From f6a697be6fb40399b7064b6c2d897e6a79c4e49d Mon Sep 17 00:00:00 2001 From: valmiranogueira Date: Tue, 19 May 2026 10:21:12 -0300 Subject: [PATCH 1/4] Fix LDAP permissions for Openshift --- e2e-tests/tests/ldap-tls/00-deploy-operator.yaml | 5 ----- e2e-tests/tests/ldap-tls/01-openldap-tls.yaml | 14 ++++++++++++++ .../tests/ldap-tls/files/openldap-tls-deploy.yaml | 1 + e2e-tests/tests/ldap/00-deploy-operator.yaml | 5 ----- e2e-tests/tests/ldap/01-openldap.yaml | 14 ++++++++++++++ e2e-tests/tests/ldap/files/openldap.yaml | 1 + 6 files changed, 30 insertions(+), 10 deletions(-) diff --git a/e2e-tests/tests/ldap-tls/00-deploy-operator.yaml b/e2e-tests/tests/ldap-tls/00-deploy-operator.yaml index 9e2d6a12b5..7826f3b2b5 100644 --- a/e2e-tests/tests/ldap-tls/00-deploy-operator.yaml +++ b/e2e-tests/tests/ldap-tls/00-deploy-operator.yaml @@ -9,11 +9,6 @@ commands: source ../../functions init_temp_dir # do this only in the first TestStep - if [[ $OPENSHIFT ]]; then - echo "Skipping LDAP-TLS test on OpenShift" - exit 1 - fi - deploy_operator deploy_client deploy_cert_manager diff --git a/e2e-tests/tests/ldap-tls/01-openldap-tls.yaml b/e2e-tests/tests/ldap-tls/01-openldap-tls.yaml index d77fa1a4c9..1bd9ae25f2 100644 --- a/e2e-tests/tests/ldap-tls/01-openldap-tls.yaml +++ b/e2e-tests/tests/ldap-tls/01-openldap-tls.yaml @@ -1,4 +1,18 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep +commands: + - script: |- + set -o errexit + set -o xtrace + + source ../../functions + + kubectl create serviceaccount openldap-tls \ + --namespace "${NAMESPACE}" + + if [[ $(detect_k8s_platform) == "openshift" ]]; then + oc adm policy add-scc-to-user anyuid -z openldap-tls -n "${NAMESPACE}" + sleep 5 + fi apply: - files/openldap-tls.yaml diff --git a/e2e-tests/tests/ldap-tls/files/openldap-tls-deploy.yaml b/e2e-tests/tests/ldap-tls/files/openldap-tls-deploy.yaml index e7f9544f97..8468ff5387 100644 --- a/e2e-tests/tests/ldap-tls/files/openldap-tls-deploy.yaml 
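Review bot: In the script added to `01-openldap-tls.yaml`, `kubectl create serviceaccount openldap-tls` fails when the account already exists, and under `set -o errexit` that aborts the step on any re-run in the same namespace; an idempotent form is `kubectl create serviceaccount openldap-tls -n "${NAMESPACE}" --dry-run=client -o yaml | kubectl apply -f -`. The `anyuid` grant that follows lets pods using this service account run under any UID, root included, so it deserves a comment saying why the image needs it, e.g. `# openldap image does not start under the restricted SCC; anyuid is limited to this test's service account` (the reason is inferred from the commit title, so confirm it). `sleep 5` after the grant looks like a guess at propagation time rather than a wait on a condition. The same points apply to the matching script added in `e2e-tests/tests/ldap/01-openldap.yaml`.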
+++ b/e2e-tests/tests/ldap-tls/files/openldap-tls-deploy.yaml @@ -15,6 +15,7 @@ spec: labels: app.kubernetes.io/name: openldap-tls spec: + serviceAccountName: openldap-tls containers: - name: openldap image: osixia/openldap:latest diff --git a/e2e-tests/tests/ldap/00-deploy-operator.yaml b/e2e-tests/tests/ldap/00-deploy-operator.yaml index dbea2a35c5..906c0976c7 100644 --- a/e2e-tests/tests/ldap/00-deploy-operator.yaml +++ b/e2e-tests/tests/ldap/00-deploy-operator.yaml @@ -9,10 +9,5 @@ commands: source ../../functions init_temp_dir # do this only in the first TestStep - if [[ $OPENSHIFT ]]; then - echo "Skipping LDAP test on OpenShift" - exit 1 - fi - deploy_operator deploy_client diff --git a/e2e-tests/tests/ldap/01-openldap.yaml b/e2e-tests/tests/ldap/01-openldap.yaml index bb6f0bff57..ce6c527629 100644 --- a/e2e-tests/tests/ldap/01-openldap.yaml +++ b/e2e-tests/tests/ldap/01-openldap.yaml @@ -1,4 +1,18 @@ apiVersion: kuttl.dev/v1beta1 kind: TestStep +commands: + - script: |- + set -o errexit + set -o xtrace + + source ../../functions + + kubectl create serviceaccount openldap \ + --namespace "${NAMESPACE}" + + if [[ $(detect_k8s_platform) == "openshift" ]]; then + oc adm policy add-scc-to-user anyuid -z openldap -n "${NAMESPACE}" + sleep 5 + fi apply: - files/openldap.yaml diff --git a/e2e-tests/tests/ldap/files/openldap.yaml b/e2e-tests/tests/ldap/files/openldap.yaml index da1ec46f6e..70925e7764 100644 --- a/e2e-tests/tests/ldap/files/openldap.yaml +++ b/e2e-tests/tests/ldap/files/openldap.yaml @@ -23,6 +23,7 @@ spec: labels: app.kubernetes.io/name: openldap spec: + serviceAccountName: openldap containers: - name: openldap image: osixia/openldap:latest From 743fe2af2f34d3cba4988fe610085226ffcc13ff Mon Sep 17 00:00:00 2001 
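Review bot: The added `serviceAccountName: openldap-tls` binds this pod to the account that the test step grants `anyuid`, while the container on the context line below it is still `image: osixia/openldap:latest`. With a floating tag, whatever the registry serves at run time executes under the relaxed UID constraint; pinning a version or digest, `image: osixia/openldap:<PINNED_TAG>` (placeholder), keeps what runs with that grant reviewable. The same applies to `serviceAccountName: openldap` in `e2e-tests/tests/ldap/files/openldap.yaml`. Both pod specs continue outside their hunks, so an existing `securityContext` cannot be ruled out from here.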
From: valmiranogueira Date: Tue, 19 May 2026 19:13:54 -0300 Subject: [PATCH 2/4] Fix Minio installation on Openshift for migration tests --- e2e-tests/functions | 44 ++++++++++++++++--- .../00-deploy-operators.yaml | 32 +------------- .../00-deploy-operators.yaml | 35 ++------------- 3 files changed, 42 insertions(+), 69 deletions(-) diff --git a/e2e-tests/functions b/e2e-tests/functions index c81f44786f..6c570f587b 100644 --- a/e2e-tests/functions +++ b/e2e-tests/functions @@ -216,15 +216,41 @@ retry() { } deploy_minio() { + local name="${1:-"minio-service"}" + local tls_secret="${2:-}" local access_key local secret_key + local endpoint_url="http://minio-service:9000" + local aws_extra_args="" + local service_account_name="minio-sa" + local -a additional_helm_args + access_key="$(kubectl -n "${NAMESPACE}" get secret minio-secret -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 -d)" secret_key="$(kubectl -n "${NAMESPACE}" get secret minio-secret -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 -d)" - helm uninstall -n "${NAMESPACE}" minio-service || : + if [[ $(detect_k8s_platform) == "openshift" ]]; then + kubectl create serviceaccount "${service_account_name}" \ + --namespace "${NAMESPACE}" + oc adm policy add-scc-to-user anyuid -z "${service_account_name}" -n "${NAMESPACE}" + additional_helm_args+=( + --set serviceAccount.create=false + --set serviceAccount.name="${service_account_name}" + ) + fi + + if [[ -n $tls_secret ]]; then + additional_helm_args+=( + --set tls.enabled=true + --set tls.certSecret="${tls_secret}" + ) + endpoint_url="https://${name}:9000" + aws_extra_args="--no-verify-ssl" + fi + + helm uninstall -n "${NAMESPACE}" "${name}" || : helm repo remove minio || : helm repo add minio https://charts.min.io/ - retry 10 60 helm install minio-service \ + retry 10 60 helm install "${name}" \ -n "${NAMESPACE}" \ --version "${MINIO_VER}" \ --set replicas=1 \ 
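Review bot: `local endpoint_url="http://minio-service:9000"` hard-codes the release name, so a non-TLS call with a custom first argument installs `${name}` but creates the bucket against `minio-service`; the TLS branch already uses `${name}`, and the default should match it: `local endpoint_url="http://${name}:9000"`. `local -a additional_helm_args` is declared without a value and expanded as `"${additional_helm_args[@]}"` in the next hunk; `local -a additional_helm_args=()` avoids an unbound-variable error on bash older than 4.4 if a caller enables `nounset`. On OpenShift, `kubectl create serviceaccount "${service_account_name}"` fails when `minio-sa` is left over from an earlier call, although the `helm uninstall ... || :` line suggests the function is meant to be re-runnable. The function body continues past the end of this hunk.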
@@ -236,17 +262,23 @@ deploy_minio() { --set "users[0].secretKey"="$(printf '%q' "$(printf '%q' "$secret_key")")" \ --set "users[0].policy"=consoleAdmin \ --set service.type=ClusterIP \ - --set configPathmc=/tmp/.minio/ \ --set persistence.size=2G \ --set securityContext.enabled=false \ + "${additional_helm_args[@]}" \ minio/minio - MINIO_POD=$(kubectl -n "${NAMESPACE}" get pods --selector=release=minio-service -o 'jsonpath={.items[].metadata.name}') + + MINIO_POD=$( + kubectl -n "${NAMESPACE}" get pods \ + --selector=release=${name} \ + -o 'jsonpath={.items[].metadata.name}' + ) + wait_pod $MINIO_POD # create bucket kubectl -n "${NAMESPACE}" run -i --rm aws-cli --image=perconalab/awscli --restart=Never -- \ bash -c "AWS_ACCESS_KEY_ID='$access_key' AWS_SECRET_ACCESS_KEY='$secret_key' AWS_DEFAULT_REGION=us-east-1 \ - /usr/bin/aws --endpoint-url http://minio-service:9000 s3 mb s3://operator-testing" + /usr/bin/aws --endpoint-url ${endpoint_url} ${aws_extra_args} s3 mb s3://operator-testing" } get_repo_auth() { @@ -1744,4 +1776,4 @@ verify_hugepages_usage() { echo "Hugepages available but NOT being used by PostgreSQL" return 1 fi -} \ No newline at end of file +} diff --git a/e2e-tests/tests/migration-from-crunchy-backup-restore/00-deploy-operators.yaml b/e2e-tests/tests/migration-from-crunchy-backup-restore/00-deploy-operators.yaml index ee4da28439..f101b67782 100644 --- a/e2e-tests/tests/migration-from-crunchy-backup-restore/00-deploy-operators.yaml +++ b/e2e-tests/tests/migration-from-crunchy-backup-restore/00-deploy-operators.yaml 
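Review bot: `${aws_extra_args}` in the `aws` call carries `--no-verify-ssl` for every TLS caller, so certificate verification of the MinIO endpoint is now switched off inside the shared helper with no comment saying why. The callers build the `minio-tls` secret from a certificate under `${TEMP_DIR}`, so this is presumably a per-run self-signed certificate; state that next to the flag, e.g. `# MinIO cert is generated per test run and is not in the awscli image trust store`. Separately, `--selector=release=${name}` is unquoted and `wait_pod $MINIO_POD` stays unquoted; `--selector="release=${name}"` and `wait_pod "${MINIO_POD}"` match the quoting the removed inline copies used.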
@@ -36,37 +36,7 @@ commands: --from-file=public.crt="${TEMP_DIR}/minio.crt" \ --from-file=private.key="${TEMP_DIR}/minio.key" - helm repo remove minio 2>/dev/null || true - helm repo add minio https://charts.min.io/ - helm uninstall -n "${NAMESPACE}" minio-service 2>/dev/null || true - retry 10 60 helm install minio-service minio/minio \ - -n "${NAMESPACE}" \ - --version "${MINIO_VER}" \ - --set replicas=1 \ - --set mode=standalone \ - --set resources.requests.memory=256Mi \ - --set rootUser=rootuser \ - --set rootPassword=rootpass123 \ - --set "users[0].accessKey=$(printf '%q' "$(printf '%q' "$access_key")")" \ - --set "users[0].secretKey=$(printf '%q' "$(printf '%q' "$secret_key")")" \ - --set "users[0].policy=consoleAdmin" \ - --set service.type=ClusterIP \ - --set configPathmc=/tmp/.minio/ \ - --set persistence.size=2G \ - --set securityContext.enabled=false \ - --set tls.enabled=true \ - --set tls.certSecret=minio-tls - - MINIO_POD=$(kubectl -n "${NAMESPACE}" get pods \ - --selector=release=minio-service -o 'jsonpath={.items[].metadata.name}') - wait_pod "${MINIO_POD}" - - kubectl -n "${NAMESPACE}" run -i --rm aws-cli \ - --image=perconalab/awscli --restart=Never -- bash -c \ - "AWS_ACCESS_KEY_ID='${access_key}' AWS_SECRET_ACCESS_KEY='${secret_key}' \ - AWS_DEFAULT_REGION=us-east-1 \ - /usr/bin/aws --endpoint-url https://minio-service:9000 --no-verify-ssl \ - s3 mb s3://operator-testing" + deploy_minio minio-service minio-tls cat > "${TEMP_DIR}/pgbackrest-minio.ini" << EOF [global] diff --git a/e2e-tests/tests/migration-from-crunchy-pv/00-deploy-operators.yaml b/e2e-tests/tests/migration-from-crunchy-pv/00-deploy-operators.yaml index 10f064e88b..1289a68822 100644 --- a/e2e-tests/tests/migration-from-crunchy-pv/00-deploy-operators.yaml +++ b/e2e-tests/tests/migration-from-crunchy-pv/00-deploy-operators.yaml 
@@ -18,7 +18,8 @@ commands: --set singleNamespace=true \ --wait - # Deploy minio WITH TLS — pgBackRest requires HTTPS; repo1-s3-verify-tls=n skips validation. + # Deploy MinIO using the shared helper so this test follows the same + # setup path as the rest of the suite. kubectl -n "${NAMESPACE}" apply -f "${TESTS_CONFIG_DIR}/minio-secret.yml" access_key="$(kubectl -n "${NAMESPACE}" get secret minio-secret \ @@ -35,37 +36,7 @@ commands: --from-file=public.crt="${TEMP_DIR}/minio.crt" \ --from-file=private.key="${TEMP_DIR}/minio.key" - helm repo remove minio 2>/dev/null || true - helm repo add minio https://charts.min.io/ - helm uninstall -n "${NAMESPACE}" minio-service 2>/dev/null || true - retry 10 60 helm install minio-service minio/minio \ - -n "${NAMESPACE}" \ - --version "${MINIO_VER}" \ - --set replicas=1 \ - --set mode=standalone \ - --set resources.requests.memory=256Mi \ - --set rootUser=rootuser \ - --set rootPassword=rootpass123 \ - --set "users[0].accessKey=$(printf '%q' "$(printf '%q' "$access_key")")" \ - --set "users[0].secretKey=$(printf '%q' "$(printf '%q' "$secret_key")")" \ - --set "users[0].policy=consoleAdmin" \ - --set service.type=ClusterIP \ - --set configPathmc=/tmp/.minio/ \ - --set persistence.size=2G \ - --set securityContext.enabled=false \ - --set tls.enabled=true \ - --set tls.certSecret=minio-tls - - MINIO_POD=$(kubectl -n "${NAMESPACE}" get pods \ - --selector=release=minio-service -o 'jsonpath={.items[].metadata.name}') - wait_pod "${MINIO_POD}" - - kubectl -n "${NAMESPACE}" run -i --rm aws-cli \ - --image=perconalab/awscli --restart=Never -- bash -c \ - "AWS_ACCESS_KEY_ID='${access_key}' AWS_SECRET_ACCESS_KEY='${secret_key}' \ - AWS_DEFAULT_REGION=us-east-1 \ - /usr/bin/aws --endpoint-url https://minio-service:9000 --no-verify-ssl \ - s3 mb s3://operator-testing" + deploy_minio minio-service minio-tls cat > "${TEMP_DIR}/pgbackrest-minio.ini" << EOF [global] From 874e79d3c1eeaaeb2101260f13105c3c59d1eac1 Mon Sep 17 00:00:00 2001 
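Review bot: The rewritten comment in the first hunk drops the only statement that this MinIO instance is served over TLS and that `repo1-s3-verify-tls=n` disables certificate validation on the pgBackRest side; the new wording describes code organisation only. Keep the security-relevant half, e.g. `# Deploy MinIO with TLS via the shared helper: pgBackRest requires HTTPS; repo1-s3-verify-tls=n skips certificate validation.` The script block continues outside the hunk.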
From: valmiranogueira
Date: Tue, 19 May 2026 19:24:07 -0300
Subject: [PATCH 3/4] Fix migration test name and Minio installation
---
 e2e-tests/run-release.csv | 2 +-
 .../00-deploy-operators.yaml | 32 +------------------
 2 files changed, 2 insertions(+), 32 deletions(-)
diff --git a/e2e-tests/run-release.csv b/e2e-tests/run-release.csv
index 72910e2af7..a073552ffe 100644
--- a/e2e-tests/run-release.csv
+++ b/e2e-tests/run-release.csv
@@ -40,4 +40,4 @@ upgrade-minor
 users
 migration-from-crunchy-backup-restore
 migration-from-crunchy-pv
-migration-from-crunchy-standb
+migration-from-crunchy-standby
diff --git a/e2e-tests/tests/migration-from-crunchy-standby/00-deploy-operators.yaml b/e2e-tests/tests/migration-from-crunchy-standby/00-deploy-operators.yaml
index 39a0d3c2bc..ab06269c20 100644
--- a/e2e-tests/tests/migration-from-crunchy-standby/00-deploy-operators.yaml
+++ b/e2e-tests/tests/migration-from-crunchy-standby/00-deploy-operators.yaml
@@ -39,37 +39,7 @@ commands: --from-file=public.crt="${TEMP_DIR}/minio.crt" \ --from-file=private.key="${TEMP_DIR}/minio.key" - helm repo remove minio 2>/dev/null || true - helm repo add minio https://charts.min.io/ - helm uninstall -n "${NAMESPACE}" minio-service 2>/dev/null || true - retry 10 60 helm install minio-service minio/minio \ - -n "${NAMESPACE}" \ - --version "${MINIO_VER}" \ - --set replicas=1 \ - --set mode=standalone \ - --set resources.requests.memory=256Mi \ - --set rootUser=rootuser \ - --set rootPassword=rootpass123 \ - --set "users[0].accessKey=$(printf '%q' "$(printf '%q' "$access_key")")" \ - --set "users[0].secretKey=$(printf '%q' "$(printf '%q' "$secret_key")")" \ - --set "users[0].policy=consoleAdmin" \ - --set service.type=ClusterIP \ - --set configPathmc=/tmp/.minio/ \ - --set persistence.size=2G \ - --set securityContext.enabled=false \ - --set tls.enabled=true \ - --set tls.certSecret=minio-tls - - MINIO_POD=$(kubectl -n "${NAMESPACE}" get pods \ - --selector=release=minio-service -o 'jsonpath={.items[].metadata.name}') - wait_pod "${MINIO_POD}" - - kubectl -n "${NAMESPACE}" run -i --rm aws-cli \ - --image=perconalab/awscli --restart=Never -- bash -c \ - "AWS_ACCESS_KEY_ID='${access_key}' AWS_SECRET_ACCESS_KEY='${secret_key}' \ - AWS_DEFAULT_REGION=us-east-1 \ - /usr/bin/aws --endpoint-url https://minio-service:9000 --no-verify-ssl \ - s3 mb s3://operator-testing" + deploy_minio minio-service minio-tls cat > "${TEMP_DIR}/pgbackrest-minio.ini" << EOF [global] From 7b689f38bda7585ffb2d857b121965547a37c886 Mon Sep 17 00:00:00 2001 From: valmiranogueira Date: Tue, 19 May 2026 19:44:06 -0300 Subject: [PATCH 4/4] Fix lint --- e2e-tests/functions | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/e2e-tests/functions b/e2e-tests/functions index 6c570f587b..1301c17280 100644 --- a/e2e-tests/functions +++ b/e2e-tests/functions 
@@ -224,7 +224,7 @@ deploy_minio() { local aws_extra_args="" local service_account_name="minio-sa" local -a additional_helm_args - + access_key="$(kubectl -n "${NAMESPACE}" get secret minio-secret -o jsonpath='{.data.AWS_ACCESS_KEY_ID}' | base64 -d)" secret_key="$(kubectl -n "${NAMESPACE}" get secret minio-secret -o jsonpath='{.data.AWS_SECRET_ACCESS_KEY}' | base64 -d)"