Add validation for pgbouncer logfile

This PR adds validation for v1 pgBouncer so that the logfile
must either be in /tmp or one of the attached additional volumes.

This PR also adds validation for v1beta1 that restricts the number
of global config settings and requires a '.log' suffix on the
logfile. (This may be reverted in the future as we are learning
towards validation in v1 and documentation in v1beta1.)

This PR also fixes an error in the OTEL setup around a custom
logfile.

Issues: [PGO-2565]

Author: benjaminjb

config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -14472,10 +14472,12 @@ spec:
                           global:
                             additionalProperties:
                               type: string
-                            description: |-
-                              Settings that apply to the entire PgBouncer process.
-                              More info: https://www.pgbouncer.org/config.html
+                            maxProperties: 50
                             type: object
+                            x-kubernetes-map-type: granular
+                            x-kubernetes-validations:
+                            - message: logfile config must end with '.log'
+                              rule: '!has(self.logfile) || self.logfile.endsWith(''.log'')'
                           users:
                             additionalProperties:
                               type: string
@@ -16505,6 +16507,12 @@ spec:
                             x-kubernetes-list-type: map
                         type: object
                     type: object
+                    x-kubernetes-validations:
+                    - message: config.global.logfile destination is restricted to
+                        '/tmp/logs/pgbouncer/' or an existing additional volume
+                      rule: self.?config.global.logfile.optMap(f, f.startsWith("/tmp/logs/pgbouncer/")
+                        || (self.?volumes.additional.hasValue() && self.volumes.additional.exists(v,
+                        f.startsWith("/volumes/" + v.name)))).orValue(true)
                 required:
                 - pgBouncer
                 type: object
@@ -33505,10 +33513,12 @@ spec:
                           global:
                             additionalProperties:
                               type: string
-                            description: |-
-                              Settings that apply to the entire PgBouncer process.
-                              More info: https://www.pgbouncer.org/config.html
+                            maxProperties: 50
                             type: object
+                            x-kubernetes-map-type: granular
+                            x-kubernetes-validations:
+                            - message: logfile config must end with '.log'
+                              rule: '!has(self.logfile) || self.logfile.endsWith(''.log'')'
                           users:
                             additionalProperties:
                               type: string

internal/pgbouncer/reconcile.go

@@ -223,7 +223,7 @@ func Pod(
 	if collector.OpenTelemetryLogsOrMetricsEnabled(ctx, inCluster) {
 		collector.AddToPod(ctx, inCluster.Spec.Instrumentation, inCluster.Spec.ImagePullPolicy, inConfigMap,
 			template, []corev1.VolumeMount{configVolumeMount}, string(inSecret.Data["pgbouncer-password"]),
-			[]string{naming.PGBouncerLogPath}, true, true)
+			[]string{logPath}, true, true)
 	}
 }
 

internal/pgbouncer/reconcile_test.go

@@ -386,6 +386,12 @@ volumes:
 	})
 
 	t.Run("WithOtelNoLogSet", func(t *testing.T) {
+		featuresWithOtel := feature.NewGate()
+		assert.NilError(t, featuresWithOtel.SetFromMap(map[string]bool{
+			feature.OpenTelemetryLogs:    true,
+			feature.OpenTelemetryMetrics: true,
+		}))
+		ctx = feature.NewContext(context.Background(), featuresWithOtel)
 		cluster.Spec.Instrumentation = &v1beta1.InstrumentationSpec{}
 		logfile = "/tmp/pgbouncer.log"
 
@@ -425,6 +431,59 @@ containers:
   - mountPath: /etc/pgbouncer
     name: pgbouncer-config
     readOnly: true
+- command:
+  - bash
+  - -ceu
+  - --
+  - "monitor() {\n\nmkdir -p '/tmp/receiver' && { chmod 0775 '/tmp/receiver' || :;
+    }\nOTEL_PIDFILE=/tmp/otel.pid\n\nstart_otel_collector() {\n\techo \"Starting OTel
+    Collector\"\n\t/otelcol-contrib --config /etc/otel-collector/config.yaml &\n\techo
+    $! > $OTEL_PIDFILE\n}\nstart_otel_collector\n\nexec {fd}<> <(:||:)\nwhile read
+    -r -t 5 -u \"${fd}\" ||:; do\n\tlogrotate -s /tmp/logrotate.status /etc/logrotate.d/logrotate.conf\n\tif
+    [[ \"${directory}\" -nt \"/proc/self/fd/${fd}\" ]] && kill -HUP $(head -1 ${OTEL_PIDFILE?});\n\tthen\n\t\techo
+    \"OTel configuration changed...\"\n\t\texec {fd}>&- && exec {fd}<> <(:||:)\n\t\tstat
+    --format='Loaded configuration dated %y' \"${directory}\"\n\tfi\n\tif [[ ! -e
+    /proc/$(head -1 ${OTEL_PIDFILE?}) ]] ; then\n\t\tstart_otel_collector\n\tfi\ndone\n};
+    export directory=\"$1\"; export -f monitor; exec -a \"$0\" bash -ceu monitor"
+  - collector
+  - /etc/otel-collector
+  env:
+  - name: K8S_POD_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
+  - name: K8S_POD_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: PGPASSWORD
+  imagePullPolicy: Always
+  name: collector
+  ports:
+  - containerPort: 9187
+    name: otel-metrics
+    protocol: TCP
+  resources: {}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    privileged: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumeMounts:
+  - mountPath: /etc/pgbouncer
+    name: pgbouncer-config
+    readOnly: true
+  - mountPath: /etc/otel-collector
+    name: collector-config
+    readOnly: true
+  - mountPath: /etc/logrotate.d
+    name: logrotate-config
+    readOnly: true
 - command:
   - bash
   - -ceu
@@ -498,6 +557,8 @@ volumes:
 			"logfile": "/volumes/required/mylog.log",
 		}
 		logfile = "/volumes/required/mylog.log"
+		// Reset the instrumentation from the previous test
+		cluster.Spec.Instrumentation = nil
 
 		call()
 

internal/testing/validation/pgbouncer_test.go

@@ -0,0 +1,168 @@
+// Copyright 2021 - 2025 Crunchy Data Solutions, Inc.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package validation
+
+import (
+	"context"
+	"testing"
+
+	"gotest.tools/v3/assert"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/crunchydata/postgres-operator/internal/testing/require"
+	v1 "github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1"
+)
+
+func TestV1PGBouncerLogging(t *testing.T) {
+	ctx := context.Background()
+	cc := require.Kubernetes(t)
+	t.Parallel()
+
+	namespace := require.Namespace(t, cc)
+
+	base := v1.NewPostgresCluster()
+	base.Namespace = namespace.Name
+	base.Name = "pgbouncer-logging"
+	// required fields
+	require.UnmarshalInto(t, &base.Spec, `{
+		postgresVersion: 16,
+		instances: [{
+			dataVolumeClaimSpec: {
+				accessModes: [ReadWriteOnce],
+				resources: { requests: { storage: 1Mi } },
+			},
+		}],
+	}`)
+
+	assert.NilError(t, cc.Create(ctx, base.DeepCopy(), client.DryRunAll),
+		"expected this base to be valid")
+
+	t.Run("Can set logging on tmp with .log", func(t *testing.T) {
+		tmp := base.DeepCopy()
+
+		require.UnmarshalInto(t, &tmp.Spec.Proxy, `{
+			pgBouncer: {
+				config: {
+					global: {
+						logfile: "/tmp/logs/pgbouncer/log.log"
+					}
+				}
+			}
+		}`)
+		assert.NilError(t, cc.Create(ctx, base.DeepCopy(), client.DryRunAll),
+			"expected this option to be valid")
+	})
+
+	t.Run("Cannot set logging on tmp without .log", func(t *testing.T) {
+		tmp := base.DeepCopy()
+
+		require.UnmarshalInto(t, &tmp.Spec.Proxy, `{
+			pgBouncer: {
+				config: {
+					global: {
+						logfile: "/tmp/logs/pgbouncer/log.txt"
+					}
+				}
+			}
+		}`)
+
+		err := cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll)
+		assert.Assert(t, apierrors.IsInvalid(err))
+		assert.ErrorContains(t, err, "logfile config must end with '.log'")
+	})
+
+	t.Run("Cannot set logging on tmp without correct subdir", func(t *testing.T) {
+		tmp := base.DeepCopy()
+
+		require.UnmarshalInto(t, &tmp.Spec.Proxy, `{
+			pgBouncer: {
+				config: {
+					global: {
+						logfile: "/tmp/logs/log.log"
+					}
+				}
+			}
+		}`)
+
+		err := cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll)
+		assert.Assert(t, apierrors.IsInvalid(err))
+		assert.ErrorContains(t, err, "logfile destination is restricted to '/tmp/logs/pgbouncer/' or an existing additional volume")
+
+		require.UnmarshalInto(t, &tmp.Spec.Proxy, `{
+			pgBouncer: {
+				config: {
+					global: {
+						logfile: "/tmp/pgbouncer/log.log"
+					}
+				}
+			}
+		}`)
+
+		err = cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll)
+		assert.Assert(t, apierrors.IsInvalid(err))
+		assert.ErrorContains(t, err, "logfile destination is restricted to '/tmp/logs/pgbouncer/' or an existing additional volume")
+	})
+
+	t.Run("Cannot set logging on volumes that don't exist", func(t *testing.T) {
+		vol := base.DeepCopy()
+
+		require.UnmarshalInto(t, &vol.Spec.Proxy, `{
+			pgBouncer: {
+				config: {
+					global: {
+						logfile: "/volumes/logging/log.log"
+					}
+				}
+			}
+		}`)
+
+		err := cc.Create(ctx, vol.DeepCopy(), client.DryRunAll)
+		assert.Assert(t, apierrors.IsInvalid(err))
+		assert.ErrorContains(t, err, "logfile destination is restricted to '/tmp/logs/pgbouncer/' or an existing additional volume")
+	})
+
+	t.Run("Cannot set logging elsewhere", func(t *testing.T) {
+		vol := base.DeepCopy()
+
+		require.UnmarshalInto(t, &vol.Spec.Proxy, `{
+			pgBouncer: {
+				config: {
+					global: {
+						logfile: "/var/log.log"
+					}
+				}
+			}
+		}`)
+
+		err := cc.Create(ctx, vol.DeepCopy(), client.DryRunAll)
+		assert.Assert(t, apierrors.IsInvalid(err))
+		assert.ErrorContains(t, err, "logfile destination is restricted to '/tmp/logs/pgbouncer/' or an existing additional volume")
+	})
+
+	t.Run("Can set logging on volumes that exist", func(t *testing.T) {
+		vol := base.DeepCopy()
+
+		require.UnmarshalInto(t, &vol.Spec.Proxy, `{
+			pgBouncer: {
+				config: {
+					global: {
+						logfile: "/volumes/logging/log.log"
+					}
+				},
+				volumes: {
+    				additional: [
+					{
+						name: logging,
+        				claimName: required-1
+					}]
+				}
+			}
+		}`)
+
+		assert.NilError(t, cc.Create(ctx, vol.DeepCopy(), client.DryRunAll),
+			"expected this option to be valid")
+	})
+}

pkg/apis/postgres-operator.crunchydata.com/v1/pgbouncer_types.go

@@ -0,0 +1,15 @@
+// Copyright 2021 - 2025 Crunchy Data Solutions, Inc.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package v1
+
+import (
+	"github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1beta1"
+)
+
+// PGBouncerPodSpec defines the desired state of a PgBouncer connection pooler.
+// +kubebuilder:validation:XValidation:rule=`self.?config.global.logfile.optMap(f, f.startsWith("/tmp/logs/pgbouncer/") || (self.?volumes.additional.hasValue() && self.volumes.additional.exists(v, f.startsWith("/volumes/" + v.name)))).orValue(true)`,message=`config.global.logfile destination is restricted to '/tmp/logs/pgbouncer/' or an existing additional volume`
+type PGBouncerPodSpec struct {
+	v1beta1.PGBouncerPodSpec `json:",inline"`
+}

pkg/apis/postgres-operator.crunchydata.com/v1/postgrescluster_types.go

@@ -602,7 +602,7 @@ type PostgresInstanceSetStatus struct {
 type PostgresProxySpec struct {
 
 	// Defines a PgBouncer proxy and connection pooler.
-	PGBouncer *v1beta1.PGBouncerPodSpec `json:"pgBouncer"`
+	PGBouncer *PGBouncerPodSpec `json:"pgBouncer"`
 }
 
 // Default sets the defaults for any proxies that are set.

pkg/apis/postgres-operator.crunchydata.com/v1/zz_generated.deepcopy.go

@@ -26,7 +26,14 @@ type PGBouncerConfiguration struct {
 
 	// Settings that apply to the entire PgBouncer process.
 	// More info: https://www.pgbouncer.org/config.html
+	// ---
+	// # Logging
+	// +kubebuilder:validation:XValidation:rule=`!has(self.logfile) || self.logfile.endsWith('.log')`,message=`logfile config must end with '.log'`
+	// +kubebuilder:validation:MaxProperties=50
+	// See also XValidation rule on v1 PostgresProxySpec
+
 	// +optional
+	// +mapType=granular
 	Global map[string]string `json:"global,omitempty"`
 
 	// PgBouncer database definitions. The key is the database requested by a