Rebase bot - oadp-1.5 branch against v1.16.2 tag (#431)

* Add BSL status check for backup/restore operations.

Signed-off-by: Xun Jiang <xun.jiang@broadcom.com>

* Bump golang to v1.23.10 to fix CVEs for 1.16.2 release (vmware-tanzu#9058)

* Bump golang to v1.23.10 to fix CVEs

Signed-off-by: Adarsh Saxena <adarsh.saxena@acquia.com>

* Dockerfile restic miss 1.23.10

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

* restic cve go1.23.10

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

---------

Signed-off-by: Adarsh Saxena <adarsh.saxena@acquia.com>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
Co-authored-by: Tiger Kaovilai <tkaovila@redhat.com>

* Allow for proper tracking of multiple hooks per container

Signed-off-by: Scott Seago <sseago@redhat.com>

* Mounted cloud credentials should not be world-readable (vmware-tanzu#8919) (vmware-tanzu#9094)

Signed-off-by: Scott Seago <sseago@redhat.com>

* issue 9077: don't block backup deletion on list VS error (vmware-tanzu#9101)

Signed-off-by: Lyndon-Li <lyonghui@vmware.com>

* Fix missing defaultVolumesToFsBackup flag output in Velero describe backup cmd (vmware-tanzu#9056)

add changelog file

Show defaultVolumesToFsBackup in describe only when set by the user

minor ut fix

minor fix

Signed-off-by: Shubham Pampattiwar <spampatt@redhat.com>
(cherry picked from commit 60a6c73)

update changelog filename

Signed-off-by: Shubham Pampattiwar <spampatt@redhat.com>

* Update Backup describe string for DefaultVolumesToFSBackup flag (vmware-tanzu#9105)

add changelog file

Signed-off-by: Shubham Pampattiwar <spampatt@redhat.com>
(cherry picked from commit aa2e09c)

* Add imagePullSecrets inheritance for VGDP pod and maintenance job. (vmware-tanzu#9102)

Signed-off-by: Xun Jiang <xun.jiang@broadcom.com>

* Bump Golang, Ubuntu, and golang.org/x/oauth2 to fix CVEs. (vmware-tanzu#9104)

Signed-off-by: Xun Jiang <xun.jiang@broadcom.com>

* 1.16.2 changelog

Signed-off-by: Lyndon-Li <lyonghui@vmware.com>

* Bump the Velero and plugin image versions for the upgrade and migration tests.

Signed-off-by: Xun Jiang <xun.jiang@broadcom.com>

* skip subresource in resource discovery (vmware-tanzu#6688)

Signed-off-by: lou <alex1988@outlook.com>
Co-authored-by: lou <alex1988@outlook.com>

* fix issue 6753

Signed-off-by: Lyndon-Li <lyonghui@vmware.com>

* Update restore controller logic for restore deletion (vmware-tanzu#6761)

1. Skip deleting the restore files from storage if the backup/BSL is not found
2. Allow deleting the restore files from storage even though the BSL is readonly

Signed-off-by: Wenkai Yin(尹文开) <yinw@vmware.com>

* Fix vmware-tanzu#6752: add namespace exclude check.

Add PSA audit and warn labels.

Signed-off-by: Xun Jiang <jxun@vmware.com>

* add csi snapshot data movement doc

Signed-off-by: Lyndon-Li <lyonghui@vmware.com>

* Modify changelogs for v1.12

Signed-off-by: allenxu404 <qix2@vmware.com>

* issue 6786:always delete VSC regardless of the deletion policy

Signed-off-by: Lyndon-Li <lyonghui@vmware.com>

* issue: move plugin depdending podvolume functions to util pkg

Signed-off-by: Lyndon-Li <lyonghui@vmware.com>

* issue 6880: set ParallelUploadAboveSize as MaxInt64

Signed-off-by: Lyndon-Li <lyonghui@vmware.com>

* changelog

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

* Add support for block volumes (vmware-tanzu#6680) (vmware-tanzu#6897)

(cherry picked from commit 8e01d1b)

Signed-off-by: David Zaninovic <dzaninovic@catalogicsoftware.com>

* Replace the base image with paketobuildpacks image

Replace the base image with paketobuildpacks image

Fixes vmware-tanzu#6851

Signed-off-by: Wenkai Yin(尹文开) <yinw@vmware.com>

* issue 6734: spread backup pod evenly

Signed-off-by: Lyndon-Li <lyonghui@vmware.com>

* Add doc links for new features to release note

Signed-off-by: allenxu404 <qix2@vmware.com>

* fix issue 6647

Signed-off-by: Lyndon-Li <lyonghui@vmware.com>

* Perf improvements for existing resource restore

Use informer cache with dynamic client for Get calls on restore
When enabled, also make the Get call before create.

Add server and install parameter to allow disabling this feature,
but enable by default

Signed-off-by: Scott Seago <sseago@redhat.com>

* issue vmware-tanzu#6807: Retry failed create when using generateName

When creating resources with generateName, apimachinery
does not guarantee uniqueness when it appends the random
suffix to the generateName stub, so if it fails with
already exists error, we need to retry.

Signed-off-by: Scott Seago <sseago@redhat.com>

* Import auth provider plugins

Signed-off-by: Sebastian Glab <sglab@catalogicsoftware.com>

* Add v1.12.1 changelog

Signed-off-by: allenxu404 <qix2@vmware.com>

* Make Windows build skip BlockMode code.

PVC block mode backup and restore introduced some OS specific
system calls. Those calls are not available for Windows, so
add both non Windows version and Windows version code, and
return error for block mode on the Windows platform.

Signed-off-by: Xun Jiang <jxun@vmware.com>

* udmrepo use region specified in BSL when s3URL is empty

Signed-off-by: Lyndon-Li <lyonghui@vmware.com>

* Change v1.12.1 changelog

Signed-off-by: allenxu404 <qix2@vmware.com>

* Dockerfile.ubi/travis local files

add UBI dockerfiles
Use numeric user for velero-restic-restore-helper
Enable multiarch builds (#135)
Use arm64-graviton2 for arm builds (#137)
Add required keys for arm builds (#139)
Update Travis build job to work w/o changes on new branches
Use a full VM for arm
Use numeric non-root user for nonroot SCC compatibility

* Add BZ + Publish automation to repo (#82)

(cherry picked from commit ccb545f)

Update PR-BZ automation mapping (#84)

(cherry picked from commit aa2b019)

Update PR-BZ automation (#92)

Co-authored-by: Rayford Johnson <rjohnson@redhat.com>
(cherry picked from commit ecc563f)

Add publish workflow (#108)

(cherry picked from commit f87b779)

* remove dependabot config from fork

* Create Makefile.prow

Code-gen no longer required on verify

due to vmware-tanzu#6039

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

oadp-1.2: Update Makefile.prow to velero-restore-helper

* set HOME in velero image for kopia, update controller-gen for CI (#280)

Signed-off-by: Scott Seago <sseago@redhat.com>

* build velero-helper binary for datamover pod

* restore: Use warning when Create IsAlreadyExist and Get error

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

* kopia/repository/config/aws.go: Set session.Options profile from config

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

* use ubi9-latest to build

* OADP-4225: add tzdata to Dockerfile.ubi

* fix: CI (#316)

Signed-off-by: Mateus Oliveira <msouzaol@redhat.com>

* fix: ARM images (#332)

* fix: ARM images

Signed-off-by: Mateus Oliveira <msouzaol@redhat.com>

* fixup! fix: ARM images

Signed-off-by: Mateus Oliveira <msouzaol@redhat.com>

---------

Signed-off-by: Mateus Oliveira <msouzaol@redhat.com>

* ubi: BUILDPLATFORM to build stage to enable cross compile. (#336)

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

* OADP-4640: Downstream only to allow override kopia default algorithms (#334) (#338)

add missing unit test for kopia hashing algo (#337)

Introduction of downstream only option to override Kopia default:
 - hashing algorithm
 - splitting algorithm
 - encryption algorithm

With introduction of 3 environment variables it is possible to override
Kopia algorithms used by Velero:

KOPIA_HASHING_ALGORITHM
KOPIA_SPLITTER_ALGORITHM
KOPIA_ENCRYPTION_ALGORITHM

If the env algorithms are not set or they are not within
Kopia SupportedAlgorithms, the default algorithm will be used.
This behavior is consistent with current behavior without this
change.

Signed-off-by: Michal Pryc <mpryc@redhat.com>
Signed-off-by: Shubham Pampattiwar <shubhampampattiwar7@gmail.com>

* Downstream only: Rework of Makefile and incusion of lint

The rework of Makefile to make it more readable and
inclusion of lint as a target as well extract
golangci-lint version from the upstream Dockerfile,
so we test in PROW or locally on the same version as upstream.

Signed-off-by: Michal Pryc <mpryc@redhat.com>

* Downstream only - fix lint error in downtream change (#343)

This fixes the PR #334 where one additional line was
in the code. This was not exposed previously as we
did not had downstream CI Lint jobs.

Signed-off-by: Michal Pryc <mpryc@redhat.com>

* run oadp-operator e2e test from the velero repo (#353)

* run oadp-operator e2e test from the velero repo

execute openshift/oadp-operator e2e tests directly
against the velero repo locally or via prow ci

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>

* update variable names, add a cleanup

* make sure env variable overrides default velero_image

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>

* add options to build, push, and only test

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>

* add arch to name

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>

* remove duplicated clean/rm operator checkout

* simplify by dropping export var and use a oneliner

Co-authored-by: Tiger Kaovilai <passawit.kaovilai@gmail.com>

* drop export and use oneliner

Co-authored-by: Tiger Kaovilai <passawit.kaovilai@gmail.com>

* just in case, allow oadp to be deployed from makefile

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>

* Update Makefile.prow

Co-authored-by: Tiger Kaovilai <passawit.kaovilai@gmail.com>

---------

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>
Co-authored-by: Tiger Kaovilai <passawit.kaovilai@gmail.com>

* DS Owners

* updated controller-gen version

* Include velero-restore-helper binary in velero image (#375)

Co-authored-by: Scott Seago <sseago@redhat.com>

* OADP-5952: downstream only, update error message disableFsBackup (#380)

* OADP-5952: clear error for disableFsBackup

This error message can be carried in OADP-1.5
Upstream issue:
vmware-tanzu#8185

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>

* fix error message and test

---------

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>

* Summary of Changes: (#381)

Move PVC Request Size Patch to Backup CSI Action
Shifted the logic that patches the PVC request size (to match the corresponding VolumeSnapshot size) from the CSI Restore action to the CSI Backup action.
✅ This enables restoring a PVC independently using label selectors, without requiring the VolumeSnapshot to be restored first.

Include VolumeSnapshot in CSI Additional Items for PVC
Added VolumeSnapshot as an additional item in the PVC CSI backup logic to ensure necessary metadata is available during restore.

Include VolumeSnapshotContent in CSI Restore Additional Items
Added VolumeSnapshotContent to the additional items in the CSI restore action to support a more complete restore workflow.
✅ This to make sure those resources are restored even if filters out by label from the resources list to restore

Author:    Amos Mastbaum <amastbau@redhat.com>
Signed-off-by: Amos Mastbaum <68001528+amastbau@users.noreply.github.com>

fixing-after-michal

wait-for-vsc.Status.RestoreSize

wait-for-vsc.Status.RestoreSize

Update pkg/util/csi/volume_snapshot.go

Update pkg/util/csi/volume_snapshot.go

Update pkg/util/csi/volume_snapshot.go

Co-authored-by: Scott Seago <sseago@redhat.com>

* Prep for Konflux (#385)

* Prep for Konflux

* Update git submodule restic commit

---------

Co-authored-by: Rayford Johnson <rayfordj@users.noreply.github.com>

* Red Hat Konflux update oadp-velero-oadp-1-5 (#386)

* Red Hat Konflux update oadp-velero-oadp-1-5
Signed-off-by: red-hat-konflux <konflux@no-reply.konflux-ci.dev>

* hermetic, prefetch-input

---------

Co-authored-by: red-hat-konflux <konflux@no-reply.konflux-ci.dev>
Co-authored-by: Rayford Johnson <rayfordj@users.noreply.github.com>

* Konflux: multiarch, tags, labels (#402)

* build-platforms

* generate-labels, LABELS

* ADDITIONAL_TAGS

---------

Co-authored-by: Rayford Johnson <rayfordj@users.noreply.github.com>

* Red Hat Konflux update oadp-velero-oadp-1-5 (#411)

* Red Hat Konflux update oadp-velero-oadp-1-5
Signed-off-by: red-hat-konflux <konflux@no-reply.konflux-ci.dev>

* Konflux: openshift-preflight: failed: HasLicense

"suggestion": "Create a directory named /licenses and include all
relevant licensing and/or terms and conditions as text file(s) in that
directory."

https://docs.redhat.com/en/documentation/red_hat_software_certification/2025/html-single/red_hat_openshift_software_certification_policy_guide/index#assembly-requirements-for-container-ima

> Container images must contain a “licenses” directory. Use this
> directory to add files containing software terms and conditions for your
> product and any open source software included in the image.
>
> Test name: HasLicense

---------

Co-authored-by: red-hat-konflux <konflux@no-reply.konflux-ci.dev>
Co-authored-by: Rayford Johnson <rayfordj@users.noreply.github.com>

* chore(deps): update konflux references (#394)

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>

* chore(deps): update konflux references (#413)

Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>

* add velero release to the velero container tags (#424)

Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>

* oadp-1.5: Update Konflux references (#430)

* oadp-1.5: Update Konflux references

Update konflux-ci image references

Changes committed via automation for oadp-1-5/velero.

* Use restic's release branch

---------

Co-authored-by: Rayford Johnson <rayfordj@users.noreply.github.com>

---------

Signed-off-by: Xun Jiang <xun.jiang@broadcom.com>
Signed-off-by: Adarsh Saxena <adarsh.saxena@acquia.com>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
Signed-off-by: Scott Seago <sseago@redhat.com>
Signed-off-by: Lyndon-Li <lyonghui@vmware.com>
Signed-off-by: Shubham Pampattiwar <spampatt@redhat.com>
Signed-off-by: lou <alex1988@outlook.com>
Signed-off-by: Wenkai Yin(尹文开) <yinw@vmware.com>
Signed-off-by: Xun Jiang <jxun@vmware.com>
Signed-off-by: allenxu404 <qix2@vmware.com>
Signed-off-by: David Zaninovic <dzaninovic@catalogicsoftware.com>
Signed-off-by: Sebastian Glab <sglab@catalogicsoftware.com>
Signed-off-by: Mateus Oliveira <msouzaol@redhat.com>
Signed-off-by: Michal Pryc <mpryc@redhat.com>
Signed-off-by: Shubham Pampattiwar <shubhampampattiwar7@gmail.com>
Signed-off-by: Wesley Hayutin <weshayutin@gmail.com>
Signed-off-by: red-hat-konflux <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Co-authored-by: Xun Jiang <xun.jiang@broadcom.com>
Co-authored-by: Wenkai Yin(尹文开) <yinw@vmware.com>
Co-authored-by: Adarsh Saxena <adarsh.saxena@acquia.com>
Co-authored-by: Tiger Kaovilai <tkaovila@redhat.com>
Co-authored-by: Scott Seago <sseago@redhat.com>
Co-authored-by: lyndon-li <98304688+Lyndon-Li@users.noreply.github.com>
Co-authored-by: Shubham Pampattiwar <spampatt@redhat.com>
Co-authored-by: Xun Jiang/Bruce Jiang <59276555+blackpiglet@users.noreply.github.com>
Co-authored-by: Lyndon-Li <lyonghui@vmware.com>
Co-authored-by: Daniel Jiang <jiangd@vmware.com>
Co-authored-by: lou <alex1988@outlook.com>
Co-authored-by: Xun Jiang <jxun@vmware.com>
Co-authored-by: allenxu404 <qix2@vmware.com>
Co-authored-by: David Zaninovic <74072514+dzaninovic@users.noreply.github.com>
Co-authored-by: Sebastian Glab <sglab@catalogicsoftware.com>
Co-authored-by: Dylan Murray <dymurray@redhat.com>
Co-authored-by: RayfordJ <rayfordj@users.noreply.github.com>
Co-authored-by: Mateus Oliveira <msouzaol@redhat.com>
Co-authored-by: Wesley Hayutin <138787+weshayutin@users.noreply.github.com>
Co-authored-by: Tiger Kaovilai <passawit.kaovilai@gmail.com>
Co-authored-by: OpenShift Cherrypick Robot <openshift-cherrypick-robot@redhat.com>
Co-authored-by: RayfordJ <4580787+rayfordj@users.noreply.github.com>
Co-authored-by: red-hat-konflux[bot] <126015336+red-hat-konflux[bot]@users.noreply.github.com>
Co-authored-by: red-hat-konflux <konflux@no-reply.konflux-ci.dev>

Author: 21 people

Dockerfile

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # Velero binary build section
-FROM --platform=$BUILDPLATFORM golang:1.23.8-bookworm AS velero-builder
+FROM --platform=$BUILDPLATFORM golang:1.23.11-bookworm AS velero-builder
 
 ARG GOPROXY
 ARG BIN
@@ -49,7 +49,7 @@ RUN mkdir -p /output/usr/bin && \
     go clean -modcache -cache
 
 # Restic binary build section
-FROM --platform=$BUILDPLATFORM golang:1.23.8-bookworm AS restic-builder
+FROM --platform=$BUILDPLATFORM golang:1.23.11-bookworm AS restic-builder
 
 ARG GOPROXY
 ARG BIN
@@ -73,7 +73,7 @@ RUN mkdir -p /output/usr/bin && \
     go clean -modcache -cache
 
 # Velero image packing section
-FROM paketobuildpacks/run-jammy-tiny:0.2.60
+FROM paketobuildpacks/run-jammy-tiny:0.2.73
 
 LABEL maintainer="Xun Jiang <jxun@vmware.com>"
 
@@ -82,4 +82,3 @@ COPY --from=velero-builder /output /
 COPY --from=restic-builder /output /
 
 USER cnb:cnb
-

Dockerfile-Windows

@@ -15,7 +15,7 @@
 ARG OS_VERSION=1809
 
 # Velero binary build section
-FROM --platform=$BUILDPLATFORM golang:1.23.8-bookworm AS velero-builder
+FROM --platform=$BUILDPLATFORM golang:1.23.10-bookworm AS velero-builder
 
 ARG GOPROXY
 ARG BIN

Tiltfile

@@ -52,7 +52,7 @@ git_sha = str(local("git rev-parse HEAD", quiet = True, echo_off = True)).strip(
 
 tilt_helper_dockerfile_header = """
 # Tilt image
-FROM golang:1.23.8 as tilt-helper
+FROM golang:1.23.11 as tilt-helper
 
 # Support live reloading with Tilt
 RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com/windmilleng/rerun-process-wrapper/master/restart.sh  && \

changelogs/CHANGELOG-1.16.md

@@ -1,3 +1,27 @@
+## v1.16.2
+
+### Download
+https://github.com/vmware-tanzu/velero/releases/tag/v1.16.2
+
+### Container Image
+`velero/velero:v1.16.2`
+
+### Documentation
+https://velero.io/docs/v1.16/
+
+### Upgrading
+https://velero.io/docs/v1.16/upgrade-to-1.16/
+
+### All Changes
+  * Update "Default Volumes to Fs Backup" to "File System Backup (Default)" (#9105, @shubham-pampattiwar)
+  * Fix missing defaultVolumesToFsBackup flag output in Velero describe backup cmd (#9103, @shubham-pampattiwar)
+  * Add imagePullSecrets inheritance for VGDP pod and maintenance job. (#9102, @blackpiglet)
+  * Fix issue #9077, don't block backup deletion on list VS error (#9101, @Lyndon-Li)
+  * Mounted cloud credentials should not be world-readable (#9094, @sseago)
+  * Allow for proper tracking of multiple hooks per container (#9060, @sseago)
+  * Add BSL status check for backup/restore operations. (#9010, @blackpiglet)
+
+
 ## v1.16.1
 
 ### Download

go.mod

@@ -2,7 +2,7 @@ module github.com/vmware-tanzu/velero
 
 go 1.23.0
 
-toolchain go1.23.8
+toolchain go1.23.11
 
 require (
 	cloud.google.com/go/storage v1.50.0

hack/build-image/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM --platform=$TARGETPLATFORM golang:1.23.8-bookworm
+FROM --platform=$TARGETPLATFORM golang:1.23.11-bookworm
 
 ARG GOPROXY
 

hack/fix_restic_cve.txt

@@ -1,8 +1,8 @@
 diff --git a/go.mod b/go.mod
-index 5f939c481..5c5db077f 100644
+index 5f939c481..3ff6e6fa1 100644
 --- a/go.mod
 +++ b/go.mod
-@@ -24,32 +24,32 @@ require (
+@@ -24,32 +24,31 @@ require (
  	github.com/restic/chunker v0.4.0
  	github.com/spf13/cobra v1.6.1
  	github.com/spf13/pflag v1.0.5
@@ -16,7 +16,7 @@ index 5f939c481..5c5db077f 100644
 -	google.golang.org/api v0.106.0
 +	golang.org/x/crypto v0.36.0
 +	golang.org/x/net v0.38.0
-+	golang.org/x/oauth2 v0.7.0
++	golang.org/x/oauth2 v0.27.0
 +	golang.org/x/sync v0.12.0
 +	golang.org/x/sys v0.31.0
 +	golang.org/x/term v0.30.0
@@ -27,10 +27,10 @@ index 5f939c481..5c5db077f 100644
  require (
 -	cloud.google.com/go v0.108.0 // indirect
 -	cloud.google.com/go/compute v1.15.1 // indirect
-+	cloud.google.com/go v0.110.0 // indirect
-+	cloud.google.com/go/compute v1.19.1 // indirect
- 	cloud.google.com/go/compute/metadata v0.2.3 // indirect
+-	cloud.google.com/go/compute/metadata v0.2.3 // indirect
 -	cloud.google.com/go/iam v0.10.0 // indirect
++	cloud.google.com/go v0.110.0 // indirect
++	cloud.google.com/go/compute/metadata v0.3.0 // indirect
 +	cloud.google.com/go/iam v0.13.0 // indirect
  	github.com/Azure/azure-sdk-for-go/sdk/internal v1.1.2 // indirect
  	github.com/cpuguy83/go-md2man/v2 v2.0.2 // indirect
@@ -49,7 +49,7 @@ index 5f939c481..5c5db077f 100644
  	github.com/inconshreveable/mousetrap v1.1.0 // indirect
  	github.com/json-iterator/go v1.1.12 // indirect
  	github.com/klauspost/cpuid/v2 v2.2.3 // indirect
-@@ -63,11 +63,13 @@ require (
+@@ -63,11 +62,13 @@ require (
  	go.opencensus.io v0.24.0 // indirect
  	golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 // indirect
  	google.golang.org/appengine v1.6.7 // indirect
@@ -66,26 +66,27 @@ index 5f939c481..5c5db077f 100644
 -go 1.18
 +go 1.23.0
 +
-+toolchain go1.23.7
++toolchain go1.23.11
+\ No newline at end of file
 diff --git a/go.sum b/go.sum
-index 026e1d2fa..836a9b274 100644
+index 026e1d2fa..d7857bb2b 100644
 --- a/go.sum
 +++ b/go.sum
-@@ -1,23 +1,26 @@
+@@ -1,23 +1,24 @@
  cloud.google.com/go v0.26.0/go.mod h1:aQUYkXzVsufM+DwF1aE+0xfcU+56JwCaLick0ClmMTw=
 -cloud.google.com/go v0.108.0 h1:xntQwnfn8oHGX0crLVinvHM+AhXvi3QHQIEcX/2hiWk=
 -cloud.google.com/go v0.108.0/go.mod h1:lNUfQqusBJp0bgAg6qrHgYFYbTB+dOiob1itwnlD33Q=
 -cloud.google.com/go/compute v1.15.1 h1:7UGq3QknM33pw5xATlpzeoomNxsacIVvTqTTvbfajmE=
 -cloud.google.com/go/compute v1.15.1/go.mod h1:bjjoF/NtFUrkD/urWfdHaKuOPDR5nWIs63rR+SXhcpA=
-+cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys=
-+cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY=
-+cloud.google.com/go/compute v1.19.1 h1:am86mquDUgjGNWxiGn+5PGLbmgiWXlE/yNWpIpNvuXY=
-+cloud.google.com/go/compute v1.19.1/go.mod h1:6ylj3a05WF8leseCdIf77NK0g1ey+nj5IKd5/kvShxE=
- cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
- cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
+-cloud.google.com/go/compute/metadata v0.2.3 h1:mg4jlk7mCAj6xXp9UJ4fjI9VUI5rubuGBW5aJ7UnBMY=
+-cloud.google.com/go/compute/metadata v0.2.3/go.mod h1:VAV5nSsACxMJvgaAuX6Pk2AawlZn8kiOGuCv6gTkwuA=
 -cloud.google.com/go/iam v0.10.0 h1:fpP/gByFs6US1ma53v7VxhvbJpO2Aapng6wabJ99MuI=
 -cloud.google.com/go/iam v0.10.0/go.mod h1:nXAECrMt2qHpF6RZUZseteD6QyanL68reN4OXPw0UWM=
 -cloud.google.com/go/longrunning v0.3.0 h1:NjljC+FYPV3uh5/OwWT6pVU+doBqMg2x/rZlE+CamDs=
++cloud.google.com/go v0.110.0 h1:Zc8gqp3+a9/Eyph2KDmcGaPtbKRIoqq4YTlL4NMD0Ys=
++cloud.google.com/go v0.110.0/go.mod h1:SJnCLqQ0FCFGSZMUNUf84MV3Aia54kn7pi8st7tMzaY=
++cloud.google.com/go/compute/metadata v0.3.0 h1:Tz+eQXMEqDIKRsmY3cHTL6FVaynIjX2QxYC4trgAKZc=
++cloud.google.com/go/compute/metadata v0.3.0/go.mod h1:zFmK7XCadkQkj6TtorcaGlCW1hT1fIilQDwofLpJ20k=
 +cloud.google.com/go/iam v0.13.0 h1:+CmB+K0J/33d0zSQ9SlFWUeCCEn5XJA0ZMZ3pHE9u8k=
 +cloud.google.com/go/iam v0.13.0/go.mod h1:ljOg+rcNfzZ5d6f1nAUJ8ZIxOaZUVoS14bKCtaLZ/D0=
 +cloud.google.com/go/longrunning v0.4.1 h1:v+yFJOfKC3yZdY6ZUI933pIYdhyhV8S3NpWrXWmg7jM=
@@ -105,15 +106,15 @@ index 026e1d2fa..836a9b274 100644
  github.com/BurntSushi/toml v0.3.1/go.mod h1:xHWCNGjB5oqiDr8zfno3MHue2Ht5sIBksp03qcyfWMU=
  github.com/Julusian/godocdown v0.0.0-20170816220326-6d19f8ff2df8/go.mod h1:INZr5t32rG59/5xeltqoCJoNY7e5x/3xoY9WSWVWg74=
  github.com/anacrolix/fuse v0.2.0 h1:pc+To78kI2d/WUjIyrsdqeJQAesuwpGxlI3h1nAv3Do=
-@@ -54,6 +57,7 @@ github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNu
+@@ -54,6 +55,7 @@ github.com/felixge/fgprof v0.9.3/go.mod h1:RdbpDgzqYVh/T9fPELJyV7EYJuHB55UTEULNu
  github.com/go-ole/go-ole v1.2.6 h1:/Fpf6oFPoeFik9ty7siob0G6Ke8QvQEuVcuChpwXzpY=
  github.com/go-ole/go-ole v1.2.6/go.mod h1:pprOEPIfldk/42T2oK7lQ4v4JSDwmV0As9GaiUsvbm0=
  github.com/golang-jwt/jwt v3.2.1+incompatible h1:73Z+4BJcrTC+KczS6WvTPvRGOp1WmfEP4Q1lOd9Z/+c=
 +github.com/golang-jwt/jwt v3.2.1+incompatible/go.mod h1:8pz2t5EyA70fFQQSrl6XZXzqecmYZeUEB8OUGHkxJ+I=
  github.com/golang/glog v0.0.0-20160126235308-23def4e6c14b/go.mod h1:SBH7ygxi8pfUlaOkMMuAQtPIUF8ecWP5IEl/CR7VP2Q=
  github.com/golang/groupcache v0.0.0-20200121045136-8c9f03a8e57e/go.mod h1:cIg4eruTrX1D+g88fzRXU5OdNfaM+9IcxsU14FzY7Hc=
  github.com/golang/groupcache v0.0.0-20210331224755-41bb18bfe9da h1:oI5xCqsCo564l8iNU+DwB5epxmsaqB+rhGL0m5jtYqE=
-@@ -70,8 +74,8 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq
+@@ -70,8 +72,8 @@ github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvq
  github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
  github.com/golang/protobuf v1.4.3/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
  github.com/golang/protobuf v1.5.0/go.mod h1:FsONVRAS9T7sI+LIUmWTfcYkHO4aIWwzhcaSAoJOfIk=
@@ -124,7 +125,7 @@ index 026e1d2fa..836a9b274 100644
  github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
  github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
  github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
-@@ -82,17 +86,18 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
+@@ -82,17 +84,18 @@ github.com/google/go-cmp v0.5.5/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/
  github.com/google/go-cmp v0.5.9 h1:O2Tfq5qg4qc4AmwVlvv0oLiVAGB7enBSJ2x2DqQFi38=
  github.com/google/go-cmp v0.5.9/go.mod h1:17dUlkBOakJ0+DkrSSNjCkIjxS6bF9zb3elmeNGIjoY=
  github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -148,23 +149,23 @@ index 026e1d2fa..836a9b274 100644
  github.com/hashicorp/golang-lru/v2 v2.0.1 h1:5pv5N1lT1fjLg2VQ5KWc7kmucp2x/kvFOnxuVTqZ6x4=
  github.com/hashicorp/golang-lru/v2 v2.0.1/go.mod h1:QeFd9opnmA6QUJc5vARoKUSoFhyfM2/ZepoAG6RGpeM=
  github.com/ianlancetaylor/demangle v0.0.0-20210905161508-09a460cdf81d/go.mod h1:aYm2/VgdVmcIU8iMfdMvDMsRAQjcfZSKFby6HOFvi/w=
-@@ -114,6 +119,7 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
+@@ -114,6 +117,7 @@ github.com/kr/fs v0.1.0/go.mod h1:FFnZGqtBN9Gxj7eW1uZ42v5BccTP0vu6NEaFoC2HwRg=
  github.com/kurin/blazer v0.5.4-0.20211030221322-ba894c124ac6 h1:nz7i1au+nDzgExfqW5Zl6q85XNTvYoGnM5DHiQC0yYs=
  github.com/kurin/blazer v0.5.4-0.20211030221322-ba894c124ac6/go.mod h1:4FCXMUWo9DllR2Do4TtBd377ezyAJ51vB5uTBjt0pGU=
  github.com/kylelemons/godebug v1.1.0 h1:RPNrshWIDI6G2gRW9EHilWtl7Z6Sb1BR0xunSBf0SNc=
 +github.com/kylelemons/godebug v1.1.0/go.mod h1:9/0rRGxNHcop5bhtWyNeEfOS8JIWk580+fNqagV/RAw=
  github.com/minio/md5-simd v1.1.2 h1:Gdi1DZK69+ZVMoNHRXJyNcxrMA4dSxoYHZSQbirFg34=
  github.com/minio/md5-simd v1.1.2/go.mod h1:MzdKDxYpY2BT9XQFocsiZf/NKVtR7nkE4RoEpN+20RM=
  github.com/minio/minio-go/v7 v7.0.46 h1:Vo3tNmNXuj7ME5qrvN4iadO7b4mzu/RSFdUkUhaPldk=
-@@ -129,6 +135,7 @@ github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3P
+@@ -129,6 +133,7 @@ github.com/modocache/gover v0.0.0-20171022184752-b58185e213c5/go.mod h1:caMODM3P
  github.com/ncw/swift/v2 v2.0.1 h1:q1IN8hNViXEv8Zvg3Xdis4a3c4IlIGezkYz09zQL5J0=
  github.com/ncw/swift/v2 v2.0.1/go.mod h1:z0A9RVdYPjNjXVo2pDOPxZ4eu3oarO1P91fTItcb+Kg=
  github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4 h1:Qj1ukM4GlMWXNdMBuXcXfz/Kw9s1qm0CLY32QxuSImI=
 +github.com/pkg/browser v0.0.0-20210115035449-ce105d075bb4/go.mod h1:N6UoU20jOqggOuDwUaBQpluzLNDqif3kq9z2wpdYEfQ=
  github.com/pkg/errors v0.9.1 h1:FEBLx1zS214owpjy7qsBeixbURkuhQAwrK5UwLGTwt4=
  github.com/pkg/errors v0.9.1/go.mod h1:bwawxfHBFNV+L2hUp1rHADufV3IMtnDRdf1r5NINEl0=
  github.com/pkg/profile v1.7.0 h1:hnbDkaNWPCLMO9wGLdBFTIZvzDrDfBM2072E1S9gJkA=
-@@ -172,8 +179,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
+@@ -172,8 +177,8 @@ golang.org/x/crypto v0.0.0-20190308221718-c2843e01d9a2/go.mod h1:djNgcEr1/C05ACk
  golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8UmvKecakEJjdnWj3jj499lnFckfCI=
  golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
  golang.org/x/crypto v0.0.0-20211215153901-e495a2d5b3d3/go.mod h1:IxCIyHEi3zRg3s0A5j5BB6A9Jmi73HwBIUl50j+osU4=
@@ -175,7 +176,7 @@ index 026e1d2fa..836a9b274 100644
  golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
  golang.org/x/lint v0.0.0-20181026193005-c67002cb31c3/go.mod h1:UVdnD1Gm6xHRNCYTkRU2/jEulfH38KcIWyp/GAMgvoE=
  golang.org/x/lint v0.0.0-20190227174305-5b3e6a55c961/go.mod h1:wehouNa3lNwaWXcvxsM5YxQ5yQlVC4a0KAMCusXpPoU=
-@@ -189,17 +196,17 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
+@@ -189,17 +194,17 @@ golang.org/x/net v0.0.0-20190620200207-3b0461eec859/go.mod h1:z5CRVTTTmAJ677TzLL
  golang.org/x/net v0.0.0-20200226121028-0de0cce0169b/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
  golang.org/x/net v0.0.0-20201110031124-69a78807bb2b/go.mod h1:sp8m0HH+o8qH0wwXwYZr8TS3Oi6o0r6Gce1SSxlDquU=
  golang.org/x/net v0.0.0-20211112202133-69e39bad7dc2/go.mod h1:9nx3DQGgdP8bBQD5qxJ1jj9UTztislL4KSBs9R2vV5Y=
@@ -186,8 +187,8 @@ index 026e1d2fa..836a9b274 100644
  golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 -golang.org/x/oauth2 v0.4.0 h1:NF0gk8LVPg1Ml7SSbGyySuoxdsXitj7TvgvuRxIMc/M=
 -golang.org/x/oauth2 v0.4.0/go.mod h1:RznEsdpjGAINPTOF0UH/t+xJ75L18YO3Ho6Pyn+uRec=
-+golang.org/x/oauth2 v0.7.0 h1:qe6s0zUXlPX80/dITx3440hWZ7GwMwgDDyrSGTPJG/g=
-+golang.org/x/oauth2 v0.7.0/go.mod h1:hPLQkd9LyjfXTiRohC/41GhcFqxisoUQ99sCUOHO9x4=
++golang.org/x/oauth2 v0.27.0 h1:da9Vo7/tDv5RH/7nZDz1eMGS/q1Vv1N/7FCrBhI9I3M=
++golang.org/x/oauth2 v0.27.0/go.mod h1:onh5ek6nERTohokkhCD/y2cV4Do3fxFHFuAejCkRWT8=
  golang.org/x/sync v0.0.0-20180314180146-1d60e4601c6f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
  golang.org/x/sync v0.0.0-20181108010431-42b317875d0f/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
  golang.org/x/sync v0.0.0-20190423024810-112230192c58/go.mod h1:RxMgew5VJxzue5/jJTE5uejpjVlOe/izrB70Jof72aM=
@@ -199,7 +200,7 @@ index 026e1d2fa..836a9b274 100644
  golang.org/x/sys v0.0.0-20180830151530-49385e6e1522/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
  golang.org/x/sys v0.0.0-20190215142949-d0b11bdaac8a/go.mod h1:STP8DvDyc/dI5b8T5hshtkjS+E42TnysNCUPdjciGhY=
  golang.org/x/sys v0.0.0-20190412213103-97732733099d/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
-@@ -214,17 +221,17 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
+@@ -214,17 +219,17 @@ golang.org/x/sys v0.0.0-20211216021012-1d35b9e2eb4e/go.mod h1:oPkhp1MJrh7nUepCBc
  golang.org/x/sys v0.0.0-20220408201424-a24fb2fb8a0f/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
  golang.org/x/sys v0.0.0-20220704084225-05e143d24a9e/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
  golang.org/x/sys v0.0.0-20220715151400-c0bba94af5f8/go.mod h1:oPkhp1MJrh7nUepCBck5+mAzfO9JrbApNNgaTdGDITg=
@@ -223,7 +224,7 @@ index 026e1d2fa..836a9b274 100644
  golang.org/x/tools v0.0.0-20180917221912-90fa682c2a6e/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
  golang.org/x/tools v0.0.0-20190114222345-bf090417da8b/go.mod h1:n7NCudcB/nEzxVGmLbDWY5pfWTLqBcC2KZ6jyYvM4mQ=
  golang.org/x/tools v0.0.0-20190226205152-f727befe758c/go.mod h1:9Yl7xja0Znq3iFh3HoIrodX9oNMXvdceNzlUR8zjMvY=
-@@ -237,8 +244,8 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
+@@ -237,8 +242,8 @@ golang.org/x/xerrors v0.0.0-20191011141410-1b5146add898/go.mod h1:I/5z698sn9Ka8T
  golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
  golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2 h1:H2TDz8ibqkAF6YGhCdN3jS9O0/s90v0rJh3X/OLHEUk=
  golang.org/x/xerrors v0.0.0-20220907171357-04be3eba64a2/go.mod h1:K8+ghG5WaK9qNqU5K3HdILfMLy1f3aNYFI/wnl100a8=
@@ -234,7 +235,7 @@ index 026e1d2fa..836a9b274 100644
  google.golang.org/appengine v1.1.0/go.mod h1:EbEs0AVv82hx2wNQdGPgUI5lhzA/G0D9YwlJXL52JkM=
  google.golang.org/appengine v1.4.0/go.mod h1:xpcJRLb0r/rnEns0DIKYYv+WjYCduHsrkT7/EB5XEv4=
  google.golang.org/appengine v1.6.7 h1:FZR1q0exgwxzPzp/aF+VccGrSfxfPpkBqjIIEq3ru6c=
-@@ -246,15 +253,15 @@ google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCID
+@@ -246,15 +251,15 @@ google.golang.org/appengine v1.6.7/go.mod h1:8WjMMxjGQR8xUklV/ARdw2HLXBOI7O7uCID
  google.golang.org/genproto v0.0.0-20180817151627-c66870c02cf8/go.mod h1:JiN7NxoALGmiZfu7CAH4rXhgtRTLTxftemlI0sWmxmc=
  google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98Agz4BDEuKkezgsaosCRResVns1a3J2ZsMNc=
  google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
@@ -254,7 +255,7 @@ index 026e1d2fa..836a9b274 100644
  google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
  google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
  google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
-@@ -266,14 +273,15 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
+@@ -266,14 +271,15 @@ google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpAD
  google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
  google.golang.org/protobuf v1.26.0-rc.1/go.mod h1:jlhhOSvTdKEhbULTjvd4ARK9grFBp09yW+WbY/TyQbw=
  google.golang.org/protobuf v1.26.0/go.mod h1:9q0QmTI4eRPtz6boOQmLYwt+qCgq0jsYwAQnmE0givc=

internal/credentials/file_store.go

@@ -71,7 +71,8 @@ func (n *namespacedFileStore) Path(selector *corev1api.SecretKeySelector) (strin
 
 	keyFilePath := filepath.Join(n.fsRoot, fmt.Sprintf("%s-%s", selector.Name, selector.Key))
 
-	file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0644)
+	// owner RW perms, group R perms, no public perms
+	file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE|os.O_TRUNC, 0640)
 	if err != nil {
 		return "", errors.Wrap(err, "unable to open credentials file for writing")
 	}