Add Restic SFTP Support

Dockerfile

@@ -118,7 +118,7 @@ RUN microdnf --refresh update -y && \
     microdnf --nodocs --setopt=install_weak_deps=0 install -y \
         acl             `# rclone - getfacl/setfacl` \
         openssh         `# rsync/ssh - ssh key generation in operator` \
-        openssh-clients `# rsync/ssh - ssh client` \
+        openssh-clients `# rsync/ssh and restic - ssh client` \
         openssh-server  `# rsync/ssh - ssh server` \
         perl            `# rsync/ssh - rrsync script` \
         stunnel         `# rsync-tls` \

api/v1alpha1/replicationdestination_types.go

@@ -222,6 +222,15 @@ type ReplicationDestinationRsyncStatus struct {
 	Port *int32 `json:"port,omitempty"`
 }
 
+type ReplicationDestinationResticStatus struct {
+	// sshKeys is the name of a Secret that contains the SSH keys to be used for
+	// authentication. If not provided in .spec.restic.sshKeys, SSH keys will be
+	// generated and the appropriate keys for the remote side will be placed
+	// here.
+	//+optional
+	SSHKeys *string `json:"sshKeys,omitempty"`
+}
+
 type ReplicationDestinationResticCA CustomCASpec
 
 // ReplicationDestinationResticSpec defines the field for restic in replicationDestination.
@@ -255,6 +264,10 @@ type ReplicationDestinationResticSpec struct {
 	// +kubebuilder:validation:Format="date-time"
 	//+optional
 	RestoreAsOf *string `json:"restoreAsOf,omitempty"`
+	// sshKeys is the name of a Secret that contains the SSH keys to be used for
+	// authentication. If not provided, the keys will be generated.
+	//+optional
+	SSHKeys *string `json:"sshKeys,omitempty"`
 	// enableFileDeletion will pass the --delete flag to the restic restore command.
 	// This will remove files and directories in the pvc that do not exist in the snapshot being restored.
 	// Defaults to false.
@@ -294,6 +307,8 @@ type ReplicationDestinationStatus struct {
 	Rsync *ReplicationDestinationRsyncStatus `json:"rsync,omitempty"`
 	// rsyncTLS contains status information for Rsync-based replication over TLS.
 	RsyncTLS *ReplicationDestinationRsyncTLSStatus `json:"rsyncTLS,omitempty"`
+	// restic containers status information for Restic-based replication.
+	Restic *ReplicationDestinationResticStatus `json:"restic,omitempty"`
 	// external contains provider-specific status information. For more details,
 	// please see the documentation of the specific replication provider being
 	// used.

api/v1alpha1/replicationsource_types.go

@@ -181,6 +181,10 @@ type ReplicationSourceResticCA CustomCASpec
 // ReplicationSourceResticSpec defines the field for restic in replicationSource.
 type ReplicationSourceResticSpec struct {
 	ReplicationSourceVolumeOptions `json:",inline"`
+	// sshKeys is the name of a Secret that contains the SSH keys to be used for
+	// authentication. If not provided, the keys will be generated.
+	//+optional
+	SSHKeys *string `json:"sshKeys,omitempty"`
 	// PruneIntervalDays define how often to prune the repository
 	PruneIntervalDays *int32 `json:"pruneIntervalDays,omitempty"`
 	// Repository is the secret name containing repository info
@@ -215,6 +219,12 @@ type ReplicationSourceResticSpec struct {
 
 // ReplicationSourceResticStatus defines the field for ReplicationSourceStatus in ReplicationSourceStatus
 type ReplicationSourceResticStatus struct {
+	// sshKeys is the name of a Secret that contains the SSH keys to be used for
+	// authentication. If not provided in .spec.restic.sshKeys, SSH keys will be
+	// generated and the appropriate keys for the remote side will be placed
+	// here.
+	//+optional
+	SSHKeys *string `json:"sshKeys,omitempty"`
 	// lastPruned in the object holding the time of last pruned
 	//+optional
 	LastPruned *metav1.Time `json:"lastPruned,omitempty"`

bundle/manifests/volsync.backube_replicationdestinations.yaml

@@ -2760,6 +2760,11 @@ spec:
                       as of that time.
                     format: date-time
                     type: string
+                  sshKeys:
+                    description: |-
+                      sshKeys is the name of a Secret that contains the SSH keys to be used for
+                      authentication. If not provided, the keys will be generated.
+                    type: string
                   storageClassName:
                     description: |-
                       storageClassName can be used to specify the StorageClass of the
@@ -4421,6 +4426,18 @@ spec:
                   scheduled to start (for schedule-based synchronization).
                 format: date-time
                 type: string
+              restic:
+                description: restic containers status information for Restic-based
+                  replication.
+                properties:
+                  sshKeys:
+                    description: |-
+                      sshKeys is the name of a Secret that contains the SSH keys to be used for
+                      authentication. If not provided in .spec.restic.sshKeys, SSH keys will be
+                      generated and the appropriate keys for the remote side will be placed
+                      here.
+                    type: string
+                type: object
               rsync:
                 description: rsync contains status information for Rsync-based replication.
                 properties:

bundle/manifests/volsync.backube_replicationsources.yaml

@@ -2741,6 +2741,11 @@ spec:
                         format: int32
                         type: integer
                     type: object
+                  sshKeys:
+                    description: |-
+                      sshKeys is the name of a Secret that contains the SSH keys to be used for
+                      authentication. If not provided, the keys will be generated.
+                    type: string
                   storageClassName:
                     description: |-
                       storageClassName can be used to override the StorageClass of the PiT
@@ -5642,6 +5647,13 @@ spec:
                       lastUnlocked is set to the last spec.restic.unlock when a sync is done that unlocks the
                       restic repository.
                     type: string
+                  sshKeys:
+                    description: |-
+                      sshKeys is the name of a Secret that contains the SSH keys to be used for
+                      authentication. If not provided in .spec.restic.sshKeys, SSH keys will be
+                      generated and the appropriate keys for the remote side will be placed
+                      here.
+                    type: string
                 type: object
               rsync:
                 description: rsync contains status information for Rsync-based replication.

bundle/manifests/volsync.clusterserviceversion.yaml

@@ -55,7 +55,7 @@ metadata:
         }
       ]
     capabilities: Basic Install
-    createdAt: "2025-08-20T15:32:39Z"
+    createdAt: "2025-08-28T19:57:25Z"
     olm.skipRange: '>=0.4.0 <0.14.0'
     operators.operatorframework.io/builder: operator-sdk-v1.33.0
     operators.operatorframework.io/project_layout: go.kubebuilder.io/v4

config/crd/bases/volsync.backube_replicationdestinations.yaml

@@ -2760,6 +2760,11 @@ spec:
                       as of that time.
                     format: date-time
                     type: string
+                  sshKeys:
+                    description: |-
+                      sshKeys is the name of a Secret that contains the SSH keys to be used for
+                      authentication. If not provided, the keys will be generated.
+                    type: string
                   storageClassName:
                     description: |-
                       storageClassName can be used to specify the StorageClass of the
@@ -4421,6 +4426,18 @@ spec:
                   scheduled to start (for schedule-based synchronization).
                 format: date-time
                 type: string
+              restic:
+                description: restic containers status information for Restic-based
+                  replication.
+                properties:
+                  sshKeys:
+                    description: |-
+                      sshKeys is the name of a Secret that contains the SSH keys to be used for
+                      authentication. If not provided in .spec.restic.sshKeys, SSH keys will be
+                      generated and the appropriate keys for the remote side will be placed
+                      here.
+                    type: string
+                type: object
               rsync:
                 description: rsync contains status information for Rsync-based replication.
                 properties:

config/crd/bases/volsync.backube_replicationsources.yaml

@@ -2741,6 +2741,11 @@ spec:
                         format: int32
                         type: integer
                     type: object
+                  sshKeys:
+                    description: |-
+                      sshKeys is the name of a Secret that contains the SSH keys to be used for
+                      authentication. If not provided, the keys will be generated.
+                    type: string
                   storageClassName:
                     description: |-
                       storageClassName can be used to override the StorageClass of the PiT
@@ -5642,6 +5647,13 @@ spec:
                       lastUnlocked is set to the last spec.restic.unlock when a sync is done that unlocks the
                       restic repository.
                     type: string
+                  sshKeys:
+                    description: |-
+                      sshKeys is the name of a Secret that contains the SSH keys to be used for
+                      authentication. If not provided in .spec.restic.sshKeys, SSH keys will be
+                      generated and the appropriate keys for the remote side will be placed
+                      here.
+                    type: string
                 type: object
               rsync:
                 description: rsync contains status information for Rsync-based replication.

helm/volsync/templates/volsync.backube_replicationdestinations.yaml

@@ -2641,6 +2641,11 @@ spec:
                       description: RestoreAsOf refers to the backup that is most recent as of that time.
                       format: date-time
                       type: string
+                    sshKeys:
+                      description: |-
+                        sshKeys is the name of a Secret that contains the SSH keys to be used for
+                        authentication. If not provided, the keys will be generated.
+                      type: string
                     storageClassName:
                       description: |-
                         storageClassName can be used to specify the StorageClass of the
@@ -4238,6 +4243,17 @@ spec:
                     scheduled to start (for schedule-based synchronization).
                   format: date-time
                   type: string
+                restic:
+                  description: restic containers status information for Restic-based replication.
+                  properties:
+                    sshKeys:
+                      description: |-
+                        sshKeys is the name of a Secret that contains the SSH keys to be used for
+                        authentication. If not provided in .spec.restic.sshKeys, SSH keys will be
+                        generated and the appropriate keys for the remote side will be placed
+                        here.
+                      type: string
+                  type: object
                 rsync:
                   description: rsync contains status information for Rsync-based replication.
                   properties:

helm/volsync/templates/volsync.backube_replicationsources.yaml

@@ -2618,6 +2618,11 @@ spec:
                           format: int32
                           type: integer
                       type: object
+                    sshKeys:
+                      description: |-
+                        sshKeys is the name of a Secret that contains the SSH keys to be used for
+                        authentication. If not provided, the keys will be generated.
+                      type: string
                     storageClassName:
                       description: |-
                         storageClassName can be used to override the StorageClass of the PiT
@@ -5396,6 +5401,13 @@ spec:
                         lastUnlocked is set to the last spec.restic.unlock when a sync is done that unlocks the
                         restic repository.
                       type: string
+                    sshKeys:
+                      description: |-
+                        sshKeys is the name of a Secret that contains the SSH keys to be used for
+                        authentication. If not provided in .spec.restic.sshKeys, SSH keys will be
+                        generated and the appropriate keys for the remote side will be placed
+                        here.
+                      type: string
                   type: object
                 rsync:
                   description: rsync contains status information for Rsync-based replication.

internal/controller/mover/restic/builder.go

@@ -124,7 +124,7 @@ func (rb *Builder) FromSource(client client.Client, logger logr.Logger,
 	saHandler := utils.NewSAHandler(client, source, isSource, privileged,
 		source.Spec.Restic.MoverServiceAccount)
 
-	return &Mover{
+	mover := &Mover{
 		client:                client,
 		logger:                logger.WithValues("method", "Restic"),
 		eventRecorder:         eventRecorder,
@@ -136,6 +136,7 @@ func (rb *Builder) FromSource(client client.Client, logger logr.Logger,
 		cacheCapacity:         source.Spec.Restic.CacheCapacity,
 		cacheStorageClassName: source.Spec.Restic.CacheStorageClassName,
 		repositoryName:        source.Spec.Restic.Repository,
+		sshKeys:               source.Spec.Restic.SSHKeys,
 		isSource:              isSource,
 		paused:                source.Spec.Paused,
 		mainPVCName:           &source.Spec.SourcePVC,
@@ -147,7 +148,13 @@ func (rb *Builder) FromSource(client client.Client, logger logr.Logger,
 		sourceStatus:          source.Status.Restic,
 		latestMoverStatus:     source.Status.LatestMoverStatus,
 		moverConfig:           source.Spec.Restic.MoverConfig,
-	}, nil
+	}
+
+	if source.Spec.Restic.SSHKeys != nil {
+		mover.moverConfig.MoverSecurityContext = nil
+	}
+
+	return mover, nil
 }
 
 func (rb *Builder) FromDestination(client client.Client, logger logr.Logger,
@@ -177,7 +184,7 @@ func (rb *Builder) FromDestination(client client.Client, logger logr.Logger,
 	saHandler := utils.NewSAHandler(client, destination, isSource, privileged,
 		destination.Spec.Restic.MoverServiceAccount)
 
-	return &Mover{
+	mover := &Mover{
 		client:                      client,
 		logger:                      logger.WithValues("method", "Restic"),
 		eventRecorder:               eventRecorder,
@@ -190,6 +197,7 @@ func (rb *Builder) FromDestination(client client.Client, logger logr.Logger,
 		cacheStorageClassName:       destination.Spec.Restic.CacheStorageClassName,
 		cleanupCachePVC:             destination.Spec.Restic.CleanupCachePVC,
 		repositoryName:              destination.Spec.Restic.Repository,
+		sshKeys:                     destination.Spec.Restic.SSHKeys,
 		isSource:                    isSource,
 		paused:                      destination.Spec.Paused,
 		mainPVCName:                 destination.Spec.Restic.DestinationPVC,
@@ -201,5 +209,11 @@ func (rb *Builder) FromDestination(client client.Client, logger logr.Logger,
 		enableFileDeletionOnRestore: destination.Spec.Restic.EnableFileDeletion,
 		latestMoverStatus:           destination.Status.LatestMoverStatus,
 		moverConfig:                 destination.Spec.Restic.MoverConfig,
-	}, nil
+	}
+
+	if destination.Spec.Restic.SSHKeys != nil {
+		mover.moverConfig.MoverSecurityContext = nil
+	}
+
+	return mover, nil
 }