Merge https://github.com/velero-io/velero:main (e6d928c) into oadp-dev

[oadp-rebasebot-app]

Summary by CodeRabbit

• New Features

  • Block-level data-mover design for CBT-driven incremental backups; docs for parallel backup processing.

• Bug Fixes

  • List operations for restores now respect the installed namespace.
  • Backup deletion treats missing tarballs as permanent (avoids needless retries) and skips destructive removal on download failures.
  • Added small delay to avoid snapshot create/delete races.
  • Wildcard matching: empty include list no longer triggers expansion.

• Dependency Updates

  • external-snapshotter bumped for v1beta2 VolumeGroupSnapshot support; Debian base image updated to trixie.

• Other

  • CI path-check workflow and multiple unreleased changelog entries added.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: oadp-rebasebot-app[bot]
Once this PR has been reviewed and has the lgtm label, please assign kaovilai for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• DOWNSTREAM_OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Bumps several dependencies and Go module updates; migrates external-snapshotter VolumeGroupSnapshot usages from v1beta1→v1beta2; narrows PodVolumeBackup/DataUpload listings to namespace scope; increases maintenance-status queue length; adds temp VSC create/delete delay; refines tarball-download error handling; removes restic build from images; adds CI filepath-check workflow and block-data-mover design doc.

Changes

Cohort / File(s)	Summary
Go modules & deps go.mod	Bumped hashicorp plugins/logging, external-snapshotter client v8 to v8.4.0, klog v2, and several indirect deps; removed one indirect.
VolumeGroupSnapshot API migration pkg/backup/actions/csi/pvc_action.go, pkg/restore/actions/csi/volumesnapshot_action.go, pkg/restore/actions/pod_volume_restore_action.go, pkg/controller/restore_finalizer_controller.go, pkg/test/..., pkg/..._test.go	Replaced imports/types/usages from volumegroupsnapshot/v1beta1 → v1beta2 across code and tests; updated signatures/ownerRef APIVersion expectations where applicable.
Namespace-scoped listings pkg/backup/actions/csi/pvc_action.go, pkg/restore/actions/pod_volume_restore_action.go, pkg/controller/restore_controller.go	Added ListOptions.Namespace for PodVolumeBackup/DataUpload listings to limit queries to the restore/backup namespace; getDataUpload now accepts namespace.
Restore & PVR selection changes pkg/controller/pod_volume_restore_controller.go, pkg/controller/..._test.go, deleted pkg/controller/pod_volume_restore_controller_legacy.go	Replaced legacy PVR detection with uploader-type validation; removed legacy reconciler file and updated tests to require/handle uploader type.
Backup deletion & tarball error handling pkg/controller/backup_deletion_controller.go, pkg/controller/backup_deletion_controller_test.go	Classifies tarball-not-found errors, always runs offline CSI cleanup on download failure, skips backup-store deletion when earlier errors exist, and splits tests for not-found vs other errors.
Temporary VSC create/delete gap internal/delete/actions/csi/volumesnapshotcontent_action.go, internal/delete/actions/csi/volumesnapshotcontent_action_test.go	Introduces configurable 2s gap between temp VSC create and delete; added test verifying create → sleep → delete ordering.
Maintenance history queue length pkg/controller/backup_repository_controller.go, pkg/controller/backup_repository_controller_test.go	Changed default queue length constant 3 → 25 and introduced package variable maintenanceStatusQueueLength; tests set it per-subtest.
Repository & UDM changes pkg/repository/udmrepo/..., pkg/repository/udmrepo/mocks/*, pkg/uploader/kopia/*	Extended BackupRepo/ObjectWriter interfaces for metadata/snapshot APIs and WriterAt semantics; updated implementations, mocks, and tests to the new signatures.
CBT service & bitmap APIs pkg/cbtservice/service.go, pkg/uploader/cbt/*.go	Added CBT service interface/types and bitmap iterator interfaces plus helper bitmap set stub.
Kopia shim & repo tests pkg/repository/udmrepo/kopialib/lib_repo.go, pkg/repository/udmrepo/kopialib/lib_repo_test.go, pkg/uploader/kopia/shim.go	New error-returning NewObjectWriter, added placeholder metadata/snapshot methods; tests updated to assert errors/returns; shim now handles writer errors.
Log adapter pkg/plugin/clientmgmt/process/logrus_adapter.go	Added GetLevel() mapping from logrus levels to hclog levels.
Images/build changes (restic removed) Dockerfile, Dockerfile-Windows, hack/build-image/Dockerfile, hack/build-restic.sh, hack/fix_restic_cve.txt, Makefile, Tiltfile	Switched builder base images from Debian bookworm→trixie; removed restic build steps/scripts and related Make/Tilt build bits.
CI workflows .github/workflows/pr-filepath-check.yml, .github/workflows/auto_*_prs.yml	Added PR filepath UTF‑8/character-check workflow; adjusted workflow permissions and token handling across auto-assign/label/request-review workflows.
Design & docs design/block-data-mover/block-data-mover.md, site/content/docs/main/customize-installation.md, site/content/community/_index.md	Added Block Data Mover design doc; added docs for concurrent backups; updated community meeting links.
Changelogs changelogs/unreleased/*	Added multiple unreleased changelog entries documenting the above changes (namespace scoping fixes, dep bumps, base-image update, removal of restic build, maintenance queue increase, CBT/design notes, etc.).
Misc utils & small optimizations pkg/util/*, cmd/velero/...	String-builder optimizations in diagnostics, klog stderrthreshold initialization in CLI, wildcard expansion behavior change (empty includes treated as wildcard-all), and minor message text update (restore helper).

Sequence Diagram(s)

sequenceDiagram
    rect rgba(0,128,255,0.5)
    participant Controller as BackupDeletionController
    end
    rect rgba(0,200,83,0.5)
    participant Storage as BackupStore
    end
    rect rgba(255,152,0,0.5)
    participant CSI as CSI Cleanup
    end
    rect rgba(156,39,176,0.5)
    participant DB as DBR / API Objects
    end

    Controller->>Storage: Download backup tarball
    alt Download succeeds
        Controller->>Storage: Delete backup artifacts
        Controller->>DB: Remove DBR / Backup CR
    else Download fails
        Controller->>CSI: Perform offline CSI snapshot cleanup
        Controller->>Controller: isTarballNotFoundError(err)?
        alt Error is not-found
            Controller->>Storage: Delete backup artifacts
            Controller->>DB: Remove DBR / Backup CR
        else Other error
            Controller->>DB: Record download error (keep DBR)
            Controller-->>Storage: Skip backup-store deletion
            Note right of Controller: Reconcile returns error (retry)
        end
    end

Loading

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~45 minutes

🚥 Pre-merge checks | ✅ 10 | ❌ 2

❌ Failed checks (2 warnings)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	The pull request has no description provided by the author, failing to address the required template sections for change summary, issue fixes, and contribution checklist.	Add a comprehensive description explaining the PR purpose, key changes (CSI v1beta2 migration, restic removal, design additions), and confirm DCO acceptance and changelog creation.
Docstring Coverage	⚠️ Warning	Docstring coverage is 14.75% which is insufficient. The required threshold is 80.00%.	Write docstrings for the functions missing them to satisfy the coverage threshold.

✅ Passed checks (10 passed)

Check name	Status	Explanation
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Stable And Deterministic Test Names	✅ Passed	This repository uses standard Go testing package, not Ginkgo. No Ginkgo test titles exist in this PR.
Test Structure And Quality	✅ Passed	This pull request does not contain any Ginkgo test code. The repository uses standard Go testing package with table-driven tests.
Microshift Test Compatibility	✅ Passed	No new Ginkgo e2e tests are added in this PR. Only existing Go unit tests are modified.
Single Node Openshift (Sno) Test Compatibility	✅ Passed	No new Ginkgo e2e tests were added in this PR. The modified test files are unit tests using Go's standard testing package, not Ginkgo e2e tests.
Topology-Aware Scheduling Compatibility	✅ Passed	PR contains rebase of vmware-tanzu/velero with no new deployment manifests, scheduling constraints, or topology-specific configurations introduced.
Ote Binary Stdout Contract	✅ Passed	No stdout contract violations detected. Klog configuration ensures logs route to stderr, and no new direct stdout writes in process-level code found.
Ipv6 And Disconnected Network Test Compatibility	✅ Passed	This pull request does not modify any files in the test/e2e/ directory and introduces no new Ginkgo e2e tests.
Title check	✅ Passed	The title accurately describes the pull request as a merge from upstream velero main branch into oadp-dev, which aligns with the changeset's nature as an automated rebase.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

Tip

💬 Introducing Slack Agent: The best way for teams to turn conversations into code.

Slack Agent is built on CodeRabbit's deep understanding of your code, so your team can collaborate across the entire SDLC without losing context.

• Generate code and open pull requests
• Plan features and break down work
• Investigate incidents and troubleshoot customer tickets together
• Automate recurring tasks and respond to alerts with triggers
• Summarize progress and report instantly

Built for teams:

• Shared memory across your entire org—no repeating context
• Per-thread sandboxes to safely plan and execute work
• Governance built-in—scoped access, auditability, and budget controls

One agent for your entire SDLC. Right inside Slack.

👉 Get started

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @oadp-rebasebot-app[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Around line 175-179: Update the vulnerable module version: change the go.mod
entry for go.opentelemetry.io/otel/sdk from v1.42.0 to v1.43.0 (or a later
secure release) and then run the module upgrade commands to propagate changes
(e.g., `go get go.opentelemetry.io/otel/sdk@v1.43.0` and `go mod tidy`) so the
indirect entries are refreshed; ensure any references to
go.opentelemetry.io/otel/sdk in your module graph are now resolved to v1.43.0+
to mitigate CVE-2026-39883.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 876c87aa-e14e-40e9-9021-5043294874f7

📥 Commits

Reviewing files that changed from the base of the PR and between 82b0e3e and 109df40.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (10)

• .gitmodules
• changelogs/unreleased/9533-Lyndon-Li
• changelogs/unreleased/9560-Lyndon-Li
• changelogs/unreleased/9561-Lyndon-Li
• changelogs/unreleased/9634-Lyndon-Li
• changelogs/unreleased/9663-Lyndon-Li
• changelogs/unreleased/9676-Lyndon-Li
• changelogs/unreleased/9677-Lyndon-Li
• go.mod
• restic

[coderabbitai]

⚠️ Potential issue | 🔴 Critical

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "1) Confirm pinned version in go.mod"
rg -n 'go\.opentelemetry\.io/otel/sdk\s+v' go.mod

echo
echo "2) Pull OSV advisory details"
curl -s https://api.osv.dev/v1/vulns/GHSA-hfvc-g4fc-pqhx | jq '{id, summary, affected: [.affected[] | {ecosystem: .package.ecosystem, name: .package.name, ranges: .ranges}]}'

echo
echo "3) Query OSV for this exact version"
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"ecosystem":"Go","name":"go.opentelemetry.io/otel/sdk"},"version":"1.42.0"}' | jq .

Repository: openshift/velero

Length of output: 4294

---

Update go.opentelemetry.io/otel/sdk from v1.42.0 to v1.43.0 or later before merge

go.opentelemetry.io/otel/sdk v1.42.0 (line 177) is affected by GHSA-hfvc-g4fc-pqhx (CVE-2026-39883), a HIGH severity vulnerability enabling arbitrary code execution via PATH hijacking on BSD/Solaris platforms. The vulnerability allows a local attacker to place a malicious kenv binary in $PATH that gets executed during OpenTelemetry resource initialization. This was fixed in v1.43.0.

🧰 Tools

🪛 OSV Scanner (2.3.5)

[HIGH] 177-177: go.opentelemetry.io/otel/sdk 1.42.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` around lines 175 - 179, Update the vulnerable module version: change
the go.mod entry for go.opentelemetry.io/otel/sdk from v1.42.0 to v1.43.0 (or a
later secure release) and then run the module upgrade commands to propagate
changes (e.g., `go get go.opentelemetry.io/otel/sdk@v1.43.0` and `go mod tidy`)
so the indirect entries are refreshed; ensure any references to
go.opentelemetry.io/otel/sdk in your module graph are now resolved to v1.43.0+
to mitigate CVE-2026-39883.

[mpryc]

/ok-to-test

[mpryc]

/hold

[kaovilai]

/retest

[openshift-ci]

@oadp-rebasebot-app[bot]: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.