Loading...

XML

Word

Printable

Type: Bug
Resolution: Unresolved
Priority: Critical
Fix Version/s: OADP 1.5.0
Affects Version/s: OADP 1.2.0, OADP 1.3.0
Component/s: bsl, encryption
Labels:

Story Points:
4
Blocked:
False
Blocked Reason:

Hide

None

Show
None
Ready:
False
QEStatus:
ToDo
Intelligence Requested:
Market:

Cost of Delay:
0
WSJF:
0.000
Risk Probability:
Very Likely
Risk Score:
0

Workstream:

None

Root Cause:
Unset
Failure Category:
Unknown

Regression:
No

SFDC Cases Links:
SFDC Cases Counter:
SFDC Cases Open:

Background - https://redhat-internal.slack.com/archives/C0144ECKUJ0/p1714577996520399

AWS - DPA ( THIS WORKS )
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: dpa-sample
  namespace: openshift-adp
spec:
  backupLocations:
  - velero:
      config:
        customerKeyEncryptionFile: /credentials/customer-key
        profile: default
        region: us-west-2
      credential:
        key: cloud
        name: cloud-credentials
      default: true
      objectStorage:
        bucket: cvpbucketuswest2
        prefix: velero
      provider: aws
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      defaultPlugins:
      - openshift
      - aws
      - csi
      featureFlags:
      - EnableCSI
  snapshotLocations:
  - velero:
      config:
        profile: default
        region: us-west-2
      provider: aws

Credentials are mounted on the velero pod in /credentials !! WIN !!

A Minio setup behaves slightly different, the aws creds are copied to /tmp/

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: dpa-sample
  namespace: openshift-adp
spec:
  backupLocations:
  - velero:
      config:
        customerKeyEncryptionFile: /credentials/customer-key
        insecureSkipTLSVerify: "true"
        profile: default
        region: minio
        s3ForcePathStyle: "true"
        s3Url: http://10.131.0.140:9000
      credential:
        key: cloud
        name: cloud-credentials
      default: true
      objectStorage:
        bucket: velero
        prefix: velero
      provider: aws
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      defaultPlugins:
      - openshift
      - aws
      - csi
      featureFlags:
      - EnableCSI

The additional cred `customerKeyEncryptionFile` is never copied nor mounted to the velero pod.

At this moment having both cloud-credentials/[cloud, customerKeyEncryptionFile] only works when using AWS S3 buckets, and does NOT work w/ s3 aws compatible storage.

Nooba may work, I need to retest.

WORKAROUND: include a snapshotLocation config:

  snapshotLocations:
  - velero:
      config:
        profile: default
        region: minio
      provider: aws

relates to

OADP-889 Mount SSE-C Encryption file for AWS plugin

Closed

links to

non-admin bsl design

openshift/openshift-docs#75824: WIP - OADP-3170: Release Notes for OADP 1.1.8

velero: Ability to add additional files from secret(s) to Velero pod without restart #7767

Assignee:: Tiger Kaovilai

Reporter:: Wes Hayutin

QA Contact:: Sachin Singla

Votes:: 0 Vote for this issue

Watchers:: 3 Start watching this issue

Created:: 2024/05/01 6:15 PM

Updated:: 2024/11/14 7:27 PM

Details

Description

Attachments

Issue Links

Easy Agile Planning Poker

Activity

People

Dates