Support custom CA for Backup Backends

Author: Debakel Orakel

class/defaults.yml

@@ -184,6 +184,7 @@ parameters:
         bucket: k8up-${cluster:name}-syn-keycloak
         accessKey: "?{vaultkv:${cluster:tenant}/${cluster:name}/keycloak/k8up-s3-accesskey}"
         secretKey: "?{vaultkv:${cluster:tenant}/${cluster:name}/keycloak/k8up-s3-secretkey}"
+      customCA: null
 
     helm_values:
       image:

component/main.jsonnet

@@ -185,6 +185,18 @@ local k8up_s3_secret_ref = {
   secretkeyname: 'password',
 };
 
+local k8up_custom_ca = if params.k8up.customCA != null then {
+  apiVersion: 'v1',
+  kind: 'ConfigMap',
+  metadata: {
+    name: 'k8up-custom-ca',
+  },
+  data: {
+    'ca.crt': params.k8up.customCA,
+  },
+};
+local k8up_custom_ca_name = if params.k8up.customCA != null then k8up_custom_ca.metadata.name else null;
+
 local k8up_schedule =
   k8up.Schedule(
     'backup',
@@ -194,6 +206,7 @@ local k8up_schedule =
     backupkey=k8up_repo_secret_ref,
     s3secret=k8up_s3_secret_ref,
     create_bucket=false,
+    caConfigMap=k8up_custom_ca_name,
   ).schedule + k8up.PruneSpec('@daily-random', 30, 20);
 
 // Define outputs below
@@ -206,5 +219,5 @@ local k8up_schedule =
   [if create_keycloak_cert_secret then '13_keycloak_certs']: keycloak_cert_secret,
   [if create_ingress_cert_secret then '14_ingress_certs']: ingress_tls_secret,
   [if create_ingress_cert then '20_le_cert']: cert_manager_cert,
-  [if params.k8up.enabled then '30_k8up']: [ k8up_repo_secret, k8up_s3_secret, k8up_schedule ],
+  [if params.k8up.enabled then '30_k8up']: [ k8up_repo_secret, k8up_s3_secret, k8up_schedule ] + if params.k8up.customCA != null then [ k8up_custom_ca ] else [],
 }

docs/modules/ROOT/pages/references/parameters.adoc

@@ -774,6 +774,14 @@ default:: `?{vaultkv:${cluster:tenant}/${cluster:name}/keycloak/k8up-s3-secretke
 
 S3 secret key to the bucket where the backups gets stored.
 
+== `k8up.s3.customCA`
+
+[horizontal]
+type:: dict
+default:: `null`
+
+Configure a custom CA for connecting to the backend.
+
 
 == `helm_values`
 

tests/golden/openshift/openshift/openshift/30_k8up.yaml

@@ -0,0 +1,80 @@
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/component: keycloak
+    app.kubernetes.io/instance: openshift
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: keycloak
+    name: k8up-repo
+  name: k8up-repo
+stringData:
+  password: t-silent-test-1234/c-green-test-1234/keycloak/k8up-repo-password
+type: Opaque
+---
+apiVersion: v1
+data: {}
+kind: Secret
+metadata:
+  annotations: {}
+  labels:
+    app.kubernetes.io/component: keycloak
+    app.kubernetes.io/instance: openshift
+    app.kubernetes.io/managed-by: commodore
+    app.kubernetes.io/name: keycloak
+    name: k8up-s3-credentials
+  name: k8up-s3-credentials
+stringData:
+  password: t-silent-test-1234/c-green-test-1234/keycloak/k8up-s3-secretkey
+  username: t-silent-test-1234/c-green-test-1234/keycloak/k8up-s3-accesskey
+type: Opaque
+---
+apiVersion: k8up.io/v1
+kind: Schedule
+metadata:
+  name: backup
+spec:
+  backend:
+    repoPasswordSecretRef:
+      key: password
+      name: k8up-repo
+    s3:
+      accessKeyIDSecretRef:
+        key: username
+        name: k8up-s3-credentials
+      bucket: k8up-c-green-test-1234-syn-keycloak
+      endpoint: null
+      secretAccessKeySecretRef:
+        key: password
+        name: k8up-s3-credentials
+    tlsOptions:
+      caCert: /mnt/ca/ca.crt
+    volumeMounts:
+      - mountPath: /mnt/ca/
+        name: ca
+  backup:
+    keepJobs: 3
+    schedule: '@hourly-random'
+    volumes:
+      - configMap:
+          name: k8up-custom-ca
+        name: ca
+  check:
+    schedule: 30 3 * * *
+  prune:
+    retention:
+      keepDaily: 30
+      keepLast: 20
+    schedule: '@daily-random'
+---
+apiVersion: v1
+data:
+  ca.crt: |
+    -----BEGIN CERTIFICATE-----
+    MY AWESOME CA
+    -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+  name: k8up-custom-ca

tests/openshift.yml

@@ -3,6 +3,17 @@ parameters:
   facts:
     distribution: openshift4
 
+  kapitan:
+    dependencies:
+      - type: https
+        source: https://raw.githubusercontent.com/projectsyn/component-backup-k8up/master/lib/backup-k8up.libjsonnet
+        output_path: vendor/lib/backup-k8up.libjsonnet
+
+  backup_k8up:
+    global_backup_config:
+      s3_endpoint: null
+    prometheus_push_gateway: null
+
   keycloak:
     namespace: keycloak-dev
     tls:
@@ -79,3 +90,10 @@ parameters:
         name: themes
         mountPath: /opt/keycloak/themes/dev-app2
         subPath: dev-app2
+
+    k8up:
+      enabled: true
+      customCA: |
+        -----BEGIN CERTIFICATE-----
+        MY AWESOME CA
+        -----END CERTIFICATE-----