Validation of default secrets for cloud provider plugins without BSL/VSL

[mateusoliveira43]

Problem

If a cloud provider plugin is added to DPA spec.configuration.velero.defaultPlugins without a BSL (spec.backupLocations) or a VSL (spec.snapshotLocations) that uses it, OADP does not validate if its default secret exists in OADP namespace. This can cause Velero Pod to never go to running state.

How to reproduce

A DPA like this

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  creationTimestamp: '2024-11-05T18:38:46Z'
  generation: 1
  managedFields:
    ...
  name: velero-sample
  namespace: openshift-adp
  resourceVersion: '597563237'
  uid: 51330ec5-8c38-48a5-bdb9-7f7cdafe42a9
spec:
  backupLocations:
    - velero:
        config:
          profile: default
          region: <secret>
        credential:
          key: cloud
          name: cloud-credentials
        default: true
        objectStorage:
          bucket: <secret>
          prefix: velero
        provider: aws
  configuration:
    velero:
      defaultPlugins:
        - openshift
        - aws
        - gcp
status:
  conditions:
    - lastTransitionTime: '2024-11-05T18:38:46Z'
      message: Reconcile complete
      reason: Complete
      status: 'True'
      type: Reconciled

passes DPA controller validation.

But, if default secret for gcp provider is missing, the Velero Pod never succeeds. Pod Events have the following

MountVolume.SetUp failed for volume "cloud-credentials-gcp" : secret "cloud-credentials-gcp" not found

Solution

OADP should either:

• validate that for any cloud provider plugin in DPA spec.configuration.velero.defaultPlugins without a BSL (spec.backupLocations) or a VSL (spec.snapshotLocations) that uses it, it default secret exists in OADP namespace
• not add VolumeMount to Velero Deployment for any cloud provider plugin in DPA spec.configuration.velero.defaultPlugins without a BSL (spec.backupLocations) or a VSL (spec.snapshotLocations)

[mateusoliveira43]

this can be an opportunity to check duplication around these 3 functions as well https://github.com/openshift/oadp-operator/blob/215d34c3b935f27d43b4bdb33350ba07837e123e/controllers/bsl.go#L21

https://github.com/openshift/oadp-operator/blob/215d34c3b935f27d43b4bdb33350ba07837e123e/controllers/vsl.go#L107

https://github.com/openshift/oadp-operator/blob/215d34c3b935f27d43b4bdb33350ba07837e123e/controllers/validator.go#L91