Reuse the aws session with cacerts and credentials for fetching region #71
High level question - would it be possible to support the CA cert with the VolumeSnapshotter API, too?
@nrb Yes, it's possible and we should definitely do it to make this adoption across any API calls. But this might need a bit more changes as we have to decide how should we propagate the CA certs passed via
b609083 to 27b4614
velero-plugin-for-aws/helpers.go
Outdated
} | ||
|
||
// Init initializes the S3 config parameters which needs to be fetched/prepared based on the passed options | ||
func (h *S3Config) Init() error { |
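Review bot: the doc comment on Init does not say which S3Config fields the call fills in or whether it is safe to call more than once, and "which needs" should read "which need". Since Init has a pointer receiver and returns an error, the comment should state what it mutates and when it fails.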
h? s would be more appropriate.
done
velero-plugin-for-aws/helpers.go
Outdated
return nil | ||
} | ||
|
||
// GetBucketRegion returns the AWS region that a bucket is in, or an error |
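Review bot: the added doc comment opens with the exported-style name GetBucketRegion, and a Go doc comment should begin with the exact identifier it documents, so if the function that follows is unexported the comment should start with the lower-case name. It would also help to say in the comment which session the lookup uses, since the point of the change is that the CA bundle and credentials apply to it.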
Comment case should match method
done
velero-plugin-for-aws/helpers.go
Outdated
} | ||
|
||
// add region to the session config | ||
if h.s3URL == "" && h.region == "" { |
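Review bot: the condition h.s3URL == "" && h.region == "" leaves the case of a set s3URL with an empty region unhandled in the lines shown. Either return an explicit error for that case or extend the comment above the check to say why the region is only resolved when no s3URL is given.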
This is funky. h.getBucketRegion gets called once, the structure gets changed and then it should not be called again. getBucketRegion does not need to be a method, just keep it a func and pass in session and bucket.
Got it. Will make that change
Done
Signed-off-by: Ayush Rangwala <arangwala@vmware.com>
Signed-off-by: Ayush Rangwala <arangwala@vmware.com>
Signed-off-by: Ayush Rangwala <arangwala@vmware.com>
any updates we wanna make here?
This PR won't work after the SDK is bumped up to v2.
Velero has a way to use custom CA bundle to access the objectStore behind the proxy by providing the option --cacerts at the time of velero install or velero client operations.
s3 plugin tries to communicate with the objectStore for finding out the region or to push/pull the Backup manifests. If the region is not provided in the BackupStorageLocation config, while finding the region, plugin creates a new aws session config which does not use any session options, such as certs or credential profile.
This PR is to add the support for aws s3 plugin also to consume the ca certificate bundle passed in BackupStorageLocation with the caCerts field.
This can be tested by having a velero setup behind proxy with self-signed certs and pass them along with the velero install and try to perform the backup/restore operations.
Fixes: vmware-tanzu/velero#3449
Signed-off-by: Ayush Rangwala <arangwala@vmware.com>
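The failure mode described above, as an added example that is not code from this PR or from the plugin: a region lookup made with a client that ignores the CA bundle fails TLS verification against a self-signed endpoint, while the same lookup with the bundle succeeds. It uses only net/http rather than the AWS SDK; regionClient, bucketRegion, demo, the bucket name and the region value are hypothetical, and the test server is a constructed stand-in for an object store behind a proxy.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// regionClient trusts only the given PEM bundle. A nil bundle models the
// option-less session (the empty pool stands in for roots lacking the CA).
func regionClient(caBundle []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if caBundle != nil && !pool.AppendCertsFromPEM(caBundle) {
		return nil, errors.New("caCerts: no PEM certificates found")
	}
	tr := &http.Transport{TLSClientConfig: &tls.Config{RootCAs: pool}}
	return &http.Client{Transport: tr}, nil
}

// bucketRegion sends HEAD /<bucket> and reads the region response header.
func bucketRegion(c *http.Client, endpoint, bucket string) (string, error) {
	resp, err := c.Head(endpoint + "/" + bucket)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return resp.Header.Get("X-Amz-Bucket-Region"), nil
}

// demo runs both lookups against a constructed self-signed TLS endpoint.
func demo() (region string, withCAErr, withoutCAErr error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("X-Amz-Bucket-Region", "eu-west-1") // constructed value
	}))
	defer srv.Close()
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	plain, _ := regionClient(nil)
	_, withoutCAErr = bucketRegion(plain, srv.URL, "backups")
	trusted, _ := regionClient(bundle)
	region, withCAErr = bucketRegion(trusted, srv.URL, "backups")
	return region, withCAErr, withoutCAErr
}

func main() {
	fmt.Println(demo())
}
```

The lookup without the bundle returns a certificate verification error instead of a region, which is the behaviour the PR description attributes to the fresh session.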