Add config switch to share pg_socket in /var/run/postgresql via an emptyDir with the sidecar containers (zalando#962)

frittentheke · web-flow · commit 024aab1f13ea · 2023-01-02T12:57:36.000+01:00
diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md
@@ -344,6 +344,12 @@ configuration they are grouped under the `kubernetes` key.
   to run alongside Spilo on the same pod. Globally defined sidecars are always
   enabled. Default is true.
 
+* **share_pg_socket_with_sidecars**
+  global option to create an emptyDir volume named `postgresql-run`. This is
+  mounted by all containers at `/var/run/postgresql` sharing the unix socket of
+  PostgreSQL (`pg_socket`) with the sidecars this way.
+  Default is `false`.
+
 * **secret_name_template**
   a template for the name of the database user secrets generated by the
   operator. `{namespace}` is replaced with name of the namespace if
diff --git a/docs/user.md b/docs/user.md
@@ -1006,6 +1006,14 @@ option must be set to `true`.
 
 If you want to add a sidecar to every cluster managed by the operator, you can specify it in the [operator configuration](administrator.md#sidecars-for-postgres-clusters) instead.
 
+### Accessing the PostgreSQL socket from sidecars
+
+If enabled by the `share_pg_socket_with_sidecars` option in the operator
+configuration the PostgreSQL socket is placed in a volume of type
+`emptyDir` named `postgresql-run`.
+To allow access to the socket from any sidecar container simply add a
+VolumeMount to this volume to your sidecar spec.
+
 ## InitContainers Support
 
 Each cluster can specify arbitrary init containers to run. These containers can
@@ -1049,7 +1057,7 @@ When using AWS with gp3 volumes you should set the mode to `mixed` because it
 will also adjust the IOPS and throughput that can be defined in the manifest.
 Check the [AWS docs](https://aws.amazon.com/ebs/general-purpose/) to learn
 about default and maximum values. Keep in mind that AWS rate-limits updating
-volume specs to no more than once every 6 hours. 
+volume specs to no more than once every 6 hours.
 
 ```yaml
 spec:
diff --git a/manifests/operatorconfiguration.crd.yaml b/manifests/operatorconfiguration.crd.yaml
@@ -222,6 +222,9 @@ spec:
                     type: array
                     items:
                       type: string
+                  share_pg_socket_with_sidecars:
+                    type: boolean
+                    default: false
                   infrastructure_roles_secret_name:
                     type: string
                   infrastructure_roles_secrets:
diff --git a/pkg/apis/acid.zalan.do/v1/crds.go b/pkg/apis/acid.zalan.do/v1/crds.go
@@ -1289,6 +1289,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{
 									},
 								},
 							},
+							"share_pg_socket_with_sidecars": {
+								Type: "boolean",
+							},
 							"infrastructure_roles_secret_name": {
 								Type: "string",
 							},
diff --git a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go
@@ -72,6 +72,7 @@ type KubernetesMetaConfiguration struct {
 	StorageResizeMode                      string                       `json:"storage_resize_mode,omitempty"`
 	EnableInitContainers                   *bool                        `json:"enable_init_containers,omitempty"`
 	EnableSidecars                         *bool                        `json:"enable_sidecars,omitempty"`
+	SharePGSocketWithSidecars              *bool                        `json:"share_pgsocket_with_sidecars,omitempty"`
 	SecretNameTemplate                     config.StringTemplate        `json:"secret_name_template,omitempty"`
 	ClusterDomain                          string                       `json:"cluster_domain,omitempty"`
 	OAuthTokenSecretName                   spec.NamespacedName          `json:"oauth_token_secret_name,omitempty"`
diff --git a/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go b/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go
diff --git a/pkg/cluster/k8sres.go b/pkg/cluster/k8sres.go
@@ -713,6 +713,7 @@ func (c *Cluster) generatePodTemplate(
 	spiloContainer *v1.Container,
 	initContainers []v1.Container,
 	sidecarContainers []v1.Container,
+	sharePGSocketWithSidecars *bool,
 	tolerationsSpec *[]v1.Toleration,
 	spiloRunAsUser *int64,
 	spiloRunAsGroup *int64,
@@ -775,6 +776,10 @@ func (c *Cluster) generatePodTemplate(
 		podSpec.PriorityClassName = priorityClassName
 	}
 
+	if sharePGSocketWithSidecars != nil && *sharePGSocketWithSidecars {
+		addVarRunVolume(&podSpec)
+	}
+
 	if additionalSecretMount != "" {
 		addSecretVolume(&podSpec, additionalSecretMount, additionalSecretMountPath)
 	}
@@ -1357,6 +1362,7 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef
 		spiloContainer,
 		initContainers,
 		sidecarContainers,
+		c.OpConfig.SharePGSocketWithSidecars,
 		&tolerationSpec,
 		effectiveRunAsUser,
 		effectiveRunAsGroup,
@@ -1550,6 +1556,28 @@ func addShmVolume(podSpec *v1.PodSpec) {
 	podSpec.Volumes = volumes
 }
 
+func addVarRunVolume(podSpec *v1.PodSpec) {
+	volumes := append(podSpec.Volumes, v1.Volume{
+		Name: "postgresql-run",
+		VolumeSource: v1.VolumeSource{
+			EmptyDir: &v1.EmptyDirVolumeSource{
+				Medium: "Memory",
+			},
+		},
+	})
+
+	for i := range podSpec.Containers {
+		mounts := append(podSpec.Containers[i].VolumeMounts,
+			v1.VolumeMount{
+				Name:      "postgresql-run",
+				MountPath: "/var/run/postgresql",
+			})
+		podSpec.Containers[i].VolumeMounts = mounts
+	}
+
+	podSpec.Volumes = volumes
+}
+
 func addSecretVolume(podSpec *v1.PodSpec, additionalSecretMount string, additionalSecretMountPath string) {
 	volumes := append(podSpec.Volumes, v1.Volume{
 		Name: additionalSecretMount,
@@ -2080,6 +2108,7 @@ func (c *Cluster) generateLogicalBackupJob() (*batchv1.CronJob, error) {
 		logicalBackupContainer,
 		[]v1.Container{},
 		[]v1.Container{},
+		util.False(),
 		&[]v1.Toleration{},
 		nil,
 		nil,
diff --git a/pkg/controller/operator_config.go b/pkg/controller/operator_config.go
@@ -86,6 +86,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur
 	result.StorageResizeMode = util.Coalesce(fromCRD.Kubernetes.StorageResizeMode, "pvc")
 	result.EnableInitContainers = util.CoalesceBool(fromCRD.Kubernetes.EnableInitContainers, util.True())
 	result.EnableSidecars = util.CoalesceBool(fromCRD.Kubernetes.EnableSidecars, util.True())
+	result.SharePGSocketWithSidecars = util.CoalesceBool(fromCRD.Kubernetes.SharePGSocketWithSidecars, util.False())
 	result.SecretNameTemplate = fromCRD.Kubernetes.SecretNameTemplate
 	result.OAuthTokenSecretName = fromCRD.Kubernetes.OAuthTokenSecretName
 	result.EnableCrossNamespaceSecret = fromCRD.Kubernetes.EnableCrossNamespaceSecret
diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go
@@ -212,6 +212,7 @@ type Config struct {
 	EnablePodDisruptionBudget              *bool             `name:"enable_pod_disruption_budget" default:"true"`
 	EnableInitContainers                   *bool             `name:"enable_init_containers" default:"true"`
 	EnableSidecars                         *bool             `name:"enable_sidecars" default:"true"`
+	SharePGSocketWithSidecars              *bool             `name:"share_pg_socket_with_sidecars" default:"false"`
 	Workers                                uint32            `name:"workers" default:"8"`
 	APIPort                                int               `name:"api_port" default:"8080"`
 	RingLogLines                           int               `name:"ring_log_lines" default:"100"`
