Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Design: Velero client download APIServer #7344
base: main
Are you sure you want to change the base?
Design: Velero client download APIServer #7344
Changes from all commits
792a67f
1a39871
4fa20ef
e2403f6
119ac46
File filter
Filter by extension
Conversations
Jump to
There are no files selected for viewing
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
What is the command used here for?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is for the case where user shell only has kubectl, and not velero CLI. They can access velero CLI via kubectl exec command.
If executing velero CLI from velero pod, it would be possible to use cluster.local address and/or localhost address.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I am a little confused about when this is used. Is this just for documentation for a user to be able to access things if they don't have a velero CLI installed?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
A little technique, that could have code dedicated to it. Since download api server is a fallback, we can move this out of scope or remove entirely.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
An example of where we told folks they could alias velero command so they don't need to actually install anything to their machine to use velero CLI functions.
https://access.redhat.com/articles/5456281#:~:text=alias%20velero%3D%27oc%20%2Dn%20openshift%2Dadp%20exec%20deployment/velero%20%2Dc%20velero%20%2Dit%20%2D%2D%20./velero%27
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Could you add a section about what the endpoint looks like?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes. Will do. I think we can simply use the same path pattern as to how the files are stored today.. so something like
/backups/<backupName>/<contents>/...
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Velero CLI isn't the only client talks to the server, so it's possible there is no kubeconfig file.
How about we follow the similar way the object storage uses that generate a signed URL with a secret? Only the requests with the signed URL are valid.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I was not aware. Can you clarify what else talks to the server in this way?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
In our downstream product, the client runs inside the pod and uses CRs directly to talk to the server.
Currently, if users have permission to create the
DownloadReqeust
then they have permission to download data from the object storage, and a signed URL is returned. The permission checking happens actually against theDownloadRequest
. The object storage only checks the request is signed and valid. So we can follow the same pattern that in the download server side we only check the request is signed and valid.There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Ok so just as long as DownloadRequests is able to get created, and the velero CLI have permission to read its status, then the signedUrl there should be usable without the kubeconfig mechanism proposed.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is scary to have URLs that contain the entire backup that could be world accessible.
If we go down this path I think you have to have the link expire at some reasonable time
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Yes, we can follow the way how object storage does
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This should be configurable
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I would also explore when an ingress/router can use a CA cert and doesn't want to re-encrypt to talk to the service.