wip: enable tls for backup

Signed-off-by: kouki <[email protected]>
cybozu-go · Oct 18, 2023 · 66c7498 · 66c7498
1 parent 8b8123d
commit 66c7498
Show file tree

Hide file tree

Showing 5 changed files with 134 additions and 40 deletions.
diff --git a/cmd/moco-backup/cmd/root.go b/cmd/moco-backup/cmd/root.go
@@ -2,8 +2,11 @@ package cmd
 
 import (
  "context"
+ "crypto/tls"
+ "crypto/x509"
  "errors"
  "fmt"
+ "net/http"
  "net/url"
  "os"
 
@@ -15,12 +18,13 @@ import (
 )
 
 var commonArgs struct {
- workDir string
- threads int
- region string
- endpointURL string
- usePathStyle bool
- backendType string
+ workDir string
+ threads int
+ region string
+ endpointURL string
+ usePathStyle bool
+ backendType string
+ caCertFilePath string
 }
 
 func makeBucket(bucketName string) (bucket.Bucket, error) {
@@ -45,6 +49,26 @@ func makeS3Bucket(bucketName string) (bucket.Bucket, error) {
  if commonArgs.usePathStyle {
  opts = append(opts, bucket.WithPathStyle())
  }
+ if len(commonArgs.caCertFilePath) > 0 {
+ caCertFile, err := os.ReadFile(commonArgs.caCertFilePath)
+ if err != nil {
+ return nil, err
+ }
+ caCertPool, err := x509.SystemCertPool()
+ if err != nil {
+ return nil, err
+ }
+ if ok := caCertPool.AppendCertsFromPEM(caCertFile); !ok {
+ return nil, fmt.Errorf("failed to add ca cert")
+ }
+ transport := http.DefaultTransport.(*http.Transport).Clone()
+ transport.TLSClientConfig = &tls.Config{
+ RootCAs: caCertPool,
+ }
+ opts = append(opts, bucket.WithHTTPClient(&http.Client{
+ Transport: transport,
+ }))
+ }
  return bucket.NewS3Bucket(bucketName, opts...)
 }
 
@@ -95,4 +119,5 @@ func init() {
  pf.StringVar(&commonArgs.endpointURL, "endpoint", "", "Object storage API endpoint URL")
  pf.BoolVar(&commonArgs.usePathStyle, "use-path-style", false, "Use path-style S3 API")
  pf.StringVar(&commonArgs.backendType, "backend-type", "s3", "The identifier for the object storage to be used.")
+ pf.StringVar(&commonArgs.caCertFilePath, "ca-cert-file-path", "", "The file path using ca-certs")
 }
diff --git a/e2e/backup_test.go b/e2e/backup_test.go
@@ -19,6 +19,9 @@ import (
  metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+//go:embed testdata/makebucket.yaml
+var makeBucketYAML string
+
 //go:embed testdata/backup.yaml
 var backupYAML string
 
@@ -33,9 +36,7 @@ var _ = Context("backup", func() {
  var restorePoint time.Time
 
  It("should create a bucket", func() {
- kubectlSafe(nil, "run", "--command", "make-bucket", "--image=moco-backup:dev", "--",
- "s3cmd", "--host=minio.default.svc:9000", "--host-bucket=minio.default.svc:9000", "--no-ssl",
- "--access_key=minioadmin", "--secret_key=minioadmin", "mb", "s3://moco")
+ kubectlSafe([]byte(makeBucketYAML), "apply", "-f", "-")
  })
 
  It("should construct a source cluster", func() {

diff --git a/e2e/minio.yaml b/e2e/minio.yaml
@@ -1,14 +1,36 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ namespace: default
+ name: default-selfsigned-issuer
+spec:
+ selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ namespace: default
+ name: minio-cert
+spec:
+ commonName: minio cert
+ issuerRef:
+ kind: Issuer
+ name: default-selfsigned-issuer
+ secretName: minio-cert
+ dnsNames:
+ - minio.default.svc
+---
 apiVersion: v1
 kind: Service
 metadata:
  namespace: default
  name: minio
 spec:
  ports:
- - name: minio
- port: 9000
- targetPort: minio
- protocol: TCP
+  - name: minio
+  port: 9000
+  targetPort: minio
+  protocol: TCP
  selector:
  name: minio
 ---
@@ -21,18 +43,30 @@ metadata:
  name: minio
 spec:
  containers:
- - name: minio
- image: minio/minio
- args:
- - server
- - /data
- ports:
  - name: minio
- containerPort: 9000
- protocol: TCP
- volumeMounts:
- - name: data
- mountPath: /data
+ image: minio/minio
+ args:
+ - server
+ - /data
+ ports:
+ - name: minio
+ containerPort: 9000
+ protocol: TCP
+ volumeMounts:
+ - name: data
+ mountPath: /data
+ - name: secret-volume
+ mountPath: /root/.minio/certs
  volumes:
- - name: data
- emptyDir: {}
+ - name: data
+ emptyDir: {}
+ - name: secret-volume
+ secret:
+ secretName: minio-cert
+ items:
+ - key: ca.crt
+ path: public.crt
+ - key: tls.key
+ path: private.key
+ - key: ca.crt
+ path: CAs/public.crt
diff --git a/e2e/testdata/backup.yaml b/e2e/testdata/backup.yaml
@@ -27,13 +27,13 @@ spec:
  jobConfig:
  serviceAccountName: backup-owner
  env:
- - name: AWS_ACCESS_KEY_ID
- value: minioadmin
- - name: AWS_SECRET_ACCESS_KEY
- value: minioadmin
+  - name: AWS_ACCESS_KEY_ID
+  value: minioadmin
+  - name: AWS_SECRET_ACCESS_KEY
+  value: minioadmin
  bucketConfig:
  bucketName: moco
- endpointURL: http://minio.default.svc:9000
+ endpointURL: https://minio.default.svc:9000
  usePathStyle: true
  workVolume:
  emptyDir: {}
@@ -50,13 +50,13 @@ spec:
  podTemplate:
  spec:
  containers:
- - name: mysqld
- image: ghcr.io/cybozu-go/moco/mysql:{{ . }}
+  - name: mysqld
+  image: ghcr.io/cybozu-go/moco/mysql:{{ . }}
  volumeClaimTemplates:
- - metadata:
- name: mysql-data
- spec:
- accessModes: [ "ReadWriteOnce" ]
- resources:
- requests:
- storage: 1Gi
+  - metadata:
+  name: mysql-data
+  spec:
+  accessModes: ["ReadWriteOnce"]
+  resources:
+  requests:
+  storage: 1Gi
diff --git a/e2e/testdata/makebucket.yaml b/e2e/testdata/makebucket.yaml
@@ -0,0 +1,34 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+ name: make-bucket
+ namespace: default
+spec:
+ template:
+ spec:
+ restartPolicy: OnFailure
+ containers:
+ - command:
+ - s3cmd
+ - --host=minio.default.svc:9000
+ - --host-bucket=minio.default.svc:9000
+ - --access_key=minioadmin
+ - --secret_key=minioadmin
+ - --ssl
+ - --no-check-certificate
+ - --ca-certs=/minio-cert/ca.crt
+ - mb
+ - s3://moco
+ image: moco-backup:dev
+ imagePullPolicy: IfNotPresent
+ name: make-bucket
+ volumeMounts:
+ - name: minio-cert
+ mountPath: /minio-cert
+ volumes:
+ - name: minio-cert
+ secret:
+ secretName: minio-cert
+ items:
+ - key: ca.crt
+ path: ca.crt