OADP-641: Update OpenShift docker-distribution dependency to enable AWS_CA_BUNDLE support for self-signed certificates

[kaovilai]

Issue Summary

The current udistribution dependency on OpenShift docker-distribution needs to be updated to include AWS_CA_BUNDLE support for self-signed certificates, which is required for OADP internal image backup functionality.

Background

OADP issue OADP-641 has been blocked for 2+ years due to x509 certificate errors when using self-signed certificates with internal image backups. Investigation shows the solution is now available but requires dependency updates.

Current Status

OpenShift docker-distribution fork now has AWS_CA_BUNDLE support through:

• PR #44 - merged Jan 2025
• Cherry-picks distribution/distribution#4190 which preserves AWS_CA_BUNDLE functionality from distribution/distribution#3841

Dependency Chain

OADP → openshift-velero-plugin → udistribution → openshift/docker-distribution

Current go.mod in udistribution

replace github.com/distribution/distribution/v3 => github.com/openshift/docker-distribution/v3 v3.0.0-20250120104846-a24972526437

Required Action

Update the udistribution dependency to use a version of openshift/docker-distribution that includes PR #44 (merged commit: 21eefccb821fbc4b34d33da5a4b07b4ed3b964e5).

Expected Outcome

After updating the dependency, udistribution will support:

1. AWS_CA_BUNDLE environment variable for custom CA certificates
2. Proxy support with proper transport cloning
3. Self-signed certificate compatibility for S3-compatible storage

Implementation

The AWS SDK will automatically respect the AWS_CA_BUNDLE environment variable when set, allowing users to specify custom CA certificates for S3 operations without code changes.

Testing

Once updated, this should resolve certificate validation issues when:

• Using S3-compatible storage with self-signed certificates
• Setting AWS_CA_BUNDLE=/path/to/ca-bundle.pem
• Using internal registries with custom CA certificates

Related Issues

• OADP-641: Support self-signed certificate for internal image backup
• Support AWS_CA_BUNDLE when talking to the S3 API distribution/distribution#3841
• fix: use http.DefaultTransport in S3 client distribution/distribution#4190
• OCPBUGS-25981: UPSTREAM distribution/distribution: 4190 fix: use http.DefaultTransport in S3 client openshift/docker-distribution#44

This update will unblock OADP's ability to support self-signed certificates for internal image backups that has been requested for over 2 years.

[kaovilai]

Cross-Reference: Related OADP-641 Issues

This issue is part of a coordinated effort to resolve OADP-641 across the entire dependency chain:

Dependency Chain:

OADP → openshift-velero-plugin → udistribution → openshift/docker-distribution

Related GitHub Issues:

• 🔄 This issue: migtools/udistribution#139 - Update docker-distribution dependency
• 🔄 Downstream: openshift/openshift-velero-plugin#340 - Update udistribution dependency
• 🔄 Final integration: openshift/oadp-operator#1834 - Enable AWS_CA_BUNDLE support in OADP

Progress Status:

1. ✅ openshift/docker-distribution - PR #44 merged
2. 🔄 udistribution - this issue
3. ⏳ openshift-velero-plugin - waiting for udistribution update
4. ⏳ oadp-operator - waiting for plugin update

Once this issue is resolved, it will unblock the downstream dependencies and ultimately resolve the 2+ year old certificate validation issue in OADP.

[kaovilai]

Fixed by #141