Lirt / velero-plugin-for-openstack

Openstack Cinder, Manila and Swift plugin for Velero backups
MIT License

Add an ability to override swift endpoint URL #50

Closed kayrus closed 1 year ago

kayrus commented 1 year ago

Swift supports ACLs (https://docs.openstack.org/swift/latest/overview_acl.html), and it is possible to grant access to http://swift/v1/AUTH_project1/container1 for a user that has a project2 scope token, e.g.

.r:*,.rlistings,user2:project2

By default gophercloud extracts the endpoint URL using the token catalog:

curl -s http://identity/v3/auth/tokens -H "Content-Type: application/json" -d'AUTH_PARAMS'| jq -r '.token.catalog[]|select(.type=="object-store")|.endpoints[]|select(.interface=="public")'
{
  "id": "project2",
  "interface": "public",
  "region_id": "region1",
  "url": "http://swift/v1/AUTH_project2",
  "region": "region1"
}

In order to override the default catalog URL, gophercloud supports specifying the custom Endpoint for the ServiceClient.

It'd be great to have a custom URL or custom projectID option for the OpenStack Velero project.

Lirt commented 1 year ago

Hello @kayrus,

I need to check this more closely, but so far I can see that, as you said, after openstack.NewObjectStorageV1() is executed a service client is returned, and then in this service client it's possible to change the value of Endpoint (but not before). So something like this converted to code:

o.client, err = openstack.NewObjectStorageV1(o.provider, gophercloud.EndpointOpts{
    Region: region,
})
o.client.Endpoint = config["endpoint"]

From the user interface point of view (and how Velero works) such config overrides can be set for example in BSL:

---
apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
  ...
spec:
  accessMode: ReadWrite
  config:
    cloud: cloud1
    endpoint: "http://swift/v1/AUTH_project2" #   <--- override endpoint
  default: false
  objectStorage:
    bucket: velero-backup-cloud1
  provider: community.openstack.org/openstack

I'm not sure if there is a different place where this override could be configured from the project's point of view. For example, I don't see any occurrence of OS_ENDPOINT in gophercloud, so I assume that this environment variable is not respected.

Let me know what you think. If the change is what I described above I think it will be very simple.

kayrus commented 1 year ago

Hi @Lirt, thanks for the reply. The endpoint you mentioned is applicable only for the keystone endpoint override. UPD: sorry, I misread your comment. I thought that this was already implemented. See my PR for implementation details and let me know what you think.
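
The override discussed in this thread, as an added example that is not code from the plugin, the PR, or gophercloud: because the client sends its auth token to whatever endpoint it is given, the configured value is validated before it replaces the catalog URL. `resolveEndpoint` is a hypothetical helper, and the URLs are constructed samples based on those in the issue.

```go
package main

import (
	"fmt"
	"net/url"
	"strings"
)

// resolveEndpoint picks the object-store endpoint for the service client.
// catalogURL comes from the token catalog; override is the optional
// "endpoint" value from the BSL config. Hypothetical helper, not plugin code.
func resolveEndpoint(catalogURL, override string) (string, error) {
	chosen := catalogURL
	if o := strings.TrimSpace(override); o != "" {
		u, err := url.Parse(o)
		if err != nil {
			return "", fmt.Errorf("invalid endpoint override: %w", err)
		}
		// The auth token is sent to this URL, so accept only absolute
		// http(s) URLs with no embedded credentials, query or fragment.
		if (u.Scheme != "http" && u.Scheme != "https") || u.Host == "" {
			return "", fmt.Errorf("endpoint override %q must be an absolute http(s) URL", o)
		}
		if u.User != nil || u.RawQuery != "" || u.ForceQuery || u.Fragment != "" {
			return "", fmt.Errorf("endpoint override %q must not carry credentials, query or fragment", o)
		}
		chosen = u.String()
	}
	if chosen == "" {
		return "", fmt.Errorf("no object-store endpoint in catalog or config")
	}
	// gophercloud builds request URLs by appending path segments to the
	// endpoint, so normalise to exactly one trailing slash.
	return strings.TrimRight(chosen, "/") + "/", nil
}

func main() {
	// Constructed sample values based on the URLs used in the issue.
	catalog := "http://swift/v1/AUTH_project2"
	for _, override := range []string{"", "http://swift/v1/AUTH_project1", "swift/v1/AUTH_project1"} {
		ep, err := resolveEndpoint(catalog, override)
		fmt.Printf("override=%q endpoint=%q err=%v\n", override, ep, err)
	}
}
```

The returned string is what would be assigned to the service client's Endpoint field after openstack.NewObjectStorageV1() has succeeded.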