Explain HBA rules in their field description

config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -40,9 +40,19 @@ spec:
             description: PostgresClusterSpec defines the desired state of PostgresCluster
             properties:
               authentication:
+                description: Authentication settings for the PostgreSQL server
                 properties:
                   rules:
-                    description: 'More info: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html'
+                    description: |-
+                      Postgres compares every new connection to these rules in the order they are
+                      defined. The first rule that matches determines if and how the connection
+                      must then authenticate. Connections that match no rules are disconnected.
+
+                      When this is omitted or empty, Postgres accepts encrypted connections to any
+                      database from users that have a password. To refuse all network connections,
+                      set this to one rule that matches "host" connections to the "reject" method.
+
+                      More info: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
                     items:
                       properties:
                         connection:
@@ -79,6 +89,7 @@ spec:
                           description: |-
                             The authentication method to use when a connection matches this rule.
                             The special value "reject" refuses connections that match this rule.
+
                             More info: https://www.postgresql.org/docs/current/auth-methods.html
                           maxLength: 20
                           minLength: 1
@@ -93,6 +104,8 @@ spec:
                             - type: integer
                             - type: string
                             x-kubernetes-int-or-string: true
+                          description: Additional settings for this rule or its authentication
+                            method.
                           maxProperties: 20
                           type: object
                           x-kubernetes-map-type: atomic
@@ -4447,6 +4460,7 @@ spec:
                     type: object
                 type: object
               config:
+                description: General configuration of the PostgreSQL server
                 properties:
                   files:
                     description: Files to mount under "/etc/postgres".

internal/pgbackrest/reconcile_test.go

@@ -522,7 +522,7 @@ func TestAddConfigToRestorePod(t *testing.T) {
 		custom.Name = "custom-configmap-files"
 
 		cluster := cluster.DeepCopy()
-		cluster.Spec.Config = &v1beta1.PostgresConfig{
+		cluster.Spec.Config = &v1beta1.PostgresConfigSpec{
 			Files: []corev1.VolumeProjection{
 				{ConfigMap: &custom},
 			},

internal/testing/validation/postgrescluster_test.go

@@ -252,7 +252,7 @@ func TestPostgresConfigParameters(t *testing.T) {
 		t.Run("Valid", func(t *testing.T) {
 			cluster := base.DeepCopy()
 
-			cluster.Spec.Config = &v1beta1.PostgresConfig{
+			cluster.Spec.Config = &v1beta1.PostgresConfigSpec{
 				Parameters: map[string]intstr.IntOrString{
 					"wal_level": intstr.FromString("logical"),
 				},
@@ -263,7 +263,7 @@ func TestPostgresConfigParameters(t *testing.T) {
 		t.Run("Invalid", func(t *testing.T) {
 			cluster := base.DeepCopy()
 
-			cluster.Spec.Config = &v1beta1.PostgresConfig{
+			cluster.Spec.Config = &v1beta1.PostgresConfigSpec{
 				Parameters: map[string]intstr.IntOrString{
 					"wal_level": intstr.FromString("minimal"),
 				},

pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgres_types.go

@@ -10,6 +10,14 @@ import (
 )
 
 type PostgresAuthenticationSpec struct {
+	// Postgres compares every new connection to these rules in the order they are
+	// defined. The first rule that matches determines if and how the connection
+	// must then authenticate. Connections that match no rules are disconnected.
+	//
+	// When this is omitted or empty, Postgres accepts encrypted connections to any
+	// database from users that have a password. To refuse all network connections,
+	// set this to one rule that matches "host" connections to the "reject" method.
+	//
 	// More info: https://www.postgresql.org/docs/current/auth-pg-hba-conf.html
 	// ---
 	// +kubebuilder:validation:MaxItems=10
@@ -18,7 +26,7 @@ type PostgresAuthenticationSpec struct {
 	Rules []PostgresHBARuleSpec `json:"rules,omitempty"`
 }
 
-type PostgresConfig struct {
+type PostgresConfigSpec struct {
 	// Files to mount under "/etc/postgres".
 	// ---
 	// +optional
@@ -99,6 +107,7 @@ type PostgresHBARule struct {
 
 	// The authentication method to use when a connection matches this rule.
 	// The special value "reject" refuses connections that match this rule.
+	//
 	// More info: https://www.postgresql.org/docs/current/auth-methods.html
 	// ---
 	// +kubebuilder:validation:MinLength=1
@@ -108,6 +117,7 @@ type PostgresHBARule struct {
 	// +optional
 	Method string `json:"method,omitempty"`
 
+	// Additional settings for this rule or its authentication method.
 	// ---
 	// +kubebuilder:validation:MaxProperties=20
 	// +mapType=atomic

pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgrescluster_types.go

@@ -21,15 +21,17 @@ type PostgresClusterSpec struct {
 	// +optional
 	DataSource *DataSource `json:"dataSource,omitempty"`
 
+	// Authentication settings for the PostgreSQL server
 	// +optional
 	Authentication *PostgresAuthenticationSpec `json:"authentication,omitempty"`
 
 	// PostgreSQL backup configuration
 	// +optional
 	Backups Backups `json:"backups,omitempty"`
 
+	// General configuration of the PostgreSQL server
 	// +optional
-	Config *PostgresConfig `json:"config,omitempty"`
+	Config *PostgresConfigSpec `json:"config,omitempty"`
 
 	// The secret containing the Certificates and Keys to encrypt PostgreSQL
 	// traffic will need to contain the server TLS certificate, TLS key and the