New Feature, s3 bucket tagging for velero backups.

Author: c-e-brumm

deploy/credential_request.yaml

@@ -19,4 +19,7 @@ spec:
       - s3:PutBucketPublicAccessBlock
       - s3:PutEncryptionConfiguration
       - s3:PutLifecycleConfiguration
+      - s3:PutBucketTagging
+      - s3:DeleteObjectTagging
+      - s3:GetBucketTagging
       resource: "*"

pkg/controller/velero/s3.go

@@ -67,7 +67,10 @@ func (r *ReconcileVelero) provisionS3(reqLogger logr.Logger, s3Client *awss3.S3,
 				return reconcile.Result{}, fmt.Errorf("error occurred when creating bucket %v: %v", instance.Status.S3Bucket.Name, err.Error())
 			}
 		}
-
+		err = s3.TagBucket(s3Client, instance.Status.S3Bucket.Name, deafultBackupStorageLocation)
+		if err != nil {
+			return reconcile.Result{}, fmt.Errorf("error occurred when tagging bucket %v: %v", instance.Status.S3Bucket.Name, err.Error())
+		}
 	}
 
 	// Verify S3 bucket exists
@@ -115,6 +118,13 @@ func (r *ReconcileVelero) provisionS3(reqLogger logr.Logger, s3Client *awss3.S3,
 		return reconcile.Result{}, fmt.Errorf("error occurred when configuring lifecycle rules on bucket %v: %v", instance.Status.S3Bucket.Name, err.Error())
 	}
 
+	// Make sure that tags are applied to buckets
+	bucketLog.Info("Enforcing S3 Bucket tags on S3 Bucket")
+	err = s3.TagBucket(s3Client, instance.Status.S3Bucket.Name, deafultBackupStorageLocation)
+	if err != nil {
+		return reconcile.Result{}, fmt.Errorf("error occurred when tagging bucket %v: %v", instance.Status.S3Bucket.Name, err.Error())
+	}
+
 	instance.Status.S3Bucket.Provisioned = true
 	instance.Status.S3Bucket.LastSyncTimestamp = &metav1.Time{
 		Time: time.Now(),

pkg/controller/velero/velero.go

@@ -25,10 +25,11 @@ import (
 )
 
 const (
-	awsCredsSecretIDKey     = "aws_access_key_id"     // #nosec G101
-	awsCredsSecretAccessKey = "aws_secret_access_key" // #nosec G101
-	credentialsRequestName  = "velero-iam-credentials"
-	veleroImage             = "gcr.io/heptio-images/velero:v1.0.0"
+	awsCredsSecretIDKey          = "aws_access_key_id"     // #nosec G101
+	awsCredsSecretAccessKey      = "aws_secret_access_key" // #nosec G101
+	credentialsRequestName       = "velero-iam-credentials"
+	veleroImage                  = "gcr.io/heptio-images/velero:v1.0.0"
+	deafultBackupStorageLocation = "default"
 )
 
 func (r *ReconcileVelero) provisionVelero(reqLogger logr.Logger, namespace string, platformStatus *configv1.PlatformStatus, instance *veleroCR.Velero) (reconcile.Result, error) {
@@ -40,7 +41,7 @@ func (r *ReconcileVelero) provisionVelero(reqLogger logr.Logger, namespace strin
 	// Install BackupStorageLocation
 	foundBsl := &velerov1.BackupStorageLocation{}
 	bsl := veleroInstall.BackupStorageLocation(namespace, strings.ToLower(string(platformStatus.Type)), instance.Status.S3Bucket.Name, "", locationConfig)
-	if err = r.client.Get(context.TODO(), types.NamespacedName{Namespace: namespace, Name: "default"}, foundBsl); err != nil {
+	if err = r.client.Get(context.TODO(), types.NamespacedName{Namespace: namespace, Name: deafultBackupStorageLocation}, foundBsl); err != nil {
 		if errors.IsNotFound(err) {
 			// Didn't find BackupStorageLocation
 			reqLogger.Info("Creating BackupStorageLocation")

pkg/s3/bucket.go

@@ -8,6 +8,10 @@ import (
 	"github.com/aws/aws-sdk-go/service/s3"
 )
 
+const (
+	bucketTagKey = "velero.io/backup-location"
+)
+
 func CreateBucket(s3Client *s3.S3, bucketName string) error {
 	createBucketInput := &s3.CreateBucketInput{
 		ACL:    aws.String(s3.BucketCannedACLPrivate),
@@ -124,3 +128,38 @@ func SetBucketLifecycle(s3Client *s3.S3, bucketName string) error {
 
 	return err
 }
+func CreateBucketTaggingInput(bucketname string, backUpLocation string) *s3.PutBucketTaggingInput {
+	putInput := &s3.PutBucketTaggingInput{
+		Bucket: aws.String(bucketname),
+		Tagging: &s3.Tagging{
+			TagSet: []*s3.Tag{
+				{
+					Key:   aws.String(bucketTagKey),
+					Value: aws.String(backUpLocation),
+				},
+			},
+		},
+	}
+	return putInput
+}
+
+func ClearBucketTags(s3Client *s3.S3, bucketName string) (err error) {
+	deleteInput := &s3.DeleteBucketTaggingInput{Bucket: aws.String(bucketName)}
+	result, err := s3Client.DeleteBucketTagging(deleteInput)
+	fmt.Println(result)
+	return err
+}
+
+func TagBucket(s3Client *s3.S3, bucketName string, backUpLocation string) error {
+	err := ClearBucketTags(s3Client, bucketName)
+	if err != nil {
+		return fmt.Errorf("unable to clear %v bucket tags: %v", bucketName, err)
+	}
+	input := CreateBucketTaggingInput(bucketName, backUpLocation)
+	_, err = s3Client.PutBucketTagging(input)
+	if err != nil {
+		fmt.Println(err.Error())
+		return err
+	}
+	return nil
+}