring Coverage | ⚠️ Warning | Docstring coverage is 50.00% which is insufficient. The required threshold is 80.00%. | Write docstrings for the functions missing them to satisfy the coverage threshold. |

✅ Passed checks (4 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The title concisely summarizes the main changes: documentation for pg_hba_conf/pg_ident_conf and an end-to-end test, which matches the changeset. |
| Description check | ✅ Passed | The description covers all required template sections: Summary, Changes, Testing, and Checklist with all items addressed. Issue is linked (PLAT-629) and documentation updates are included. |
| Linked Issues check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |
| Out of Scope Changes check | ✅ Passed | Check skipped because no linked issues were found for this pull request. |


codacy-production Bot commented Jun 9, 2026


Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues


coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
e2e/pg_hba_test.go (1)

154-155: ⚡ Quick win

Clarify the error message.

The assertion checks that the start times are equal (reload occurred), but the error message says "start time changed". This is confusing because if the assertion fails, it means the times are NOT equal, indicating Postgres restarted.

📝 Suggested improvement for clarity
 		require.True(t, postmasterStartTime.Equal(after),
-			"Postgres should reload, not restart (start time changed)")
+			"Postgres restarted instead of reloading (start time changed)")
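Review bot: the replacement message on the `+` line still ends with "(start time changed)" without reporting either timestamp, so a failed run shows that a restart happened but not the values that differed. Since `require.True` accepts a format string and arguments after the condition, consider passing `postmasterStartTime` and `after` into the message, for example "Postgres restarted instead of reloading: start time %s -> %s", so the log carries both values.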
🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@e2e/pg_hba_test.go` around lines 154 - 155, The assertion using
require.True(t, postmasterStartTime.Equal(after), ...) has a confusing message;
update the require.True call’s error string (the one paired with
postmasterStartTime.Equal(after)) to clearly state that a changed start time
means Postgres restarted, e.g. "Postgres restarted: start time changed (expected
reload)". Locate the require.True call with postmasterStartTime.Equal(after) in
e2e/pg_hba_test.go and replace the current message to reflect that failure
indicates a restart rather than a reload.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@docs/using/create-db.md`:
- Line 187: The sentence claiming "default `md5`" is ambiguous — change the docs
text to explicitly state that `password_encryption` is defaulted to `md5` by the
control plane (not upstream Postgres), referencing the control-plane default in
server/internal/postgres/gucs.go and the Patroni config generator fallback;
update the phrasing in the create-db documentation to something like "the
control plane defaults `password_encryption` to `md5` (see
server/internal/postgres/gucs.go and Patroni config generator fallback), which
may differ from PostgreSQL upstream defaults" so readers aren’t confused by
upstream Postgres’ `scram-sha-256` default.


Comment thread docs/using/create-db.md Outdated
@moizpgedge moizpgedge merged commit 99607a1 into main Jun 10, 2026
3 checks passed