
Commit 8a9b3dc

authored
[cherry-pick] Fix Backup and Restore for TLS enabled mongo (#1805) (#1815)
Signed-off-by: Mohammad Fahim Abrar <fahimabrar@appscode.com>
1 parent 6d1afa7 commit 8a9b3dc


2 files changed

+37
-17
lines changed


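--- a/pkg/backup.go
+++ b/pkg/backup.go
@@ -247,16 +247,24 @@ func (opt *mongoOptions) backupMongoDB(targetRef api_v1beta1.TargetRef) (*restic
 return nil, err
 }
 
-appBindingSecret, err := opt.kubeClient.CoreV1().Secrets(opt.appBindingNamespace).Get(context.TODO(), appBinding.Spec.Secret.Name, metav1.GetOptions{})
+authSecret, err := opt.kubeClient.CoreV1().Secrets(opt.appBindingNamespace).Get(context.TODO(), appBinding.Spec.Secret.Name, metav1.GetOptions{})
 if err != nil {
 return nil, err
 }
 
-err = appBinding.TransformSecret(opt.kubeClient, appBindingSecret.Data)
+err = appBinding.TransformSecret(opt.kubeClient, authSecret.Data)
 if err != nil {
 return nil, err
 }
 
+var tlsSecret *core.Secret
+if appBinding.Spec.TLSSecret != nil {
+tlsSecret, err = opt.kubeClient.CoreV1().Secrets(opt.appBindingNamespace).Get(context.TODO(), appBinding.Spec.TLSSecret.Name, metav1.GetOptions{})
+if err != nil {
+return nil, err
+}
+}
+
 hostname, err := appBinding.Hostname()
 if err != nil {
 return nil, err
@@ -314,13 +322,17 @@ func (opt *mongoOptions) backupMongoDB(targetRef api_v1beta1.TargetRef) (*restic
 }
 
 if appBinding.Spec.ClientConfig.CABundle != nil {
+if tlsSecret == nil {
+return nil, errors.Wrap(err, "spec.tlsSecret needs to be set in appbinding for TLS secured database.")
+}
+
 if err := os.WriteFile(filepath.Join(opt.setupOptions.ScratchDir, MongoTLSCertFileName), appBinding.Spec.ClientConfig.CABundle, os.ModePerm); err != nil {
 return nil, err
 }
 mongoCreds = []interface{}{
 "--tls",
 "--tlsCAFile", filepath.Join(opt.setupOptions.ScratchDir, MongoTLSCertFileName),
-"--tlsPEMKeyFile", filepath.Join(opt.setupOptions.ScratchDir, MongoClientPemFileName),
+"--tlsCertificateKeyFile", filepath.Join(opt.setupOptions.ScratchDir, MongoClientPemFileName),
 }
 dumpCreds = []interface{}{
 "--ssl",
@@ -331,13 +343,13 @@ func (opt *mongoOptions) backupMongoDB(targetRef api_v1beta1.TargetRef) (*restic
 // get certificate secret to get client certificate
 var pemBytes []byte
 var ok bool
-pemBytes, ok = appBindingSecret.Data[MongoClientPemFileName]
+pemBytes, ok = tlsSecret.Data[MongoClientPemFileName]
 if !ok {
-crt, ok := appBindingSecret.Data[core.TLSCertKey]
+crt, ok := tlsSecret.Data[core.TLSCertKey]
 if !ok {
 return nil, errors.Wrap(err, "unable to retrieve tls.crt from secret.")
 }
-key, ok := appBindingSecret.Data[core.TLSPrivateKeyKey]
+key, ok := tlsSecret.Data[core.TLSPrivateKeyKey]
 if !ok {
 return nil, errors.Wrap(err, "unable to retrieve tls.key from secret.")
 }
@@ -361,8 +373,8 @@ func (opt *mongoOptions) backupMongoDB(targetRef api_v1beta1.TargetRef) (*restic
 
 } else {
 userAuth := []interface{}{
-fmt.Sprintf("--username=%s", appBindingSecret.Data[MongoUserKey]),
-fmt.Sprintf("--password=%s", appBindingSecret.Data[MongoPasswordKey]),
+fmt.Sprintf("--username=%s", authSecret.Data[MongoUserKey]),
+fmt.Sprintf("--password=%s", authSecret.Data[MongoPasswordKey]),
 "--authenticationDatabase", opt.authenticationDatabase,
 }
 mongoCreds = append(mongoCreds, userAuth...)
@@ -662,7 +674,7 @@ func lockConfigServer(configSVRDSN, secondaryHost string) error {
 "config",
 "--host", secondaryHost,
 "--quiet",
-"--eval", "rs.slaveOk(); db.BackupControl.find({ '_id' : 'BackupControlDocument' }).readConcern('majority');",
+"--eval", "rs.secondaryOk(); db.BackupControl.find({ '_id' : 'BackupControlDocument' }).readConcern('majority');",
 }, mongoCreds...)
 
 if err := sh.Command(MongoCMD, args...).UnmarshalJSON(&v); err != nil {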
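Review bot: The new guard in the CABundle branch of backupMongoDB returns `errors.Wrap(err, "spec.tlsSecret needs to be set ...")`, but `err` looks to be nil there, since every earlier error path in the visible hunks has already returned. If `errors` is github.com/pkg/errors (the imports are not shown), wrapping a nil error yields nil, so the function would return `nil, nil` and a TLS AppBinding without spec.tlsSecret would not be reported as a failure. Build the error directly instead: `return nil, errors.New("spec.tlsSecret needs to be set in appbinding for TLS secured database")`. The `tls.crt` and `tls.key` lookups in the next hunk use the same `errors.Wrap(err, ...)` pattern and deserve the same fix. The function body continues outside these hunks.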

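--- a/pkg/restore.go
+++ b/pkg/restore.go
@@ -185,16 +185,24 @@ func (opt *mongoOptions) restoreMongoDB(targetRef api_v1beta1.TargetRef) (*resti
 return nil, err
 }
 
-appBindingSecret, err := opt.kubeClient.CoreV1().Secrets(opt.appBindingNamespace).Get(context.TODO(), appBinding.Spec.Secret.Name, metav1.GetOptions{})
+authSecret, err := opt.kubeClient.CoreV1().Secrets(opt.appBindingNamespace).Get(context.TODO(), appBinding.Spec.Secret.Name, metav1.GetOptions{})
 if err != nil {
 return nil, err
 }
 
-err = appBinding.TransformSecret(opt.kubeClient, appBindingSecret.Data)
+err = appBinding.TransformSecret(opt.kubeClient, authSecret.Data)
 if err != nil {
 return nil, err
 }
 
+var tlsSecret *core.Secret
+if appBinding.Spec.TLSSecret != nil {
+tlsSecret, err = opt.kubeClient.CoreV1().Secrets(opt.appBindingNamespace).Get(context.TODO(), appBinding.Spec.TLSSecret.Name, metav1.GetOptions{})
+if err != nil {
+return nil, err
+}
+}
+
 hostname, err := appBinding.Hostname()
 if err != nil {
 return nil, err
@@ -251,7 +259,7 @@ func (opt *mongoOptions) restoreMongoDB(targetRef api_v1beta1.TargetRef) (*resti
 mongoCreds = []interface{}{
 "--tls",
 "--tlsCAFile", filepath.Join(opt.setupOptions.ScratchDir, MongoTLSCertFileName),
-"--tlsPEMKeyFile", filepath.Join(opt.setupOptions.ScratchDir, MongoClientPemFileName),
+"--tlsCertificateKeyFile", filepath.Join(opt.setupOptions.ScratchDir, MongoClientPemFileName),
 }
 dumpCreds = []interface{}{
 "--ssl",
@@ -262,13 +270,13 @@ func (opt *mongoOptions) restoreMongoDB(targetRef api_v1beta1.TargetRef) (*resti
 // get certificate secret to get client certificate
 var pemBytes []byte
 var ok bool
-pemBytes, ok = appBindingSecret.Data[MongoClientPemFileName]
+pemBytes, ok = tlsSecret.Data[MongoClientPemFileName]
 if !ok {
-crt, ok := appBindingSecret.Data[core.TLSCertKey]
+crt, ok := tlsSecret.Data[core.TLSCertKey]
 if !ok {
 return nil, errors.Wrap(err, "unable to retrieve tls.crt from secret.")
 }
-key, ok := appBindingSecret.Data[core.TLSPrivateKeyKey]
+key, ok := tlsSecret.Data[core.TLSPrivateKeyKey]
 if !ok {
 return nil, errors.Wrap(err, "unable to retrieve tls.key from secret.")
 }
@@ -292,8 +300,8 @@ func (opt *mongoOptions) restoreMongoDB(targetRef api_v1beta1.TargetRef) (*resti
 
 } else {
 userAuth := []interface{}{
-fmt.Sprintf("--username=%s", appBindingSecret.Data[MongoUserKey]),
-fmt.Sprintf("--password=%s", appBindingSecret.Data[MongoPasswordKey]),
+fmt.Sprintf("--username=%s", authSecret.Data[MongoUserKey]),
+fmt.Sprintf("--password=%s", authSecret.Data[MongoPasswordKey]),
 "--authenticationDatabase", opt.authenticationDatabase,
 }
 mongoCreds = append(mongoCreds, userAuth...)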
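Review bot: restoreMongoDB reads `tlsSecret.Data[MongoClientPemFileName]` without the nil guard that the same commit adds to backupMongoDB. `tlsSecret` stays nil whenever `appBinding.Spec.TLSSecret` is unset, and none of the additions in this file checks it, so a TLS AppBinding without spec.tlsSecret would hit a nil-pointer panic during restore instead of returning an error. Add a guard before the client-certificate lookup, e.g. `if tlsSecret == nil { return nil, errors.New("spec.tlsSecret needs to be set in appbinding for TLS secured database") }`. The TLS branch that encloses these lines starts outside the hunk, so the exact placement should mirror the CABundle check in backup.go.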
