Add ImageVolumeSource to AdditionalVolumes.

Add validation to ensure that user must choose between an image volume
source and a pvc claim.
Add validation to ensure that user cannot set readOnly to false when
using an image volume source.
Add validation to ensure that user sets a reference when using an image
volume source.
Add tests for using ImageVolumeSource in AdditionalVolume feature.

Author: dsessler7

config/crd/bases/postgres-operator.crunchydata.com_pgadmins.yaml

@@ -2620,6 +2620,27 @@ spec:
                           maxItems: 10
                           type: array
                           x-kubernetes-list-type: set
+                        image:
+                          description: Details for adding an image volume
+                          properties:
+                            pullPolicy:
+                              description: |-
+                                Policy for pulling OCI objects. Possible values are:
+                                Always: the kubelet always attempts to pull the reference. Container creation will fail If the pull fails.
+                                Never: the kubelet never pulls the reference and only uses a local image or artifact. Container creation will fail if the reference isn't present.
+                                IfNotPresent: the kubelet pulls if the reference isn't already present on disk. Container creation will fail if the reference isn't present and the pull fails.
+                                Defaults to Always if :latest tag is specified, or IfNotPresent otherwise.
+                              type: string
+                            reference:
+                              description: |-
+                                Required: Image or artifact reference to be used.
+                                Behaves in the same way as pod.spec.containers[*].image.
+                                Pull secrets will be assembled in the same way as for the container image by looking up node credentials, SA image pull secrets, and pod spec image pull secrets.
+                                More info: https://kubernetes.io/docs/concepts/containers/images
+                                This field is optional to allow higher level config management to default or override
+                                container images in workload controllers like Deployments and StatefulSets.
+                              type: string
+                          type: object
                         name:
                           description: |-
                             The name of the directory in which to mount this volume.
@@ -2633,10 +2654,17 @@ spec:
                             read-write. Defaults to false.
                           type: boolean
                       required:
-                      - claimName
                       - name
                       type: object
                       x-kubernetes-map-type: atomic
+                      x-kubernetes-validations:
+                      - message: you must set only one of image or claimName
+                        rule: has(self.claimName) != has(self.image)
+                      - message: readOnly cannot be set false when using an ImageVolumeSource
+                        rule: '!has(self.image) || !has(self.readOnly) || self.readOnly'
+                      - message: if using an ImageVolumeSource, you must set a reference
+                        rule: '!has(self.image) || (self.?image.reference.hasValue()
+                          && self.image.reference.size() > 0)'
                     maxItems: 10
                     type: array
                     x-kubernetes-list-map-keys:

config/crd/bases/postgres-operator.crunchydata.com_postgresclusters.yaml

@@ -9,7 +9,10 @@ import (
 	"testing"
 
 	"gotest.tools/v3/assert"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/yaml"
 
 	"github.com/crunchydata/postgres-operator/internal/testing/require"
 	v1 "github.com/crunchydata/postgres-operator/pkg/apis/postgres-operator.crunchydata.com/v1"
@@ -103,3 +106,165 @@ func TestPostgresUserInterfaceAcrossVersions(t *testing.T) {
 			"userInterface not available in v1")
 	})
 }
+
+func TestAdditionalVolumes(t *testing.T) {
+	ctx := context.Background()
+	cc := require.KubernetesAtLeast(t, "1.30")
+	t.Parallel()
+
+	namespace := require.Namespace(t, cc)
+	base := v1beta1.NewPostgresCluster()
+
+	base.Namespace = namespace.Name
+	base.Name = "image-volume-source-test"
+	// required fields
+	require.UnmarshalInto(t, &base.Spec, `{
+		postgresVersion: 16,
+		instances: [{
+			dataVolumeClaimSpec: {
+				accessModes: [ReadWriteOnce],
+				resources: { requests: { storage: 1Mi } },
+			},
+		}],
+	}`)
+
+	assert.NilError(t, cc.Create(ctx, base.DeepCopy(), client.DryRunAll),
+		"expected this base to be valid")
+
+	var unstructuredBase unstructured.Unstructured
+	require.UnmarshalInto(t, &unstructuredBase, require.Value(yaml.Marshal(base)))
+
+	t.Run("Cannot set both image and claimName", func(t *testing.T) {
+		tmp := unstructuredBase.DeepCopy()
+
+		require.UnmarshalIntoField(t, tmp, `[{
+				dataVolumeClaimSpec: {
+					accessModes: [ReadWriteOnce],
+					resources: { requests: { storage: 1Mi } },
+				},
+				volumes: {
+					additional: [{
+						name: "test",
+						claimName: "pvc-claim",
+						image: {
+							reference: "test-image",
+							pullPolicy: Always
+						},
+						readOnly: true
+					}]
+				}
+			}]`, "spec", "instances")
+		err := cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll)
+		assert.Assert(t, apierrors.IsInvalid(err))
+		assert.ErrorContains(t, err, "you must set only one of image or claimName")
+	})
+
+	t.Run("Cannot set readOnly to false when using image volume", func(t *testing.T) {
+		tmp := unstructuredBase.DeepCopy()
+
+		require.UnmarshalIntoField(t, tmp, `[{
+				dataVolumeClaimSpec: {
+					accessModes: [ReadWriteOnce],
+					resources: { requests: { storage: 1Mi } },
+				},
+				volumes: {
+					additional: [{
+						name: "test",
+						image: {
+							reference: "test-image",
+							pullPolicy: Always
+						},
+						readOnly: false
+					}]
+				}
+			}]`, "spec", "instances")
+		err := cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll)
+		assert.Assert(t, apierrors.IsInvalid(err))
+		assert.ErrorContains(t, err, "readOnly cannot be set false when using an ImageVolumeSource")
+	})
+
+	t.Run("Reference must be set when using image volume", func(t *testing.T) {
+		tmp := unstructuredBase.DeepCopy()
+
+		require.UnmarshalIntoField(t, tmp, `[{
+				dataVolumeClaimSpec: {
+					accessModes: [ReadWriteOnce],
+					resources: { requests: { storage: 1Mi } },
+				},
+				volumes: {
+					additional: [{
+						name: "test",
+						image: {
+							pullPolicy: Always
+						},
+						readOnly: true
+					}]
+				}
+			}]`, "spec", "instances")
+		err := cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll)
+		assert.Assert(t, apierrors.IsInvalid(err))
+		assert.ErrorContains(t, err, "if using an ImageVolumeSource, you must set a reference")
+	})
+
+	t.Run("Reference cannot be an empty string when using image volume", func(t *testing.T) {
+		tmp := unstructuredBase.DeepCopy()
+
+		require.UnmarshalIntoField(t, tmp, `[{
+				dataVolumeClaimSpec: {
+					accessModes: [ReadWriteOnce],
+					resources: { requests: { storage: 1Mi } },
+				},
+				volumes: {
+					additional: [{
+						name: "test",
+						image: {
+							reference: "",
+							pullPolicy: Always
+						},
+						readOnly: true
+					}]
+				}
+			}]`, "spec", "instances")
+		err := cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll)
+		assert.Assert(t, apierrors.IsInvalid(err))
+		assert.ErrorContains(t, err, "if using an ImageVolumeSource, you must set a reference")
+	})
+
+	t.Run("ReadOnly can be omitted or set true when using image volume", func(t *testing.T) {
+		tmp := unstructuredBase.DeepCopy()
+
+		require.UnmarshalIntoField(t, tmp, `[{
+				name: "test-instance",
+				dataVolumeClaimSpec: {
+					accessModes: [ReadWriteOnce],
+					resources: { requests: { storage: 1Mi } },
+				},
+				volumes: {
+					additional: [{
+						name: "test",
+						image: {
+							reference: "test-image",
+							pullPolicy: Always
+						},
+					}]
+				}
+			}, {
+				name: "another-instance",
+				dataVolumeClaimSpec: {
+					accessModes: [ReadWriteOnce],
+					resources: { requests: { storage: 1Mi } },
+				},
+				volumes: {
+					additional: [{
+						name: "another",
+						image: {
+							reference: "another-image",
+							pullPolicy: Always
+						},
+						readOnly: true
+					}]
+				}
+			}]`, "spec", "instances")
+		assert.NilError(t, cc.Create(ctx, tmp.DeepCopy(), client.DryRunAll))
+	})
+}

internal/testing/validation/postgrescluster_test.go

@@ -58,7 +58,13 @@ func addVolumesAndMounts(pod *corev1.PodSpec, volumes []v1beta1.AdditionalVolume
 	missingContainers := []string{}
 
 	for _, spec := range volumes {
-		mount := namer(spec.Name, spec.ReadOnly)
+		// If it is an image volume, override readOnly to true
+		readOnly := spec.ReadOnly
+		if spec.Image != nil {
+			readOnly = true
+		}
+
+		mount := namer(spec.Name, readOnly)
 		pod.Volumes = append(pod.Volumes, spec.AsVolume(mount.Name))
 
 		// Create a set of all the requested containers,

internal/util/volumes.go

@@ -207,6 +207,60 @@ func TestAddAdditionalVolumesAndMounts(t *testing.T) {
     claimName: required
     readOnly: true`,
 		expectedMissing: []string{},
+	}, {
+		tcName: "image volumes - readOnly overridden true",
+		additionalVolumes: []v1beta1.AdditionalVolume{{
+			Containers: []string{"database"},
+			Image: &corev1.ImageVolumeSource{
+				Reference:  "some-image-name",
+				PullPolicy: corev1.PullAlways,
+			},
+			Name:     "required",
+			ReadOnly: true,
+		}, {
+			Image: &corev1.ImageVolumeSource{
+				Reference:  "another-image-name",
+				PullPolicy: corev1.PullAlways,
+			},
+			Name:     "other",
+			ReadOnly: false,
+		}},
+		expectedContainers: `- name: database
+  resources: {}
+  volumeMounts:
+  - mountPath: /volumes/required
+    name: volumes-required
+    readOnly: true
+  - mountPath: /volumes/other
+    name: volumes-other
+    readOnly: true
+- name: other
+  resources: {}
+  volumeMounts:
+  - mountPath: /volumes/other
+    name: volumes-other
+    readOnly: true`,
+		expectedInitContainers: `- name: startup
+  resources: {}
+  volumeMounts:
+  - mountPath: /volumes/other
+    name: volumes-other
+    readOnly: true
+- name: config
+  resources: {}
+  volumeMounts:
+  - mountPath: /volumes/other
+    name: volumes-other
+    readOnly: true`,
+		expectedVolumes: `- image:
+    pullPolicy: Always
+    reference: some-image-name
+  name: volumes-required
+- image:
+    pullPolicy: Always
+    reference: another-image-name
+  name: volumes-other`,
+		expectedMissing: []string{},
 	}}
 
 	for _, tc := range testCases {

internal/util/volumes_test.go

@@ -311,14 +311,18 @@ func (meta *Metadata) GetAnnotationsOrNil() map[string]string {
 // Only one applier should be managing each volume definition.
 // https://docs.k8s.io/reference/using-api/server-side-apply#merge-strategy
 // +structType=atomic
+//
+// +kubebuilder:validation:XValidation:rule=`has(self.claimName) != has(self.image)`,message=`you must set only one of image or claimName`
+// +kubebuilder:validation:XValidation:rule=`!has(self.image) || !has(self.readOnly) || self.readOnly`,message=`readOnly cannot be set false when using an ImageVolumeSource`
+// +kubebuilder:validation:XValidation:rule=`!has(self.image) || (self.?image.reference.hasValue() && self.image.reference.size() > 0)`,message=`if using an ImageVolumeSource, you must set a reference`
 type AdditionalVolume struct {
 	// Name of an existing PersistentVolumeClaim.
 	// ---
 	// https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/core/validation#ValidatePersistentVolumeClaim
 	// https://pkg.go.dev/k8s.io/kubernetes/pkg/apis/core/validation#ValidatePersistentVolumeName
 	//
-	// +required
-	ClaimName DNS1123Subdomain `json:"claimName"`
+	// +optional
+	ClaimName DNS1123Subdomain `json:"claimName,omitempty"`
 
 	// The names of containers in which to mount this volume.
 	// The default mounts the volume in *all* containers. An empty list does not mount the volume to any containers.
@@ -333,6 +337,13 @@ type AdditionalVolume struct {
 	// +optional
 	Containers []DNS1123Label `json:"containers"`
 
+	// Details for adding an image volume
+	// ---
+	// https://docs.k8s.io/concepts/storage/volumes#image
+	//
+	// +optional
+	Image *corev1.ImageVolumeSource `json:"image,omitempty"`
+
 	// The name of the directory in which to mount this volume.
 	// Volumes are mounted in containers at `/volumes/{name}`.
 	// ---
@@ -366,6 +377,8 @@ func (in *AdditionalVolume) AsVolume(name string) corev1.Volume {
 			ClaimName: in.ClaimName,
 			ReadOnly:  in.ReadOnly,
 		}
+	case in.Image != nil:
+		out.Image = in.Image.DeepCopy()
 	}
 
 	return out

pkg/apis/postgres-operator.crunchydata.com/v1beta1/shared_types.go

@@ -45,6 +45,25 @@ func TestAdditionalVolumeAsVolume(t *testing.T) {
 			assert.DeepEqual(t, out, expected)
 		})
 	})
+
+	t.Run("Image", func(t *testing.T) {
+		in := v1beta1.AdditionalVolume{Image: &corev1.ImageVolumeSource{
+			Reference:  "jkl;",
+			PullPolicy: corev1.PullAlways,
+		}}
+		out := in.AsVolume("asdf")
+
+		var expected corev1.Volume
+		assert.NilError(t, yaml.Unmarshal([]byte(`{
+			name: asdf,
+			image: {
+				reference: jkl;,
+				pullPolicy: Always,
+			},
+		}`), &expected))
+
+		assert.DeepEqual(t, out, expected)
+	})
 }
 
 func TestDurationAsDuration(t *testing.T) {