feat: add IPv6 support to allowedSourceRanges (#3082)

* feat: add IPv6 support to allowedSourceRanges Update regex pattern in CRD validation to accept both IPv4 and IPv6 CIDR notation, enabling dual-stack networking support. Fixes #2787 Signed-off-by: Raphael Torquato <> * add unit test fror ipv6 allowedSourceRanges --------- Signed-off-by: Raphael Torquato <> Co-authored-by: Raphael Torquato <> Co-authored-by: Jociele Padilha <jocielepadilha@gmail.com>
2026-06-12 10:09:06 -03:00 · 2026-06-12 10:09:06 -03:00 · 1036350eb4
parent ebf48667f1
commit 1036350eb4
5 changed files with 53 additions and 7 deletions
--- a/charts/postgres-operator/crds/postgresqls.yaml
+++ b/charts/postgres-operator/crds/postgresqls.yaml
@ -107,7 +107,7 @@ spec:
                description: load balancers' source ranges are the same for master
                  and replica services
                items:
-                  pattern: ^(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\/(\d|[1-2]\d|3[0-2])$
+                  pattern: '^((\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\/(\d|[1-2]\d|3[0-2])|(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))\/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))$'
                  type: string
                nullable: true
                type: array
--- a/docs/reference/cluster_manifest.md
+++ b/docs/reference/cluster_manifest.md
@ -113,10 +113,11 @@ These parameters are grouped directly under  the `spec` key in the manifest.

 * **allowedSourceRanges**
  when one or more load balancers are enabled for the cluster, this parameter
-  defines the comma-separated range of IP networks (in CIDR-notation). The
-  corresponding load balancer is accessible only to the networks defined by
-  this parameter. Optional, when empty the load balancer service becomes
-  inaccessible from outside of the Kubernetes cluster.
+  defines the comma-separated range of IP networks (in CIDR-notation). Both
+  IPv4 (e.g. `192.168.1.0/24`) and IPv6 (e.g. `fd01::/48`) CIDR ranges are
+  supported. The corresponding load balancer is accessible only to the networks
+  defined by this parameter. Optional, when empty the load balancer service
+  becomes inaccessible from outside of the Kubernetes cluster.

 * **enableMasterNodePort**
  boolean flag to override the operator defaults (set by the
--- a/manifests/postgresql.crd.yaml
+++ b/manifests/postgresql.crd.yaml
@ -108,7 +108,7 @@ spec:
                description: load balancers' source ranges are the same for master
                  and replica services
                items:
-                  pattern: ^(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\/(\d|[1-2]\d|3[0-2])$
+                  pattern: ^((\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\/(\d|[1-2]\d|3[0-2])|(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))\/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))$
                  type: string
                nullable: true
                type: array
--- a/pkg/apis/acid.zalan.do/v1/postgresql.crd.yaml
+++ b/pkg/apis/acid.zalan.do/v1/postgresql.crd.yaml
@ -108,7 +108,7 @@ spec:
                description: load balancers' source ranges are the same for master
                  and replica services
                items:
-                  pattern: ^(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\/(\d|[1-2]\d|3[0-2])$
+                  pattern: ^((\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\/(\d|[1-2]\d|3[0-2])|(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))\/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))$
                  type: string
                nullable: true
                type: array
--- a/pkg/apis/acid.zalan.do/v1/util_test.go
+++ b/pkg/apis/acid.zalan.do/v1/util_test.go
@ -5,6 +5,7 @@ import (
 	"encoding/json"
 	"errors"
 	"reflect"
+	"regexp"
 	"testing"
 	"time"

@ -810,3 +811,47 @@ func TestPostgresqlClone(t *testing.T) {
 		})
 	}
 }
+
+func TestAllowedSourceRangesPattern(t *testing.T) {
+	// pattern used in CRD validation for allowedSourceRanges
+	pattern := `^((\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\.(\d|[1-9]\d|1\d\d|2[0-4]\d|25[0-5])\/(\d|[1-2]\d|3[0-2])|(([0-9a-fA-F]{1,4}:){7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-fA-F]{1,4}){1,4}|([0-9a-fA-F]{1,4}:){1,2}(:[0-9a-fA-F]{1,4}){1,5}|[0-9a-fA-F]{1,4}:((:[0-9a-fA-F]{1,4}){1,6})|:((:[0-9a-fA-F]{1,4}){1,7}|:))\/(12[0-8]|1[01][0-9]|[1-9]?[0-9]))$`
+	re := regexp.MustCompile(pattern)
+
+	valid := []string{
+		// IPv4
+		"192.168.1.0/24",
+		"0.0.0.0/0",
+		"127.0.0.1/32",
+		"10.0.0.0/8",
+		"185.85.220.0/22",
+		// IPv6
+		"fd01::/48",
+		"::1/128",
+		"::/0",
+		"2001:db8::/32",
+		"fe80::1/64",
+		"2001:0db8:85a3:0000:0000:8a2e:0370:7334/128",
+	}
+
+	invalid := []string{
+		"999.999.999.999/24",
+		"192.168.1.0/33",
+		"192.168.1.0",
+		"not-an-ip",
+		"fd01::/129",
+		"::gggg/64",
+		"",
+	}
+
+	for _, cidr := range valid {
+		if !re.MatchString(cidr) {
+			t.Errorf("expected %q to match allowedSourceRanges pattern", cidr)
+		}
+	}
+
+	for _, cidr := range invalid {
+		if re.MatchString(cidr) {
+			t.Errorf("expected %q NOT to match allowedSourceRanges pattern", cidr)
+		}
+	}
+}