Enhancement: added --insecure-tls

cmd/operator/main.go

@@ -65,6 +65,7 @@ var (
 
 			&cli.StringFlag{Destination: &cfg.Config.BackupImage, Name: "image", EnvVars: []string{"BACKUP_IMAGE"}, Value: "ghcr.io/k8up-io/k8up:latest", Usage: "URL of the restic image"},
 			&cli.StringSliceFlag{Name: argCommandRestic, EnvVars: []string{"BACKUP_COMMAND_RESTIC"}, Value: cli.NewStringSlice("/usr/local/bin/k8up", "restic"), Usage: "The command that is executed for restic backups."},
+			&cli.StringFlag{Destination: &cfg.Config.Insecure, Name: "insecure-tls", EnvVars: []string{"SET_INSECURE_TLS_FLAG"}, Value: "false", DefaultText: "disable", Usage: "enable or disable insecure connection by restic"},
 			&cli.StringSliceFlag{Name: argResticOptions, EnvVars: []string{"BACKUP_RESTIC_OPTIONS"}, Usage: "Pass custom restic options in the form 'key=value,key2=value2'. See https://restic.readthedocs.io/en/stable/manual_rest.html?highlight=--option#usage-help"},
 			&cli.StringFlag{Destination: &cfg.Config.MountPath, Name: "datapath", Aliases: []string{"mountpath"}, EnvVars: []string{"BACKUP_DATAPATH"}, Value: "/data", Usage: "to which path the PVCs should get mounted in the backup container"},
 

cmd/restic/main.go

@@ -65,6 +65,7 @@ var (
 			&cli.StringFlag{Destination: &cfg.Config.RestoreS3Endpoint, Name: restoreS3EndpointArg, EnvVars: []string{"RESTORE_S3ENDPOINT"}, Usage: "S3 endpoint to connect to when restoring, e.g. 'https://minio.svc:9000/backup"},
 			&cli.BoolFlag{Destination: &cfg.Config.VerifyRestore, Name: "verifyRestore", Usage: "If the restore should get verified, only for PVCs restore"},
 			&cli.BoolFlag{Destination: &cfg.Config.RestoreTrimPath, Name: "trimRestorePath", EnvVars: []string{"TRIM_RESTOREPATH"}, Value: true, DefaultText: "enabled", Usage: "If set, strips the value of --restoreDir from the lefts side of the remote restore path value"},
+			&cli.BoolFlag{Destination: &cfg.Config.Insecure, Name: "insecure-tls", EnvVars: []string{"SET_INSECURE_TLS_FLAG"}, Value: false, DefaultText: "disable", Usage: "enable or disable insecure connection by restic"},
 
 			&cli.StringFlag{Destination: &cfg.Config.ResticBin, Name: "resticBin", EnvVars: []string{"RESTIC_BINARY"}, Usage: "The path to the restic binary.", Value: "/usr/local/bin/restic"},
 			&cli.StringFlag{Destination: &cfg.Config.ResticRepository, Name: "resticRepository", EnvVars: []string{"RESTIC_REPOSITORY"}, Usage: "The restic repository to perform the action with", Required: true},

operator/cfg/config.go

@@ -70,6 +70,7 @@ type Configuration struct {
 	GlobalMemoryResourceRequest      string
 	GlobalMemoryResourceLimit        string
 	BackupImage                      string
+	Insecure                         string
 	BackupCommandRestic              []string
 	MetricsBindAddress               string
 	PodExecRoleName                  string

operator/executor/envvarconverter.go

@@ -87,6 +87,7 @@ func DefaultEnv(namespace string) EnvVarConverter {
 	defaults.SetString(cfg.AwsAccessKeyIDEnvName, cfg.Config.GlobalAccessKey)
 	defaults.SetString(cfg.AwsSecretAccessKeyEnvName, cfg.Config.GlobalSecretAccessKey)
 	defaults.SetString("HOSTNAME", namespace)
+	defaults.SetStringOrDefault("SET_INSECURE_TLS_FLAG", cfg.Config.Insecure, "false")
 
 	if cfg.Config.ResticOptions != "" {
 		defaults.SetString(cfg.ResticOptionsEnvName, cfg.Config.ResticOptions)

operator/restorecontroller/executor_test.go

@@ -102,11 +102,12 @@ func TestRestore_setupEnvVars(t *testing.T) {
 		"givenS3RestoreResource_whenSetupEnvVars_expectCertainEnvVars": {
 			GivenResource: newS3RestoreResource(),
 			ExpectedEnvVars: map[string]string{
-				"HOSTNAME":           "",
-				"RESTIC_PASSWORD":    "",
-				"RESTIC_REPOSITORY":  "s3:http://localhost:9000/test-backend",
-				"RESTORE_S3ENDPOINT": "http://localhost:9000/test",
-				"STATS_URL":          "",
+				"HOSTNAME":              "",
+				"RESTIC_PASSWORD":       "",
+				"RESTIC_REPOSITORY":     "s3:http://localhost:9000/test-backend",
+				"RESTORE_S3ENDPOINT":    "http://localhost:9000/test",
+				"SET_INSECURE_TLS_FLAG": "false",
+				"STATS_URL":             "",
 			},
 			ExpectedSecretKeyRefs: map[string]string{
 				"AWS_ACCESS_KEY_ID":       "accessKey-backend",
@@ -124,6 +125,7 @@ func TestRestore_setupEnvVars(t *testing.T) {
 				"RESTIC_PASSWORD":       "",
 				"RESTIC_REPOSITORY":     "s3:/",
 				"RESTORE_DIR":           "/restore",
+				"SET_INSECURE_TLS_FLAG": "false",
 				"STATS_URL":             "",
 			},
 			ExpectedSecretKeyRefs: map[string]string{},

restic/cfg/config.go

@@ -27,6 +27,7 @@ type Configuration struct {
 	DoPrune   bool
 	DoRestore bool
 	DoArchive bool
+	Insecure  bool
 
 	BackupCommandAnnotation       string
 	BackupFileExtensionAnnotation string

restic/cli/restic.go

@@ -46,6 +46,9 @@ type Restic struct {
 func New(ctx context.Context, logger logr.Logger, statsHandler StatsHandler) *Restic {
 	globalFlags := Flags{}
 
+	if cfg.Config.Insecure {
+		globalFlags.AddFlag("--insecure-tls")
+	}
 	options := strings.Split(cfg.Config.ResticOptions, ",")
 	if len(options) > 0 {
 		logger.Info("using the following restic options", "options", options)