test: add E2E test for backup and restore using endpoint CA

Added test case for backup and restore with object storage using TLS,
only covering `.spec.bootstrap.recovery.backup.endpointCA` for recovery,
still to be validated through an E2E test:
- endpointCA specified in Backup Status
- endpointCA specified in externalCluster

Co-authored-by: Jitendra Wadle <jitendrawadle@Laptop566-pn-in.local>

Author: wadlejitendra

tests/e2e/asserts_test.go

@@ -477,12 +477,11 @@ func AssertStorageCredentialsAreCreated(namespace string, name string, id string
 }
 
 // InstallMinio installs minio to verify the backup and archive walls
-func InstallMinio(namespace string) {
+func InstallMinio(namespace string, deploymentFile string) {
 	// Create a PVC-based deployment for the minio version
 	// minio/minio:RELEASE.2020-04-23T00-58-49Z
 	minioPVCFile := fixturesDir + "/backup/minio/minio-pvc.yaml"
-	minioDeploymentFile := fixturesDir +
-		"/backup/minio/minio-deployment.yaml"
+	minioDeploymentFile := fixturesDir + deploymentFile
 
 	_, _, err := testsUtils.Run(fmt.Sprintf("kubectl apply -n %v -f %v",
 		namespace, minioPVCFile))
@@ -509,8 +508,8 @@ func InstallMinio(namespace string) {
 }
 
 // InstallMinioClient installs minio client to verify the backup and archive walls
-func InstallMinioClient(namespace string) {
-	clientFile := fixturesDir + "/backup/minio/minio-client.yaml"
+func InstallMinioClient(namespace string, minioClientPodFile string) {
+	clientFile := fixturesDir + minioClientPodFile
 	_, _, err := testsUtils.Run(fmt.Sprintf(
 		"kubectl apply -n %v -f %v",
 		namespace, clientFile))
@@ -1403,13 +1402,13 @@ func prepareClusterForPITROnMinio(
 	})
 
 	By("setting up minio", func() {
-		InstallMinio(namespace)
+		InstallMinio(namespace, "/backup/minio/minio-deployment.yaml")
 	})
 
 	// Create the minio client pod and wait for it to be ready.
 	// We'll use it to check if everything is archived correctly
 	By("setting up minio client pod", func() {
-		InstallMinioClient(namespace)
+		InstallMinioClient(namespace, "/backup/minio/minio-client.yaml")
 	})
 
 	// Create the cluster

tests/e2e/backup_restore_test.go

@@ -12,6 +12,7 @@ import (
 	ctrlclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	apiv1 "github.com/EnterpriseDB/cloud-native-postgresql/api/v1"
+	"github.com/EnterpriseDB/cloud-native-postgresql/pkg/certs"
 	"github.com/EnterpriseDB/cloud-native-postgresql/tests"
 	"github.com/EnterpriseDB/cloud-native-postgresql/tests/utils"
 
@@ -84,13 +85,13 @@ var _ = Describe("Backup and restore", func() {
 			})
 
 			By("setting up minio", func() {
-				InstallMinio(namespace)
+				InstallMinio(namespace, "/backup/minio/minio-deployment.yaml")
 			})
 
 			// Create the minio client pod and wait for it to be ready.
 			// We'll use it to check if everything is archived correctly
 			By("setting up minio client pod", func() {
-				InstallMinioClient(namespace)
+				InstallMinioClient(namespace, "/backup/minio/minio-client.yaml")
 			})
 
 			// Create ConfigMap and secrets to verify metrics for target database after backup restore
@@ -168,13 +169,13 @@ var _ = Describe("Backup and restore", func() {
 			})
 
 			By("setting up minio", func() {
-				InstallMinio(namespace)
+				InstallMinio(namespace, "/backup/minio/minio-deployment.yaml")
 			})
 
 			// Create the minio client pod and wait for it to be ready.
 			// We'll use it to check if everything is archived correctly
 			By("setting up minio client pod", func() {
-				InstallMinioClient(namespace)
+				InstallMinioClient(namespace, "/backup/minio/minio-client.yaml")
 			})
 
 			AssertCreateCluster(namespace, clusterName, clusterWithMinioSampleFile, env)
@@ -207,13 +208,13 @@ var _ = Describe("Backup and restore", func() {
 			})
 
 			By("setting up minio", func() {
-				InstallMinio(namespace)
+				InstallMinio(namespace, "/backup/minio/minio-deployment.yaml")
 			})
 
 			// Create the minio client pod and wait for it to be ready.
 			// We'll use it to check if everything is archived correctly
 			By("setting up minio client pod", func() {
-				InstallMinioClient(namespace)
+				InstallMinioClient(namespace, "/backup/minio/minio-client.yaml")
 			})
 
 			AssertCreateCluster(namespace, clusterName, clusterWithMinioSampleFile, env)
@@ -246,6 +247,89 @@ var _ = Describe("Backup and restore", func() {
 
 			AssertClusterRestorePITR(namespace, restoredClusterName, tableName)
 		})
+
+		It("backup and restore with endpoint ca and tls connection", func() {
+			const (
+				clusterWithMinioSampleFile = fixturesDir + "/backup/minio-with-tls/cluster-with-backup-minio.yaml"
+				clusterRestoreSampleFile   = fixturesDir + "/backup/minio-with-tls/cluster-from-restore.yaml"
+				caSecName                  = "minio-server-ca-secret"
+				tlsSecName                 = "minio-server-tls-secret"
+			)
+			namespace = "backup-minio-endpoint-ca"
+			clusterName, err := env.GetResourceNameFromYAML(clusterWithMinioSampleFile)
+			Expect(err).ToNot(HaveOccurred())
+			// create namespace
+			err = env.CreateNamespace(namespace)
+			Expect(err).ToNot(HaveOccurred())
+
+			// create CA certificates
+			_, caPair := utils.CreateSecretCA(namespace, clusterName, caSecName, true, env)
+
+			// sign and create secret using CA certificate and key
+			serverPair, err := caPair.CreateAndSignPair("minio-service", certs.CertTypeServer,
+				[]string{"minio-service.internal.mydomain.net, minio-service.default.svc, minio-service.default,"},
+			)
+			Expect(err).ToNot(HaveOccurred())
+			serverSecret := serverPair.GenerateCertificateSecret(namespace, tlsSecName)
+			err = env.Client.Create(env.Ctx, serverSecret)
+			Expect(err).ToNot(HaveOccurred())
+
+			By("creating the credentials for minio", func() {
+				AssertStorageCredentialsAreCreated(namespace, "backup-storage-creds", "minio", "minio123")
+			})
+
+			By("setting up minio", func() {
+				InstallMinio(namespace, "/backup/minio-with-tls/minio-deployment.yaml")
+			})
+
+			// Create the minio client pod and wait for it to be ready.
+			// We'll use it to check if everything is archived correctly
+			By("setting up minio client pod", func() {
+				InstallMinioClient(namespace, "/backup/minio-with-tls/minio-client.yaml")
+			})
+
+			// Create the cluster
+			AssertCreateCluster(namespace, clusterName, clusterWithMinioSampleFile, env)
+
+			// Write a table and some data on the "app" database
+			AssertCreateTestData(namespace, clusterName, "test_table")
+
+			AssertArchiveWalOnMinio(namespace, clusterName)
+
+			// There should be a backup resource and
+			By("backing up a cluster and verifying it exists on minio", func() {
+				utils.ExecuteBackup(namespace, backupFile, env)
+
+				Eventually(func() (int, error) {
+					return CountFilesOnMinio(namespace, "data.tar")
+				}, 30).Should(BeEquivalentTo(1))
+				Eventually(func() (string, error) {
+					cluster := &apiv1.Cluster{}
+					err := env.Client.Get(env.Ctx,
+						ctrlclient.ObjectKey{Namespace: namespace, Name: clusterName},
+						cluster)
+					return cluster.Status.FirstRecoverabilityPoint, err
+				}, 30).ShouldNot(BeEmpty())
+			})
+
+			// Restore backup in a new cluster
+			AssertClusterRestore(namespace, clusterRestoreSampleFile, "test_table")
+
+			previous := 0
+
+			By("checking the previous number of .history files in minio", func() {
+				previous, err = CountFilesOnMinio(namespace, "*.history.gz")
+				Expect(err).ToNot(HaveOccurred())
+			})
+
+			AssertSwitchover(namespace, clusterName, env)
+
+			By("checking the number of .history after switchover", func() {
+				Eventually(func() (int, error) {
+					return CountFilesOnMinio(namespace, "*.history.gz")
+				}, 60).Should(BeNumerically(">", previous))
+			})
+		})
 	})
 
 	Context("using azure blobs as object storage with storage account access authentication", func() {
@@ -589,13 +673,13 @@ var _ = Describe("Clusters Recovery From Barman Object Store", func() {
 				AssertStorageCredentialsAreCreated(namespace, "backup-storage-creds", "minio", "minio123")
 			})
 			By("setting up minio", func() {
-				InstallMinio(namespace)
+				InstallMinio(namespace, "/backup/minio/minio-deployment.yaml")
 			})
 
 			// Create the minio client pod and wait for it to be ready.
 			// We'll use it to check if everything is archived correctly
 			By("setting up minio client pod", func() {
-				InstallMinioClient(namespace)
+				InstallMinioClient(namespace, "/backup/minio/minio-client.yaml")
 			})
 
 			// Create the cluster
@@ -659,13 +743,13 @@ var _ = Describe("Clusters Recovery From Barman Object Store", func() {
 				AssertStorageCredentialsAreCreated(namespace, "backup-storage-creds", "minio", "minio123")
 			})
 			By("setting up minio", func() {
-				InstallMinio(namespace)
+				InstallMinio(namespace, "/backup/minio/minio-deployment.yaml")
 			})
 
 			// Create the minio client pod and wait for it to be ready.
 			// We'll use it to check if everything is archived correctly.
 			By("setting up minio client pod", func() {
-				InstallMinioClient(namespace)
+				InstallMinioClient(namespace, "/backup/minio/minio-client.yaml")
 			})
 
 			// Create the Cluster

tests/e2e/fixtures/backup/minio-with-tls/.gitignore

@@ -0,0 +1,2 @@
+cluster-with-backup-minio.yaml
+cluster-from-restore.yaml

tests/e2e/fixtures/backup/minio-with-tls/cluster-from-restore.yaml.template

@@ -0,0 +1,28 @@
+apiVersion: postgresql.k8s.enterprisedb.io/v1
+kind: Cluster
+metadata:
+  name: cluster-restore
+spec:
+  instances: 2
+
+  postgresql:
+    parameters:
+      log_checkpoints: "on"
+      log_lock_waits: "on"
+      log_min_duration_statement: '1000'
+      log_statement: 'ddl'
+      log_temp_files: '1024'
+      log_autovacuum_min_duration: '1s'
+      log_replication_commands: 'on'
+
+  storage:
+    size: 1Gi
+    storageClass: ${E2E_DEFAULT_STORAGE_CLASS}
+
+  bootstrap:
+    recovery:
+      backup:
+        name: cluster-backup
+        endpointCA:
+          key: ca.crt
+          name: minio-server-ca-secret

tests/e2e/fixtures/backup/minio-with-tls/cluster-with-backup-minio.yaml.template

@@ -0,0 +1,54 @@
+apiVersion: postgresql.k8s.enterprisedb.io/v1
+kind: Cluster
+metadata:
+  name: pg-backup-minio
+spec:
+  instances: 2
+
+  postgresql:
+    parameters:
+      log_checkpoints: "on"
+      log_lock_waits: "on"
+      log_min_duration_statement: '1000'
+      log_statement: 'ddl'
+      log_temp_files: '1024'
+      log_autovacuum_min_duration: '1s'
+      log_replication_commands: 'on'
+
+  # Example of rolling update strategy:
+  # - unsupervised: automated update of the primary once all
+  #                 replicas have been upgraded (default)
+  # - supervised: requires manual supervision to perform
+  #               the switchover of the primary
+  primaryUpdateStrategy: unsupervised
+
+  # Persistent storage configuration
+  storage:
+    storageClass: ${E2E_DEFAULT_STORAGE_CLASS}
+    size: 1Gi
+
+  bootstrap:
+    initdb:
+      database: app
+      owner: app
+
+  backup:
+    barmanObjectStore:
+        destinationPath: s3://cluster-backups/
+        endpointURL: https://minio-service:9000
+        # Name field will be tls secret name
+        endpointCA:
+          key: ca.crt
+          name: minio-server-ca-secret
+        s3Credentials:
+          accessKeyId:
+            name: backup-storage-creds
+            key: ID
+          secretAccessKey:
+            name: backup-storage-creds
+            key: KEY
+        wal:
+          compression: gzip
+        data:
+          immediateCheckpoint: true
+    retentionPolicy: "30d"

tests/e2e/fixtures/backup/minio-with-tls/minio-client.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  labels:
+    run: mc
+  name: mc
+spec:
+  containers:
+  - env:
+    - name: MC_HOST_minio
+      value: https://minio:minio123@minio-service:9000
+    image: minio/mc
+    name: mc
+    volumeMounts:
+      # ca certificate path
+      - name: secret-volume
+        mountPath: /root/.mc/certs/CAs
+    resources: {}
+    # Keep the pod up to exec stuff on it
+    command:
+      - sleep
+      - "3600"
+  dnsPolicy: ClusterFirst
+  restartPolicy: Always
+  volumes:
+    - name: secret-volume
+      secret:
+        defaultMode: 0600
+        secretName: minio-server-ca-secret

tests/e2e/fixtures/backup/minio-with-tls/minio-deployment.yaml

@@ -0,0 +1,53 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: minio
+  labels:
+    app: minio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: minio
+  template:
+    metadata:
+      labels:
+        app: minio
+    spec:
+      containers:
+        - name: minio
+          image: minio/minio:RELEASE.2020-04-23T00-58-49Z
+          ports:
+            - containerPort: 9000
+          volumeMounts:
+            - name: data
+              mountPath: /data
+            - name: secret-volume
+              mountPath: /etc/secrets/certs
+          command: ["minio"]
+          args: ["--certs-dir", "/etc/secrets/certs", "server", "/data"]
+          env:
+            - name: MINIO_ACCESS_KEY
+              value: "minio"
+            - name: MINIO_SECRET_KEY
+              value: "minio123"
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: minio-pv-claim
+        - name: secret-volume
+          projected:
+            defaultMode: 0600
+            sources:
+              - secret:
+                  name: minio-server-tls-secret
+                  items:
+                    - key: tls.crt
+                      path: public.crt
+                    - key: tls.key
+                      path: private.key
+              - secret:
+                  name: minio-server-ca-secret
+                  items:
+                    - key: ca.crt
+                      path: CAs/public.crt