OADP-641: Update udistribution dependency to enable AWS_CA_BUNDLE support for self-signed certificates

[kaovilai]

Issue Summary

The openshift-velero-plugin needs to update its udistribution dependency to support AWS_CA_BUNDLE for self-signed certificates, resolving long-standing OADP internal image backup issues.

Background

OADP issue OADP-641 has been tracking x509 certificate errors with self-signed certificates for 2+ years. The solution is now available through updated dependencies.

Dependency Chain Status

OADP → openshift-velero-plugin → udistribution → openshift/docker-distribution

Recent updates:

1. ✅ openshift/docker-distribution - PR #44 merged (Jan 2025)
2. ✅ udistribution - needs update (tracked in migtools/udistribution#139)
3. 🔄 openshift-velero-plugin - [oadp-1.5] Update go mod after velero rebase #344 for 1.5, chore: update udistribution dependency to v0.0.15-oadp-1.5 #345 for master

Current Implementation

In velero-plugins/imagestream/shared.go:57, the plugin uses udistribution for image operations:

func GetUdistributionTransportForLocation(uid k8stypes.UID, location, namespace string, log logrus.FieldLogger) (*udistribution.UdistributionTransport, error) {
    // ...
    envs, err := GetRegistryEnvsForLocation(location, namespace)
    if err != nil {
        return nil, fmt.Errorf("errors getting registryenv: %v", err)
    }
    ut, err := udistribution.NewTransportFromNewConfig("", envs)
    // ...
}

Required Action

1. Wait for udistribution update: Monitor migtools/udistribution#139 completion
2. Update go.mod: Bump udistribution to version that includes the updated OpenShift docker-distribution fork
3. Test integration: Verify AWS_CA_BUNDLE environment variable support works end-to-end

Expected Behavior After Update

Users will be able to resolve self-signed certificate issues by:

1. Setting AWS_CA_BUNDLE environment variable:

   AWS_CA_BUNDLE=/path/to/ca-bundle.pem

2. Or using OpenShift certificate injection:

   metadata:
     labels:
       config.openshift.io/inject-trusted-cabundle: "true"

Testing Scenarios

Once updated, test with:

• Internal S3-compatible storage with self-signed certificates
• Private container registries with custom CA certificates
• Both AWS_CA_BUNDLE and OpenShift certificate injection methods

Impact

This resolves:

• OADP-641: Long-standing certificate validation issues
• Enables OADP usage with internal/air-gapped environments
• Supports enterprise PKI infrastructure requirements

Related Issues & PRs

• OADP-641: Support self-signed certificate for internal image backup
• migtools/udistribution#139
• openshift/docker-distribution#44
• distribution/distribution#3841
• distribution/distribution#4190

Documentation Update Needed

Update OADP documentation to include AWS_CA_BUNDLE usage instructions for self-signed certificate scenarios.

[kaovilai]

Cross-Reference: Related OADP-641 Issues

This issue is part of a coordinated effort to resolve OADP-641 across the entire dependency chain:

Dependency Chain:

OADP → openshift-velero-plugin → udistribution → openshift/docker-distribution

Related GitHub Issues:

• 🔄 Upstream dependency: migtools/udistribution#139 - Update docker-distribution dependency
• 🔄 This issue: openshift/openshift-velero-plugin#340 - Update udistribution dependency
• 🔄 Downstream integration: openshift/oadp-operator#1834 - Enable AWS_CA_BUNDLE support in OADP

Progress Status:

1. ✅ openshift/docker-distribution - PR #44 merged
2. 🔄 udistribution - migtools/udistribution#139 (blocks this issue)
3. 🔄 openshift-velero-plugin - this issue
4. ⏳ oadp-operator - waiting for plugin update

Dependencies:

• ⏳ Blocked by: migtools/udistribution#139 must be completed first
• 🔄 Blocks: openshift/oadp-operator#1834 waits for this issue

This coordinated effort will resolve the 2+ year old certificate validation issue affecting OADP users with self-signed certificates.