feat(postgresql): support WITH INHERIT FALSE on role membership grants (PostgreSQL 16+)#361

Open

matthewgreenwaldagility wants to merge 4 commits into crossplane-contrib:master from matthewgreenwaldagility:feat/psql-inheritance

Conversation

@matthewgreenwaldagility

Closes #359

What this does

Adds a withInherit boolean field to spec.forProvider on the PostgreSQL Grant resource, enabling WITH INHERIT FALSE on role membership grants — a feature introduced in PostgreSQL 16.

```yaml
apiVersion: postgresql.sql.crossplane.io/v1alpha1
kind: Grant
spec:
  forProvider:
    withInherit: false   # emits: GRANT admin TO master_user WITH INHERIT FALSE
    roleRef:
      name: master-user
    memberOfRef:
      name: admin-role
```

When withInherit is omitted, behaviour is unchanged. When combined with withOption: ADMIN, the emitted SQL is WITH ADMIN OPTION, INHERIT FALSE.

The field is only valid on memberOf grants — setting it on a privilege grant (privileges field) returns a validation error.

Motivation

The primary use case is RDS PostgreSQL with IAM database authentication. Without this field, granting a master user membership in an admin role that holds rds_iam creates a transitive chain (master_user → admin → rds_iam), which causes RDS to route all connections for that user through PAM/IAM token verification, breaking password authentication. WITH INHERIT FALSE grants membership (satisfying ALTER DEFAULT PRIVILEGES FOR ROLE admin) without inheriting rds_iam.

Changes

| File | Change |
|---|---|
| `apis/cluster/postgresql/v1alpha1/grant_types.go` | Add `WithInherit *bool` field to `GrantParameters` |
| `apis/cluster/postgresql/v1alpha1/zz_generated.deepcopy.go` | Regenerated |
| `package/crds/postgresql.sql.crossplane.io_grants.yaml` | Regenerated — CRD schema updated |
| `pkg/controller/cluster/postgresql/grant/reconciler.go` | New `membershipWithClauses` helper; `selectGrantQuery` filters `pg_auth_members.inherit_option` when set; `createGrantQueries` uses new helper; validation rejects `withInherit` on privilege grants |
| `pkg/controller/cluster/postgresql/grant/reconciler_test.go` | 7 new test cases covering `WithInherit` nil/true/false for both Observe and Create |
| `examples/cluster/postgresql/grant-with-inherit-false.yaml` | New example illustrating the RDS IAM pattern |
| `Makefile` | Bump `GOLANGCILINT_VERSION` from 2.1.22.10.1 to match CI and support Go 1.26 |
| `README.md` | Fix stale Go version (1.18→1.26.1), add mise recommendation, fix copy-paste "Developing locally" section (was provider-helm content), add `Schema` to PostgreSQL resource list, fix example paths |

Testing

`make reviewable` passes (generate + lint + all 26 test packages).

The inherit_option column on pg_auth_members was added in PostgreSQL 16. Setting withInherit on an older cluster will result in a SQL error, which is the expected and documented behaviour.

Signed-off-by: Matthew Greenwald <matthew.greenwald@agilityrobotics.com>
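To make the SQL described above concrete (the `WITH` clause composition, the validation rule for privilege grants, and the Observe-side filter on `pg_auth_members.inherit_option` that is only applied when the field is set), here is an added Go example. It is not the provider's code: `GrantParams`, `Validate`, `CreateGrantQuery`, `SelectGrantQuery` and the `quoteIdent` helper are constructed stand-ins for the reconciler pieces this PR names, and the column and role names used in the sample calls are illustrative.

```go
package main

import (
	"errors"
	"fmt"
	"strings"
)

// GrantParams is a constructed stand-in (not the provider's GrantParameters)
// for the spec.forProvider fields this PR touches.
type GrantParams struct {
	Role        string   // roleRef: the grantee
	MemberOf    string   // memberOfRef: the role being granted (membership grant)
	Privileges  []string // set on privilege grants instead of MemberOf
	WithOption  string   // "ADMIN" for WITH ADMIN OPTION, "" otherwise
	WithInherit *bool    // nil: not managed; false: WITH INHERIT FALSE (PostgreSQL 16+)
}

// ErrInheritOnPrivilegeGrant mirrors the validation error the PR adds.
var ErrInheritOnPrivilegeGrant = errors.New("withInherit is only valid on memberOf grants")

// Validate rejects withInherit on privilege grants; nil (omitted) is always accepted.
func Validate(gp GrantParams) error {
	if gp.WithInherit != nil && (gp.MemberOf == "" || len(gp.Privileges) > 0) {
		return ErrInheritOnPrivilegeGrant
	}
	return nil
}

// quoteIdent double-quotes a PostgreSQL identifier, escaping embedded quotes
// (assumed helper; the provider uses its own quoting).
func quoteIdent(s string) string {
	return `"` + strings.ReplaceAll(s, `"`, `""`) + `"`
}

// membershipWithClauses builds the WITH clause for a membership GRANT:
// "", " WITH ADMIN OPTION", " WITH INHERIT FALSE" or
// " WITH ADMIN OPTION, INHERIT FALSE".
func membershipWithClauses(gp GrantParams) string {
	var clauses []string
	if strings.EqualFold(gp.WithOption, "ADMIN") {
		clauses = append(clauses, "ADMIN OPTION")
	}
	if gp.WithInherit != nil {
		clauses = append(clauses, fmt.Sprintf("INHERIT %s", strings.ToUpper(fmt.Sprint(*gp.WithInherit))))
	}
	if len(clauses) == 0 {
		return ""
	}
	return " WITH " + strings.Join(clauses, ", ")
}

// CreateGrantQuery renders the GRANT statement for a membership grant.
func CreateGrantQuery(gp GrantParams) (string, error) {
	if err := Validate(gp); err != nil {
		return "", err
	}
	if gp.MemberOf == "" {
		return "", errors.New("CreateGrantQuery only covers memberOf grants")
	}
	return fmt.Sprintf("GRANT %s TO %s%s", quoteIdent(gp.MemberOf), quoteIdent(gp.Role), membershipWithClauses(gp)), nil
}

// SelectGrantQuery renders the Observe query against pg_auth_members. The
// inherit_option predicate (a PostgreSQL 16+ column) is added only when
// withInherit is set, so an omitted field leaves an existing membership's
// inherit setting unmanaged instead of forcing it back to true.
func SelectGrantQuery(gp GrantParams) (string, []interface{}) {
	q := "SELECT EXISTS (SELECT 1 FROM pg_auth_members m" +
		" JOIN pg_roles r ON r.oid = m.roleid" +
		" JOIN pg_roles g ON g.oid = m.member" +
		" WHERE r.rolname = $1 AND g.rolname = $2"
	args := []interface{}{gp.MemberOf, gp.Role}
	if gp.WithInherit != nil {
		q += " AND m.inherit_option = $3"
		args = append(args, *gp.WithInherit)
	}
	return q + ")", args
}

func main() {
	f := false
	// Constructed sample: the RDS IAM pattern from the PR description.
	gp := GrantParams{Role: "master_user", MemberOf: "admin", WithOption: "ADMIN", WithInherit: &f}
	q, err := CreateGrantQuery(gp)
	fmt.Println(q, err)
	sel, args := SelectGrantQuery(gp)
	fmt.Println(sel, args)
}
```

Because the `inherit_option` predicate is only appended when `WithInherit` is non-nil, running this against a pre-16 cluster fails only when the field is actually set, which matches the behaviour the Testing section describes.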
@matthewgreenwaldagility
Author

@Duologic @jdotw @jvrplmlmn @iainlane Can I get a review on this please? Or at least trigger CI?

// WithInherit controls whether the grantee automatically inherits the privileges
// of the granted role. When set to false, emits WITH INHERIT FALSE (PostgreSQL 16+),
// granting membership without automatic privilege inheritance. Only valid when
// memberOf is set. When omitted, PostgreSQL's default behavior (inherit true) applies.
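Review bot: the last sentence of this doc comment ("When omitted, PostgreSQL's default behavior (inherit true) applies") describes what PostgreSQL does on a fresh GRANT, not what the controller does; since selectGrantQuery only filters on inherit_option when the field is set, an omitted field leaves an existing INHERIT FALSE membership untouched rather than resetting it. Suggest wording it as "When omitted, the inherit option is not managed and an existing membership is left as-is", so users are not surprised that removing `withInherit: false` does not flip the membership back to inherit true.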
Collaborator


When omitted, the field is not managed, i.e. if we set it to false and then remove it, it doesn't become true; we just ignore it? OK, but the documentation could reflect that?

@@ -156,6 +156,13 @@ type GrantParameters struct {
// RevokePublicOnDb apply the statement "REVOKE ALL ON DATABASE %s FROM PUBLIC" to make database unreachable from public
// +optional
RevokePublicOnDb *bool `json:"revokePublicOnDb,omitempty" default:"false"`
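Review bot: when adding WithInherit below this context, follow the `// +optional` and `json:"...,omitempty"` pattern of RevokePublicOnDb shown here but leave out a `default:` tag: a default would make an omitted field indistinguishable from an explicit value, while the PR relies on nil meaning "not managed".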
Collaborator


Also update the same file in namespaced/.

return roleMember, nil
}

if gp.WithInherit != nil {
Collaborator


This should also be checked with a CEL expression.

ao,
}

if gp.WithInherit != nil {
Collaborator


Like with the types, we must also have the same code in pkg/controller/namespaced/.

Comment thread README.md
- **MySQL**: `Database`, `Grant`, `User` (See [the examples](examples/mysql))
- **PostgreSQL**: `Database`, `Grant`, `DefaultPrivileges`, `Extension`, `Role` (See [the examples](examples/postgresql))
- **MSSQL**: `Database`, `Grant`, `User` (See [the examples](examples/mssql))
- **MySQL**: `Database`, `Grant`, `User` (See [the examples](examples/cluster/mysql))
Collaborator


Could you do this and Makefile in another PR?

Collaborator


Makefile changes are in master now, FYI


@chlunde chlunde left a comment


@matthewgreenwaldagility thanks for your contribution, please take a look at the comments!

@chlunde
Collaborator

chlunde commented May 15, 2026

@matthewgreenwaldagility could you rebase or merge master into this?
