diff --git a/Makefile b/Makefile
index c17e241476..df82b92ef4 100644
--- a/Makefile
+++ b/Makefile
@@ -82,7 +82,7 @@ see: https://velero.io/docs/main/build-from-source/#making-images-and-updating-v
 endef
 # The version of restic binary to be downloaded
-RESTIC_VERSION ?= 0.12.1
+RESTIC_VERSION ?= 0.13.1
 CLI_PLATFORMS ?= linux-amd64 linux-arm linux-arm64 darwin-amd64 darwin-arm64 windows-amd64 linux-ppc64le
 BUILDX_PLATFORMS ?= $(subst -,/,$(ARCH))
diff --git a/changelogs/unreleased/4821-jxun b/changelogs/unreleased/4821-jxun
new file mode 100644
index 0000000000..d3ee746d82
--- /dev/null
+++ b/changelogs/unreleased/4821-jxun
@@ -0,0 +1 @@
+Update integrated Restic version and add insecureSkipTLSVerify for Restic CLI.
\ No newline at end of file
diff --git a/pkg/restic/common.go b/pkg/restic/common.go
index e8648cd6cb..359444edf9 100644
--- a/pkg/restic/common.go
+++ b/pkg/restic/common.go
@@ -19,10 +19,12 @@ package restic
 import (
 "fmt"
 "os"
+ "strconv"
 "strings"
 "time"
 "github.com/pkg/errors"
+ "github.com/sirupsen/logrus"
 corev1api "k8s.io/api/core/v1"
 metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 "k8s.io/apimachinery/pkg/labels"
@@ -70,6 +72,10 @@ const (
 //
 // TODO(2.0): remove
 podAnnotationPrefix = "snapshot.velero.io/"
+
+ // insecureSkipTLSVerifyKey is the flag in BackupStorageLocation's config
+ // to indicate whether to skip TLS verify to setup insecure HTTPS connection.
+ insecureSkipTLSVerifyKey = "insecureSkipTLSVerify"
 )
 // getPodSnapshotAnnotations returns a map, of volume name -> snapshot id,
@@ -347,3 +353,27 @@ func CmdEnv(backupLocation *velerov1api.BackupStorageLocation, credentialFileSto
 return env, nil
 }
+
+// GetInsecureSkipTLSVerifyFromBSLForRestic get insecureSkipTLSVerify flag from BSL configuration,
+// Then return --insecure-tls flag with boolean value as result.
+func GetInsecureSkipTLSVerifyFromBSLForRestic(backupLocation *velerov1api.BackupStorageLocation, logger logrus.FieldLogger) string {
+ backendType := getBackendType(backupLocation.Spec.Provider)
+ result := ""
+
+ // Only check insecureSkipTLSVerifyKey for AWS compatible backend.
+ // Due to this is only possible for on-premise environment. On-premise
+ // environment use velero AWS plugin as object store plugin.
+ if backendType == AWSBackend {
+ if strRet, ok := backupLocation.Spec.Config[insecureSkipTLSVerifyKey]; ok {
+ _, err := strconv.ParseBool(strRet)
+ if err == nil {
+ result = "--insecure-tls" + "=" + strRet
+ return result
+ } else {
+ logger.Infof("Fail to convert string to bool for insecureSkipTLSVerifyKey flag: %s.", err.Error())
+ }
+ }
+ }
+
+ return result
+}
diff --git a/pkg/restic/repository_manager.go b/pkg/restic/repository_manager.go
index b456bfc02a..9d42a9ac4a 100644
--- a/pkg/restic/repository_manager.go
+++ b/pkg/restic/repository_manager.go
@@ -265,6 +265,14 @@ func (rm *repositoryManager) exec(cmd *Command, backupLocation string) error {
 }
 cmd.Env = env
+ // #4820: restrieve insecureSkipTLSVerify from BSL configuration for
+ // AWS plugin. If nothing is return, that means insecureSkipTLSVerify
+ // is not enable for Restic command.
+ skipTLSRet := GetInsecureSkipTLSVerifyFromBSLForRestic(loc, rm.log)
+ if len(skipTLSRet) > 0 {
+ cmd.ExtraFlags = append(cmd.ExtraFlags, skipTLSRet)
+ }
+
 stdout, stderr, err := veleroexec.RunCommand(cmd.Cmd())
 rm.log.WithFields(logrus.Fields{
 "repository": cmd.RepoName(),
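Review bot: In `GetInsecureSkipTLSVerifyFromBSLForRestic` the value returned by `strconv.ParseBool` is discarded and the raw config string is forwarded as `--insecure-tls=<value>`, so nothing in the log records that certificate verification was switched off for a backup location. Using the parsed value, emitting the flag only when it is true, and logging at warning level both when verification is disabled and when the value cannot be parsed would give operators an audit trail. An unparsable value should keep leaving verification on, as it does now. The rewrite also removes the `else` after `return`. Separately, the doc comment should open with "GetInsecureSkipTLSVerifyFromBSLForRestic returns ..." to follow Go convention.

```go
	if backendType == AWSBackend {
		if strRet, ok := backupLocation.Spec.Config[insecureSkipTLSVerifyKey]; ok {
			skip, err := strconv.ParseBool(strRet)
			if err != nil {
				logger.Warnf("Ignoring invalid %s value %q, TLS verification stays enabled: %v", insecureSkipTLSVerifyKey, strRet, err)
				return ""
			}
			if skip {
				logger.Warnf("TLS certificate verification is disabled for restic by %s in BSL %s", insecureSkipTLSVerifyKey, backupLocation.Name)
				return "--insecure-tls=true"
			}
		}
	}
	// … unchanged: return result …
```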
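Review bot: The comment added in `exec` above the `GetInsecureSkipTLSVerifyFromBSLForRestic` call has typos ("restrieve", "is return", "is not enable") and describes the empty result loosely. Something like `// #4820: read insecureSkipTLSVerify from the BSL config (AWS-compatible backends only); an empty result means no --insecure-tls flag is passed to restic.` would be clearer. `skipTLSRet != ""` is also the more usual Go test than `len(skipTLSRet) > 0`. The body of `exec` starts and ends outside the hunk, so whether `loc` is guaranteed non-nil before the helper dereferences it cannot be confirmed from here.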