Make secret file optional on install (#1699)

* Make secret file optional on install Fixes #1689 Signed-off-by: Nolan Brubaker <brubakern@vmware.com>
2026-01-07 05:46:37 +00:00 · 2019-08-01 18:57:36 -04:00
parent 2a6929d453
commit 635dd27e1a
9 changed files with 92 additions and 63 deletions
--- a/pkg/cmd/cli/install/install.go
+++ b/pkg/cmd/cli/install/install.go
@@ -55,6 +55,7 @@ type InstallOptions struct {
 	ResticPodMemLimit    string
 	RestoreOnly          bool
 	SecretFile           string
+	NoSecret             bool
 	DryRun               bool
 	BackupStorageConfig  flag.Map
 	VolumeSnapshotConfig flag.Map
@@ -67,7 +68,8 @@ type InstallOptions struct {
 func (o *InstallOptions) BindFlags(flags *pflag.FlagSet) {
 	flags.StringVar(&o.ProviderName, "provider", o.ProviderName, "provider name for backup and volume storage")
 	flags.StringVar(&o.BucketName, "bucket", o.BucketName, "name of the object storage bucket where backups should be stored")
-	flags.StringVar(&o.SecretFile, "secret-file", o.SecretFile, "file containing credentials for backup and volume provider")
+	flags.StringVar(&o.SecretFile, "secret-file", o.SecretFile, "file containing credentials for backup and volume provider. If not specified, --no-secret must be used for confirmation. Optional.")
+	flags.BoolVar(&o.NoSecret, "no-secret", o.NoSecret, "flag indicating if a secret should be created. Must be used as confirmation if --secret-file is not provided. Optional.")
 	flags.StringVar(&o.Image, "image", o.Image, "image to use for the Velero and restic server pods. Optional.")
 	flags.StringVar(&o.Prefix, "prefix", o.Prefix, "prefix under which all Velero data should be stored within the bucket. Optional.")
 	flags.Var(&o.PodAnnotations, "pod-annotations", "annotations to add to the Velero and restic pods. Optional. Format is key1=value1,key2=value2")
@@ -112,13 +114,16 @@ func NewInstallOptions() *InstallOptions {

 // AsVeleroOptions translates the values provided at the command line into values used to instantiate Kubernetes resources
 func (o *InstallOptions) AsVeleroOptions() (*install.VeleroOptions, error) {
-	realPath, err := filepath.Abs(o.SecretFile)
-	if err != nil {
-		return nil, err
-	}
-	secretData, err := ioutil.ReadFile(realPath)
-	if err != nil {
-		return nil, err
+	var secretData []byte
+	if o.SecretFile != "" && !o.NoSecret {
+		realPath, err := filepath.Abs(o.SecretFile)
+		if err != nil {
+			return nil, err
+		}
+		secretData, err = ioutil.ReadFile(realPath)
+		if err != nil {
+			return nil, err
+		}
 	}
 	veleroPodResources, err := parseResourceRequests(o.VeleroPodCPURequest, o.VeleroPodMemRequest, o.VeleroPodCPULimit, o.VeleroPodMemLimit)
 	if err != nil {
@@ -179,7 +184,7 @@ This is useful as a starting point for more customized installations.

 	# velero install --bucket gcp-backups --provider gcp --secret-file ./gcp-creds.json --wait

-	# velero install --bucket backups --provider aws --backup-location-config region=us-west-2 --secret-file ./an-empty-file --snapshot-location-config region=us-west-2 --pod-annotations iam.amazonaws.com/role=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<VELERO_ROLE_NAME>
+	# velero install --bucket backups --provider aws --backup-location-config region=us-west-2 --snapshot-location-config region=us-west-2 --no-secret --pod-annotations iam.amazonaws.com/role=arn:aws:iam::<AWS_ACCOUNT_ID>:role/<VELERO_ROLE_NAME>

 	# velero install --bucket gcp-backups --provider gcp --secret-file ./gcp-creds.json --velero-pod-cpu-request=1000m --velero-pod-cpu-limit=5000m --velero-pod-mem-request=512Mi --velero-pod-mem-limit=1024Mi

@@ -238,6 +243,9 @@ func (o *InstallOptions) Run(c *cobra.Command, f client.Factory) error {
 			return errors.Wrap(err, errorMsg)
 		}
 	}
+	if o.SecretFile == "" {
+		fmt.Printf("\nNo secret file was specified, no Secret created.\n\n")
+	}
 	fmt.Printf("Velero is installed! ⛵ Use 'kubectl logs deployment/velero -n %s' to view the status.\n", o.Namespace)
 	return nil
 }
@@ -268,8 +276,11 @@ func (o *InstallOptions) Validate(c *cobra.Command, args []string, f client.Fact
 		return errors.New("--provider is required")
 	}

-	if o.SecretFile == "" {
-		return errors.New("--secret-file is required")
+	switch {
+	case o.SecretFile == "" && !o.NoSecret:
+		return errors.New("One of --secret-file or --no-secret is required")
+	case o.SecretFile != "" && o.NoSecret:
+		return errors.New("Cannot use both --secret-file and --no-secret")
 	}

 	return nil