Adding source code changes for workaround for IPv6 issue in pgBackRest (#1841).

Author: dsessler7

internal/naming/annotations.go

@@ -50,4 +50,12 @@ const (
 	// timestamp), which will be stored in the PostgresCluster status to properly track completion
 	// of the Job.
 	PGBackRestRestore = annotationPrefix + "pgbackrest-restore"
+
+	// PGBackRestIPVersion is an annotation used to indicate whether an IPv6 wildcard address should be
+	// used for the pgBackRest "tls-server-address" or not. If the user wants to use IPv6, the value
+	// should be "IPv6". As of right now, if the annotation is not present or if the annotation's value
+	// is anything other than "IPv6", the "tls-server-address" will default to IPv4 (0.0.0.0). The need
+	// for this annotation is due to an issue in pgBackRest (#1841) where using a wildcard address to
+	// bind all addresses does not work in certain IPv6 environments.
+	PGBackRestIPVersion = annotationPrefix + "pgbackrest-ip-version"
 )

internal/naming/annotations_test.go

@@ -29,4 +29,5 @@ func TestAnnotationsValid(t *testing.T) {
 	assert.Assert(t, nil == validation.IsQualifiedName(PGBackRestConfigHash))
 	assert.Assert(t, nil == validation.IsQualifiedName(PGBackRestCurrentConfig))
 	assert.Assert(t, nil == validation.IsQualifiedName(PGBackRestRestore))
+	assert.Assert(t, nil == validation.IsQualifiedName(PGBackRestIPVersion))
 }

internal/pgbackrest/config.go

@@ -18,6 +18,7 @@ package pgbackrest
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -465,6 +466,20 @@ func serverConfig(cluster *v1beta1.PostgresCluster) iniSectionSet {
 	// - https://releases.k8s.io/v1.23.0/pkg/kubelet/kubelet_pods.go#L345
 	global.Set("tls-server-address", "0.0.0.0")
 
+	// NOTE (dsessler7): As pointed out by Chris above, there is an issue in
+	// pgBackRest (#1841), where using a wildcard address to bind all addresses
+	// does not work in certain IPv6 environments. Until this is fixed, we are
+	// going to workaround the issue by allowing the user to add an annotation to
+	// enable IPv6. We will check for that annotation here and override the
+	// "tls-server-address" setting accordingly.
+	annotations := cluster.GetAnnotations()
+	if annotations != nil {
+		if ipVersion, exists := annotations[naming.PGBackRestIPVersion]; exists &&
+			strings.ToLower(ipVersion) == "ipv6" {
+			global.Set("tls-server-address", "::")
+		}
+	}
+
 	// The client certificate for this cluster is allowed to connect for any stanza.
 	// Without the wildcard "*", the "pgbackrest info" and "pgbackrest repo-ls"
 	// commands fail with "access denied" when invoked without a "--stanza" flag.

internal/pgbackrest/config_test.go

@@ -337,3 +337,26 @@ log-level-stderr = error
 log-timestamp = n
 `)
 }
+
+func TestServerConfigIPv6(t *testing.T) {
+	cluster := &v1beta1.PostgresCluster{}
+	cluster.UID = "shoe"
+	annotations := map[string]string{}
+	annotations[naming.PGBackRestIPVersion] = "IPv6"
+	cluster.ObjectMeta.Annotations = annotations
+
+	assert.Equal(t, serverConfig(cluster).String(), `
+[global]
+tls-server-address = ::
+tls-server-auth = pgbackrest@shoe=*
+tls-server-ca-file = /etc/pgbackrest/conf.d/~postgres-operator/tls-ca.crt
+tls-server-cert-file = /etc/pgbackrest/server/server-tls.crt
+tls-server-key-file = /etc/pgbackrest/server/server-tls.key
+
+[global:server]
+log-level-console = detail
+log-level-file = off
+log-level-stderr = error
+log-timestamp = n
+`)
+}