Uploaded image for project: 'OpenShift API for Data Protection'
  1. OpenShift API for Data Protection
  2. OADP-1945

caCert support for imagestream backup

XMLWordPrintable

    • False
    • Hide

      None

      Show
      None
    • False
    • ToDo
    • No
    • 0
    • 0
    • Very Likely
    • 0
    • Customer Escalated, Customer Facing
    • None
    • Unset
    • Unknown

      Description of problem:

       

      Following DPA spec with caCert should use provided caCert to communicate with s3 for imagestream backup.

      spec:
  backupLocations:
  - velero:
      objectStorage:
        caCert: <base64-of-caCert>

      Version-Release number of selected component (if applicable):

       

      How reproducible:

       

      Steps to Reproduce:
      1.
      2.
      3.

      Actual results:

       

      Expected results:

       

      Additional info:

       

      Tiger's Notes:

      Three solutions

      • PR to openshift/docker-distribution and distribution/distribution such that s3 driver code accepts CustomCABundle option.
      • Set ENV in velero pod AWS_CA_BUNDLE by OADP Operator
        • Less changes, faster to implement, may require pod restart for new ENV to take effect, and will require that CACert be specified in DPA, and won't work for BSL outside DPA.
        • we are hitting another roadblock which is 

      "

      failed to create new session with aws config: LoadCustomCABundleError: unable to load custom CA bundle, HTTPClient's transport unsupported type\ncaused by: unsupported transport

      "

      I suspect we may need to make an update to docker-distribution similar to a PR here allow using AWS specific environment variables by piotrkpc · Pull Request #3670 · kubernetes-sigs/external-dns (github.com) to move the config.WithHTTPClient after session.NewSessionWithOptions call.

       

      Today openshift/docker-distribution calls WithHTTPClient before NewSessionWithOptions which I suspect make AWS_CA_BUNDLE option not work.

      • Mount CABundle to pod's default trust ca location

      References

      Affected users:

      https://redhat-internal.slack.com/archives/C0144ECKUJ0/p1694078622699479

        1.
        		 [RedHat QE] Verify Bug OADP-1945 - caCert support for imagestream backup Sub-task New Undefined Amos Mastbaum
        2.
        		 [IBM QE-P] Verify Bug OADP-1945 - caCert support for imagestream backup Sub-task New Undefined Sonia Garudi
        3.
        		 [IBM QE-Z] Verify Bug OADP-1945 - caCert support for imagestream backup Sub-task New Undefined Maya Anilson

            msouzaol Mateus Oliveira
            tkaovila@redhat.com Tiger Kaovilai
            Amos Mastbaum Amos Mastbaum
            Votes:
            0 Vote for this issue
            Watchers:
            3 Start watching this issue

              Created:
              Updated: