Convert container security context test to kuttl

This creates a Kuttl test to verify a PostgresCluster's containers'
security context settings which replaces the current EnvTest
implementation.

Issue: [sc-14262]

Author: tjmoore4

internal/controller/postgrescluster/cluster_test.go

@@ -20,10 +20,7 @@ package postgrescluster
 
 import (
 	"context"
-	"os"
-	"strings"
 	"testing"
-	"time"
 
 	"github.com/pkg/errors"
 	"go.opentelemetry.io/otel"
@@ -36,7 +33,6 @@ import (
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
-	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/client-go/tools/record"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/reconcile"
@@ -600,83 +596,6 @@ func TestCustomAnnotations(t *testing.T) {
 	})
 }
 
-func TestContainerSecurityContext(t *testing.T) {
-	if !strings.EqualFold(os.Getenv("USE_EXISTING_CLUSTER"), "true") {
-		t.Skip("Test requires pods to be created")
-	}
-
-	ctx := context.Background()
-	env, cc := setupKubernetes(t)
-	require.ParallelCapacity(t, 1)
-
-	reconciler := &Reconciler{
-		Client:   cc,
-		Owner:    client.FieldOwner(t.Name()),
-		Recorder: new(record.FakeRecorder),
-		Tracer:   otel.Tracer(t.Name()),
-	}
-
-	var err error
-	reconciler.PodExec, err = newPodExecutor(env.Config)
-	assert.NilError(t, err)
-
-	cluster := testCluster()
-	cluster.Namespace = setupNamespace(t, cc).Name
-
-	assert.NilError(t, errors.WithStack(reconciler.Client.Create(ctx, cluster)))
-	t.Cleanup(func() {
-		// Remove finalizers, if any, so the namespace can terminate.
-		assert.Check(t, client.IgnoreNotFound(
-			reconciler.Client.Patch(ctx, cluster, client.RawPatch(
-				client.Merge.Type(), []byte(`{"metadata":{"finalizers":[]}}`)))))
-	})
-
-	pods := &corev1.PodList{}
-	assert.NilError(t, wait.Poll(time.Second, Scale(2*time.Minute), func() (bool, error) {
-		// Reconcile the cluster
-		result, err := reconciler.Reconcile(ctx, reconcile.Request{
-			NamespacedName: client.ObjectKeyFromObject(cluster),
-		})
-		if err != nil {
-			return false, err
-		}
-		if result.Requeue {
-			return false, nil
-		}
-
-		err = reconciler.Client.List(ctx, pods,
-			client.InNamespace(cluster.Namespace),
-			client.MatchingLabels{
-				naming.LabelCluster: cluster.Name,
-			})
-		if err != nil {
-			return false, err
-		}
-
-		// Can expect 4 pods from a cluster
-		// instance, repo-host, pgbouncer, backup(s)
-		if len(pods.Items) < 4 {
-			return false, nil
-		}
-		return true, nil
-	}))
-
-	// Once we have a pod list with pods of each type, check that the
-	// pods containers have the expected Security Context options
-	for _, pod := range pods.Items {
-		for _, container := range pod.Spec.Containers {
-			assert.Equal(t, *container.SecurityContext.Privileged, false)
-			assert.Equal(t, *container.SecurityContext.ReadOnlyRootFilesystem, true)
-			assert.Equal(t, *container.SecurityContext.AllowPrivilegeEscalation, false)
-		}
-		for _, initContainer := range pod.Spec.InitContainers {
-			assert.Equal(t, *initContainer.SecurityContext.Privileged, false)
-			assert.Equal(t, *initContainer.SecurityContext.ReadOnlyRootFilesystem, true)
-			assert.Equal(t, *initContainer.SecurityContext.AllowPrivilegeEscalation, false)
-		}
-	}
-}
-
 func TestGenerateClusterPrimaryService(t *testing.T) {
 	_, cc := setupKubernetes(t)
 	require.ParallelCapacity(t, 0)

testing/kuttl/e2e/security-context/00--cluster.yaml

@@ -0,0 +1,26 @@
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: security-context
+  labels: { postgres-operator-test: kuttl }
+spec:
+  postgresVersion: ${KUTTL_PG_VERSION}
+  instances:
+    - name: instance1
+      replicas: 1
+      dataVolumeClaimSpec: { accessModes: [ReadWriteOnce], resources: { requests: { storage: 1Gi } } }
+  backups:
+    pgbackrest:
+      repos:
+      - name: repo1
+        volume:
+          volumeClaimSpec: { accessModes: [ReadWriteOnce], resources: { requests: { storage: 1Gi } } }
+  proxy:
+    pgBouncer:
+      replicas: 1
+  userInterface:
+    pgAdmin:
+      dataVolumeClaimSpec: { accessModes: [ReadWriteOnce], resources: { requests: { storage: 1Gi } } }
+  monitoring:
+    pgmonitor:
+      exporter: {}

testing/kuttl/e2e/security-context/00-assert.yaml

@@ -0,0 +1,186 @@
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: security-context
+status:
+  instances:
+    - name: instance1
+      readyReplicas: 1
+      replicas: 1
+      updatedReplicas: 1
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  labels:
+    postgres-operator.crunchydata.com/cluster: security-context
+    postgres-operator.crunchydata.com/pgbackrest-backup: replica-create
+status:
+  succeeded: 1
+---
+# initial pgBackRest backup
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    postgres-operator.crunchydata.com/cluster: security-context
+    postgres-operator.crunchydata.com/pgbackrest: ""
+    postgres-operator.crunchydata.com/pgbackrest-backup: replica-create
+    postgres-operator.crunchydata.com/pgbackrest-repo: repo1
+spec:
+  containers:
+  - name: pgbackrest
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+---
+# instance
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    postgres-operator.crunchydata.com/cluster: security-context
+    postgres-operator.crunchydata.com/data: postgres
+    postgres-operator.crunchydata.com/instance-set: instance1
+    postgres-operator.crunchydata.com/patroni: security-context-ha
+    postgres-operator.crunchydata.com/role: master
+spec:
+  containers:
+  - name: database
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+  - name: replication-cert-copy
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+  - name: pgbackrest
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+  - name: pgbackrest-config
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+  - name: exporter
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+  initContainers:
+  - name: postgres-startup
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+  - name: nss-wrapper-init
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+---
+# pgAdmin
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    postgres-operator.crunchydata.com/cluster: security-context
+    postgres-operator.crunchydata.com/data: pgadmin
+    postgres-operator.crunchydata.com/role: pgadmin
+    statefulset.kubernetes.io/pod-name: security-context-pgadmin-0
+  name: security-context-pgadmin-0
+spec:
+  containers:
+  - name: pgadmin
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+  initContainers:
+  - name: pgadmin-startup
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+  - name: nss-wrapper-init
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+---
+# pgBouncer
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    postgres-operator.crunchydata.com/cluster: security-context
+    postgres-operator.crunchydata.com/role: pgbouncer
+spec:
+  containers:
+  - name: pgbouncer
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+  - name: pgbouncer-config
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+---
+# pgBackRest repo
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    postgres-operator.crunchydata.com/cluster: security-context
+    postgres-operator.crunchydata.com/data: pgbackrest
+    postgres-operator.crunchydata.com/pgbackrest: ""
+    postgres-operator.crunchydata.com/pgbackrest-dedicated: ""
+    statefulset.kubernetes.io/pod-name: security-context-repo-host-0
+  name: security-context-repo-host-0
+spec:
+  containers:
+  - name: pgbackrest
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+  - name: pgbackrest-config
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+  initContainers:
+  - name: pgbackrest-log-dir
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true
+  - name: nss-wrapper-init
+    securityContext:
+      allowPrivilegeEscalation: false
+      privileged: false
+      readOnlyRootFilesystem: true
+      runAsNonRoot: true