From 66c749892c5a92b2fccc87b4226a4dc81cc2f0b7 Mon Sep 17 00:00:00 2001 From: kouki Date: Tue, 17 Oct 2023 05:38:32 +0000 Subject: [PATCH] wip: enable tls for backup Signed-off-by: kouki --- cmd/moco-backup/cmd/root.go | 37 ++++++++++++++++---- e2e/backup_test.go | 7 ++-- e2e/minio.yaml | 68 +++++++++++++++++++++++++++--------- e2e/testdata/backup.yaml | 28 +++++++-------- e2e/testdata/makebucket.yaml | 34 ++++++++++++++++++ 5 files changed, 134 insertions(+), 40 deletions(-) create mode 100644 e2e/testdata/makebucket.yaml diff --git a/cmd/moco-backup/cmd/root.go b/cmd/moco-backup/cmd/root.go index a71419d1b..2abf72113 100644 --- a/cmd/moco-backup/cmd/root.go +++ b/cmd/moco-backup/cmd/root.go @@ -2,8 +2,11 @@ package cmd import ( "context" + "crypto/tls" + "crypto/x509" "errors" "fmt" + "net/http" "net/url" "os" @@ -15,12 +18,13 @@ import ( ) var commonArgs struct { - workDir string - threads int - region string - endpointURL string - usePathStyle bool - backendType string + workDir string + threads int + region string + endpointURL string + usePathStyle bool + backendType string + caCertFilePath string } func makeBucket(bucketName string) (bucket.Bucket, error) { @@ -45,6 +49,26 @@ func makeS3Bucket(bucketName string) (bucket.Bucket, error) { if commonArgs.usePathStyle { opts = append(opts, bucket.WithPathStyle()) } + if len(commonArgs.caCertFilePath) > 0 { + caCertFile, err := os.ReadFile(commonArgs.caCertFilePath) + if err != nil { + return nil, err + } + caCertPool, err := x509.SystemCertPool() + if err != nil { + return nil, err + } + if ok := caCertPool.AppendCertsFromPEM(caCertFile); !ok { + return nil, fmt.Errorf("failed to add ca cert") + } + transport := http.DefaultTransport.(*http.Transport).Clone() + transport.TLSClientConfig = &tls.Config{ + RootCAs: caCertPool, + } + opts = append(opts, bucket.WithHTTPClient(&http.Client{ + Transport: transport, + })) + } return bucket.NewS3Bucket(bucketName, opts...) } 
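Review bot: In the new `if len(commonArgs.caCertFilePath) > 0` branch the cloned transport's `TLSClientConfig` is overwritten with a config that carries only `RootCAs`, so any TLS settings already present on `http.DefaultTransport` are discarded and no minimum protocol version is pinned; set the fields on the existing config (creating it only when nil) and add `MinVersion: tls.VersionTLS12`. The error paths also hide which file was at fault: the `os.ReadFile` and `SystemCertPool` errors are returned unwrapped, and the `AppendCertsFromPEM` failure says only "failed to add ca cert", so an empty or DER-encoded CA file is hard to diagnose from the job log. Because the custom roots are appended to the system pool, the client keeps trusting every system CA in addition to the supplied one, which is presumably intended for the e2e MinIO setup but deserves a comment. `makeS3Bucket` begins before this hunk.
```go
	if len(commonArgs.caCertFilePath) > 0 {
		caCertFile, err := os.ReadFile(commonArgs.caCertFilePath)
		if err != nil {
			return nil, fmt.Errorf("reading CA cert file %q: %w", commonArgs.caCertFilePath, err)
		}
		// The supplied CA is added to, not substituted for, the system trust store.
		caCertPool, err := x509.SystemCertPool()
		if err != nil {
			return nil, fmt.Errorf("loading system cert pool: %w", err)
		}
		if ok := caCertPool.AppendCertsFromPEM(caCertFile); !ok {
			return nil, fmt.Errorf("no PEM certificates found in %q", commonArgs.caCertFilePath)
		}
		transport := http.DefaultTransport.(*http.Transport).Clone()
		// Keep whatever TLS settings the default transport already has; only add roots and a version floor.
		if transport.TLSClientConfig == nil {
			transport.TLSClientConfig = &tls.Config{}
		}
		transport.TLSClientConfig.RootCAs = caCertPool
		transport.TLSClientConfig.MinVersion = tls.VersionTLS12
		opts = append(opts, bucket.WithHTTPClient(&http.Client{Transport: transport}))
	}
```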
@@ -95,4 +119,5 @@ func init() { pf.StringVar(&commonArgs.endpointURL, "endpoint", "", "Object storage API endpoint URL") pf.BoolVar(&commonArgs.usePathStyle, "use-path-style", false, "Use path-style S3 API") pf.StringVar(&commonArgs.backendType, "backend-type", "s3", "The identifier for the object storage to be used.") + pf.StringVar(&commonArgs.caCertFilePath, "ca-cert-file-path", "", "The file path using ca-certs") } diff --git a/e2e/backup_test.go b/e2e/backup_test.go index d9e6cdffd..650b949ba 100644 --- a/e2e/backup_test.go +++ b/e2e/backup_test.go @@ -19,6 +19,9 @@ import ( metav1 "k8s.io/apimachinery/pkg/apis/meta/v1" ) +//go:embed testdata/makebucket.yaml +var makeBucketYAML string + //go:embed testdata/backup.yaml var backupYAML string @@ -33,9 +36,7 @@ var _ = Context("backup", func() { var restorePoint time.Time It("should create a bucket", func() { - kubectlSafe(nil, "run", "--command", "make-bucket", "--image=moco-backup:dev", "--", - "s3cmd", "--host=minio.default.svc:9000", "--host-bucket=minio.default.svc:9000", "--no-ssl", - "--access_key=minioadmin", "--secret_key=minioadmin", "mb", "s3://moco") + kubectlSafe([]byte(makeBucketYAML), "apply", "-f", "-") }) It("should construct a source cluster", func() { diff --git a/e2e/minio.yaml b/e2e/minio.yaml index 64bc6ee70..0f99ad3d3 100644 --- a/e2e/minio.yaml +++ b/e2e/minio.yaml @@ -1,3 +1,25 @@ +apiVersion: cert-manager.io/v1 +kind: Issuer +metadata: + namespace: default + name: default-selfsigned-issuer +spec: + selfSigned: {} +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + namespace: default + name: minio-cert +spec: + commonName: minio cert + issuerRef: + kind: Issuer + name: default-selfsigned-issuer + secretName: minio-cert + dnsNames: + - minio.default.svc +--- apiVersion: v1 kind: Service metadata: 
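Review bot: The help text for the new `--ca-cert-file-path` flag, "The file path using ca-certs", does not tell the operator what the file must contain or what it is used for, and this flag now decides which server certificates the backup job will accept; make that explicit: `pf.StringVar(&commonArgs.caCertFilePath, "ca-cert-file-path", "", "Path to a PEM file of additional CA certificates to trust when verifying the object storage endpoint's TLS certificate")`. It is also worth saying in the help that the file is added to the system trust store rather than replacing it, since that is what `makeS3Bucket` does with it.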
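Review bot: `kubectlSafe([]byte(makeBucketYAML), "apply", "-f", "-")` returns as soon as the Job object is accepted, not when the bucket exists, so the "should create a bucket" step no longer asserts anything about the bucket, and a TLS or credential failure inside the Job would only surface later as a less specific backup failure. Following the apply with a wait, e.g. `kubectlSafe(nil, "wait", "--for=condition=complete", "--timeout=60s", "job/make-bucket")`, keeps the failure at the step that caused it. The previous `kubectl run` invocation had the same limitation, so this is not a regression introduced by the patch; the enclosing `Context` body continues outside the hunk.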
@@ -5,10 +27,10 @@ metadata: name: minio spec: ports: - - name: minio - port: 9000 - targetPort: minio - protocol: TCP + - name: minio + port: 9000 + targetPort: minio + protocol: TCP selector: name: minio --- @@ -21,18 +43,30 @@ metadata: name: minio spec: containers: - - name: minio - image: minio/minio - args: - - server - - /data - ports: - name: minio - containerPort: 9000 - protocol: TCP - volumeMounts: - - name: data - mountPath: /data + image: minio/minio + args: + - server + - /data + ports: + - name: minio + containerPort: 9000 + protocol: TCP + volumeMounts: + - name: data + mountPath: /data + - name: secret-volume + mountPath: /root/.minio/certs volumes: - - name: data - emptyDir: {} + - name: data + emptyDir: {} + - name: secret-volume + secret: + secretName: minio-cert + items: + - key: ca.crt + path: public.crt + - key: tls.key + path: private.key + - key: ca.crt + path: CAs/public.crt diff --git a/e2e/testdata/backup.yaml b/e2e/testdata/backup.yaml index dfebab319..1bf0bfebf 100644 --- a/e2e/testdata/backup.yaml +++ b/e2e/testdata/backup.yaml @@ -27,13 +27,13 @@ spec: jobConfig: serviceAccountName: backup-owner env: - - name: AWS_ACCESS_KEY_ID - value: minioadmin - - name: AWS_SECRET_ACCESS_KEY - value: minioadmin + - name: AWS_ACCESS_KEY_ID + value: minioadmin + - name: AWS_SECRET_ACCESS_KEY + value: minioadmin bucketConfig: bucketName: moco - endpointURL: http://minio.default.svc:9000 + endpointURL: https://minio.default.svc:9000 usePathStyle: true workVolume: emptyDir: {} @@ -50,13 +50,13 @@ spec: podTemplate: spec: containers: - - name: mysqld - image: ghcr.io/cybozu-go/moco/mysql:{{ . }} + - name: mysqld + image: ghcr.io/cybozu-go/moco/mysql:{{ . }} volumeClaimTemplates: - - metadata: - name: mysql-data - spec: - accessModes: [ "ReadWriteOnce" ] - resources: - requests: - storage: 1Gi + - metadata: + name: mysql-data + spec: + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 1Gi 
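Review bot: The `secret-volume` items map `ca.crt` to `public.crt`, i.e. MinIO is told to present the CA certificate as its own server certificate; this only works because `minio-cert` comes from a `selfSigned` Issuer, where cert-manager writes the same self-signed leaf into both `ca.crt` and `tls.crt`. Mapping `tls.crt` instead (`- key: tls.crt` / `path: public.crt`) yields the same bytes today and keeps working if the Issuer is later switched to a CA-backed one, where `ca.crt` would no longer pair with `private.key`. The `CAs/public.crt` entry configures trust for MinIO's own outbound connections, which nothing in this change appears to use, so it could be dropped or given a comment explaining why it is needed. Whether `/root/.minio/certs` is the directory this `minio/minio` image actually reads depends on the user and HOME the container runs as, which the manifest does not pin.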
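Review bot: `endpointURL` is switched to `https://minio.default.svc:9000`, but `bucketConfig` carries no reference to the CA that signs that endpoint's certificate, and the `--ca-cert-file-path` flag this patch adds to moco-backup is not set anywhere in the manifest; unless the controller injects it elsewhere, the backup job will verify the self-signed MinIO certificate against the system trust store alone and fail the handshake. Given the `wip` subject this may simply be unfinished, but the `minio-cert` secret presumably has to reach the job as a mounted file plus a flag or field before the e2e can pass. The `minioadmin` access key and secret remain inline env values; acceptable for test data against the MinIO defaults, but a `secretKeyRef` would keep the example from being copied verbatim into a real BackupPolicy.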
diff --git a/e2e/testdata/makebucket.yaml b/e2e/testdata/makebucket.yaml new file mode 100644 index 000000000..43ec390e6 --- /dev/null +++ b/e2e/testdata/makebucket.yaml @@ -0,0 +1,34 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: make-bucket + namespace: default +spec: + template: + spec: + restartPolicy: OnFailure + containers: + - command: + - s3cmd + - --host=minio.default.svc:9000 + - --host-bucket=minio.default.svc:9000 + - --access_key=minioadmin + - --secret_key=minioadmin + - --ssl + - --no-check-certificate + - --ca-certs=/minio-cert/ca.crt + - mb + - s3://moco + image: moco-backup:dev + imagePullPolicy: IfNotPresent + name: make-bucket + volumeMounts: + - name: minio-cert + mountPath: /minio-cert + volumes: + - name: minio-cert + secret: + secretName: minio-cert + items: + - key: ca.crt + path: ca.crt
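Review bot: `--no-check-certificate` in the `s3cmd` command turns off server certificate verification, which makes the `--ca-certs=/minio-cert/ca.crt` argument and the mounted `minio-cert` volume inert and means this Job never exercises the trust path the rest of the patch sets up. Since the Certificate's `dnsNames` includes `minio.default.svc`, the host s3cmd connects to, verification against `ca.crt` should succeed; drop the `- --no-check-certificate` line and keep `- --ssl` and `- --ca-certs=/minio-cert/ca.crt`, so a broken CA or SAN fails here rather than in the backup step. The access key and secret appear in the Pod's command line, readable by anyone who can list Pods in `default`; fine for the MinIO defaults in an e2e fixture, but worth a `# test-only credentials` comment so they are not mistaken for a pattern to copy.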