feat: Use CloudStorage creationSecret as fallback for BSL credentials

When a DataProtectionApplication references a CloudStorage CR without
providing explicit credentials, the BSL controller now uses the
CloudStorage's creationSecret as a fallback for authentication.

Changes:
- Enhanced BSL reconciliation to fallback to CloudStorage's creationSecret
  when DPA doesn't specify credentials
- Moved fallback logic into centralized getSecretNameAndKeyFromCloudStorage
  function for better code organization
- Updated validation to allow nil credentials when CloudStorage is referenced
- Fixed related test cases to handle the new fallback behavior

This allows users to avoid duplicating credential configuration between
CloudStorage and DataProtectionApplication resources.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>

Author: kaovilai

internal/controller/bsl.go

@@ -182,7 +182,18 @@ func (r *DataProtectionApplicationReconciler) ReconcileBackupStorageLocations(lo
 					}
 					bsl.Spec.Config["enableSharedConfig"] = "true"
 				}
-				bsl.Spec.Credential = bslSpec.CloudStorage.Credential
+				// Use DPA's CloudStorage credential if provided, otherwise fallback to CloudStorage's creationSecret
+				if bslSpec.CloudStorage.Credential != nil {
+					bsl.Spec.Credential = bslSpec.CloudStorage.Credential
+				} else {
+					// Use CloudStorage's creationSecret as the BSL credential
+					bsl.Spec.Credential = &corev1.SecretKeySelector{
+						LocalObjectReference: corev1.LocalObjectReference{
+							Name: bucket.Spec.CreationSecret.Name,
+						},
+						Key: bucket.Spec.CreationSecret.Key,
+					}
+				}
 				bsl.Spec.Default = bslSpec.CloudStorage.Default
 				bsl.Spec.ObjectStorage = &velerov1.ObjectStorageLocation{
 					Bucket: bucket.Spec.Name,
@@ -537,21 +548,15 @@ func (r *DataProtectionApplicationReconciler) ensureSecretDataExists(bsl *oadpv1
 
 	// Get secret details from either CloudStorage or Velero
 	if bsl.CloudStorage != nil {
-		// Make sure credentials are specified.
-		if bsl.CloudStorage.Credential == nil {
-			return fmt.Errorf("must provide a valid credential secret")
-		}
-		if bsl.CloudStorage.Credential.Name == "" {
-			return fmt.Errorf("must provide a valid credential secret name")
-		}
-		// Check if user specified empty credential key
-		if bsl.CloudStorage.Credential.Key == "" {
-			return fmt.Errorf("must provide a valid credential secret key")
-		}
+		// Get credentials - this will fallback to CloudStorage CR if needed
 		secretName, secretKey, err = r.getSecretNameAndKeyFromCloudStorage(bsl.CloudStorage)
 		if err != nil {
 			return err
 		}
+		// If still no secret found, it means CloudStorage CR doesn't exist or has no credentials
+		if secretName == "" {
+			return fmt.Errorf("must provide credentials either in DPA or CloudStorage CR")
+		}
 
 		// Get provider type from CloudStorage
 		if bsl.CloudStorage.CloudStorageRef.Name != "" {

internal/controller/bsl_test.go

@@ -4564,7 +4564,7 @@ AZURE_CLOUD_NAME=AzurePublicCloud`),
 			wantErr: false,
 		},
 		{
-			name: "CloudStorage without credentials",
+			name: "CloudStorage without credentials - should use CloudStorage's creationSecret",
 			dpa: &oadpv1alpha1.DataProtectionApplication{
 				ObjectMeta: metav1.ObjectMeta{
 					Name:      "test-dpa",
@@ -4584,8 +4584,34 @@ AZURE_CLOUD_NAME=AzurePublicCloud`),
 					Credential: nil,
 				},
 			},
-			wantErr: true,
-			errMsg:  "must provide a valid credential secret",
+			objects: []client.Object{
+				&oadpv1alpha1.CloudStorage{
+					ObjectMeta: metav1.ObjectMeta{
+						Name:      "no-cred-cs",
+						Namespace: "test-ns",
+					},
+					Spec: oadpv1alpha1.CloudStorageSpec{
+						Name:     "test-bucket",
+						Provider: oadpv1alpha1.AWSBucketProvider,
+						CreationSecret: corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "cloud-creds",
+							},
+							Key: "cloud",
+						},
+					},
+				},
+			},
+			secret: &corev1.Secret{
+				ObjectMeta: metav1.ObjectMeta{
+					Name:      "cloud-creds",
+					Namespace: "test-ns",
+				},
+				Data: map[string][]byte{
+					"cloud": []byte("[default]\naws_access_key_id=test\naws_secret_access_key=test"),
+				},
+			},
+			wantErr: false, // Should succeed using CloudStorage's creationSecret
 		},
 		{
 			name: "CloudStorage with empty credential name",
@@ -4613,7 +4639,7 @@ AZURE_CLOUD_NAME=AzurePublicCloud`),
 				},
 			},
 			wantErr: true,
-			errMsg:  "must provide a valid credential secret name",
+			errMsg:  "Secret key specified in CloudStorage cannot be empty",
 		},
 		{
 			name: "CloudStorage with empty credential key",
@@ -4642,7 +4668,7 @@ AZURE_CLOUD_NAME=AzurePublicCloud`),
 				},
 			},
 			wantErr: true,
-			errMsg:  "must provide a valid credential secret key",
+			errMsg:  "Secret key specified in CloudStorage cannot be empty",
 		},
 		{
 			name: "CloudStorage not found",

internal/controller/registry.go

@@ -251,6 +251,15 @@ func (r *DataProtectionApplicationReconciler) getSecretNameAndKeyFromCloudStorag
 		err := r.verifySecretContent(secretName, secretKey)
 		return secretName, secretKey, err
 	}
+
+	// If no credential is specified, fallback to CloudStorage's creationSecret
+	if cloudStorage.CloudStorageRef.Name != "" {
+		bucket := &oadpv1alpha1.CloudStorage{}
+		if err := r.Get(r.Context, client.ObjectKey{Namespace: r.dpa.Namespace, Name: cloudStorage.CloudStorageRef.Name}, bucket); err == nil {
+			return bucket.Spec.CreationSecret.Name, bucket.Spec.CreationSecret.Key, nil
+		}
+	}
+
 	return "", "", nil
 }
 

internal/controller/registry_test.go

@@ -316,6 +316,11 @@ func TestDPAReconciler_getSecretNameAndKeyFromCloudStorage(t *testing.T) {
 				Log:           logr.Discard(),
 				Context:       newContextForTest(),
 				EventRecorder: record.NewFakeRecorder(10),
+				dpa: &oadpv1alpha1.DataProtectionApplication{
+					ObjectMeta: metav1.ObjectMeta{
+						Namespace: "test-ns",
+					},
+				},
 			}
 
 			if tt.wantProfile == "aws-cloud-cred" {

internal/controller/validator_test.go

@@ -557,12 +557,19 @@ func TestDPAReconciler_ValidateDataProtectionCR(t *testing.T) {
 						Namespace: "test-ns",
 					},
 					Spec: oadpv1alpha1.CloudStorageSpec{
+						Name:     "test-bucket",
 						Provider: "aws",
+						CreationSecret: corev1.SecretKeySelector{
+							LocalObjectReference: corev1.LocalObjectReference{
+								Name: "", // Empty secret name
+							},
+							Key: "cloud",
+						},
 					},
 				},
 			},
 			wantErr:    true,
-			messageErr: "must provide a valid credential secret",
+			messageErr: "must provide credentials either in DPA or CloudStorage CR",
 		},
 		{
 			name: "given valid DPA CR bucket BSL configured and AWS Default Plugin with secret",