Bug
Resolution: Done-Errata
Blocker
OADP 1.5.1
Quality / Stability / Reliability
3
False
False
oadp-operator-bundle-container-1.5.2-2
ToDo
Very Likely
0
Customer Escalated, Customer Facing, Customer Reported
0
None
Unset
Unknown
None
Description of problem:
In the https://github.com/openshift/oadp-operator/pull/1930 implementation, once the caCert is read, the cert gets applied globally in the Velero instance, affecting all BSLs.
It should instead try to concatenate the system trusted certs so as not to break other BSLs.
In addition, this should allow more than one BSL with a custom caCert to work simultaneously.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. Use a storage provider with a self-signed certificate such as minio, and also aws w/o additional cert
2. Backup.
Actual results:
Only minio passes. aws fails with x509: certificate signed by unknown authority
Expected results:
Successful on both
TEST PLAN
caCert has essentially just 2 different possible valid values, a custom CA or None. Not interested in invalid values for this test.
This is essentially a binary test; whether order of creation matters is unknown -> creation order matters by default.
Scenarios:
1. BackupLocation with system defaults. AWS or Azure
2. BackupLocation with custom caCert such as Minio derived from OpenShift service CA.
3. A combination of [1,2] and [2,1] in order of creation.
The test is considered successful if at the end of each test the DPA status.phase is Reconcile and all Velero BSL status.phase is Available and lastValidationTime is at least 5 minutes older than metadata.creationTimestamp (to allow for reconciliation passes).
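The failure mode in this report, reproduced offline as an added example (not code from the OADP operator or Velero): a trust store replaced by the custom CA rejects every other endpoint, while a concatenated bundle accepts both. The names `selfSignedCA` and `trusts` are hypothetical, and both CAs are constructed stand-ins; real code would start from `x509.SystemCertPool()` and append the custom PEM to it.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"fmt"
	"math/big"
	"time"
)

// selfSignedCA returns a constructed, self-signed CA certificate as PEM.
func selfSignedCA(cn string) []byte {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: true, BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

// trusts verifies certPEM against a pool built only from the PEM bundle.
func trusts(bundle, certPEM []byte) error {
	roots := x509.NewCertPool()
	roots.AppendCertsFromPEM(bundle)
	blk, _ := pem.Decode(certPEM)
	cert, err := x509.ParseCertificate(blk.Bytes)
	if err != nil {
		return err
	}
	_, err = cert.Verify(x509.VerifyOptions{Roots: roots})
	return err
}

func main() {
	sys, custom := selfSignedCA("stand-in public CA"), selfSignedCA("stand-in MinIO CA")
	fmt.Println("custom CA replaces store:", trusts(custom, sys))
	fmt.Println("custom CA appended:      ", trusts(append(sys, custom...), sys))
}
```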
- duplicates: OADP-6774 [DOC] Release Notes for OADP 1.5.2 (Release Pending)
- is related to: OADP-641 Support self-signed certificate for internal image backup. (Closed)
- links to: RHBA-2025:154850 OpenShift API for Data Protection (OADP) 1.5.2 security and bug fix update