From c1578a2035406805b63c52647870274505d80e88 Mon Sep 17 00:00:00 2001
From: arjunajesh <34989598+arjunajesh@users.noreply.github.com>
Date: Thu, 22 Jun 2023 16:10:41 -0400
Subject: [PATCH 1/2] certificates can be passed through env vars
---
 changelog/unreleased/issue-1926 | 6 ++++++
 cmd/restic/global.go | 4 +++-
 doc/040_backup.rst | 2 ++
 3 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 changelog/unreleased/issue-1926
diff --git a/changelog/unreleased/issue-1926 b/changelog/unreleased/issue-1926
new file mode 100644
index 000000000..8d16bb8db
--- /dev/null
+++ b/changelog/unreleased/issue-1926
@@ -0,0 +1,6 @@
+Enhancemnet: Certificates can be passed through environment variables
+
+Restic will now read the paths to the certificates from the environment variables `RESTIC_CACERT` or `RESTIC_TLS_CLIENT_CERT` if `--cacert` or `--tls-client-cert` is not specified.
+
+https://github.com/restic/restic/issues/1926
+https://github.com/restic/restic/pull/4384
diff --git a/cmd/restic/global.go b/cmd/restic/global.go
index 823a82e36..3f55e1cbe 100644
--- a/cmd/restic/global.go
+++ b/cmd/restic/global.go
@@ -135,7 +135,7 @@ func init() {
 f.StringVar(&globalOptions.CacheDir, "cache-dir", "", "set the cache `directory`. (default: use system default cache directory)")
 f.BoolVar(&globalOptions.NoCache, "no-cache", false, "do not use a local cache")
 f.StringSliceVar(&globalOptions.RootCertFilenames, "cacert", nil, "`file` to load root certificates from (default: use system certificates)")
- f.StringVar(&globalOptions.TLSClientCertKeyFilename, "tls-client-cert", "", "path to a `file` containing PEM encoded TLS client certificate and private key")
+ f.StringVar(&globalOptions.TLSClientCertKeyFilename, "tls-client-cert", "", "path to a `file` containing PEM encoded TLS client certificate and private key (default: $RESTIC_TLS_CLIENT_CERT)")
 f.BoolVar(&globalOptions.InsecureTLS, "insecure-tls", false, "skip TLS certificate verification when connecting to the repository (insecure)")
 f.BoolVar(&globalOptions.CleanupCache, "cleanup-cache", false, "auto remove old cache directories")
 f.Var(&globalOptions.Compression, "compression", "compression mode (only available for repository format version 2), one of (auto|off|max) (default: $RESTIC_COMPRESSION)")
@@ -151,6 +151,8 @@ func init() {
 globalOptions.PasswordFile = os.Getenv("RESTIC_PASSWORD_FILE")
 globalOptions.KeyHint = os.Getenv("RESTIC_KEY_HINT")
 globalOptions.PasswordCommand = os.Getenv("RESTIC_PASSWORD_COMMAND")
+ globalOptions.RootCertFilenames = strings.Split(os.Getenv("RESTIC_CACERT"), ",")
+ globalOptions.TLSClientCertKeyFilename = os.Getenv("RESTIC_TLS_CLIENT_CERT")
 comp := os.Getenv("RESTIC_COMPRESSION")
 if comp != "" {
 // ignore error as there's no good way to handle it
diff --git a/doc/040_backup.rst b/doc/040_backup.rst
index 7856875f0..8ab2a50d6 100644
--- a/doc/040_backup.rst
+++ b/doc/040_backup.rst
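Review bot: In the `@@ -151,6 +151,8 @@` hunk of cmd/restic/global.go, `strings.Split(os.Getenv("RESTIC_CACERT"), ",")` yields a one-element slice holding an empty string when the variable is unset, so `RootCertFilenames` is no longer nil for users who never set it. The code that consumes the slice is outside this patch; if it treats any non-nil list as custom trust roots, TLS setup would try to load a certificate file named "" instead of falling back to the system pool. Guarding the assignment keeps the default intact: `if v := os.Getenv("RESTIC_CACERT"); v != "" { globalOptions.RootCertFilenames = strings.Split(v, ",") }`. Entries are also not trimmed and empty elements (for example from a trailing comma) are kept, which deserves care because this list selects the CA roots used to verify the repository server. init() starts and ends outside the hunk.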
@@ -567,6 +567,8 @@ environment variables. The following lists these environment variables:
 RESTIC_PASSWORD The actual password for the repository
 RESTIC_PASSWORD_COMMAND Command printing the password for the repository to stdout
 RESTIC_KEY_HINT ID of key to try decrypting first, before other keys
+ RESTIC_CACERT Location(s) of certificate file(s), comma seperated if multiple (replaces --cacert)
+ RESTIC_TLS_CLIENT_CERT Location of TLS client certificate and private key (replaces --tls-client-cert)
 RESTIC_CACHE_DIR Location of the cache directory
 RESTIC_COMPRESSION Compression mode (only available for repository format version 2)
 RESTIC_PROGRESS_FPS Frames per second by which the progress bar is updated
From cc3c218bafc02b7ba230cc387845f21d9fbe4069 Mon Sep 17 00:00:00 2001
From: Michael Eischer
Date: Sat, 8 Jul 2023 09:44:20 +0200
Subject: [PATCH 2/2] small cleanups for certificate environment variables
---
 changelog/unreleased/issue-1926 | 6 ++++--
 cmd/restic/global.go | 2 +-
 doc/040_backup.rst | 2 +-
 3 files changed, 6 insertions(+), 4 deletions(-)
diff --git a/changelog/unreleased/issue-1926 b/changelog/unreleased/issue-1926
index 8d16bb8db..9f172b1f8 100644
--- a/changelog/unreleased/issue-1926
+++ b/changelog/unreleased/issue-1926
@@ -1,6 +1,8 @@
-Enhancemnet: Certificates can be passed through environment variables
+Enhancement: Certificates can be passed through environment variables
 
-Restic will now read the paths to the certificates from the environment variables `RESTIC_CACERT` or `RESTIC_TLS_CLIENT_CERT` if `--cacert` or `--tls-client-cert` is not specified.
+Restic will now read the paths to the certificates from the environment
+variables `RESTIC_CACERT` or `RESTIC_TLS_CLIENT_CERT` if `--cacert` or
+`--tls-client-cert` are not specified.
 
 https://github.com/restic/restic/issues/1926
 https://github.com/restic/restic/pull/4384
diff --git a/cmd/restic/global.go b/cmd/restic/global.go
index 3f55e1cbe..487fa9673 100644
--- a/cmd/restic/global.go
+++ b/cmd/restic/global.go
@@ -134,7 +134,7 @@ func init() {
 f.BoolVarP(&globalOptions.JSON, "json", "", false, "set output mode to JSON for commands that support it")
 f.StringVar(&globalOptions.CacheDir, "cache-dir", "", "set the cache `directory`. (default: use system default cache directory)")
 f.BoolVar(&globalOptions.NoCache, "no-cache", false, "do not use a local cache")
- f.StringSliceVar(&globalOptions.RootCertFilenames, "cacert", nil, "`file` to load root certificates from (default: use system certificates)")
+ f.StringSliceVar(&globalOptions.RootCertFilenames, "cacert", nil, "`file` to load root certificates from (default: use system certificates or $RESTIC_CACERT)")
 f.StringVar(&globalOptions.TLSClientCertKeyFilename, "tls-client-cert", "", "path to a `file` containing PEM encoded TLS client certificate and private key (default: $RESTIC_TLS_CLIENT_CERT)")
 f.BoolVar(&globalOptions.InsecureTLS, "insecure-tls", false, "skip TLS certificate verification when connecting to the repository (insecure)")
 f.BoolVar(&globalOptions.CleanupCache, "cleanup-cache", false, "auto remove old cache directories")
diff --git a/doc/040_backup.rst b/doc/040_backup.rst
index 8ab2a50d6..b01683929 100644
--- a/doc/040_backup.rst
+++ b/doc/040_backup.rst
@@ -567,7 +567,7 @@ environment variables. The following lists these environment variables:
 RESTIC_PASSWORD The actual password for the repository
 RESTIC_PASSWORD_COMMAND Command printing the password for the repository to stdout
 RESTIC_KEY_HINT ID of key to try decrypting first, before other keys
- RESTIC_CACERT Location(s) of certificate file(s), comma seperated if multiple (replaces --cacert)
+ RESTIC_CACERT Location(s) of certificate file(s), comma separated if multiple (replaces --cacert)
 RESTIC_TLS_CLIENT_CERT Location of TLS client certificate and private key (replaces --tls-client-cert)
 RESTIC_CACHE_DIR Location of the cache directory
 RESTIC_COMPRESSION Compression mode (only available for repository format version 2)