fix(bsl): require region when s3Url is set on AWS BackupStorageLocation #2175
SAY-5 wants to merge 1 commit into openshift:oadp-dev
`validateAWSBackupStorageLocation` let a BSL through when `provider:
aws`, a custom `s3Url` (IBM COS / MinIO / NooBaa / ...) and no `region`
were all set together. The only region check we had was
    (config == nil || len(config[Region]) == 0) &&
    (config[S3ForcePathStyle] == "true" || !BucketRegionIsDiscoverable(bucket))
so once `s3ForcePathStyle` stopped being required (IBM COS no longer
needs it), the validation fell through to `BucketRegionIsDiscoverable`
-- which queries AWS's HeadBucket API against `s3.us-east-1.amazonaws.com`
and is meaningless for non-AWS endpoints. It either fails (validation
works by accident) or returns a bogus region from an unrelated
like-named AWS bucket (validation passes but Velero can't connect).
Short-circuit that path: if `s3Url` is set and `region` is not,
reject the BSL with a clear error before falling into the discovery
branch.
Closes #2108.
|
No actionable comments were generated in the recent review. 🎉
Walkthrough
Updated AWS Backup Storage Location validation to require an explicit
|
Hi @SAY-5. Thanks for your PR. I'm waiting for an openshift member to verify that this patch is reasonable to test. If it is, they should reply with Regular contributors should join the org to skip this step. Once the patch is verified, the new status will be reflected by the |
|
/lgtm |
|
[APPROVALNOTIFIER] This PR is APPROVED
This pull-request has been approved by: mpryc, SAY-5 |
|
/ok-to-test |
|
/hold I will allow others to review as well, just wondering if a minimal unit test could be added here, something along the lines of:
```go
{
	name: "test AWS BSL with s3Url but no region",
	dpa: &oadpv1alpha1.DataProtectionApplication{
		ObjectMeta: metav1.ObjectMeta{
			Name:      "foo",
			Namespace: "test-ns",
		},
		Spec: oadpv1alpha1.DataProtectionApplicationSpec{
			Configuration: &oadpv1alpha1.ApplicationConfig{
				Velero: &oadpv1alpha1.VeleroConfig{},
			},
			BackupLocations: []oadpv1alpha1.BackupLocation{
				{
					Velero: &velerov1.BackupStorageLocationSpec{
						Provider: "aws",
						Config: map[string]string{
							S3URL: "https://s3.example.com",
						},
						// ... ObjectStorage, Credential, etc.
					},
				},
			},
		},
	},
	want:    false,
	wantErr: true,
	secret:  &corev1.Secret{...},
},
```
|
|
@SAY-5: The following test failed, say
|
#2109 also implements this, FYI. If we prefer this PR, feel free to copy the unit test over. |
Closes #2108.
Problem
`validateAWSBackupStorageLocation` in `internal/controller/bsl.go` accepted BSLs where `provider: aws`, a custom `s3Url` and no `region` were all set together. The only region check was:
```go
if (config == nil || len(config[Region]) == 0) &&
	(config[S3ForcePathStyle] == "true" || !aws.BucketRegionIsDiscoverable(bucket)) {
	return ...
}
}
```
Once `s3ForcePathStyle` stopped being required (IBM COS no longer needs it), validation fell through to `BucketRegionIsDiscoverable`, which queries AWS's HeadBucket API against `s3.us-east-1.amazonaws.com`. That's meaningless for non-AWS S3-compatible endpoints (IBM COS, MinIO, NooBaa): either discovery fails and validation works by accident, or discovery succeeds against an unrelated like-named AWS bucket and validation passes — but Velero can't connect to the actual backend.
Fix
Short-circuit that path: if `s3Url` is set and `region` is not, reject the BSL before falling into the discovery branch, with the message the issue suggests:
Scoped to exactly the configuration the issue calls out (`s3Url` present, `region` absent); everything else in `validateAWSBackupStorageLocation` stays unchanged.
Verification
I considered adding a focused unit test next to `TestValidatePEMCertificate`, but `validateAWSBackupStorageLocation` dereferences a real `client.Client` via `validateProviderPluginAndSecret` before reaching the config check, so a standalone call panics without a fake client. The existing table-driven `TestDPAReconciler_ValidateBackupStorageLocations` is the right place to add coverage — I'd rather wire that up as a follow-up (it's a big table and I don't want to bury this change in scaffolding noise). Happy to push that if reviewers would prefer it bundled here.
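As an added example (not code from this PR or from the OADP repository), the sketch below reproduces the ordering problem described above: with `s3Url` set and `region` empty, the original check depends entirely on AWS region discovery, while a short-circuit placed before it rejects the configuration regardless of what discovery returns. The names `oldRegionCheck`, `newRegionCheck` and `discoverFunc`, the stubbed discovery callback, and both error strings are assumptions made for illustration.

```go
package main

import (
	"errors"
	"fmt"
)

// BSL config keys as named on this page.
const (
	Region           = "region"
	S3URL            = "s3Url"
	S3ForcePathStyle = "s3ForcePathStyle"
)

// discoverFunc is a hypothetical stand-in for aws.BucketRegionIsDiscoverable,
// stubbed so the example runs offline.
type discoverFunc func(bucket string) bool

// oldRegionCheck mirrors the single region check quoted in the PR description.
// Indexing a nil map yields "", so the explicit nil test is not needed here.
func oldRegionCheck(config map[string]string, bucket string, discoverable discoverFunc) error {
	if len(config[Region]) == 0 &&
		(config[S3ForcePathStyle] == "true" || !discoverable(bucket)) {
		return errors.New("region not set and not discoverable") // constructed message
	}
	return nil
}

// newRegionCheck rejects s3Url-without-region before discovery is consulted.
func newRegionCheck(config map[string]string, bucket string, discoverable discoverFunc) error {
	if len(config[S3URL]) > 0 && len(config[Region]) == 0 {
		return errors.New("region is required when s3Url is set") // constructed message
	}
	return oldRegionCheck(config, bucket, discoverable)
}

func main() {
	// Constructed input: custom endpoint, no region, no s3ForcePathStyle.
	cfg := map[string]string{S3URL: "https://s3.example.com"}
	// Discovery "succeeds" because an unrelated AWS bucket shares the name.
	likeNamed := func(string) bool { return true }
	fmt.Println("old check:", oldRegionCheck(cfg, "backups", likeNamed))
	fmt.Println("new check:", newRegionCheck(cfg, "backups", likeNamed))
}
```

A table-driven test for the real validator would want both discovery outcomes for the `s3Url`-without-`region` case, since the original check only rejected it when discovery happened to fail.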