Fix definition TLS Options

class/defaults.yml

@@ -38,4 +38,4 @@ parameters:
         registry: docker.io
         image: debian
         tag: bullseye
-    tls_options: null
+    customCA: null

component/schedule.libsonnet

@@ -41,6 +41,19 @@ local buildSchedule(name, namespace, backupSchedule, pruneSchedule='10 */4 * * *
     secretkeyname: 'password',
   };
 
+  local customCA = if params.customCA != null then {
+    apiVersion: 'v1',
+    kind: 'ConfigMap',
+    metadata: {
+      name: 'k8up-custom-ca',
+      namespace: namespace,
+    },
+    data: {
+      'ca.crt': params.customCA,
+    },
+  };
+  local customCAname = if params.customCA != null then customCA.metadata.name else null;
+
   local schedule = backup.Schedule(
     name,
     backupSchedule,
@@ -49,7 +62,7 @@ local buildSchedule(name, namespace, backupSchedule, pruneSchedule='10 */4 * * *
     backupkey=backupSecretRef,
     s3secret=bucketSecretRef,
     create_bucket=false,
-    tls_options=params.tls_options,
+    caConfigMap=customCAname,
   ).schedule + backup.PruneSpec(pruneSchedule, 30, 20) {
     metadata+: {
       namespace: namespace,
@@ -149,7 +162,7 @@ local buildSchedule(name, namespace, backupSchedule, pruneSchedule='10 */4 * * *
       backend+: {
         // drop S3 config
         s3:: {},
-        volumeMounts: [
+        volumeMounts+: [
           {
             name: 'ssh-config',
             mountPath: '/home/k8up/.ssh',
@@ -169,9 +182,9 @@ local buildSchedule(name, namespace, backupSchedule, pruneSchedule='10 */4 * * *
 
 
   if params.backend_type == 's3' then
-    [ backupSecret, bucketSecret, schedule ]
+    [ backupSecret, bucketSecret, schedule ] + if params.customCA != null then [ customCA ] else []
   else if params.backend_type == 'sftp' then
-    [ backupSecret, sftpRepository, sftpConfig, sftpPodConfig, sftpSchedule ]
+    [ backupSecret, sftpRepository, sftpConfig, sftpPodConfig, sftpSchedule ] + if params.customCA != null then [ customCA ] else []
   else
     error "Backup backend type '%s' not supported by the component" % params.backend_type;
 

docs/modules/ROOT/pages/references/parameters.adoc

@@ -259,13 +259,13 @@ This means that if a resource type listed in `must_exist` is not found, the back
 For this reason, and because we trust the discovery process of the new dumper, we set the default value to an empty list and recommend to not use this feature until the issue is resolved.
 ====
 
-== tls_options
+== customCA
 
 [horizontal]
 type:: dict
 default:: `null`
 
-Set TLS options for accessig the backend.
+Configure a custom CA for connecting to the backend.
 
 == Example
 
@@ -276,9 +276,8 @@ parameters:
     images:
       object_dumper:
         tag: v…
-    tls_options:
-      caCert: |
-        -----BEGIN CERTIFICATE-----
-        MY AWESOME CA
-        -----END CERTIFICATE-----
+    customCA: |
+      -----BEGIN CERTIFICATE-----
+      MY AWESOME CA
+      -----END CERTIFICATE-----
 ----

tests/golden/sftp/cluster-backup/cluster-backup/10_object.yaml

@@ -238,11 +238,10 @@ spec:
       key: password
       name: objects-backup-password
     tlsOptions:
-      caCert: |
-        -----BEGIN CERTIFICATE-----
-        MY AWESOME CA
-        -----END CERTIFICATE-----
+      caCert: /mnt/ca/ca.crt
     volumeMounts:
+      - mountPath: /mnt/ca/
+        name: ca
       - mountPath: /home/k8up/.ssh
         name: ssh-config
       - mountPath: /home/k8up/.job
@@ -252,6 +251,10 @@ spec:
   backup:
     keepJobs: 5
     schedule: 25 * * * *
+    volumes:
+      - configMap:
+          name: k8up-custom-ca
+        name: ca
   check:
     schedule: 30 3 * * *
   podConfigRef:
@@ -261,3 +264,18 @@ spec:
       keepDaily: 30
       keepLast: 20
     schedule: 10 */4 * * *
+---
+apiVersion: v1
+data:
+  ca.crt: |
+    -----BEGIN CERTIFICATE-----
+    MY AWESOME CA
+    -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: cluster-backup
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: k8up-custom-ca
+  name: k8up-custom-ca
+  namespace: syn-cluster-backup

tests/golden/sftp/cluster-backup/cluster-backup/20_ocp4_etcd.yaml

@@ -247,11 +247,10 @@ spec:
       key: password
       name: etcd-backup-password
     tlsOptions:
-      caCert: |
-        -----BEGIN CERTIFICATE-----
-        MY AWESOME CA
-        -----END CERTIFICATE-----
+      caCert: /mnt/ca/ca.crt
     volumeMounts:
+      - mountPath: /mnt/ca/
+        name: ca
       - mountPath: /home/k8up/.ssh
         name: ssh-config
       - mountPath: /home/k8up/.job
@@ -261,6 +260,10 @@ spec:
   backup:
     keepJobs: 5
     schedule: 13 3 * * *
+    volumes:
+      - configMap:
+          name: k8up-custom-ca
+        name: ca
   check:
     schedule: 30 3 * * *
   podConfigRef:
@@ -270,3 +273,18 @@ spec:
       keepDaily: 30
       keepLast: 20
     schedule: 20 */4 * * *
+---
+apiVersion: v1
+data:
+  ca.crt: |
+    -----BEGIN CERTIFICATE-----
+    MY AWESOME CA
+    -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+  labels:
+    app.kubernetes.io/component: cluster-backup
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: k8up-custom-ca
+  name: k8up-custom-ca
+  namespace: syn-cluster-backup-etcd

tests/sftp.yml

@@ -18,8 +18,7 @@ parameters:
     sftp:
       ssh_known_hosts: |
         sftp.example.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPSszUbK2KmbjXKSWCajPlTCR8GBCElkd2I1ciBari3k
-    tls_options:
-      caCert: |
-        -----BEGIN CERTIFICATE-----
-        MY AWESOME CA
-        -----END CERTIFICATE-----
+    customCA: |
+      -----BEGIN CERTIFICATE-----
+      MY AWESOME CA
+      -----END CERTIFICATE-----