Validate the Postgres log_directory parameter in v1

This is a tightening of validation compared to v1beta1. The parameter
must have one of a handful of prefixes. A spec-level rule ensures the
value refers to a volume declared in the spec.

Co-authored-by: Benjamin Blattberg <ben.blattberg@crunchydata.com>
Co-authored-by: Drew Sessler <drew.sessler@crunchydata.com>
Issue: PGO-2558

Author: 3 people

.github/workflows/test.yaml

@@ -53,7 +53,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        kubernetes: [v1.33, v1.28]
+        kubernetes: [v1.30, v1.33]
     steps:
       - uses: actions/checkout@v5
       - uses: actions/setup-go@v6
@@ -87,7 +87,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        kubernetes: [v1.33, v1.28]
+        kubernetes: [v1.30, v1.33]
     steps:
       - uses: actions/checkout@v5
       - uses: actions/setup-go@v6

config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -4939,6 +4939,13 @@ spec:
                       rule: '!has(self.logging_collector)'
                     - message: log_file_mode cannot be changed
                       rule: '!has(self.log_file_mode)'
+                    - fieldPath: .log_directory
+                      message: must start with "/pgdata/logs/postgres", "/pgtmp/logs/postgres",
+                        "/pgwal/logs/postgres", "/volumes", or be "log" to keep logs
+                        inside PGDATA
+                      rule: self.?log_directory.optMap(v, type(v) == string && (v
+                        == "log" || v.startsWith("/volumes") || ["/pgdata","/pgtmp","/pgwal","/volumes"].exists(p,
+                        v == (p + "/logs/postgres") || v.startsWith(p + "/logs/postgres/")))).orValue(true)
                 type: object
               customReplicationTLSSecret:
                 description: |-
@@ -18380,6 +18387,21 @@ spec:
             - instances
             - postgresVersion
             type: object
+            x-kubernetes-validations:
+            - fieldPath: .config.parameters.log_directory
+              message: all instances need "volumes.temp" to log in "/pgtmp"
+              rule: self.?config.parameters.log_directory.optMap(v, type(v) != string
+                || !v.startsWith("/pgtmp/logs/postgres") || self.instances.all(i,
+                i.?volumes.temp.hasValue())).orValue(true)
+            - fieldPath: .config.parameters.log_directory
+              message: all instances need "walVolumeClaimSpec" to log in "/pgwal"
+              rule: self.?config.parameters.log_directory.optMap(v, type(v) != string
+                || !v.startsWith("/pgwal/logs/postgres") || self.instances.all(i,
+                i.?walVolumeClaimSpec.hasValue())).orValue(true)
+            - fieldPath: .config.parameters.log_directory
+              message: all instances need an additional volume to log in "/volumes"
+              rule: self.?config.parameters.log_directory.optMap(v, type(v) != string
+                || !v.startsWith("/volumes") || self.instances.all(i, i.?volumes.additional.hasValue())).orValue(true)
           status:
             description: PostgresClusterStatus defines the observed state of PostgresCluster
             properties:

internal/testing/cmp/cmp.go

@@ -5,6 +5,7 @@
 package cmp
 
 import (
+	stdcmp "cmp"
 	"regexp"
 	"strings"
 
@@ -51,6 +52,12 @@ func DeepEqual[T any](x, y T, opts ...gocmp.Option) Comparison {
 	return gotest.DeepEqual(x, y, opts...)
 }
 
+// Equal succeeds if x == y, the same as [gotest.tools/v3/assert.Equal].
+// The type constraint makes it easier to compare against numeric literals and typed constants.
+func Equal[T any](x, y T) Comparison {
+	return gotest.Equal(x, y)
+}
+
 // Len succeeds if actual has the expected length.
 func Len[Slice ~[]E, E any](actual Slice, expected int) Comparison {
 	return gotest.Len(actual, expected)
@@ -85,6 +92,15 @@ func MarshalMatches(actual any, expected string) Comparison {
 	))
 }
 
+// Or is an alias to [stdcmp.Or] in the standard library:
+//   - It returns the leftmost argument that is not zero.
+//   - It returns zero when all its arguments are zero.
+//
+// This is here so test authors can import fewer "cmp" packages.
+func Or[T comparable](values ...T) T {
+	return stdcmp.Or(values...)
+}
+
 // Regexp succeeds if value contains any match of the regular expression.
 // The regular expression may be a *regexp.Regexp or a string that is a valid
 // regexp pattern.

internal/testing/validation/postgrescluster/postgres_config_test.go

@@ -50,6 +50,26 @@ func TestPostgresConfigParametersV1beta1(t *testing.T) {
 	assert.Equal(t, u.GetAPIVersion(), "postgres-operator.crunchydata.com/v1beta1")
 
 	testPostgresConfigParametersCommon(t, cc, u)
+
+	t.Run("Logging", func(t *testing.T) {
+		t.Run("Allowed", func(t *testing.T) {
+			for _, tt := range []struct {
+				key   string
+				value any
+			}{
+				{key: "log_directory", value: "anything"},
+			} {
+				t.Run(tt.key, func(t *testing.T) {
+					cluster := u.DeepCopy()
+					require.UnmarshalIntoField(t, cluster,
+						require.Value(yaml.Marshal(tt.value)),
+						"spec", "config", "parameters", tt.key)
+
+					assert.NilError(t, cc.Create(ctx, cluster, client.DryRunAll))
+				})
+			}
+		})
+	})
 }
 
 func TestPostgresConfigParametersV1(t *testing.T) {
@@ -82,6 +102,194 @@ func TestPostgresConfigParametersV1(t *testing.T) {
 	assert.Equal(t, u.GetAPIVersion(), "postgres-operator.crunchydata.com/v1")
 
 	testPostgresConfigParametersCommon(t, cc, u)
+
+	t.Run("Logging", func(t *testing.T) {
+		t.Run("log_directory", func(t *testing.T) {
+			volume := `{ accessModes: [ReadWriteOnce], resources: { requests: { storage: 1Mi } } }`
+
+			for _, tt := range []struct {
+				name      string
+				value     any
+				valid     bool
+				message   string
+				instances string
+			}{
+				// Only a few prefixes are allowed.
+				{valid: false, value: 99, message: `must start with "/`},
+				{valid: false, value: "relative", message: `must start with "/`},
+				{valid: false, value: "/absolute", message: `must start with "/pg`},
+
+				// These are the two acceptable directories inside /pgdata.
+				{valid: true, value: "log"},
+				{valid: true, value: "/pgdata/logs/postgres"},
+				{valid: false, value: "/pgdata", message: `"/pgdata/logs/postgres"`},
+				{valid: false, value: "/pgdata/elsewhere", message: `"/pgdata/logs/postgres"`},
+				{valid: false, value: "/pgdata/sub/dir", message: `"/pgdata/logs/postgres"`},
+
+				// There is one acceptable directory inside /pgtmp, but every instance set needs a temp volume.
+				{
+					name:  "two instance sets and two temp volumes",
+					value: "/pgtmp/logs/postgres",
+					instances: `[
+						{ name: one, dataVolumeClaimSpec: ` + volume + `, volumes: { temp: ` + volume + ` } },
+						{ name: two, dataVolumeClaimSpec: ` + volume + `, volumes: { temp: ` + volume + ` } },
+					]`,
+					valid: true,
+				},
+				{
+					name:  "two instance sets and one temp volume",
+					value: "/pgtmp/logs/postgres",
+					instances: `[
+						{ name: one, dataVolumeClaimSpec: ` + volume + `, volumes: { temp: ` + volume + ` } },
+						{ name: two, dataVolumeClaimSpec: ` + volume + ` },
+					]`,
+					valid:   false,
+					message: `all instances need "volumes.temp"`,
+				},
+				{
+					name:  "two instance sets and no temp volumes",
+					value: "/pgtmp/logs/postgres",
+					instances: `[
+						{ name: one, dataVolumeClaimSpec: ` + volume + ` },
+						{ name: two, dataVolumeClaimSpec: ` + volume + ` },
+					]`,
+					valid:   false,
+					message: `all instances need "volumes.temp"`,
+				},
+
+				// These directories inside /pgtmp are unacceptable, regardless of volumes.
+				{
+					name:      "no temp volumes",
+					value:     "/pgtmp/elsewhere",
+					instances: `[{ name: any, dataVolumeClaimSpec: ` + volume + ` }]`,
+					valid:     false,
+					message:   `"/pgtmp/logs/postgres"`,
+				},
+				{
+					name:  "two temp volumes",
+					value: "/pgtmp",
+					instances: `[
+						{ name: one, dataVolumeClaimSpec: ` + volume + `, volumes: { temp: ` + volume + ` } },
+						{ name: two, dataVolumeClaimSpec: ` + volume + `, volumes: { temp: ` + volume + ` } },
+					]`,
+					valid:   false,
+					message: `"/pgtmp/logs/postgres"`,
+				},
+
+				// There is one acceptable directory inside /pgwal, but every instance set needs a WAL volume.
+				{
+					name:  "two instance sets and two WAL volumes",
+					value: "/pgwal/logs/postgres",
+					instances: `[
+						{ name: one, dataVolumeClaimSpec: ` + volume + `, walVolumeClaimSpec: ` + volume + ` },
+						{ name: two, dataVolumeClaimSpec: ` + volume + `, walVolumeClaimSpec: ` + volume + ` },
+					]`,
+					valid: true,
+				},
+				{
+					name:  "two instance sets and one WAL volume",
+					value: "/pgwal/logs/postgres",
+					instances: `[
+						{ name: one, dataVolumeClaimSpec: ` + volume + `, walVolumeClaimSpec: ` + volume + ` },
+						{ name: two, dataVolumeClaimSpec: ` + volume + ` },
+					]`,
+					valid:   false,
+					message: `all instances need "walVolumeClaimSpec"`,
+				},
+				{
+					name:  "two instance sets and no WAL volumes",
+					value: "/pgwal/logs/postgres",
+					instances: `[
+						{ name: one, dataVolumeClaimSpec: ` + volume + ` },
+						{ name: two, dataVolumeClaimSpec: ` + volume + ` },
+					]`,
+					valid:   false,
+					message: `all instances need "walVolumeClaimSpec"`,
+				},
+
+				// These directories inside /pgwal are unacceptable, regardless of volumes.
+				{
+					name:      "no WAL volumes",
+					value:     "/pgwal/elsewhere",
+					instances: `[{ name: any, dataVolumeClaimSpec: ` + volume + ` }]`,
+					valid:     false,
+					message:   `"/pgwal/logs/postgres"`,
+				},
+				{
+					name:  "two WAL volumes",
+					value: "/pgwal",
+					instances: `[
+						{ name: one, dataVolumeClaimSpec: ` + volume + `, walVolumeClaimSpec: ` + volume + ` },
+						{ name: two, dataVolumeClaimSpec: ` + volume + `, walVolumeClaimSpec: ` + volume + ` },
+					]`,
+					valid:   false,
+					message: `"/pgwal/logs/postgres"`,
+				},
+
+				// Directories inside /volumes are acceptable, but every instance set needs additional volumes.
+				//
+				// TODO(validation): This could be more precise and check the directory name of each additional
+				// volume, but Kubernetes 1.33 incorrectly estimates the cost of volume.name:
+				// https://github.com/kubernetes-sigs/controller-tools/pull/1270#issuecomment-3272211184
+				{
+					name:  "two instance sets and two additional volumes",
+					value: "/volumes/anything",
+					instances: `[
+						{ name: one, dataVolumeClaimSpec: ` + volume + `, volumes: { additional: [{ name: dir, claimName: a }] } },
+						{ name: two, dataVolumeClaimSpec: ` + volume + `, volumes: { additional: [{ name: dir, claimName: b }] } },
+					]`,
+					valid: true,
+				},
+				{
+					name:  "two instance sets and one additional volume",
+					value: "/volumes/anything",
+					instances: `[
+						{ name: one, dataVolumeClaimSpec: ` + volume + `, volumes: { additional: [{ name: dir, claimName: a }] } },
+						{ name: two, dataVolumeClaimSpec: ` + volume + ` },
+					]`,
+					valid:   false,
+					message: `all instances need an additional volume`,
+				},
+				{
+					name:  "two instance sets and no additional volumes",
+					value: "/volumes/anything",
+					instances: `[
+						{ name: one, dataVolumeClaimSpec: ` + volume + ` },
+						{ name: two, dataVolumeClaimSpec: ` + volume + ` },
+					]`,
+					valid:   false,
+					message: `all instances need an additional volume`,
+				},
+			} {
+				t.Run(cmp.Or(tt.name, fmt.Sprint(tt.valid, tt.value)), func(t *testing.T) {
+					cluster := u.DeepCopy()
+					if tt.instances != "" {
+						require.UnmarshalIntoField(t, cluster, tt.instances, "spec", "instances")
+					}
+					require.UnmarshalIntoField(t, cluster, require.Value(yaml.Marshal(tt.value)),
+						"spec", "config", "parameters", "log_directory")
+
+					err := cc.Create(ctx, cluster, client.DryRunAll)
+
+					if tt.valid {
+						assert.NilError(t, err)
+						assert.Equal(t, "", tt.message, "BUG IN TEST: no message expected when valid")
+					} else {
+						assert.Assert(t, apierrors.IsInvalid(err))
+
+						details := require.StatusErrorDetails(t, err)
+						assert.Assert(t, cmp.Len(details.Causes, 1))
+
+						// https://issue.k8s.io/133761
+						if details.Causes[0].Field != "spec.config.parameters.[log_directory]" {
+							assert.Check(t, cmp.Equal(details.Causes[0].Field, "spec.config.parameters[log_directory]"))
+						}
+						assert.Assert(t, cmp.Contains(details.Causes[0].Message, tt.message))
+					}
+				})
+			}
+		})
+	})
 }
 
 func testPostgresConfigParametersCommon(t *testing.T, cc client.Client, base unstructured.Unstructured) {
@@ -155,7 +363,6 @@ func testPostgresConfigParametersCommon(t *testing.T, cc client.Client, base uns
 			{valid: false, key: "logging_collector", value: "on", message: "unsafe"},
 
 			{valid: true, key: "log_destination", value: "anything"},
-			{valid: true, key: "log_directory", value: "anything"},
 			{valid: true, key: "log_filename", value: "anything"},
 			{valid: true, key: "log_filename", value: "percent-%s-too"},
 			{valid: true, key: "log_rotation_age", value: "7d"},

pkg/apis/postgres-operator.crunchydata.com/v1/postgres_types.go

@@ -0,0 +1,71 @@
+// Copyright 2021 - 2025 Crunchy Data Solutions, Inc.
+//
+// SPDX-License-Identifier: Apache-2.0
+
+package v1
+
+import (
+	corev1 "k8s.io/api/core/v1"
+	"k8s.io/apimachinery/pkg/util/intstr"
+)
+
+type PostgresConfigSpec struct {
+	// Files to mount under "/etc/postgres".
+	// ---
+	// +optional
+	Files []corev1.VolumeProjection `json:"files,omitempty"`
+
+	// Configuration parameters for the PostgreSQL server. Some values will
+	// be reloaded without validation and some cause PostgreSQL to restart.
+	// Some values cannot be changed at all.
+	// More info: https://www.postgresql.org/docs/current/runtime-config.html
+	// ---
+	//
+	// Postgres 17 has something like 350+ built-in parameters, but typically
+	// an administrator will change only a handful of these.
+	// +kubebuilder:validation:MaxProperties=50
+	//
+	// # File Locations
+	// - https://www.postgresql.org/docs/current/runtime-config-file-locations.html
+	//
+	// +kubebuilder:validation:XValidation:rule=`!has(self.config_file) && !has(self.data_directory)`,message=`cannot change PGDATA path: config_file, data_directory`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.external_pid_file)`,message=`cannot change external_pid_file`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.hba_file) && !has(self.ident_file)`,message=`cannot change authentication path: hba_file, ident_file`
+	//
+	// # Connections
+	// - https://www.postgresql.org/docs/current/runtime-config-connection.html
+	//
+	// +kubebuilder:validation:XValidation:rule=`!has(self.listen_addresses)`,message=`network connectivity is always enabled: listen_addresses`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.port)`,message=`change port using .spec.port instead`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.ssl) && !self.exists(k, k.startsWith("ssl_"))`,message=`TLS is always enabled`
+	// +kubebuilder:validation:XValidation:rule=`!self.exists(k, k.startsWith("unix_socket_"))`,message=`domain socket paths cannot be changed`
+	//
+	// # Write Ahead Log
+	// - https://www.postgresql.org/docs/current/runtime-config-wal.html
+	//
+	// +kubebuilder:validation:XValidation:rule=`!has(self.wal_level) || self.wal_level in ["logical"]`,message=`wal_level must be "replica" or higher`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.wal_log_hints)`,message=`wal_log_hints are always enabled`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.archive_mode) && !has(self.archive_command) && !has(self.restore_command)`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.recovery_target) && !self.exists(k, k.startsWith("recovery_target_"))`
+	//
+	// # Replication
+	// - https://www.postgresql.org/docs/current/runtime-config-replication.html
+	//
+	// +kubebuilder:validation:XValidation:rule=`!has(self.hot_standby)`,message=`hot_standby is always enabled`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.synchronous_standby_names)`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.primary_conninfo) && !has(self.primary_slot_name)`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.recovery_min_apply_delay)`,message=`delayed replication is not supported at this time`
+	//
+	// # Logging
+	// - https://www.postgresql.org/docs/current/runtime-config-logging.html
+	//
+	// +kubebuilder:validation:XValidation:rule=`!has(self.cluster_name)`,message=`cluster_name is derived from the PostgresCluster name`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.logging_collector)`,message=`disabling logging_collector is unsafe`
+	// +kubebuilder:validation:XValidation:rule=`!has(self.log_file_mode)`,message=`log_file_mode cannot be changed`
+	//
+	// +kubebuilder:validation:XValidation:fieldPath=`.log_directory`,message=`must start with "/pgdata/logs/postgres", "/pgtmp/logs/postgres", "/pgwal/logs/postgres", "/volumes", or be "log" to keep logs inside PGDATA`,rule=`self.?log_directory.optMap(v, type(v) == string && (v == "log" || v.startsWith("/volumes") || ["/pgdata","/pgtmp","/pgwal","/volumes"].exists(p, v == (p + "/logs/postgres") || v.startsWith(p + "/logs/postgres/")))).orValue(true)`
+	//
+	// +mapType=granular
+	// +optional
+	Parameters map[string]intstr.IntOrString `json:"parameters,omitempty"`
+}