From 8e18f07b7d8d7dd0db98adb10dc38bca4d78ebbc Mon Sep 17 00:00:00 2001
From: Valentin Maillot
Date: Tue, 26 Mar 2024 14:35:26 +0100
Subject: [PATCH 1/3] feat(etcd-backup): add custom CA support

Signed-off-by: Valentin Maillot
---
 README.md | 1 +
 backup-config.yaml | 4 ++++
 backup.sh | 7 +++++--
 3 files changed, 10 insertions(+), 2 deletions(-)

diff --git a/README.md b/README.md
index 8671462..0401eef 100644
--- a/README.md
+++ b/README.md
@@ -62,6 +62,7 @@ The following options are used:
 - `OCP_BACKUP_S3`: Use S3 to store etcd-backup snapshots
 - `OCP_BACKUP_S3_NAME`: MinIO client host alias name
 - `OCP_BACKUP_S3_HOST`: S3 host endpoint (with scheme)
+- `OCP_BACKUP-S3_CA`: S3 host CA (if needed)
 - `OCP_BACKUP_S3_BUCKET`: S3 bucket name
 - `OCP_BACKUP_S3_ACCESS_KEY`: access key to access S3 bucket
 - `OCP_BACKUP_S3_SECRET_KEY`: secret key to access S3 bucket
diff --git a/backup-config.yaml b/backup-config.yaml
index 59edffe..bdba32d 100644
--- a/backup-config.yaml
+++ b/backup-config.yaml
@@ -6,6 +6,10 @@ data:
 OCP_BACKUP_S3: "false"
 OCP_BACKUP_S3_NAME: "minio"
 OCP_BACKUP_S3_HOST: "http://minio.local:9000"
+ OCP_BACKUP_S3_CA: |
+ -----BEGIN CERTIFICATE-----
+ ...
+ -----END CERTIFICATE-----
 OCP_BACKUP_S3_BUCKET: "etcd-backup"
 OCP_BACKUP_S3_ACCESS_KEY: "randomaccesskey"
 OCP_BACKUP_S3_SECRET_KEY: "secretkey"
diff --git a/backup.sh b/backup.sh
index faa6f66..627945b 100755
--- a/backup.sh
+++ b/backup.sh
@@ -35,8 +35,11 @@ set -xeuo pipefail
 if [ "${OCP_BACKUP_S3}" = "true" ]; then
 # prepare & push backup to S3
 
- # update CA trust
- update-ca-trust
+ # add custom CA if any and update CA trust
+ if [ "${OCP_BACKUP_S3_CA}" ]; then
+ echo -n "${OCP_BACKUP_S3_CA}" > /etc/pki/ca-trust/source/anchors/ca.crt
+ update-ca-trust
+ fi
 
 # configure mcli assuming the bucket already exists
 bash +o history

From 8da506380ea7103abc3c503eeca0130a9f4b046b Mon Sep 17 00:00:00 2001
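Review bot: The sample `OCP_BACKUP_S3_CA` value added in the backup-config.yaml hunk is a non-empty placeholder block, so a deployment that applies this ConfigMap unchanged passes the `[ "${OCP_BACKUP_S3_CA}" ]` test this series adds to backup.sh and installs a `...` pseudo-certificate as a trust anchor. Shipping the key empty, `OCP_BACKUP_S3_CA: ""`, and showing the PEM layout in a YAML comment keeps the default deployment's trust store unchanged while still documenting the expected format. A CA certificate is public data and belongs in a ConfigMap; the `OCP_BACKUP_S3_SECRET_KEY` entry visible in the same hunk's context is a credential that this change does not move, so the README should at least say the sample file is not a template for production secrets.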
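Review bot: `if [ "${OCP_BACKUP_S3_CA}" ]; then` aborts the script under the `set -xeuo pipefail` shown in the hunk header whenever the variable is not exported at all, because `-u` reports the unset reference before `[` runs; since the README documents the CA as optional, the test should be `if [ -n "${OCP_BACKUP_S3_CA:-}" ]; then`. `echo -n` also drops the trailing newline that the YAML `|` block supplies, so `printf '%s\n' "${OCP_BACKUP_S3_CA}" > /etc/pki/ca-trust/source/anchors/ca.crt` writes a well-formed PEM file. With `-x` active the whole certificate is traced into the job log by that line; not a secret, but it is noise to be aware of when reading CronJob output. The enclosing `if [ "${OCP_BACKUP_S3}" = "true" ]` block continues past the hunk, and patch 3 of this series replaces this logic with a mounted file.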
From: Valentin Maillot <74190001+vmaillot@users.noreply.github.com>
Date: Tue, 26 Mar 2024 14:45:04 +0100
Subject: [PATCH 2/3] chore(README): fix typo

Co-authored-by: Kevin Cottier <2429108+inisitijitty@users.noreply.github.com>
---
 README.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/README.md b/README.md
index 0401eef..59289eb 100644
--- a/README.md
+++ b/README.md
@@ -62,7 +62,7 @@ The following options are used:
 - `OCP_BACKUP_S3`: Use S3 to store etcd-backup snapshots
 - `OCP_BACKUP_S3_NAME`: MinIO client host alias name
 - `OCP_BACKUP_S3_HOST`: S3 host endpoint (with scheme)
-- `OCP_BACKUP-S3_CA`: S3 host CA (if needed)
+- `OCP_BACKUP_S3_CA`: S3 host CA (if needed)
 - `OCP_BACKUP_S3_BUCKET`: S3 bucket name
 - `OCP_BACKUP_S3_ACCESS_KEY`: access key to access S3 bucket
 - `OCP_BACKUP_S3_SECRET_KEY`: secret key to access S3 bucket

From 4046c126f734b431ed407f856f26b969d6f8704b Mon Sep 17 00:00:00 2001
From: Valentin Maillot
Date: Tue, 26 Mar 2024 15:03:33 +0100
Subject: [PATCH 3/3] fix(etcd-backup): mount CA as file directly

Signed-off-by: Valentin Maillot
---
 backup-cronjob.yaml | 6 ++++++
 backup.sh | 7 ++-----
 2 files changed, 8 insertions(+), 5 deletions(-)

diff --git a/backup-cronjob.yaml b/backup-cronjob.yaml
index 2ff2783..c82133c 100644
--- a/backup-cronjob.yaml
+++ b/backup-cronjob.yaml
@@ -53,3 +53,9 @@ spec:
 - name: volume-backup
 persistentVolumeClaim:
 claimName: etcd-backup-pvc
+ - name: custom-ca
+ configMap:
+ name: backup-config
+ items:
+ - key: OCP_BACKUP_S3_CA
+ path: /etc/pki/ca-trust/source/anchors/ca.crt
diff --git a/backup.sh b/backup.sh
index 627945b..faa6f66 100755
--- a/backup.sh
+++ b/backup.sh
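Review bot: `path: /etc/pki/ca-trust/source/anchors/ca.crt` under `items` is an absolute path, which the Kubernetes API rejects for a ConfigMap volume item (the item path must be relative to the mount point), so the CronJob will fail validation as written. The hunk also declares the `custom-ca` volume but no `volumeMounts` entry appears anywhere in this patch (the diffstat attributes only these six added lines to backup-cronjob.yaml), so even with a valid item path the file would not be visible to the container that runs backup.sh. Using a relative `path: ca.crt` plus a `subPath` mount at the anchors path, and marking the ConfigMap `optional: true` so jobs still start when `OCP_BACKUP_S3_CA` is not set, matches the README's "if needed" wording; a `subPath` mount does not receive later ConfigMap edits, which is fine here because each run is a new pod. The container spec that holds `volumeMounts` lies outside this hunk.
```yaml
        - name: custom-ca
          configMap:
            name: backup-config
            optional: true
            items:
              - key: OCP_BACKUP_S3_CA
                path: ca.crt
# … in the backup container's volumeMounts (outside this hunk) …
            - name: custom-ca
              mountPath: /etc/pki/ca-trust/source/anchors/ca.crt
              subPath: ca.crt
```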
@@ -35,11 +35,8 @@ set -xeuo pipefail
 if [ "${OCP_BACKUP_S3}" = "true" ]; then
 # prepare & push backup to S3
 
- # add custom CA if any and update CA trust
- if [ "${OCP_BACKUP_S3_CA}" ]; then
- echo -n "${OCP_BACKUP_S3_CA}" > /etc/pki/ca-trust/source/anchors/ca.crt
- update-ca-trust
- fi
+ # update CA trust
+ update-ca-trust
 
 # configure mcli assuming the bucket already exists
 bash +o history
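Review bot: The restored `# update CA trust` comment no longer tells a reader of backup.sh where a custom S3 CA comes from, now that the mechanism moved from an environment variable to a file mounted by the CronJob; suggest `# update CA trust; a custom S3 CA, when configured, is mounted by the CronJob at /etc/pki/ca-trust/source/anchors/ca.crt`. Because `update-ca-trust` now runs unconditionally again, a mount that supplies an empty or placeholder ca.crt is only reported in that command's own output, and I cannot tell from here whether it exits non-zero in that case, so `set -e` may not surface it; a one-line diagnostic such as `[ -s /etc/pki/ca-trust/source/anchors/ca.crt ] || echo "no custom S3 CA mounted" >&2` before the call makes a misconfigured mount visible in the job log without failing runs that need no custom CA. The enclosing `if [ "${OCP_BACKUP_S3}" = "true" ]` block continues past the end of the hunk.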