Ability to add additional files from secret(s) to Velero pod without restart #7767

Open
kaovilai opened this issue May 2, 2024 · 1 comment
kaovilai commented May 2, 2024

Describe the problem/challenge you have

In a multi-user environment sharing the same velero instance, a user should be able to add their own BackupStorageLocation without restarting velero server pod and/or node-agent pods.

Currently there exist some BackupStorageLocation configurations that require mounting secrets to the velero deployment and/or node-agents.

Mounting interrupts running pods which we would like to avoid.

Describe the solution you'd like

Reuse the current namespacedFileStore code to write additional files from secrets the user wants to add to the velero pod.

This could be a new field in BSL, perhaps bsl.spec.additionalSecrets
or a new velero custom resource where the controller will write secret content to velero pod.

We can also just write more files to the current /tmp/credentials for the other keys in the secret the BSL references.

Anything else you would like to add:

Not restarting the velero pod/node-agent has previously been mentioned as a requirement for the non-object-storage support (NFS/filesystem) enhancement.

Environment:

  • Velero version (use velero version):
  • Kubernetes version (use kubectl version):
  • Kubernetes installer & version:
  • Cloud provider or hardware configuration:
  • OS (e.g. from /etc/os-release):

Vote on this issue!

This is an invitation to the Velero community to vote on issues; you can see the project's top voted issues listed here.
Use the "reaction smiley face" up to the right of this comment to vote.

  • 👍 for "The project would be better with this feature added"
  • 👎 for "This feature will not enhance the project in a meaningful way"
sseago commented May 2, 2024

Having to augment BSL definition with a new secret list would be more work for end users and would require velero to treat plugin-specific fields differently. Instead, could we just modify the way we use /tmp?

Current behavior:
For the following BSL config:

  spec:
    credential:
      key: cloud
      name: my-credentials

Velero creates a file "/tmp/credentials/velero-ns/my-credentials-cloud".

Instead, why not create a dir "/tmp/credentials/velero-ns/my-credentials" with all keys created with keyname as filename and value as key value? That way no custom logic is needed to manage file creation. Then any BSL that uses named credentials can set:

    customerKeyEncryptionFile: "/tmp/credentials/velero-ns/secret-name/encryption-file-key-name"
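One way to implement the per-secret directory layout sseago describes, as an added example that is not Velero's own code: it takes the secret's data map (client-go types are left out so it runs stand-alone) and writes each key as a file under `<root>/<namespace>/<secret-name>/<key>`, refusing key names that could leave that directory and using 0700/0600 permissions so other processes sharing the pod filesystem cannot read the credentials. The root path, function name and sample data are assumptions.

```go
package main

import (
	"fmt"
	"os"
	"path/filepath"
	"regexp"
)

// Kubernetes only accepts secret keys matching [-._a-zA-Z0-9]+; re-validating
// here keeps a malformed key from ever being joined into a path.
var validKey = regexp.MustCompile(`^[-._a-zA-Z0-9]+$`)

// WriteSecretDir writes every key of secretData to root/namespace/name/<key>
// and returns the paths written. Directories are 0700 and files 0600.
func WriteSecretDir(root, namespace, name string, secretData map[string][]byte) ([]string, error) {
	dir := filepath.Join(root, namespace, name)
	if err := os.MkdirAll(dir, 0o700); err != nil {
		return nil, err
	}
	var written []string
	for key, value := range secretData {
		// "." and ".." pass the character class but are not usable file names.
		if !validKey.MatchString(key) || key == "." || key == ".." {
			return nil, fmt.Errorf("refusing to write secret key %q: invalid name", key)
		}
		path := filepath.Join(dir, key)
		// Defence in depth: the cleaned path must still sit directly under dir.
		if filepath.Dir(path) != dir {
			return nil, fmt.Errorf("secret key %q escapes %s", key, dir)
		}
		if err := os.WriteFile(path, value, 0o600); err != nil {
			return nil, err
		}
		written = append(written, path)
	}
	return written, nil
}

func main() {
	// Constructed sample data standing in for the "my-credentials" secret from the issue.
	data := map[string][]byte{
		"cloud":                    []byte("[default]\naws_access_key_id = EXAMPLE\n"),
		"encryption-file-key-name": []byte("constructed-key-material"),
	}
	root, _ := os.MkdirTemp("", "creds") // assumed root instead of /tmp/credentials
	defer os.RemoveAll(root)
	paths, err := WriteSecretDir(root, "velero-ns", "my-credentials", data)
	fmt.Println(paths, err)
}
```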
