Merge pull request #95 from cybertec-postgresql/SecurityContext

Schmaetz · web-flow · commit 1d25f8db2706 · 2025-10-30T13:38:35.000+01:00
Security context
diff --git a/pkg/cluster/k8sres.go b/pkg/cluster/k8sres.go
@@ -881,11 +881,15 @@ func (c *Cluster) generatePodTemplate(
 		addEmptyDirVolume(&podSpec, "exporter-tmp", "postgres-exporter", "/tmp")
 	}
 
-	if c.OpConfig.ReadOnlyRootFilesystem != nil && *c.OpConfig.ReadOnlyRootFilesystem {
+	if c.OpConfig.ReadOnlyRootFilesystem != nil && *c.OpConfig.ReadOnlyRootFilesystem && !isRepoHost {
 		addRunVolume(&podSpec, "postgres-run", "postgres", "/run")
 		addEmptyDirVolume(&podSpec, "postgres-tmp", "postgres", "/tmp")
 	}
 
+	if c.OpConfig.ReadOnlyRootFilesystem != nil && *c.OpConfig.ReadOnlyRootFilesystem && isRepoHost {
+		addEmptyDirVolume(&podSpec, "pgbackrest-tmp", "pgbackrest", "/tmp")
+	}
+
 	if sharePgSocketWithSidecars != nil && *sharePgSocketWithSidecars {
 		addVarRunVolume(&podSpec)
 	}
@@ -1024,6 +1028,10 @@ func (c *Cluster) generateSpiloPodEnvVars(
 		envVars = append(envVars, v1.EnvVar{Name: "USE_PGBACKREST", Value: "true"})
 	}
 
+	if c.OpConfig.ReadOnlyRootFilesystem != nil && *c.OpConfig.ReadOnlyRootFilesystem {
+		envVars = append(envVars, v1.EnvVar{Name: "HOME", Value: "/home/postgres"})
+	}
+
 	if spec.TDE != nil && spec.TDE.Enable {
 		envVars = append(envVars, v1.EnvVar{Name: "TDE", Value: "true"})
 		// envVars = append(envVars, v1.EnvVar{Name: "PGENCRKEYCMD", Value: "/tmp/tde.sh"})
@@ -2250,6 +2258,13 @@ func addEmptyDirVolume(podSpec *v1.PodSpec, volumeName string, containerName str
 			podSpec.Containers[i].VolumeMounts = append(podSpec.Containers[i].VolumeMounts, mount)
 		}
 	}
+	if vol.Name == "postgres-tmp" && len(podSpec.InitContainers) > 0 {
+		for i := range podSpec.InitContainers {
+			if podSpec.InitContainers[i].Name == "pgbackrest-restore" {
+				podSpec.InitContainers[i].VolumeMounts = append(podSpec.InitContainers[i].VolumeMounts, mount)
+			}
+		}
+	}
 }
 
 func addRunVolume(podSpec *v1.PodSpec, volumeName string, containerName string, path string) {
diff --git a/pkg/cluster/majorversionupgrade.go b/pkg/cluster/majorversionupgrade.go
@@ -145,7 +145,7 @@ func (c *Cluster) majorVersionUpgrade() error {
 		return nil
 	}
 
-	pods, err := c.listPods()
+	pods, err := c.listPodsOfType(TYPE_POSTGRESQL)
 	if err != nil {
 		return err
 	}
@@ -213,7 +213,13 @@ func (c *Cluster) majorVersionUpgrade() error {
 		c.logger.Error("could not get members data from Patroni API, skipping major version upgrade")
 		return err
 	}
-	patroniVer, err := semver.NewVersion(patroniData.Patroni.Version)
+	patroniVersion := patroniData.Patroni.Version
+	parts := strings.Split(patroniVersion, ".")
+	if len(parts) > 3 {
+		patroniVersion = strings.Join(parts[:3], ".")
+	}
+	patroniVer, err := semver.NewVersion(patroniVersion)
+
 	if err != nil {
 		c.logger.Error("error parsing Patroni version")
 		patroniVer, _ = semver.NewVersion("3.0.4")
@@ -237,7 +243,7 @@ func (c *Cluster) majorVersionUpgrade() error {
 
 	isUpgradeSuccess := true
 	numberOfPods := len(pods)
-	if allRunning && masterPod != nil {
+	if allRunning {
 		c.logger.Infof("healthy cluster ready to upgrade, current: %d desired: %d", c.currentMajorVersion, desiredVersion)
 		if c.currentMajorVersion < desiredVersion {
 			defer func() error {
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
@@ -262,7 +262,7 @@ type Config struct {
 	MajorVersionUpgradeMode                  string            `name:"major_version_upgrade_mode" default:"off"`
 	MajorVersionUpgradeTeamAllowList         []string          `name:"major_version_upgrade_team_allow_list" default:""`
 	MinimalMajorVersion                      string            `name:"minimal_major_version" default:"13"`
-	TargetMajorVersion                       string            `name:"target_major_version" default:"17"`
+	TargetMajorVersion                       string            `name:"target_major_version" default:"18"`
 	PatroniAPICheckInterval                  time.Duration     `name:"patroni_api_check_interval" default:"1s"`
 	PatroniAPICheckTimeout                   time.Duration     `name:"patroni_api_check_timeout" default:"5s"`
 	EnablePatroniFailsafeMode                *bool             `name:"enable_patroni_failsafe_mode" default:"false"`

Original file line number	Diff line number	Diff line change
`@@ -881,11 +881,15 @@ func (c *Cluster) generatePodTemplate(`
`881`	`881`	`addEmptyDirVolume(&podSpec, "exporter-tmp", "postgres-exporter", "/tmp")`
`882`	`882`	`}`
`883`	`883`
`884`		`- if c.OpConfig.ReadOnlyRootFilesystem != nil && *c.OpConfig.ReadOnlyRootFilesystem {`
	`884`	`+ if c.OpConfig.ReadOnlyRootFilesystem != nil && *c.OpConfig.ReadOnlyRootFilesystem && !isRepoHost {`
`885`	`885`	`addRunVolume(&podSpec, "postgres-run", "postgres", "/run")`
`886`	`886`	`addEmptyDirVolume(&podSpec, "postgres-tmp", "postgres", "/tmp")`
`887`	`887`	`}`
`888`	`888`
	`889`	`+ if c.OpConfig.ReadOnlyRootFilesystem != nil && *c.OpConfig.ReadOnlyRootFilesystem && isRepoHost {`
	`890`	`+ addEmptyDirVolume(&podSpec, "pgbackrest-tmp", "pgbackrest", "/tmp")`
	`891`	`+ }`
	`892`	`+`
`889`	`893`	`if sharePgSocketWithSidecars != nil && *sharePgSocketWithSidecars {`
`890`	`894`	`addVarRunVolume(&podSpec)`
`891`	`895`	`}`
`@@ -1024,6 +1028,10 @@ func (c *Cluster) generateSpiloPodEnvVars(`
`1024`	`1028`	`envVars = append(envVars, v1.EnvVar{Name: "USE_PGBACKREST", Value: "true"})`
`1025`	`1029`	`}`
`1026`	`1030`
	`1031`	`+ if c.OpConfig.ReadOnlyRootFilesystem != nil && *c.OpConfig.ReadOnlyRootFilesystem {`
	`1032`	`+ envVars = append(envVars, v1.EnvVar{Name: "HOME", Value: "/home/postgres"})`
	`1033`	`+ }`
	`1034`	`+`
`1027`	`1035`	`if spec.TDE != nil && spec.TDE.Enable {`
`1028`	`1036`	`envVars = append(envVars, v1.EnvVar{Name: "TDE", Value: "true"})`
`1029`	`1037`	`// envVars = append(envVars, v1.EnvVar{Name: "PGENCRKEYCMD", Value: "/tmp/tde.sh"})`
`@@ -2250,6 +2258,13 @@ func addEmptyDirVolume(podSpec *v1.PodSpec, volumeName string, containerName str`
`2250`	`2258`	`podSpec.Containers[i].VolumeMounts = append(podSpec.Containers[i].VolumeMounts, mount)`
`2251`	`2259`	`}`
`2252`	`2260`	`}`
	`2261`	`+ if vol.Name == "postgres-tmp" && len(podSpec.InitContainers) > 0 {`
	`2262`	`+ for i := range podSpec.InitContainers {`
	`2263`	`+ if podSpec.InitContainers[i].Name == "pgbackrest-restore" {`
	`2264`	`+ podSpec.InitContainers[i].VolumeMounts = append(podSpec.InitContainers[i].VolumeMounts, mount)`
	`2265`	`+ }`
	`2266`	`+ }`
	`2267`	`+ }`
`2253`	`2268`	`}`
`2254`	`2269`
`2255`	`2270`	`func addRunVolume(podSpec *v1.PodSpec, volumeName string, containerName string, path string) {`