K8SPS-340: set initContainer security context of restore job to .spec.backup.containerSecuriryContext (#675)

* K8SPS-340: update initContainer security context of restore job

https://perconadev.atlassian.net/browse/K8SPS-340

* use `containerSecurityContext` from `.spec.backup.storages[]`

* check backup job in test

---------

Co-authored-by: Viacheslav Sarzhan <[email protected]>

Author: pooknull

e2e-tests/tests/gr-security-context/04-assert.yaml

@@ -2,24 +2,91 @@ apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
 timeout: 300
 ---
-kind: PerconaServerMySQLBackup
-apiVersion: ps.percona.com/v1alpha1
+apiVersion: batch/v1
+kind: Job
 metadata:
-  name: gr-security-context-minio
+  generation: 1
+  labels:
+    app.kubernetes.io/component: xtrabackup
+    app.kubernetes.io/instance: gr-security-context
+    app.kubernetes.io/managed-by: percona-server-operator
+    app.kubernetes.io/name: percona-server
+    app.kubernetes.io/part-of: percona-server
+  name: xb-gr-security-context-minio-minio
+spec:
+  backoffLimit: 6
+  completionMode: NonIndexed
+  completions: 1
+  parallelism: 1
+  suspend: false
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app.kubernetes.io/component: xtrabackup
+        app.kubernetes.io/instance: gr-security-context
+        app.kubernetes.io/managed-by: percona-server-operator
+        app.kubernetes.io/name: percona-server
+        app.kubernetes.io/part-of: percona-server
+        job-name: xb-gr-security-context-minio-minio
+    spec:
+      containers:
+      - command:
+        - /opt/percona/run-backup.sh
+        image: perconalab/percona-server-mysql-operator:main-backup
+        imagePullPolicy: Always
+        name: xtrabackup
+        resources: {}
+        securityContext:
+          privileged: true
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /opt/percona
+          name: bin
+        - mountPath: /var/lib/mysql
+          name: datadir
+        - mountPath: /etc/mysql/mysql-tls-secret
+          name: tls
+      dnsPolicy: ClusterFirst
+      initContainers:
+      - command:
+        - /opt/percona-server-mysql-operator/ps-init-entrypoint.sh
+        imagePullPolicy: Always
+        name: xtrabackup-init
+        resources: {}
+        securityContext:
+          privileged: true
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /opt/percona
+          name: bin
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      securityContext:
+        fsGroup: 1001
+        supplementalGroups:
+        - 1001
+        - 1002
+        - 1003
+      setHostnameAsFQDN: true
+      shareProcessNamespace: true
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: bin
+      - emptyDir: {}
+        name: datadir
+      - name: users
+        secret:
+          defaultMode: 420
+          secretName: test-secrets
+      - name: tls
+        secret:
+          defaultMode: 420
+          secretName: test-ssl
 status:
-  state: Succeeded
-  storage:
-    containerSecurityContext:
-      privileged: true
-    podSecurityContext:
-      fsGroup: 1001
-      supplementalGroups:
-      - 1001
-      - 1002
-      - 1003
-    s3:
-      bucket: operator-testing
-      credentialsSecret: minio-secret
-      endpointUrl: http://minio-service:9000
-      region: us-east-1
-    type: s3
+  active: 1
+  ready: 0
+  uncountedTerminatedPods: {}

e2e-tests/tests/gr-security-context/05-assert.yaml

@@ -1,24 +1,25 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 30
+timeout: 300
 ---
-kind: ConfigMap
-apiVersion: v1
+kind: PerconaServerMySQLBackup
+apiVersion: ps.percona.com/v1alpha1
 metadata:
-  name: 04-delete-data-minio-0
-data:
-  data: ""
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: 04-delete-data-minio-1
-data:
-  data: ""
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: 04-delete-data-minio-2
-data:
-  data: ""
+  name: gr-security-context-minio
+status:
+  state: Succeeded
+  storage:
+    containerSecurityContext:
+      privileged: true
+    podSecurityContext:
+      fsGroup: 1001
+      supplementalGroups:
+      - 1001
+      - 1002
+      - 1003
+    s3:
+      bucket: operator-testing
+      credentialsSecret: minio-secret
+      endpointUrl: http://minio-service:9000
+      region: us-east-1
+    type: s3

e2e-tests/tests/gr-security-context/06-assert.yaml

@@ -1,25 +1,24 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 500
+timeout: 30
 ---
-apiVersion: ps.percona.com/v1alpha1
-kind: PerconaServerMySQL
+kind: ConfigMap
+apiVersion: v1
 metadata:
-  name: gr-security-context
-status:
-  haproxy:
-    ready: 3
-    size: 3
-    state: ready
-  mysql:
-    ready: 3
-    size: 3
-    state: ready
-  state: ready
+  name: 04-delete-data-minio-0
+data:
+  data: ""
 ---
-kind: PerconaServerMySQLRestore
-apiVersion: ps.percona.com/v1alpha1
+kind: ConfigMap
+apiVersion: v1
 metadata:
-  name: gr-security-context-restore-minio
-status:
-  state: Succeeded
+  name: 04-delete-data-minio-1
+data:
+  data: ""
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: 04-delete-data-minio-2
+data:
+  data: ""

e2e-tests/tests/gr-security-context/05-delete-data.yaml renamed to e2e-tests/tests/gr-security-context/06-delete-data.yaml

@@ -1,24 +1,90 @@
 apiVersion: kuttl.dev/v1beta1
 kind: TestAssert
-timeout: 30
+timeout: 500
 ---
-kind: ConfigMap
-apiVersion: v1
+apiVersion: batch/v1
+kind: Job
 metadata:
-  name: 06-read-data-minio-0
-data:
-  data: "100500"
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: 06-read-data-minio-1
-data:
-  data: "100500"
----
-kind: ConfigMap
-apiVersion: v1
-metadata:
-  name: 06-read-data-minio-2
-data:
-  data: "100500"
+  annotations:
+    batch.kubernetes.io/job-tracking: ""
+  generation: 1
+  labels:
+    app.kubernetes.io/component: xtrabackup
+    app.kubernetes.io/instance: gr-security-context
+    app.kubernetes.io/managed-by: percona-server-operator
+    app.kubernetes.io/name: percona-server
+    app.kubernetes.io/part-of: percona-server
+  name: xb-restore-gr-security-context-restore-minio
+spec:
+  backoffLimit: 4
+  completionMode: NonIndexed
+  completions: 1
+  parallelism: 1
+  suspend: false
+  template:
+    spec:
+      containers:
+      - command:
+        - /opt/percona/run-restore.sh
+        image: perconalab/percona-server-mysql-operator:main-backup
+        imagePullPolicy: Always
+        name: xtrabackup
+        resources: {}
+        securityContext:
+          privileged: true
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /opt/percona
+          name: bin
+        - mountPath: /var/lib/mysql
+          name: datadir
+        - mountPath: /etc/mysql/mysql-tls-secret
+          name: tls
+      dnsPolicy: ClusterFirst
+      initContainers:
+      - command:
+        - /opt/percona-server-mysql-operator/ps-init-entrypoint.sh
+        imagePullPolicy: Always
+        name: xtrabackup-init
+        resources: {}
+        securityContext:
+          privileged: true
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /opt/percona
+          name: bin
+        - mountPath: /var/lib/mysql
+          name: datadir
+        - mountPath: /etc/mysql/mysql-users-secret
+          name: users
+        - mountPath: /etc/mysql/mysql-tls-secret
+          name: tls
+      restartPolicy: Never
+      schedulerName: default-scheduler
+      securityContext:
+        fsGroup: 1001
+        supplementalGroups:
+        - 1001
+        - 1002
+        - 1003
+      terminationGracePeriodSeconds: 30
+      volumes:
+      - emptyDir: {}
+        name: bin
+      - name: datadir
+        persistentVolumeClaim:
+          claimName: datadir-gr-security-context-mysql-0
+      - name: users
+        secret:
+          defaultMode: 420
+          secretName: test-secrets
+      - name: tls
+        secret:
+          defaultMode: 420
+          secretName: test-ssl
+status:
+  active: 1
+  ready: 0
+  uncountedTerminatedPods: {}

e2e-tests/tests/gr-security-context/07-assert.yaml

@@ -0,0 +1,25 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 500
+---
+apiVersion: ps.percona.com/v1alpha1
+kind: PerconaServerMySQL
+metadata:
+  name: gr-security-context
+status:
+  haproxy:
+    ready: 3
+    size: 3
+    state: ready
+  mysql:
+    ready: 3
+    size: 3
+    state: ready
+  state: ready
+---
+kind: PerconaServerMySQLRestore
+apiVersion: ps.percona.com/v1alpha1
+metadata:
+  name: gr-security-context-restore-minio
+status:
+  state: Succeeded

e2e-tests/tests/gr-security-context/06-restore-from-minio.yaml renamed to e2e-tests/tests/gr-security-context/07-restore-from-minio.yaml

@@ -0,0 +1,24 @@
+apiVersion: kuttl.dev/v1beta1
+kind: TestAssert
+timeout: 30
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: 06-read-data-minio-0
+data:
+  data: "100500"
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: 06-read-data-minio-1
+data:
+  data: "100500"
+---
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: 06-read-data-minio-2
+data:
+  data: "100500"

e2e-tests/tests/gr-security-context/08-assert.yaml

@@ -104,7 +104,7 @@ func Job(
 							componentName,
 							initImage,
 							cluster.Spec.Backup.ImagePullPolicy,
-							cluster.Spec.Backup.ContainerSecurityContext,
+							storage.ContainerSecurityContext,
 						),
 					},
 					Containers: []corev1.Container{
@@ -322,7 +322,7 @@ func RestoreJob(
 						{
 							Name:            componentName + "-init",
 							Image:           initImage,
-							ImagePullPolicy: cluster.Spec.MySQL.ImagePullPolicy,
+							ImagePullPolicy: cluster.Spec.Backup.ImagePullPolicy,
 							VolumeMounts: []corev1.VolumeMount{
 								{
 									Name:      apiv1alpha1.BinVolumeName,
@@ -344,7 +344,7 @@ func RestoreJob(
 							Command:                  []string{"/opt/percona-server-mysql-operator/ps-init-entrypoint.sh"},
 							TerminationMessagePath:   "/dev/termination-log",
 							TerminationMessagePolicy: corev1.TerminationMessageReadFile,
-							SecurityContext:          cluster.Spec.MySQL.ContainerSecurityContext,
+							SecurityContext:          storage.ContainerSecurityContext,
 						},
 					},
 					Containers: []corev1.Container{
@@ -358,6 +358,7 @@ func RestoreJob(
 					PriorityClassName:         storage.PriorityClassName,
 					RuntimeClassName:          storage.RuntimeClassName,
 					DNSPolicy:                 corev1.DNSClusterFirst,
+					SecurityContext:           storage.PodSecurityContext,
 					Volumes: []corev1.Volume{
 						{
 							Name: apiv1alpha1.BinVolumeName,