Verified with OADP 1.5.2 1. Get caCert $ oc get configmap -n openshift-storage kube-root-ca.crt -ojsonpath='{.data.ca\.crt}' | base64 -w 0 2. Create 2 buckets using script in https://gitlab.cee.redhat.com/migrationqe/oadp-qe-automation/-/raw/main/backup-locations/mcg/deploy.sh?ref_type=heads Scenario 1:- BSL 1 uses custom caCert and BSL 2 uses system default [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get dpa -A -oyaml apiVersion: v1 items: - apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: creationTimestamp: "2025-10-01T18:55:20Z" generation: 1 name: ts-dpa namespace: openshift-adp resourceVersion: "85022" uid: 147c2f10-fd3f-4227-9496-1c872af89229 spec: backupLocations: - velero: config: profile: noobaa region: noobaa s3ForcePathStyle: "true" s3Url: https://s3-openshift-storage.apps.rdr-sg20-quay-d2b6.ibm.com credential: key: cloud name: cloud-credentials default: true objectStorage: bucket: testbucket1 caCert: prefix: velero provider: aws - velero: config: profile: default region: us-east-1 credential: key: cloud name: aws-bsl-secret objectStorage: bucket: newocpbucket prefix: velero provider: aws configuration: velero: defaultPlugins: - aws - openshift - csi disableFsBackup: false logFormat: text status: conditions: - lastTransitionTime: "2025-10-01T18:55:20Z" message: Reconcile complete reason: Complete status: "True" type: Reconciled kind: List metadata: resourceVersion: "" BSL is still in available phase after 15mins. [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get bsl NAME PHASE LAST VALIDATED AGE DEFAULT ts-dpa-1 Available 27s 8h true ts-dpa-2 Available 27s 8h Deployed sample application and created backup with BSL 1 [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get backup.velero.io/scen1-backup-1 -oyaml apiVersion: velero.io/v1 kind: Backup metadata: annotations: velero.io/resource-timeout: 10m0s velero.io/source-cluster-k8s-gitversion: v1.33.5 velero.io/source-cluster-k8s-major-version: "1" velero.io/source-cluster-k8s-minor-version: "33" creationTimestamp: "2025-10-02T04:14:19Z" generation: 8 labels: velero.io/storage-location: ts-dpa-1 name: scen1-backup-1 namespace: openshift-adp resourceVersion: "410198" uid: 129b304c-9692-4c6a-8fd0-c610c2387aa5 spec: csiSnapshotTimeout: 10m0s defaultVolumesToFsBackup: false includedNamespaces: - django-ns itemOperationTimeout: 4h0m0s snapshotMoveData: false storageLocation: ts-dpa-1 ttl: 720h0m0s status: backupItemOperationsAttempted: 1 backupItemOperationsCompleted: 1 completionTimestamp: "2025-10-02T04:14:30Z" csiVolumeSnapshotsAttempted: 1 csiVolumeSnapshotsCompleted: 1 expiration: "2025-11-01T04:14:19Z" formatVersion: 1.1.0 hookStatus: {} phase: Completed progress: itemsBackedUp: 99 totalItems: 99 startTimestamp: "2025-10-02T04:14:19Z" version: 1 Create backup with BSL 2 [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get backup.velero.io/scen1-backup-2 -oyaml apiVersion: velero.io/v1 kind: Backup metadata: annotations: velero.io/resource-timeout: 10m0s velero.io/source-cluster-k8s-gitversion: v1.33.5 velero.io/source-cluster-k8s-major-version: "1" velero.io/source-cluster-k8s-minor-version: "33" creationTimestamp: "2025-10-02T04:15:44Z" generation: 8 labels: velero.io/storage-location: ts-dpa-2 name: scen1-backup-2 namespace: openshift-adp resourceVersion: "411069" uid: 7944530f-9cbb-4e34-9ac4-39188610055a spec: csiSnapshotTimeout: 10m0s defaultVolumesToFsBackup: false includedNamespaces: - django-ns itemOperationTimeout: 4h0m0s snapshotMoveData: false storageLocation: ts-dpa-2 ttl: 720h0m0s status: backupItemOperationsAttempted: 1 backupItemOperationsCompleted: 1 completionTimestamp: "2025-10-02T04:15:54Z" csiVolumeSnapshotsAttempted: 1 csiVolumeSnapshotsCompleted: 1 expiration: "2025-11-01T04:15:44Z" formatVersion: 1.1.0 hookStatus: {} phase: Completed progress: itemsBackedUp: 102 totalItems: 102 startTimestamp: "2025-10-02T04:15:44Z" version: 1 Delete app namespace and restore from the first backup. [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get restore.velero.io/test-restore1 -oyaml apiVersion: velero.io/v1 kind: Restore metadata: creationTimestamp: "2025-10-02T04:18:05Z" finalizers: - restores.velero.io/external-resources-finalizer generation: 7 name: test-restore1 namespace: openshift-adp resourceVersion: "413012" uid: 21f566e0-0344-42fc-a874-45a0069c4068 spec: backupName: scen1-backup-1 excludedResources: - nodes - events - events.events.k8s.io - backups.velero.io - restores.velero.io - resticrepositories.velero.io - csinodes.storage.k8s.io - volumeattachments.storage.k8s.io - backuprepositories.velero.io itemOperationTimeout: 4h0m0s status: completionTimestamp: "2025-10-02T04:18:30Z" hookStatus: {} phase: Completed progress: itemsRestored: 45 totalItems: 45 startTimestamp: "2025-10-02T04:18:05Z" warnings: 6 Removed app namespace and restored backup from backup2 [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get restore.velero.io/test-restore2a -oyaml apiVersion: velero.io/v1 kind: Restore metadata: creationTimestamp: "2025-10-02T04:25:00Z" finalizers: - restores.velero.io/external-resources-finalizer generation: 8 name: test-restore2a namespace: openshift-adp resourceVersion: "417595" uid: 49ca4a21-4005-4a09-8d21-6fc70ee2455e spec: backupName: scen1-backup-2 excludedResources: - nodes - events - events.events.k8s.io - backups.velero.io - restores.velero.io - resticrepositories.velero.io - csinodes.storage.k8s.io - volumeattachments.storage.k8s.io - backuprepositories.velero.io itemOperationTimeout: 4h0m0s status: completionTimestamp: "2025-10-02T04:25:35Z" hookStatus: {} phase: Completed progress: itemsRestored: 45 totalItems: 45 startTimestamp: "2025-10-02T04:25:00Z" warnings: 8 [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get pod -n django-ns NAME READY STATUS RESTARTS AGE django-psql-persistent-1-build 0/1 Completed 0 88s django-psql-persistent-2-deploy 0/1 Completed 0 45s django-psql-persistent-2-r968h 1/1 Running 2 (40s ago) 43s postgresql-1-deploy 0/1 Completed 0 89s postgresql-1-sxs4s 1/1 Running 0 89s Scenario 2:- BSL 1 uses default cert and BSL 2 uses custom caCert. [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get dpa ts-dpa -oyaml apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: creationTimestamp: "2025-10-02T03:38:23Z" generation: 1 name: ts-dpa namespace: openshift-adp resourceVersion: "387379" uid: 4ad8a02b-1cf0-4176-aa9e-b34b71c2073a spec: backupLocations: - velero: config: profile: default region: us-east-1 credential: key: cloud name: aws-bsl-secret default: true objectStorage: bucket: newocpbucket prefix: velero provider: aws - velero: config: profile: noobaa region: noobaa s3ForcePathStyle: "true" s3Url: https://s3-openshift-storage.apps.rdr-sg20-quay-d2b6.ibm.com credential: key: cloud name: cloud-credentials objectStorage: bucket: testbucket1 caCert: prefix: velero provider: aws configuration: velero: defaultPlugins: - aws - openshift - csi disableFsBackup: false logFormat: text status: conditions: - lastTransitionTime: "2025-10-02T03:38:23Z" message: Reconcile complete reason: Complete status: "True" type: Reconciled [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get bsl NAME PHASE LAST VALIDATED AGE DEFAULT ts-dpa-1 Available 29s 93s true ts-dpa-2 Available 29s 93s Created backup with BSL1 [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get backup.velero.io/scen2-backup-1 -oyaml apiVersion: velero.io/v1 kind: Backup metadata: annotations: velero.io/resource-timeout: 10m0s velero.io/source-cluster-k8s-gitversion: v1.33.5 velero.io/source-cluster-k8s-major-version: "1" velero.io/source-cluster-k8s-minor-version: "33" creationTimestamp: "2025-10-02T03:49:51Z" generation: 8 labels: velero.io/storage-location: ts-dpa-1 name: scen2-backup-1 namespace: openshift-adp resourceVersion: "394591" uid: 59333bb4-7d48-4b92-8220-b5df52f114f4 spec: csiSnapshotTimeout: 10m0s defaultVolumesToFsBackup: false includedNamespaces: - django-ns itemOperationTimeout: 4h0m0s snapshotMoveData: false storageLocation: ts-dpa-1 ttl: 720h0m0s status: backupItemOperationsAttempted: 1 backupItemOperationsCompleted: 1 completionTimestamp: "2025-10-02T03:50:13Z" csiVolumeSnapshotsAttempted: 1 csiVolumeSnapshotsCompleted: 1 expiration: "2025-11-01T03:49:51Z" formatVersion: 1.1.0 hookStatus: {} phase: Completed progress: itemsBackedUp: 93 totalItems: 93 startTimestamp: "2025-10-02T03:49:51Z" version: 1 Created backup with BSL2 [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get backup.velero.io/scen2-backup-2 -oyaml apiVersion: velero.io/v1 kind: Backup metadata: annotations: velero.io/resource-timeout: 10m0s velero.io/source-cluster-k8s-gitversion: v1.33.5 velero.io/source-cluster-k8s-major-version: "1" velero.io/source-cluster-k8s-minor-version: "33" creationTimestamp: "2025-10-02T03:52:32Z" generation: 8 labels: velero.io/storage-location: ts-dpa-2 name: scen2-backup-2 namespace: openshift-adp resourceVersion: "396868" uid: 968076ba-7beb-4806-b3fa-82a6345d8c55 spec: csiSnapshotTimeout: 10m0s defaultVolumesToFsBackup: false includedNamespaces: - django-ns itemOperationTimeout: 4h0m0s snapshotMoveData: false storageLocation: ts-dpa-2 ttl: 720h0m0s status: backupItemOperationsAttempted: 1 backupItemOperationsCompleted: 1 completionTimestamp: "2025-10-02T03:53:27Z" csiVolumeSnapshotsAttempted: 1 csiVolumeSnapshotsCompleted: 1 expiration: "2025-11-01T03:52:32Z" formatVersion: 1.1.0 hookStatus: {} phase: Completed progress: itemsBackedUp: 96 totalItems: 96 startTimestamp: "2025-10-02T03:52:32Z" version: 1 Scenario3:- BSL 1 uses custom caCert, BSL 2 uses system defaults and BSL 3 uses different bucket and custom caCert. [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get dpa ts-dpa -oyaml apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: creationTimestamp: "2025-10-02T04:00:26Z" generation: 1 name: ts-dpa namespace: openshift-adp resourceVersion: "401270" uid: 1ac395c5-f61c-467f-b948-f2d5df735bc4 spec: backupLocations: - velero: config: profile: noobaa region: noobaa s3ForcePathStyle: "true" s3Url: https://s3-openshift-storage.apps.rdr-sg20-quay-d2b6.ibm.com credential: key: cloud name: cloud-credentials objectStorage: bucket: testbucket1 caCert: prefix: velero provider: aws - velero: config: profile: default region: us-east-1 credential: key: cloud name: aws-bsl-secret default: true objectStorage: bucket: newocpbucket prefix: velero provider: aws - velero: config: profile: noobaa region: noobaa s3ForcePathStyle: "true" s3Url: https://s3-openshift-storage.apps.rdr-sg20-quay-d2b6.ibm.com credential: key: cloud name: cloud-credentials objectStorage: bucket: testbucket2 caCert: prefix: velero provider: aws configuration: velero: defaultPlugins: - aws - openshift - csi disableFsBackup: false logFormat: text status: conditions: - lastTransitionTime: "2025-10-02T04:00:26Z" message: Reconcile complete reason: Complete status: "True" type: Reconciled Verified the BSLs are in available phase [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get bsl NAME PHASE LAST VALIDATED AGE DEFAULT ts-dpa-1 Available 4s 7s ts-dpa-2 Available 3s 7s true ts-dpa-3 Available 3s 7s Deployed ocp-imagestreams and ocp-django application. Created imagestream backup with each BSL - [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get backup.velero.io/scen3-backup-1 -oyaml apiVersion: velero.io/v1 kind: Backup metadata: annotations: velero.io/resource-timeout: 10m0s velero.io/source-cluster-k8s-gitversion: v1.33.5 velero.io/source-cluster-k8s-major-version: "1" velero.io/source-cluster-k8s-minor-version: "33" creationTimestamp: "2025-10-02T04:07:20Z" generation: 9 labels: velero.io/storage-location: ts-dpa-1 name: scen3-backup-1 namespace: openshift-adp resourceVersion: "405747" uid: 23e44117-a6d7-4e7a-98f3-857cee735aff spec: csiSnapshotTimeout: 10m0s defaultVolumesToFsBackup: false includedNamespaces: - django-ns - is-ns itemOperationTimeout: 4h0m0s snapshotMoveData: false storageLocation: ts-dpa-1 ttl: 720h0m0s status: backupItemOperationsAttempted: 1 backupItemOperationsCompleted: 1 completionTimestamp: "2025-10-02T04:07:36Z" csiVolumeSnapshotsAttempted: 1 csiVolumeSnapshotsCompleted: 1 expiration: "2025-11-01T04:07:20Z" formatVersion: 1.1.0 hookStatus: {} phase: Completed progress: itemsBackedUp: 122 totalItems: 122 startTimestamp: "2025-10-02T04:07:21Z" version: 1 [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get backup.velero.io/scen3-backup-2 -oyaml apiVersion: velero.io/v1 kind: Backup metadata: annotations: velero.io/resource-timeout: 10m0s velero.io/source-cluster-k8s-gitversion: v1.33.5 velero.io/source-cluster-k8s-major-version: "1" velero.io/source-cluster-k8s-minor-version: "33" creationTimestamp: "2025-10-02T04:08:24Z" generation: 8 labels: velero.io/storage-location: ts-dpa-2 name: scen3-backup-2 namespace: openshift-adp resourceVersion: "406389" uid: ad3c9218-ed48-4710-8cc0-c1b36147da61 spec: csiSnapshotTimeout: 10m0s defaultVolumesToFsBackup: false includedNamespaces: - django-ns - is-ns itemOperationTimeout: 4h0m0s snapshotMoveData: false storageLocation: ts-dpa-2 ttl: 720h0m0s status: backupItemOperationsAttempted: 1 backupItemOperationsCompleted: 1 completionTimestamp: "2025-10-02T04:08:37Z" csiVolumeSnapshotsAttempted: 1 csiVolumeSnapshotsCompleted: 1 expiration: "2025-11-01T04:08:24Z" formatVersion: 1.1.0 hookStatus: {} phase: Completed progress: itemsBackedUp: 125 totalItems: 125 startTimestamp: "2025-10-02T04:08:24Z" version: 1 [root@rdr-sg20-quay-d2b6-bastion-0 sample-applications]# oc get backup.velero.io/scen3-backup-3 -oyaml apiVersion: velero.io/v1 kind: Backup metadata: annotations: velero.io/resource-timeout: 10m0s velero.io/source-cluster-k8s-gitversion: v1.33.5 velero.io/source-cluster-k8s-major-version: "1" velero.io/source-cluster-k8s-minor-version: "33" creationTimestamp: "2025-10-02T04:09:09Z" generation: 8 labels: velero.io/storage-location: ts-dpa-3 name: scen3-backup-3 namespace: openshift-adp resourceVersion: "407314" uid: 9857dca0-dd62-448c-9bbd-5a46cfceb052 spec: csiSnapshotTimeout: 10m0s defaultVolumesToFsBackup: false includedNamespaces: - django-ns - is-ns itemOperationTimeout: 4h0m0s snapshotMoveData: false storageLocation: ts-dpa-3 ttl: 720h0m0s status: backupItemOperationsAttempted: 1 backupItemOperationsCompleted: 1 completionTimestamp: "2025-10-02T04:10:06Z" csiVolumeSnapshotsAttempted: 1 csiVolumeSnapshotsCompleted: 1 expiration: "2025-11-01T04:09:09Z" formatVersion: 1.1.0 hookStatus: {} phase: Completed progress: itemsBackedUp: 128 totalItems: 128 startTimestamp: "2025-10-02T04:09:09Z" version: 1