Velero Kopia Integration - Don't support Self-signed Certificate for S3 Compatible Storage #5123

Closed
Lyndon-Li opened this issue Jul 15, 2022 · 11 comments

Comments

@Lyndon-Li
Contributor

Some S3-compatible storage provides a secure connection with a self-signed certificate.
The Restic path supports this already, since restic accepts a flag in all its related CLIs so that the caller can provide a certificate file.
However, the Kopia path doesn't support this at present, because the backend Kopia repository doesn't accept a certificate file. There is a Kopia issue kopia/kopia#1443.

We will mark this as a limitation in Velero for now. When Kopia fixes the above issue, we will be able to fix this limitation with a minor code change to Velero.

@reasonerjt
Contributor

Thanks @Lyndon-Li
Let's make sure this is documented in the release note.

@vrabbi

vrabbi commented Aug 9, 2022

Couldn't this be solved by mounting the certificate into the CA store on the container via a secret?

@Lyndon-Li
Contributor Author

@vrabbi The problem is there is no way to tell Kopia to search for a certificate outside of the system's CA store. On the other hand, there is not an easy way to put a certificate into the system's CA store without changing the docker image.
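
The trust problem discussed above, as an added example that is not part of the original thread and is not Kopia or Velero code: a Go client that merges a caller-supplied CA bundle into a copy of the system CA store, so a self-signed S3 endpoint certificate verifies without turning verification off. The function names and the host `s3.example.internal` are hypothetical, and the certificate is constructed in-process as sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// selfSigned builds a constructed self-signed certificate for host (sample data, DER and PEM).
func selfSigned(host string) (der, pemCA []byte, err error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err = x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return der, pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), err
}

// verifyEndpoint checks the server certificate against the system CA store plus an optional PEM bundle.
func verifyEndpoint(der, caBundle []byte, host string) error {
	roots, err := x509.SystemCertPool() // returns a copy, safe to extend
	if err != nil {
		roots = x509.NewCertPool()
	}
	if len(caBundle) > 0 && !roots.AppendCertsFromPEM(caBundle) {
		return fmt.Errorf("CA bundle holds no usable PEM certificate")
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return err
	}
	_, err = leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

func main() {
	der, ca, _ := selfSigned("s3.example.internal")
	fmt.Println(verifyEndpoint(der, nil, "s3.example.internal"), "|", verifyEndpoint(der, ca, "s3.example.internal"))
}
```

In a real client the same pool would be set as `RootCAs` in the `tls.Config` used for the S3 connection; hostname and chain checks stay enabled either way.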

@Lyndon-Li Lyndon-Li added the Kopia label Sep 1, 2022
@blackpiglet blackpiglet removed this from the 1.10 milestone Oct 26, 2022
@blackpiglet
Contributor

Remove from v1.10 due to limitation.

@babs

babs commented Mar 21, 2023

I have PR'd an attempt to solve this issue: kopia/kopia#2845

@Lyndon-Li
Contributor Author

@babs Thanks for letting us know, we will track the issue and PR.

@reasonerjt
Contributor

Let's bump up Kopia to fix this issue in v1.12 timeframe.

@babs

babs commented Apr 12, 2023

@reasonerjt Kopia 0.13 including the fix is in RC phase, couldn't it be integrated in 1.11 if kopia goes stable before?

@Lyndon-Li
Contributor Author

@babs
We are not planning to backport the kopia bump to Velero v1.10 and v1.11.
The primary reason is that bumping up kopia involves upgrading some other dependencies of Velero, which conflict with the current version of the controller-gen tool (v0.7) used by Velero; specifically, the tool keeps crashing after upgrading the dependencies due to this known issue.
On the other hand, upgrading the controller-gen tool will change the content of the generated CRDs, and we think it is risky to do this in a patch release.

@Lyndon-Li
Contributor Author

Fixed by #6268

@babs

babs commented May 15, 2023

Good news, thanks!
