backup-restore-operator
Backup pod tries listing the S3 bucket, even though write credentials should be sufficient.
Rancher Server Setup
- Rancher version: 2.8.5
- Installation option (Docker install/Helm Chart): Helm Chart
- Kubernetes Version and Engine: 1.30.4+k3s1
- Rancher backup & CRDs chart version: 104.0.1+up5.0.1
Describe the bug
The Backup pod logs say (credentials and URL are random GUIDs):
INFO[2024/09/07 21:41:26] Compressing backup CR rancher-s3-recurring-backup
INFO[2024/09/07 21:41:27] invoking set s3 service client
insecure-tls-skip-verify=false s3-accessKey=8d802dc25b7143aea5aaa1e7297daa93 s3-bucketName=rancher-backups s3-endpoint=acf1fc67a82942a7be3aefe7406f947a.eu.r2.cloudflarestorage.com s3-endpoint-ca= s3-folder=backups s3-region=auto
ERRO[2024/09/07 21:41:27] error syncing 's3-recurring-backup': handler backups: failed to check if s3 bucket [rancher-backups] exists, error: 401 Unauthorized, requeuing
To Reproduce
Steps to reproduce the behavior:
- Create a bucket in Cloudflare R2
- Create token with Object Read & Write permissions
- Set S3 credentials for the Backup
- Apply configuration, wait for backup pod to proceed and observe the error
The problem is that backup pod tries to list the buckets, even though I set a specific bucket for it in the Backup specification:
apiVersion: resources.cattle.io/v1
kind: Backup
metadata:
  name: rancher-s3-recurring-backup
spec:
  storageLocation:
    s3:
      credentialSecretName: rancher-backup-s3
      credentialSecretNamespace: cattle-resources-system
      bucketName: rancher-backups
      folder: backups
      region: auto
      endpoint: acf1fc67a82942a7be3aefe7406f947a.eu.r2.cloudflarestorage.com
  resourceSetName: rancher-resource-set
  encryptionConfigSecretName: rancher-backup-encryption-config
  schedule: "0 6 * * *"
  retentionCount: 180
I tried setting the Admin Read & Write permissions, which is basically sudo for all buckets, and the credentials worked.
Expected behavior
The backup should not list the buckets and should try uploading the file. This way if the permissions are sufficient, it will be able to upload the file successfully. If not, it will fail and should error out.
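The permission gap this report describes, shown as an added example that is not part of the issue or of the backup-restore-operator's code: an in-process stand-in for an S3-compatible endpoint with two token kinds modelled on the R2 tokens named above (`object-rw-token`, which may write objects but not probe buckets, and `admin-rw-token`, which may do both). A bearer token header stands in for real S3 request signing, and the token names, the `tokens` map and the `checkBucketExists`/`uploadBackup` helpers are all assumptions for illustration. The existence probe fails with 401 for the write-only token exactly as in the log above, while a direct upload with the same token succeeds.

```go
package main

import (
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"strings"
)

// tokenPerms models the two Cloudflare R2 token kinds named in the issue.
// Names and mapping are assumptions for this example, not operator code.
type tokenPerms struct {
	listBuckets bool // needed for the bucket-existence probe (HEAD /{bucket})
	writeObject bool // needed for the actual upload (PUT /{bucket}/{key})
}

var tokens = map[string]tokenPerms{
	"object-rw-token": {listBuckets: false, writeObject: true}, // "Object Read & Write"
	"admin-rw-token":  {listBuckets: true, writeObject: true},  // "Admin Read & Write"
}

// newFakeS3 starts an in-memory stand-in for an S3-compatible endpoint.
// A bearer header replaces real request signing; that is a simplification.
func newFakeS3() *httptest.Server {
	objects := map[string][]byte{} // constructed store of uploaded objects
	return httptest.NewServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		perms, ok := tokens[strings.TrimPrefix(r.Header.Get("Authorization"), "Bearer ")]
		if !ok {
			w.WriteHeader(http.StatusUnauthorized) // unknown credentials
			return
		}
		bucketLevel := !strings.Contains(strings.Trim(r.URL.Path, "/"), "/")
		switch {
		case r.Method == http.MethodHead && bucketLevel:
			if !perms.listBuckets {
				w.WriteHeader(http.StatusUnauthorized) // probe denied for write-only token
				return
			}
			w.WriteHeader(http.StatusOK)
		case r.Method == http.MethodPut && !bucketLevel:
			if !perms.writeObject {
				w.WriteHeader(http.StatusForbidden)
				return
			}
			data, _ := io.ReadAll(r.Body)
			objects[r.URL.Path] = data
			w.WriteHeader(http.StatusOK)
		default:
			w.WriteHeader(http.StatusMethodNotAllowed)
		}
	}))
}

// doRequest sends one authenticated request and returns the status code.
func doRequest(method, url, token string, body []byte) (int, error) {
	req, err := http.NewRequest(method, url, strings.NewReader(string(body)))
	if err != nil {
		return 0, err
	}
	req.Header.Set("Authorization", "Bearer "+token)
	resp, err := http.DefaultClient.Do(req)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return resp.StatusCode, nil
}

// checkBucketExists mirrors the pre-flight probe seen failing in the log:
// it needs a permission that an object-only token does not carry.
func checkBucketExists(endpoint, token, bucket string) error {
	code, err := doRequest(http.MethodHead, endpoint+"/"+bucket, token, nil)
	if err != nil {
		return err
	}
	if code != http.StatusOK {
		return fmt.Errorf("failed to check if s3 bucket [%s] exists, error: %d %s",
			bucket, code, http.StatusText(code))
	}
	return nil
}

// uploadBackup skips the probe and attempts the write directly, which is the
// behaviour the reporter expects: success with a write-capable token, and a
// clear error from the upload itself otherwise.
func uploadBackup(endpoint, token, bucket, key string, data []byte) error {
	code, err := doRequest(http.MethodPut, endpoint+"/"+bucket+"/"+key, token, data)
	if err != nil {
		return err
	}
	if code != http.StatusOK {
		return fmt.Errorf("failed to upload %s to bucket [%s]: %d %s",
			key, bucket, code, http.StatusText(code))
	}
	return nil
}

func main() {
	srv := newFakeS3()
	defer srv.Close()
	for _, tok := range []string{"object-rw-token", "admin-rw-token"} {
		fmt.Printf("%s: existence probe -> %v\n", tok, checkBucketExists(srv.URL, tok, "rancher-backups"))
		fmt.Printf("%s: direct upload   -> %v\n", tok,
			uploadBackup(srv.URL, tok, "rancher-backups", "backups/example.tar.gz", []byte("constructed payload")))
	}
}
```

The point for a defender is that a probe-before-write pattern silently raises the minimum privilege a credential needs; going straight to the write keeps the token scoped to the one operation the job performs and still surfaces a clear error when the scope is insufficient.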