noSecret option

pluginSpecificMap no secret check minor fix, it was not using the short plugin name ie. `gcp` to match but the full long plugin name.
openshift · Feb 17, 2023 · 0747309 · 0747309
1 parent 68e3d41
commit 0747309
Show file tree

Hide file tree

Showing 7 changed files with 40 additions and 24 deletions.
diff --git a/api/v1alpha1/oadp_types.go b/api/v1alpha1/oadp_types.go
@@ -80,6 +80,10 @@ type VeleroConfig struct {
 	// If you need to install Velero without a default backup storage location noDefaultBackupLocation flag is required for confirmation
 	// +optional
 	NoDefaultBackupLocation bool `json:"noDefaultBackupLocation,omitempty"`
+	// If you need to install Velero without a secret, this flag is required for confirmation
+	// +optional
+	// +kubebuilder:default=false
+	NoSecret bool `json:"noSecret,omitempty"`
 	// Pod specific configuration
 	PodConfig *PodConfig `json:"podConfig,omitempty"`
 	// Velero server’s log level (use debug for the most logging, leave unset for velero default)

diff --git a/bundle/manifests/oadp.openshift.io_dataprotectionapplications.yaml b/bundle/manifests/oadp.openshift.io_dataprotectionapplications.yaml
@@ -265,6 +265,10 @@ spec:
                         noDefaultBackupLocation:
                           description: If you need to install Velero without a default backup storage location noDefaultBackupLocation flag is required for confirmation
                           type: boolean
+                        noSecret:
+                          default: false
+                          description: If you need to install Velero without a secret, this flag is required for confirmation
+                          type: boolean
                         podConfig:
                           description: Pod specific configuration
                           properties:

diff --git a/config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml b/config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml
@@ -265,6 +265,10 @@ spec:
                         noDefaultBackupLocation:
                           description: If you need to install Velero without a default backup storage location noDefaultBackupLocation flag is required for confirmation
                           type: boolean
+                        noSecret:
+                          default: false
+                          description: If you need to install Velero without a secret, this flag is required for confirmation
+                          type: boolean
                         podConfig:
                           description: Pod specific configuration
                           properties:

diff --git a/controllers/bsl.go b/controllers/bsl.go
@@ -99,11 +99,12 @@ func (r *DPAReconciler) ReconcileBackupStorageLocations(log logr.Logger) (bool,
 		//	 1. oadpApi.OadpOperatorLabel: "True"
 		// 	 2. <namespace>.dataprotectionapplication: <name>
 		// which in turn will be used in th elabel handler to trigger the reconciliation loop
-
-		secretName, _ := r.getSecretNameAndKeyforBackupLocation(bslSpec)
-		_, err := r.UpdateCredentialsSecretLabels(secretName, dpa.Namespace, dpa.Name)
-		if err != nil {
-			return false, err
+		if !dpa.Spec.Configuration.Velero.NoSecret {
+			secretName, _ := r.getSecretNameAndKeyforBackupLocation(bslSpec)
+			_, err := r.UpdateCredentialsSecretLabels(secretName, dpa.Namespace, dpa.Name)
+			if err != nil {
+				return false, err
+			}
 		}
 
 		// Create BSL
@@ -324,13 +325,15 @@ func (r *DPAReconciler) validateProviderPluginAndSecret(bslSpec velerov1.BackupS
 		r.Log.Info(fmt.Sprintf("%s backupstoragelocation is configured but velero plugin for %s is not present", bslSpec.Provider, bslSpec.Provider))
 		//TODO: set warning condition on Velero CR
 	}
-	secretName, _ := r.getSecretNameAndKey(&bslSpec, oadpv1alpha1.DefaultPlugin(bslSpec.Provider))
+	if !dpa.Spec.Configuration.Velero.NoSecret {
+		secretName, _ := r.getSecretNameAndKey(&bslSpec, oadpv1alpha1.DefaultPlugin(bslSpec.Provider))
 
-	_, err := r.getProviderSecret(secretName)
+		_, err := r.getProviderSecret(secretName)
 
-	if err != nil {
-		r.Log.Info(fmt.Sprintf("error validating %s provider secret:  %s/%s", bslSpec.Provider, r.NamespacedName.Namespace, secretName))
-		return err
+		if err != nil {
+			r.Log.Info(fmt.Sprintf("error validating %s provider secret:  %s/%s", bslSpec.Provider, r.NamespacedName.Namespace, secretName))
+			return err
+		}
 	}
 	return nil
 }

diff --git a/controllers/validator.go b/controllers/validator.go
@@ -3,10 +3,11 @@ package controllers
 import (
 	"errors"
 	"fmt"
+	"time"
+
 	"github.com/go-logr/logr"
 	oadpv1alpha1 "github.com/openshift/oadp-operator/api/v1alpha1"
 	"github.com/openshift/oadp-operator/pkg/credentials"
-	"time"
 )
 
 func (r *DPAReconciler) ValidateDataProtectionCR(log logr.Logger) (bool, error) {
@@ -28,8 +29,8 @@ func (r *DPAReconciler) ValidateDataProtectionCR(log logr.Logger) (bool, error)
 		}
 	}
 
-	if dpa.Spec.Configuration.Velero.NoDefaultBackupLocation && dpa.BackupImages() {
-		return false, errors.New("backupImages needs to be set to false when noDefaultBackupLocation is set")
+	if dpa.Spec.Configuration.Velero.NoDefaultBackupLocation || dpa.Spec.Configuration.Velero.NoSecret && dpa.BackupImages() {
+		return false, errors.New("backupImages needs to be set to false when noDefaultBackupLocation or noSecret is true")
 	}
 
 	if len(dpa.Spec.BackupLocations) > 0 {
@@ -99,6 +100,7 @@ func (r *DPAReconciler) ValidateVeleroPlugins(log logr.Logger) (bool, error) {
 		return false, err
 	}
 
+	// Get map of cloud providers that need default credentials based on DPA CR
 	providerNeedsDefaultCreds, hasCloudStorage, err := r.noDefaultCredentials(dpa)
 	if err != nil {
 		return false, err
@@ -114,7 +116,7 @@ func (r *DPAReconciler) ValidateVeleroPlugins(log logr.Logger) (bool, error) {
 			pluginNeedsCheck = true
 		}
 
-		if ok && pluginSpecificMap.IsCloudProvider && pluginNeedsCheck && !dpa.Spec.Configuration.Velero.NoDefaultBackupLocation {
+		if ok && pluginSpecificMap.IsCloudProvider && pluginNeedsCheck {
 			secretName := pluginSpecificMap.SecretName
 			_, err := r.getProviderSecret(secretName)
 			if err != nil {

diff --git a/controllers/velero.go b/controllers/velero.go
@@ -34,13 +34,9 @@ import (
 )
 
 const (
-	Server   = "server"
-	Registry = "Registry"
+	Server = "server"
 	//TODO: Check for default secret names
-	VeleroAWSSecretName   = "cloud-credentials"
-	VeleroAzureSecretName = "cloud-credentials-azure"
-	VeleroGCPSecretName   = "cloud-credentials-gcp"
-	enableCSIFeatureFlag  = "EnableCSI"
+	enableCSIFeatureFlag = "EnableCSI"
 )
 
 var (
@@ -707,10 +703,12 @@ func (r *DPAReconciler) getResticResourceReqs(dpa *oadpv1alpha1.DataProtectionAp
 // noDefaultCredentials determines if a provider needs the default credentials.
 // This returns a map of providers found to if they need a default credential,
 // a boolean if Cloud Storage backup storage location was used and an error if any occured.
+// When dpa.Spec.Configuration.Velero.NoSecret is set, we do not need to check for default credentials.
+// map[string]bool is a map of provider to if it needs a default credential. Where string is "aws", "azure", "gcp", etc.
 func (r DPAReconciler) noDefaultCredentials(dpa oadpv1alpha1.DataProtectionApplication) (map[string]bool, bool, error) {
 	providerNeedsDefaultCreds := map[string]bool{}
 	hasCloudStorage := false
-	if dpa.Spec.Configuration.Velero.NoDefaultBackupLocation {
+	if dpa.Spec.Configuration.Velero.NoDefaultBackupLocation || dpa.Spec.Configuration.Velero.NoSecret {
 		needDefaultCred := false
 
 		if dpa.Spec.UnsupportedOverrides[oadpv1alpha1.OperatorTypeKey] == oadpv1alpha1.OperatorTypeMTC {
@@ -720,7 +718,7 @@ func (r DPAReconciler) noDefaultCredentials(dpa oadpv1alpha1.DataProtectionAppli
 		// go through cloudprovider plugins and mark providerNeedsDefaultCreds to false
 		for _, provider := range dpa.Spec.Configuration.Velero.DefaultPlugins {
 			if psf, ok := credentials.PluginSpecificFields[provider]; ok && psf.IsCloudProvider {
-				providerNeedsDefaultCreds[psf.PluginName] = needDefaultCred
+				providerNeedsDefaultCreds[string(provider)] = needDefaultCred
 			}
 		}
 	} else {

diff --git a/pkg/credentials/credentials.go b/pkg/credentials/credentials.go
@@ -296,6 +296,7 @@ func AppendPluginSpecificSpecs(dpa *oadpv1alpha1.DataProtectionApplication, vele
 				pluginNeedsCheck = true
 			}
 
+			// if plugin is a cloud provider
 			if !pluginSpecificMap.IsCloudProvider || !pluginNeedsCheck {
 				continue
 			}
@@ -306,7 +307,7 @@ func AppendPluginSpecificSpecs(dpa *oadpv1alpha1.DataProtectionApplication, vele
 			}
 			// set default secret name to use
 			secretName := pluginSpecificMap.SecretName
-			// append plugin specific volume mounts
+			// append plugin specific secret volume mounts
 			if veleroContainer != nil {
 				veleroContainer.VolumeMounts = append(
 					veleroContainer.VolumeMounts,
@@ -324,7 +325,7 @@ func AppendPluginSpecificSpecs(dpa *oadpv1alpha1.DataProtectionApplication, vele
 					})
 			}
 
-			// append plugin specific volumes
+			// append plugin specific secret volumes
 			veleroDeployment.Spec.Template.Spec.Volumes = append(
 				veleroDeployment.Spec.Template.Spec.Volumes,
 				corev1.Volume{