Fix/support non mandatory key file #1129
Codecov Report
Attention:
Additional details and impacted files
@@ Coverage Diff @@
## main #1129 +/- ##
==========================================
- Coverage 57.17% 57.15% -0.02%
==========================================
Files 103 103
Lines 10648 10655 +7
==========================================
+ Hits 6088 6090 +2
- Misses 4027 4032 +5
Partials 533 533
LGTM, but I know very little about Go and Cassandra so... 🤷
Hi @JBOClara, thanks for pushing this PR!
I did a quick review and posted a few comments to start the conversation.
Hello @adejanovski I've no clue why this is failing.
I've restarted it, since we have some flakes on the K8ssandraTask tests. Let's see how it goes.
it passed ;)
Hello @adejanovski Could you please review my PR and let me know if there's anything to add? Are there any additional tests or documentation updates required to support this change? Thank you for your guidance.
25f0347 to 955baae
This is blocking us at the moment as well - what's required to get this into the operator? Happy to help if I can.
if you could test this PR and verify that the feature works as expected, it would be much appreciated.
Hi @adejanovski! I've deployed this PR into our staging environment, and it seems to work alright - Medusa is able to put the backups in S3 using role-based authentication, and Cassandra still seems to be running fine. If needed I can also rebase this branch on my own fork and make a new PR.
thanks a lot for the quick turnaround on testing this @yesterdays-vigilante 🙏 Let's give @JBOClara a tiny bit of time to get back to this. That PR has been open for a while and I'm the one who dropped the ball on following up with it.
Hi @JBOClara, it looks like you still have a conflict on
955baae to 633372c
@JBOClara, for the unit tests to pass you'll need to regenerate the manifests I think (using
CI is green and everything looks good. Thanks @JBOClara!
Thank you so much for working through this issue! I had worked around it in the past by providing an empty file via the referenced secret, but that always felt like a hack. Thanks again!
Hello @JBOClara, thank you so much for this change! Is it also planned to support IRSA for Google storage and Azure storage? We have to implement similar hacks like we did for S3 in order to support Google Cloud and Azure backups. FYI @adejanovski
Hi @c3-clement, I'm not able to test it on GCP or Azure. But, have you already tried? Could you share the errors encountered? Unfortunately, I don't plan to dedicate time to this topic.
I tried to fake the secret, and using sa I created with S3 policy and role setup, I am still not able to get around this. I am getting errors inside medusa-standalone
There is no need for a fake secret. Just use Then, check this is correctly configured:
That's a great explanation that we'd need to put in the docs @JBOClara!
Hello @JBOClara, yes, I already tried. I had to patch k8ssandra-operator and medusa - I don't have error logs anymore, but here is what went wrong:
Azure:
Also, Azure Workload Identity auth requires setting the label
Google: In the backup secret mounted to medusa pods, we have to set a field
Also, in the medusa codebase, the GCS list implementation is unsafely accessing the field
However, if the GCS bucket is KMS encrypted, the Google API does not expose the
I will open proper GitHub issues for all of this when I get a sec.
I believe that the
Here is a PR #1293 @adejanovski
What this PR does:
While storageSecretRef is optional, there is no way to configure medusa without passing a secret. But when we want to use a role with IRSA, we don't want to pass a ~/.aws/credentials file to medusa.
Which issue(s) this PR fixes:
Fixes #1152
Fixes thelastpickle/cassandra-medusa#581
Linked to thelastpickle/cassandra-medusa#691
Checklist