k8up-io / k8up

Kubernetes and OpenShift Backup Operator
https://k8up.io/
Apache License 2.0
601 stars 62 forks

GCS backend only allows short lived token #935

Open Critical-Impact opened 4 months ago

Critical-Impact commented 4 months ago

Description

At present, when specifying a GCS bucket as the backend, you have the ability to set the following:

  1. projectIDSecretRef
  2. accessTokenSecretRef
  3. bucket

This appears to set GOOGLE_ACCESS_TOKEN on the restic side, which is a short-lived token. This is a problem if you create a schedule, as the short-lived token would expire.

Additional Context

No response

Logs

No response

Expected Behavior

Would it be possible to specify either a GOOGLE_ACCESS_TOKEN or GOOGLE_APPLICATION_CREDENTIALS when using GCS? As far as I can see, this is supported natively by restic: https://restic.readthedocs.io/en/latest/030_preparing_a_new_repo.html#google-cloud-storage

So you'd have

  1. projectIDSecretRef
  2. accessTokenSecretRef
  3. applicationCredentialsSecretRef
  4. bucket

Steps To Reproduce

No response

Version of K8up

2.7.2

Version of Kubernetes

v1.26.13-gke.1052000

Distribution of Kubernetes

GKE