Allow pgbackrest in cloud backup jobs to log to an additional volume.

Author: dsessler7

config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -1430,6 +1430,13 @@ spec:
                                     x-kubernetes-list-type: atomic
                                 type: object
                             type: object
+                          log:
+                            description: Logging configuration for pgbackrest processes
+                              running in Backup Job Pods.
+                            properties:
+                              path:
+                                type: string
+                            type: object
                           priorityClassName:
                             description: |-
                               Priority class name for the pgBackRest backup Job pods.
@@ -4606,6 +4613,9 @@ spec:
                     - message: log path is restricted to an existing additional volume
                       rule: '!has(self.repoHost) || !has(self.repoHost.log) || !has(self.repoHost.log.path)
                         || self.repoHost.volumes.additional.exists(x, self.repoHost.log.path.startsWith("/volumes/"+x.name))'
+                    - message: log path is restricted to an existing additional volume
+                      rule: '!has(self.jobs) || !has(self.jobs.log) || !has(self.jobs.log.path)
+                        || self.jobs.volumes.additional.exists(x, self.jobs.log.path.startsWith("/volumes/"+x.name))'
                   snapshots:
                     description: VolumeSnapshot configuration
                     properties:
@@ -20381,6 +20391,13 @@ spec:
                                     x-kubernetes-list-type: atomic
                                 type: object
                             type: object
+                          log:
+                            description: Logging configuration for pgbackrest processes
+                              running in Backup Job Pods.
+                            properties:
+                              path:
+                                type: string
+                            type: object
                           priorityClassName:
                             description: |-
                               Priority class name for the pgBackRest backup Job pods.

internal/controller/postgrescluster/pgbackrest.go

@@ -38,6 +38,7 @@ import (
 	"github.com/crunchydata/postgres-operator/internal/pgbackrest"
 	"github.com/crunchydata/postgres-operator/internal/pki"
 	"github.com/crunchydata/postgres-operator/internal/postgres"
+	"github.com/crunchydata/postgres-operator/internal/shell"
 	"github.com/crunchydata/postgres-operator/internal/util"
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
 )
@@ -821,7 +822,13 @@ func (r *Reconciler) generateBackupJobSpecIntent(ctx context.Context, postgresCl
 			{Name: "SELECTOR", Value: naming.PGBackRestDedicatedSelector(postgresCluster.GetName()).String()},
 		}
 	} else {
-		container.Command = []string{"/bin/pgbackrest", "backup"}
+		mkdirCommand := ""
+		cloudLogPath := r.reconcileCloudLogPath(ctx, postgresCluster)
+		if cloudLogPath != "" {
+			mkdirCommand += shell.MakeDirectories(cloudLogPath, cloudLogPath) + "; "
+		}
+
+		container.Command = []string{"sh", "-c", "--", mkdirCommand + `exec "$@"`, "--", "/bin/pgbackrest", "backup"}
 		container.Command = append(container.Command, cmdOpts...)
 	}
 
@@ -2075,28 +2082,7 @@ func (r *Reconciler) reconcilePGBackRestConfig(ctx context.Context,
 	repoHostName, configHash, serviceName, serviceNamespace string,
 	instanceNames []string) error {
 
-	// If the user has specified a PVC to use as a log volume for cloud backups via the
-	// PGBackRestCloudLogVolume annotation, check for the PVC. If we find it, set the cloud
-	// log path. If the user has specified a PVC, but we can't find it, create a warning event.
-	cloudLogPath := ""
-	if logVolumeName := postgresCluster.Annotations[naming.PGBackRestCloudLogVolume]; logVolumeName != "" {
-		logVolume := &corev1.PersistentVolumeClaim{
-			ObjectMeta: metav1.ObjectMeta{
-				Name:      logVolumeName,
-				Namespace: postgresCluster.GetNamespace(),
-			},
-		}
-		err := errors.WithStack(r.Client.Get(ctx,
-			client.ObjectKeyFromObject(logVolume), logVolume))
-		if err != nil {
-			// PVC not retrieved, create warning event
-			r.Recorder.Event(postgresCluster, corev1.EventTypeWarning,
-				"PGBackRestCloudLogVolumeNotFound", err.Error())
-		} else {
-			// We successfully found the specified PVC, so we will set the log path
-			cloudLogPath = "/volumes/" + logVolumeName
-		}
-	}
+	cloudLogPath := r.reconcileCloudLogPath(ctx, postgresCluster)
 
 	backrestConfig, err := pgbackrest.CreatePGBackRestConfigMapIntent(ctx, postgresCluster, repoHostName,
 		configHash, serviceName, serviceNamespace, cloudLogPath, instanceNames)
@@ -3351,3 +3337,40 @@ func authorizeBackupRemovalAnnotationPresent(postgresCluster *v1beta1.PostgresCl
 	}
 	return false
 }
+
+// reconcileCloudLogPath is responsible for determining the appropriate log path
+// for pgbackrest in cloud backup jobs.
+func (r *Reconciler) reconcileCloudLogPath(ctx context.Context,
+	postgresCluster *v1beta1.PostgresCluster) string {
+	// If the user has specified a PVC to use as a log volume for cloud backups via the
+	// PGBackRestCloudLogVolume annotation, check for the PVC. If we find it, set the cloud
+	// log path. If the user has specified a PVC, but we can't find it, create a warning event.
+	// If the user has not set the PGBackRestCloudLogVolume annotation, but has set a log
+	// path via the spec, use that.
+	// TODO: Make sure this is what we want (i.e. annotation to take precedence over spec)
+	cloudLogPath := ""
+	if logVolumeName := postgresCluster.Annotations[naming.PGBackRestCloudLogVolume]; logVolumeName != "" {
+		logVolume := &corev1.PersistentVolumeClaim{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      logVolumeName,
+				Namespace: postgresCluster.GetNamespace(),
+			},
+		}
+		err := errors.WithStack(r.Client.Get(ctx,
+			client.ObjectKeyFromObject(logVolume), logVolume))
+		if err != nil {
+			// PVC not retrieved, create warning event
+			r.Recorder.Event(postgresCluster, corev1.EventTypeWarning,
+				"PGBackRestCloudLogVolumeNotFound", err.Error())
+		} else {
+			// We successfully found the specified PVC, so we will set the log path
+			cloudLogPath = "/volumes/" + logVolumeName
+		}
+		// TODO: Can we safely assume that backups are enabled?
+	} else if postgresCluster.Spec.Backups.PGBackRest.Jobs != nil &&
+		postgresCluster.Spec.Backups.PGBackRest.Jobs.Log != nil &&
+		postgresCluster.Spec.Backups.PGBackRest.Jobs.Log.Path != "" {
+		cloudLogPath = postgresCluster.Spec.Backups.PGBackRest.Jobs.Log.Path
+	}
+	return cloudLogPath
+}

internal/controller/postgrescluster/pgbackrest_test.go

@@ -2661,6 +2661,11 @@ func TestGenerateBackupJobIntent(t *testing.T) {
 		assert.Assert(t, cmp.MarshalMatches(spec.Template.Spec, `
 containers:
 - command:
+  - sh
+  - -c
+  - --
+  - exec "$@"
+  - --
   - /bin/pgbackrest
   - backup
   - --stanza=db
@@ -2963,6 +2968,12 @@ volumes:
 		assert.Assert(t, cmp.MarshalMatches(spec.Template.Spec, `
 containers:
 - command:
+  - sh
+  - -c
+  - --
+  - mkdir -p '/volumes/another-pvc' && { chmod 0775 '/volumes/another-pvc' || :; };
+    exec "$@"
+  - --
   - /bin/pgbackrest
   - backup
   - --stanza=db
@@ -3029,7 +3040,11 @@ volumes:
 
 		cluster := cluster.DeepCopy()
 		cluster.Namespace = ns.Name
+		cluster.Annotations = map[string]string{}
 		cluster.Spec.Backups.PGBackRest.Jobs = &v1beta1.BackupJobs{
+			Log: &v1beta1.LoggingConfiguration{
+				Path: "/volumes/stuff/log",
+			},
 			Volumes: &v1beta1.PGBackRestVolumesSpec{
 				Additional: []v1beta1.AdditionalVolume{
 					{
@@ -3046,18 +3061,70 @@ volumes:
 			nil, nil,
 		)
 
-		for _, container := range spec.Template.Spec.Containers {
-			assert.Assert(t, cmp.MarshalContains(container.VolumeMounts,
-				`
-- mountPath: /volumes/stuff
-  name: volumes-stuff`))
-		}
-
-		assert.Assert(t, cmp.MarshalContains(spec.Template.Spec.Volumes,
-			`
+		assert.Assert(t, cmp.MarshalMatches(spec.Template.Spec, `
+containers:
+- command:
+  - sh
+  - -c
+  - --
+  - mkdir -p '/volumes/stuff/log' && { chmod 0775 '/volumes/stuff/log' || :; }; exec
+    "$@"
+  - --
+  - /bin/pgbackrest
+  - backup
+  - --stanza=db
+  - --repo=
+  name: pgbackrest
+  resources: {}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    privileged: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumeMounts:
+  - mountPath: /etc/pgbackrest/conf.d
+    name: pgbackrest-config
+    readOnly: true
+  - mountPath: /tmp
+    name: tmp
+  - mountPath: /volumes/stuff
+    name: volumes-stuff
+enableServiceLinks: false
+restartPolicy: Never
+securityContext:
+  fsGroup: 26
+  fsGroupChangePolicy: OnRootMismatch
+volumes:
+- name: pgbackrest-config
+  projected:
+    sources:
+    - configMap:
+        items:
+        - key: pgbackrest_cloud.conf
+          path: pgbackrest_cloud.conf
+        name: hippo-test-pgbackrest-config
+    - secret:
+        items:
+        - key: pgbackrest.ca-roots
+          path: ~postgres-operator/tls-ca.crt
+        - key: pgbackrest-client.crt
+          path: ~postgres-operator/client-tls.crt
+        - key: pgbackrest-client.key
+          mode: 384
+          path: ~postgres-operator/client-tls.key
+        name: hippo-test-pgbackrest
+- emptyDir:
+    sizeLimit: 16Mi
+  name: tmp
 - name: volumes-stuff
   persistentVolumeClaim:
-    claimName: additional-pvc`))
+    claimName: additional-pvc
+				`))
 
 		// No events created
 		assert.Equal(t, len(recorder.Events), 0)

pkg/apis/postgres-operator.crunchydata.com/v1/pgbackrest_types.go

@@ -10,6 +10,7 @@ import (
 
 // PGBackRestArchive defines a pgBackRest archive configuration
 // +kubebuilder:validation:XValidation:rule=`!has(self.repoHost) || !has(self.repoHost.log) || !has(self.repoHost.log.path) || self.repoHost.volumes.additional.exists(x, self.repoHost.log.path.startsWith("/volumes/"+x.name))`,message=`log path is restricted to an existing additional volume`
+// +kubebuilder:validation:XValidation:rule=`!has(self.jobs) || !has(self.jobs.log) || !has(self.jobs.log.path) || self.jobs.volumes.additional.exists(x, self.jobs.log.path.startsWith("/volumes/"+x.name))`,message=`log path is restricted to an existing additional volume`
 type PGBackRestArchive struct {
 	v1beta1.PGBackRestArchive `json:",inline"`
 }

pkg/apis/postgres-operator.crunchydata.com/v1beta1/pgbackrest_types.go

@@ -159,6 +159,10 @@ type BackupJobs struct {
 	// +optional
 	Resources corev1.ResourceRequirements `json:"resources,omitzero"`
 
+	// Logging configuration for pgbackrest processes running in Backup Job Pods.
+	// +optional
+	Log *LoggingConfiguration `json:"log,omitempty"`
+
 	// Priority class name for the pgBackRest backup Job pods.
 	// More info: https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/
 	// +optional