Use Credential from BSL for restic commands #3489
Conversation
zubron
force-pushed
the
provider-specific-env-for-restic
branch
7 times, most recently
from
4d39e6f to
9ccc9eb
Compare
|
This PR depends on #3442 but the restic specific commit can be reviewed: 9ccc9eb I've tested this locally with a Tilt setup with a BSL with custom creds created for each provider (AWS, Azure, GCP) and was able to successfully backup and restore a pod with restic volumes from each. I'm going to focus on docs and getting E2E tests ready. |
zubron
force-pushed
the
provider-specific-env-for-restic
branch
from
9ccc9eb to
5074e6d
Compare
zubron
added
P1 - Important
kind/release-blocker
zubron
force-pushed
the
provider-specific-env-for-restic
branch
from
5074e6d to
f5e1027
Compare
zubron
force-pushed
the
provider-specific-env-for-restic
branch
from
f5e1027 to
4fa1390
Compare
|
I am working on an E2E test for this change, but can add that in a follow up PR or it can be reviewed as a separate commit on this PR. I've marked this as ready for review now, so the main code changes and docs can be reviewed as those are ready. |
zubron
force-pushed
the
provider-specific-env-for-restic
branch
from
4fa1390 to
0e31d1f
Compare
|
@a-mccarthy Could you please review the docs changes in this PR? Thank you! |
This change adds an E2E test which exercises the mulitple credentials feature added in vmware-tanzu#3489. The test creates a secret from the given credentials and creates a BackupStorageLocation which uses those credentials. A backup and restore is then performed to the default BSL and to the newly created BSL. This change adds new flags to the E2E test suite to configure the BSL created and used in the test. Signed-off-by: Bridget McErlean <[email protected]>
|
Thanks for the great feedback, @a-mccarthy! I think I've addressed most of your comments but this will likely need more improvements. If you have further comments, I'll make issues from those and address them in a follow up PR so that we can get the code changes in and start doing some testing for the 1.6 release. |
This change adds an E2E test which exercises the mulitple credentials feature added in vmware-tanzu#3489. The test creates a secret from the given credentials and creates a BackupStorageLocation which uses those credentials. A backup and restore is then performed to the default BSL and to the newly created BSL. This change adds new flags to the E2E test suite to configure the BSL created and used in the test. Signed-off-by: Bridget McErlean <[email protected]>
This change adds an E2E test which exercises the mulitple credentials feature added in vmware-tanzu#3489. The test creates a secret from the given credentials and creates a BackupStorageLocation which uses those credentials. A backup and restore is then performed to the default BSL and to the newly created BSL. This change adds new flags to the E2E test suite to configure the BSL created and used in the test. Signed-off-by: Bridget McErlean <[email protected]>
This change adds an E2E test which exercises the mulitple credentials feature added in vmware-tanzu#3489. The test creates a secret from the given credentials and creates a BackupStorageLocation which uses those credentials. A backup and restore is then performed to the default BSL and to the newly created BSL. This change adds new flags to the E2E test suite to configure the BSL created and used in the test. Signed-off-by: Bridget McErlean <[email protected]>
There was a problem hiding this comment.
This looks solid and I appreciate the refactorings. I have only ridiculously minor requests.
Questions:
- was this tested with the 3 providers we maintain? I didn't run manual tests.
- did you think through any possible backwards compatibility issues?
Also, yes, any e2e test can be added in a new PR imo.
site/content/docs/main/locations.md
Outdated
| - Velero only supports a single set of credentials *per provider*. It's not yet possible to use different credentials for different locations, if they're for the same provider. | ||
| - Velero supports multiple credentials for `BackupStorageLocations`, allowing you to specify the credentials to use with any `BackupStorageLocation`. | ||
| However, use of this feature requires support within the plugin for the object storage provider you wish to use. | ||
| All [plugins provided by the Velero team][5] support this feature. |
site/content/docs/main/locations.md
Outdated
|
|
||
| #### Prerequisites | ||
| - This feature requires support from the [object storage provider plugin][5] you wish to use. | ||
| All plugins provided by the Velero team support this feature. |
| velero backup-location get | ||
| ``` | ||
|
|
||
| To use this new `BackupStorageLocation` when performing a backup, use the flag `--storage-location <bsl-name>` when running `velero backup create`. |
There was a problem hiding this comment.
It'd be good to also add something like:
Likewise, you may set this new
BackupStorageLocationas the default BSL with the commandvelero backup-location set --default <bsl-name>.
There was a problem hiding this comment.
Yes! I had forgotten about that aspect of it and remembered while preparing #3561. It's now on my list of things to add :)
|
|
||
| If the logs from the Velero deployment contain the error message `"config has invalid keys credentialsFile"`, the version of your object storage plugin does not yet support multiple credentials. | ||
|
|
||
| The object storage plugins [provided by the Velero team][11] support this feature, so please update your plugin to the latest version if you see the above error message. |
| if err != nil { | ||
| return nil, errors.Wrap(err, "error getting aws restic env vars") | ||
| switch backendType { | ||
| case AWSBackend: |
| cmd.CACertFile = caCertFile | ||
|
|
||
| stdout, stderr, err := exec.RunCommand(cmd.Cmd()) | ||
| func GetSnapshotID(snapshotIdCmd *Command) (string, error) { |
There was a problem hiding this comment.
Minor: there's no longer tags being passed in and also this function signature changed enough that making a change to the godoc would probably be useful.
| [5]: /plugins | ||
| [6]: overview-plugins.md | ||
| [7]: https://kubernetes.io/docs/concepts/configuration/secret/ | ||
| [8]: #create-a-storage-location-that-uses-unique-credentials |
There was a problem hiding this comment.
I dont think the links with the # are working correctly, i can't tell if this is bc there is an issue with the preview, or they will also not work on the live site?
There was a problem hiding this comment.
Ahhh, I totally thought these worked 🤦♀️ okay, let me figure out how to fix this!
|
@zubron LGTM! Great write up! i had a few comments, but they are relatively minor. Please let me know if you want to me look at anything else :) |
Signed-off-by: Bridget McErlean <[email protected]>
|
Thanks, @carlisia, these are great questions.
Yep, I tested this locally against all the 3 plugins that I made changes for. I did that testing as part of the testing for those plugins, and have run the newly added E2E test with Azure and AWS. I will do another test with GCP for completeness.
My focus with backwards compatibility was to ensure that we were continuing to set the same environment variables for each restic command. I compared the set of env vars before and after my change and checked they were the same (but with new values for the new credentials files). Previously, all restic commands used the environment from For example, in the AWS case, @carlisia Let me know if you have any further questions or concerns! Thanks for bringing these up. |
|
Thanks @zubron! |
This change adds an E2E test which exercises the mulitple credentials feature added in vmware-tanzu#3489. The test creates a secret from the given credentials and creates a BackupStorageLocation which uses those credentials. A backup and restore is then performed to the default BSL and to the newly created BSL. This change adds new flags to the E2E test suite to configure the BSL created and used in the test. Signed-off-by: Bridget McErlean <[email protected]>
* Use Credential from BSL for restic commands This change introduces support for restic to make use of per-BSL credentials. It makes use of the `credentials.FileStore` introduced in PR vmware-tanzu#3442 to write the BSL credentials to disk. To support per-BSL credentials for restic, the environment for the restic commands needs to be modified for each provider to ensure that the credentials are provided via the correct provider specific environment variables. This change introduces a new function `restic.CmdEnv` to check the BSL provider and create the correct mapping of environment variables for each provider. Previously, AWS and GCP could rely on the environment variables in the Velero deployments to obtain the credentials file, but now these environment variables need to be set with the path to the serialized credentials file if a credential is set on the BSL. For Azure, the credentials file in the environment was loaded and parsed to set the environment variables for restic. Now, we check if the BSL has a credential, and if it does, load and parse that file instead. This change also introduces a few other small improvements. Now that we are fetching the BSL to check for the `Credential` field, we can use the BSL directly to get the `CACert` which means that we can remove the `GetCACert` function. Also, now that we have a way to serialize secrets to disk, we can use the `credentials.FileStore` to get a temp file for the restic repo password and remove the `restic.TempCredentialsFile` function. Signed-off-by: Bridget McErlean <[email protected]> * Add documentation for per-BSL credentials Signed-off-by: Bridget McErlean <[email protected]> * Address review feedback Signed-off-by: Bridget McErlean <[email protected]> * Address review comments Signed-off-by: Bridget McErlean <[email protected]>
This change adds an E2E test which exercises the mulitple credentials feature added in vmware-tanzu#3489. The test creates a secret from the given credentials and creates a BackupStorageLocation which uses those credentials. A backup and restore is then performed to the default BSL and to the newly created BSL. This change adds new flags to the E2E test suite to configure the BSL created and used in the test. Signed-off-by: Bridget McErlean <[email protected]>
* Use Credential from BSL for restic commands This change introduces support for restic to make use of per-BSL credentials. It makes use of the `credentials.FileStore` introduced in PR vmware-tanzu#3442 to write the BSL credentials to disk. To support per-BSL credentials for restic, the environment for the restic commands needs to be modified for each provider to ensure that the credentials are provided via the correct provider specific environment variables. This change introduces a new function `restic.CmdEnv` to check the BSL provider and create the correct mapping of environment variables for each provider. Previously, AWS and GCP could rely on the environment variables in the Velero deployments to obtain the credentials file, but now these environment variables need to be set with the path to the serialized credentials file if a credential is set on the BSL. For Azure, the credentials file in the environment was loaded and parsed to set the environment variables for restic. Now, we check if the BSL has a credential, and if it does, load and parse that file instead. This change also introduces a few other small improvements. Now that we are fetching the BSL to check for the `Credential` field, we can use the BSL directly to get the `CACert` which means that we can remove the `GetCACert` function. Also, now that we have a way to serialize secrets to disk, we can use the `credentials.FileStore` to get a temp file for the restic repo password and remove the `restic.TempCredentialsFile` function. Signed-off-by: Bridget McErlean <[email protected]> * Add documentation for per-BSL credentials Signed-off-by: Bridget McErlean <[email protected]> * Address review feedback Signed-off-by: Bridget McErlean <[email protected]> * Address review comments Signed-off-by: Bridget McErlean <[email protected]>
This change adds an E2E test which exercises the mulitple credentials feature added in vmware-tanzu#3489. The test creates a secret from the given credentials and creates a BackupStorageLocation which uses those credentials. A backup and restore is then performed to the default BSL and to the newly created BSL. This change adds new flags to the E2E test suite to configure the BSL created and used in the test. Signed-off-by: Bridget McErlean <[email protected]>
* Use Credential from BSL for restic commands This change introduces support for restic to make use of per-BSL credentials. It makes use of the `credentials.FileStore` introduced in PR vmware-tanzu#3442 to write the BSL credentials to disk. To support per-BSL credentials for restic, the environment for the restic commands needs to be modified for each provider to ensure that the credentials are provided via the correct provider specific environment variables. This change introduces a new function `restic.CmdEnv` to check the BSL provider and create the correct mapping of environment variables for each provider. Previously, AWS and GCP could rely on the environment variables in the Velero deployments to obtain the credentials file, but now these environment variables need to be set with the path to the serialized credentials file if a credential is set on the BSL. For Azure, the credentials file in the environment was loaded and parsed to set the environment variables for restic. Now, we check if the BSL has a credential, and if it does, load and parse that file instead. This change also introduces a few other small improvements. Now that we are fetching the BSL to check for the `Credential` field, we can use the BSL directly to get the `CACert` which means that we can remove the `GetCACert` function. Also, now that we have a way to serialize secrets to disk, we can use the `credentials.FileStore` to get a temp file for the restic repo password and remove the `restic.TempCredentialsFile` function. Signed-off-by: Bridget McErlean <[email protected]> * Add documentation for per-BSL credentials Signed-off-by: Bridget McErlean <[email protected]> * Address review feedback Signed-off-by: Bridget McErlean <[email protected]> * Address review comments Signed-off-by: Bridget McErlean <[email protected]>
Please add a summary of your change
This change introduces support for restic to make use of per-BSL
credentials. It makes use of the
credentials.FileStoreintroduced inPR #3442 to write the BSL credentials to disk. To support per-BSL
credentials for restic, the environment for the restic commands needs to
be modified for each provider to ensure that the credentials are
provided via the correct provider specific environment variables.
This change introduces a new function
restic.CmdEnvto check the BSLprovider and create the correct mapping of environment variables for
each provider.
Previously, AWS and GCP could rely on the environment variables in the
Velero deployments to obtain the credentials file, but now these
environment variables need to be set with the path to the serialized
credentials file if a credential is set on the BSL.
For Azure, the credentials file in the environment was loaded and parsed
to set the environment variables for restic. Now, we check if the BSL
has a credential, and if it does, load and parse that file instead.
This change also introduces a few other small improvements. Now that we
are fetching the BSL to check for the
Credentialfield, we can use theBSL directly to get the
CACertwhich means that we can remove theGetCACertfunction. Also, now that we have a way to serialize secretsto disk, we can use the
credentials.FileStoreto get a temp file forthe restic repo password and remove the
restic.TempCredentialsFilefunction.
Does your change fix a particular issue?
Part of fixing #3304.
Please indicate you've done the following:
/kind changelog-not-required.site/content/docs/main.