Uploaded image for project: 'OpenShift API for Data Protection'
  1. OpenShift API for Data Protection
  2. OADP-3259

Make using Velero CLI via velero deployment with caCert simple.

XMLWordPrintable

    • Icon: Feature Request Feature Request
    • Resolution: Unresolved
    • Icon: Undefined Undefined
    • OADP 1.4.0
    • None
    • None
    • None
    • False
    • Hide

      None

      Show
      None
    • False
    • Not Selected
    • ToDo
    • 0
    • 0
    • Very Likely
    • 0
    • None
    • Unset
    • Unknown

      Terminology:

      • Velero CLI via velero deployment, AKA aliased velero refers to velero command via alias
      alias velero='oc -n openshift-adp exec deployment/velero -c velero -it -- ./velero'

      Potential Solutions

      • Velero CLI automatically get cacert from BSL config
      • Velero cloud provider plugin writes cacert from bsl config to some path in velero pod
      • OADP mount the caCert from bsl config in dpa automatically

      Current workaround: https://access.redhat.com/articles/5456281#using-cacert-with-velero-command-aliased-via-velero-deployment-45

      Case(s)

       
      The user experience here is sub-optimal, 100% agree.
      Shelling into the running container to execute `velero` commands is meant as convenience to avoid downloading the velero binary to a customers workstation.
      In the case where a customer is using custom certs the user experience degrades further.

      The full setup for a workstation use of the velero command would be to:
      1. install the client
      https://github.com/vmware-tanzu/velero/releases/tag/v1.13.2
      2. Ensure the workstation has the cacert / bundle on the local workstation
      3. execute the velero commands

      `./velero backup get -n openshift-adp --cacert <PATH_TO_CA_BUNDLE>`

      Noting that the user experience can be improved and that work will be done in the upstream project, unfortunately it will not be done quickly as consensus with community must be reached first. We apologize for that. We have instructed our engineers to begin work on resolving
      https://issues.redhat.com/browse/OADP-3259
      in the upstream Velero project.

      The upstream documentation can be found:
      https://velero.io/docs/v1.13/self-signed-certificates/
      By downloading the client and the certificate directly to the required workstations it should provide a permanent install of the client and the steps would not need to be repeated over and over.
      The root cause of the inconvenience is that the cacert is NOT stored as a file on the running velero container.

      We are working to improve the usability and apologize if the resolution is not complete in the expected time.

            wnstb Wes Hayutin
            tkaovila@redhat.com Tiger Kaovilai
            Votes:
            1 Vote for this issue
            Watchers:
            2 Start watching this issue

              Created:
              Updated: