Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Normal
Fix Version/s: OADP 1.2.6
Affects Version/s: OADP 1.1.0, OADP 1.2.0
Component/s: registry
Labels:

Story Points:
1
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
QEStatus:
ToDo
Intelligence Requested:
Market:

Cost of Delay:
0
WSJF:
0.000
Risk Probability:
Very Likely
Risk Score:
0
Customer Impact:

Customer Escalated, Customer Facing

Workstream:

None

Root Cause:
Unset
Failure Category:
Unknown

Regression:
No

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

PX Priority Data:
PX Impact Score:
PX Review Complete:

Description of problem:

Following DPA spec with caCert should use provided caCert to communicate with s3 for imagestream backup.

spec:
  backupLocations:
  - velero:
      objectStorage:
        caCert: <base64-of-caCert>

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1.
2.
3.

Actual results:

Expected results:

Additional info:

Tiger's Notes:

Three solutions

PR to openshift/docker-distribution and distribution/distribution such that s3 driver code accepts CustomCABundle option.
- Cleaner result, can accept updated BSL's customca without restarting velero pod
- Like so: s3: support custom ca cert by kaovilai · Pull Request #3734 · distribution/distribution (github.com)
Set ENV in velero pod AWS_CA_BUNDLE by OADP Operator
- Less changes, faster to implement, may require pod restart for new ENV to take effect, and will require that CACert be specified in DPA, and won't work for BSL outside DPA.
- we are hitting another roadblock which is

failed to create new session with aws config: LoadCustomCABundleError: unable to load custom CA bundle, HTTPClient's transport unsupported type\ncaused by: unsupported transport

I suspect we may need to make an update to docker-distribution similar to a PR here allow using AWS specific environment variables by piotrkpc · Pull Request #3670 · kubernetes-sigs/external-dns (github.com) to move the config.WithHTTPClient after session.NewSessionWithOptions call.

Today openshift/docker-distribution calls WithHTTPClient before NewSessionWithOptions which I suspect make AWS_CA_BUNDLE option not work.

Mount CABundle to pod's default trust ca location

References

Affected users:

https://redhat-internal.slack.com/archives/C0144ECKUJ0/p1694078622699479

is related to

OADP-4815 Imagestream backups are partially failing when dpa is configured with caCert

OADP-4817 Imagestream backups are partially failing when dpa is configured with caCert

1.	[RedHat QE] Verify Bug OADP-1945 - caCert support for imagestream backup	New	Amos Mastbaum
2.	[IBM QE-P] Verify Bug OADP-1945 - caCert support for imagestream backup	New	Sonia Garudi
3.	[IBM QE-Z] Verify Bug OADP-1945 - caCert support for imagestream backup	New	Maya Anilson (Inactive)

Assignee:: Mateus Oliveira

Reporter:: Tiger Kaovilai

QA Contact:: Amos Mastbaum

Votes:: 0 Vote for this issue

Watchers:: 4 Start watching this issue

Created:: 2023/05/17 1:22 PM

Updated:: 2024/11/07 6:30 AM

Details

Description

Description of problem:

Actual results:

Attachments

Issue Links

Easy Agile Planning Poker

Sub-Tasks

Activity

People

Dates