
Validation of default secrets for cloud provider plugins without BSL/VSL #1583

Open
mateusoliveira43 opened this issue Nov 5, 2024 · 3 comments
Labels
lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness.

Comments

@mateusoliveira43
Contributor

Problem

If a cloud provider plugin is added to DPA spec.configuration.velero.defaultPlugins without a BSL (spec.backupLocations) or a VSL (spec.snapshotLocations) that uses it, OADP does not validate whether its default secret exists in the OADP namespace. This can cause the Velero Pod to never reach the running state.

How to reproduce

A DPA like this

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  creationTimestamp: '2024-11-05T18:38:46Z'
  generation: 1
  managedFields:
    ...
  name: velero-sample
  namespace: openshift-adp
  resourceVersion: '597563237'
  uid: 51330ec5-8c38-48a5-bdb9-7f7cdafe42a9
spec:
  backupLocations:
    - velero:
        config:
          profile: default
          region: <secret>
        credential:
          key: cloud
          name: cloud-credentials
        default: true
        objectStorage:
          bucket: <secret>
          prefix: velero
        provider: aws
  configuration:
    velero:
      defaultPlugins:
        - openshift
        - aws
        - gcp
status:
  conditions:
    - lastTransitionTime: '2024-11-05T18:38:46Z'
      message: Reconcile complete
      reason: Complete
      status: 'True'
      type: Reconciled

passes DPA controller validation.

But, if the default secret for the gcp provider is missing, the Velero Pod never succeeds. The Pod events show the following:

MountVolume.SetUp failed for volume "cloud-credentials-gcp" : secret "cloud-credentials-gcp" not found

Solution

OADP should either:

  • validate that, for any cloud provider plugin in DPA spec.configuration.velero.defaultPlugins without a BSL (spec.backupLocations) or a VSL (spec.snapshotLocations) that uses it, its default secret exists in the OADP namespace
  • not add a VolumeMount to the Velero Deployment for any cloud provider plugin in DPA spec.configuration.velero.defaultPlugins without a BSL (spec.backupLocations) or a VSL (spec.snapshotLocations)
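The first proposed check, written out as an added example that is not OADP's own code: the DPA types below are simplified stand-ins for the real oadp.openshift.io/v1alpha1 types, the secretExists callback replaces a Secret lookup in the OADP namespace, and the azure secret name is an assumption (aws and gcp names come from this issue).

```go
package main

import "fmt"

// Simplified stand-ins for the DPA fields discussed in this issue, not the
// real oadp.openshift.io/v1alpha1 types: a location only needs its provider.
type Location struct{ Provider string }

type DPASpec struct {
	DefaultPlugins    []string   // spec.configuration.velero.defaultPlugins
	BackupLocations   []Location // spec.backupLocations
	SnapshotLocations []Location // spec.snapshotLocations
}

// Default secret mounted into the Velero Deployment per cloud provider plugin.
// aws and gcp names come from the issue; azure is an assumption.
var defaultSecretName = map[string]string{
	"aws":   "cloud-credentials",
	"gcp":   "cloud-credentials-gcp",
	"azure": "cloud-credentials-azure",
}

// MissingDefaultSecrets returns the default secrets that would be mounted but
// do not exist in the OADP namespace. Only plugins with no BSL or VSL using
// their provider are checked (locations are validated by the existing BSL/VSL
// validation); secretExists stands in for a Secret lookup in the namespace.
func MissingDefaultSecrets(spec DPASpec, secretExists func(name string) bool) []string {
	usedByLocation := map[string]bool{}
	for _, bsl := range spec.BackupLocations {
		usedByLocation[bsl.Provider] = true
	}
	for _, vsl := range spec.SnapshotLocations {
		usedByLocation[vsl.Provider] = true
	}
	missing := []string{}
	for _, plugin := range spec.DefaultPlugins {
		secret, isCloud := defaultSecretName[plugin]
		if !isCloud || usedByLocation[plugin] {
			continue // e.g. the openshift plugin, or a provider covered by a BSL/VSL
		}
		if !secretExists(secret) {
			missing = append(missing, secret)
		}
	}
	return missing
}

func main() {
	// The DPA from this issue: aws has a BSL, gcp has neither a BSL nor a VSL.
	spec := DPASpec{DefaultPlugins: []string{"openshift", "aws", "gcp"}, BackupLocations: []Location{{Provider: "aws"}}}
	onlyAWS := func(name string) bool { return name == "cloud-credentials" } // constructed namespace contents
	fmt.Println("missing default secrets:", MissingDefaultSecrets(spec, onlyAWS)) // [cloud-credentials-gcp]
}
```

With the issue's DPA and only cloud-credentials present, the check reports cloud-credentials-gcp as missing, which is exactly the secret the Pod event above fails to mount.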
@mateusoliveira43
Contributor Author

This can be an opportunity to check duplication around these 3 functions as well:

func (r *DPAReconciler) ValidateBackupStorageLocations() (bool, error) {

func (r *DPAReconciler) ValidateVolumeSnapshotLocations() (bool, error) {

func (r *DPAReconciler) ValidateVeleroPlugins(log logr.Logger) (bool, error) {

@openshift-bot

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Feb 4, 2025
@kaovilai
Member

kaovilai commented Feb 5, 2025

/lifecycle frozen

@openshift-ci openshift-ci bot added lifecycle/frozen Indicates that an issue or PR should not be auto-closed due to staleness. and removed lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. labels Feb 5, 2025