Skip to content

OADP-6669: Use CloudStorage creationSecret and config as fallback for BSL #1942

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 2 commits into
base: oadp-dev
Choose a base branch
from
Open

OADP-6669: Use CloudStorage creationSecret and config as fallback for BSL #1942

wants to merge 2 commits into from
+183 −21

Conversation

kaovilai
Copy link
Member

@kaovilai kaovilai commented Sep 5, 2025
edited
Loading

Description

This PR enhances the CloudStorage integration in DataProtectionApplication (DPA) resources by implementing automatic fallback mechanisms for both credentials and configuration when using CloudStorage CRs.

Changes

1. Credential Fallback (commit aa93572)

When a DPA references a CloudStorage CR without explicit credentials, the BSL controller now automatically uses the CloudStorage's creationSecret as a fallback for authentication.

Benefits:

  • Eliminates credential duplication between CloudStorage and DPA resources
  • Simplifies configuration when using CloudStorage CRs
  • Maintains backward compatibility with existing configurations

2. Configuration and Region Fallback (commit 345b342)

The BSL now inherits configuration values from the CloudStorage CR as fallback, including automatic region propagation.

Implementation details:

  • CloudStorage CR's config field values are used as base configuration
  • CloudStorage CR's region field is automatically added to BSL config
  • DPA's CloudStorageLocation.Config values override CloudStorage CR values (higher priority)
  • Supports all provider-specific configurations (AWS, Azure, GCP)

Example use case:

# CloudStorage CR defines base configuration
apiVersion: oadp.openshift.io/v1alpha1
kind: CloudStorage
metadata:
  name: my-storage
spec:
  provider: aws
  region: us-west-2
  config:
    serverSideEncryption: "AES256"
    s3ForcePathStyle: "true"
  creationSecret:
    name: cloud-creds
    key: credentials

---
# DPA can reference CloudStorage without duplicating config
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: my-dpa
spec:
  backupLocations:
    - cloudStorage:
        cloudStorageRef:
          name: my-storage
        # No need to specify credential or config - inherited from CloudStorage
        # Can optionally override specific values:
        config:
          profile: "custom"  # This overrides while keeping other CloudStorage configs

Testing

  • Added comprehensive test coverage for both credential and config fallback scenarios
  • Updated existing tests to account for inherited region configuration
  • All tests passing: go test ./internal/controller/ -run TestDPAReconciler_ReconcileBackupStorageLocations

Impact

This change is backward compatible and improves the user experience by:

  1. Reducing configuration duplication
  2. Centralizing cloud storage settings in CloudStorage CRs
  3. Maintaining flexibility to override at the DPA level when needed

Fixes #[issue_number] (if applicable)

🤖 Generated with Claude Code

Co-Authored-By: Claude [email protected]

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Sep 5, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 5, 2025
@kaovilai kaovilai changed the title feat: Use CloudStorage creationSecret as fallback for BSL credentials OADP-6669: Use CloudStorage creationSecret as fallback for BSL credentials Sep 5, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Sep 5, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Sep 5, 2025
edited by openshift-ci bot
Loading

@kaovilai: This pull request references OADP-6669 which is a valid jira issue.

In response to this:

When a DataProtectionApplication references a CloudStorage CR without
providing explicit credentials, the BSL controller now uses the
CloudStorage's creationSecret as a fallback for authentication.

Changes:

  • Enhanced BSL reconciliation to fallback to CloudStorage's creationSecret
    when DPA doesn't specify credentials
  • Moved fallback logic into centralized getSecretNameAndKeyFromCloudStorage
    function for better code organization
  • Updated validation to allow nil credentials when CloudStorage is referenced
  • Fixed related test cases to handle the new fallback behavior

This allows users to avoid duplicating credential configuration between
CloudStorage and DataProtectionApplication resources.

🤖 Generated with Claude Code

Co-Authored-By: Claude [email protected]

Why the changes were made

How to test the changes made

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kaovilai @claude
feat: Use CloudStorage creationSecret as fallback for BSL credentials
aa93572 
When a DataProtectionApplication references a CloudStorage CR without
providing explicit credentials, the BSL controller now uses the
CloudStorage's creationSecret as a fallback for authentication.

Changes:
- Enhanced BSL reconciliation to fallback to CloudStorage's creationSecret
  when DPA doesn't specify credentials
- Moved fallback logic into centralized getSecretNameAndKeyFromCloudStorage
  function for better code organization
- Updated validation to allow nil credentials when CloudStorage is referenced
- Fixed related test cases to handle the new fallback behavior

This allows users to avoid duplicating credential configuration between
CloudStorage and DataProtectionApplication resources.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@kaovilai kaovilai force-pushed the dpaFallBackCloudstorageCreds branch from d7f5abf to aa93572 Compare September 5, 2025 18:39
@kaovilai @claude
feat: Add CloudStorage config and region fallback to BSL
345b342 
When a DataProtectionApplication references a CloudStorage CR, the BSL
now inherits configuration values from the CloudStorage CR as fallback,
similar to the credential fallback mechanism.

Changes:
- BSL now uses CloudStorage CR's Config field as base configuration
- CloudStorage CR's Region field is automatically added to BSL config
- DPA's CloudStorageLocation.Config values override CloudStorage values
- Added comprehensive test coverage for config fallback behavior

This enhancement allows users to define provider-specific settings once
in the CloudStorage CR without needing to duplicate them in the DPA,
while still maintaining the ability to override specific values at the
DPA level when needed.

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@openshift-ci-robot
Copy link

openshift-ci-robot commented Sep 5, 2025
edited by openshift-ci bot
Loading

@kaovilai: This pull request references OADP-6669 which is a valid jira issue.

In response to this:

Description

This PR enhances the CloudStorage integration in DataProtectionApplication (DPA) resources by implementing automatic fallback mechanisms for both credentials and configuration when using CloudStorage CRs.

Changes

1. Credential Fallback (commit aa93572)

When a DPA references a CloudStorage CR without explicit credentials, the BSL controller now automatically uses the CloudStorage's creationSecret as a fallback for authentication.

Benefits:

  • Eliminates credential duplication between CloudStorage and DPA resources
  • Simplifies configuration when using CloudStorage CRs
  • Maintains backward compatibility with existing configurations

2. Configuration and Region Fallback (commit 345b342)

The BSL now inherits configuration values from the CloudStorage CR as fallback, including automatic region propagation.

Implementation details:

  • CloudStorage CR's config field values are used as base configuration
  • CloudStorage CR's region field is automatically added to BSL config
  • DPA's CloudStorageLocation.Config values override CloudStorage CR values (higher priority)
  • Supports all provider-specific configurations (AWS, Azure, GCP)

Example use case:

# CloudStorage CR defines base configuration
apiVersion: oadp.openshift.io/v1alpha1
kind: CloudStorage
metadata:
 name: my-storage
spec:
 provider: aws
 region: us-west-2
 config:
   serverSideEncryption: "AES256"
   s3ForcePathStyle: "true"
 creationSecret:
   name: cloud-creds
   key: credentials

---
# DPA can reference CloudStorage without duplicating config
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
 name: my-dpa
spec:
 backupLocations:
   - cloudStorage:
       cloudStorageRef:
         name: my-storage
       # No need to specify credential or config - inherited from CloudStorage
       # Can optionally override specific values:
       config:
         profile: "custom"  # This overrides while keeping other CloudStorage configs

Testing

  • Added comprehensive test coverage for both credential and config fallback scenarios
  • Updated existing tests to account for inherited region configuration
  • All tests passing: go test ./internal/controller/ -run TestDPAReconciler_ReconcileBackupStorageLocations

Impact

This change is backward compatible and improves the user experience by:

  1. Reducing configuration duplication
  2. Centralizing cloud storage settings in CloudStorage CRs
  3. Maintaining flexibility to override at the DPA level when needed

Fixes #[issue_number] (if applicable)

🤖 Generated with Claude Code

Co-Authored-By: Claude [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@kaovilai kaovilai changed the title OADP-6669: Use CloudStorage creationSecret as fallback for BSL credentials OADP-6669: Use CloudStorage creationSecret and config as fallback for BSL Sep 5, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Sep 5, 2025

@kaovilai: The following tests failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name Commit Details Required Rerun command
ci/prow/unit-test 345b342 link true /test unit-test
ci/prow/4.20-e2e-test-hcp-aws 345b342 link false /test 4.20-e2e-test-hcp-aws

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@mpryc mpryc Awaiting requested review from mpryc

@shubham-pampattiwar shubham-pampattiwar Awaiting requested review from shubham-pampattiwar

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@kaovilai @openshift-ci-robot