Add --insecure-tls for Restic backup and restore command.

1. Add --insecure-tls in PodVolumeBackup and PodVolumeRestore controller. 2. Change --last flag in Restic command to --latest=1 due to Restic version update. Signed-off-by: Xun Jiang <jxun@vmware.com>
vmware-tanzu · Apr 13, 2022 · 6612366 · 6612366
1 parent 9849ab1
commit 6612366
Show file tree

Hide file tree

Showing 7 changed files with 42 additions and 12 deletions.
diff --git a/pkg/controller/pod_volume_backup_controller.go b/pkg/controller/pod_volume_backup_controller.go
@@ -281,6 +281,14 @@ func (c *podVolumeBackupController) processBackup(req *velerov1api.PodVolumeBack
 		}
 	}
 
+	// #4820: restrieve insecureSkipTLSVerify from BSL configuration for
+	// AWS plugin. If nothing is return, that means insecureSkipTLSVerify
+	// is not enable for Restic command.
+	skipTLSRet := restic.GetInsecureSkipTLSVerifyFromBSL(backupLocation, log)
+	if len(skipTLSRet) > 0 {
+		resticCmd.ExtraFlags = append(resticCmd.ExtraFlags, skipTLSRet)
+	}
+
 	var stdout, stderr string
 
 	var emptySnapshot bool
@@ -300,6 +308,15 @@ func (c *podVolumeBackupController) processBackup(req *velerov1api.PodVolumeBack
 		cmd.Env = env
 		cmd.CACertFile = caCertFile
 
+		// TODO:
+		// #4820: restrieve insecureSkipTLSVerify from BSL configuration for
+		// AWS plugin. If nothing is return, that means insecureSkipTLSVerify
+		// is not enable for Restic command.
+		skipTLSRet := restic.GetInsecureSkipTLSVerifyFromBSL(backupLocation, log)
+		if len(skipTLSRet) > 0 {
+			cmd.ExtraFlags = append(cmd.ExtraFlags, skipTLSRet)
+		}
+
 		snapshotID, err = restic.GetSnapshotID(cmd)
 		if err != nil {
 			log.WithError(err).Error("Error getting SnapshotID")

diff --git a/pkg/controller/pod_volume_restore_controller.go b/pkg/controller/pod_volume_restore_controller.go
@@ -372,9 +372,17 @@ func (c *podVolumeRestoreController) restorePodVolume(req *velerov1api.PodVolume
 	}
 	resticCmd.Env = env
 
+	// #4820: restrieve insecureSkipTLSVerify from BSL configuration for
+	// AWS plugin. If nothing is return, that means insecureSkipTLSVerify
+	// is not enable for Restic command.
+	skipTLSRet := restic.GetInsecureSkipTLSVerifyFromBSL(backupLocation, log)
+	if len(skipTLSRet) > 0 {
+		resticCmd.ExtraFlags = append(resticCmd.ExtraFlags, skipTLSRet)
+	}
+
 	var stdout, stderr string
 
-	if stdout, stderr, err = restic.RunRestore(resticCmd, log, c.updateRestoreProgressFunc(req, log)); err != nil {
+	if stdout, stderr, err = restic.RunRestore(resticCmd, log, c.updateRestoreProgressFunc(req, log), skipTLSRet); err != nil {
 		return errors.Wrapf(err, "error running restic restore, cmd=%s, stdout=%s, stderr=%s", resticCmd.String(), stdout, stderr)
 	}
 	log.Debugf("Ran command=%s, stdout=%s, stderr=%s", resticCmd.String(), stdout, stderr)

diff --git a/pkg/restic/command_factory.go b/pkg/restic/command_factory.go
@@ -64,7 +64,7 @@ func GetSnapshotCommand(repoIdentifier, passwordFile string, tags map[string]str
 		Command:        "snapshots",
 		RepoIdentifier: repoIdentifier,
 		PasswordFile:   passwordFile,
-		ExtraFlags:     []string{"--json", "--last", getSnapshotTagFlag(tags)},
+		ExtraFlags:     []string{"--json", "--latest=1", getSnapshotTagFlag(tags)},
 	}
 }
 

diff --git a/pkg/restic/command_factory_test.go b/pkg/restic/command_factory_test.go
@@ -58,7 +58,7 @@ func TestGetSnapshotCommand(t *testing.T) {
 	assert.Equal(t, "password-file", c.PasswordFile)
 
 	// set up expected flag names
-	expectedFlags := []string{"--json", "--last", "--tag"}
+	expectedFlags := []string{"--json", "--latest=1", "--tag"}
 	// for tracking actual flag names
 	actualFlags := []string{}
 	// for tracking actual --tag values as a map

diff --git a/pkg/restic/exec_commands.go b/pkg/restic/exec_commands.go
@@ -183,8 +183,12 @@ func getSummaryLine(b []byte) ([]byte, error) {
 
 // RunRestore runs a `restic restore` command and monitors the volume size to
 // provide progress updates to the caller.
-func RunRestore(restoreCmd *Command, log logrus.FieldLogger, updateFunc func(velerov1api.PodVolumeOperationProgress)) (string, string, error) {
-	snapshotSize, err := getSnapshotSize(restoreCmd.RepoIdentifier, restoreCmd.PasswordFile, restoreCmd.CACertFile, restoreCmd.Args[0], restoreCmd.Env)
+func RunRestore(restoreCmd *Command, log logrus.FieldLogger, updateFunc func(velerov1api.PodVolumeOperationProgress), insecureTLS string) (string, string, error) {
+	extraFlags := make([]string, 0)
+	if len(insecureTLS) > 0 {
+		extraFlags = append(extraFlags, insecureTLS)
+	}
+	snapshotSize, err := getSnapshotSize(restoreCmd.RepoIdentifier, restoreCmd.PasswordFile, restoreCmd.CACertFile, restoreCmd.Args[0], restoreCmd.Env, extraFlags)
 	if err != nil {
 		return "", "", errors.Wrap(err, "error getting snapshot size")
 	}
@@ -230,10 +234,11 @@ func RunRestore(restoreCmd *Command, log logrus.FieldLogger, updateFunc func(vel
 	return stdout, stderr, err
 }
 
-func getSnapshotSize(repoIdentifier, passwordFile, caCertFile, snapshotID string, env []string) (int64, error) {
+func getSnapshotSize(repoIdentifier, passwordFile, caCertFile, snapshotID string, env []string, extraFlags []string) (int64, error) {
 	cmd := StatsCommand(repoIdentifier, passwordFile, snapshotID)
 	cmd.Env = env
 	cmd.CACertFile = caCertFile
+	cmd.ExtraFlags = extraFlags
 
 	stdout, stderr, err := exec.RunCommand(cmd.Cmd())
 	if err != nil {
@@ -245,7 +250,7 @@ func getSnapshotSize(repoIdentifier, passwordFile, caCertFile, snapshotID string
 	}
 
 	if err := json.Unmarshal([]byte(stdout), &snapshotStats); err != nil {
-		return 0, errors.Wrap(err, "error unmarshalling restic stats result")
+		return 0, errors.Wrapf(err, "error unmarshalling restic stats result, stdout=%s", stdout)
 	}
 
 	return snapshotStats.TotalSize, nil

diff --git a/pkg/restic/repository_manager.go b/pkg/restic/repository_manager.go
@@ -191,10 +191,10 @@ func (rm *repositoryManager) ConnectToRepo(repo *velerov1api.ResticRepository) e
 	defer rm.repoLocker.Unlock(repo.Name)
 
 	snapshotsCmd := SnapshotsCommand(repo.Spec.ResticIdentifier)
-	// use the '--last' flag to minimize the amount of data fetched since
+	// use the '--latest=1' flag to minimize the amount of data fetched since
 	// we're just validating that the repo exists and can be authenticated
 	// to.
-	snapshotsCmd.ExtraFlags = append(snapshotsCmd.ExtraFlags, "--last")
+	snapshotsCmd.ExtraFlags = append(snapshotsCmd.ExtraFlags, "--latest=1")
 
 	return rm.exec(snapshotsCmd, repo.Spec.BackupStorageLocation)
 }
@@ -275,7 +275,7 @@ func (rm *repositoryManager) exec(cmd *Command, backupLocation string) error {
 	// #4820: restrieve insecureSkipTLSVerify from BSL configuration for
 	// AWS plugin. If nothing is return, that means insecureSkipTLSVerify
 	// is not enable for Restic command.
-	skipTLSRet := getInsecureSkipTLSVerifyFromBSL(loc, rm.log)
+	skipTLSRet := GetInsecureSkipTLSVerifyFromBSL(loc, rm.log)
 	if len(skipTLSRet) > 0 {
 		cmd.ExtraFlags = append(cmd.ExtraFlags, skipTLSRet)
 	}
@@ -296,7 +296,7 @@ func (rm *repositoryManager) exec(cmd *Command, backupLocation string) error {
 
 // getInsecureSkipTLSVerifyFromBSL get insecureSkipTLSVerify flag from BSL configuration,
 // Then return --insecure-tls flag with boolean value as result.
-func getInsecureSkipTLSVerifyFromBSL(backupLocation *velerov1api.BackupStorageLocation, logger logrus.FieldLogger) string {
+func GetInsecureSkipTLSVerifyFromBSL(backupLocation *velerov1api.BackupStorageLocation, logger logrus.FieldLogger) string {
 	result := ""
 
 	if backupLocation == nil {

diff --git a/pkg/restic/repository_manager_test.go b/pkg/restic/repository_manager_test.go
@@ -113,7 +113,7 @@ func TestGetInsecureSkipTLSVerifyFromBSL(t *testing.T) {
 
 	for _, test := range tests {
 		t.Run(test.name, func(t *testing.T) {
-			res := getInsecureSkipTLSVerifyFromBSL(test.backupLocation, test.logger)
+			res := GetInsecureSkipTLSVerifyFromBSL(test.backupLocation, test.logger)
 
 			assert.Equal(t, test.expected, res)
 		})