From 313f3635a64b73e7b807a956ed1fd92176fb8d42 Mon Sep 17 00:00:00 2001
From: rawmind0
Date: Wed, 24 Mar 2021 21:23:34 +0100
Subject: [PATCH] Base64 encoding etcd backup S3 accessKey and secretKey and passing them as env variables to rke-tools
---
 services/etcd.go | 30 ++++++++++++++++++++++++------
 1 file changed, 24 insertions(+), 6 deletions(-)
diff --git a/services/etcd.go b/services/etcd.go
index f4a20598..c0af7941 100644
--- a/services/etcd.go
+++ b/services/etcd.go
@@ -449,14 +449,20 @@ func DownloadEtcdSnapshotFromS3(ctx context.Context, etcdHost *hosts.Host, prsMa
 "--name", name,
 "--s3-backup=true",
 "--s3-endpoint=" + s3Backend.Endpoint,
- "--s3-accessKey=" + s3Backend.AccessKey,
- "--s3-secretKey=" + s3Backend.SecretKey,
 "--s3-bucketName=" + s3Backend.BucketName,
 "--s3-region=" + s3Backend.Region,
 },
 Image: etcdSnapshotImage,
 Env: es.ExtraEnv,
 }
+ // Base64 encoding S3 accessKey and secretKey before add them as env variables
+ if len(s3Backend.AccessKey) > 0 || len(s3Backend.SecretKey) > 0 {
+ env := []string{
+ "S3_ACCESS_KEY=" + base64.StdEncoding.EncodeToString([]byte(s3Backend.AccessKey)),
+ "S3_SECRET_KEY=" + base64.StdEncoding.EncodeToString([]byte(s3Backend.SecretKey)),
+ }
+ imageCfg.Env = append(imageCfg.Env, env...)
+ }
 s3Logline := fmt.Sprintf("[etcd] Snapshot [%s] will be downloaded on host [%s] from S3 compatible backend at [%s] from bucket [%s] using accesskey [%s]", name, etcdHost.Address, s3Backend.Endpoint, s3Backend.BucketName, s3Backend.AccessKey)
 if s3Backend.Region != "" {
 s3Logline += fmt.Sprintf(" and using region [%s]", s3Backend.Region)
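Review bot: In DownloadEtcdSnapshotFromS3 the config is built with `Env: es.ExtraEnv`, so the added `imageCfg.Env = append(imageCfg.Env, env...)` appends to a slice that shares its backing array with `es.ExtraEnv`. If that slice has spare capacity (how it is built is outside the hunk), the two credential entries are written into shared storage, and calls for different hosts could overwrite each other's entries or race on them. Clamping the capacity before appending forces a fresh array: `imageCfg.Env = append(imageCfg.Env[:len(imageCfg.Env):len(imageCfg.Env)], env...)`. The hunks in RunEtcdSnapshotRemove and configS3BackupImgCmd append to `imageCfg.Env` the same way, but where that slice comes from is not visible there; the function body here also continues past the hunk.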
@@ -581,11 +587,17 @@ func RunEtcdSnapshotRemove(ctx context.Context, etcdHost *hosts.Host, prsMap map
 s3cmd := []string{
 "--s3-backup",
 "--s3-endpoint=" + es.BackupConfig.S3BackupConfig.Endpoint,
- "--s3-accessKey=" + es.BackupConfig.S3BackupConfig.AccessKey,
- "--s3-secretKey=" + es.BackupConfig.S3BackupConfig.SecretKey,
 "--s3-bucketName=" + es.BackupConfig.S3BackupConfig.BucketName,
 "--s3-region=" + es.BackupConfig.S3BackupConfig.Region,
 }
+ // Base64 encoding S3 accessKey and secretKey before add them as env variables
+ if len(es.BackupConfig.S3BackupConfig.AccessKey) > 0 || len(es.BackupConfig.S3BackupConfig.SecretKey) > 0 {
+ env := []string{
+ "S3_ACCESS_KEY=" + base64.StdEncoding.EncodeToString([]byte(es.BackupConfig.S3BackupConfig.AccessKey)),
+ "S3_SECRET_KEY=" + base64.StdEncoding.EncodeToString([]byte(es.BackupConfig.S3BackupConfig.SecretKey)),
+ }
+ imageCfg.Env = append(imageCfg.Env, env...)
+ }
 if es.BackupConfig.S3BackupConfig.CustomCA != "" {
 caStr := base64.StdEncoding.EncodeToString([]byte(es.BackupConfig.S3BackupConfig.CustomCA))
 s3cmd = append(s3cmd, "--s3-endpoint-ca="+caStr)
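Review bot: The added comment `// Base64 encoding S3 accessKey and secretKey before add them as env variables` can be read as if the encoding protected the keys, but base64 is reversible and values placed in a container's Env stay readable to anyone who can inspect that container on the host. I would reword it to state what the change actually achieves, for example `// Pass S3 keys via env instead of argv; base64 is only an encoding for transport and gives no confidentiality.` The same comment appears in the DownloadEtcdSnapshotFromS3 and configS3BackupImgCmd hunks. RunEtcdSnapshotRemove starts and ends outside this hunk.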
@@ -671,11 +683,17 @@ func configS3BackupImgCmd(ctx context.Context, imageCfg *container.Config, bc *v
 cmd = append(cmd, []string{
 "--s3-backup=true",
 "--s3-endpoint=" + bc.S3BackupConfig.Endpoint,
- "--s3-accessKey=" + bc.S3BackupConfig.AccessKey,
- "--s3-secretKey=" + bc.S3BackupConfig.SecretKey,
 "--s3-bucketName=" + bc.S3BackupConfig.BucketName,
 "--s3-region=" + bc.S3BackupConfig.Region,
 }...)
+ // Base64 encoding S3 accessKey and secretKey before add them as env variables
+ if len(bc.S3BackupConfig.AccessKey) > 0 || len(bc.S3BackupConfig.SecretKey) > 0 {
+ env := []string{
+ "S3_ACCESS_KEY=" + base64.StdEncoding.EncodeToString([]byte(bc.S3BackupConfig.AccessKey)),
+ "S3_SECRET_KEY=" + base64.StdEncoding.EncodeToString([]byte(bc.S3BackupConfig.SecretKey)),
+ }
+ imageCfg.Env = append(imageCfg.Env, env...)
+ }
 s3Logline := fmt.Sprintf("[etcd] Snapshots configured to S3 compatible backend at [%s] to bucket [%s] using accesskey [%s]", bc.S3BackupConfig.Endpoint, bc.S3BackupConfig.BucketName, bc.S3BackupConfig.AccessKey)
 if bc.S3BackupConfig.Region != "" {
 s3Logline += fmt.Sprintf(" and using region [%s]", bc.S3BackupConfig.Region)
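Review bot: The unchanged `s3Logline` line right after the new block still formats `bc.S3BackupConfig.AccessKey` into the message (`using accesskey [%s]`), so the access key this commit removes from the command line is still emitted in clear text if that string is logged, which presumably happens outside the hunk. Consider dropping the field from the format string or logging only whether a key is configured. The DownloadEtcdSnapshotFromS3 hunk carries the same pattern with `s3Backend.AccessKey`. The secret key is not formatted into any visible log line, and configS3BackupImgCmd continues past the end of this hunk.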