feat(velero): add support for mitm proxy (#2170)

* feat(velero): add support for mitm proxy

* f

* f

* f

* f

* f

* f

* f

* velero use ca from host

* http proxy dryrun test

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

* f

Author: emosbaugh

cmd/installer/cli/ca.go

@@ -36,6 +36,8 @@ func findHostCABundle() (string, error) {
 
 	// Check each file in the order of preference returning the first found
 	for _, file := range certFiles {
+		// Ignore all errors to replicate the behavior of the Go standard library
+		// https://github.com/golang/go/blob/go1.24.3/src/crypto/x509/root_unix.go#L47-L81
 		if _, err := os.Stat(file); err == nil {
 			return file, nil
 		}

cmd/installer/cli/install.go

@@ -239,9 +239,17 @@ func preRunInstall(cmd *cobra.Command, flags *InstallCmdFlags) error {
 	flags.isAirgap = flags.airgapBundle != ""
 
 	runtimeconfig.ApplyFlags(cmd.Flags())
+
 	os.Setenv("KUBECONFIG", runtimeconfig.PathToKubeConfig()) // this is needed for restore as well since it shares this function
 	os.Setenv("TMPDIR", runtimeconfig.EmbeddedClusterTmpSubDir())
 
+	hostCABundlePath, err := findHostCABundle()
+	if err != nil {
+		return fmt.Errorf("unable to find host CA bundle: %w", err)
+	}
+	runtimeconfig.SetHostCABundlePath(hostCABundlePath)
+	logrus.Debugf("using host CA bundle: %s", hostCABundlePath)
+
 	if err := runtimeconfig.WriteToDisk(); err != nil {
 		return fmt.Errorf("unable to write runtime config to disk: %w", err)
 	}
@@ -256,12 +264,6 @@ func preRunInstall(cmd *cobra.Command, flags *InstallCmdFlags) error {
 }
 
 func runInstall(ctx context.Context, name string, flags InstallCmdFlags, metricsReporter preflights.MetricsReporter) error {
-	hostCABundle, err := findHostCABundle()
-	if err != nil {
-		return fmt.Errorf("unable to find host CA bundle: %w", err)
-	}
-	logrus.Debugf("using host CA bundle: %s", hostCABundle)
-
 	if err := runInstallVerifyAndPrompt(ctx, name, &flags); err != nil {
 		return err
 	}
@@ -351,7 +353,7 @@ func runInstall(ctx context.Context, name string, flags InstallCmdFlags, metrics
 		License:                 flags.license,
 		IsAirgap:                flags.airgapBundle != "",
 		Proxy:                   flags.proxy,
-		HostCABundle:            hostCABundle,
+		HostCABundlePath:        runtimeconfig.HostCABundlePath(),
 		PrivateCAs:              flags.privateCAs,
 		ServiceCIDR:             flags.cidrCfg.ServiceCIDR,
 		DisasterRecoveryEnabled: flags.license.Spec.IsDisasterRecoverySupported,
@@ -1032,7 +1034,10 @@ func waitForNode(ctx context.Context) error {
 	return nil
 }
 
-func recordInstallation(ctx context.Context, kcli client.Client, flags InstallCmdFlags, k0sCfg *k0sv1beta1.ClusterConfig, license *kotsv1beta1.License) (*ecv1beta1.Installation, error) {
+func recordInstallation(
+	ctx context.Context, kcli client.Client, flags InstallCmdFlags,
+	k0sCfg *k0sv1beta1.ClusterConfig, license *kotsv1beta1.License,
+) (*ecv1beta1.Installation, error) {
 	// ensure that the embedded-cluster namespace exists
 	if err := createECNamespace(ctx, kcli); err != nil {
 		return nil, fmt.Errorf("create embedded-cluster namespace: %w", err)

cmd/installer/cli/restore.go

@@ -364,12 +364,6 @@ func runRestoreStepNew(ctx context.Context, name string, flags InstallCmdFlags,
 		}
 	}
 
-	hostCABundle, err := findHostCABundle()
-	if err != nil {
-		return fmt.Errorf("unable to find host CA bundle: %w", err)
-	}
-	logrus.Debugf("using host CA bundle: %s", hostCABundle)
-
 	logrus.Debugf("configuring sysctl")
 	if err := configutils.ConfigureSysctl(); err != nil {
 		logrus.Debugf("unable to configure sysctl: %v", err)
@@ -443,7 +437,7 @@ func runRestoreStepNew(ctx context.Context, name string, flags InstallCmdFlags,
 	if err := addons.Install(ctx, hcli, addons.InstallOptions{
 		IsAirgap:           flags.airgapBundle != "",
 		Proxy:              flags.proxy,
-		HostCABundle:       hostCABundle,
+		HostCABundlePath:   runtimeconfig.HostCABundlePath(),
 		PrivateCAs:         flags.privateCAs,
 		ServiceCIDR:        flags.cidrCfg.ServiceCIDR,
 		IsRestore:          true,

e2e/proxy_test.go

@@ -28,12 +28,22 @@ func TestProxiedEnvironment(t *testing.T) {
 		t.Skip("skipping test for k0s versions < 1.29.0")
 	}
 
+	requiredEnvVars := []string{
+		"DR_S3_ENDPOINT",
+		"DR_S3_REGION",
+		"DR_S3_BUCKET",
+		"DR_S3_PREFIX",
+		"DR_ACCESS_KEY_ID",
+		"DR_SECRET_ACCESS_KEY",
+	}
+	RequireEnvVars(t, requiredEnvVars)
+
 	tc := lxd.NewCluster(&lxd.ClusterInput{
 		T:                   t,
 		Nodes:               4,
 		WithProxy:           true,
 		Image:               "debian/12",
-		LicensePath:         "licenses/license.yaml",
+		LicensePath:         "licenses/snapshot-license.yaml",
 		EmbeddedClusterPath: "../output/bin/embedded-cluster",
 	})
 	defer tc.Cleanup()
@@ -95,16 +105,78 @@ func TestProxiedEnvironment(t *testing.T) {
 	// check the installation state
 	checkInstallationState(t, tc)
 
+	testArgs := []string{}
+	for _, envVar := range requiredEnvVars {
+		testArgs = append(testArgs, os.Getenv(envVar))
+	}
+
+	if stdout, stderr, err := tc.RunPlaywrightTest("create-backup", testArgs...); err != nil {
+		t.Fatalf("fail to run playwright test create-backup: %v: %s: %s", err, stdout, stderr)
+	}
+
 	appUpgradeVersion := fmt.Sprintf("appver-%s-upgrade", os.Getenv("SHORT_SHA"))
-	testArgs := []string{appUpgradeVersion}
 
 	t.Logf("%s: upgrading cluster", time.Now().Format(time.RFC3339))
-	if _, _, err := tc.RunPlaywrightTest("deploy-upgrade", testArgs...); err != nil {
+	if _, _, err := tc.RunPlaywrightTest("deploy-upgrade", appUpgradeVersion); err != nil {
 		t.Fatalf("fail to run playwright test deploy-app: %v", err)
 	}
 
 	checkPostUpgradeState(t, tc)
 
+	// reset the cluster
+	runInParallel(t,
+		func(t *testing.T) error {
+			stdout, stderr, err := resetInstallationWithError(t, tc, 3, resetInstallationOptions{force: true})
+			if err != nil {
+				return fmt.Errorf("fail to reset the installation on node 3: %v: %s: %s", err, stdout, stderr)
+			}
+			return nil
+		}, func(t *testing.T) error {
+			stdout, stderr, err := resetInstallationWithError(t, tc, 2, resetInstallationOptions{force: true})
+			if err != nil {
+				return fmt.Errorf("fail to reset the installation on node 2: %v: %s: %s", err, stdout, stderr)
+			}
+			return nil
+		}, func(t *testing.T) error {
+			stdout, stderr, err := resetInstallationWithError(t, tc, 1, resetInstallationOptions{force: true})
+			if err != nil {
+				return fmt.Errorf("fail to reset the installation on node 1: %v: %s: %s", err, stdout, stderr)
+			}
+			return nil
+		}, func(t *testing.T) error {
+			stdout, stderr, err := resetInstallationWithError(t, tc, 0, resetInstallationOptions{force: true})
+			if err != nil {
+				return fmt.Errorf("fail to reset the installation on node 0: %v: %s: %s", err, stdout, stderr)
+			}
+			return nil
+		},
+	)
+
+	t.Logf("%s: waiting for nodes to reboot", time.Now().Format(time.RFC3339))
+	time.Sleep(30 * time.Second)
+
+	t.Logf("%s: restoring the installation", time.Now().Format(time.RFC3339))
+	line = append([]string{"restore-installation.exp"}, testArgs...)
+	line = append(line, "--http-proxy", lxd.HTTPProxy)
+	line = append(line, "--https-proxy", lxd.HTTPProxy)
+	line = append(line, "--no-proxy", strings.Join(tc.IPs, ","))
+	if _, _, err := tc.RunCommandOnNode(0, line, lxd.WithProxyEnv(tc.IPs)); err != nil {
+		t.Fatalf("fail to restore the installation: %v", err)
+	}
+
+	checkInstallationState(t, tc)
+
+	t.Logf("%s: checking post-restore state", time.Now().Format(time.RFC3339))
+	line = []string{"check-post-restore.sh"}
+	if stdout, stderr, err := tc.RunCommandOnNode(0, line); err != nil {
+		t.Fatalf("fail to check post-restore state: %v: %s: %s", err, stdout, stderr)
+	}
+
+	t.Logf("%s: validating restored app", time.Now().Format(time.RFC3339))
+	if _, _, err := tc.SetupPlaywrightAndRunTest("validate-restore-app"); err != nil {
+		t.Fatalf("fail to run playwright test validate-restore-app: %v", err)
+	}
+
 	t.Logf("%s: test complete", time.Now().Format(time.RFC3339))
 }
 
@@ -194,10 +266,9 @@ func TestProxiedCustomCIDR(t *testing.T) {
 	}
 
 	appUpgradeVersion := fmt.Sprintf("appver-%s-upgrade", os.Getenv("SHORT_SHA"))
-	testArgs := []string{appUpgradeVersion}
 
 	t.Logf("%s: upgrading cluster", time.Now().Format(time.RFC3339))
-	if _, _, err := tc.RunPlaywrightTest("deploy-upgrade", testArgs...); err != nil {
+	if _, _, err := tc.RunPlaywrightTest("deploy-upgrade", appUpgradeVersion); err != nil {
 		t.Fatalf("fail to run playwright test deploy-app: %v", err)
 	}
 
@@ -211,13 +282,23 @@ func TestInstallWithMITMProxy(t *testing.T) {
 		t.Skip("skipping test for k0s versions < 1.29.0")
 	}
 
+	requiredEnvVars := []string{
+		"DR_S3_ENDPOINT",
+		"DR_S3_REGION",
+		"DR_S3_BUCKET",
+		"DR_S3_PREFIX",
+		"DR_ACCESS_KEY_ID",
+		"DR_SECRET_ACCESS_KEY",
+	}
+	RequireEnvVars(t, requiredEnvVars)
+
 	tc := lxd.NewCluster(&lxd.ClusterInput{
 		T:                   t,
 		Nodes:               4,
 		WithProxy:           true,
 		Image:               "debian/12",
 		EmbeddedClusterPath: "../output/bin/embedded-cluster",
-		LicensePath:         "licenses/license.yaml",
+		LicensePath:         "licenses/snapshot-license.yaml",
 	})
 	defer tc.Cleanup()
 
@@ -287,11 +368,19 @@ func TestInstallWithMITMProxy(t *testing.T) {
 	// check the installation state
 	checkInstallationState(t, tc)
 
+	testArgs := []string{}
+	for _, envVar := range requiredEnvVars {
+		testArgs = append(testArgs, os.Getenv(envVar))
+	}
+
+	if stdout, stderr, err := tc.RunPlaywrightTest("create-backup", testArgs...); err != nil {
+		t.Fatalf("fail to run playwright test create-backup: %v: %s: %s", err, stdout, stderr)
+	}
+
 	appUpgradeVersion := fmt.Sprintf("appver-%s-upgrade", os.Getenv("SHORT_SHA"))
-	testArgs := []string{appUpgradeVersion}
 
 	t.Logf("%s: upgrading cluster", time.Now().Format(time.RFC3339))
-	if _, _, err := tc.RunPlaywrightTest("deploy-upgrade", testArgs...); err != nil {
+	if _, _, err := tc.RunPlaywrightTest("deploy-upgrade", appUpgradeVersion); err != nil {
 		t.Fatalf("fail to run playwright test deploy-app: %v", err)
 	}
 
@@ -301,6 +390,61 @@ func TestInstallWithMITMProxy(t *testing.T) {
 		t.Fatalf("fail to check postupgrade state: %v", err)
 	}
 
+	// reset the cluster
+	runInParallel(t,
+		func(t *testing.T) error {
+			stdout, stderr, err := resetInstallationWithError(t, tc, 3, resetInstallationOptions{force: true})
+			if err != nil {
+				return fmt.Errorf("fail to reset the installation on node 3: %v: %s: %s", err, stdout, stderr)
+			}
+			return nil
+		}, func(t *testing.T) error {
+			stdout, stderr, err := resetInstallationWithError(t, tc, 2, resetInstallationOptions{force: true})
+			if err != nil {
+				return fmt.Errorf("fail to reset the installation on node 2: %v: %s: %s", err, stdout, stderr)
+			}
+			return nil
+		}, func(t *testing.T) error {
+			stdout, stderr, err := resetInstallationWithError(t, tc, 1, resetInstallationOptions{force: true})
+			if err != nil {
+				return fmt.Errorf("fail to reset the installation on node 1: %v: %s: %s", err, stdout, stderr)
+			}
+			return nil
+		}, func(t *testing.T) error {
+			stdout, stderr, err := resetInstallationWithError(t, tc, 0, resetInstallationOptions{force: true})
+			if err != nil {
+				return fmt.Errorf("fail to reset the installation on node 0: %v: %s: %s", err, stdout, stderr)
+			}
+			return nil
+		},
+	)
+
+	t.Logf("%s: waiting for nodes to reboot", time.Now().Format(time.RFC3339))
+	time.Sleep(30 * time.Second)
+
+	t.Logf("%s: restoring the installation", time.Now().Format(time.RFC3339))
+	line = append([]string{"restore-installation.exp"}, testArgs...)
+	line = append(line, "--http-proxy", lxd.HTTPMITMProxy)
+	line = append(line, "--https-proxy", lxd.HTTPMITMProxy)
+	line = append(line, "--no-proxy", strings.Join(tc.IPs, ","))
+	line = append(line, "--private-ca", "/usr/local/share/ca-certificates/proxy/ca.crt")
+	if _, _, err := tc.RunCommandOnNode(0, line, lxd.WithMITMProxyEnv(tc.IPs)); err != nil {
+		t.Fatalf("fail to restore the installation: %v", err)
+	}
+
+	checkInstallationState(t, tc)
+
+	t.Logf("%s: checking post-restore state", time.Now().Format(time.RFC3339))
+	line = []string{"check-post-restore.sh"}
+	if stdout, stderr, err := tc.RunCommandOnNode(0, line); err != nil {
+		t.Fatalf("fail to check post-restore state: %v: %s: %s", err, stdout, stderr)
+	}
+
+	t.Logf("%s: validating restored app", time.Now().Format(time.RFC3339))
+	if _, _, err := tc.SetupPlaywrightAndRunTest("validate-restore-app"); err != nil {
+		t.Fatalf("fail to run playwright test validate-restore-app: %v", err)
+	}
+
 	t.Logf("%s: test complete", time.Now().Format(time.RFC3339))
 }
 

e2e/scripts/vandoor-prepare.sh

@@ -10,8 +10,8 @@ main() {
     local license_id=
     license_id="$2"
 
-    echo "downloading from https://staging.replicated.app/embedded/embedded-cluster-smoke-test-staging-app/ci/${app_version_label}"
-    retry 5 curl --retry 5 --retry-all-errors -fL -o ec-release.tgz "https://staging.replicated.app/embedded/embedded-cluster-smoke-test-staging-app/ci/${app_version_label}" -H "Authorization: ${license_id}"
+    echo "downloading from https://ec-e2e-replicated-app.testcluster.net/embedded/embedded-cluster-smoke-test-staging-app/ci/${app_version_label}"
+    retry 5 curl --retry 5 --retry-all-errors -fL -o ec-release.tgz "https://ec-e2e-replicated-app.testcluster.net/embedded/embedded-cluster-smoke-test-staging-app/ci/${app_version_label}" -H "Authorization: ${license_id}"
     tar xzf ec-release.tgz
 
     mkdir -p /assets

e2e/shared.go

@@ -54,6 +54,7 @@ type joinOptions struct {
 type downloadECReleaseOptions struct {
 	version   string
 	licenseID string
+	withEnv   map[string]string
 }
 
 type resetInstallationOptions struct {
@@ -277,7 +278,7 @@ func downloadECReleaseWithOptions(t *testing.T, tc cluster.Cluster, node int, op
 		line = append(line, LicenseID)
 	}
 
-	if stdout, stderr, err := tc.RunCommandOnNode(node, line); err != nil {
+	if stdout, stderr, err := tc.RunCommandOnNode(node, line, opts.withEnv); err != nil {
 		t.Fatalf("fail to download embedded cluster release on node %d: %v: %s: %s", node, err, stdout, stderr)
 	}
 }

kinds/apis/v1beta1/runtimeconfig_types.go

@@ -22,6 +22,8 @@ type RuntimeConfigSpec struct {
 	// OpenEBSDataDirOverride holds the override for the data directory for the OpenEBS storage
 	// provisioner. By default the data will be stored in a subdirectory of DataDir.
 	OpenEBSDataDirOverride string `json:"openEBSDataDirOverride,omitempty"`
+	// HostCABundlePath holds the path to the CA bundle for the host.
+	HostCABundlePath string `json:"hostCABundlePath,omitempty"`
 
 	// AdminConsole holds the Admin Console configuration.
 	AdminConsole AdminConsoleSpec `json:"adminConsole,omitempty"`

operator/charts/embedded-cluster-operator/charts/crds/templates/resources.yaml

@@ -606,6 +606,9 @@ spec:
                       DataDir holds the data directory for the Embedded Cluster
                       (default: /var/lib/embedded-cluster).
                     type: string
+                  hostCABundlePath:
+                    description: HostCABundlePath holds the path to the CA bundle for the host.
+                    type: string
                   k0sDataDirOverride:
                     description: |-
                       K0sDataDirOverride holds the override for the data directory for K0s. By default the data

operator/config/crd/bases/embeddedcluster.replicated.com_installations.yaml

@@ -384,6 +384,10 @@ spec:
                       DataDir holds the data directory for the Embedded Cluster
                       (default: /var/lib/embedded-cluster).
                     type: string
+                  hostCABundlePath:
+                    description: HostCABundlePath holds the path to the CA bundle
+                      for the host.
+                    type: string
                   k0sDataDirOverride:
                     description: |-
                       K0sDataDirOverride holds the override for the data directory for K0s. By default the data

pkg/addons/install.go

@@ -23,7 +23,7 @@ type InstallOptions struct {
 	License                 *kotsv1beta1.License
 	IsAirgap                bool
 	Proxy                   *ecv1beta1.ProxySpec
-	HostCABundle            string
+	HostCABundlePath        string
 	PrivateCAs              []string
 	ServiceCIDR             string
 	DisasterRecoveryEnabled bool
@@ -88,6 +88,7 @@ func getAddOnsForInstall(opts InstallOptions) []types.AddOn {
 		addOns = append(addOns, &velero.Velero{
 			ProxyRegistryDomain: domains.ProxyRegistryDomain,
 			Proxy:               opts.Proxy,
+			HostCABundlePath:    opts.HostCABundlePath,
 		})
 	}
 
@@ -118,6 +119,7 @@ func getAddOnsForRestore(opts InstallOptions) []types.AddOn {
 		&velero.Velero{
 			Proxy:               opts.Proxy,
 			ProxyRegistryDomain: domains.ProxyRegistryDomain,
+			HostCABundlePath:    opts.HostCABundlePath,
 		},
 	}
 	return addOns