setup build and tempsshdir for restic sftp

Jonnobrow · Jonnobrow · commit 786a8d557c82 · 2025-08-14T21:52:13.000+01:00
diff --git a/internal/controller/mover/restic/builder.go b/internal/controller/mover/restic/builder.go
@@ -124,7 +124,7 @@ func (rb *Builder) FromSource(client client.Client, logger logr.Logger,
 	saHandler := utils.NewSAHandler(client, source, isSource, privileged,
 		source.Spec.Restic.MoverServiceAccount)
 
-	return &Mover{
+	mover := &Mover{
 		client:                client,
 		logger:                logger.WithValues("method", "Restic"),
 		eventRecorder:         eventRecorder,
@@ -136,6 +136,7 @@ func (rb *Builder) FromSource(client client.Client, logger logr.Logger,
 		cacheCapacity:         source.Spec.Restic.CacheCapacity,
 		cacheStorageClassName: source.Spec.Restic.CacheStorageClassName,
 		repositoryName:        source.Spec.Restic.Repository,
+		sshKeys:               source.Spec.Restic.SSHKeys,
 		isSource:              isSource,
 		paused:                source.Spec.Paused,
 		mainPVCName:           &source.Spec.SourcePVC,
@@ -147,7 +148,13 @@ func (rb *Builder) FromSource(client client.Client, logger logr.Logger,
 		sourceStatus:          source.Status.Restic,
 		latestMoverStatus:     source.Status.LatestMoverStatus,
 		moverConfig:           source.Spec.Restic.MoverConfig,
-	}, nil
+	}
+
+	if source.Spec.Restic.SSHKeys != nil {
+		mover.moverConfig.MoverSecurityContext = nil
+	}
+
+	return mover, nil
 }
 
 func (rb *Builder) FromDestination(client client.Client, logger logr.Logger,
@@ -177,7 +184,7 @@ func (rb *Builder) FromDestination(client client.Client, logger logr.Logger,
 	saHandler := utils.NewSAHandler(client, destination, isSource, privileged,
 		destination.Spec.Restic.MoverServiceAccount)
 
-	return &Mover{
+	mover := &Mover{
 		client:                      client,
 		logger:                      logger.WithValues("method", "Restic"),
 		eventRecorder:               eventRecorder,
@@ -190,6 +197,7 @@ func (rb *Builder) FromDestination(client client.Client, logger logr.Logger,
 		cacheStorageClassName:       destination.Spec.Restic.CacheStorageClassName,
 		cleanupCachePVC:             destination.Spec.Restic.CleanupCachePVC,
 		repositoryName:              destination.Spec.Restic.Repository,
+		sshKeys:                     destination.Spec.Restic.SSHKeys,
 		isSource:                    isSource,
 		paused:                      destination.Spec.Paused,
 		mainPVCName:                 destination.Spec.Restic.DestinationPVC,
@@ -201,5 +209,11 @@ func (rb *Builder) FromDestination(client client.Client, logger logr.Logger,
 		enableFileDeletionOnRestore: destination.Spec.Restic.EnableFileDeletion,
 		latestMoverStatus:           destination.Status.LatestMoverStatus,
 		moverConfig:                 destination.Spec.Restic.MoverConfig,
-	}, nil
+	}
+
+	if destination.Spec.Restic.SSHKeys != nil {
+		mover.moverConfig.MoverSecurityContext = nil
+	}
+
+	return mover, nil
 }
diff --git a/internal/controller/mover/restic/mover.go b/internal/controller/mover/restic/mover.go
@@ -518,14 +518,17 @@ func (m *Mover) ensureJob(ctx context.Context, cachePVC *corev1.PersistentVolume
 		}
 		if resticSecretName != "" {
 			podSpec.Containers[0].Env = append(podSpec.Containers[0].Env, corev1.EnvVar{
-				Name: "SSH_KEYS",
+				Name:  "SSH_KEYS",
 				Value: "true",
 			})
 			// Mount the custom CA certificate
 			podSpec.Containers[0].VolumeMounts =
 				append(podSpec.Containers[0].VolumeMounts, corev1.VolumeMount{
 					Name:      "keys",
 					MountPath: "/keys",
+				}, corev1.VolumeMount{
+					Name:      "tempsshdir",
+					MountPath: "/root/.ssh",
 				})
 			podSpec.Volumes = append(podSpec.Volumes, corev1.Volume{
 				Name: "keys", VolumeSource: corev1.VolumeSource{
@@ -534,6 +537,10 @@ func (m *Mover) ensureJob(ctx context.Context, cachePVC *corev1.PersistentVolume
 						DefaultMode: ptr.To[int32](0600),
 					},
 				},
+			}, corev1.Volume{Name: "tempsshdir", VolumeSource: corev1.VolumeSource{
+				EmptyDir: &corev1.EmptyDirVolumeSource{
+					Medium: corev1.StorageMediumMemory,
+				}},
 			})
 		}
 		if m.vh.IsCopyMethodDirect() {
diff --git a/mover-restic/entry.sh b/mover-restic/entry.sh
@@ -62,7 +62,7 @@ Host *
   # Enable protocol-level keepalive to detect connection failure
   ServerAliveCountMax 4
   ServerAliveInterval 30
-  # We don't know the key of the server, so be strict
+  # We don't know the key of the server
   StrictHostKeyChecking no
   # Using protocol-level, so we don't need TCP-level
   TCPKeepAlive no
