From 024aab1f13ea04c3accaba236cf7eb5fcad42334 Mon Sep 17 00:00:00 2001 From: Christian Rohmann Date: Mon, 2 Jan 2023 12:57:36 +0100 Subject: [PATCH] Add config switch to share pg_socket in /var/run/postgresql via an emptyDir with the sidecar containers (#962) --- docs/reference/operator_parameters.md | 6 ++++ docs/user.md | 10 ++++++- manifests/operatorconfiguration.crd.yaml | 3 ++ pkg/apis/acid.zalan.do/v1/crds.go | 3 ++ .../v1/operator_configuration_type.go | 1 + .../acid.zalan.do/v1/zz_generated.deepcopy.go | 5 ++++ pkg/cluster/k8sres.go | 29 +++++++++++++++++++ pkg/controller/operator_config.go | 1 + pkg/util/config/config.go | 1 + 9 files changed, 58 insertions(+), 1 deletion(-) diff --git a/docs/reference/operator_parameters.md b/docs/reference/operator_parameters.md index 763f9da75..42193660d 100644 --- a/docs/reference/operator_parameters.md +++ b/docs/reference/operator_parameters.md @@ -344,6 +344,12 @@ configuration they are grouped under the `kubernetes` key. to run alongside Spilo on the same pod. Globally defined sidecars are always enabled. Default is true. +* **share_pg_socket_with_sidecars** + global option to create an emptyDir volume named `postgresql-run`. This is + mounted by all containers at `/var/run/postgresql` sharing the unix socket of + PostgreSQL (`pg_socket`) with the sidecars this way. + Default is `false`. + * **secret_name_template** a template for the name of the database user secrets generated by the operator. `{namespace}` is replaced with name of the namespace if diff --git a/docs/user.md b/docs/user.md index a80d984f6..e2fa59380 100644 --- a/docs/user.md +++ b/docs/user.md 
@@ -1006,6 +1006,14 @@ option must be set to `true`. If you want to add a sidecar to every cluster managed by the operator, you can specify it in the [operator configuration](administrator.md#sidecars-for-postgres-clusters) instead. +### Accessing the PostgreSQL socket from sidecars + +If enabled by the `share_pg_socket_with_sidecars` option in the operator +configuration the PostgreSQL socket is placed in a volume of type +`emptyDir` named `postgresql-run`. +To allow access to the socket from any sidecar container simply add a +VolumeMount to this volume to your sidecar spec. + ## InitContainers Support Each cluster can specify arbitrary init containers to run. These containers can @@ -1049,7 +1057,7 @@ When using AWS with gp3 volumes you should set the mode to `mixed` because it will also adjust the IOPS and throughput that can be defined in the manifest. Check the [AWS docs](https://aws.amazon.com/ebs/general-purpose/) to learn about default and maximum values. Keep in mind that AWS rate-limits updating -volume specs to no more than once every 6 hours. +volume specs to no more than once every 6 hours. ```yaml spec: diff --git a/manifests/operatorconfiguration.crd.yaml b/manifests/operatorconfiguration.crd.yaml index 4402602a3..0597c692a 100644 --- a/manifests/operatorconfiguration.crd.yaml +++ b/manifests/operatorconfiguration.crd.yaml @@ -222,6 +222,9 @@ spec: type: array items: type: string + share_pg_socket_with_sidecars: + type: boolean + default: false infrastructure_roles_secret_name: type: string infrastructure_roles_secrets: diff --git a/pkg/apis/acid.zalan.do/v1/crds.go b/pkg/apis/acid.zalan.do/v1/crds.go index f9af7eae5..645a30883 100644 --- a/pkg/apis/acid.zalan.do/v1/crds.go +++ b/pkg/apis/acid.zalan.do/v1/crds.go @@ -1289,6 +1289,9 @@ var OperatorConfigCRDResourceValidation = apiextv1.CustomResourceValidation{ }, }, }, + "share_pg_socket_with_sidecars": { + Type: "boolean", + }, "infrastructure_roles_secret_name": { Type: "string", }, 
diff --git a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go index e49b8d7ae..4f6ef96af 100644 --- a/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go +++ b/pkg/apis/acid.zalan.do/v1/operator_configuration_type.go @@ -72,6 +72,7 @@ type KubernetesMetaConfiguration struct { StorageResizeMode string `json:"storage_resize_mode,omitempty"` EnableInitContainers *bool `json:"enable_init_containers,omitempty"` EnableSidecars *bool `json:"enable_sidecars,omitempty"` + SharePGSocketWithSidecars *bool `json:"share_pgsocket_with_sidecars,omitempty"` SecretNameTemplate config.StringTemplate `json:"secret_name_template,omitempty"` ClusterDomain string `json:"cluster_domain,omitempty"` OAuthTokenSecretName spec.NamespacedName `json:"oauth_token_secret_name,omitempty"` diff --git a/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go b/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go index 2cae5743e..a37ae6c3c 100644 --- a/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go +++ b/pkg/apis/acid.zalan.do/v1/zz_generated.deepcopy.go @@ -193,6 +193,11 @@ func (in *KubernetesMetaConfiguration) DeepCopyInto(out *KubernetesMetaConfigura *out = new(bool) **out = **in } + if in.SharePGSocketWithSidecars != nil { + in, out := &in.SharePGSocketWithSidecars, &out.SharePGSocketWithSidecars + *out = new(bool) + **out = **in + } out.OAuthTokenSecretName = in.OAuthTokenSecretName out.InfrastructureRolesSecretName = in.InfrastructureRolesSecretName if in.InfrastructureRolesDefs != nil { diff --git a/pkg/cluster/k8sres.go b/pkg/cluster/k8sres.go index 73f4090d8..6d2b2bdfe 100644 --- a/pkg/cluster/k8sres.go +++ b/pkg/cluster/k8sres.go @@ -713,6 +713,7 @@ func (c *Cluster) generatePodTemplate( spiloContainer *v1.Container, initContainers []v1.Container, sidecarContainers []v1.Container, + sharePGSocketWithSidecars *bool, tolerationsSpec *[]v1.Toleration, spiloRunAsUser *int64, spiloRunAsGroup *int64, 
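Review bot: The json tag on the new SharePGSocketWithSidecars field is `share_pgsocket_with_sidecars`, while every other place in this change spells the key `share_pg_socket_with_sidecars` — the CRD schema in manifests/operatorconfiguration.crd.yaml and crds.go, the `name` tag in pkg/util/config/config.go, and docs/reference/operator_parameters.md. An OperatorConfiguration that sets the documented key therefore passes schema validation (the schema knows that spelling) but is never decoded into this field, so importConfigurationFromCRD in pkg/controller/operator_config.go coalesces a nil pointer to false and the option cannot be switched on through the CRD at all. Change the tag to `json:"share_pg_socket_with_sidecars,omitempty"` so the struct, schema, docs and ConfigMap-style config agree. The enclosing KubernetesMetaConfiguration struct starts and ends outside the hunk.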
@@ -775,6 +776,10 @@ func (c *Cluster) generatePodTemplate( podSpec.PriorityClassName = priorityClassName } + if sharePGSocketWithSidecars != nil && *sharePGSocketWithSidecars { + addVarRunVolume(&podSpec) + } + if additionalSecretMount != "" { addSecretVolume(&podSpec, additionalSecretMount, additionalSecretMountPath) } @@ -1357,6 +1362,7 @@ func (c *Cluster) generateStatefulSet(spec *acidv1.PostgresSpec) (*appsv1.Statef spiloContainer, initContainers, sidecarContainers, + c.OpConfig.SharePGSocketWithSidecars, &tolerationSpec, effectiveRunAsUser, effectiveRunAsGroup, @@ -1550,6 +1556,28 @@ func addShmVolume(podSpec *v1.PodSpec) { podSpec.Volumes = volumes } +func addVarRunVolume(podSpec *v1.PodSpec) { + volumes := append(podSpec.Volumes, v1.Volume{ + Name: "postgresql-run", + VolumeSource: v1.VolumeSource{ + EmptyDir: &v1.EmptyDirVolumeSource{ + Medium: "Memory", + }, + }, + }) + + for i := range podSpec.Containers { + mounts := append(podSpec.Containers[i].VolumeMounts, + v1.VolumeMount{ + Name: "postgresql-run", + MountPath: "/var/run/postgresql", + }) + podSpec.Containers[i].VolumeMounts = mounts + } + + podSpec.Volumes = volumes +} + func addSecretVolume(podSpec *v1.PodSpec, additionalSecretMount string, additionalSecretMountPath string) { volumes := append(podSpec.Volumes, v1.Volume{ Name: additionalSecretMount, @@ -2080,6 +2108,7 @@ func (c *Cluster) generateLogicalBackupJob() (*batchv1.CronJob, error) { logicalBackupContainer, []v1.Container{}, []v1.Container{}, + util.False(), &[]v1.Toleration{}, nil, nil, diff --git a/pkg/controller/operator_config.go b/pkg/controller/operator_config.go index e0107d18c..379a92be5 100644 --- a/pkg/controller/operator_config.go +++ b/pkg/controller/operator_config.go 
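Review bot: addVarRunVolume mounts `postgresql-run` into every entry of podSpec.Containers unconditionally, which contradicts the docs/user.md text added in this same change ("add a VolumeMount to this volume to your sidecar spec"): a sidecar that follows that advice ends up with two mounts at `/var/run/postgresql`, and the API server rejects a container whose mountPaths are not unique. Assuming the sidecar containers are already in podSpec.Containers when generatePodTemplate calls this helper, the socket is also handed to every sidecar whether it opted in or not, and depending on the `local` pg_hba rules in the image that can amount to unauthenticated local database access for containers that were never meant to have it — skipping containers that already declare the path keeps the opt-in described in the docs real and avoids the validation failure. The `Memory` medium additionally carries no SizeLimit, so any container sharing the tmpfs can consume the pod's memory by writing under `/var/run/postgresql`; if k8sres.go already imports `k8s.io/apimachinery/pkg/api/resource`, a small `SizeLimit` on the EmptyDirVolumeSource bounds that. The rewritten mount loop is below; the volume construction and the call sites in the other hunks are unchanged.
```go
func addVarRunVolume(podSpec *v1.PodSpec) {
	// … unchanged: append the postgresql-run emptyDir to volumes …

	for i := range podSpec.Containers {
		// A sidecar may already declare this mount itself (docs/user.md tells it to);
		// a second mount at the same path fails API validation.
		alreadyMounted := false
		for _, m := range podSpec.Containers[i].VolumeMounts {
			if m.MountPath == "/var/run/postgresql" {
				alreadyMounted = true
				break
			}
		}
		if alreadyMounted {
			continue
		}
		podSpec.Containers[i].VolumeMounts = append(podSpec.Containers[i].VolumeMounts,
			v1.VolumeMount{
				Name:      "postgresql-run",
				MountPath: "/var/run/postgresql",
			})
	}

	podSpec.Volumes = volumes
}
```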
@@ -86,6 +86,7 @@ func (c *Controller) importConfigurationFromCRD(fromCRD *acidv1.OperatorConfigur result.StorageResizeMode = util.Coalesce(fromCRD.Kubernetes.StorageResizeMode, "pvc") result.EnableInitContainers = util.CoalesceBool(fromCRD.Kubernetes.EnableInitContainers, util.True()) result.EnableSidecars = util.CoalesceBool(fromCRD.Kubernetes.EnableSidecars, util.True()) + result.SharePGSocketWithSidecars = util.CoalesceBool(fromCRD.Kubernetes.SharePGSocketWithSidecars, util.False()) result.SecretNameTemplate = fromCRD.Kubernetes.SecretNameTemplate result.OAuthTokenSecretName = fromCRD.Kubernetes.OAuthTokenSecretName result.EnableCrossNamespaceSecret = fromCRD.Kubernetes.EnableCrossNamespaceSecret diff --git a/pkg/util/config/config.go b/pkg/util/config/config.go index 374e26292..fcf1f607b 100644 --- a/pkg/util/config/config.go +++ b/pkg/util/config/config.go @@ -212,6 +212,7 @@ type Config struct { EnablePodDisruptionBudget *bool `name:"enable_pod_disruption_budget" default:"true"` EnableInitContainers *bool `name:"enable_init_containers" default:"true"` EnableSidecars *bool `name:"enable_sidecars" default:"true"` + SharePGSocketWithSidecars *bool `name:"share_pg_socket_with_sidecars" default:"false"` Workers uint32 `name:"workers" default:"8"` APIPort int `name:"api_port" default:"8080"` RingLogLines int `name:"ring_log_lines" default:"100"`