Allow user to set an annotation that will specify an existing PVC to be mounted to cloud backup jobs so that the backup logs can be persisted.

Author: dsessler7

internal/controller/postgrescluster/pgbackrest.go

@@ -38,6 +38,7 @@ import (
 	"github.com/crunchydata/postgres-operator/internal/pgbackrest"
 	"github.com/crunchydata/postgres-operator/internal/pki"
 	"github.com/crunchydata/postgres-operator/internal/postgres"
+	"github.com/crunchydata/postgres-operator/internal/util"
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
 )
 
@@ -771,7 +772,7 @@ func (r *Reconciler) generateRepoVolumeIntent(postgresCluster *v1beta1.PostgresC
 }
 
 // generateBackupJobSpecIntent generates a JobSpec for a pgBackRest backup job
-func generateBackupJobSpecIntent(ctx context.Context, postgresCluster *v1beta1.PostgresCluster,
+func (r *Reconciler) generateBackupJobSpecIntent(ctx context.Context, postgresCluster *v1beta1.PostgresCluster,
 	repo v1beta1.PGBackRestRepo, serviceAccountName string,
 	labels, annotations map[string]string, opts ...string) *batchv1.JobSpec {
 
@@ -873,6 +874,27 @@ func generateBackupJobSpecIntent(ctx context.Context, postgresCluster *v1beta1.P
 		// to read certificate files
 		jobSpec.Template.Spec.SecurityContext = postgres.PodSecurityContext(postgresCluster)
 		pgbackrest.AddConfigToCloudBackupJob(postgresCluster, &jobSpec.Template)
+
+		// If the user has specified a PVC to use as a log volume via the PGBackRestCloudLogVolume
+		// annotation, check for the PVC. If we find it, mount it to the backup job.
+		// Otherwise, create a warning event.
+		if logVolumeName := postgresCluster.Annotations[naming.PGBackRestCloudLogVolume]; logVolumeName != "" {
+			logVolume := &corev1.PersistentVolumeClaim{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      logVolumeName,
+					Namespace: postgresCluster.GetNamespace(),
+				},
+			}
+			err := errors.WithStack(r.Client.Get(ctx,
+				client.ObjectKeyFromObject(logVolume), logVolume))
+			if err != nil {
+				// PVC not retrieved, create warning event
+				r.Recorder.Event(postgresCluster, corev1.EventTypeWarning, "PGBackRestCloudLogVolumeNotFound", err.Error())
+			} else {
+				// We successfully found the specified PVC, so we will add it to the backup job
+				util.AddVolumeAndMountsToPod(&jobSpec.Template.Spec, logVolume)
+			}
+		}
 	}
 
 	return jobSpec
@@ -2040,8 +2062,31 @@ func (r *Reconciler) reconcilePGBackRestConfig(ctx context.Context,
 	repoHostName, configHash, serviceName, serviceNamespace string,
 	instanceNames []string) error {
 
+	// If the user has specified a PVC to use as a log volume for cloud backups via the
+	// PGBackRestCloudLogVolume annotation, check for the PVC. If we find it, set the cloud
+	// log path. If the user has specified a PVC, but we can't find it, create a warning event.
+	cloudLogPath := ""
+	if logVolumeName := postgresCluster.Annotations[naming.PGBackRestCloudLogVolume]; logVolumeName != "" {
+		logVolume := &corev1.PersistentVolumeClaim{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      logVolumeName,
+				Namespace: postgresCluster.GetNamespace(),
+			},
+		}
+		err := errors.WithStack(r.Client.Get(ctx,
+			client.ObjectKeyFromObject(logVolume), logVolume))
+		if err != nil {
+			// PVC not retrieved, create warning event
+			r.Recorder.Event(postgresCluster, corev1.EventTypeWarning,
+				"PGBackRestCloudLogVolumeNotFound", err.Error())
+		} else {
+			// We successfully found the specified PVC, so we will set the log path
+			cloudLogPath = "/volumes/" + logVolumeName
+		}
+	}
+
 	backrestConfig, err := pgbackrest.CreatePGBackRestConfigMapIntent(ctx, postgresCluster, repoHostName,
-		configHash, serviceName, serviceNamespace, instanceNames)
+		configHash, serviceName, serviceNamespace, cloudLogPath, instanceNames)
 	if err != nil {
 		return err
 	}
@@ -2454,7 +2499,7 @@ func (r *Reconciler) reconcileManualBackup(ctx context.Context,
 	backupJob.Labels = labels
 	backupJob.Annotations = annotations
 
-	spec := generateBackupJobSpecIntent(ctx, postgresCluster, repo,
+	spec := r.generateBackupJobSpecIntent(ctx, postgresCluster, repo,
 		serviceAccount.GetName(), labels, annotations, backupOpts...)
 
 	backupJob.Spec = *spec
@@ -2631,7 +2676,7 @@ func (r *Reconciler) reconcileReplicaCreateBackup(ctx context.Context,
 	backupJob.Labels = labels
 	backupJob.Annotations = annotations
 
-	spec := generateBackupJobSpecIntent(ctx, postgresCluster, replicaCreateRepo,
+	spec := r.generateBackupJobSpecIntent(ctx, postgresCluster, replicaCreateRepo,
 		serviceAccount.GetName(), labels, annotations)
 
 	backupJob.Spec = *spec
@@ -3058,7 +3103,7 @@ func (r *Reconciler) reconcilePGBackRestCronJob(
 	// set backup type (i.e. "full", "diff", "incr")
 	backupOpts := []string{"--type=" + backupType}
 
-	jobSpec := generateBackupJobSpecIntent(ctx, cluster, repo,
+	jobSpec := r.generateBackupJobSpecIntent(ctx, cluster, repo,
 		serviceAccount.GetName(), labels, annotations, backupOpts...)
 
 	// Suspend cronjobs when shutdown or read-only. Any jobs that have already

internal/controller/postgrescluster/pgbackrest_test.go

@@ -40,6 +40,7 @@ import (
 	"github.com/crunchydata/postgres-operator/internal/pgbackrest"
 	"github.com/crunchydata/postgres-operator/internal/pki"
 	"github.com/crunchydata/postgres-operator/internal/testing/cmp"
+	"github.com/crunchydata/postgres-operator/internal/testing/events"
 	"github.com/crunchydata/postgres-operator/internal/testing/require"
 	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
 )
@@ -2601,6 +2602,17 @@ func TestCopyConfigurationResources(t *testing.T) {
 }
 
 func TestGenerateBackupJobIntent(t *testing.T) {
+	_, cc := setupKubernetes(t)
+	require.ParallelCapacity(t, 0)
+	ns := setupNamespace(t, cc)
+
+	recorder := events.NewRecorder(t, runtime.Scheme)
+	r := &Reconciler{
+		Client:   cc,
+		Recorder: recorder,
+		Owner:    ControllerName,
+	}
+
 	ctx := context.Background()
 	cluster := v1beta1.PostgresCluster{}
 	cluster.Name = "hippo-test"
@@ -2609,7 +2621,7 @@ func TestGenerateBackupJobIntent(t *testing.T) {
 	// If repo.Volume is nil, the code interprets this as a cloud repo backup,
 	// therefore, an "empty" input results in a job spec for a cloud repo backup
 	t.Run("empty", func(t *testing.T) {
-		spec := generateBackupJobSpecIntent(ctx,
+		spec := r.generateBackupJobSpecIntent(ctx,
 			&cluster, v1beta1.PGBackRestRepo{},
 			"",
 			nil, nil,
@@ -2670,7 +2682,7 @@ volumes:
 	})
 
 	t.Run("volumeRepo", func(t *testing.T) {
-		spec := generateBackupJobSpecIntent(ctx,
+		spec := r.generateBackupJobSpecIntent(ctx,
 			&cluster, v1beta1.PGBackRestRepo{
 				Volume: &v1beta1.RepoPVC{
 					VolumeClaimSpec: v1beta1.VolumeClaimSpec{},
@@ -2747,7 +2759,7 @@ volumes:
 				ImagePullPolicy: corev1.PullAlways,
 			},
 		}
-		job := generateBackupJobSpecIntent(ctx,
+		job := r.generateBackupJobSpecIntent(ctx,
 			cluster, v1beta1.PGBackRestRepo{},
 			"",
 			nil, nil,
@@ -2762,7 +2774,7 @@ volumes:
 			cluster.Spec.Backups = v1beta1.Backups{
 				PGBackRest: v1beta1.PGBackRestArchive{},
 			}
-			job := generateBackupJobSpecIntent(ctx,
+			job := r.generateBackupJobSpecIntent(ctx,
 				cluster, v1beta1.PGBackRestRepo{},
 				"",
 				nil, nil,
@@ -2779,7 +2791,7 @@ volumes:
 					},
 				},
 			}
-			job := generateBackupJobSpecIntent(ctx,
+			job := r.generateBackupJobSpecIntent(ctx,
 				cluster, v1beta1.PGBackRestRepo{},
 				"",
 				nil, nil,
@@ -2818,7 +2830,7 @@ volumes:
 				},
 			},
 		}
-		job := generateBackupJobSpecIntent(ctx,
+		job := r.generateBackupJobSpecIntent(ctx,
 			cluster, v1beta1.PGBackRestRepo{},
 			"",
 			nil, nil,
@@ -2831,7 +2843,7 @@ volumes:
 		cluster.Spec.Backups.PGBackRest.Jobs = &v1beta1.BackupJobs{
 			PriorityClassName: initialize.String("some-priority-class"),
 		}
-		job := generateBackupJobSpecIntent(ctx,
+		job := r.generateBackupJobSpecIntent(ctx,
 			cluster, v1beta1.PGBackRestRepo{},
 			"",
 			nil, nil,
@@ -2849,7 +2861,7 @@ volumes:
 		cluster.Spec.Backups.PGBackRest.Jobs = &v1beta1.BackupJobs{
 			Tolerations: tolerations,
 		}
-		job := generateBackupJobSpecIntent(ctx,
+		job := r.generateBackupJobSpecIntent(ctx,
 			cluster, v1beta1.PGBackRestRepo{},
 			"",
 			nil, nil,
@@ -2863,14 +2875,14 @@ volumes:
 		t.Run("Undefined", func(t *testing.T) {
 			cluster.Spec.Backups.PGBackRest.Jobs = nil
 
-			spec := generateBackupJobSpecIntent(ctx,
+			spec := r.generateBackupJobSpecIntent(ctx,
 				cluster, v1beta1.PGBackRestRepo{}, "", nil, nil,
 			)
 			assert.Assert(t, spec.TTLSecondsAfterFinished == nil)
 
 			cluster.Spec.Backups.PGBackRest.Jobs = &v1beta1.BackupJobs{}
 
-			spec = generateBackupJobSpecIntent(ctx,
+			spec = r.generateBackupJobSpecIntent(ctx,
 				cluster, v1beta1.PGBackRestRepo{}, "", nil, nil,
 			)
 			assert.Assert(t, spec.TTLSecondsAfterFinished == nil)
@@ -2881,7 +2893,7 @@ volumes:
 				TTLSecondsAfterFinished: initialize.Int32(0),
 			}
 
-			spec := generateBackupJobSpecIntent(ctx,
+			spec := r.generateBackupJobSpecIntent(ctx,
 				cluster, v1beta1.PGBackRestRepo{}, "", nil, nil,
 			)
 			if assert.Check(t, spec.TTLSecondsAfterFinished != nil) {
@@ -2894,14 +2906,169 @@ volumes:
 				TTLSecondsAfterFinished: initialize.Int32(100),
 			}
 
-			spec := generateBackupJobSpecIntent(ctx,
+			spec := r.generateBackupJobSpecIntent(ctx,
 				cluster, v1beta1.PGBackRestRepo{}, "", nil, nil,
 			)
 			if assert.Check(t, spec.TTLSecondsAfterFinished != nil) {
 				assert.Equal(t, *spec.TTLSecondsAfterFinished, int32(100))
 			}
 		})
 	})
+
+	t.Run("CloudLogVolumeAnnotationNoPvc", func(t *testing.T) {
+		cluster.Namespace = ns.Name
+		cluster.Annotations = map[string]string{}
+		cluster.Annotations[naming.PGBackRestCloudLogVolume] = "some-pvc"
+		spec := r.generateBackupJobSpecIntent(ctx,
+			&cluster, v1beta1.PGBackRestRepo{},
+			"",
+			nil, nil,
+		)
+		assert.Assert(t, cmp.MarshalMatches(spec.Template.Spec, `
+containers:
+- command:
+  - /bin/pgbackrest
+  - backup
+  - --stanza=db
+  - --repo=
+  name: pgbackrest
+  resources: {}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    privileged: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumeMounts:
+  - mountPath: /etc/pgbackrest/conf.d
+    name: pgbackrest-config
+    readOnly: true
+  - mountPath: /tmp
+    name: tmp
+enableServiceLinks: false
+restartPolicy: Never
+securityContext:
+  fsGroup: 26
+  fsGroupChangePolicy: OnRootMismatch
+volumes:
+- name: pgbackrest-config
+  projected:
+    sources:
+    - configMap:
+        items:
+        - key: pgbackrest_cloud.conf
+          path: pgbackrest_cloud.conf
+        name: hippo-test-pgbackrest-config
+    - secret:
+        items:
+        - key: pgbackrest.ca-roots
+          path: ~postgres-operator/tls-ca.crt
+        - key: pgbackrest-client.crt
+          path: ~postgres-operator/client-tls.crt
+        - key: pgbackrest-client.key
+          mode: 384
+          path: ~postgres-operator/client-tls.key
+        name: hippo-test-pgbackrest
+- emptyDir:
+    sizeLimit: 16Mi
+  name: tmp
+		`))
+
+		assert.Equal(t, len(recorder.Events), 1)
+		assert.Equal(t, recorder.Events[0].Regarding.Name, cluster.Name)
+		assert.Equal(t, recorder.Events[0].Reason, "PGBackRestCloudLogVolumeNotFound")
+		assert.Equal(t, recorder.Events[0].Note, "persistentvolumeclaims \"some-pvc\" not found")
+	})
+
+	t.Run("CloudLogVolumeAnnotationPvcInPlace", func(t *testing.T) {
+		cluster.Namespace = ns.Name
+		cluster.Annotations = map[string]string{}
+		cluster.Annotations[naming.PGBackRestCloudLogVolume] = "another-pvc"
+
+		pvc := &corev1.PersistentVolumeClaim{
+			ObjectMeta: metav1.ObjectMeta{
+				Name:      "another-pvc",
+				Namespace: ns.Name,
+			},
+			Spec: corev1.PersistentVolumeClaimSpec(testVolumeClaimSpec()),
+		}
+		err := r.Client.Create(ctx, pvc)
+		assert.NilError(t, err)
+
+		spec := r.generateBackupJobSpecIntent(ctx,
+			&cluster, v1beta1.PGBackRestRepo{},
+			"",
+			nil, nil,
+		)
+		assert.Assert(t, cmp.MarshalMatches(spec.Template.Spec, `
+containers:
+- command:
+  - /bin/pgbackrest
+  - backup
+  - --stanza=db
+  - --repo=
+  name: pgbackrest
+  resources: {}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    privileged: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumeMounts:
+  - mountPath: /etc/pgbackrest/conf.d
+    name: pgbackrest-config
+    readOnly: true
+  - mountPath: /tmp
+    name: tmp
+  - mountPath: /volumes/another-pvc
+    name: another-pvc
+enableServiceLinks: false
+restartPolicy: Never
+securityContext:
+  fsGroup: 26
+  fsGroupChangePolicy: OnRootMismatch
+volumes:
+- name: pgbackrest-config
+  projected:
+    sources:
+    - configMap:
+        items:
+        - key: pgbackrest_cloud.conf
+          path: pgbackrest_cloud.conf
+        name: hippo-test-pgbackrest-config
+    - secret:
+        items:
+        - key: pgbackrest.ca-roots
+          path: ~postgres-operator/tls-ca.crt
+        - key: pgbackrest-client.crt
+          path: ~postgres-operator/client-tls.crt
+        - key: pgbackrest-client.key
+          mode: 384
+          path: ~postgres-operator/client-tls.key
+        name: hippo-test-pgbackrest
+- emptyDir:
+    sizeLimit: 16Mi
+  name: tmp
+- name: another-pvc
+  persistentVolumeClaim:
+    claimName: another-pvc
+		`))
+
+		// No new events
+		assert.Equal(t, len(recorder.Events), 1)
+		assert.Equal(t, recorder.Events[0].Regarding.Name, cluster.Name)
+		assert.Equal(t, recorder.Events[0].Reason, "PGBackRestCloudLogVolumeNotFound")
+		assert.Equal(t, recorder.Events[0].Note, "persistentvolumeclaims \"some-pvc\" not found")
+	})
 }
 
 func TestGenerateRepoHostIntent(t *testing.T) {