Update integrated Restic version and add insecureSkipTLSVerify for Re…

…stic CLI Fix: vmware-tanzu#4820 Signed-off-by: Xun Jiang <jxun@vmware.com>
blackpiglet · Apr 11, 2022 · 9f9c741 · 9f9c741
1 parent 9f83fc5
commit 9f9c741
Show file tree

Hide file tree

Showing 4 changed files with 40 additions and 1 deletion.
diff --git a/Makefile b/Makefile
@@ -82,7 +82,7 @@ see: https://velero.io/docs/main/build-from-source/#making-images-and-updating-v
 endef
 
 # The version of restic binary to be downloaded
-RESTIC_VERSION ?= 0.12.1
+RESTIC_VERSION ?= 0.13.1
 
 CLI_PLATFORMS ?= linux-amd64 linux-arm linux-arm64 darwin-amd64 darwin-arm64 windows-amd64 linux-ppc64le
 BUILDX_PLATFORMS ?= $(subst -,/,$(ARCH))

diff --git a/changelogs/unreleased/4821-jxun b/changelogs/unreleased/4821-jxun
@@ -0,0 +1 @@
+Update integrated Restic version and add insecureSkipTLSVerify for Restic CLI.
diff --git a/pkg/restic/common.go b/pkg/restic/common.go
@@ -19,10 +19,12 @@ package restic
 import (
 	"fmt"
 	"os"
+	"strconv"
 	"strings"
 	"time"
 
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 	corev1api "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/labels"
@@ -70,6 +72,10 @@ const (
 	//
 	// TODO(2.0): remove
 	podAnnotationPrefix = "snapshot.velero.io/"
+
+	// insecureSkipTLSVerifyKey is the flag in BackupStorageLocation's config
+	// to indicate whether to skip TLS verify to setup insecure HTTPS connection.
+	insecureSkipTLSVerifyKey = "insecureSkipTLSVerify"
 )
 
 // getPodSnapshotAnnotations returns a map, of volume name -> snapshot id,
@@ -347,3 +353,27 @@ func CmdEnv(backupLocation *velerov1api.BackupStorageLocation, credentialFileSto
 
 	return env, nil
 }
+
+// GetInsecureSkipTLSVerifyFromBSLForRestic get insecureSkipTLSVerify flag from BSL configuraion,
+// Then return --insecure-tls flag with boolean value as result.
+func GetInsecureSkipTLSVerifyFromBSLForRestic(backupLocation *velerov1api.BackupStorageLocation, logger logrus.FieldLogger) string {
+	backendType := getBackendType(backupLocation.Spec.Provider)
+	result := ""
+
+	// Only check insecureSkipTLSVerifyKey for AWS compatible backend.
+	// Due to this is only possilbe for on-premise environment. On-premise
+	// environment use velero AWS plugin as object store plugin.
+	if backendType == AWSBackend {
+		if strRet, ok := backupLocation.Spec.Config[insecureSkipTLSVerifyKey]; ok {
+			_, err := strconv.ParseBool(strRet)
+			if err == nil {
+				result = "--insecure-tls" + "=" + strRet
+				return result
+			} else {
+				logger.Infof("Fail to convert string to bool for insecureSkipTLSVerifyKey flag: %s.", err.Error())
+			}
+		}
+	}
+
+	return result
+}
diff --git a/pkg/restic/repository_manager.go b/pkg/restic/repository_manager.go
@@ -265,6 +265,14 @@ func (rm *repositoryManager) exec(cmd *Command, backupLocation string) error {
 	}
 	cmd.Env = env
 
+	// #4820: restrieve insecureSkipTLSVerify from BSL configuration for
+	// AWS plugin. If nothing is return, that means insecureSkipTLSVerify
+	// is not enable for Restic command.
+	skipTLSRet := GetInsecureSkipTLSVerifyFromBSLForRestic(loc, rm.log)
+	if len(skipTLSRet) > 0 {
+		cmd.ExtraFlags = append(cmd.ExtraFlags, skipTLSRet)
+	}
+
 	stdout, stderr, err := veleroexec.RunCommand(cmd.Cmd())
 	rm.log.WithFields(logrus.Fields{
 		"repository": cmd.RepoName(),