Restrict generated pg_hba.conf rules (avoid blanket trust auth) #402

Description

@xgerman

Summary

Harden the PostgreSQL host-based authentication (pg_hba.conf) rules that the operator generates for the underlying CloudNative-PG cluster. Today they grant trust authentication to every address, which is overly permissive.

Background

Raised by @hossain-rayhan during review of #374:

Maybe we need to open a separate issue to make this more restricted?

(See review comment.)

In operator/src/internal/cnpg/cnpg_cluster.go (buildPostgresConfiguration), the operator sets:

pgHBA := []string{
    "host all all 0.0.0.0/0 trust",
    "host all all ::0/0 trust",
    "host replication all all trust",
}

These rules allow any client from any IPv4/IPv6 address to connect with trust authentication (no password and no client-certificate verification) for both regular and replication connections.

Proposed work

  • Replace the blanket trust rules with more restrictive entries: for example, scope source CIDRs to the cluster's pod/service networks and require a stronger auth method (such as scram-sha-256 or certificate auth) instead of trust, especially for replication.
  • Keep TLS / gateway connectivity working (the gateway and intra-cluster replication must still connect).
  • Make the behavior consistent across single-region and multi-region (cross-cluster replication) deployments.
  • Add/extend tests to cover the generated pg_hba rules.

Acceptance criteria

  • pg_hba rules no longer use trust for 0.0.0.0/0 / ::0/0.
  • Replication connections use a restricted, authenticated rule.
  • Existing connectivity (gateway, replication, e2e suites) continues to pass.
  • Unit coverage for the generated rules.
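As an added illustration of the proposed work and the unit check in the acceptance criteria (not the operator's code; the CIDR parameters and rule layout are assumptions), the following Go snippet generates scoped, authenticated pg_hba entries and detects blanket trust rules such as the ones quoted above:

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// pgHBARules replaces the blanket trust entries with scoped, authenticated ones.
// Assumed inputs (not the operator's real signature): clientCIDRs are the networks
// gateway pods connect from, replCIDRs the networks replica pods connect from.
func pgHBARules(clientCIDRs, replCIDRs []string) ([]string, error) {
	var rules []string
	add := func(typ, db, cidr, method string) error {
		if _, _, err := net.ParseCIDR(cidr); err != nil {
			return fmt.Errorf("invalid CIDR %q: %w", cidr, err)
		}
		rules = append(rules, fmt.Sprintf("%s %s all %s %s", typ, db, cidr, method))
		return nil
	}
	// Regular clients: TLS required (hostssl) and SCRAM password verification.
	for _, c := range clientCIDRs {
		if err := add("hostssl", "all", c, "scram-sha-256"); err != nil {
			return nil, err
		}
	}
	// Replication: TLS plus client-certificate auth, only from replica networks.
	for _, c := range replCIDRs {
		if err := add("hostssl", "replication", c, "cert"); err != nil {
			return nil, err
		}
	}
	// pg_hba is first-match: explicit catch-all rejects keep later defaults from applying.
	rules = append(rules, "host all all 0.0.0.0/0 reject", "host all all ::/0 reject")
	return rules, nil
}

// hasBlanketTrust is the check a unit test can run over the generated rules.
func hasBlanketTrust(rules []string) bool {
	for _, r := range rules {
		f := strings.Fields(r)
		if len(f) < 5 || f[4] != "trust" {
			continue
		}
		switch f[3] { // ADDRESS column
		case "all", "0.0.0.0/0", "::0/0", "::/0":
			return true
		}
	}
	return false
}
```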

Labels: enhancement (New feature or request), go (Pull requests that update go code)

Status: In progress