Merge pull request #580 from cybozu-go/backup-enable-tls

Add tls settings for BackupPolicy

CHANGELOG.md

@@ -5,6 +5,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+### Added
+- Add tls settings for BackupPolicy [#580](https://github.com/cybozu-go/moco/pull/580)
+
 ## [0.17.0] - 2023-09-11
 
 ### Breaking Changes

api/v1beta1/job_types.go

@@ -218,4 +218,8 @@ type BucketConfig struct {
  // +kubebuilder:default=s3
  // +optional
  BackendType string `json:"backendType,omitempty"`
+
+ // Path to SSL CA certificate file used in addition to system default.
+ // +optional
+ CaCert string `json:"caCert,omitempty"`
 }

api/v1beta2/job_types.go

@@ -201,6 +201,10 @@ type BucketConfig struct {
  // +kubebuilder:default=s3
  // +optional
  BackendType string `json:"backendType,omitempty"`
+
+ // Path to SSL CA certificate file used in addition to system default.
+ // +optional
+ CaCert string `json:"caCert,omitempty"`
 }
 
 // AffinityApplyConfiguration is the type defined to implement the DeepCopy method.

charts/moco/templates/generated/crds/moco_crds.yaml

@@ -422,6 +422,9 @@ spec:
  description: The name of the bucket
  minLength: 1
  type: string
+ caCert:
+ description: Path to SSL CA certificate file used in addition t
+ type: string
  endpointURL:
  description: The API endpoint URL.
  pattern: ^https?://.*
@@ -2452,6 +2455,9 @@ spec:
  description: The name of the bucket
  minLength: 1
  type: string
+ caCert:
+ description: Path to SSL CA certificate file used in addition t
+ type: string
  endpointURL:
  description: The API endpoint URL.
  pattern: ^https?://.*
@@ -7722,6 +7728,9 @@ spec:
  description: The name of the bucket
  minLength: 1
  type: string
+ caCert:
+ description: Path to SSL CA certificate file used in addition t
+ type: string
  endpointURL:
  description: The API endpoint URL.
  pattern: ^https?://.*
@@ -13606,6 +13615,9 @@ spec:
  description: The name of the bucket
  minLength: 1
  type: string
+ caCert:
+ description: Path to SSL CA certificate file used in addition t
+ type: string
  endpointURL:
  description: The API endpoint URL.
  pattern: ^https?://.*

cmd/moco-backup/cmd/root.go

@@ -2,8 +2,11 @@ package cmd
 
 import (
  "context"
+ "crypto/tls"
+ "crypto/x509"
  "errors"
  "fmt"
+ "net/http"
  "net/url"
  "os"
 
@@ -15,12 +18,13 @@ import (
 )
 
 var commonArgs struct {
- workDir string
- threads int
- region string
- endpointURL string
- usePathStyle bool
- backendType string
+ workDir string
+ threads int
+ region string
+ endpointURL string
+ usePathStyle bool
+ backendType string
+ caCertFilePath string
 }
 
 func makeBucket(bucketName string) (bucket.Bucket, error) {
@@ -45,6 +49,27 @@ func makeS3Bucket(bucketName string) (bucket.Bucket, error) {
  if commonArgs.usePathStyle {
  opts = append(opts, bucket.WithPathStyle())
  }
+ if len(commonArgs.caCertFilePath) > 0 {
+ caCertFile, err := os.ReadFile(commonArgs.caCertFilePath)
+ if err != nil {
+ return nil, err
+ }
+ caCertPool, err := x509.SystemCertPool()
+ if err != nil {
+ return nil, err
+ }
+ if ok := caCertPool.AppendCertsFromPEM(caCertFile); !ok {
+ return nil, fmt.Errorf("failed to add ca cert")
+ }
+ transport := http.DefaultTransport.(*http.Transport).Clone()
+ if transport.TLSClientConfig == nil {
+ transport.TLSClientConfig = &tls.Config{}
+ }
+ transport.TLSClientConfig.RootCAs = caCertPool
+ opts = append(opts, bucket.WithHTTPClient(&http.Client{
+ Transport: transport,
+ }))
+ }
  return bucket.NewS3Bucket(bucketName, opts...)
 }
 
@@ -95,4 +120,5 @@ func init() {
  pf.StringVar(&commonArgs.endpointURL, "endpoint", "", "Object storage API endpoint URL")
  pf.BoolVar(&commonArgs.usePathStyle, "use-path-style", false, "Use path-style S3 API")
  pf.StringVar(&commonArgs.backendType, "backend-type", "s3", "The identifier for the object storage to be used.")
+ pf.StringVar(&commonArgs.caCertFilePath, "ca-cert", "", "Path to SSL CA certificate file used in addition to system default")
 }

config/crd/bases/moco.cybozu.com_backuppolicies.yaml

@@ -462,6 +462,10 @@ spec:
  description: The name of the bucket
  minLength: 1
  type: string
+ caCert:
+ description: Path to SSL CA certificate file used in addition
+ t
+ type: string
  endpointURL:
  description: The API endpoint URL.
  pattern: ^https?://.*
@@ -2649,6 +2653,10 @@ spec:
  description: The name of the bucket
  minLength: 1
  type: string
+ caCert:
+ description: Path to SSL CA certificate file used in addition
+ t
+ type: string
  endpointURL:
  description: The API endpoint URL.
  pattern: ^https?://.*

config/crd/bases/moco.cybozu.com_mysqlclusters.yaml

@@ -3999,6 +3999,10 @@ spec:
  description: The name of the bucket
  minLength: 1
  type: string
+ caCert:
+ description: Path to SSL CA certificate file used in addition
+ t
+ type: string
  endpointURL:
  description: The API endpoint URL.
  pattern: ^https?://.*
@@ -10430,6 +10434,10 @@ spec:
  description: The name of the bucket
  minLength: 1
  type: string
+ caCert:
+ description: Path to SSL CA certificate file used in addition
+ t
+ type: string
  endpointURL:
  description: The API endpoint URL.
  pattern: ^https?://.*

config/crd/tests/apiextensions.k8s.io_v1_customresourcedefinition_backuppolicies.moco.cybozu.com.yaml

@@ -461,6 +461,10 @@ spec:
  description: The name of the bucket
  minLength: 1
  type: string
+ caCert:
+ description: Path to SSL CA certificate file used in addition
+ t
+ type: string
  endpointURL:
  description: The API endpoint URL.
  pattern: ^https?://.*
@@ -2648,6 +2652,10 @@ spec:
  description: The name of the bucket
  minLength: 1
  type: string
+ caCert:
+ description: Path to SSL CA certificate file used in addition
+ t
+ type: string
  endpointURL:
  description: The API endpoint URL.
  pattern: ^https?://.*

config/crd/tests/apiextensions.k8s.io_v1_customresourcedefinition_mysqlclusters.moco.cybozu.com.yaml

@@ -4009,6 +4009,10 @@ spec:
  description: The name of the bucket
  minLength: 1
  type: string
+ caCert:
+ description: Path to SSL CA certificate file used in addition
+ t
+ type: string
  endpointURL:
  description: The API endpoint URL.
  pattern: ^https?://.*
@@ -10440,6 +10444,10 @@ spec:
  description: The name of the bucket
  minLength: 1
  type: string
+ caCert:
+ description: Path to SSL CA certificate file used in addition
+ t
+ type: string
  endpointURL:
  description: The API endpoint URL.
  pattern: ^https?://.*

controllers/mysqlcluster_controller.go

@@ -997,6 +997,9 @@ func bucketArgs(bc mocov1beta2.BucketConfig) []string {
  if bc.BackendType != "" {
  args = append(args, "--backend-type="+bc.BackendType)
  }
+ if bc.CaCert != "" {
+ args = append(args, "--ca-cert="+bc.CaCert)
+ }
 
  return append(args, bc.BucketName)
 }

docs/crd_backuppolicy_v1beta1.md

@@ -60,6 +60,7 @@ BucketConfig is a set of parameter to access an object storage bucket.
 | endpointURL | The API endpoint URL. Set this for non-S3 object storages. | string | false |
 | usePathStyle | Allows you to enable the client to use path-style addressing, i.e., https?://ENDPOINT/BUCKET/KEY. By default, a virtual-host addressing is used (https?://BUCKET.ENDPOINT/KEY). | bool | false |
 | backendType | BackendType is an identifier for the object storage to be used. | string | false |
+| caCert | Path to SSL CA certificate file used in addition to system default. | string | false |
 
 [Back to Custom Resources](#custom-resources)
 

docs/crd_backuppolicy_v1beta2.md

@@ -60,6 +60,7 @@ BucketConfig is a set of parameter to access an object storage bucket.
 | endpointURL | The API endpoint URL. Set this for non-S3 object storages. | string | false |
 | usePathStyle | Allows you to enable the client to use path-style addressing, i.e., https?://ENDPOINT/BUCKET/KEY. By default, a virtual-host addressing is used (https?://BUCKET.ENDPOINT/KEY). | bool | false |
 | backendType | BackendType is an identifier for the object storage to be used. | string | false |
+| caCert | Path to SSL CA certificate file used in addition to system default. | string | false |
 
 [Back to Custom Resources](#custom-resources)
 

docs/crd_mysqlcluster_v1beta1.md

@@ -181,6 +181,7 @@ BucketConfig is a set of parameter to access an object storage bucket.
 | endpointURL | The API endpoint URL. Set this for non-S3 object storages. | string | false |
 | usePathStyle | Allows you to enable the client to use path-style addressing, i.e., https?://ENDPOINT/BUCKET/KEY. By default, a virtual-host addressing is used (https?://BUCKET.ENDPOINT/KEY). | bool | false |
 | backendType | BackendType is an identifier for the object storage to be used. | string | false |
+| caCert | Path to SSL CA certificate file used in addition to system default. | string | false |
 
 [Back to Custom Resources](#custom-resources)
 

docs/crd_mysqlcluster_v1beta2.md

@@ -195,6 +195,7 @@ BucketConfig is a set of parameter to access an object storage bucket.
 | endpointURL | The API endpoint URL. Set this for non-S3 object storages. | string | false |
 | usePathStyle | Allows you to enable the client to use path-style addressing, i.e., https?://ENDPOINT/BUCKET/KEY. By default, a virtual-host addressing is used (https?://BUCKET.ENDPOINT/KEY). | bool | false |
 | backendType | BackendType is an identifier for the object storage to be used. | string | false |
+| caCert | Path to SSL CA certificate file used in addition to system default. | string | false |
 
 [Back to Custom Resources](#custom-resources)
 

docs/moco-backup.md

@@ -19,6 +19,7 @@ Global Flags:
  --threads int The number of threads to be used (default 4)
  --use-path-style Use path-style S3 API
  --work-dir string The writable working directory (default "/work")
+ --ca-cert string Path to SSL CA certificate file used in addition to system default
 ```
 
 ## Subcommands

e2e/Makefile

@@ -48,6 +48,7 @@ endif
  $(KUSTOMIZE) build . | $(KUBECTL) apply -f -
  $(KUBECTL) -n moco-system wait --for=condition=available --timeout=180s --all deployments
  $(KUBECTL) apply -f minio.yaml
+ $(KUBECTL) apply -f minio-tls.yaml
  $(KUBECTL) apply -f fake-gcs-server.yaml
  $(KUBECTL) wait --timeout=60s --for=condition=Ready --all pods