Merge branch 'master' of https://github.com/CrunchyData/postgres-operator into ISSUE-3435/appProtocol

Author: szelenka-cisco

config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -10267,7 +10267,7 @@ spec:
               postgresVersion:
                 description: The major version of PostgreSQL installed in the PostgreSQL
                   image
-                maximum: 14
+                maximum: 15
                 minimum: 10
                 type: integer
               proxy:

docs/content/tutorial/backups.md

@@ -379,6 +379,19 @@ The full list of [pgBackRest configuration options](https://pgbackrest.org/confi
 
 [https://pgbackrest.org/configuration.html](https://pgbackrest.org/configuration.html)
 
+## IPv6 Support
+
+If you are running your cluster in an IPv6-only environment, you will need to add an annotation to your PostgresCluster so that PGO knows to set pgBackRest's `tls-server-address` to an IPv6 address. Otherwise, `tls-server-address` will be set to `0.0.0.0`, making pgBackRest inaccessible, and backups will not run. The annotation should be added as shown below:
+
+```yaml
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: hippo
+  annotations:
+    postgres-operator.crunchydata.com/pgbackrest-ip-version: IPv6
+```
+
 ## Next Steps
 
 We've now seen how to use PGO to get our backups and archives set up and safely stored. Now let's take a look at [backup management]({{< relref "./backup-management.md" >}}) and how we can do things such as set backup frequency, set retention policies, and even take one-off backups!

internal/controller/postgrescluster/pgbackrest.go

@@ -1011,7 +1011,9 @@ func (r *Reconciler) reconcileRestoreJob(ctx context.Context,
 	for _, opt := range options {
 		var msg string
 		switch {
-		case strings.Contains(opt, "--repo"):
+		// Since '--repo' can be set with or without an equals ('=') sign, we check for both
+		// usage patterns.
+		case strings.Contains(opt, "--repo=") || strings.Contains(opt, "--repo "):
 			msg = "Option '--repo' is not allowed: please use the 'repoName' field instead."
 		case strings.Contains(opt, "--stanza"):
 			msg = "Option '--stanza' is not allowed: the operator will automatically set this " +
@@ -2200,9 +2202,11 @@ func (r *Reconciler) reconcileManualBackup(ctx context.Context,
 	// and not using the "--repo" option in the "manual.options" field.  Therefore, record a
 	// warning event and return if a "--repo" option is found.  Reconciliation will then be
 	// reattempted when "--repo" is removed from "manual.options" and the spec is updated.
+	// Since '--repo' can be set with or without an equals ('=') sign, we check for both
+	// usage patterns.
 	backupOpts := postgresCluster.Spec.Backups.PGBackRest.Manual.Options
 	for _, opt := range backupOpts {
-		if strings.Contains(opt, "--repo") {
+		if strings.Contains(opt, "--repo=") || strings.Contains(opt, "--repo ") {
 			r.Recorder.Eventf(postgresCluster, corev1.EventTypeWarning, "InvalidManualBackup",
 				"Option '--repo' is not allowed: please use the 'repoName' field instead.",
 				repoName)

internal/controller/postgrescluster/pgbackrest_test.go

@@ -1831,13 +1831,27 @@ func TestReconcilePostgresClusterDataSource(t *testing.T) {
 				expectedClusterCondition: nil,
 			},
 		}, {
-			desc: "invalid option: repo",
+			desc: "invalid option: --repo=",
 			dataSource: &v1beta1.DataSource{PostgresCluster: &v1beta1.PostgresClusterDataSource{
-				ClusterName: "invalid-repo-option", RepoName: "repo1",
-				Options: []string{"--repo"},
+				ClusterName: "invalid-repo-option-equals", RepoName: "repo1",
+				Options: []string{"--repo="},
 			}},
 			clusterBootstrapped: false,
-			sourceClusterName:   "invalid-repo-option",
+			sourceClusterName:   "invalid-repo-option-equals",
+			sourceClusterRepos:  []v1beta1.PGBackRestRepo{{Name: "repo1"}},
+			result: testResult{
+				configCount: 1, jobCount: 0, pvcCount: 1,
+				invalidSourceRepo: false, invalidSourceCluster: false, invalidOptions: true,
+				expectedClusterCondition: nil,
+			},
+		}, {
+			desc: "invalid option: --repo ",
+			dataSource: &v1beta1.DataSource{PostgresCluster: &v1beta1.PostgresClusterDataSource{
+				ClusterName: "invalid-repo-option-space", RepoName: "repo1",
+				Options: []string{"--repo "},
+			}},
+			clusterBootstrapped: false,
+			sourceClusterName:   "invalid-repo-option-space",
 			sourceClusterRepos:  []v1beta1.PGBackRestRepo{{Name: "repo1"}},
 			result: testResult{
 				configCount: 1, jobCount: 0, pvcCount: 1,

internal/naming/annotations.go

@@ -50,4 +50,12 @@ const (
 	// timestamp), which will be stored in the PostgresCluster status to properly track completion
 	// of the Job.
 	PGBackRestRestore = annotationPrefix + "pgbackrest-restore"
+
+	// PGBackRestIPVersion is an annotation used to indicate whether an IPv6 wildcard address should be
+	// used for the pgBackRest "tls-server-address" or not. If the user wants to use IPv6, the value
+	// should be "IPv6". As of right now, if the annotation is not present or if the annotation's value
+	// is anything other than "IPv6", the "tls-server-address" will default to IPv4 (0.0.0.0). The need
+	// for this annotation is due to an issue in pgBackRest (#1841) where using a wildcard address to
+	// bind all addresses does not work in certain IPv6 environments.
+	PGBackRestIPVersion = annotationPrefix + "pgbackrest-ip-version"
 )

internal/naming/annotations_test.go

@@ -29,4 +29,5 @@ func TestAnnotationsValid(t *testing.T) {
 	assert.Assert(t, nil == validation.IsQualifiedName(PGBackRestConfigHash))
 	assert.Assert(t, nil == validation.IsQualifiedName(PGBackRestCurrentConfig))
 	assert.Assert(t, nil == validation.IsQualifiedName(PGBackRestRestore))
+	assert.Assert(t, nil == validation.IsQualifiedName(PGBackRestIPVersion))
 }

internal/pgbackrest/config.go

@@ -18,6 +18,7 @@ package pgbackrest
 import (
 	"context"
 	"fmt"
+	"strings"
 
 	corev1 "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
@@ -465,6 +466,16 @@ func serverConfig(cluster *v1beta1.PostgresCluster) iniSectionSet {
 	// - https://releases.k8s.io/v1.23.0/pkg/kubelet/kubelet_pods.go#L345
 	global.Set("tls-server-address", "0.0.0.0")
 
+	// NOTE (dsessler7): As pointed out by Chris above, there is an issue in
+	// pgBackRest (#1841), where using a wildcard address to bind all addresses
+	// does not work in certain IPv6 environments. Until this is fixed, we are
+	// going to workaround the issue by allowing the user to add an annotation to
+	// enable IPv6. We will check for that annotation here and override the
+	// "tls-server-address" setting accordingly.
+	if strings.EqualFold(cluster.Annotations[naming.PGBackRestIPVersion], "ipv6") {
+		global.Set("tls-server-address", "::")
+	}
+
 	// The client certificate for this cluster is allowed to connect for any stanza.
 	// Without the wildcard "*", the "pgbackrest info" and "pgbackrest repo-ls"
 	// commands fail with "access denied" when invoked without a "--stanza" flag.

internal/pgbackrest/config_test.go

@@ -337,3 +337,26 @@ log-level-stderr = error
 log-timestamp = n
 `)
 }
+
+func TestServerConfigIPv6(t *testing.T) {
+	cluster := &v1beta1.PostgresCluster{}
+	cluster.UID = "shoe"
+	cluster.Annotations = map[string]string{
+		naming.PGBackRestIPVersion: "IPv6",
+	}
+
+	assert.Equal(t, serverConfig(cluster).String(), `
+[global]
+tls-server-address = ::
+tls-server-auth = pgbackrest@shoe=*
+tls-server-ca-file = /etc/pgbackrest/conf.d/~postgres-operator/tls-ca.crt
+tls-server-cert-file = /etc/pgbackrest/server/server-tls.crt
+tls-server-key-file = /etc/pgbackrest/server/server-tls.key
+
+[global:server]
+log-level-console = detail
+log-level-file = off
+log-level-stderr = error
+log-timestamp = n
+`)
+}

internal/pgbackrest/iana.go

@@ -0,0 +1,27 @@
+/*
+ Copyright 2021 - 2022 Crunchy Data Solutions, Inc.
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package pgbackrest
+
+// The protocol used by pgBackRest is registered with the Internet Assigned
+// Numbers Authority (IANA).
+// - https://www.iana.org/assignments/service-names-port-numbers
+const (
+	// IANAPortNumber is the port assigned to pgBackRest at the IANA.
+	IANAPortNumber = 8432
+
+	// IANAServiceName is the name of the pgBackRest protocol at the IANA.
+	IANAServiceName = "pgbackrest"
+)

internal/postgres/iana.go

@@ -0,0 +1,27 @@
+/*
+ Copyright 2021 - 2022 Crunchy Data Solutions, Inc.
+ Licensed under the Apache License, Version 2.0 (the "License");
+ you may not use this file except in compliance with the License.
+ You may obtain a copy of the License at
+
+ http://www.apache.org/licenses/LICENSE-2.0
+
+ Unless required by applicable law or agreed to in writing, software
+ distributed under the License is distributed on an "AS IS" BASIS,
+ WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+ See the License for the specific language governing permissions and
+ limitations under the License.
+*/
+
+package postgres
+
+// The protocol used by PostgreSQL is registered with the Internet Assigned
+// Numbers Authority (IANA).
+// - https://www.iana.org/assignments/service-names-port-numbers
+const (
+	// IANAPortNumber is the port assigned to PostgreSQL at the IANA.
+	IANAPortNumber = 5432
+
+	// IANAServiceName is the name of the PostgreSQL protocol at the IANA.
+	IANAServiceName = "postgresql"
+)

pkg/apis/postgres-operator.crunchydata.com/v1beta1/postgrescluster_types.go

@@ -123,7 +123,7 @@ type PostgresClusterSpec struct {
 	// The major version of PostgreSQL installed in the PostgreSQL image
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:Minimum=10
-	// +kubebuilder:validation:Maximum=14
+	// +kubebuilder:validation:Maximum=15
 	// +operator-sdk:csv:customresourcedefinitions:type=spec,order=1
 	PostgresVersion int `json:"postgresVersion"`