
Validation of default secrets for cloud provider plugins without BSL/VSL #1583

Open
mateusoliveira43 opened this issue Nov 5, 2024 · 1 comment

@mateusoliveira43 (Contributor)

Problem

If a cloud provider plugin is added to DPA spec.configuration.velero.defaultPlugins without a BSL (spec.backupLocations) or a VSL (spec.snapshotLocations) that uses it, OADP does not validate whether its default secret exists in the OADP namespace. This can cause the Velero Pod to never reach the Running state.

How to reproduce

A DPA like this one

```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  creationTimestamp: '2024-11-05T18:38:46Z'
  generation: 1
  managedFields:
    ...
  name: velero-sample
  namespace: openshift-adp
  resourceVersion: '597563237'
  uid: 51330ec5-8c38-48a5-bdb9-7f7cdafe42a9
spec:
  backupLocations:
    - velero:
        config:
          profile: default
          region: <secret>
        credential:
          key: cloud
          name: cloud-credentials
        default: true
        objectStorage:
          bucket: <secret>
          prefix: velero
        provider: aws
  configuration:
    velero:
      defaultPlugins:
        - openshift
        - aws
        - gcp
status:
  conditions:
    - lastTransitionTime: '2024-11-05T18:38:46Z'
      message: Reconcile complete
      reason: Complete
      status: 'True'
      type: Reconciled
```

passes DPA controller validation.

But, if the default secret for the gcp provider is missing, the Velero Pod never succeeds. The Pod events show the following:

```text
MountVolume.SetUp failed for volume "cloud-credentials-gcp" : secret "cloud-credentials-gcp" not found
```

Solution

OADP should either:

  • validate that, for any cloud provider plugin in DPA spec.configuration.velero.defaultPlugins without a BSL (spec.backupLocations) or a VSL (spec.snapshotLocations) that uses it, its default secret exists in the OADP namespace
  • not add VolumeMount to Velero Deployment for any cloud provider plugin in DPA spec.configuration.velero.defaultPlugins without a BSL (spec.backupLocations) or a VSL (spec.snapshotLocations)
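The check the first option asks for, written as an added example (this is not the OADP operator's own code and uses simplified stand-ins for the DPA types): it computes the cloud provider plugins in defaultPlugins that no BSL or VSL references, and reports whose default secret is absent from the namespace. The aws and gcp secret names follow the ones visible in this issue (cloud-credentials, cloud-credentials-gcp); the azure entry, the `Location`/`DPASpec` types and the `existing` set passed in place of a Secret List call are assumptions for illustration. The same unreferenced-plugin set is what the second option would use to decide which VolumeMounts to leave out.

```go
package main

import (
	"fmt"
	"sort"
)

// Location is the subset of a DPA BackupLocation/SnapshotLocation entry this
// check needs: the provider the location is for. Hypothetical simplification,
// not the operator's API types.
type Location struct {
	Provider string
}

// DPASpec models only the three spec fields the issue is about.
type DPASpec struct {
	DefaultPlugins    []string
	BackupLocations   []Location
	SnapshotLocations []Location
}

// defaultSecretNames maps a cloud provider plugin to the secret the Velero
// Deployment mounts for it by default. aws and gcp use the names seen in the
// issue; azure is an assumed entry for illustration. Plugins not in this map
// (openshift, csi, ...) are not cloud providers and mount no secret.
var defaultSecretNames = map[string]string{
	"aws":   "cloud-credentials",
	"gcp":   "cloud-credentials-gcp",
	"azure": "cloud-credentials-azure",
}

// UnreferencedCloudPlugins returns, sorted, the cloud provider plugins in
// DefaultPlugins that no BSL or VSL uses. These are exactly the plugins the
// BSL/VSL validation never looks at, so their default secret is mounted
// unvalidated.
func UnreferencedCloudPlugins(spec DPASpec) []string {
	used := map[string]bool{}
	for _, l := range spec.BackupLocations {
		used[l.Provider] = true
	}
	for _, l := range spec.SnapshotLocations {
		used[l.Provider] = true
	}
	var out []string
	for _, p := range spec.DefaultPlugins {
		if _, isCloud := defaultSecretNames[p]; isCloud && !used[p] {
			out = append(out, p)
		}
	}
	sort.Strings(out)
	return out
}

// MissingDefaultSecrets returns the default secret names that the Velero Pod
// would try to mount but that do not exist in the OADP namespace. existing is
// the set of Secret names present there (in the operator this would come from
// a List call; it is passed in so the check is a pure function).
func MissingDefaultSecrets(spec DPASpec, existing map[string]bool) []string {
	var missing []string
	for _, p := range UnreferencedCloudPlugins(spec) {
		if name := defaultSecretNames[p]; !existing[name] {
			missing = append(missing, name)
		}
	}
	return missing
}

// ValidateDefaultPluginSecrets is the shape a DPA controller check would take:
// nil on success, otherwise an error naming every missing secret, so the DPA
// fails validation instead of producing a Velero Pod stuck on MountVolume.
func ValidateDefaultPluginSecrets(spec DPASpec, existing map[string]bool) error {
	if missing := MissingDefaultSecrets(spec, existing); len(missing) > 0 {
		return fmt.Errorf("default secret(s) %v for plugin(s) %v not found in OADP namespace",
			missing, UnreferencedCloudPlugins(spec))
	}
	return nil
}

func main() {
	// Constructed input mirroring the issue's DPA: aws has a BSL, gcp does not,
	// and only the aws secret exists in the namespace.
	spec := DPASpec{
		DefaultPlugins:  []string{"openshift", "aws", "gcp"},
		BackupLocations: []Location{{Provider: "aws"}},
	}
	secrets := map[string]bool{"cloud-credentials": true}
	fmt.Println(ValidateDefaultPluginSecrets(spec, secrets))
}
```

Plugins that a BSL or VSL does reference are deliberately skipped here, since their credential secret is already covered by the existing BSL/VSL validation; this check only closes the gap for plugins nothing references.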
@mateusoliveira43 (Contributor, Author)

This can be an opportunity to check for duplication around these 3 functions as well:

```go
func (r *DPAReconciler) ValidateBackupStorageLocations() (bool, error) {

func (r *DPAReconciler) ValidateVolumeSnapshotLocations() (bool, error) {

func (r *DPAReconciler) ValidateVeleroPlugins(log logr.Logger) (bool, error) {
```
