[ADD] Supporting self certificate authority and mTls when using S3 object storage

Signed-off-by: Pooya Azarpour <[email protected]>

Author: poyaz

cmd/restic/main.go

@@ -20,8 +20,12 @@ import (
 )
 
 const (
-	backupDirEnvKey  = "BACKUP_DIR"
-	restoreDirEnvKey = "RESTORE_DIR"
+	backupDirEnvKey      = "BACKUP_DIR"
+	restoreDirEnvKey     = "RESTORE_DIR"
+	caCertFileEnvKey     = "CA_CERT_FILE"
+	clientCertFileEnvKey = "CLIENT_CERT_FILE"
+	clientKeyFileEnvKey  = "CLIENT_KEY_FILE"
+	workDirEnvKey        = "WORK_DIR"
 
 	restoreTypeArg              = "restoreType"
 	restoreS3EndpointArg        = "restoreS3Endpoint"
@@ -63,6 +67,9 @@ var (
 			&cli.StringFlag{Destination: &cfg.Config.RestoreS3AccessKey, Name: restoreS3AccessKeyIDArg, EnvVars: []string{"RESTORE_ACCESSKEYID"}, Usage: "S3 access key used to connect to the S3 endpoint when restoring"},
 			&cli.StringFlag{Destination: &cfg.Config.RestoreS3SecretKey, Name: restoreS3SecretAccessKeyArg, EnvVars: []string{"RESTORE_SECRETACCESSKEY"}, Usage: "S3 secret key used to connect to the S3 endpoint when restoring"},
 			&cli.StringFlag{Destination: &cfg.Config.RestoreS3Endpoint, Name: restoreS3EndpointArg, EnvVars: []string{"RESTORE_S3ENDPOINT"}, Usage: "S3 endpoint to connect to when restoring, e.g. 'https://minio.svc:9000/backup"},
+			&cli.PathFlag{Destination: &cfg.Config.RestoreCACert, Name: "restoreCaCert", Usage: "The certificate authority file path using for restore (If isn't filled, using caCert)"},
+			&cli.PathFlag{Destination: &cfg.Config.RestoreClientCert, Name: "restoreClientCert", Usage: "The client certificate file path using for restore (If isn't filled, using clientCert)"},
+			&cli.PathFlag{Destination: &cfg.Config.RestoreClientKey, Name: "restoreClientKey", Usage: "The client private key file path using for restore (If isn't filled, using clientKey)"},
 			&cli.BoolFlag{Destination: &cfg.Config.VerifyRestore, Name: "verifyRestore", Usage: "If the restore should get verified, only for PVCs restore"},
 			&cli.BoolFlag{Destination: &cfg.Config.RestoreTrimPath, Name: "trimRestorePath", EnvVars: []string{"TRIM_RESTOREPATH"}, Value: true, DefaultText: "enabled", Usage: "If set, strips the value of --restoreDir from the lefts side of the remote restore path value"},
 
@@ -87,6 +94,11 @@ var (
 
 			&cli.StringSliceFlag{Name: "targetPods", EnvVars: []string{"TARGET_PODS"}, Usage: "Filter list of pods by TARGET_PODS names"},
 			&cli.DurationFlag{Destination: &cfg.Config.SleepDuration, Name: "sleepDuration", EnvVars: []string{"SLEEP_DURATION"}, Usage: "Sleep for specified amount until init starts"},
+
+			&cli.PathFlag{Destination: &cfg.Config.VarDir, Name: "varDir", Value: "/k8up", Usage: "The var directory is stored k8up metadata files and temporary files"},
+			&cli.PathFlag{Destination: &cfg.Config.CACert, Name: "caCert", EnvVars: []string{caCertFileEnvKey}, Usage: "The certificate authority file path"},
+			&cli.PathFlag{Destination: &cfg.Config.ClientCert, Name: "clientCert", EnvVars: []string{clientCertFileEnvKey}, Usage: "The client certificate file path"},
+			&cli.PathFlag{Destination: &cfg.Config.ClientKey, Name: "clientKey", EnvVars: []string{clientKeyFileEnvKey}, Usage: "The client private key file path"},
 		},
 	}
 )
@@ -197,30 +209,52 @@ func doCheck(resticCLI *resticCli.Restic) error {
 }
 
 func doRestore(resticCLI *resticCli.Restic) error {
-	if cfg.Config.DoRestore {
-		if err := resticCLI.Restore(cfg.Config.RestoreSnap, resticCli.RestoreOptions{
-			RestoreType:   resticCli.RestoreType(cfg.Config.RestoreType),
-			RestoreDir:    cfg.Config.RestoreDir,
-			RestoreFilter: cfg.Config.RestoreFilter,
-			Verify:        cfg.Config.VerifyRestore,
-			S3Destination: resticCli.S3Bucket{
-				Endpoint:  cfg.Config.RestoreS3Endpoint,
-				AccessKey: cfg.Config.RestoreS3AccessKey,
-				SecretKey: cfg.Config.RestoreS3SecretKey,
-			},
-		}, cfg.Config.Tags); err != nil {
-			return fmt.Errorf("restore job failed: %w", err)
-		}
+	if !cfg.Config.DoRestore {
+		return nil
+	}
+
+	restoreOptions := resticCli.RestoreOptions{
+		RestoreType:   resticCli.RestoreType(cfg.Config.RestoreType),
+		RestoreDir:    cfg.Config.RestoreDir,
+		RestoreFilter: cfg.Config.RestoreFilter,
+		Verify:        cfg.Config.VerifyRestore,
+		S3Destination: resticCli.S3Bucket{
+			Endpoint:  cfg.Config.RestoreS3Endpoint,
+			AccessKey: cfg.Config.RestoreS3AccessKey,
+			SecretKey: cfg.Config.RestoreS3SecretKey,
+			Cert:      fillRestoreS3Cert(),
+		},
 	}
+
+	if err := resticCLI.Restore(cfg.Config.RestoreSnap, restoreOptions, cfg.Config.Tags); err != nil {
+		return fmt.Errorf("restore job failed: %w", err)
+	}
+
 	return nil
 }
 
 func doArchive(resticCLI *resticCli.Restic) error {
-	if cfg.Config.DoArchive {
-		if err := resticCLI.Archive(cfg.Config.ResticBin, cfg.Config.VerifyRestore, cfg.Config.Tags); err != nil {
-			return fmt.Errorf("archive job failed: %w", err)
-		}
+	if !cfg.Config.DoArchive {
+		return nil
 	}
+
+	restoreOptions := resticCli.RestoreOptions{
+		RestoreType:   resticCli.RestoreType(cfg.Config.RestoreType),
+		RestoreDir:    cfg.Config.RestoreDir,
+		RestoreFilter: cfg.Config.RestoreFilter,
+		Verify:        cfg.Config.VerifyRestore,
+		S3Destination: resticCli.S3Bucket{
+			Endpoint:  cfg.Config.RestoreS3Endpoint,
+			AccessKey: cfg.Config.RestoreS3AccessKey,
+			SecretKey: cfg.Config.RestoreS3SecretKey,
+			Cert:      fillRestoreS3Cert(),
+		},
+	}
+
+	if err := resticCLI.Archive(restoreOptions, cfg.Config.Tags); err != nil {
+		return fmt.Errorf("archive job failed: %w", err)
+	}
+
 	return nil
 }
 
@@ -289,3 +323,15 @@ func cancelOnTermination(cancel context.CancelFunc, mainLogger logr.Logger) {
 		cancel()
 	}()
 }
+
+func fillRestoreS3Cert() (cert resticCli.S3Cert) {
+	if cfg.Config.RestoreCACert != "" {
+		cert.CACert = cfg.Config.RestoreCACert
+	}
+	if cfg.Config.RestoreClientCert != "" && cfg.Config.RestoreClientKey != "" {
+		cert.ClientCert = cfg.Config.RestoreClientCert
+		cert.ClientKey = cfg.Config.RestoreClientKey
+	}
+
+	return cert
+}

envtest/envsuite.go

@@ -235,5 +235,6 @@ func defaultConfiguration() *cfg.Configuration {
 		MetricsBindAddress:               ":8080",
 		PodFilter:                        "backupPod=true",
 		EnableLeaderElection:             true,
+		PodVarDir:                        "/k8up",
 	}
 }

operator/archivecontroller/executor.go

@@ -2,8 +2,8 @@ package archivecontroller
 
 import (
 	"context"
-
 	"github.com/k8up-io/k8up/v2/operator/executor"
+	"github.com/k8up-io/k8up/v2/operator/utils"
 	batchv1 "k8s.io/api/batch/v1"
 	corev1 "k8s.io/api/core/v1"
 	controllerruntime "sigs.k8s.io/controller-runtime"
@@ -14,17 +14,22 @@ import (
 	"github.com/k8up-io/k8up/v2/operator/job"
 )
 
-const archivePath = "/archive"
+const (
+	archivePath  = "/archive"
+	_dataDirName = "k8up-dir"
+)
 
 // ArchiveExecutor will execute the batch.job for archive.
 type ArchiveExecutor struct {
 	executor.Generic
+	archive *k8upv1.Archive
 }
 
 // NewArchiveExecutor will return a new executor for archive jobs.
 func NewArchiveExecutor(config job.Config) *ArchiveExecutor {
 	return &ArchiveExecutor{
 		Generic: executor.Generic{Config: config},
+		archive: config.Obj.(*k8upv1.Archive),
 	}
 }
 
@@ -36,22 +41,26 @@ func (a *ArchiveExecutor) GetConcurrencyLimit() int {
 // Execute creates the actual batch.job on the k8s api.
 func (a *ArchiveExecutor) Execute(ctx context.Context) error {
 	log := controllerruntime.LoggerFrom(ctx)
-	archive := a.Obj.(*k8upv1.Archive)
 
 	batchJob := &batchv1.Job{}
 	batchJob.Name = a.jobName()
-	batchJob.Namespace = archive.Namespace
+	batchJob.Namespace = a.archive.Namespace
 
 	_, err := controllerutil.CreateOrUpdate(ctx, a.Client, batchJob, func() error {
-		mutateErr := job.MutateBatchJob(batchJob, archive, a.Config)
+		mutateErr := job.MutateBatchJob(batchJob, a.archive, a.Config)
 		if mutateErr != nil {
 			return mutateErr
 		}
 
-		batchJob.Spec.Template.Spec.Containers[0].Env = a.setupEnvVars(ctx, archive)
-		archive.Spec.AppendEnvFromToContainer(&batchJob.Spec.Template.Spec.Containers[0])
-		batchJob.Spec.Template.Spec.Containers[0].Args = a.setupArgs(archive)
-		return nil
+		batchJob.Spec.Template.Spec.Containers[0].Env = a.setupEnvVars(ctx, a.archive)
+		a.archive.Spec.AppendEnvFromToContainer(&batchJob.Spec.Template.Spec.Containers[0])
+		batchJob.Spec.Template.Spec.Containers[0].VolumeMounts = a.attachMoreVolumeMounts()
+		batchJob.Spec.Template.Spec.Volumes = a.attachMoreVolumes()
+
+		args, argsErr := a.setupArgs()
+		batchJob.Spec.Template.Spec.Containers[0].Args = args
+
+		return argsErr
 	})
 	if err != nil {
 		log.Error(err, "could not create job")
@@ -67,16 +76,17 @@ func (a *ArchiveExecutor) jobName() string {
 	return k8upv1.ArchiveType.String() + "-" + a.Obj.GetName()
 }
 
-func (a *ArchiveExecutor) setupArgs(archive *k8upv1.Archive) []string {
-	args := []string{"-archive", "-restoreType", "s3"}
+func (a *ArchiveExecutor) setupArgs() ([]string, error) {
+	args := a.appendOptionsArgs()
 
-	if archive.Spec.RestoreSpec != nil {
-		if len(archive.Spec.RestoreSpec.Tags) > 0 {
-			args = append(args, executor.BuildTagArgs(archive.Spec.RestoreSpec.Tags)...)
+	args = append(args, []string{"-archive", "-restoreType", "s3"}...)
+	if a.archive.Spec.RestoreSpec != nil {
+		if len(a.archive.Spec.RestoreSpec.Tags) > 0 {
+			args = append(args, executor.BuildTagArgs(a.archive.Spec.RestoreSpec.Tags)...)
 		}
 	}
 
-	return args
+	return args, nil
 }
 
 func (a *ArchiveExecutor) setupEnvVars(ctx context.Context, archive *k8upv1.Archive) []corev1.EnvVar {
@@ -118,3 +128,96 @@ func (a *ArchiveExecutor) setupEnvVars(ctx context.Context, archive *k8upv1.Arch
 func (a *ArchiveExecutor) cleanupOldArchives(ctx context.Context, archive *k8upv1.Archive) {
 	a.CleanupOldResources(ctx, &k8upv1.ArchiveList{}, archive.Namespace, archive)
 }
+
+func (a *ArchiveExecutor) appendOptionsArgs() []string {
+	var args []string
+
+	args = append(args, []string{"--varDir", cfg.Config.PodVarDir}...)
+
+	if a.archive.Spec.Backend.Options != nil {
+		if a.archive.Spec.Backend.Options.CACert != "" {
+			args = append(args, []string{"--caCert", a.archive.Spec.Backend.Options.CACert}...)
+		}
+		if a.archive.Spec.Backend.Options.ClientCert != "" && a.archive.Spec.Backend.Options.ClientKey != "" {
+			args = append(
+				args,
+				[]string{
+					"--clientCert",
+					a.archive.Spec.Backend.Options.ClientCert,
+					"--clientKey",
+					a.archive.Spec.Backend.Options.ClientKey,
+				}...,
+			)
+		}
+	}
+
+	if a.archive.Spec.RestoreMethod.Options != nil {
+		if a.archive.Spec.RestoreMethod.Options.CACert != "" {
+			args = append(args, []string{"--restoreCaCert", a.archive.Spec.RestoreMethod.Options.CACert}...)
+		}
+		if a.archive.Spec.RestoreMethod.Options.ClientCert != "" && a.archive.Spec.RestoreMethod.Options.ClientKey != "" {
+			args = append(
+				args,
+				[]string{
+					"--restoreClientCert",
+					a.archive.Spec.RestoreMethod.Options.ClientCert,
+					"--restoreClientKey",
+					a.archive.Spec.RestoreMethod.Options.ClientKey,
+				}...,
+			)
+		}
+	}
+
+	return args
+}
+
+func (a *ArchiveExecutor) attachMoreVolumes() []corev1.Volume {
+	ku8pVolume := corev1.Volume{
+		Name:         _dataDirName,
+		VolumeSource: corev1.VolumeSource{EmptyDir: &corev1.EmptyDirVolumeSource{}},
+	}
+
+	if utils.ZeroLen(a.archive.Spec.Volumes) {
+		return []corev1.Volume{ku8pVolume}
+	}
+
+	moreVolumes := make([]corev1.Volume, 0, len(*a.archive.Spec.Volumes)+1)
+	moreVolumes = append(moreVolumes, ku8pVolume)
+	for _, v := range *a.archive.Spec.Volumes {
+		vol := v
+
+		var volumeSource corev1.VolumeSource
+		if vol.PersistentVolumeClaim != nil {
+			volumeSource.PersistentVolumeClaim = vol.PersistentVolumeClaim
+		} else if vol.Secret != nil {
+			volumeSource.Secret = vol.Secret
+		} else if vol.ConfigMap != nil {
+			volumeSource.ConfigMap = vol.ConfigMap
+		} else {
+			continue
+		}
+
+		moreVolumes = append(moreVolumes, corev1.Volume{
+			Name:         vol.Name,
+			VolumeSource: volumeSource,
+		})
+	}
+
+	return moreVolumes
+}
+
+func (a *ArchiveExecutor) attachMoreVolumeMounts() []corev1.VolumeMount {
+	var volumeMount []corev1.VolumeMount
+
+	if a.archive.Spec.Backend.S3 != nil && !utils.ZeroLen(a.archive.Spec.Backend.S3.VolumeMounts) {
+		volumeMount = *a.archive.Spec.Backend.S3.VolumeMounts
+	}
+	if a.archive.Spec.Backend.Rest != nil && !utils.ZeroLen(a.archive.Spec.Backend.Rest.VolumeMounts) {
+		volumeMount = *a.archive.Spec.Backend.Rest.VolumeMounts
+	}
+
+	ku8pVolumeMount := corev1.VolumeMount{Name: _dataDirName, MountPath: cfg.Config.PodVarDir}
+	volumeMount = append(volumeMount, ku8pVolumeMount)
+
+	return volumeMount
+}