Add InsecureTLS field for S3 backend storage (#100)

* Add `InsecureTLS` field for `S3` backend storage
Signed-off-by: Anisur Rahman <anisur@appscode.com>

* Add `--insecure-tls` into restic
Signed-off-by: Anisur Rahman <anisur@appscode.com>

* Update api comment

Signed-off-by: Anisur Rahman <anisur@appscode.com>

---------

Signed-off-by: Anisur Rahman <anisur@appscode.com>

apis/storage/v1alpha1/types.go

@@ -107,6 +107,14 @@ type S3Spec struct {
 	// SecretName specifies the name of the Secret that contains the access credential for this storage.
 	// +optional
 	SecretName string `json:"secretName,omitempty"`
+
+	// InsecureTLS controls whether a client should skip TLS certificate verification.
+	// Setting this field to true disables verification, which might be necessary in cases
+	// where the server uses self-signed certificates or certificates from an untrusted CA.
+	// Use this option with caution, as it can expose the client to man-in-the-middle attacks
+	// and other security risks. Only use it when absolutely necessary.
+	// +optional
+	InsecureTLS bool `json:"insecureTLS,omitempty"`
 }
 
 type GCSSpec struct {

crds/storage.kubestash.com_backupstorages.yaml

@@ -4488,6 +4488,16 @@ spec:
                         description: Endpoint specifies the URL of the S3 or S3 compatible
                           storage bucket.
                         type: string
+                      insecureTLS:
+                        description: InsecureTLS controls whether a client should
+                          skip TLS certificate verification. Setting this field to
+                          true disables verification, which might be necessary in
+                          cases where the server uses self-signed certificates or
+                          certificates from an untrusted CA. Use this option with
+                          caution, as it can expose the client to man-in-the-middle
+                          attacks and other security risks. Only use it when absolutely
+                          necessary.
+                        type: boolean
                       prefix:
                         description: Prefix specifies a directory inside the bucket/container
                           where the data for this backend will be stored.

pkg/restic/commands.go

@@ -79,6 +79,7 @@ func (w *ResticWrapper) listSnapshots(snapshotIDs []string) ([]Snapshot, error)
 	result := make([]Snapshot, 0)
 	args := w.appendCacheDirFlag([]interface{}{"snapshots", "--json", "--quiet", "--no-lock"})
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	for _, id := range snapshotIDs {
 		args = append(args, id)
@@ -94,6 +95,7 @@ func (w *ResticWrapper) listSnapshots(snapshotIDs []string) ([]Snapshot, error)
 func (w *ResticWrapper) tryDeleteSnapshots(snapshotIDs []string) ([]byte, error) {
 	args := w.appendCacheDirFlag([]interface{}{"forget", "--quiet", "--prune"})
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	for _, id := range snapshotIDs {
 		args = append(args, id)
@@ -118,6 +120,7 @@ func (w *ResticWrapper) repositoryExist() bool {
 	klog.Infoln("Checking whether the backend repository exist or not....")
 	args := w.appendCacheDirFlag([]interface{}{"snapshots", "--json", "--no-lock"})
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	if _, err := w.run(Command{Name: ResticCMD, Args: args}); err == nil {
 		return true
@@ -133,6 +136,7 @@ func (w *ResticWrapper) initRepository() error {
 
 	args := w.appendCacheDirFlag([]interface{}{"init"})
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	_, err := w.run(Command{Name: ResticCMD, Args: args})
 	return err
@@ -169,6 +173,7 @@ func (w *ResticWrapper) backup(params backupParams) ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendCleanupCacheFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
@@ -192,6 +197,7 @@ func (w *ResticWrapper) backupFromStdin(options BackupOptions) ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendCleanupCacheFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 
 	commands = append(commands, Command{Name: ResticCMD, Args: args})
@@ -237,6 +243,7 @@ func (w *ResticWrapper) restore(params restoreParams) ([]byte, error) {
 	}
 	args = w.appendCacheDirFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
@@ -268,6 +275,7 @@ func (w *ResticWrapper) DumpOnce(dumpOptions DumpOptions) ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendCaCertFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	// first add restic command, then add StdoutPipeCommands
 	commands := []Command{
@@ -282,6 +290,7 @@ func (w *ResticWrapper) check() ([]byte, error) {
 	args := w.appendCacheDirFlag([]interface{}{"check", "--no-lock"})
 	args = w.appendCaCertFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
@@ -295,6 +304,7 @@ func (w *ResticWrapper) stats(snapshotID string) ([]byte, error) {
 	args = w.appendMaxConnectionsFlag(args)
 	args = append(args, "--quiet", "--json", "--mode", "raw-data", "--no-lock")
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
@@ -304,6 +314,7 @@ func (w *ResticWrapper) unlock() ([]byte, error) {
 	args := w.appendCacheDirFlag([]interface{}{"unlock", "--remove-all"})
 	args = w.appendMaxConnectionsFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
@@ -457,6 +468,7 @@ func (w *ResticWrapper) addKey(params keyParams) ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
@@ -469,6 +481,7 @@ func (w *ResticWrapper) listKey() ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
@@ -485,6 +498,7 @@ func (w *ResticWrapper) updateKey(params keyParams) ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
@@ -497,6 +511,7 @@ func (w *ResticWrapper) removeKey(params keyParams) ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }

pkg/restic/config.go

@@ -84,6 +84,7 @@ type backend struct {
 	bucket         string
 	endpoint       string
 	region         string
+	insecureTLS    bool
 	path           string
 	storageAccount string
 }
@@ -225,3 +226,10 @@ func (w *ResticWrapper) Copy() *ResticWrapper {
 	out.config = w.config
 	return out
 }
+
+func (w *ResticWrapper) appendInsecureTLSFlag(args []interface{}) []interface{} {
+	if w.config.insecureTLS {
+		return append(args, "--insecure-tls")
+	}
+	return args
+}

pkg/restic/setup.go

@@ -377,6 +377,7 @@ func (w *ResticWrapper) setBackupStorageVariables() error {
 		w.config.bucket = s3.Bucket
 		w.config.endpoint = s3.Endpoint
 		w.config.path = s3.Prefix
+		w.config.insecureTLS = s3.InsecureTLS
 		secret = s3.SecretName
 	}