CLI automatically discovers and uses cacert from BSL#8557
velero-io/velero#8557: reasonerjt merged 1 commit into `velero-io:main`.
Codecov Report: ❌ Patch coverage is

Additional details and impacted files:

```
@@            Coverage Diff             @@
##             main    #8557      +/-   ##
==========================================
+ Coverage   59.11%   59.20%   +0.08%
==========================================
  Files         379      380       +1
  Lines       43516    43663     +147
==========================================
+ Hits        25723    25849     +126
- Misses      16269    16278       +9
- Partials     1524     1536      +12
```

☔ View full report in Codecov by Sentry.
| ) | ||
|
|
||
| // GetCACertFromBackup fetches the BackupStorageLocation for a backup and returns its cacert | ||
| func GetCACertFromBackup(ctx context.Context, client kbclient.Client, namespace string, backup *velerov1api.Backup) (string, error) { |
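Review bot: the doc comment on GetCACertFromBackup should spell out the cases in which it returns an empty string with a nil error (the backup has no StorageLocation, or the referenced BSL does not exist), because callers must treat an empty result as "use the system roots" rather than as a failure. Delegating the BSL lookup to GetCACertFromBSL would also keep a single code path for that logic instead of two that can drift apart.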
Sorry for the late review but it seems GetCACertFromBackup can call GetCACertFromBSL?
Sorry @kaovilai but it is still not calling GetCACertFromBSL
I swear I pushed that change... 👁️ _ 👁️
seems to be a mistake during rebase.
| } | ||
| caPool.AppendCertsFromPEM(caCert) | ||
| } | ||
| if len(caCertByteString) > 0 { |
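Review bot: the boolean returned by `caPool.AppendCertsFromPEM(caCert)` is discarded, so a CA file that contains no parseable certificate leaves the pool unchanged and the download later fails with an "unknown authority" error that says nothing about the bundle; check the return value and fail with an error naming the source of the bundle. Merging the file branch and the `if len(caCertByteString) > 0` branch into one block would also let the pool be initialised once and make the fallback order explicit.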
- If there's error opening the `caCertFile` shall we fallback to BSL cert?
- Seems these two "if" chunks can be combined so the `caPool` can be reused.
| if err := client.Get(ctx, key, bsl); err != nil { | ||
| if apierrors.IsNotFound(err) { | ||
| // BSL not found is not a fatal error, just means no cacert | ||
| return "", nil | ||
| } | ||
| return "", errors.Wrapf(err, "error getting backup storage location %s", bslName) | ||
| } |
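Review bot: returning `"", nil` on `apierrors.IsNotFound(err)` makes a missing BSL indistinguishable at the call site from a BSL that simply has no cacert, and the client then proceeds with system roots only. If that is the intended behaviour, log a warning here that names the BSL so a later TLS failure can be traced back to it; otherwise return the error, since a DownloadRequest for a backup whose BSL is gone will not succeed anyway.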
Probably good to have agreements here if get bsl fails from client perspective, if it is better to drop the request entirely.. or proceed without cacert.
which will fail later if bsl is still not available.
| velero backup describe my-backup --cacert <PATH_TO_CA_BUNDLE> | ||
| ``` | ||
|
|
||
| 2. **Configuring the CA certificate in the BackupStorageLocation** (recommended): |
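Review bot: the "(recommended)" label on the BSL option should be dropped or qualified, since a cluster whose worker nodes already trust the CA needs no cacert in the BSL at all. What the doc should state instead is the precedence when both are present: the `--cacert` file is used, with fallback to the BSL value when the file cannot be read.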
I wouldn't say this is a recommended approach, b/c it's possible that the CA is injected into the worker node so velero will trust the cert of BSL, and there's no need to configure the CA cert in BSL.
…uests

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

feat: Add CA cert fallback when caCertFile fails in download requests

- Fallback to BSL cert when caCertFile cannot be opened
- Combine certificate handling blocks to reuse CA pool initialization
- Add comprehensive unit tests for fallback behavior

This improves robustness by allowing downloads to proceed with BSL CA cert when the provided CA cert file is unavailable or unreadable.

🤖 Generated with [Claude Code](https://claude.ai/code)

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
Co-Authored-By: Claude <noreply@anthropic.com>
* users are not reading the instructions to skip-tls
* support /eng ends up w/ must-gather's that do not contain all the required logs

TODO: incorporate auto discovery of certs per bsl velero-io/velero#8557

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>

* set skip-tls default to true
* users are not reading the instructions to skip-tls
* support /eng ends up w/ must-gather's that do not contain all the required logs

TODO: incorporate auto discovery of certs per bsl velero-io/velero#8557

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>

* update comment for insecure

--------

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>
* set skip-tls default to true
* users are not reading the instructions to skip-tls
* support /eng ends up w/ must-gather's that do not contain all the required logs

TODO: incorporate auto discovery of certs per bsl velero-io/velero#8557

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>

* update comment for insecure

--------

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>
Co-authored-by: Wesley Hayutin <weshayutin@gmail.com>
…ate handling

Replace downloadrequest.Stream() with downloadrequest.StreamWithBSLCACert() which accepts an additional bslCACert parameter for proper BSL CA certificate handling when downloading backup contents from object storage.

Remove the canary test (TestStreamWithBSLCACert) since the function is now available in the Velero dependency and is being used.

See: velero-io/velero#8557

Generated with [Claude Code](https://claude.ai/code) via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <passawit.kaovilai@gmail.com>
Signed-off-by: Tiger Kaovilai tkaovila@redhat.com
Allows BSL config cacert to be consumed by CLI download requests without modifying the API. The CLI now directly fetches the cacert from the BackupStorageLocation when performing download operations, rather than passing it through the DownloadRequest API.
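The trust-resolution logic the description and the follow-up commit describe (an explicit `--cacert` file, falling back to the BSL's `Spec.ObjectStorage.CACert` when the file cannot be read, then a cert pool of system roots plus that bundle, or verification disabled entirely on the insecure path) is shown below as an added, self-contained example. It is not Velero's own code: `ResolveCAPEM`, `BuildTLSConfig` and `NewTestCAPEM` are hypothetical names, the self-signed CA is constructed inline so the program runs offline, and the BSL value is passed in as a plain string instead of being read from the Kubernetes API.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/pem"
	"errors"
	"fmt"
	"math/big"
	"os"
	"time"
)

// ResolveCAPEM picks the CA bundle a download request should trust
// (hypothetical helper). Precedence: an explicit --cacert file wins; if
// that file cannot be read and the BSL carries a cacert, fall back to the
// BSL value; if neither is available the caller relies on system roots.
// The second return value names the source that was chosen.
func ResolveCAPEM(caCertFile, bslCACert string) ([]byte, string, error) {
	if caCertFile != "" {
		data, err := os.ReadFile(caCertFile)
		if err == nil {
			return data, "file", nil
		}
		if bslCACert == "" {
			// Nothing to fall back to: surface the error instead of
			// silently downgrading to system roots.
			return nil, "", fmt.Errorf("reading CA cert file %q: %w", caCertFile, err)
		}
		fmt.Fprintf(os.Stderr, "warning: cannot read %q (%v); falling back to BSL cacert\n", caCertFile, err)
	}
	if bslCACert != "" {
		return []byte(bslCACert), "bsl", nil
	}
	return nil, "system", nil
}

// BuildTLSConfig builds the client TLS config: system roots plus the
// resolved bundle, or, on the insecure path, no verification at all.
func BuildTLSConfig(caPEM []byte, insecureSkipTLSVerify bool) (*tls.Config, error) {
	if insecureSkipTLSVerify {
		// Weak setting: every server certificate is accepted, so any CA
		// bundle is irrelevant. Only the explicit opt-in reaches here.
		return &tls.Config{InsecureSkipVerify: true}, nil
	}
	pool, err := x509.SystemCertPool()
	if err != nil || pool == nil {
		pool = x509.NewCertPool()
	}
	if len(caPEM) > 0 && !pool.AppendCertsFromPEM(caPEM) {
		// Check the boolean: a bundle with no parseable certificate would
		// otherwise surface later as an opaque "unknown authority" error.
		return nil, errors.New("CA bundle contains no parseable PEM certificate")
	}
	return &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}, nil
}

// NewTestCAPEM constructs a throwaway self-signed CA (constructed data,
// standing in for BSL.Spec.ObjectStorage.CACert) so the example runs offline.
func NewTestCAPEM() ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "example-bsl-ca (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		KeyUsage:              x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: der}), nil
}

func main() {
	caPEM, err := NewTestCAPEM()
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	// Simulate a --cacert path that does not exist while the BSL has a cacert.
	bundle, source, err := ResolveCAPEM("/nonexistent/velero-ca.crt", string(caPEM))
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	cfg, err := BuildTLSConfig(bundle, false)
	if err != nil {
		fmt.Fprintln(os.Stderr, err)
		os.Exit(1)
	}
	fmt.Printf("CA source: %s, verification enabled: %v\n", source, !cfg.InsecureSkipVerify)
}
```

The design point worth noting is the middle branch of `ResolveCAPEM`: when the file is unreadable and no BSL cacert exists the function errors rather than quietly continuing with system roots, so a typo in `--cacert` surfaces as a clear message instead of a later TLS handshake failure that looks like a storage problem.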
Diagram: PR changes in green.

```mermaid
graph TD
    A[User runs velero CLI command] --> B{Command type?}
    B -->|backup describe| C[backup describe.go]
    B -->|backup download| D[backup download.go]
    B -->|backup logs| E[backup logs.go]
    B -->|restore logs| F[restore logs.go]
    C --> G[Get Backup from K8s API]
    D --> G
    E --> G
    F --> H[Get Restore from K8s API]
    H --> I[Get referenced Backup from Restore.Spec.BackupName]
    I --> G
    G --> J[cacert.GetCACertFromBackup]
    J --> K[Check if backup has StorageLocation]
    K -->|No| L[Return empty CA cert]
    K -->|Yes| M[Fetch BSL from K8s API]
    M --> N{BSL exists?}
    N -->|No| O[Log warning, return empty CA cert]
    N -->|Yes| P[Check BSL.Spec.ObjectStorage.CACert]
    P --> Q{CA cert present?}
    Q -->|No| R[Return empty CA cert]
    Q -->|Yes| S[Return CA cert as string]
    L --> T[downloadrequest.StreamWithBSLCACert]
    O --> T
    R --> T
    S --> T
    T --> U[Create DownloadRequest in K8s]
    U --> V[Wait for Velero controller to process]
    V --> W[Controller updates DownloadRequest.Status.DownloadURL]
    W --> X[HTTP client with TLS config]
    X --> Y{BSL CA cert provided?}
    Y -->|No| Z[Use system cert pool or insecureSkipTLSVerify]
    Y -->|Yes| AA[Create cert pool with system certs + BSL CA cert]
    Z --> BB[Make HTTPS request to download URL]
    AA --> BB
    BB --> CC{Request successful?}
    CC -->|No| DD[Return error]
    CC -->|Yes| EE[Stream content to output]
    EE --> FF{Content type?}
    FF -->|Logs| GG[Decompress gzip content]
    FF -->|Backup contents| HH[Stream raw content]
    GG --> II[Return content to user]
    HH --> II
    style A fill:#e1f5fe
    style II fill:#c8e6c9
    style DD fill:#ffcdd2
    %% PR Changes highlighted in green
    style J fill:#4caf50,color:#fff
    style K fill:#4caf50,color:#fff
    style M fill:#4caf50,color:#fff
    style N fill:#4caf50,color:#fff
    style O fill:#4caf50,color:#fff
    style P fill:#4caf50,color:#fff
    style Q fill:#4caf50,color:#fff
    style R fill:#4caf50,color:#fff
    style S fill:#4caf50,color:#fff
    style T fill:#4caf50,color:#fff
    style Y fill:#4caf50,color:#fff
    style AA fill:#4caf50,color:#fff
```

Dev Functional Validation
Does your change fix a particular issue?
Fixes #7730