Skip to content

OADP-8340: Error when modifying DPA-managed BSL via --cacert and --credential#229

Open
NicholasYancey wants to merge 3 commits into
migtools:oadp-devfrom
NicholasYancey:dpa-managed-bsl-set-guard
Open

OADP-8340: Error when modifying DPA-managed BSL via --cacert and --credential#229
NicholasYancey wants to merge 3 commits into
migtools:oadp-devfrom
NicholasYancey:dpa-managed-bsl-set-guard

Conversation

@NicholasYancey

@NicholasYancey NicholasYancey commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Why the changes were made

When a BackupStorageLocation (BSL) is owned by a DataProtectionApplication (DPA), the DPA reconciler continuously overwrites the BSL spec. Any change made directly via oc oadp backup-location set (--cacert) has no lasting effect and silently misleads the user into thinking their change was applied.

This PR injects a PreRunE guard into the backup-location set subcommand that checks the BSL's ownerReferences before the update is attempted. If a DPA ownerReference is found, the command returns an actionable error directing the user to update the DPA spec instead. Standalone BSLs and all other backup-location subcommands are unaffected.

How to test the changes made

DPA-managed BSL:

# Find a BSL owned by a DPA
oc get backupstoragelocation -n openshift-adp
# Attempt to modify it
oc oadp backup-location set <dpa-managed-bsl-name> -n openshift-adp --cacert /dev/null

Expected output: Error: backup storage location "<name>" is managed by DataProtectionApplication "<dpa-name>". Direct modifications via 'oc oadp backup-location set' will be overwritten by the DPA reconciler. To change settings such as '--cacert', update the DataProtectionApplication spec instead.

Standalone BSL

# Have a BSL that is not owned by a DPA and attempt to modify it
oc oadp backup-location set <standalone-bsl-name> -n openshift-adp --cacert /dev/null

Expected output: Backup storage location "<name>" configured successfully.

Unit tests:

go test ./cmd/... -run TestBSLDPAManagedError -v

Jira Link: https://redhat.atlassian.net/browse/OADP-8340

Summary by CodeRabbit

Summary by CodeRabbit

  • Bug Fixes

    • Prevented direct updates to backup storage locations managed by a DataProtectionApplication, avoiding later reconciliation overwrites.
    • Added validation during backup-location set to block protected edits (notably when certificate/credential inputs change) and return more informative errors, including the managing application name when applicable.
  • Tests

    • Added unit coverage for DataProtectionApplication-managed ownership scenarios and non-existent backup locations.

@NicholasYancey NicholasYancey self-assigned this Jul 8, 2026
@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: NicholasYancey
Once this PR has been reviewed and has the lgtm label, please assign sseago for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@NicholasYancey, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 57 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 124966d2-71d1-4986-a171-e01dd56deb87

📥 Commits

Reviewing files that changed from the base of the PR and between 155da48 and 0a08224.

📒 Files selected for processing (3)
  • cmd/bsl_guard.go
  • cmd/bsl_guard_test.go
  • cmd/root.go
📝 Walkthrough

Walkthrough

This change adds a CLI guard that blocks selected direct updates to BackupStorageLocation resources managed by a DataProtectionApplication. It detects ownership, wires the check into backup-location set commands, and adds fake-client unit tests.

Changes

DPA-managed BSL guard

Layer / File(s) Summary
BSL ownership guard and command wiring
cmd/root.go
Fetches the target BSL, detects DPA ownership, blocks changed --cacert or --credential values, and wires the guard into backup-location set commands.
DPA ownership detection tests
cmd/root_test.go
Tests DPA-owned, standalone, unrelated-owner, and missing BSL scenarios using a Velero scheme and fake client.

Estimated code review effort: 2 (Simple) | ~15 minutes

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant bslCmd
  participant KubeClient

  User->>bslCmd: run backup-location set
  bslCmd->>KubeClient: fetch BackupStorageLocation
  KubeClient-->>bslCmd: return ownerReferences
  bslCmd->>bslCmd: check DPA ownership and changed flags
  alt DPA-managed credential update
    bslCmd-->>User: return blocking error
  else other update
    bslCmd-->>User: proceed with set command
  end
Loading

Suggested reviewers: kaovilai, shubham-pampattiwar, joeavaikath

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: blocking DPA-managed BSL edits via backup-location set flags.
Description check ✅ Passed The description includes both required sections and provides clear motivation plus concrete test steps and expected results.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
cmd/root_test.go (1)

838-918: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Add a same-kind, different-group ownerReference case.

To cover the ownership contract precisely, include a BSL with Kind: "DataProtectionApplication" but a non-OADP APIVersion and assert it is allowed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/root_test.go` around lines 838 - 918, Add a test case in the BSL
ownership table in cmd/root_test.go to cover a same-kind but different-group
ownerReference: create a BackupStorageLocation whose OwnerReferences entry has
Kind set to DataProtectionApplication but an APIVersion outside
oadp.openshift.io/v1alpha1, and assert it is allowed (wantErr false). Use the
existing BSL ownership test table and the related ownership validation around
the BSL ownerReference handling to locate the spot.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/root.go`:
- Around line 77-84: The ownership check in the backup location update path only
matches OwnerReference.Kind, which can incorrectly block resources owned by
unrelated CRDs with the same kind. Update the validation in the location-owner
loop to also verify ref.APIVersion matches the OADP/DataProtectionApplication
API group before returning the error, using the existing owner-reference check
in cmd/root.go so only the real DPA reconciler-managed BSLs are rejected.

---

Nitpick comments:
In `@cmd/root_test.go`:
- Around line 838-918: Add a test case in the BSL ownership table in
cmd/root_test.go to cover a same-kind but different-group ownerReference: create
a BackupStorageLocation whose OwnerReferences entry has Kind set to
DataProtectionApplication but an APIVersion outside oadp.openshift.io/v1alpha1,
and assert it is allowed (wantErr false). Use the existing BSL ownership test
table and the related ownership validation around the BSL ownerReference
handling to locate the spot.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4869aa9c-6c83-48ac-bb2c-aa1c33502f5f

📥 Commits

Reviewing files that changed from the base of the PR and between 7e52e4a and 46459b5.

📒 Files selected for processing (2)
  • cmd/root.go
  • cmd/root_test.go

Comment thread cmd/root.go Outdated
@NicholasYancey NicholasYancey force-pushed the dpa-managed-bsl-set-guard branch 2 times, most recently from 30c43a4 to 5abb32f Compare July 8, 2026 22:32
@NicholasYancey NicholasYancey force-pushed the dpa-managed-bsl-set-guard branch from 5abb32f to b8f05c3 Compare July 8, 2026 22:37
@NicholasYancey NicholasYancey changed the title Error when modifying DPA-managed BSL via --cacert OADP-8340: Error when modifying DPA-managed BSL via --cacert and --credential Jul 13, 2026
@openshift-ci-robot

openshift-ci-robot commented Jul 13, 2026

Copy link
Copy Markdown

@NicholasYancey: This pull request references OADP-8340 which is a valid jira issue.

Details

In response to this:

Why the changes were made

When a BackupStorageLocation (BSL) is owned by a DataProtectionApplication (DPA), the DPA reconciler continuously overwrites the BSL spec. Any change made directly via oc oadp backup-location set (--cacert) has no lasting effect and silently misleads the user into thinking their change was applied.

This PR injects a PreRunE guard into the backup-location set subcommand that checks the BSL's ownerReferences before the update is attempted. If a DPA ownerReference is found, the command returns an actionable error directing the user to update the DPA spec instead. Standalone BSLs and all other backup-location subcommands are unaffected.

How to test the changes made

DPA-managed BSL:

# Find a BSL owned by a DPA
oc get backupstoragelocation -n openshift-adp
# Attempt to modify it
oc oadp backup-location set <dpa-managed-bsl-name> -n openshift-adp --cacert /dev/null

Expected output: Error: backup storage location "<name>" is managed by DataProtectionApplication "<dpa-name>". Direct modifications via 'oc oadp backup-location set' will be overwritten by the DPA reconciler. To change settings such as '--cacert', update the DataProtectionApplication spec instead.

Standalone BSL

# Have a BSL that is not owned by a DPA and attempt to modify it
oc oadp backup-location set <standalone-bsl-name> -n openshift-adp --cacert /dev/null

Expected output: Backup storage location "<name>" configured successfully.

Unit tests:

go test ./cmd/... -run TestBSLDPAManagedError -v

Summary by CodeRabbit

  • Bug Fixes
  • Prevented direct updates to backup storage locations that are managed by a DataProtectionApplication, avoiding changes that would be reverted later.
  • Added clearer error messages when a protected backup location is edited or when the target backup location does not exist.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@migtools migtools deleted a comment from openshift-ci Bot Jul 14, 2026
@migtools migtools deleted a comment from openshift-ci-robot Jul 14, 2026
@migtools migtools deleted a comment from openshift-ci-robot Jul 14, 2026

@weshayutin weshayutin left a comment

Copy link
Copy Markdown
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

nice catch!

Comment thread cmd/root.go Outdated

// injectDPAManagedGuard wraps the "set" subcommand of the given backup-location command
// with a PreRunE that rejects modifications to DPA-managed BSLs before the update is attempted.
func injectDPAManagedGuard(bslCmd *cobra.Command, f clientcmd.Factory) {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The guard correctly targets only --cacert and --credential since the DPA reconciler overwrites the entire BSL spec on every reconcile, with an explicit carve-out that preserves the Default field. So --default is the only flag safe to use on DPA-managed BSLs.

One suggestion: this is a blocklist approach (block --cacert and --credential). If upstream Velero adds a new flag to backup-location set that touches a reconciler-managed spec field, it won't be caught here.

Would an allowlist be more defensive? Skip the guard only when --default is the sole changed flag, block for anything else. That way new flags are automatically guarded without code changes here.

Not blocking, the current set of flags is complete today. Just a maintainability thought.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Allowlist seems good. If any flags need to be unblocked, then they can be added to it

Comment thread cmd/root.go Outdated
}

for _, ref := range location.OwnerReferences {
if ref.Kind == "DataProtectionApplication" && strings.Contains(ref.APIVersion, "oadp.openshift.io") {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: strings.Contains(ref.APIVersion, "oadp.openshift.io") is a loose match, it would also match a hypothetical not-oadp.openshift.io/v1. Since CRD APIVersions are always /, consider:
strings.HasPrefix(ref.APIVersion, "oadp.openshift.io/") Same behavior for all real cases, slightly more precise.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added

Comment thread cmd/root.go Outdated
// bslDPAManagedError returns an error if the BSL has an ownerReference pointing to a
// DataProtectionApplication, indicating the location is managed by the DPA reconciler.
// This is the testable core — it accepts a pre-built client so tests can pass a fake.
func bslDPAManagedError(ctx context.Context, kbClient kbclient.Client, namespace, bslName string) error {

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Nit: consider extracting bslDPAManagedError, checkBSLNotDPAManaged, and injectDPAManagedGuard into their own file (e.g. cmd/bsl_guard.go with cmd/bsl_guard_test.go). They're self-contained and BSL-specific, root.go is already doing a lot (command tree assembly, velero rewriting, timeout renaming, nonadmin mode).

The wiring call in NewVeleroRootCommand stays in root.go, just the logic moves out. Not blocking, just keeps root.go focused.

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added

Comment thread cmd/root.go Outdated
for _, ref := range location.OwnerReferences {
if ref.Kind == "DataProtectionApplication" && strings.Contains(ref.APIVersion, "oadp.openshift.io") {
return fmt.Errorf(
"backup storage location %q is managed by DataProtectionApplication %q.\n"+

Copy link
Copy Markdown
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The error message says "such as '--cacert'" but the guard also triggers for --credential. A user hitting this via --credential would see an error referencing a flag they didn't use.
Consider either listing both flags: "To change settings such as '--cacert' or '--credential', update the DataProtectionApplication spec instead"
Or making it generic: "To change these settings, update the DataProtectionApplication spec instead"

Copy link
Copy Markdown
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

added

@NicholasYancey NicholasYancey force-pushed the dpa-managed-bsl-set-guard branch from a63aafa to 0a08224 Compare July 15, 2026 21:31
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

4 participants