Create a custom CA secret for volsync.

Copy the CA cert field from each BackupStorageLocation's ObjectStorage to a secret that volsync can look up and pass to restic. Signed-off-by: Matthew Arnold <marnold@redhat.com>
openshift-cherrypick-robot · Mar 13, 2023 · 46d48e2 · 46d48e2
1 parent be0412c
commit 46d48e2
Showing 1 changed file with 60 additions and 0 deletions.
diff --git a/controllers/datamover.go b/controllers/datamover.go
@@ -28,6 +28,7 @@ const (
 	ResticRepository    = "RESTIC_REPOSITORY"
 	ResticsecretName    = "dm-credential"
 	ResticPruneInterval = "restic-prune-interval"
+	ResticCustomCAKey   = "CUSTOM_CA"
 
 	// batchNumbers vars
 	DefaultConcurrentBackupVolumes  = "10"
@@ -558,6 +559,59 @@ func (r *DPAReconciler) createResticSecretsPerBSL(dpa *oadpv1alpha1.DataProtecti
 	return nil, nil
 }
 
+func (r *DPAReconciler) createResticCustomCASecret(dpa *oadpv1alpha1.DataProtectionApplication, bsl velerov1.BackupStorageLocation) (*corev1.Secret, error) {
+	insecureSkipTLSVerify, skipPresent := bsl.Spec.Config["insecureSkipTLSVerify"]
+	if !skipPresent || insecureSkipTLSVerify != "false" {
+		return nil, nil
+	}
+	if bsl.Spec.ObjectStorage.CACert == nil {
+		return nil, errors.New("insecureSkipTLSVerify set to false with no caCert specified")
+	}
+
+	secret := &corev1.Secret{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      fmt.Sprintf("%s-volsync-restic-customca", bsl.Name),
+			Namespace: bsl.Namespace,
+			Labels: map[string]string{
+				oadpv1alpha1.OadpBSLnameLabel:     bsl.Name,
+				oadpv1alpha1.OadpBSLProviderLabel: bsl.Spec.Provider,
+				oadpv1alpha1.OadpOperatorLabel:    "True",
+			},
+		},
+	}
+
+	mutateSecret := func() error {
+		err := controllerutil.SetControllerReference(dpa, secret, r.Scheme)
+		if err != nil {
+			return err
+		}
+
+		rData := &corev1.Secret{
+			Data: map[string][]byte{
+				ResticCustomCAKey: []byte(bsl.Spec.ObjectStorage.CACert),
+			},
+		}
+		secret.Data = rData.Data
+
+		return nil
+	}
+
+	op, err := controllerutil.CreateOrPatch(r.Context, r.Client, secret, mutateSecret)
+	if err != nil {
+		return nil, err
+	}
+
+	if op == controllerutil.OperationResultCreated || op == controllerutil.OperationResultUpdated {
+		r.EventRecorder.Event(secret,
+			corev1.EventTypeNormal,
+			"ResticCustomCASecretReconciled",
+			fmt.Sprintf("%s restic custom CA secret %s", op, secret.Name),
+		)
+	}
+
+	return nil, nil
+}
+
 //build data mover restic secret for given aws bsl
 func (r *DPAReconciler) buildDataMoverResticSecretForAWS(rsecret *corev1.Secret, key string, secret string, region string, pass []byte, repo string, pruneInterval string) error {
 
@@ -673,6 +727,12 @@ func (r *DPAReconciler) ReconcileDataMoverResticSecret(log logr.Logger) (bool, e
 				if err != nil {
 					return false, err
 				}
+
+				_, err = r.createResticCustomCASecret(&dpa, bsl)
+
+				if err != nil {
+					return false, err
+				}
 			}
 		}