Add commands for generating restore rules and managing restic keys (#189)

Signed-off-by: hmsayem <hmsayem@appscode.com>

Author: hmsayem

go.mod

@@ -9,6 +9,7 @@ require (
 	github.com/pkg/errors v0.9.1
 	github.com/spf13/cobra v1.7.0
 	golang.org/x/text v0.9.0
+	gomodules.xyz/flags v0.1.3
 	gomodules.xyz/go-sh v0.1.0
 	gomodules.xyz/logs v0.0.7
 	gomodules.xyz/pointer v0.1.0
@@ -25,7 +26,8 @@ require (
 	kmodules.xyz/objectstore-api v0.25.1
 	kmodules.xyz/offshoot-api v0.25.4
 	kmodules.xyz/openshift v0.25.0
-	stash.appscode.dev/apimachinery v0.31.1
+	sigs.k8s.io/yaml v1.3.0
+	stash.appscode.dev/apimachinery v0.31.2-0.20231004063459-741d01499f90
 	stash.appscode.dev/stash v0.31.0
 )
 
@@ -104,7 +106,6 @@ require (
 	golang.org/x/term v0.8.0 // indirect
 	golang.org/x/time v0.1.0 // indirect
 	gomodules.xyz/clock v0.0.0-20200817085942-06523dba733f // indirect
-	gomodules.xyz/flags v0.1.3 // indirect
 	gomodules.xyz/jsonpatch/v2 v2.4.0 // indirect
 	gomodules.xyz/mergo v0.3.13 // indirect
 	gomodules.xyz/sets v0.2.1 // indirect
@@ -127,5 +128,4 @@ require (
 	sigs.k8s.io/kustomize/api v0.12.1 // indirect
 	sigs.k8s.io/kustomize/kyaml v0.13.9 // indirect
 	sigs.k8s.io/structured-merge-diff/v4 v4.2.3 // indirect
-	sigs.k8s.io/yaml v1.3.0 // indirect
 )

go.sum

@@ -1102,7 +1102,7 @@ sigs.k8s.io/yaml v1.1.0/go.mod h1:UJmg0vDUVViEyp3mgSv9WPwZCDxu4rQW1olrI1uml+o=
 sigs.k8s.io/yaml v1.2.0/go.mod h1:yfXDCHCao9+ENCvLSE62v9VSji2MKu5jeNfTrofGhJc=
 sigs.k8s.io/yaml v1.3.0 h1:a2VclLzOGrwOHDiV8EfBGhvjHvP46CtW5j6POvhYGGo=
 sigs.k8s.io/yaml v1.3.0/go.mod h1:GeOyir5tyXNByN85N/dRIT9es5UQNerPYEKK56eTBm8=
-stash.appscode.dev/apimachinery v0.31.1 h1:5a4+kSnsNvg+iT+xTyoD7SjzbSdmTrmY+VuQuY/qJpw=
-stash.appscode.dev/apimachinery v0.31.1/go.mod h1:IDbssRbYLSnMwZAQOGX4Vam+hl43FofP8BuXMLXVaPQ=
+stash.appscode.dev/apimachinery v0.31.2-0.20231004063459-741d01499f90 h1:PaLblgeoXMiuKFuK6lor9DIHWnC0xblT6/Rfs7wvIyY=
+stash.appscode.dev/apimachinery v0.31.2-0.20231004063459-741d01499f90/go.mod h1:IDbssRbYLSnMwZAQOGX4Vam+hl43FofP8BuXMLXVaPQ=
 stash.appscode.dev/stash v0.31.0 h1:q5dLevm2mZECXEpyba04JbqyUeVtYTKtfS1QcpRU+II=
 stash.appscode.dev/stash v0.31.0/go.mod h1:TfYcLyr+YsTqoKHNbyOgOCPqygjRpf3USMztNc2EfjU=

pkg/add_key.go

@@ -0,0 +1,257 @@
+/*
+Copyright AppsCode Inc. and Contributors
+
+Licensed under the AppsCode Community License 1.0.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    https://github.com/appscode/licenses/raw/1.0.0/AppsCode-Community-1.0.0.md
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package pkg
+
+import (
+	"context"
+	"fmt"
+	"os"
+	"os/exec"
+	"os/user"
+	"path/filepath"
+
+	"stash.appscode.dev/apimachinery/apis"
+	"stash.appscode.dev/apimachinery/apis/stash/v1alpha1"
+	"stash.appscode.dev/apimachinery/pkg/restic"
+	"stash.appscode.dev/stash/pkg/util"
+
+	"github.com/pkg/errors"
+	"github.com/spf13/cobra"
+	"gomodules.xyz/flags"
+	core "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/cli-runtime/pkg/genericclioptions"
+	"k8s.io/client-go/rest"
+	"k8s.io/klog/v2"
+)
+
+type keyOptions struct {
+	config    *rest.Config
+	repo      *v1alpha1.Repository
+	localDirs cliLocalDirectories
+	restic.KeyOptions
+}
+
+func NewCmdAddKey(clientGetter genericclioptions.RESTClientGetter) *cobra.Command {
+	opt := keyOptions{}
+	cmd := &cobra.Command{
+		Use:               "add",
+		Short:             `Add a new key (password) to a restic repository`,
+		DisableAutoGenTag: true,
+		RunE: func(cmd *cobra.Command, args []string) error {
+			flags.EnsureRequiredFlags(cmd, "new-password-file")
+			var err error
+			opt.File, err = filepath.Abs(opt.File)
+			if err != nil {
+				return fmt.Errorf("failed to find the absolute path for password file: %w", err)
+			}
+
+			_, err = os.Stat(opt.File)
+			if os.IsNotExist(err) {
+				return fmt.Errorf("%s does not exist", opt.File)
+			}
+
+			if len(args) == 0 || args[0] == "" {
+				return fmt.Errorf("repository name not found")
+			}
+			repositoryName := args[0]
+
+			opt.config, err = clientGetter.ToRESTConfig()
+			if err != nil {
+				return errors.Wrap(err, "failed to read kubeconfig")
+			}
+
+			// get source repository
+			opt.repo, err = stashClient.StashV1alpha1().Repositories(namespace).Get(context.TODO(), repositoryName, metav1.GetOptions{})
+			if err != nil {
+				return err
+			}
+
+			if opt.repo.Spec.Backend.Local != nil {
+				return opt.addResticKeyForLocalRepo()
+			}
+
+			return opt.addResticKey()
+		},
+	}
+
+	cmd.Flags().StringVar(&opt.Host, "host", opt.Host, "Host for the new key")
+	cmd.Flags().StringVar(&opt.User, "user", opt.User, "Username for the new key")
+	cmd.Flags().StringVar(&opt.File, "new-password-file", opt.File, "File from which to read the new password")
+
+	return cmd
+}
+
+func (opt *keyOptions) addResticKeyForLocalRepo() error {
+	// get the pod that mount this repository as volume
+	pod, err := getBackendMountingPod(kubeClient, opt.repo)
+	if err != nil {
+		return err
+	}
+
+	if err := opt.copyPasswordFileToPod(pod); err != nil {
+		return fmt.Errorf("failed to copy password file from local directory to pod: %w", err)
+	}
+
+	command := []string{"/stash-enterprise", "add-key"}
+	command = append(command, "--repo-name="+opt.repo.Name, "--repo-namespace="+opt.repo.Namespace)
+	command = append(command, "--new-password-file="+getPodDirForPasswordFile())
+
+	if opt.User != "" {
+		command = append(command, "--user="+opt.User)
+	}
+	if opt.Host != "" {
+		command = append(command, "--host="+opt.Host)
+	}
+
+	_, err = execCommandOnPod(kubeClient, opt.config, pod, command)
+	if err != nil {
+		return err
+	}
+
+	if err := opt.removePasswordFileFromPod(pod); err != nil {
+		return fmt.Errorf("failed to remove password file from pod: %w", err)
+	}
+
+	klog.Infof("Restic key has been added successfully for repository %s/%s", opt.repo.Namespace, opt.repo.Name)
+	return nil
+}
+
+func (opt *keyOptions) removePasswordFileFromPod(pod *core.Pod) error {
+	cmd := []string{"rm", "-rf", getPodDirForPasswordFile()}
+	out, err := execCommandOnPod(kubeClient, opt.config, pod, cmd)
+	if string(out) != "" {
+		klog.Infoln("Output:", string(out))
+	}
+	return err
+}
+
+func (opt *keyOptions) copyPasswordFileToPod(pod *core.Pod) error {
+	_, err := exec.Command(cmdKubectl, "cp", opt.File, fmt.Sprintf("%s/%s:%s", pod.Namespace, pod.Name, getPodDirForPasswordFile())).CombinedOutput()
+	if err != nil {
+		return err
+	}
+	return nil
+}
+
+func getPodDirForPasswordFile() string {
+	return filepath.Join(apis.ScratchDirMountPath, passwordFile)
+}
+
+func (opt *keyOptions) addResticKey() error {
+	// get source repository secret
+	secret, err := kubeClient.CoreV1().Secrets(namespace).Get(context.TODO(), opt.repo.Spec.Backend.StorageSecretName, metav1.GetOptions{})
+	if err != nil {
+		return err
+	}
+
+	if err = os.MkdirAll(ScratchDir, 0o755); err != nil {
+		return err
+	}
+	defer os.RemoveAll(ScratchDir)
+
+	// configure restic wrapper
+	extraOpt := util.ExtraOptions{
+		StorageSecret: secret,
+		ScratchDir:    ScratchDir,
+	}
+	// configure setupOption
+	setupOpt, err := util.SetupOptionsForRepository(*opt.repo, extraOpt)
+	if err != nil {
+		return fmt.Errorf("setup option for repository failed")
+	}
+	// init restic wrapper
+	resticWrapper, err := restic.NewResticWrapper(setupOpt)
+	if err != nil {
+		return err
+	}
+
+	opt.localDirs = cliLocalDirectories{
+		configDir: filepath.Join(ScratchDir, configDirName),
+	}
+
+	// dump restic's environments into `restic-env` file.
+	// we will pass this env file to restic docker container.
+
+	err = resticWrapper.DumpEnv(opt.localDirs.configDir, ResticEnvs)
+	if err != nil {
+		return err
+	}
+
+	args := []string{
+		"key",
+		"add",
+		"--no-cache",
+	}
+
+	// For TLS secured Minio/REST server, specify cert path
+	if resticWrapper.GetCaPath() != "" {
+		args = append(args, "--cacert", resticWrapper.GetCaPath())
+	}
+
+	if err = manageKeyViaDocker(opt, args); err != nil {
+		return err
+	}
+	klog.Infof("Restic key has been added successfully for repository %s/%s", opt.repo.Namespace, opt.repo.Name)
+	return nil
+}
+
+func manageKeyViaDocker(opt *keyOptions, args []string) error {
+	// get current user
+	currentUser, err := user.Current()
+	if err != nil {
+		return err
+	}
+
+	keyArgs := []string{
+		"run",
+		"--rm",
+		"-u", currentUser.Uid,
+		"-v", ScratchDir + ":" + ScratchDir,
+		"--env", "HTTP_PROXY=" + os.Getenv("HTTP_PROXY"),
+		"--env", "HTTPS_PROXY=" + os.Getenv("HTTPS_PROXY"),
+		"--env-file", filepath.Join(opt.localDirs.configDir, ResticEnvs),
+	}
+
+	if opt.File != "" {
+		keyArgs = append(keyArgs, "-v", opt.File+":"+opt.File)
+	}
+
+	keyArgs = append(keyArgs, imgRestic.ToContainerImage())
+	keyArgs = append(keyArgs, args...)
+
+	if opt.File != "" {
+		keyArgs = append(keyArgs, "--new-password-file", opt.File)
+	}
+
+	if opt.User != "" {
+		keyArgs = append(keyArgs, "--user", opt.User)
+	}
+
+	if opt.Host != "" {
+		keyArgs = append(keyArgs, "--host", opt.Host)
+	}
+
+	klog.Infoln("Running docker with args:", keyArgs)
+
+	out, err := exec.Command("docker", keyArgs...).CombinedOutput()
+	if err != nil {
+		return err
+	}
+	klog.Infoln(fmt.Sprintf("\n%s", string(out)))
+	return nil
+}

pkg/cli.go

@@ -32,11 +32,13 @@ const (
 	ScratchDir     = "/tmp/scratch"
 	DestinationDir = "/tmp/destination"
 	configDirName  = "config"
+	passwordFile   = "password.txt"
 
 	ResticEnvs     = "restic-envs"
 	ResticRegistry = "stashed"
 	ResticImage    = "restic"
 	ResticTag      = "latest"
+	cmdKubectl     = "kubectl"
 )
 
 type cliLocalDirectories struct {