diff --git a/pkg/backup.go b/pkg/backup.go index 01fd34586..ce18c176d 100644 --- a/pkg/backup.go +++ b/pkg/backup.go @@ -253,16 +253,24 @@ func (opt *mongoOptions) backupMongoDB(targetRef api_v1beta1.TargetRef) (*restic return nil, err } - appBindingSecret, err := opt.kubeClient.CoreV1().Secrets(opt.appBindingNamespace).Get(context.TODO(), appBinding.Spec.Secret.Name, metav1.GetOptions{}) + authSecret, err := opt.kubeClient.CoreV1().Secrets(opt.appBindingNamespace).Get(context.TODO(), appBinding.Spec.Secret.Name, metav1.GetOptions{}) if err != nil { return nil, err } - err = appBinding.TransformSecret(opt.kubeClient, appBindingSecret.Data) + err = appBinding.TransformSecret(opt.kubeClient, authSecret.Data) if err != nil { return nil, err } + var tlsSecret *core.Secret + if appBinding.Spec.TLSSecret != nil { + tlsSecret, err = opt.kubeClient.CoreV1().Secrets(opt.appBindingNamespace).Get(context.TODO(), appBinding.Spec.TLSSecret.Name, metav1.GetOptions{}) + if err != nil { + return nil, err + } + } + hostname, err := appBinding.Hostname() if err != nil { return nil, err @@ -320,6 +328,10 @@ func (opt *mongoOptions) backupMongoDB(targetRef api_v1beta1.TargetRef) (*restic } if appBinding.Spec.ClientConfig.CABundle != nil { + if tlsSecret == nil { + return nil, errors.Wrap(err, "spec.tlsSecret needs to be set in appbinding for TLS secured database.") + } + if err := os.WriteFile(filepath.Join(opt.setupOptions.ScratchDir, MongoTLSCertFileName), appBinding.Spec.ClientConfig.CABundle, os.ModePerm); err != nil { return nil, err } @@ -337,13 +349,13 @@ func (opt *mongoOptions) backupMongoDB(targetRef api_v1beta1.TargetRef) (*restic // get certificate secret to get client certificate var pemBytes []byte var ok bool - pemBytes, ok = appBindingSecret.Data[MongoClientPemFileName] + pemBytes, ok = tlsSecret.Data[MongoClientPemFileName] if !ok { - crt, ok := appBindingSecret.Data[core.TLSCertKey] + crt, ok := tlsSecret.Data[core.TLSCertKey] if !ok { return nil, errors.Wrap(err, "unable to retrieve tls.crt from secret.") } - key, ok := appBindingSecret.Data[core.TLSPrivateKeyKey] + key, ok := tlsSecret.Data[core.TLSPrivateKeyKey] if !ok { return nil, errors.Wrap(err, "unable to retrieve tls.key from secret.") } @@ -363,32 +375,16 @@ func (opt *mongoOptions) backupMongoDB(targetRef api_v1beta1.TargetRef) (*restic "--authenticationDatabase", "$external", } mongoCreds = append(mongoCreds, userAuth...) - username := StashUserName - if parameters.ConfigServer == "" { - username = string(appBindingSecret.Data[MongoUserKey]) - } - dumpCreds = append(dumpCreds, []interface{}{ - fmt.Sprintf("--username=%s", username), - fmt.Sprintf("--password=%s", appBindingSecret.Data[MongoPasswordKey]), - "--authenticationDatabase", opt.authenticationDatabase, - }...) + dumpCreds = append(dumpCreds, userAuth...) } else { userAuth := []interface{}{ - fmt.Sprintf("--username=%s", appBindingSecret.Data[MongoUserKey]), - fmt.Sprintf("--password=%s", appBindingSecret.Data[MongoPasswordKey]), + fmt.Sprintf("--username=%s", authSecret.Data[MongoUserKey]), + fmt.Sprintf("--password=%s", authSecret.Data[MongoPasswordKey]), "--authenticationDatabase", opt.authenticationDatabase, } mongoCreds = append(mongoCreds, userAuth...) - username := StashUserName - if parameters.ConfigServer == "" { - username = string(appBindingSecret.Data[MongoUserKey]) - } - dumpCreds = append(dumpCreds, []interface{}{ - fmt.Sprintf("--username=%s", username), - fmt.Sprintf("--password=%s", appBindingSecret.Data[MongoPasswordKey]), - "--authenticationDatabase", opt.authenticationDatabase, - }...) + dumpCreds = append(dumpCreds, userAuth...) } getBackupOpt := func(mongoDSN, hostKey string, isStandalone bool) restic.BackupOptions { @@ -480,7 +476,7 @@ func (opt *mongoOptions) backupMongoDB(targetRef api_v1beta1.TargetRef) (*restic // We need to create a role and user and backup using that user. This should be removed if the issue is fixed. // Issue ref: https://jira.mongodb.org/browse/TOOLS-3203?jql=project%20%3D%20TOOLS%20AND%20component%20%3D%20mongodump - err = createStashRoleAndUser(parameters.ConfigServer, string(appBindingSecret.Data[MongoPasswordKey])) + err = createStashRoleAndUser(parameters.ConfigServer, string(authSecret.Data[MongoPasswordKey])) if err != nil { klog.Errorf("error while creating user for %v. error: %v", parameters.ConfigServer, err) return nil, err @@ -527,7 +523,7 @@ func (opt *mongoOptions) backupMongoDB(targetRef api_v1beta1.TargetRef) (*restic // We need to create a role and user and backup using that user for shard. // These role and user should be removed if the issue is fixed. // Issue ref: https://jira.mongodb.org/browse/TOOLS-3203?jql=project%20%3D%20TOOLS%20AND%20component%20%3D%20mongodump - err = createStashRoleAndUser(host, string(appBindingSecret.Data[MongoPasswordKey])) + err = createStashRoleAndUser(host, string(authSecret.Data[MongoPasswordKey])) if err != nil { klog.Errorf("error while creating user for %v. error: %v", host, err) return nil, err diff --git a/pkg/restore.go b/pkg/restore.go index 153c36832..b48133dfc 100644 --- a/pkg/restore.go +++ b/pkg/restore.go @@ -186,16 +186,24 @@ func (opt *mongoOptions) restoreMongoDB(targetRef api_v1beta1.TargetRef) (*resti return nil, err } - appBindingSecret, err := opt.kubeClient.CoreV1().Secrets(opt.appBindingNamespace).Get(context.TODO(), appBinding.Spec.Secret.Name, metav1.GetOptions{}) + authSecret, err := opt.kubeClient.CoreV1().Secrets(opt.appBindingNamespace).Get(context.TODO(), appBinding.Spec.Secret.Name, metav1.GetOptions{}) if err != nil { return nil, err } - err = appBinding.TransformSecret(opt.kubeClient, appBindingSecret.Data) + err = appBinding.TransformSecret(opt.kubeClient, authSecret.Data) if err != nil { return nil, err } + var tlsSecret *core.Secret + if appBinding.Spec.TLSSecret != nil { + tlsSecret, err = opt.kubeClient.CoreV1().Secrets(opt.appBindingNamespace).Get(context.TODO(), appBinding.Spec.TLSSecret.Name, metav1.GetOptions{}) + if err != nil { + return nil, err + } + } + hostname, err := appBinding.Hostname() if err != nil { return nil, err @@ -263,13 +271,13 @@ func (opt *mongoOptions) restoreMongoDB(targetRef api_v1beta1.TargetRef) (*resti // get certificate secret to get client certificate var pemBytes []byte var ok bool - pemBytes, ok = appBindingSecret.Data[MongoClientPemFileName] + pemBytes, ok = tlsSecret.Data[MongoClientPemFileName] if !ok { - crt, ok := appBindingSecret.Data[core.TLSCertKey] + crt, ok := tlsSecret.Data[core.TLSCertKey] if !ok { return nil, errors.Wrap(err, "unable to retrieve tls.crt from secret.") } - key, ok := appBindingSecret.Data[core.TLSPrivateKeyKey] + key, ok := tlsSecret.Data[core.TLSPrivateKeyKey] if !ok { return nil, errors.Wrap(err, "unable to retrieve tls.key from secret.") } @@ -293,8 +301,8 @@ func (opt *mongoOptions) restoreMongoDB(targetRef api_v1beta1.TargetRef) (*resti } else { userAuth := []interface{}{ - fmt.Sprintf("--username=%s", appBindingSecret.Data[MongoUserKey]), - fmt.Sprintf("--password=%s", appBindingSecret.Data[MongoPasswordKey]), + fmt.Sprintf("--username=%s", authSecret.Data[MongoUserKey]), + fmt.Sprintf("--password=%s", authSecret.Data[MongoPasswordKey]), "--authenticationDatabase", opt.authenticationDatabase, } mongoCreds = append(mongoCreds, userAuth...)