Background
The upstream Velero project added support for caCertRef in PR velero-io/velero#9141, which allows referencing a Secret containing the CA certificate bundle instead of embedding it directly in the caCert field.
Current State
In PR #2096, the caCertRef field was added to the CRD manifests:
- bundle/manifests/oadp.openshift.io_dataprotectionapplications.yaml
- config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml
- bundle/manifests/oadp.openshift.io_dataprotectiontests.yaml
- config/crd/bases/oadp.openshift.io_dataprotectiontests.yaml
However, the OADP controller does not yet implement support for this field. The controller only handles the CACert byte array field in:
- Go type: api/v1alpha1/dataprotectionapplication_types.go (ObjectStorageLocation struct)
- Controller: internal/controller/bsl.go
This means that if users set caCertRef, it is silently ignored: the BackupStorageLocation is created without the intended CA bundle, so TLS verification against the object storage endpoint can break.
Required Implementation
To properly support caCertRef, we need to:
- Update Go types (api/v1alpha1/dataprotectionapplication_types.go):
  - Add a CACertRef *corev1.SecretKeySelector field to the ObjectStorageLocation struct
  - Ensure it matches the CRD schema (name, key, optional fields)
- Update BSL controller (internal/controller/bsl.go):
  - Add logic to resolve the referenced Secret when CACertRef is set
  - Respect the name, key, and optional fields
  - Load the Secret contents and populate the CACert byte slice for TLS verification
  - Handle error cases (Secret not found, key not present, etc.)
- Validation:
  - Ensure CRD validation (required: [key]) aligns with the Go type
  - Consider mutual exclusivity between CACert and CACertRef (if needed)
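As an added illustration of the controller-side steps listed above (this is example code, not code from the OADP operator or from Velero), the following Go program shows how a reconciler could resolve CACertRef into the CACert byte slice: it honours name, key and optional, distinguishes the error cases (client error, Secret missing, key missing), enforces mutual exclusivity with the inline CACert, and refuses Secret content that is not a PEM certificate bundle. It uses only the standard library: SecretKeySelector and ObjectStorageLocation are cut-down stand-ins for the corev1 and OADP types, SecretGetter is an assumed abstraction over the controller's client, and the Secret store, namespace and key names are constructed sample data.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Stand-ins so this runs on the standard library only: SecretKeySelector mirrors corev1.SecretKeySelector,
// ObjectStorageLocation keeps the two OADP fields at issue, SecretGetter is a hypothetical client.Get wrapper.
type (
	SecretKeySelector struct {
		Name     string
		Key      string
		Optional *bool
	}
	ObjectStorageLocation struct {
		CACert    []byte
		CACertRef *SecretKeySelector
	}
	SecretGetter func(namespace, name string) (map[string][]byte, bool, error)
)

var ErrMutuallyExclusive = errors.New("caCert and caCertRef are mutually exclusive")

// ValidateCACertFields rejects both fields set at once: two trust anchors make the spec ambiguous.
func ValidateCACertFields(loc ObjectStorageLocation) error {
	if len(loc.CACert) > 0 && loc.CACertRef != nil {
		return ErrMutuallyExclusive
	}
	return nil
}

// ResolveCACert returns the bytes to copy into the BSL's CACert. optional: true turns a missing Secret or
// key into "no CA"; anything else is an error, and non-PEM content is refused instead of passed to Velero.
func ResolveCACert(loc ObjectStorageLocation, namespace string, get SecretGetter) ([]byte, error) {
	if err := ValidateCACertFields(loc); err != nil {
		return nil, err
	}
	ref := loc.CACertRef
	if ref == nil {
		return loc.CACert, nil // inline caCert keeps today's behaviour
	}
	data, found, err := get(namespace, ref.Name)
	if err != nil {
		return nil, fmt.Errorf("getting secret %s/%s: %w", namespace, ref.Name, err)
	}
	bundle, ok := data[ref.Key] // indexing a nil map is safe when the Secret is absent
	if !found || !ok {
		if ref.Optional != nil && *ref.Optional {
			return nil, nil
		}
		return nil, fmt.Errorf("caCertRef %s/%s key %q not found (secret exists: %v)", namespace, ref.Name, ref.Key, found)
	}
	if err := checkPEMBundle(bundle); err != nil {
		return nil, fmt.Errorf("caCertRef %s/%s key %q: %w", namespace, ref.Name, ref.Key, err)
	}
	return bundle, nil
}

// checkPEMBundle requires at least one parseable CERTIFICATE block and rejects any other block type.
func checkPEMBundle(b []byte) error {
	block, rest := pem.Decode(b)
	if block == nil {
		return errors.New("no PEM blocks found")
	}
	for ; block != nil; block, rest = pem.Decode(rest) {
		if block.Type != "CERTIFICATE" {
			return fmt.Errorf("unexpected %q PEM block in CA bundle", block.Type)
		}
		if _, err := x509.ParseCertificate(block.Bytes); err != nil {
			return fmt.Errorf("invalid certificate in bundle: %w", err)
		}
	}
	return nil
}

// NewConstructedCABundle generates a throwaway self-signed CA in memory (constructed input; fixed parameters cannot fail).
func NewConstructedCABundle() []byte {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), IsCA: true, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der})
}

func main() {
	get := func(_, name string) (map[string][]byte, bool, error) { // constructed in-memory Secret store
		data, ok := map[string]map[string][]byte{"my-ca": {"ca.crt": NewConstructedCABundle()}}[name]
		return data, ok, nil
	}
	ca, err := ResolveCACert(ObjectStorageLocation{CACertRef: &SecretKeySelector{Name: "my-ca", Key: "ca.crt"}}, "openshift-adp", get)
	fmt.Printf("resolved %d bytes, err=%v\n", len(ca), err)
}
```

In the real controller the getter would wrap client.Get on a corev1.Secret in the DPA's namespace and the result would be written into the BSL's CACert. The PEM check is the part worth carrying over: without it, a Secret holding the wrong key, a private key, or empty data lands in the BSL unnoticed and surfaces only as a TLS failure far from its cause.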
Related
Requested by: @kaovilai