From 37e11d6895c83b7570bbc940ffa21db8a9024f30 Mon Sep 17 00:00:00 2001 From: Chris Bandy Date: Mon, 8 Sep 2025 11:00:31 -0500 Subject: [PATCH] Set data directory group permissions during bootstrap Immediately after bootstrap, the data directory lacks group permissions when the storage provider ignores fsGroup. The startup container resets group permissions correctly, so pod restart works around this. Issue: PGO-300 See: c7842e7a2723044ccce5d5643dc1f66f6007a081 --- internal/patroni/config.go | 7 ++++++- internal/patroni/config_test.go | 3 +++ 2 files changed, 9 insertions(+), 1 deletion(-) diff --git a/internal/patroni/config.go b/internal/patroni/config.go index 7815fc8c8..8f9948796 100644 --- a/internal/patroni/config.go +++ b/internal/patroni/config.go @@ -552,6 +552,11 @@ func instanceYAML( } else { initdb := []string{ + // Pod "securityContext.fsGroup" ensures processes and filesystems agree on a GID. + // Group access ensures processes can access data regardless of their UID. + // NOTE: The "--allow-group-access" option was introduced in PostgreSQL v11. + "allow-group-access", + // Enable checksums on data pages to help detect corruption of // storage that would otherwise be silent. This also enables // "wal_log_hints" which is a prerequisite for using `pg_rewind`. @@ -568,7 +573,7 @@ func instanceYAML( "data-checksums", "encoding=UTF8", - // NOTE(cbandy): The "--waldir" option was introduced in PostgreSQL v10. + // NOTE: The "--waldir" option was introduced in PostgreSQL v10. "waldir=" + postgres.WALDirectory(cluster, instance), } diff --git a/internal/patroni/config_test.go b/internal/patroni/config_test.go index d5aef835e..1f787bea7 100644 --- a/internal/patroni/config_test.go +++ b/internal/patroni/config_test.go @@ -685,6 +685,7 @@ func TestInstanceYAML(t *testing.T) { # Your changes will not be saved. bootstrap: initdb: + - allow-group-access - data-checksums - encoding=UTF8 - waldir=/pgdata/pg12_wal 
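Review bot: The comment above `"allow-group-access"` in the first `config.go` hunk says group access lets processes reach the data "regardless of their UID", but it does not say how far that access goes. initdb's `--allow-group-access` gives the group read and execute only (directories 0750, files 0640), and with a pod-level fsGroup every container in the pod that carries that GID can then read the cluster's files, including the catalogs that hold role password hashes. I would add a line such as `// Group members get read-only access; any container in the pod sharing the fsGroup can read the data directory.` so the trust boundary is explicit to whoever adds a sidecar later. The option is also added unconditionally, so if a PostgreSQL version below 11 can still reach this branch, initdb would reject it; that is worth confirming against the supported version range. The `instanceYAML` body starts and ends outside the hunk.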
@@ -708,6 +709,7 @@ tags: {} # Your changes will not be saved. bootstrap: initdb: + - allow-group-access - data-checksums - encoding=UTF8 - waldir=/pgdata/pg12_wal @@ -747,6 +749,7 @@ tags: {} # Your changes will not be saved. bootstrap: initdb: + - allow-group-access - data-checksums - encoding=UTF8 - waldir=/pgdata/pg12_wal