Correct the version for the backup encryption feature (#2376)

* Correct the version for the backup encryption feature

Author: johscheuer

api/v1beta2/foundationdb_version.go

@@ -165,5 +165,5 @@ var Versions = struct {
 	SupportsRecoveryState:             Version{api.Version{Major: 7, Minor: 1, Patch: 22}},
 	SupportsLocalityBasedExclusions71: Version{api.Version{Major: 7, Minor: 1, Patch: 42}},
 	SupportsLocalityBasedExclusions:   Version{api.Version{Major: 7, Minor: 3, Patch: 26}},
-	SupportsBackupEncryption:          Version{api.Version{Major: 7, Minor: 3, Patch: 0}},
+	SupportsBackupEncryption:          Version{api.Version{Major: 7, Minor: 4, Patch: 6}},
 }

api/v1beta2/foundationdbbackup_types.go

@@ -99,7 +99,8 @@ type FoundationDBBackupSpec struct {
 	// This is the configuration of the target blobstore for this backup.
 	BlobStoreConfiguration *BlobStoreConfiguration `json:"blobStoreConfiguration,omitempty"`
 
-	// The path to the encryption key used to encrypt the backup.
+	// The path to the encryption key used to encrypt the backup. This feature is only supported in FDB versions 7.4.6
+	// or newer. Older versions will not use this flag.
 	// +kubebuilder:validation:MaxLength=4096
 	EncryptionKeyPath string `json:"encryptionKeyPath,omitempty"`
 

docs/backup_spec.md

@@ -108,7 +108,7 @@ FoundationDBBackupSpec describes the desired state of the backup for a cluster.
 | customParameters | CustomParameters defines additional parameters to pass to the backup agents. | FoundationDBCustomParameters | false |
 | allowTagOverride | This setting defines if a user provided image can have it's own tag rather than getting the provided version appended. You have to ensure that the specified version in the Spec is compatible with the given version in your custom image. **Deprecated: use ImageConfigs instead.** | *bool | false |
 | blobStoreConfiguration | This is the configuration of the target blobstore for this backup. | *[BlobStoreConfiguration](#blobstoreconfiguration) | false |
-| encryptionKeyPath | The path to the encryption key used to encrypt the backup. | string | false |
+| encryptionKeyPath | The path to the encryption key used to encrypt the backup. This feature is only supported in FDB versions 7.4.6 or newer. Older versions will not use this flag. | string | false |
 | mainContainer | MainContainer defines customization for the foundationdb container. Note: The enableTls setting is ignored for backup agents - use TLS environment variables instead. | ContainerOverrides | false |
 | sidecarContainer | SidecarContainer defines customization for the foundationdb-kubernetes-sidecar container. | ContainerOverrides | false |
 | imageType | ImageType defines the image type that should be used for the FoundationDBCluster deployment. When the type is set to \"unified\" the deployment will use the new fdb-kubernetes-monitor. Otherwise the main container and the sidecar container will use different images. Default: split | *ImageType | false |

e2e/fixtures/fdb_backup.go

@@ -275,7 +275,7 @@ func (fdbBackup *FdbBackup) WaitForRestorableVersion(version uint64) uint64 {
 		g.Expect(status.LatestRestorablePoint).NotTo(gomega.BeNil())
 
 		return ptr.Deref(status.LatestRestorablePoint.Version, 0)
-	}).WithTimeout(10*time.Minute).WithPolling(2*time.Second).Should(gomega.BeNumerically(">", version), "error waiting for restorable version")
+	}).WithTimeout(10*time.Minute).WithPolling(2*time.Second).Should(gomega.BeNumerically(">=", version), "error waiting for restorable version")
 	return restorableVersion
 }
 

e2e/fixtures/fdb_operator_client.go

@@ -400,8 +400,8 @@ spec:
             - name: fdb-binaries
               mountPath: /var/output-files
           securityContext:
-            runAsUser: 0
-            runAsGroup: 0
+            runAsUser: 4059
+            runAsGroup: 4059
         {{ end }}
       containers:
       - command:

e2e/test_operator_backups/operator_backup_test.go

@@ -36,9 +36,10 @@ import (
 )
 
 var (
-	factory     *fixtures.Factory
-	fdbCluster  *fixtures.FdbCluster
-	testOptions *fixtures.FactoryOptions
+	factory            *fixtures.Factory
+	fdbCluster         *fixtures.FdbCluster
+	testOptions        *fixtures.FactoryOptions
+	supportsEncryption fdbv1beta2.Version
 )
 
 func init() {
@@ -62,6 +63,9 @@ var _ = BeforeSuite(func() {
 		Skip("Skip backup tests with 7.1.63 as this version has a bug in the fdbbackup agent")
 	}
 
+	supportsEncryption, err = fdbv1beta2.ParseFdbVersion("7.4.6")
+	Expect(err).NotTo(HaveOccurred())
+
 	// Create a blobstore for testing backups and restore.
 	factory.CreateBlobstoreIfAbsent(factory.SingleNamespace())
 })
@@ -126,9 +130,10 @@ var _ = Describe("Operator Backup", Label("e2e", "pr"), func() {
 					// In case of the one time backup we have to first write the keys and then do the backup.
 					keyValues = fdbCluster.GenerateRandomValues(10, prefix)
 					fdbCluster.WriteKeyValues(keyValues)
+					currentVersion := fdbCluster.GetClusterVersion()
 					backup = factory.CreateBackupForCluster(fdbCluster, backupConfiguration)
 					restorableVersion = backup.WaitForRestorableVersion(
-						fdbCluster.GetClusterVersion(),
+						currentVersion,
 					)
 				}
 
@@ -157,22 +162,23 @@ var _ = Describe("Operator Backup", Label("e2e", "pr"), func() {
 
 				When("encryption is enabled", func() {
 					BeforeEach(func() {
-						requiredFdbVersion, err := fdbv1beta2.ParseFdbVersion("7.4.5")
-						Expect(err).NotTo(HaveOccurred())
-
-						version := factory.GetFDBVersion()
-						if !version.IsAtLeast(requiredFdbVersion) {
+						if !factory.GetFDBVersion().IsAtLeast(supportsEncryption) {
 							Skip(
-								"version has a bug in the backup version that prevents tests to succeed",
+								"version doesn't support the encryption feature",
 							)
 						}
 
 						backupConfiguration.EncryptionEnabled = true
 					})
 
-					It("should restore the cluster successfully with a restorable version", func() {
-						Expect(fdbCluster.GetRange([]byte{prefix}, 25, 60)).Should(Equal(keyValues))
-					})
+					It(
+						"should restore the cluster successfully with a restorable version",
+						func() {
+							Expect(
+								fdbCluster.GetRange([]byte{prefix}, 25, 60),
+							).Should(Equal(keyValues))
+						},
+					)
 				})
 
 				// TODO (johscheuer): Enable test once the CRD in CI is updated.
@@ -203,13 +209,9 @@ var _ = Describe("Operator Backup", Label("e2e", "pr"), func() {
 
 				When("encryption is enabled", func() {
 					BeforeEach(func() {
-						requiredFdbVersion, err := fdbv1beta2.ParseFdbVersion("7.4.5")
-						Expect(err).NotTo(HaveOccurred())
-
-						version := factory.GetFDBVersion()
-						if !version.IsAtLeast(requiredFdbVersion) {
+						if !factory.GetFDBVersion().IsAtLeast(supportsEncryption) {
 							Skip(
-								"version has a bug in the backup version that prevents tests to succeed",
+								"version doesn't support the encryption feature",
 							)
 						}
 

fdbclient/admin_client_test.go

@@ -1209,15 +1209,15 @@ protocol fdb00b071010000`,
 		),
 		Entry(
 			"version that supports backup encryption without key",
-			"7.3.1",
+			fdbv1beta2.Versions.SupportsBackupEncryption.String(),
 			"",
 			nil,
 			false,
 			false,
 		),
 		Entry(
 			"version that supports backup encryption with key",
-			"7.3.1",
+			fdbv1beta2.Versions.SupportsBackupEncryption.String(),
 			"/path/to/key",
 			nil,
 			true,