kubestash · hmsayem · Feb 1, 2024 · Jan 31, 2024 · Jan 31, 2024 · Feb 1, 2024
diff --git a/apis/addons/v1alpha1/zz_generated.deepcopy.go b/apis/addons/v1alpha1/zz_generated.deepcopy.go
diff --git a/apis/config/v1alpha1/zz_generated.deepcopy.go b/apis/config/v1alpha1/zz_generated.deepcopy.go
diff --git a/apis/core/v1alpha1/zz_generated.deepcopy.go b/apis/core/v1alpha1/zz_generated.deepcopy.go
diff --git a/apis/storage/v1alpha1/types.go b/apis/storage/v1alpha1/types.go
@@ -107,6 +107,11 @@ type S3Spec struct {
 	// SecretName specifies the name of the Secret that contains the access credential for this storage.
 	// +optional
 	SecretName string `json:"secretName,omitempty"`
+
+	// When InsecureSkipVerify is set to true in a TLS configuration,
+	// crypto/tls will accept any certificate without verifying its authenticity.
+	// +optional
+	InsecureTLS bool `json:"insecureTLS,omitempty"`
 }
 
 type GCSSpec struct {

diff --git a/apis/storage/v1alpha1/zz_generated.deepcopy.go b/apis/storage/v1alpha1/zz_generated.deepcopy.go
diff --git a/apis/zz_generated.deepcopy.go b/apis/zz_generated.deepcopy.go
diff --git a/crds/storage.kubestash.com_backupstorages.yaml b/crds/storage.kubestash.com_backupstorages.yaml
@@ -4488,6 +4488,11 @@ spec:
                         description: Endpoint specifies the URL of the S3 or S3 compatible
                           storage bucket.
                         type: string
+                      insecureTLS:
+                        description: When InsecureSkipVerify is set to true in a TLS
+                          configuration, crypto/tls will accept any certificate without
+                          verifying its authenticity.
+                        type: boolean
                       prefix:
                         description: Prefix specifies a directory inside the bucket/container
                           where the data for this backend will be stored.

diff --git a/pkg/restic/commands.go b/pkg/restic/commands.go
@@ -79,6 +79,7 @@ func (w *ResticWrapper) listSnapshots(snapshotIDs []string) ([]Snapshot, error)
 	result := make([]Snapshot, 0)
 	args := w.appendCacheDirFlag([]interface{}{"snapshots", "--json", "--quiet", "--no-lock"})
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	for _, id := range snapshotIDs {
 		args = append(args, id)
@@ -94,6 +95,7 @@ func (w *ResticWrapper) listSnapshots(snapshotIDs []string) ([]Snapshot, error)
 func (w *ResticWrapper) tryDeleteSnapshots(snapshotIDs []string) ([]byte, error) {
 	args := w.appendCacheDirFlag([]interface{}{"forget", "--quiet", "--prune"})
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	for _, id := range snapshotIDs {
 		args = append(args, id)
@@ -118,6 +120,7 @@ func (w *ResticWrapper) repositoryExist() bool {
 	klog.Infoln("Checking whether the backend repository exist or not....")
 	args := w.appendCacheDirFlag([]interface{}{"snapshots", "--json", "--no-lock"})
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	if _, err := w.run(Command{Name: ResticCMD, Args: args}); err == nil {
 		return true
@@ -133,6 +136,7 @@ func (w *ResticWrapper) initRepository() error {
 
 	args := w.appendCacheDirFlag([]interface{}{"init"})
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	_, err := w.run(Command{Name: ResticCMD, Args: args})
 	return err
@@ -169,6 +173,7 @@ func (w *ResticWrapper) backup(params backupParams) ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendCleanupCacheFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
@@ -192,6 +197,7 @@ func (w *ResticWrapper) backupFromStdin(options BackupOptions) ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendCleanupCacheFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 
 	commands = append(commands, Command{Name: ResticCMD, Args: args})
@@ -237,6 +243,7 @@ func (w *ResticWrapper) restore(params restoreParams) ([]byte, error) {
 	}
 	args = w.appendCacheDirFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
@@ -268,6 +275,7 @@ func (w *ResticWrapper) DumpOnce(dumpOptions DumpOptions) ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendCaCertFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	// first add restic command, then add StdoutPipeCommands
 	commands := []Command{
@@ -282,6 +290,7 @@ func (w *ResticWrapper) check() ([]byte, error) {
 	args := w.appendCacheDirFlag([]interface{}{"check", "--no-lock"})
 	args = w.appendCaCertFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
@@ -295,6 +304,7 @@ func (w *ResticWrapper) stats(snapshotID string) ([]byte, error) {
 	args = w.appendMaxConnectionsFlag(args)
 	args = append(args, "--quiet", "--json", "--mode", "raw-data", "--no-lock")
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
@@ -304,6 +314,7 @@ func (w *ResticWrapper) unlock() ([]byte, error) {
 	args := w.appendCacheDirFlag([]interface{}{"unlock", "--remove-all"})
 	args = w.appendMaxConnectionsFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
@@ -457,6 +468,7 @@ func (w *ResticWrapper) addKey(params keyParams) ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
@@ -469,6 +481,7 @@ func (w *ResticWrapper) listKey() ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
@@ -485,6 +498,7 @@ func (w *ResticWrapper) updateKey(params keyParams) ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
@@ -497,6 +511,7 @@ func (w *ResticWrapper) removeKey(params keyParams) ([]byte, error) {
 	args = w.appendCacheDirFlag(args)
 	args = w.appendMaxConnectionsFlag(args)
 	args = w.appendCaCertFlag(args)
+	args = w.appendInsecureTLSFlag(args)
 
 	return w.run(Command{Name: ResticCMD, Args: args})
 }
diff --git a/pkg/restic/config.go b/pkg/restic/config.go
@@ -84,6 +84,7 @@ type backend struct {
 	bucket         string
 	endpoint       string
 	region         string
+	insecureTLS    bool
 	path           string
 	storageAccount string
 }
@@ -225,3 +226,10 @@ func (w *ResticWrapper) Copy() *ResticWrapper {
 	out.config = w.config
 	return out
 }
+
+func (w *ResticWrapper) appendInsecureTLSFlag(args []interface{}) []interface{} {
+	if w.config.insecureTLS {
+		return append(args, "--insecure-tls")
+	}
+	return args
+}
diff --git a/pkg/restic/setup.go b/pkg/restic/setup.go
@@ -377,6 +377,7 @@ func (w *ResticWrapper) setBackupStorageVariables() error {
 		w.config.bucket = s3.Bucket
 		w.config.endpoint = s3.Endpoint
 		w.config.path = s3.Prefix
+		w.config.insecureTLS = s3.InsecureTLS
 		secret = s3.SecretName
 	}