Pass configured BSL credential to plugin via config (#3442)

* Load credentials and pass to ObjectStorage plugins Update NewObjectBackupStore to take a CredentialsGetter which can be used to get the credentials for a BackupStorageLocation if it has been configured with a Credential. If the BSL has a credential, use that SecretKeySelector to fetch the secret, write the contents to a temp file and then pass that file through to the plugin via the config map using the key `credentialsFile`. This relies on the plugin being able to use this new config field. This does not yet handle VolumeSnapshotLocations or ResticRepositories. Signed-off-by: Bridget McErlean <bmcerlean@vmware.com> * Address code reviews Add godocs and comments. Improve formatting and test names. Signed-off-by: Bridget McErlean <bmcerlean@vmware.com> * Address code reviews Signed-off-by: Bridget McErlean <bmcerlean@vmware.com>
2026-01-06 05:25:40 +00:00 · 2021-03-04 16:43:15 -05:00
parent c46fe71b12
commit b9a8c0b254
19 changed files with 433 additions and 64 deletions
--- a/internal/credentials/file_store.go
+++ b/internal/credentials/file_store.go
@@ -0,0 +1,88 @@
+/*
+Copyright the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/pkg/errors"
+	corev1api "k8s.io/api/core/v1"
+	kbclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/vmware-tanzu/velero/pkg/util/filesystem"
+	"github.com/vmware-tanzu/velero/pkg/util/kube"
+)
+
+// FileStore defines operations for interacting with credentials
+// that are stored on a file system.
+type FileStore interface {
+	// Path returns a path on disk where the secret key defined by
+	// the given selector is serialized.
+	Path(selector *corev1api.SecretKeySelector) (string, error)
+}
+
+type namespacedFileStore struct {
+	client    kbclient.Client
+	namespace string
+	fsRoot    string
+	fs        filesystem.Interface
+}
+
+// NewNamespacedFileStore returns a FileStore which can interact with credentials
+// for the given namespace and will store them under the given fsRoot.
+func NewNamespacedFileStore(client kbclient.Client, namespace string, fsRoot string, fs filesystem.Interface) (FileStore, error) {
+	fsNamespaceRoot := filepath.Join(fsRoot, namespace)
+
+	if err := fs.MkdirAll(fsNamespaceRoot, 0755); err != nil {
+		return nil, err
+	}
+
+	return &namespacedFileStore{
+		client:    client,
+		namespace: namespace,
+		fsRoot:    fsNamespaceRoot,
+		fs:        fs,
+	}, nil
+}
+
+// Path returns a path on disk where the secret key defined by
+// the given selector is serialized.
+func (n *namespacedFileStore) Path(selector *corev1api.SecretKeySelector) (string, error) {
+	creds, err := kube.GetSecretKey(n.client, n.namespace, selector)
+	if err != nil {
+		return "", errors.Wrap(err, "unable to get key for secret")
+	}
+
+	keyFilePath := filepath.Join(n.fsRoot, fmt.Sprintf("%s-%s", selector.Name, selector.Key))
+
+	file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE, 0644)
+	if err != nil {
+		return "", errors.Wrap(err, "unable to open credentials file for writing")
+	}
+
+	if _, err := file.Write(creds); err != nil {
+		return "", errors.Wrap(err, "unable to write credentials to store")
+	}
+
+	if err := file.Close(); err != nil {
+		return "", errors.Wrap(err, "unable to close credentials file")
+	}
+
+	return keyFilePath, nil
+}
--- a/internal/credentials/file_store_test.go
+++ b/internal/credentials/file_store_test.go
@@ -0,0 +1,93 @@
+/*
+Copyright the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/vmware-tanzu/velero/pkg/builder"
+	velerotest "github.com/vmware-tanzu/velero/pkg/test"
+)
+
+func TestNamespacedFileStore(t *testing.T) {
+	testCases := []struct {
+		name             string
+		namespace        string
+		fsRoot           string
+		secrets          []*corev1.Secret
+		secretSelector   *corev1.SecretKeySelector
+		wantErr          string
+		expectedPath     string
+		expectedContents string
+	}{
+		{
+			name:           "returns an error if the secret can't be found",
+			secretSelector: builder.ForSecretKeySelector("non-existent-secret", "secret-key").Result(),
+			wantErr:        "unable to get key for secret: secrets \"non-existent-secret\" not found",
+		},
+		{
+			name:           "returns a filepath formed using fsRoot, namespace, secret name and key, with secret contents",
+			namespace:      "ns1",
+			fsRoot:         "/tmp/credentials",
+			secretSelector: builder.ForSecretKeySelector("credential", "key2").Result(),
+			secrets: []*corev1.Secret{
+				builder.ForSecret("ns1", "credential").Data(map[string][]byte{
+					"key1": []byte("ns1-secretdata1"),
+					"key2": []byte("ns1-secretdata2"),
+					"key3": []byte("ns1-secretdata3"),
+				}).Result(),
+				builder.ForSecret("ns2", "credential").Data(map[string][]byte{
+					"key2": []byte("ns2-secretdata2"),
+				}).Result(),
+			},
+			expectedPath:     "/tmp/credentials/ns1/credential-key2",
+			expectedContents: "ns1-secretdata2",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			client := velerotest.NewFakeControllerRuntimeClient(t)
+
+			for _, secret := range tc.secrets {
+				require.NoError(t, client.Create(context.Background(), secret))
+			}
+
+			fs := velerotest.NewFakeFileSystem()
+			fileStore, err := NewNamespacedFileStore(client, tc.namespace, tc.fsRoot, fs)
+			require.NoError(t, err)
+
+			path, err := fileStore.Path(tc.secretSelector)
+
+			if tc.wantErr != "" {
+				require.EqualError(t, err, tc.wantErr)
+			} else {
+				require.NoError(t, err)
+			}
+
+			require.Equal(t, path, tc.expectedPath)
+
+			contents, err := fs.ReadFile(path)
+			require.NoError(t, err)
+			require.Equal(t, []byte(tc.expectedContents), contents)
+		})
+	}
+}