Uploaded image for project: 'OpenShift API for Data Protection'
  1. OpenShift API for Data Protection
  2. OADP-3971

Additional secrets cannot be added to velero pod without restart

XMLWordPrintable

    • 4
    • False
    • Hide

      None

      Show
      None
    • False
    • ToDo
    • 0
    • 0.000
    • Very Likely
    • 0
    • None
    • Unset
    • Unknown
    • No

      Background - https://redhat-internal.slack.com/archives/C0144ECKUJ0/p1714577996520399

       

      AWS - DPA ( THIS WORKS )
      apiVersion: oadp.openshift.io/v1alpha1
      kind: DataProtectionApplication
      metadata:
        name: dpa-sample
        namespace: openshift-adp
      spec:
        backupLocations:
        - velero:
            config:
              customerKeyEncryptionFile: /credentials/customer-key
              profile: default
              region: us-west-2
            credential:
              key: cloud
              name: cloud-credentials
            default: true
            objectStorage:
              bucket: cvpbucketuswest2
              prefix: velero
            provider: aws
        configuration:
          nodeAgent:
            enable: true
            uploaderType: kopia
          velero:
            defaultPlugins:
            - openshift
            - aws
            - csi
            featureFlags:
            - EnableCSI
        snapshotLocations:
        - velero:
            config:
              profile: default
              region: us-west-2
            provider: aws
      

      Credentials are mounted on the velero pod in /credentials !! WIN !!

       

      A Minio setup behaves slightly different, the aws creds are copied to /tmp/

      apiVersion: oadp.openshift.io/v1alpha1
      kind: DataProtectionApplication
      metadata:
        name: dpa-sample
        namespace: openshift-adp
      spec:
        backupLocations:
        - velero:
            config:
              customerKeyEncryptionFile: /credentials/customer-key
              insecureSkipTLSVerify: "true"
              profile: default
              region: minio
              s3ForcePathStyle: "true"
              s3Url: http://10.131.0.140:9000
            credential:
              key: cloud
              name: cloud-credentials
            default: true
            objectStorage:
              bucket: velero
              prefix: velero
            provider: aws
        configuration:
          nodeAgent:
            enable: true
            uploaderType: kopia
          velero:
            defaultPlugins:
            - openshift
            - aws
            - csi
            featureFlags:
            - EnableCSI

      The additional cred `customerKeyEncryptionFile` is never copied nor mounted to the velero pod.

       

      At this moment having both cloud-credentials/[cloud, customerKeyEncryptionFile] only works when using AWS S3 buckets, and does NOT work w/ s3 aws compatible storage.  

      • Nooba may work, I need to retest.

       

      WORKAROUND:  include a snapshotLocation config:

        snapshotLocations:
        - velero:
            config:
              profile: default
              region: minio
            provider: aws

       

       

              tkaovila@redhat.com Tiger Kaovilai
              wnstb Wes Hayutin
              Sachin Singla Sachin Singla
              Votes:
              0 Vote for this issue
              Watchers:
              3 Start watching this issue

                Created:
                Updated: