Add validation rule that ensures that all instances have an additional volume that matches the log path when attempting to log pgbackrest sidecar to /volumes. Add test cases.

dsessler7 · dsessler7 · commit adfd56a66fe6 · 2025-09-16T12:54:05.000-07:00
diff --git a/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml b/config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml
@@ -18456,6 +18456,12 @@ spec:
                 || !v.startsWith("/volumes") || self.instances.all(i, i.?volumes.additional.hasValue()
                 && i.volumes.additional.exists(volume, v.startsWith("/volumes/" +
                 volume.name)))).orValue(true)
+            - fieldPath: .backups.pgbackrest.log.path
+              message: all instances need an additional volume for pgbackrest sidecar
+                to log in "/volumes"
+              rule: self.?backups.pgbackrest.log.path.optMap(v, !v.startsWith("/volumes")
+                || self.instances.all(i, i.?volumes.additional.hasValue() && i.volumes.additional.exists(volume,
+                v.startsWith("/volumes/" + volume.name)))).orValue(true)
           status:
             description: PostgresClusterStatus defines the observed state of PostgresCluster
             properties:
diff --git a/internal/testing/validation/pgbackrest_test.go b/internal/testing/validation/pgbackrest_test.go
@@ -63,23 +63,106 @@ func TestV1PGBackRestLogging(t *testing.T) {
 	t.Run("Cannot set pgbackrest sidecar's log.path without correct subdir", func(t *testing.T) {
 		tmp := base.DeepCopy()
 
-		require.UnmarshalInto(t, &tmp.Spec.Backups.PGBackRest, `{
-			log: {
-				path: "/something/wrong"
-			}
-		}`)
+		t.Run("Wrong subdir", func(t *testing.T) {
+			require.UnmarshalInto(t, &tmp.Spec.Backups.PGBackRest, `{
+				log: {
+					path: "/something/wrong"
+				}
+			}`)
 
-		err := cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll)
-		assert.Assert(t, apierrors.IsInvalid(err))
-		assert.ErrorContains(t, err, "pgbackrest sidecar log path is restricted to an existing additional volume")
+			err := cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll)
+			assert.Assert(t, apierrors.IsInvalid(err))
+			assert.ErrorContains(t, err, "pgbackrest sidecar log path is restricted to an existing additional volume")
+		})
 
-		require.UnmarshalInto(t, &tmp.Spec.Backups.PGBackRest, `{
-			log: {
-				path: "/volumes/this/should/pass"
-			}
-		}`)
+		t.Run("Single instance - missing additional volume", func(t *testing.T) {
+			require.UnmarshalInto(t, &tmp.Spec.Backups.PGBackRest, `{
+				log: {
+					path: "/volumes/anything"
+				}
+			}`)
 
-		assert.NilError(t, cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll), "expected log.path to be valid")
+			err := cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll)
+			assert.Assert(t, apierrors.IsInvalid(err))
+			assert.ErrorContains(t, err, `all instances need an additional volume for pgbackrest sidecar to log in "/volumes"`)
+		})
+
+		t.Run("Multiple instances - one missing additional volume", func(t *testing.T) {
+			require.UnmarshalInto(t, &tmp.Spec.Backups.PGBackRest, `{
+				log: {
+					path: "/volumes/anything"
+				}
+			}`)
+
+			require.UnmarshalInto(t, &tmp.Spec.InstanceSets, `[{
+				dataVolumeClaimSpec: {
+					accessModes: [ReadWriteOnce],
+					resources: { requests: { storage: 1Mi } },
+				},
+				volumes: {
+					additional: [{
+						name: "test",
+						claimName: "pvc-claim"
+					}]
+				}
+			},{
+				name: "instance2",
+				dataVolumeClaimSpec: {
+					accessModes: [ReadWriteOnce],
+					resources: { requests: { storage: 1Mi } },
+				},
+			}]`)
+
+			err := cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll)
+			assert.Assert(t, apierrors.IsInvalid(err))
+			assert.ErrorContains(t, err, `all instances need an additional volume for pgbackrest sidecar to log in "/volumes"`)
+		})
+
+		t.Run("Single instance - additional volume present", func(t *testing.T) {
+			require.UnmarshalInto(t, &tmp.Spec.InstanceSets, `[{
+				dataVolumeClaimSpec: {
+					accessModes: [ReadWriteOnce],
+					resources: { requests: { storage: 1Mi } },
+				},
+				volumes: {
+					additional: [{
+						name: "test",
+						claimName: "pvc-claim"
+					}]
+				}
+			}]`)
+
+			assert.NilError(t, cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll), "expected log.path to be valid")
+		})
+
+		t.Run("Multiple instances - additional volume present", func(t *testing.T) {
+			require.UnmarshalInto(t, &tmp.Spec.InstanceSets, `[{
+				dataVolumeClaimSpec: {
+					accessModes: [ReadWriteOnce],
+					resources: { requests: { storage: 1Mi } },
+				},
+				volumes: {
+					additional: [{
+						name: "test",
+						claimName: "pvc-claim"
+					}]
+				}
+			},{
+				name: "instance2",
+				dataVolumeClaimSpec: {
+					accessModes: [ReadWriteOnce],
+					resources: { requests: { storage: 1Mi } },
+				},
+				volumes: {
+					additional: [{
+						name: "another",
+						claimName: "another-pvc-claim"
+					}]
+				}
+			}]`)
+
+			assert.NilError(t, cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll), "expected log.path to be valid")
+		})
 	})
 
 	t.Run("Cannot set logging on volumes that don't exist", func(t *testing.T) {
diff --git a/pkg/apis/postgres-operator.crunchydata.com/v1/postgrescluster_types.go b/pkg/apis/postgres-operator.crunchydata.com/v1/postgrescluster_types.go
@@ -22,6 +22,10 @@ import (
 // +kubebuilder:validation:XValidation:fieldPath=`.config.parameters.log_directory`,message=`all instances need "volumes.temp" to log in "/pgtmp"`,rule=`self.?config.parameters.log_directory.optMap(v, type(v) != string || !v.startsWith("/pgtmp/logs/postgres") || self.instances.all(i, i.?volumes.temp.hasValue())).orValue(true)`
 // +kubebuilder:validation:XValidation:fieldPath=`.config.parameters.log_directory`,message=`all instances need "walVolumeClaimSpec" to log in "/pgwal"`,rule=`self.?config.parameters.log_directory.optMap(v, type(v) != string || !v.startsWith("/pgwal/logs/postgres") || self.instances.all(i, i.?walVolumeClaimSpec.hasValue())).orValue(true)`
 // +kubebuilder:validation:XValidation:fieldPath=`.config.parameters.log_directory`,message=`all instances need an additional volume to log in "/volumes"`,rule=`self.?config.parameters.log_directory.optMap(v, type(v) != string || !v.startsWith("/volumes") || self.instances.all(i, i.?volumes.additional.hasValue() && i.volumes.additional.exists(volume, v.startsWith("/volumes/" + volume.name)))).orValue(true)`
+//
+// # pgBackRest Logging
+//
+// +kubebuilder:validation:XValidation:fieldPath=`.backups.pgbackrest.log.path`,message=`all instances need an additional volume for pgbackrest sidecar to log in "/volumes"`,rule=`self.?backups.pgbackrest.log.path.optMap(v, !v.startsWith("/volumes") || self.instances.all(i, i.?volumes.additional.hasValue() && i.volumes.additional.exists(volume, v.startsWith("/volumes/" + volume.name)))).orValue(true)`
 type PostgresClusterSpec struct {
 	// +optional
 	Metadata *v1beta1.Metadata `json:"metadata,omitempty"`
