Updates for an always-on pgBackRest repo host

To support the 'backup-standby' pgBackRest configuration setting
as well as to simplify the overall pgBackRest integration, this
commit changes the pgBackRest repo host creation behavior to always
create a 'repo host' Pod as a location to run commands, regardless
of whether or not a repo volume is defined. This allows backup
commands to be consistently run on this Pod instead of being run at
times on the primary instance Pod.

Note that in cases where a repo host volume is not defined in the
PostgresCluster spec, no volume will be created and pgBackRest log
files will not be available in the Pod.

Issue: PGO-562

Author: tjmoore4

internal/controller/postgrescluster/instance.go

@@ -1376,10 +1376,8 @@ func addPGBackRestToInstancePodSpec(
 	ctx context.Context, cluster *v1beta1.PostgresCluster,
 	instanceCertificates *corev1.Secret, instancePod *corev1.PodSpec,
 ) {
-	if pgbackrest.DedicatedRepoHostEnabled(cluster) {
-		pgbackrest.AddServerToInstancePod(ctx, cluster, instancePod,
-			instanceCertificates.Name)
-	}
+	pgbackrest.AddServerToInstancePod(ctx, cluster, instancePod,
+		instanceCertificates.Name)
 
 	pgbackrest.AddConfigToInstancePod(cluster, instancePod)
 }

internal/controller/postgrescluster/instance_test.go

@@ -578,14 +578,104 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) {
     readOnly: true
 - name: other
   resources: {}
+- command:
+  - pgbackrest
+  - server
+  livenessProbe:
+    exec:
+      command:
+      - pgbackrest
+      - server-ping
+  name: pgbackrest
+  resources: {}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    privileged: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumeMounts:
+  - mountPath: /etc/pgbackrest/server
+    name: pgbackrest-server
+    readOnly: true
+  - mountPath: /pgdata
+    name: postgres-data
+  - mountPath: /pgwal
+    name: postgres-wal
+  - mountPath: /etc/pgbackrest/conf.d
+    name: pgbackrest-config
+    readOnly: true
+- command:
+  - bash
+  - -ceu
+  - --
+  - |-
+    monitor() {
+    exec {fd}<> <(:||:)
+    until read -r -t 5 -u "${fd}"; do
+      if
+        [[ "${filename}" -nt "/proc/self/fd/${fd}" ]] &&
+        pkill -HUP --exact --parent=0 pgbackrest
+      then
+        exec {fd}>&- && exec {fd}<> <(:||:)
+        stat --dereference --format='Loaded configuration dated %y' "${filename}"
+      elif
+        { [[ "${directory}" -nt "/proc/self/fd/${fd}" ]] ||
+          [[ "${authority}" -nt "/proc/self/fd/${fd}" ]]
+        } &&
+        pkill -HUP --exact --parent=0 pgbackrest
+      then
+        exec {fd}>&- && exec {fd}<> <(:||:)
+        stat --format='Loaded certificates dated %y' "${directory}"
+      fi
+    done
+    }; export directory="$1" authority="$2" filename="$3"; export -f monitor; exec -a "$0" bash -ceu monitor
+  - pgbackrest-config
+  - /etc/pgbackrest/server
+  - /etc/pgbackrest/conf.d/~postgres-operator/tls-ca.crt
+  - /etc/pgbackrest/conf.d/~postgres-operator_server.conf
+  name: pgbackrest-config
+  resources: {}
+  securityContext:
+    allowPrivilegeEscalation: false
+    capabilities:
+      drop:
+      - ALL
+    privileged: false
+    readOnlyRootFilesystem: true
+    runAsNonRoot: true
+    seccompProfile:
+      type: RuntimeDefault
+  volumeMounts:
+  - mountPath: /etc/pgbackrest/server
+    name: pgbackrest-server
+    readOnly: true
+  - mountPath: /etc/pgbackrest/conf.d
+    name: pgbackrest-config
+    readOnly: true
 		`))
 
-		// Instance configuration files but no certificates.
+		// Instance configuration files with certificates.
 		// Other volumes are ignored.
 		assert.Assert(t, marshalMatches(out.Volumes, `
 - name: other
 - name: postgres-data
 - name: postgres-wal
+- name: pgbackrest-server
+  projected:
+    sources:
+    - secret:
+        items:
+        - key: pgbackrest-server.crt
+          path: server-tls.crt
+        - key: pgbackrest-server.key
+          mode: 384
+          path: server-tls.key
+        name: some-secret
 - name: pgbackrest-config
   projected:
     sources:
@@ -595,7 +685,19 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) {
           path: pgbackrest_instance.conf
         - key: config-hash
           path: config-hash
+        - key: pgbackrest-server.conf
+          path: ~postgres-operator_server.conf
         name: hippo-pgbackrest-config
+    - secret:
+        items:
+        - key: pgbackrest.ca-roots
+          path: ~postgres-operator/tls-ca.crt
+        - key: pgbackrest-client.crt
+          path: ~postgres-operator/client-tls.crt
+        - key: pgbackrest-client.key
+          mode: 384
+          path: ~postgres-operator/client-tls.key
+        name: hippo-pgbackrest
 		`))
 	})
 
@@ -644,7 +746,6 @@ func TestAddPGBackRestToInstancePodSpec(t *testing.T) {
           mode: 384
           path: ~postgres-operator/client-tls.key
         name: hippo-pgbackrest
-        optional: true
 			`))
 		}