OADP-8340: Error when modifying DPA-managed BSL via --cacert and --credential#229
OADP-8340: Error when modifying DPA-managed BSL via --cacert and --credential#229NicholasYancey wants to merge 3 commits into
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: NicholasYancey The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Warning Review limit reached
Next review available in: 57 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (3)
📝 WalkthroughWalkthroughThis change adds a CLI guard that blocks selected direct updates to ChangesDPA-managed BSL guard
Estimated code review effort: 2 (Simple) | ~15 minutes Sequence Diagram(s)sequenceDiagram
participant User
participant bslCmd
participant KubeClient
User->>bslCmd: run backup-location set
bslCmd->>KubeClient: fetch BackupStorageLocation
KubeClient-->>bslCmd: return ownerReferences
bslCmd->>bslCmd: check DPA ownership and changed flags
alt DPA-managed credential update
bslCmd-->>User: return blocking error
else other update
bslCmd-->>User: proceed with set command
end
Suggested reviewers: 🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
cmd/root_test.go (1)
838-918: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick winAdd a same-kind, different-group ownerReference case.
To cover the ownership contract precisely, include a BSL with
Kind: "DataProtectionApplication"but a non-OADPAPIVersionand assert it is allowed.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cmd/root_test.go` around lines 838 - 918, Add a test case in the BSL ownership table in cmd/root_test.go to cover a same-kind but different-group ownerReference: create a BackupStorageLocation whose OwnerReferences entry has Kind set to DataProtectionApplication but an APIVersion outside oadp.openshift.io/v1alpha1, and assert it is allowed (wantErr false). Use the existing BSL ownership test table and the related ownership validation around the BSL ownerReference handling to locate the spot.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@cmd/root.go`:
- Around line 77-84: The ownership check in the backup location update path only
matches OwnerReference.Kind, which can incorrectly block resources owned by
unrelated CRDs with the same kind. Update the validation in the location-owner
loop to also verify ref.APIVersion matches the OADP/DataProtectionApplication
API group before returning the error, using the existing owner-reference check
in cmd/root.go so only the real DPA reconciler-managed BSLs are rejected.
---
Nitpick comments:
In `@cmd/root_test.go`:
- Around line 838-918: Add a test case in the BSL ownership table in
cmd/root_test.go to cover a same-kind but different-group ownerReference: create
a BackupStorageLocation whose OwnerReferences entry has Kind set to
DataProtectionApplication but an APIVersion outside oadp.openshift.io/v1alpha1,
and assert it is allowed (wantErr false). Use the existing BSL ownership test
table and the related ownership validation around the BSL ownerReference
handling to locate the spot.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 4869aa9c-6c83-48ac-bb2c-aa1c33502f5f
📒 Files selected for processing (2)
cmd/root.gocmd/root_test.go
30c43a4 to
5abb32f
Compare
5abb32f to
b8f05c3
Compare
|
@NicholasYancey: This pull request references OADP-8340 which is a valid jira issue. DetailsIn response to this:
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository. |
|
|
||
| // injectDPAManagedGuard wraps the "set" subcommand of the given backup-location command | ||
| // with a PreRunE that rejects modifications to DPA-managed BSLs before the update is attempted. | ||
| func injectDPAManagedGuard(bslCmd *cobra.Command, f clientcmd.Factory) { |
There was a problem hiding this comment.
The guard correctly targets only --cacert and --credential since the DPA reconciler overwrites the entire BSL spec on every reconcile, with an explicit carve-out that preserves the Default field. So --default is the only flag safe to use on DPA-managed BSLs.
One suggestion: this is a blocklist approach (block --cacert and --credential). If upstream Velero adds a new flag to backup-location set that touches a reconciler-managed spec field, it won't be caught here.
Would an allowlist be more defensive? Skip the guard only when --default is the sole changed flag, block for anything else. That way new flags are automatically guarded without code changes here.
Not blocking, the current set of flags is complete today. Just a maintainability thought.
There was a problem hiding this comment.
Allowlist seems good. If any flags need to be unblocked, then they can be added to it
| } | ||
|
|
||
| for _, ref := range location.OwnerReferences { | ||
| if ref.Kind == "DataProtectionApplication" && strings.Contains(ref.APIVersion, "oadp.openshift.io") { |
There was a problem hiding this comment.
Nit: strings.Contains(ref.APIVersion, "oadp.openshift.io") is a loose match, it would also match a hypothetical not-oadp.openshift.io/v1. Since CRD APIVersions are always /, consider:
strings.HasPrefix(ref.APIVersion, "oadp.openshift.io/") Same behavior for all real cases, slightly more precise.
| // bslDPAManagedError returns an error if the BSL has an ownerReference pointing to a | ||
| // DataProtectionApplication, indicating the location is managed by the DPA reconciler. | ||
| // This is the testable core — it accepts a pre-built client so tests can pass a fake. | ||
| func bslDPAManagedError(ctx context.Context, kbClient kbclient.Client, namespace, bslName string) error { |
There was a problem hiding this comment.
Nit: consider extracting bslDPAManagedError, checkBSLNotDPAManaged, and injectDPAManagedGuard into their own file (e.g. cmd/bsl_guard.go with cmd/bsl_guard_test.go). They're self-contained and BSL-specific, root.go is already doing a lot (command tree assembly, velero rewriting, timeout renaming, nonadmin mode).
The wiring call in NewVeleroRootCommand stays in root.go, just the logic moves out. Not blocking, just keeps root.go focused.
| for _, ref := range location.OwnerReferences { | ||
| if ref.Kind == "DataProtectionApplication" && strings.Contains(ref.APIVersion, "oadp.openshift.io") { | ||
| return fmt.Errorf( | ||
| "backup storage location %q is managed by DataProtectionApplication %q.\n"+ |
There was a problem hiding this comment.
The error message says "such as '--cacert'" but the guard also triggers for --credential. A user hitting this via --credential would see an error referencing a flag they didn't use.
Consider either listing both flags: "To change settings such as '--cacert' or '--credential', update the DataProtectionApplication spec instead"
Or making it generic: "To change these settings, update the DataProtectionApplication spec instead"
a63aafa to
0a08224
Compare
Why the changes were made
When a BackupStorageLocation (BSL) is owned by a DataProtectionApplication (DPA), the DPA reconciler continuously overwrites the BSL spec. Any change made directly via oc oadp backup-location set (--cacert) has no lasting effect and silently misleads the user into thinking their change was applied.
This PR injects a PreRunE guard into the backup-location set subcommand that checks the BSL's ownerReferences before the update is attempted. If a DPA ownerReference is found, the command returns an actionable error directing the user to update the DPA spec instead. Standalone BSLs and all other backup-location subcommands are unaffected.
How to test the changes made
DPA-managed BSL:
Expected output:
Error: backup storage location "<name>" is managed by DataProtectionApplication "<dpa-name>". Direct modifications via 'oc oadp backup-location set' will be overwritten by the DPA reconciler. To change settings such as '--cacert', update the DataProtectionApplication spec instead.Standalone BSL
Expected output:
Backup storage location "<name>" configured successfully.Unit tests:
go test ./cmd/... -run TestBSLDPAManagedError -vJira Link: https://redhat.atlassian.net/browse/OADP-8340
Summary by CodeRabbit
Summary by CodeRabbit
Bug Fixes
backup-location setto block protected edits (notably when certificate/credential inputs change) and return more informative errors, including the managing application name when applicable.Tests