Pass-through CA certificates to Velero #925

Merged
merged 1 commit into from Jun 15, 2023

Collaborator

@hatfieldbrian hatfieldbrian commented Jun 13, 2023

Problem

An S3 store specified in a VRG's profiles has a certificate signed by a non-trusted authority and Kube object/resource protection is enabled but unable to store or retrieve data from it. See issue #921.

Proposed solution

Velero and OADP provide ways to specify CA certificates; both eventually specify them in a BackupStorageLocation. Provide a caCertificates input in each S3 profile and pass it through to the corresponding BackupStorageLocation.

  • Make s3StoreAccessor an S3StoreProfile to avoid field duplication

Test results

End-to-end shio-demo failover and failback completed successfully with caCertificates field omitted from s3StoreProfiles

Signed-off-by: hatfieldbrian <bhatfiel@redhat.com>
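
The description above passes caCertificates from an S3 profile through to the BackupStorageLocation as given. A pre-flight check on such a bundle, as an added example that is not code from this PR, Ramen or Velero: checkCABundle and sampleCert are hypothetical names, the certificate is constructed at run time, and the checks themselves (CERTIFICATE blocks only, CA flag set, within validity period) are assumptions about what a deployment would want to enforce.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// checkCABundle is a hypothetical pre-flight check (not Ramen or Velero code): every PEM
// block must be a parseable CA certificate that is valid at now. It returns the count.
func checkCABundle(bundle []byte, now time.Time) (int, error) {
	n := 0
	for block, rest := pem.Decode(bundle); block != nil; block, rest = pem.Decode(rest) {
		cert, err := x509.ParseCertificate(block.Bytes)
		switch {
		case block.Type != "CERTIFICATE": // e.g. a private key pasted into the profile
			return n, fmt.Errorf("block %d: unexpected PEM type %q", n, block.Type)
		case err != nil:
			return n, fmt.Errorf("block %d: %w", n, err)
		case !cert.BasicConstraintsValid || !cert.IsCA:
			return n, fmt.Errorf("block %d: not a CA certificate", n)
		case now.Before(cert.NotBefore) || now.After(cert.NotAfter):
			return n, fmt.Errorf("block %d: not valid at %s", n, now.Format(time.RFC3339))
		}
		n++
	}
	if n == 0 {
		return 0, fmt.Errorf("no PEM certificate found")
	}
	return n, nil
}

// sampleCert returns a constructed, self-signed certificate in PEM form (demo input only).
func sampleCert(isCA bool, notAfter time.Time) []byte {
	pub, key, kerr := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "constructed"},
		NotBefore: notAfter.Add(-48 * time.Hour), NotAfter: notAfter, IsCA: isCA, BasicConstraintsValid: true}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, key)
	if kerr != nil || err != nil {
		panic(fmt.Sprint(kerr, err))
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() { fmt.Println(checkCABundle(sampleCert(true, time.Now().Add(time.Hour)), time.Now())) }
```

Rejecting non-certificate blocks keeps key material that was pasted into a profile by mistake from being copied into another resource.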
Comment on lines -44 to +39
s3ProfileName,
s3StoreProfile.S3CompatibleEndpoint,
s3StoreProfile.S3Bucket,
s3StoreProfile.S3Region,
s3StoreProfile.VeleroNamespaceSecretKeyRef,
s3StoreProfile,
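
Review bot: the `s3StoreProfile,` argument at the end of this hunk passes the whole profile, which per the description now includes caCertificates, yet the test results in the description cover only profiles with caCertificates omitted. Consider adding a test that sets caCertificates in an S3 profile and checks that the corresponding BackupStorageLocation receives it unchanged, plus one confirming the omitted case leaves it unset.
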
Contributor

It's not obvious to me why this change is needed in this PR, but it's good refactoring. I believe the requests.go could use similar treatment so it's not required to pass in seven or so values for creating a backup/restore request, but that is optional and can/should be deferred.

Collaborator Author

One more field that had to be duplicated was enough for me to fix it. The kubeobjects interface is intended to be a separate "library" and not have any dependencies on Ramen including its S3StoreProfile.

@ShyamsundarR ShyamsundarR merged commit 5127005 into RamenDR:main Jun 15, 2023
9 checks passed
@hatfieldbrian hatfieldbrian deleted the cacert branch June 23, 2023 13:09