cybozu-go · ymmt2005 · Oct 27, 2023 · Oct 18, 2023 · Oct 18, 2023 · Oct 18, 2023
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -5,6 +5,9 @@ This project adheres to [Semantic Versioning](http://semver.org/).
 
 ## [Unreleased]
 
+### Added
+- Add tls settings for BackupPolicy [#580](https://github.com/cybozu-go/moco/pull/580)
+
 ## [0.17.0] - 2023-09-11
 
 ### Breaking Changes

diff --git a/api/v1beta1/job_types.go b/api/v1beta1/job_types.go
@@ -218,4 +218,8 @@ type BucketConfig struct {
 	// +kubebuilder:default=s3
 	// +optional
 	BackendType string `json:"backendType,omitempty"`
+
+	// Path to SSL CA certificate file used in addition to system default.
+	// +optional
+	CaCert string `json:"caCert,omitempty"`
 }
diff --git a/api/v1beta1/zz_generated.conversion.go b/api/v1beta1/zz_generated.conversion.go
diff --git a/api/v1beta2/job_types.go b/api/v1beta2/job_types.go
@@ -201,6 +201,10 @@ type BucketConfig struct {
 	// +kubebuilder:default=s3
 	// +optional
 	BackendType string `json:"backendType,omitempty"`
+
+	// Path to SSL CA certificate file used in addition to system default.
+	// +optional
+	CaCert string `json:"caCert,omitempty"`
 }
 
 // AffinityApplyConfiguration is the type defined to implement the DeepCopy method.

diff --git a/charts/moco/templates/generated/crds/moco_crds.yaml b/charts/moco/templates/generated/crds/moco_crds.yaml
@@ -422,6 +422,9 @@ spec:
                           description: The name of the bucket
                           minLength: 1
                           type: string
+                        caCert:
+                          description: Path to SSL CA certificate file used in addition t
+                          type: string
                         endpointURL:
                           description: The API endpoint URL.
                           pattern: ^https?://.*
@@ -2452,6 +2455,9 @@ spec:
                           description: The name of the bucket
                           minLength: 1
                           type: string
+                        caCert:
+                          description: Path to SSL CA certificate file used in addition t
+                          type: string
                         endpointURL:
                           description: The API endpoint URL.
                           pattern: ^https?://.*
@@ -7722,6 +7728,9 @@ spec:
                               description: The name of the bucket
                               minLength: 1
                               type: string
+                            caCert:
+                              description: Path to SSL CA certificate file used in addition t
+                              type: string
                             endpointURL:
                               description: The API endpoint URL.
                               pattern: ^https?://.*
@@ -13606,6 +13615,9 @@ spec:
                               description: The name of the bucket
                               minLength: 1
                               type: string
+                            caCert:
+                              description: Path to SSL CA certificate file used in addition t
+                              type: string
                             endpointURL:
                               description: The API endpoint URL.
                               pattern: ^https?://.*

diff --git a/cmd/moco-backup/cmd/root.go b/cmd/moco-backup/cmd/root.go
@@ -2,8 +2,11 @@ package cmd
 
 import (
 	"context"
+	"crypto/tls"
+	"crypto/x509"
 	"errors"
 	"fmt"
+	"net/http"
 	"net/url"
 	"os"
 
@@ -15,12 +18,13 @@ import (
 )
 
 var commonArgs struct {
-	workDir      string
-	threads      int
-	region       string
-	endpointURL  string
-	usePathStyle bool
-	backendType  string
+	workDir        string
+	threads        int
+	region         string
+	endpointURL    string
+	usePathStyle   bool
+	backendType    string
+	caCertFilePath string
 }
 
 func makeBucket(bucketName string) (bucket.Bucket, error) {
@@ -45,6 +49,27 @@ func makeS3Bucket(bucketName string) (bucket.Bucket, error) {
 	if commonArgs.usePathStyle {
 		opts = append(opts, bucket.WithPathStyle())
 	}
+	if len(commonArgs.caCertFilePath) > 0 {
+		caCertFile, err := os.ReadFile(commonArgs.caCertFilePath)
+		if err != nil {
+			return nil, err
+		}
+		caCertPool, err := x509.SystemCertPool()
+		if err != nil {
+			return nil, err
+		}
+		if ok := caCertPool.AppendCertsFromPEM(caCertFile); !ok {
+			return nil, fmt.Errorf("failed to add ca cert")
+		}
+		transport := http.DefaultTransport.(*http.Transport).Clone()
+		if transport.TLSClientConfig == nil {
+			transport.TLSClientConfig = &tls.Config{}
+		}
+		transport.TLSClientConfig.RootCAs = caCertPool
+		opts = append(opts, bucket.WithHTTPClient(&http.Client{
+			Transport: transport,
+		}))
+	}
 	return bucket.NewS3Bucket(bucketName, opts...)
 }
 
@@ -95,4 +120,5 @@ func init() {
 	pf.StringVar(&commonArgs.endpointURL, "endpoint", "", "Object storage API endpoint URL")
 	pf.BoolVar(&commonArgs.usePathStyle, "use-path-style", false, "Use path-style S3 API")
 	pf.StringVar(&commonArgs.backendType, "backend-type", "s3", "The identifier for the object storage to be used.")
+	pf.StringVar(&commonArgs.caCertFilePath, "ca-cert", "", "Path to SSL CA certificate file used in addition to system default")
 }
diff --git a/config/crd/bases/moco.cybozu.com_backuppolicies.yaml b/config/crd/bases/moco.cybozu.com_backuppolicies.yaml
@@ -462,6 +462,10 @@ spec:
                         description: The name of the bucket
                         minLength: 1
                         type: string
+                      caCert:
+                        description: Path to SSL CA certificate file used in addition
+                          t
+                        type: string
                       endpointURL:
                         description: The API endpoint URL.
                         pattern: ^https?://.*
@@ -2649,6 +2653,10 @@ spec:
                         description: The name of the bucket
                         minLength: 1
                         type: string
+                      caCert:
+                        description: Path to SSL CA certificate file used in addition
+                          t
+                        type: string
                       endpointURL:
                         description: The API endpoint URL.
                         pattern: ^https?://.*

diff --git a/config/crd/bases/moco.cybozu.com_mysqlclusters.yaml b/config/crd/bases/moco.cybozu.com_mysqlclusters.yaml
@@ -3999,6 +3999,10 @@ spec:
                             description: The name of the bucket
                             minLength: 1
                             type: string
+                          caCert:
+                            description: Path to SSL CA certificate file used in addition
+                              t
+                            type: string
                           endpointURL:
                             description: The API endpoint URL.
                             pattern: ^https?://.*
@@ -10430,6 +10434,10 @@ spec:
                             description: The name of the bucket
                             minLength: 1
                             type: string
+                          caCert:
+                            description: Path to SSL CA certificate file used in addition
+                              t
+                            type: string
                           endpointURL:
                             description: The API endpoint URL.
                             pattern: ^https?://.*

diff --git a/...ests/apiextensions.k8s.io_v1_customresourcedefinition_backuppolicies.moco.cybozu.com.yaml b/...ests/apiextensions.k8s.io_v1_customresourcedefinition_backuppolicies.moco.cybozu.com.yaml
@@ -461,6 +461,10 @@ spec:
                         description: The name of the bucket
                         minLength: 1
                         type: string
+                      caCert:
+                        description: Path to SSL CA certificate file used in addition
+                          t
+                        type: string
                       endpointURL:
                         description: The API endpoint URL.
                         pattern: ^https?://.*
@@ -2648,6 +2652,10 @@ spec:
                         description: The name of the bucket
                         minLength: 1
                         type: string
+                      caCert:
+                        description: Path to SSL CA certificate file used in addition
+                          t
+                        type: string
                       endpointURL:
                         description: The API endpoint URL.
                         pattern: ^https?://.*

diff --git a/...tests/apiextensions.k8s.io_v1_customresourcedefinition_mysqlclusters.moco.cybozu.com.yaml b/...tests/apiextensions.k8s.io_v1_customresourcedefinition_mysqlclusters.moco.cybozu.com.yaml
@@ -4009,6 +4009,10 @@ spec:
                             description: The name of the bucket
                             minLength: 1
                             type: string
+                          caCert:
+                            description: Path to SSL CA certificate file used in addition
+                              t
+                            type: string
                           endpointURL:
                             description: The API endpoint URL.
                             pattern: ^https?://.*
@@ -10440,6 +10444,10 @@ spec:
                             description: The name of the bucket
                             minLength: 1
                             type: string
+                          caCert:
+                            description: Path to SSL CA certificate file used in addition
+                              t
+                            type: string
                           endpointURL:
                             description: The API endpoint URL.
                             pattern: ^https?://.*

diff --git a/controllers/mysqlcluster_controller.go b/controllers/mysqlcluster_controller.go
@@ -997,6 +997,9 @@ func bucketArgs(bc mocov1beta2.BucketConfig) []string {
 	if bc.BackendType != "" {
 		args = append(args, "--backend-type="+bc.BackendType)
 	}
+	if bc.CaCert != "" {
+		args = append(args, "--ca-cert="+bc.CaCert)
+	}
 
 	return append(args, bc.BucketName)
 }

diff --git a/docs/crd_backuppolicy_v1beta1.md b/docs/crd_backuppolicy_v1beta1.md
@@ -60,6 +60,7 @@ BucketConfig is a set of parameter to access an object storage bucket.
 | endpointURL | The API endpoint URL.  Set this for non-S3 object storages. | string | false |
 | usePathStyle | Allows you to enable the client to use path-style addressing, i.e., https?://ENDPOINT/BUCKET/KEY. By default, a virtual-host addressing is used (https?://BUCKET.ENDPOINT/KEY). | bool | false |
 | backendType | BackendType is an identifier for the object storage to be used. | string | false |
+| caCert | Path to SSL CA certificate file used in addition to system default. | string | false |
 
 [Back to Custom Resources](#custom-resources)
 

diff --git a/docs/crd_backuppolicy_v1beta2.md b/docs/crd_backuppolicy_v1beta2.md
@@ -60,6 +60,7 @@ BucketConfig is a set of parameter to access an object storage bucket.
 | endpointURL | The API endpoint URL.  Set this for non-S3 object storages. | string | false |
 | usePathStyle | Allows you to enable the client to use path-style addressing, i.e., https?://ENDPOINT/BUCKET/KEY. By default, a virtual-host addressing is used (https?://BUCKET.ENDPOINT/KEY). | bool | false |
 | backendType | BackendType is an identifier for the object storage to be used. | string | false |
+| caCert | Path to SSL CA certificate file used in addition to system default. | string | false |
 
 [Back to Custom Resources](#custom-resources)
 

diff --git a/docs/crd_mysqlcluster_v1beta1.md b/docs/crd_mysqlcluster_v1beta1.md
@@ -181,6 +181,7 @@ BucketConfig is a set of parameter to access an object storage bucket.
 | endpointURL | The API endpoint URL.  Set this for non-S3 object storages. | string | false |
 | usePathStyle | Allows you to enable the client to use path-style addressing, i.e., https?://ENDPOINT/BUCKET/KEY. By default, a virtual-host addressing is used (https?://BUCKET.ENDPOINT/KEY). | bool | false |
 | backendType | BackendType is an identifier for the object storage to be used. | string | false |
+| caCert | Path to SSL CA certificate file used in addition to system default. | string | false |
 
 [Back to Custom Resources](#custom-resources)
 

diff --git a/docs/crd_mysqlcluster_v1beta2.md b/docs/crd_mysqlcluster_v1beta2.md
@@ -195,6 +195,7 @@ BucketConfig is a set of parameter to access an object storage bucket.
 | endpointURL | The API endpoint URL.  Set this for non-S3 object storages. | string | false |
 | usePathStyle | Allows you to enable the client to use path-style addressing, i.e., https?://ENDPOINT/BUCKET/KEY. By default, a virtual-host addressing is used (https?://BUCKET.ENDPOINT/KEY). | bool | false |
 | backendType | BackendType is an identifier for the object storage to be used. | string | false |
+| caCert | Path to SSL CA certificate file used in addition to system default. | string | false |
 
 [Back to Custom Resources](#custom-resources)
 

diff --git a/docs/moco-backup.md b/docs/moco-backup.md
@@ -19,6 +19,7 @@ Global Flags:
       --threads int       The number of threads to be used (default 4)
       --use-path-style    Use path-style S3 API
       --work-dir string   The writable working directory (default "/work")
+      --ca-cert string    Path to SSL CA certificate file used in addition to system default
 ```
 
 ## Subcommands

diff --git a/e2e/Makefile b/e2e/Makefile
@@ -48,6 +48,7 @@ endif
 	$(KUSTOMIZE) build . | $(KUBECTL) apply -f -
 	$(KUBECTL) -n moco-system wait --for=condition=available --timeout=180s --all deployments
 	$(KUBECTL) apply -f minio.yaml
+	$(KUBECTL) apply -f minio-tls.yaml
 	$(KUBECTL) apply -f fake-gcs-server.yaml
 	$(KUBECTL) wait --timeout=60s --for=condition=Ready --all pods