discussion with Chris

Author: benjaminjb

internal/controller/postgrescluster/pgbouncer.go

@@ -68,8 +68,14 @@ func (r *Reconciler) reconcilePGBouncer(
 func setPGBouncerLogfile(cluster *v1beta1.PostgresCluster) string {
 	logfile := naming.PGBouncerFullLogPath
 
-	if dest, ok := cluster.Spec.Proxy.PGBouncer.Config.Global["logfile"]; ok {
-		logfile = dest
+	if cluster.Spec.Proxy == nil || cluster.Spec.Proxy.PGBouncer == nil {
+		return ""
+	}
+
+	if cluster.Spec.Proxy.PGBouncer.Config.Global != nil {
+		if dest, ok := cluster.Spec.Proxy.PGBouncer.Config.Global["logfile"]; ok {
+			logfile = dest
+		}
 	}
 
 	return logfile
@@ -478,7 +484,9 @@ func (r *Reconciler) generatePGBouncerDeployment(
 	// Do not add environment variables describing services in this namespace.
 	deploy.Spec.Template.Spec.EnableServiceLinks = initialize.Bool(false)
 
-	deploy.Spec.Template.Spec.SecurityContext = util.PodSecurityContext(ctx, 2, cluster.Spec.SupplementalGroups)
+	deploy.Spec.Template.Spec.SecurityContext = util.PodSecurityContext(2,
+		cluster.Spec.SupplementalGroups, initialize.FromPointer(cluster.Spec.OpenShift),
+	)
 
 	// set the image pull secrets, if any exist
 	deploy.Spec.Template.Spec.ImagePullSecrets = cluster.Spec.ImagePullSecrets

internal/util/pod_security.go

@@ -5,17 +5,14 @@
 package util
 
 import (
-	"context"
-
 	corev1 "k8s.io/api/core/v1"
 
 	"github.com/crunchydata/postgres-operator/internal/initialize"
-	"github.com/crunchydata/postgres-operator/internal/kubernetes"
 )
 
 // PodSecurityContext returns a v1.PodSecurityContext for cluster that can write
 // to PersistentVolumes.
-func PodSecurityContext(ctx context.Context, fsgroup int64, supplementalGroups []int64) *corev1.PodSecurityContext {
+func PodSecurityContext(fsgroup int64, supplementalGroups []int64, openshift bool) *corev1.PodSecurityContext {
 	psc := initialize.PodSecurityContext()
 
 	// Use the specified supplementary groups except for root. The CRD has
@@ -33,9 +30,7 @@ func PodSecurityContext(ctx context.Context, fsgroup int64, supplementalGroups [
 	// - https://cloud.redhat.com/blog/a-guide-to-openshift-and-uids
 	// - https://docs.k8s.io/tasks/configure-pod-container/security-context/
 	// - https://docs.openshift.com/container-platform/4.8/authentication/managing-security-context-constraints.html
-	if !kubernetes.Has(ctx, kubernetes.API{
-		Group: "security.openshift.io", Kind: "SecurityContextConstraints",
-	}) {
+	if !openshift {
 		psc.FSGroup = initialize.Int64(fsgroup)
 	}
 

internal/util/pod_security_test.go

@@ -5,50 +5,48 @@
 package util
 
 import (
-	"context"
 	"testing"
 
 	"gotest.tools/v3/assert"
 
-	"github.com/crunchydata/postgres-operator/internal/kubernetes"
 	"github.com/crunchydata/postgres-operator/internal/testing/cmp"
 )
 
 func TestPodSecurityContext(t *testing.T) {
-	ctx := context.Background()
-	assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(ctx, 2, []int64{}), `
+	t.Run("Non-Openshift", func(t *testing.T) {
+		assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(2, []int64{}, false), `
 fsGroup: 2
 fsGroupChangePolicy: OnRootMismatch
 	`))
 
-	supplementalGroups := []int64{3, 4}
-	assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(ctx, 26, supplementalGroups), `
+		supplementalGroups := []int64{3, 4}
+		assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(26, supplementalGroups, false), `
 fsGroup: 26
 fsGroupChangePolicy: OnRootMismatch
 supplementalGroups:
 - 3
 - 4
 	`))
+	})
 
-	ctx = kubernetes.NewAPIContext(ctx, kubernetes.NewAPISet(kubernetes.API{
-		Group: "security.openshift.io", Version: "v1",
-		Kind: "SecurityContextConstraints",
-	}))
-	assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(ctx, 2, []int64{}),
-		`fsGroupChangePolicy: OnRootMismatch`))
+	t.Run("OpenShift", func(t *testing.T) {
+		assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(2, []int64{}, true),
+			`fsGroupChangePolicy: OnRootMismatch`))
 
-	assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(ctx, 2, supplementalGroups), `
+		supplementalGroups := []int64{3, 4}
+		assert.Assert(t, cmp.MarshalMatches(PodSecurityContext(2, supplementalGroups, true), `
 fsGroupChangePolicy: OnRootMismatch
 supplementalGroups:
 - 3
 - 4
 	`))
+	})
 
 	t.Run("NoRootGID", func(t *testing.T) {
-		supplementalGroups = []int64{999, 0, 100, 0}
-		assert.DeepEqual(t, []int64{999, 100}, PodSecurityContext(ctx, 2, supplementalGroups).SupplementalGroups)
+		supplementalGroups := []int64{999, 0, 100, 0}
+		assert.DeepEqual(t, []int64{999, 100}, PodSecurityContext(2, supplementalGroups, false).SupplementalGroups)
 
 		supplementalGroups = []int64{0}
-		assert.Assert(t, PodSecurityContext(ctx, 2, supplementalGroups).SupplementalGroups == nil)
+		assert.Assert(t, PodSecurityContext(2, supplementalGroups, false).SupplementalGroups == nil)
 	})
 }