Validation of default secrets for cloud provider plugins without BSL/VSL #1583

@mateusoliveira43

Description

Problem

If a cloud provider plugin is added to DPA spec.configuration.velero.defaultPlugins without a BSL (spec.backupLocations) or a VSL (spec.snapshotLocations) that uses it, OADP does not validate whether its default secret exists in the OADP namespace. This can cause the Velero Pod to never reach the running state.

How to reproduce

A DPA like this

```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  creationTimestamp: '2024-11-05T18:38:46Z'
  generation: 1
  managedFields:
    ...
  name: velero-sample
  namespace: openshift-adp
  resourceVersion: '597563237'
  uid: 51330ec5-8c38-48a5-bdb9-7f7cdafe42a9
spec:
  backupLocations:
    - velero:
        config:
          profile: default
          region: <secret>
        credential:
          key: cloud
          name: cloud-credentials
        default: true
        objectStorage:
          bucket: <secret>
          prefix: velero
        provider: aws
  configuration:
    velero:
      defaultPlugins:
        - openshift
        - aws
        - gcp
status:
  conditions:
    - lastTransitionTime: '2024-11-05T18:38:46Z'
      message: Reconcile complete
      reason: Complete
      status: 'True'
      type: Reconciled
```

passes DPA controller validation.

But if the default secret for the gcp provider is missing, the Velero Pod never succeeds. The Pod events show the following:

```
MountVolume.SetUp failed for volume "cloud-credentials-gcp" : secret "cloud-credentials-gcp" not found
```

Solution

OADP should either:

  • validate that, for any cloud provider plugin in DPA spec.configuration.velero.defaultPlugins without a BSL (spec.backupLocations) or a VSL (spec.snapshotLocations) that uses it, its default secret exists in the OADP namespace
  • not add a VolumeMount to the Velero Deployment for any cloud provider plugin in DPA spec.configuration.velero.defaultPlugins without a BSL (spec.backupLocations) or a VSL (spec.snapshotLocations)
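The first option above, as an added example that is not OADP's own code: a simplified, hypothetical validation that finds every cloud provider plugin in defaultPlugins that no BSL or VSL references and checks that its default secret is present before the Deployment is rendered. The DPA and Location types are constructed stand-ins for the real API types, existingSecrets stands in for a listing of Secrets in the OADP namespace, the aws and gcp secret names are the ones shown in this issue, and the azure name is an assumption.

```go
package main

import (
	"fmt"
	"sort"
)

// Constructed stand-ins for the DPA fields the issue talks about; not the OADP API types.
type Location struct{ Provider string }

type DPA struct {
	DefaultPlugins    []string
	BackupLocations   []Location // BSLs
	SnapshotLocations []Location // VSLs
}

// Default secret name per cloud provider plugin. The aws and gcp names appear in the
// issue's DPA and pod event; azure is assumed to follow the same naming convention.
var defaultSecretForPlugin = map[string]string{
	"aws":   "cloud-credentials",
	"gcp":   "cloud-credentials-gcp",
	"azure": "cloud-credentials-azure", // assumption
}

// pluginsWithoutLocation returns the cloud provider plugins in defaultPlugins that no
// BSL or VSL references. Non-cloud plugins such as "openshift" are ignored.
func pluginsWithoutLocation(dpa DPA) []string {
	referenced := map[string]bool{}
	for _, l := range dpa.BackupLocations {
		referenced[l.Provider] = true
	}
	for _, l := range dpa.SnapshotLocations {
		referenced[l.Provider] = true
	}
	var out []string
	for _, p := range dpa.DefaultPlugins {
		if _, isCloud := defaultSecretForPlugin[p]; isCloud && !referenced[p] {
			out = append(out, p)
		}
	}
	sort.Strings(out) // deterministic order for error messages and tests
	return out
}

// MissingDefaultSecrets returns the default secret names that the Velero Deployment
// would mount but that are absent from the namespace listing.
func MissingDefaultSecrets(dpa DPA, existingSecrets map[string]bool) []string {
	var missing []string
	for _, p := range pluginsWithoutLocation(dpa) {
		if name := defaultSecretForPlugin[p]; !existingSecrets[name] {
			missing = append(missing, name)
		}
	}
	return missing
}

// ValidateDPA fails reconciliation instead of letting the pod hang on a missing volume.
func ValidateDPA(dpa DPA, existingSecrets map[string]bool) error {
	if missing := MissingDefaultSecrets(dpa, existingSecrets); len(missing) > 0 {
		return fmt.Errorf("default secret(s) %v not found in OADP namespace", missing)
	}
	return nil
}

func main() {
	// Constructed DPA mirroring the issue: an aws BSL and plugins openshift, aws, gcp.
	dpa := DPA{
		DefaultPlugins:  []string{"openshift", "aws", "gcp"},
		BackupLocations: []Location{{Provider: "aws"}},
	}
	secrets := map[string]bool{"cloud-credentials": true} // gcp secret absent
	fmt.Println(ValidateDPA(dpa, secrets))
	secrets["cloud-credentials-gcp"] = true
	fmt.Println(ValidateDPA(dpa, secrets))
}
```

The aws plugin is skipped here because the BSL references it; in the real operator the BSL's own credential reference is validated separately. Only plugins with no location at all fall through to the default-secret check.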

Labels: lifecycle/frozen (indicates that an issue or PR should not be auto-closed due to staleness)