From ab297968f36d7a0b8100261632cca7c9e1466993 Mon Sep 17 00:00:00 2001
From: SAY-5
Date: Tue, 21 Apr 2026 19:24:36 -0700
Subject: [PATCH] fix(bsl): require region when s3Url is set on AWS BackupStorageLocation

`validateAWSBackupStorageLocation` let a BSL through when `provider: aws`, a custom `s3Url` (IBM COS / MinIO / NooBaa / ...) and no `region` were all set together. The only region check we had was (config == nil || len(config[Region]) == 0) && (config[S3ForcePathStyle] == "true" || !BucketRegionIsDiscoverable(bucket)) so once `s3ForcePathStyle` stopped being required (IBM COS no longer needs it), the validation fell through to `BucketRegionIsDiscoverable` -- which queries AWS's HeadBucket API against `s3.us-east-1.amazonaws.com` and is meaningless for non-AWS endpoints. It either fails (validation works by accident) or returns a bogus region from an unrelated like-named AWS bucket (validation passes but Velero can't connect). Short-circuit that path: if `s3Url` is set and `region` is not, reject the BSL with a clear error before falling into the discovery branch. Closes #2108.
---
 internal/controller/bsl.go | 12 +++++++++++-
 1 file changed, 11 insertions(+), 1 deletion(-)

diff --git a/internal/controller/bsl.go b/internal/controller/bsl.go
index fa2e95b406..832b662442 100644
--- a/internal/controller/bsl.go
+++ b/internal/controller/bsl.go
@@ -526,7 +526,17 @@ func (r *DataProtectionApplicationReconciler) validateAWSBackupStorageLocation(b
 return fmt.Errorf("prefix for AWS backupstoragelocation object storage cannot be empty. It is required for backing up images")
 }
 
- // BSL region is required when
+ // BSL region is required when a custom s3Url is configured: the user is
+ // pointing to a non-AWS S3-compatible endpoint (IBM COS, MinIO, NooBaa,
+ // etc.) so BucketRegionIsDiscoverable cannot be trusted — it queries the
+ // AWS HeadBucket API, which either fails (validation works by accident)
+ // or returns the region for an unrelated bucket that happens to share
+ // the same name in AWS (validation passes but Velero cannot connect).
+ if bslSpec.Config != nil && len(bslSpec.Config[S3URL]) > 0 && len(bslSpec.Config[Region]) == 0 {
+ return fmt.Errorf("region is required when s3Url is set for AWS backupstoragelocation; region cannot be auto-discovered for non-AWS S3-compatible endpoints")
+ }
+
+ // BSL region is also required when
 // - s3ForcePathStyle is true, because some velero processes requires region to be set and is not auto-discoverable when s3ForcePathStyle is true
 // imagestream backup in openshift-velero-plugin now uses the same method to discover region as the rest of the velero codebase
 // - even when s3ForcePathStyle is false, some aws bucket regions may not be discoverable and the user has to set it manually
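Review bot: The added `if` rejects every BSL with a non-empty `s3Url` and no `region`, while its comment and error text assume the endpoint is non-AWS; if any existing configuration sets `s3Url` to an AWS-hosted endpoint and relied on discovery (not visible from this hunk), it will start failing validation on upgrade. The comment should say the rule is deliberate for any `s3Url`, for example `// Applies to every s3Url value, AWS-hosted or not: the endpoint is user-supplied, so region must be explicit.` The `bslSpec.Config != nil` test looks redundant, since indexing a nil map yields the empty string (assuming Config is a map, as the indexing suggests), so the condition can be `len(bslSpec.Config[S3URL]) > 0 && len(bslSpec.Config[Region]) == 0`. The diffstat lists only bsl.go, so a test case for `s3Url` set without `region`, and one with both set, would pin this path. The function body starts and ends outside the hunk.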