allow individual backup storage locations to be read-only (#1517)

* allow individual backup storage locations to be read-only

Signed-off-by: Steve Kriss <krisss@vmware.com>

pkg/cmd/cli/backuplocation/create.go

@@ -18,13 +18,14 @@ package backuplocation
 
 import (
 	"fmt"
+	"strings"
 
 	"github.com/pkg/errors"
 	"github.com/spf13/cobra"
 	"github.com/spf13/pflag"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
-	api "github.com/heptio/velero/pkg/apis/velero/v1"
+	velerov1api "github.com/heptio/velero/pkg/apis/velero/v1"
 	"github.com/heptio/velero/pkg/client"
 	"github.com/heptio/velero/pkg/cmd"
 	"github.com/heptio/velero/pkg/cmd/util/flag"
@@ -53,17 +54,23 @@ func NewCreateCommand(f client.Factory, use string) *cobra.Command {
 }
 
 type CreateOptions struct {
-	Name     string
-	Provider string
-	Bucket   string
-	Prefix   string
-	Config   flag.Map
-	Labels   flag.Map
+	Name       string
+	Provider   string
+	Bucket     string
+	Prefix     string
+	Config     flag.Map
+	Labels     flag.Map
+	AccessMode *flag.Enum
 }
 
 func NewCreateOptions() *CreateOptions {
 	return &CreateOptions{
 		Config: flag.NewMap(),
+		AccessMode: flag.NewEnum(
+			string(velerov1api.BackupStorageLocationAccessModeReadWrite),
+			string(velerov1api.BackupStorageLocationAccessModeReadWrite),
+			string(velerov1api.BackupStorageLocationAccessModeReadOnly),
+		),
 	}
 }
 
@@ -73,6 +80,11 @@ func (o *CreateOptions) BindFlags(flags *pflag.FlagSet) {
 	flags.StringVar(&o.Prefix, "prefix", o.Prefix, "prefix under which all Velero data should be stored within the bucket. Optional.")
 	flags.Var(&o.Config, "config", "configuration key-value pairs")
 	flags.Var(&o.Labels, "labels", "labels to apply to the backup storage location")
+	flags.Var(
+		o.AccessMode,
+		"access-mode",
+		fmt.Sprintf("access mode for the backup storage location. Valid values are %s", strings.Join(o.AccessMode.AllowedValues(), ",")),
+	)
 }
 
 func (o *CreateOptions) Validate(c *cobra.Command, args []string, f client.Factory) error {
@@ -97,21 +109,22 @@ func (o *CreateOptions) Complete(args []string, f client.Factory) error {
 }
 
 func (o *CreateOptions) Run(c *cobra.Command, f client.Factory) error {
-	backupStorageLocation := &api.BackupStorageLocation{
+	backupStorageLocation := &velerov1api.BackupStorageLocation{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: f.Namespace(),
 			Name:      o.Name,
 			Labels:    o.Labels.Data(),
 		},
-		Spec: api.BackupStorageLocationSpec{
+		Spec: velerov1api.BackupStorageLocationSpec{
 			Provider: o.Provider,
-			StorageType: api.StorageType{
-				ObjectStorage: &api.ObjectStorageLocation{
+			StorageType: velerov1api.StorageType{
+				ObjectStorage: &velerov1api.ObjectStorageLocation{
 					Bucket: o.Bucket,
 					Prefix: o.Prefix,
 				},
 			},
-			Config: o.Config.Data(),
+			Config:     o.Config.Data(),
+			AccessMode: velerov1api.BackupStorageLocationAccessMode(o.AccessMode.String()),
 		},
 	}
 

pkg/cmd/server/server.go

@@ -194,7 +194,7 @@ func NewCommand() *cobra.Command {
 	command.Flags().StringVar(&config.metricsAddress, "metrics-address", config.metricsAddress, "the address to expose prometheus metrics")
 	command.Flags().DurationVar(&config.backupSyncPeriod, "backup-sync-period", config.backupSyncPeriod, "how often to ensure all Velero backups in object storage exist as Backup API objects in the cluster")
 	command.Flags().DurationVar(&config.podVolumeOperationTimeout, "restic-timeout", config.podVolumeOperationTimeout, "how long backups/restores of pod volumes should be allowed to run before timing out")
-	command.Flags().BoolVar(&config.restoreOnly, "restore-only", config.restoreOnly, "run in a mode where only restores are allowed; backups, schedules, and garbage-collection are all disabled")
+	command.Flags().BoolVar(&config.restoreOnly, "restore-only", config.restoreOnly, "run in a mode where only restores are allowed; backups, schedules, and garbage-collection are all disabled. DEPRECATED: this flag will be removed in v2.0. Use read-only backup storage locations instead.")
 	command.Flags().StringSliceVar(&config.disabledControllers, "disable-controllers", config.disabledControllers, fmt.Sprintf("list of controllers to disable on startup. Valid values are %s", strings.Join(disableControllerList, ",")))
 	command.Flags().StringSliceVar(&config.restoreResourcePriorities, "restore-resource-priorities", config.restoreResourcePriorities, "desired order of resource restores; any resource not in the list will be restored alphabetically after the prioritized resources")
 	command.Flags().StringVar(&config.defaultBackupLocation, "default-backup-storage-location", config.defaultBackupLocation, "name of the default backup storage location")
@@ -629,6 +629,7 @@ func (s *server) runControllers(defaultVolumeSnapshotLocations map[string]string
 			s.sharedInformerFactory.Velero().V1().Backups(),
 			s.sharedInformerFactory.Velero().V1().DeleteBackupRequests(),
 			s.veleroClient.VeleroV1(),
+			s.sharedInformerFactory.Velero().V1().BackupStorageLocations(),
 		)
 
 		return controllerRunInfo{

pkg/cmd/util/output/backup_storage_location_printer.go

@@ -26,7 +26,7 @@ import (
 )
 
 var (
-	backupStorageLocationColumns = []string{"NAME", "PROVIDER", "BUCKET/PREFIX"}
+	backupStorageLocationColumns = []string{"NAME", "PROVIDER", "BUCKET/PREFIX", "ACCESS MODE"}
 )
 
 func printBackupStorageLocationList(list *v1.BackupStorageLocationList, w io.Writer, options printers.PrintOptions) error {
@@ -52,12 +52,18 @@ func printBackupStorageLocation(location *v1.BackupStorageLocation, w io.Writer,
 		bucketAndPrefix += "/" + location.Spec.ObjectStorage.Prefix
 	}
 
+	accessMode := location.Spec.AccessMode
+	if accessMode == "" {
+		accessMode = v1.BackupStorageLocationAccessModeReadWrite
+	}
+
 	if _, err := fmt.Fprintf(
 		w,
-		"%s\t%s\t%s",
+		"%s\t%s\t%s\t%s",
 		name,
 		location.Spec.Provider,
 		bucketAndPrefix,
+		accessMode,
 	); err != nil {
 		return err
 	}