Allow use of certs for PG connections

[alaye-ms]

This PR modifies the PgHBA so that the localhost connections (only within the pod, i.e. gateway to pg connections) are inherently trusted.

It also changes the replication connection which is used by local and remote replicas to require a cert. This is already used for local HA replicas and so no change is needed. However, for remote replicas the cert would need to be propagated. If provided, we pass in a cert from the user to validate client connections. If none is provided, we will set it to trust all instead. This should change to a default cert being provided upon the creation of our higher level, managing operator.

[Copilot]

Pull request overview

This PR aims to tighten PostgreSQL access controls for DocumentDB deployments by adjusting CNPG PgHBA rules (gateway-to-Postgres and physical replication) and by introducing new clusterReplication fields to reference TLS materials for replication, with corresponding CRD and playground updates.

Changes:

• Add replicationTLSSecret and clientCASecret to the DocumentDB clusterReplication API/CRDs and wire them into replication context.
• Adjust CNPG cluster PgHBA defaults and physical replication external cluster configuration (including optional SSL cert/key selectors).
• Update playground deployment manifests/scripts to include cert-manager resources and propagate the new secret.

Reviewed changes

Copilot reviewed 9 out of 12 changed files in this pull request and generated 10 comments.

Show a summary per file

File	Description
operator/src/internal/utils/replication_context.go	Carries new replication TLS/CA secret names through replication context.
operator/src/internal/controller/physical_replication.go	Configures external cluster replication user and optional CNPG certificate references; adds trust fallback PgHBA.
operator/src/internal/cnpg/cnpg_cluster.go	Updates default PgHBA rules for the CNPG cluster spec.
operator/src/api/preview/documentdb_types.go	Adds replicationTLSSecret / clientCASecret fields to the API type.
operator/src/config/crd/bases/documentdb.io_dbs.yaml	Adds the new fields and expands schemaVersion description text.
operator/documentdb-helm-chart/crds/documentdb.io_dbs.yaml	Mirrors CRD changes into Helm-shipped CRDs.
documentdb-playground/aks-fleet-deployment/documentdb-resource-crp.yaml	Adds cert-manager Issuer/Certificate and sets new replication secret fields; places the secret via Fleet.
documentdb-playground/aks-fleet-deployment/deploy-fleet-bicep.sh	Updates fleet deployment flow (adds hub CA env injection) and removes a join script patch step.
operator/src/internal/utils/pv_recovery.go	Formatting-only constant alignment.
operator/src/internal/utils/constants.go	Formatting-only constant alignment.
operator/src/internal/controller/documentdb_controller.go	Removes stray whitespace.
operator/src/internal/cnpg/cnpg_sync.go	Formatting-only alignment.

[documentdb-triage-tool]

🤖 Auto-triaged by documentdb-triage-tool.

Applied: documentation, ecosystem, enhancement
Project fields suggested: Component controllers · Priority P2 · Effort L · Status Needs Review
Confidence: 0.72 (mixed)

Reasoning

component from path globs (controllers, docs, playground, api, manifests); effort from diff stats (400+22 LOC, 18 files); LLM: Modifies PgHBA and replication connection security to support certificate-based authentication for PG connections, a meaningful security enhancement touching internal controller logic.

If a label is wrong, remove it manually and ping @patty-chow so the rules can be tuned. The bot will not re-label items that already have component labels.