OADP-4817, OADP-1945, OADP-641: Add AWS_CA_BUNDLE support for custom CA certificates in BSLs

[kaovilai]

Cherry-pick of #1930 (master) / #1943 (oadp-1.5) adapted for oadp-1.4 branch structure.

Summary

• Add processCACertForBSLs() to extract CA certificates from BSL configurations and create velero-ca-bundle ConfigMap
• Add processCACertificatesForVelero() to mount the ConfigMap and set AWS_CA_BUNDLE environment variable in the Velero deployment
• AWS_CA_BUNDLE triggers AWS SDK native CA certificate functionality for S3 operations, enabling imagestream backup in air-gapped environments with custom CAs
• Comprehensive unit tests for both functions (6 test cases)

Adaptation notes

oadp-1.4 uses controllers/ package with DPAReconciler (master uses internal/controller/ with DataProtectionApplicationReconciler). DPA is passed as a function parameter since oadp-1.4's reconciler has no r.dpa field.

Known limitation

If any BSL has caCert, the AWS_CA_BUNDLE env var applies to all BSLs' imagestream S3 client (env var is container-wide).

Related

• Master: OADP-641: Add AWS_CA_BUNDLE support for BSL custom CA certificates #1930
• oadp-1.5: [oadp-1.5] OADP-641: Add AWS_CA_BUNDLE support for BSL custom CA certificates #1943
• Jira: OADP-1945, OADP-4817, OADP-641

Corresponding openshift-velero-plugin PRs (already merged to oadp-1.4)

• openshift-velero-plugin#290 — docker-distribution fix (master)
• openshift-velero-plugin#293 — oadp-1.4 backport of Fix permissions in kubebuilder annotations #290
• openshift-velero-plugin#375 — updated udist for oadp-1.4 (replacement for OADP Operator installation on Azure Red Hat Openshift - Issues with Velero instance creation on azure cloud #293)

[openshift-ci-robot]

@kaovilai: This pull request references OADP-641 which is a valid jira issue.

Details

In response to this:

Cherry-pick of #1930 (master) / #1943 (oadp-1.5) adapted for oadp-1.4 branch structure.\n\n## Summary\n\n- Add processCACertForBSLs() to extract CA certificates from BSL configurations and create velero-ca-bundle ConfigMap\n- Add processCACertificatesForVelero() to mount the ConfigMap and set AWS_CA_BUNDLE environment variable in the Velero deployment\n- AWS_CA_BUNDLE triggers AWS SDK native CA certificate functionality for S3 operations, enabling imagestream backup in air-gapped environments with custom CAs\n- Comprehensive unit tests for both functions (6 test cases)\n\n## Adaptation notes\n\noadp-1.4 uses controllers/ package with DPAReconciler (master uses internal/controller/ with DataProtectionApplicationReconciler). DPA is passed as a function parameter since oadp-1.4's reconciler has no r.dpa field.\n\n## Known limitation\n\nIf any BSL has caCert, the AWS_CA_BUNDLE env var applies to all BSLs' imagestream S3 client (env var is container-wide).\n\n## Related\n\n- Master: #1930\n- oadp-1.5: #1943\n- Jira: OADP-1945, OADP-641

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[coderabbitai]

Important

Review skipped

Auto reviews are disabled on base/target branches other than the default branch.

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Enterprise

Run ID: 23be52e4-11bb-4a31-8e62-6a9bbc5175f0

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

Use the checkbox below for a quick retry:

• 🔍 Trigger review

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [kaovilai]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@kaovilai: This pull request references OADP-1945 which is a valid jira issue.

This pull request references OADP-641 which is a valid jira issue.

Details

In response to this:

Cherry-pick of #1930 (master) / #1943 (oadp-1.5) adapted for oadp-1.4 branch structure.\n\n## Summary\n\n- Add processCACertForBSLs() to extract CA certificates from BSL configurations and create velero-ca-bundle ConfigMap\n- Add processCACertificatesForVelero() to mount the ConfigMap and set AWS_CA_BUNDLE environment variable in the Velero deployment\n- AWS_CA_BUNDLE triggers AWS SDK native CA certificate functionality for S3 operations, enabling imagestream backup in air-gapped environments with custom CAs\n- Comprehensive unit tests for both functions (6 test cases)\n\n## Adaptation notes\n\noadp-1.4 uses controllers/ package with DPAReconciler (master uses internal/controller/ with DataProtectionApplicationReconciler). DPA is passed as a function parameter since oadp-1.4's reconciler has no r.dpa field.\n\n## Known limitation\n\nIf any BSL has caCert, the AWS_CA_BUNDLE env var applies to all BSLs' imagestream S3 client (env var is container-wide).\n\n## Related\n\n- Master: #1930\n- oadp-1.5: #1943\n- Jira: OADP-1945, OADP-641

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[kaovilai]

Note

Responses generated with Claude

This cherry-pick was opened as a courtesy for the assignee of OADP-1945 (Michal Pryc), which targets OADP 1.4.11. The velero plugin side is already merged (openshift-velero-plugin#293, #375) — this PR is the only remaining piece needed for caCert/imagestream backup to work on oadp-1.4.

[openshift-ci-robot]

@kaovilai: This pull request references OADP-4817 which is a valid jira issue.

This pull request references OADP-1945 which is a valid jira issue.

This pull request references OADP-641 which is a valid jira issue.

Details

In response to this:

Cherry-pick of #1930 (master) / #1943 (oadp-1.5) adapted for oadp-1.4 branch structure.

Summary

• Add processCACertForBSLs() to extract CA certificates from BSL configurations and create velero-ca-bundle ConfigMap
• Add processCACertificatesForVelero() to mount the ConfigMap and set AWS_CA_BUNDLE environment variable in the Velero deployment
• AWS_CA_BUNDLE triggers AWS SDK native CA certificate functionality for S3 operations, enabling imagestream backup in air-gapped environments with custom CAs
• Comprehensive unit tests for both functions (6 test cases)

Adaptation notes

oadp-1.4 uses controllers/ package with DPAReconciler (master uses internal/controller/ with DataProtectionApplicationReconciler). DPA is passed as a function parameter since oadp-1.4's reconciler has no r.dpa field.

Known limitation

If any BSL has caCert, the AWS_CA_BUNDLE env var applies to all BSLs' imagestream S3 client (env var is container-wide).

Related

• Master: OADP-641: Add AWS_CA_BUNDLE support for BSL custom CA certificates #1930
• oadp-1.5: [oadp-1.5] OADP-641: Add AWS_CA_BUNDLE support for BSL custom CA certificates #1943
• Jira: OADP-1945, OADP-641

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

[kaovilai]

/retest

[openshift-ci]

@kaovilai: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.