- Notifications
You must be signed in to change notification settings - Fork72
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to ourterms of service andprivacy statement. We’ll occasionally send you account related emails.
Already on GitHub?Sign in to your account
Enhancement: added --insecure-tls#926
Open
eunames wants to merge5 commits intok8up-io:masterChoose a base branch
base:master
Could not load branches
Branch not found:{{ refName }}
Loading
Could not load tags
Nothing to show
Loading
Are you sure you want to change the base?
Some commits from the old base branch may be removed from the timeline, and old review comments may become outdated.
Open
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.Learn more about bidirectional Unicode characters
Kidswiss requested changesMar 6, 2024
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others.Learn more.
Hi@eunames
Thank you for the PR!
I feel like adding this as an operator level configuration is not very flexible. With this each and every backup either has it enabled or disabled.
This might be fine for a k8s cluster with only one tenant, however K8up is frequently used in a multi-tenant environment. Setting a security critical configuration globally is not a good idea in such a scenario, as it could compromise the security of the tenants.
So instead, it would be the more flexible approach to add a new flag in the backup CRD and then setSET_INSECURE_TLS_FLAG accordingly on the restic jobs. This way each tenant can configure the setting for each backup individually.
Can you please have a look at my suggestion? From what you already have it shouldn't be too hard to add it to the CRD and pass it to the restic jobs.
Hi template:spec:containers: -args: -operatorenv: -name:BACKUP_ENABLE_LEADER_ELECTIONvalue:"true" -name:BACKUP_OPERATOR_NAMESPACEvalueFrom:fieldRef:apiVersion:v1fieldPath:metadata.namespace -name:SET_INSECURE_TLS_FLAGvalue:"true" Or/and in the backup card set a flag insecureTLS apiVersion:k8up.io/v1kind:Backupmetadata:name:backup-truespec:failedJobsHistoryLimit:2successfulJobsHistoryLimit:2backend:repoPasswordSecretRef:.....insecureTLS:trues3:.... A value TRUE in the operator level has priority over a value FALSE in the backup card But I'm not sure that I've considered all the options when customer can use an insecire connection!!! and testing...... Sorry :( |
This feels somewhat like the wrong way around. All other operator level options have less precedence than the options in the backup object. Also, are you still testing, or is this ready for a re-review from my side? |
Ready. |
You're right, a few tests are currently failing. Could you take a look at them? |
commit1e7871cMerge:d996d160f1228fAuthor: Bigli <9610820+TheBigLee@users.noreply.github.com>Date: Tue May 28 13:17:19 2024 +0200 Merge pull requestk8up-io#974 from k8up-io/gh/pr_template_co_sign Adjust the PR template to include signing off the commitscommit0f1228fAuthor: Nicolas Bigler <nicolas.bigler@vshn.ch>Date: Tue May 28 12:44:20 2024 +0200 Adjust the PR template to include signing off the commits Signed-off-by: Nicolas Bigler <nicolas.bigler@vshn.ch>commitd996d16Merge:0b29883c0efc71Author: Bigli <9610820+TheBigLee@users.noreply.github.com>Date: Tue May 28 12:41:08 2024 +0200 Merge pull requestk8up-io#967 from SchoolGuy/add-grafana-dashboard feat: Helm - Grafana Dashboardcommitc0efc71Author: Enno Gotthold <matrixfueller@gmail.com>Date: Thu May 9 12:35:41 2024 +0200 [ADD] Helm - Grafana Dashboard Signed-off-by: Enno Gotthold <matrixfueller@gmail.com> Signed-off-by: Nicolas Bigler <nicolas.bigler@vshn.ch>commit0b29883Merge:60e75b6f6648ddAuthor: Bigli <9610820+TheBigLee@users.noreply.github.com>Date: Tue May 28 10:18:14 2024 +0200 Merge pull requestk8up-io#971 from k8up-io/tutorial/update_crd_version Update the tutorial to the latest k8up versioncommitf6648ddAuthor: Nicolas Bigler <nicolas.bigler@vshn.ch>Date: Mon May 27 15:31:27 2024 +0200 Update the tutorial to the latest k8up version Signed-off-by: Nicolas Bigler <nicolas.bigler@vshn.ch>commit60e75b6Merge:212a033162e16bAuthor: Kidswiss <simon.beck@vshn.ch>Date: Wed May 15 10:20:29 2024 +0200 Merge pull requestk8up-io#969 from k8up-io/bump_chart Bump K8up versioncommit162e16bAuthor: Simon Beck <simon.beck@vshn.ch>Date: Wed May 15 09:45:16 2024 +0200 Bump K8up version Signed-off-by: Simon Beck <simon.beck@vshn.ch>commit212a033Merge:2ddb6eec8e9202Author: Kidswiss <simon.beck@vshn.ch>Date: Wed May 15 09:36:03 2024 +0200 Merge pull requestk8up-io#968 from k8up-io/add/pod_spec Add full podSpec to all job typescommitc8e9202Author: Simon Beck <simon.beck@vshn.ch>Date: Wed May 15 09:04:58 2024 +0200 Remove unnecessary RBAC Signed-off-by: Simon Beck <simon.beck@vshn.ch>commitd21f019Author: Simon Beck <simon.beck@vshn.ch>Date: Tue May 14 16:01:26 2024 +0200 Correctly flag test for integration Signed-off-by: Simon Beck <simon.beck@vshn.ch>commitedea9f6Author: Simon Beck <simon.beck@vshn.ch>Date: Tue May 14 15:29:02 2024 +0200 Add make test to actions Signed-off-by: Simon Beck <simon.beck@vshn.ch>commit21494caAuthor: Simon Beck <simon.beck@vshn.ch>Date: Mon May 13 13:26:56 2024 +0200 Add docs Signed-off-by: Simon Beck <simon.beck@vshn.ch>commit2666a12Author: Simon Beck <simon.beck@vshn.ch>Date: Mon May 13 12:50:07 2024 +0200 Fix using the index to delay execution It did not actually do a staggered delay for each instance. Signed-off-by: Simon Beck <simon.beck@vshn.ch>commitdd9f657Author: Simon Beck <simon.beck@vshn.ch>Date: Mon May 13 12:49:52 2024 +0200 Add full podSpec to all job types With this commit it's now possible to specify a full podSpec for each job type available. Signed-off-by: Simon Beck <simon.beck@vshn.ch>commit2ddb6eeMerge:5ab0be415f78acAuthor: Kidswiss <simon.beck@vshn.ch>Date: Tue Apr 30 15:34:54 2024 +0200 Merge pull requestk8up-io#963 from k8up-io/bump-chart Bump versions in the chartcommit15f78acAuthor: Simon Beck <simon.beck@vshn.ch>Date: Tue Apr 30 15:10:27 2024 +0200 Bump versions in the chart Signed-off-by: Simon Beck <simon.beck@vshn.ch>commit5ab0be4Merge:5d67b1651b7fd7Author: Kidswiss <simon.beck@vshn.ch>Date: Tue Apr 30 14:47:07 2024 +0200 Merge pull requestk8up-io#962 from amghazanfari/master bug: Add operator as mandatory argumentcommit51b7fd7Author: Amir M. Ghazanfari <a.m.ghazanfari76@gmail.com>Date: Sun Apr 28 12:37:15 2024 +0330 Add operator as mandatory argument Signed-off-by: amghazanfari <a.m.ghazanfari76@gmail.com> Signed-off-by: Amir Ghazanfari <a.ghazanfari@devopsyar.com>commit5d67b16Merge:2971c49ccd6bceAuthor: Kidswiss <simon.beck@vshn.ch>Date: Fri Apr 12 11:12:03 2024 +0200 Merge pull requestk8up-io#954 from M0NsTeRRR/master [enhancement] add support for dual stack clusterscommit2971c49Merge:108811880b2dddAuthor: Kidswiss <simon.beck@vshn.ch>Date: Fri Apr 12 10:22:25 2024 +0200 Merge pull requestk8up-io#949 from poyaz/feature/custom-tls [enhancement] Adding new feature for supporting self-signed certificatecommit80b2dddAuthor: poyaz <pooya_azarpour@yahoo.com>Date: Thu Apr 11 17:33:31 2024 +0330 [ADD] Add integration test for TLS and Mutual TLS options Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commitad78959Author: poyaz <pooya_azarpour@yahoo.com>Date: Thu Apr 11 17:32:40 2024 +0330 [FIX] Fix execute ps for alpine and BusyBox Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit1fc3b16Author: poyaz <pooya_azarpour@yahoo.com>Date: Thu Apr 11 17:32:05 2024 +0330 [UPDATE] Rename argument "--varDir" to "-varDir" Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commitdf889cbAuthor: poyaz <pooya_azarpour@yahoo.com>Date: Thu Apr 11 17:14:02 2024 +0330 [UPDATE] Add unit test for utils file and refactoring ZeroLen function Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit22de53eAuthor: poyaz <pooya_azarpour@yahoo.com>Date: Thu Apr 11 00:56:30 2024 +0330 [DELETE] Delete e2e test self signed tls becuase it has too many test case and spend too much time Move restore and archive test case to two separated files Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit7d121ffAuthor: poyaz <pooya_azarpour@yahoo.com>Date: Thu Apr 11 00:53:42 2024 +0330 [ADD] Add two e2e test for restore and archive Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commitdc9f803Author: poyaz <pooya_azarpour@yahoo.com>Date: Thu Apr 11 00:52:56 2024 +0330 [ADD] Add cmctl command for check cert-manager is ready Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit0acef98Author: poyaz <pooya_azarpour@yahoo.com>Date: Thu Apr 11 00:32:34 2024 +0330 [UPDATE] Refactoring code for duplciate fucntions in operators These functions is created in utils: - AppendTLSOptionsArgs: for generate env for backend and restore specs - AttachTLSVolumes: for create volumes for pods AttachTLSVolumeMounts: for create volumeMount for backend and restore specs Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commitb59589aAuthor: poyaz <pooya_azarpour@yahoo.com>Date: Thu Apr 11 00:30:11 2024 +0330 [UPDATE] Update documents because of changing options to tlsOptions Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit01cb120Author: Pooya Azarpour <pooya_azarpour@yahoo.com>Date: Mon Apr 8 14:21:24 2024 +0330 [CHANGE] Rename options to tlsOptions Signed-off-by: Pooya Azarpour <pooya_azarpour@yahoo.com>commit9b4216aAuthor: Pooya Azarpour <pooya_azarpour@yahoo.com>Date: Mon Apr 8 11:01:50 2024 +0330 [DELETE] Delete unnecessary error param in setupArgs function Signed-off-by: Pooya Azarpour <pooya_azarpour@yahoo.com>commitccd6bceAuthor: Ludovic Ortega <ludovic.ortega@adminafk.fr>Date: Sat Apr 6 17:59:17 2024 +0200 feat: add support for dual stack clusters Signed-off-by: Ludovic Ortega <ludovic.ortega@adminafk.fr>commitd1319f0Author: Pooya Azarpour <pooya_azarpour@yahoo.com>Date: Sat Apr 6 13:43:25 2024 +0330 [FIX] Fix typo and document's grammers Signed-off-by: Pooya Azarpour <pooya_azarpour@yahoo.com>commit8713c81Author: Pooya Azarpour <pooya_azarpour@yahoo.com>Date: Sat Apr 6 13:40:33 2024 +0330 [UPDATE] Formatting go files to old style (Remove idea customziation formatter) Signed-off-by: Pooya Azarpour <pooya_azarpour@yahoo.com>commitf6b0f12Author: Pooya Azarpour <pooya_azarpour@yahoo.com>Date: Sat Apr 6 11:20:33 2024 +0330 [DELETE] Delete command "sleep 3" Signed-off-by: Pooya Azarpour <pooya_azarpour@yahoo.com>commit1088118Merge:b16b4bf29cdb0aAuthor: Tobias Brunner <tobias.brunner@vshn.ch>Date: Thu Apr 4 08:36:45 2024 +0200 Merge pull requestk8up-io#952 from halil-bugol/patch-1 Add Kubezy as adoptercommit29cdb0aAuthor: Halil İbrahim BUGÖL <60687576+halil-bugol@users.noreply.github.com>Date: Thu Apr 4 00:53:48 2024 +0300 Update ADOPTERS.md Signed-off-by: Halil Bugol <halil@kubezy.com> Signed-off-by: Halil İbrahim BUGÖL <halil@kubezy.com>commit9f776feAuthor: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 17:05:19 2024 +0330 [FIX] Fix test for expected args Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit295e5bfAuthor: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 16:55:12 2024 +0330 [ADD] Adding variable GO_EXEC in Makefile to choose different versions of Golang Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commitc668b25Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 16:53:54 2024 +0330 [FIX] Fixing integration test for restic s3. Missing CaCert arguments Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commitda60a0bAuthor: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 15:03:13 2024 +0330 ADD] Adding e2e test over using env for TLS and mTls Also fixing bug in get lentgh of archive object in minio-mc Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit41825f9Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 15:03:06 2024 +0330 [ADD] Adding e2e definitaions for using env for TLS and mTls Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commitbd2c880Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 15:01:04 2024 +0330 [UPDATE] Update cert-manager to v1.14.4 Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit6b659b8Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 13:14:10 2024 +0330 [UPDATE] Update api-refrence according to supporting volume, volumeMount, and options Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commitb2b83e1Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 13:12:30 2024 +0330 [ADD] Adding document about how to use TLS and mTls in api refrence Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commitfe51211Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 13:12:03 2024 +0330 [FIX] Removing unnecessary snipped tag (tag: <SNIP>) Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit800b819Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 13:10:27 2024 +0330 [UPDATE] Update operator and restic cli help according to new values is added Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit11f0945Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 13:09:48 2024 +0330 [ADD] Adding RESTORE_CA_CERT_FILE, RESTORE_CA_CERT_FILE, RESTORE_CLIENT_KEY_FILE env instead of filling TLS and mTls options in restore method Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commita9cf8fdAuthor: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 02:08:07 2024 +0330 [FIX] Fixning problem in attach mode when failer happend in pod Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit97e03e0Merge:5270d54b16b4bfAuthor: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 02:06:15 2024 +0330 Merge remote-tracking branch 'upstream/master' into feature/custom-tls Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit5270d54Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 02:05:02 2024 +0330 [ADD] Adding new e2e test for supporting self-signed issuer This test contains below sections: - Testing backup API for TLS and mTLS mode - Testing restore API in pvc for TLS and mTLS mode - Testing restore API in S3 for TLS and mTLS mode - Testing archive API in S3 for TLS and mTLS mode - Testin check API for TLS and mTLS mode Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commitf391110Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 02:04:44 2024 +0330 [ADD] Add some fucntions for checking e2e test These fucntions add: - Adding "mc" function for using minio client for using download files, remove buckets, get list of files - Adding "given_a_clean_archive" function for clear archive bucket - Adding "given_a_subject_dl" function for apply deployment for checking last backup when restore in S3 - Adding "give_self_signed_issuer" function for create self-signed issuer - Adding "expect_dl_file_in_container" function for checking is last backup was uploaded in S3 is okay Also fix some bugs: - Fixing empty output when get last dump of snapshot - becuase of syncing and storing file in disk, fetching last dump is took and the output of "run restic dump latest" is empty - Adding sleep before running restic and mc Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commit2af7fd6Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 02:04:23 2024 +0330 [ADD] Adding new resource definitions for e2e test in TLS and mTls mode These definitions contain below: - Adding archive Adding restore Adding backup Adding nginx for use reverse proxy in TLS and mTls mode Adding cert-manager for genrate self-signed issuer Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commita56d465Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 02:03:58 2024 +0330 [UPDATE] Generating new crd according to adding VolumeMounts to BackendSpec and RestoreMethodSpec Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commitece84c7Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 02:03:46 2024 +0330 [UPDATE] Addin VolumeMounts to BackendSpec and RestoreMethod Change: - Removing VolumeMounts from S3Spec and RestServerSpec in BackendSpec. Adding to BackendSpec (File: v1/backend.go) - Adding VolumeMounts to RestoreMethod (File: v1/restore_types.go) Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commitc42e748Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 02:02:47 2024 +0330 [UPDATE] Generating new crd according to adding VolumeMounts to BackendSpec and RestoreMethodSpec Also these changes appends: - Running linter - Fixing check null pointer error if BackendSpec or Volume of Spec is null - Fixing check add duplicate VolumeMount in archive and restore API - Refactoring setupArgs Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commita0f78d7Author: poyaz <pooya_azarpour@yahoo.com>Date: Sat Mar 23 02:01:14 2024 +0330 [ADD] Adding container volumes when they are mounting Signed-off-by: poyaz <pooya_azarpour@yahoo.com>commite2622c6Author: Pooya Azarpour <pooya_azarpour@yahoo.com>Date: Mon Mar 18 19:45:22 2024 +0330 [ADD] Supporting self certificate authority and mTls when using S3 object storage Signed-off-by: Pooya Azarpour <pooya_azarpour@yahoo.com>commite13ba45Author: Pooya Azarpour <pooya_azarpour@yahoo.com>Date: Mon Mar 18 19:43:39 2024 +0330 [ADD] Add vardir command option for mount emptyDir in pod Signed-off-by: Pooya Azarpour <pooya_azarpour@yahoo.com>commit8eb0703Author: Pooya Azarpour <pooya_azarpour@yahoo.com>Date: Mon Mar 18 19:41:40 2024 +0330 [ADD] Add Volume for using secret or configmap in k8s, Add VolumeMounts for mount volume, Add BackendOpts for using custom options in k8up or restic Signed-off-by: Pooya Azarpour <pooya_azarpour@yahoo.com>commit2ea688aAuthor: Pooya Azarpour <pooya_azarpour@yahoo.com>Date: Mon Mar 18 19:39:05 2024 +0330 [ADD] Add GO_EXEC variable for using multiply version of go binary Signed-off-by: Pooya Azarpour <pooya_azarpour@yahoo.com>commit43f750cAuthor: Pooya Azarpour <pooya_azarpour@yahoo.com>Date: Mon Mar 18 19:37:59 2024 +0330 [ADD] Ignoring vagrant dir in git Signed-off-by: Pooya Azarpour <pooya_azarpour@yahoo.com>
Signed-off-by: eunames <eu505@hotmail.com>
Sign up for freeto join this conversation on GitHub. Already have an account?Sign in to comment
Labels
None yet
2 participants
Add this suggestion to a batch that can be applied as a single commit.This suggestion is invalid because no changes were made to the code.Suggestions cannot be applied while the pull request is closed.Suggestions cannot be applied while viewing a subset of changes.Only one suggestion per line can be applied in a batch.Add this suggestion to a batch that can be applied as a single commit.Applying suggestions on deleted lines is not supported.You must change the existing code in this line in order to create a valid suggestion.Outdated suggestions cannot be applied.This suggestion has been applied or marked resolved.Suggestions cannot be applied from pending reviews.Suggestions cannot be applied on multi-line comments.Suggestions cannot be applied while the pull request is queued to merge.Suggestion cannot be applied right now. Please check back later.
Summary
Checklist
For Code changes
bug,enhancement,documentation,change,breaking,dependencyas they show up in the changelog
area:operatorcharts/directory.Added the oportunity to set a flag --insecure-tls for the restic command.
If you want to set the flag --insecure-tls you should set env SET_INSECURE_TLS_FLAG to true in deployment of k8up operator.
Example:
fixed:
#792
#882
#881