diff --git a/class/defaults.yml b/class/defaults.yml
index b0dc1b1..d309996 100644
--- a/class/defaults.yml
+++ b/class/defaults.yml
@@ -38,4 +38,4 @@ parameters:
 registry: docker.io
 image: debian
 tag: bullseye
- tls_options: null
+ customCA: null
diff --git a/component/schedule.libsonnet b/component/schedule.libsonnet
index 223d014..15bf0e0 100644
--- a/component/schedule.libsonnet
+++ b/component/schedule.libsonnet
@@ -41,6 +41,19 @@ local buildSchedule(name, namespace, backupSchedule, pruneSchedule='10 */4 * * *
 secretkeyname: 'password',
 };
+ local customCA = if params.customCA != null then {
+ apiVersion: 'v1',
+ kind: 'ConfigMap',
+ metadata: {
+ name: 'k8up-custom-ca',
+ namespace: namespace,
+ },
+ data: {
+ 'ca.crt': params.customCA,
+ },
+ };
+ local customCAname = if params.customCA != null then customCA.metadata.name else null;
 local schedule = backup.Schedule(
 name,
 backupSchedule,
@@ -49,7 +62,7 @@ local buildSchedule(name, namespace, backupSchedule, pruneSchedule='10 */4 * * *
 backupkey=backupSecretRef,
 s3secret=bucketSecretRef,
 create_bucket=false,
- tls_options=params.tls_options,
+ caConfigMap=customCAname,
 ).schedule + backup.PruneSpec(pruneSchedule, 30, 20) {
 metadata+: {
 namespace: namespace,
@@ -149,7 +162,7 @@ local buildSchedule(name, namespace, backupSchedule, pruneSchedule='10 */4 * * *
 backend+: {
 // drop S3 config
 s3:: {},
- volumeMounts: [
+ volumeMounts+: [
 {
 name: 'ssh-config',
 mountPath: '/home/k8up/.ssh',
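Review bot: The new customCA parameter is consumed as a plain PEM string in the added ConfigMap (`'ca.crt': params.customCA`), but the parameter reference this commit also edits (parameters.adoc) still documents it as `type:: dict`; that line should become `type:: string` so the type matches the block-scalar example. The second added local repeats the null guard that already produces `customCA`; reading the name off the guarded object instead, `local customCAname = if customCA != null then customCA.metadata.name else null;`, keeps the two from diverging if the condition ever changes. The ConfigMap name `k8up-custom-ca` is fixed while `namespace` is a parameter of buildSchedule, so two schedules rendered into one namespace would presumably emit two objects with the same name; a short comment on the `name:` line stating that one schedule per namespace is assumed would make that explicit. buildSchedule's definition starts before this hunk and continues after it.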
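Review bot: The switch from `volumeMounts:` to `volumeMounts+:` on the last changed line carries no comment saying why the list is now merged rather than replaced, which is exactly the kind of one-character change the next edit silently reverts; a one-liner such as `// merge, not replace: keep the CA mount contributed for caConfigMap` would preserve the intent. That the extra mount comes from backup.Schedule is inferred from the golden output in this commit, not visible in the hunk itself. The enclosing backend object continues past the hunk.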
@@ -169,9 +182,9 @@ local buildSchedule(name, namespace, backupSchedule, pruneSchedule='10 */4 * * *
 if params.backend_type == 's3' then
- [ backupSecret, bucketSecret, schedule ]
+ [ backupSecret, bucketSecret, schedule ] + if params.customCA != null then [ customCA ] else []
 else if params.backend_type == 'sftp' then
- [ backupSecret, sftpRepository, sftpConfig, sftpPodConfig, sftpSchedule ]
+ [ backupSecret, sftpRepository, sftpConfig, sftpPodConfig, sftpSchedule ] + if params.customCA != null then [ customCA ] else []
 else
 error "Backup backend type '%s' not supported by the component" % params.backend_type;
diff --git a/docs/modules/ROOT/pages/references/parameters.adoc b/docs/modules/ROOT/pages/references/parameters.adoc
index b0d142f..aff825b 100644
--- a/docs/modules/ROOT/pages/references/parameters.adoc
+++ b/docs/modules/ROOT/pages/references/parameters.adoc
@@ -259,13 +259,13 @@ This means that if a resource type listed in `must_exist` is not found, the back
 For this reason, and because we trust the discovery process of the new dumper, we set the default value to an empty list and recommend to not use this feature until the issue is resolved.
 ====
-== tls_options
+== customCA
 [horizontal]
 type:: dict
 default:: `null`
-Set TLS options for accessig the backend.
+Configure a custom CA for connecting to the backend.
 == Example
@@ -276,9 +276,8 @@ parameters:
 images:
 object_dumper:
 tag: v…
- tls_options:
- caCert: |
- -----BEGIN CERTIFICATE-----
- MY AWESOME CA
- -----END CERTIFICATE-----
+ customCA: |
+ -----BEGIN CERTIFICATE-----
+ MY AWESOME CA
+ -----END CERTIFICATE-----
 ----
diff --git a/tests/golden/sftp/cluster-backup/cluster-backup/10_object.yaml b/tests/golden/sftp/cluster-backup/cluster-backup/10_object.yaml
index f544923..3659f73 100644
--- a/tests/golden/sftp/cluster-backup/cluster-backup/10_object.yaml
+++ b/tests/golden/sftp/cluster-backup/cluster-backup/10_object.yaml
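Review bot: The null guard and the `[ customCA ]` list are spelled out twice on the two added lines, once per backend branch, so the branches will drift as soon as a third backend or a second optional object is added. Compute it once before the `if`, e.g. `local extraObjects = if params.customCA != null then [ customCA ] else [];`, and append `+ extraObjects` in both branches; each branch then stays a single readable list. buildSchedule starts outside this hunk.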
@@ -238,11 +238,10 @@ spec:
 key: password
 name: objects-backup-password
 tlsOptions:
- caCert: |
- -----BEGIN CERTIFICATE-----
- MY AWESOME CA
- -----END CERTIFICATE-----
+ caCert: /mnt/ca/ca.crt
 volumeMounts:
+ - mountPath: /mnt/ca/
+ name: ca
 - mountPath: /home/k8up/.ssh
 name: ssh-config
 - mountPath: /home/k8up/.job
@@ -252,6 +251,10 @@ spec:
 backup:
 keepJobs: 5
 schedule: 25 * * * *
+ volumes:
+ - configMap:
+ name: k8up-custom-ca
+ name: ca
 check:
 schedule: 30 3 * * *
 podConfigRef:
@@ -261,3 +264,18 @@ spec:
 keepDaily: 30
 keepLast: 20
 schedule: 10 */4 * * *
+---
+apiVersion: v1
+data:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MY AWESOME CA
+ -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/component: cluster-backup
+ app.kubernetes.io/managed-by: commodore
+ app.kubernetes.io/name: k8up-custom-ca
+ name: k8up-custom-ca
+ namespace: syn-cluster-backup
diff --git a/tests/golden/sftp/cluster-backup/cluster-backup/20_ocp4_etcd.yaml b/tests/golden/sftp/cluster-backup/cluster-backup/20_ocp4_etcd.yaml
index 2d6a527..a64979c 100644
--- a/tests/golden/sftp/cluster-backup/cluster-backup/20_ocp4_etcd.yaml
+++ b/tests/golden/sftp/cluster-backup/cluster-backup/20_ocp4_etcd.yaml
@@ -247,11 +247,10 @@ spec:
 key: password
 name: etcd-backup-password
 tlsOptions:
- caCert: |
- -----BEGIN CERTIFICATE-----
- MY AWESOME CA
- -----END CERTIFICATE-----
+ caCert: /mnt/ca/ca.crt
 volumeMounts:
+ - mountPath: /mnt/ca/
+ name: ca
 - mountPath: /home/k8up/.ssh
 name: ssh-config
 - mountPath: /home/k8up/.job
@@ -261,6 +260,10 @@ spec:
 backup:
 keepJobs: 5
 schedule: 13 3 * * *
+ volumes:
+ - configMap:
+ name: k8up-custom-ca
+ name: ca
 check:
 schedule: 30 3 * * *
 podConfigRef:
@@ -270,3 +273,18 @@ spec:
 keepDaily: 30
 keepLast: 20
 schedule: 20 */4 * * *
+---
+apiVersion: v1
+data:
+ ca.crt: |
+ -----BEGIN CERTIFICATE-----
+ MY AWESOME CA
+ -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+ labels:
+ app.kubernetes.io/component: cluster-backup
+ app.kubernetes.io/managed-by: commodore
+ app.kubernetes.io/name: k8up-custom-ca
+ name: k8up-custom-ca
+ namespace: syn-cluster-backup-etcd
diff --git a/tests/sftp.yml b/tests/sftp.yml
index b7bcf2d..38b2b10 100644
--- a/tests/sftp.yml
+++ b/tests/sftp.yml
@@ -18,8 +18,7 @@ parameters:
 sftp:
 ssh_known_hosts: |
 sftp.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSszUbK2KmbjXKSWCajPlTCR8GBCElkd2I1ciBari3k
- tls_options:
- caCert: |
- -----BEGIN CERTIFICATE-----
- MY AWESOME CA
- -----END CERTIFICATE-----
+ customCA: |
+ -----BEGIN CERTIFICATE-----
+ MY AWESOME CA
+ -----END CERTIFICATE-----