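--- a/changelogs/unreleased/9768-Joeavaikath
+++ b/changelogs/unreleased/9768-Joeavaikath
@@ -0,0 +1 @@
+Inherit insecureSkipTLSVerify from BSL config for CLI downloads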
6 changes: 6 additions & 0 deletions pkg/builder/backup_storage_location_builder.go
Expand Up @@ -137,3 +137,9 @@ func (b *BackupStorageLocationBuilder) Credential(selector *corev1api.SecretKeyS
b.object.Spec.Credential = selector
return b
}

// Config sets the BackupStorageLocation's provider config.
func (b *BackupStorageLocationBuilder) Config(config map[string]string) *BackupStorageLocationBuilder {
b.object.Spec.Config = config
return b
}
13 changes: 11 additions & 2 deletions pkg/cmd/cli/backup/describe.go
Expand Up @@ -29,6 +29,7 @@ import (
velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
"github.com/vmware-tanzu/velero/pkg/client"
"github.com/vmware-tanzu/velero/pkg/cmd"
"github.com/vmware-tanzu/velero/pkg/cmd/util/cacert"
"github.com/vmware-tanzu/velero/pkg/cmd/util/output"
"github.com/vmware-tanzu/velero/pkg/label"
)
Expand Down Expand Up @@ -93,13 +94,21 @@ func NewDescribeCommand(f client.Factory, use string) *cobra.Command {
fmt.Fprintf(os.Stderr, "error getting PodVolumeBackups for backup %s: %v\n", backup.Name, err)
}

// Inherit insecureSkipTLSVerify from BSL config if not set via CLI flag
effectiveInsecureSkipTLS := insecureSkipTLSVerify
bslInsecure, bslErr := cacert.GetInsecureSkipTLSVerifyFromBackup(context.Background(), kbClient, f.Namespace(), &backups.Items[i])
if bslErr != nil {
fmt.Fprintf(os.Stderr, "WARNING: Error getting insecureSkipTLSVerify from BSL for backup %s: %v\n", backup.Name, bslErr)
}
effectiveInsecureSkipTLS = effectiveInsecureSkipTLS || bslInsecure

// structured output only applies to a single backup in case of OOM
// To describe the list of backups in structured format, users could iterate over the list and describe backup one after another.
if len(backups.Items) == 1 && outputFormat != "plaintext" {
s := output.DescribeBackupInSF(context.Background(), kbClient, &backups.Items[i], deleteRequestList.Items, podVolumeBackupList.Items, details, insecureSkipTLSVerify, caCertFile, outputFormat)
s := output.DescribeBackupInSF(context.Background(), kbClient, &backups.Items[i], deleteRequestList.Items, podVolumeBackupList.Items, details, effectiveInsecureSkipTLS, caCertFile, outputFormat)
fmt.Print(s)
} else {
s := output.DescribeBackup(context.Background(), kbClient, &backups.Items[i], deleteRequestList.Items, podVolumeBackupList.Items, details, insecureSkipTLSVerify, caCertFile)
s := output.DescribeBackup(context.Background(), kbClient, &backups.Items[i], deleteRequestList.Items, podVolumeBackupList.Items, details, effectiveInsecureSkipTLS, caCertFile)
if first {
first = false
fmt.Print(s)
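Review bot: The comment `// Inherit insecureSkipTLSVerify from BSL config if not set via CLI flag` does not describe what `effectiveInsecureSkipTLS = effectiveInsecureSkipTLS || bslInsecure` does: the BSL value is applied whenever it is "true", regardless of the flag, so an explicit `--insecure-skip-tls-verify=false` can no longer force certificate verification and the user gets no hint that cluster-side config turned it off. If "only when the flag is unset" is the intent, gate on `c.Flags().Changed("insecure-skip-tls-verify")` where the *cobra.Command is in scope; otherwise reword the comment to `// Skip TLS verification when either the CLI flag or the BSL config requests it` and print a stderr warning when `bslInsecure && !insecureSkipTLSVerify` so the downgrade is visible to the operator. The same comment/code mismatch is repeated in pkg/cmd/cli/backup/download.go, backup/logs.go, restore/describe.go and restore/logs.go. The loop over backups.Items that contains these lines starts and ends outside the hunk.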
8 changes: 7 additions & 1 deletion pkg/cmd/cli/backup/download.go
Expand Up @@ -133,13 +133,19 @@ func (o *DownloadOptions) Run(c *cobra.Command, f client.Factory) error {
bslCACert = ""
}

// Inherit insecureSkipTLSVerify from BSL config if not set via CLI flag
bslInsecure, err := cacert.GetInsecureSkipTLSVerifyFromBackup(context.Background(), kbClient, f.Namespace(), backup)
if err != nil {
fmt.Fprintf(os.Stderr, "WARNING: Error getting insecureSkipTLSVerify from BSL: %v\n", err)
}

backupDest, err := os.OpenFile(o.Output, o.writeOptions, 0600)
if err != nil {
return err
}
defer backupDest.Close()

err = downloadrequest.StreamWithBSLCACert(context.Background(), kbClient, f.Namespace(), o.Name, velerov1api.DownloadTargetKindBackupContents, backupDest, o.Timeout, o.InsecureSkipTLSVerify, o.caCertFile, bslCACert)
err = downloadrequest.StreamWithBSLCACert(context.Background(), kbClient, f.Namespace(), o.Name, velerov1api.DownloadTargetKindBackupContents, backupDest, o.Timeout, o.InsecureSkipTLSVerify || bslInsecure, o.caCertFile, bslCACert)
if err != nil {
os.Remove(o.Output)
cmd.CheckError(err)
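Review bot: `cacert.GetInsecureSkipTLSVerifyFromBackup` performs its own `client.Get` of the BSL, while `bslCACert` just above the hunk appears to come from a lookup of the same BSL (that fetch is outside the hunk, so this is inferred); reading both values from the one fetched object would avoid a second API round-trip and a second independent failure path. As written, a CLI user who can get backups but not backupstoragelocations will see `WARNING: Error getting insecureSkipTLSVerify from BSL` on every download while the transfer proceeds with bslInsecure == false, which is the safe default but is not stated anywhere; add `// Lookup failure leaves bslInsecure false, so TLS verification stays on.` after the warning. The same pattern appears in backup/logs.go and restore/logs.go. The Run method continues outside the hunk on both sides.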
8 changes: 7 additions & 1 deletion pkg/cmd/cli/backup/logs.go
Expand Up @@ -86,7 +86,13 @@ func (l *LogsOptions) Run(c *cobra.Command, f client.Factory) error {
bslCACert = ""
}

err = downloadrequest.StreamWithBSLCACert(context.Background(), l.Client, f.Namespace(), l.BackupName, velerov1api.DownloadTargetKindBackupLog, os.Stdout, l.Timeout, l.InsecureSkipTLSVerify, l.CaCertFile, bslCACert)
// Inherit insecureSkipTLSVerify from BSL config if not set via CLI flag
bslInsecure, err := cacert.GetInsecureSkipTLSVerifyFromBackup(context.Background(), l.Client, f.Namespace(), backup)
if err != nil {
fmt.Fprintf(os.Stderr, "WARNING: Error getting insecureSkipTLSVerify from BSL: %v\n", err)
}

err = downloadrequest.StreamWithBSLCACert(context.Background(), l.Client, f.Namespace(), l.BackupName, velerov1api.DownloadTargetKindBackupLog, os.Stdout, l.Timeout, l.InsecureSkipTLSVerify || bslInsecure, l.CaCertFile, bslCACert)
return err
}

11 changes: 10 additions & 1 deletion pkg/cmd/cli/restore/describe.go
Expand Up @@ -29,6 +29,7 @@ import (
velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
"github.com/vmware-tanzu/velero/pkg/client"
"github.com/vmware-tanzu/velero/pkg/cmd"
"github.com/vmware-tanzu/velero/pkg/cmd/util/cacert"
"github.com/vmware-tanzu/velero/pkg/cmd/util/output"
"github.com/vmware-tanzu/velero/pkg/label"
)
Expand Down Expand Up @@ -80,7 +81,15 @@ func NewDescribeCommand(f client.Factory, use string) *cobra.Command {
fmt.Fprintf(os.Stderr, "error getting PodVolumeRestores for restore %s: %v\n", restore.Name, err)
}

s := output.DescribeRestore(context.Background(), kbClient, &restoreList.Items[i], podVolumeRestoreList.Items, details, insecureSkipTLSVerify, caCertFile)
// Inherit insecureSkipTLSVerify from BSL config if not set via CLI flag
effectiveInsecureSkipTLS := insecureSkipTLSVerify
bslInsecure, bslErr := cacert.GetInsecureSkipTLSVerifyFromRestore(context.Background(), kbClient, f.Namespace(), &restoreList.Items[i])
if bslErr != nil {
fmt.Fprintf(os.Stderr, "WARNING: Error getting insecureSkipTLSVerify from BSL for restore %s: %v\n", restore.Name, bslErr)
}
effectiveInsecureSkipTLS = effectiveInsecureSkipTLS || bslInsecure

s := output.DescribeRestore(context.Background(), kbClient, &restoreList.Items[i], podVolumeRestoreList.Items, details, effectiveInsecureSkipTLS, caCertFile)
if first {
first = false
fmt.Print(s)
8 changes: 7 additions & 1 deletion pkg/cmd/cli/restore/logs.go
Expand Up @@ -77,7 +77,13 @@ func NewLogsCommand(f client.Factory) *cobra.Command {
bslCACert = ""
}

err = downloadrequest.StreamWithBSLCACert(context.Background(), kbClient, f.Namespace(), restoreName, velerov1api.DownloadTargetKindRestoreLog, os.Stdout, timeout, insecureSkipTLSVerify, caCertFile, bslCACert)
// Inherit insecureSkipTLSVerify from BSL config if not set via CLI flag
bslInsecure, err := cacert.GetInsecureSkipTLSVerifyFromRestore(context.Background(), kbClient, f.Namespace(), restore)
if err != nil {
fmt.Fprintf(os.Stderr, "WARNING: Error getting insecureSkipTLSVerify from BSL: %v\n", err)
}

err = downloadrequest.StreamWithBSLCACert(context.Background(), kbClient, f.Namespace(), restoreName, velerov1api.DownloadTargetKindRestoreLog, os.Stdout, timeout, insecureSkipTLSVerify || bslInsecure, caCertFile, bslCACert)
cmd.CheckError(err)
},
}
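--- a/pkg/cmd/util/cacert/bsl_insecure_tls.go
+++ b/pkg/cmd/util/cacert/bsl_insecure_tls.go
+/*
+Copyright the Velero contributors.
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+http://www.apache.org/licenses/LICENSE-2.0
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package cacert
+
+import (
+	"context"
+	"strings"
+
+	"github.com/pkg/errors"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
+	kbclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
+)
+
+func GetInsecureSkipTLSVerifyFromBackup(ctx context.Context, client kbclient.Client, namespace string, backup *velerov1api.Backup) (bool, error) {
+	return GetInsecureSkipTLSVerifyFromBSL(ctx, client, namespace, backup.Spec.StorageLocation)
+}
+
+func GetInsecureSkipTLSVerifyFromRestore(ctx context.Context, client kbclient.Client, namespace string, restore *velerov1api.Restore) (bool, error) {
+	backup := &velerov1api.Backup{}
+	key := kbclient.ObjectKey{
+		Namespace: namespace,
+		Name: restore.Spec.BackupName,
+	}
+
+	if err := client.Get(ctx, key, backup); err != nil {
+		if apierrors.IsNotFound(err) {
+			return false, nil
+		}
+		return false, errors.Wrapf(err, "error getting backup %s", restore.Spec.BackupName)
+	}
+
+	return GetInsecureSkipTLSVerifyFromBackup(ctx, client, namespace, backup)
+}
+
+func GetInsecureSkipTLSVerifyFromBSL(ctx context.Context, client kbclient.Client, namespace, bslName string) (bool, error) {
+	if bslName == "" {
+		return false, nil
+	}
+
+	bsl := &velerov1api.BackupStorageLocation{}
+	key := kbclient.ObjectKey{
+		Namespace: namespace,
+		Name: bslName,
+	}
+
+	if err := client.Get(ctx, key, bsl); err != nil {
+		if apierrors.IsNotFound(err) {
+			return false, nil
+		}
+		return false, errors.Wrapf(err, "error getting backup storage location %s", bslName)
+	}
+
+	if bsl.Spec.Config == nil {
+		return false, nil
+	}
+
+	return strings.EqualFold(bsl.Spec.Config["insecureSkipTLSVerify"], "true"), nil
+}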
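Review bot: The three exported functions GetInsecureSkipTLSVerifyFromBackup, GetInsecureSkipTLSVerifyFromRestore and GetInsecureSkipTLSVerifyFromBSL carry no doc comments, and since they decide whether an HTTPS client will skip certificate verification each should state its contract, e.g. `// GetInsecureSkipTLSVerifyFromBSL reports whether the named BSL's config sets insecureSkipTLSVerify to "true" (case-insensitive); an empty name, a missing BSL or a missing key yields false, so callers fall back to verifying TLS.` Note that `strings.EqualFold(bsl.Spec.Config["insecureSkipTLSVerify"], "true")` honours only the literal "true": if the server-side provider plugin parses the same key with strconv.ParseBool (which also accepts "1", "t" and "T"), a BSL set to "1" would skip verification on the server but not here — that mismatch is in the safe direction, but the doc comment should spell out which values are recognised so operators are not surprised. In GetInsecureSkipTLSVerifyFromRestore a restore whose backup no longer exists returns (false, nil) silently; that is the safe default but deserves `// A missing backup is not an error: fall back to verifying TLS.` on the IsNotFound branch.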