RCloneCredential resource

This section describes the RCloneCredential custom resource (CR) used in the MOSK management API to configure rclone credentials for a MOSK or management cluster.

The RCloneCredential CR contains the following fields:

  • apiVersion

    API version of the object that is kaas.mirantis.com/v1alpha1.

  • kind

    Object type that is RCloneCredential.

  • metadata

    Metadata of the RCloneCredential CR that contains the following fields:

    • name

      Name of the RCloneCredential object.

    • namespace

      Project name of the cluster that relates to RCloneCredential.

  • spec

    Specification of the RCloneCredential CR that contains the following fields:

    • remoteConfig

      Configuration of rclone for Amazon Simple Storage Service (S3). Can contain any fields supported by rclone for S3. For details, see rclone documentation.

      Must contain at least the following fields:

      • access_key_id

        Access key ID for the remote backup storage.

      • endpoint

        Endpoint of the remote backup storage.

      • type

        Type of the remote backup storage that must be set to s3.

      The values from the remoteConfig section will be included in the remoteName section of the rclone configuration file as-is.

    • remoteConfigSecretKey

      Name of the configuration file key that will contain the secret data. The value of this key is the S3 secret_access_key for the remote backup storage. The key is stored in the Kubernetes secret specified in the remoteSecret field.

    • remoteName

      Valid name of the remote storage. For example, swift. Will be transformed into the remote section name in the rclone configuration file.

    • remoteSecret

      Name of the Kubernetes secret that contains the secret access key for the remote backup storage. Contains the following field:

      • secret

        Name of the Kubernetes secret that contains the secret access key for the remote backup storage. Contains the following field:

        • value

          Secret access key for the remote backup storage.

      Once the RCloneCredential object is created, remoteSecret is mutated by moving the clear-text secret value into a secret generated by MOSK management and removing this value from the RCloneCredential object.

Once an RCloneCredential object is created, backup-controller transforms it to the following rclone configuration file:

[swift]
access_key_id = <KEY ID>
endpoint = <ENDPOINT>
secret_access_key = <KEY>
type = s3

Configuration example of an RCloneCredential object before creation:

apiVersion: kaas.mirantis.com/v1alpha1
kind: RCloneCredential
metadata:
  name: swift-s3
  namespace: default
spec:
  remoteConfig:
    access_key_id: <KEY ID>
    endpoint: <ENDPOINT>
    type: s3
  remoteConfigSecretKey: secret_access_key
  remoteName: swift
  remoteSecret:
    secret:
      value: <KEY>

Configuration example of an RCloneCredential object after creation containing the mutated remoteSecret section:

apiVersion: kaas.mirantis.com/v1alpha1
kind: RCloneCredential
metadata:
  creationTimestamp: "2025-12-02T15:25:57Z"
  generation: 1
  name: swift-s3
  namespace: default
  resourceVersion: "100013"
  uid: 9f572090-e737-4f0e-bbe5-6bc7f4ced7a5
spec:
  remoteConfig:
    access_key_id: <KEY ID>
    endpoint: <ENDPOINT>
    type: s3
  remoteConfigSecretKey: secret_access_key
  remoteName: swift
  remoteSecret:
    secret:
      key: value
      name: swift-s3-dt6h9