Skip to content

OADP-6235: Add CaCert support for DPT #1862

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 3 commits into
base: oadp-dev
Choose a base branch
from
Open

OADP-6235: Add CaCert support for DPT #1862

wants to merge 3 commits into from
+821 −4

Conversation

shubham-pampattiwar
Copy link
Member

@shubham-pampattiwar shubham-pampattiwar commented Jul 31, 2025
edited
Loading

Why the changes were made

This PR adds CA certificate support for Data Protection Tests (DPT) to enable secure connections to object storage backends that use custom or self-signed certificates. This enhancement allows DPT to work with enterprise environments and private cloud deployments where object storage services use custom certificate authorities, addressing scenarios where the default system certificate store doesn't contain the required CA certificates.

The changes implement a flexible TLS configuration system that respects user preferences while maintaining security by:

  • Supporting custom CA certificates from Backup Storage Location (BSL) specifications
  • Allowing TLS verification bypass when explicitly configured

How to test the changes made

  1. Test with skipTLSVerify enabled:
  apiVersion: oadp.openshift.io/v1alpha1
  kind: DataProtectionTest
  metadata:
    name: dpt-skip-tls
  spec:
    skipTLSVerify: true
    backupLocationSpec:
      provider: aws
      objectStorage:
        bucket: test-bucket
  1. Test with custom CA certificate:
  apiVersion: oadp.openshift.io/v1alpha1
  kind: DataProtectionTest
  metadata:
    name: dpt-custom-ca
  spec:
    skipTLSVerify: false
    backupLocationSpec:
      provider: aws
      objectStorage:
        bucket: test-bucket
        caCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t...  # Base64-encoded PEM certificate
  1. Verify TLS configuration priority:
    - When skipTLSVerify: true is set, it takes precedence over any CA certificate configuration
    - When CA certificate is provided without skipTLSVerify, the custom certificate is used

🤖 Generated with https://claude.ai/code

Co-Authored-By: Claude [email protected]

@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Jul 31, 2025
@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Jul 31, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@shubham-pampattiwar shubham-pampattiwar changed the title Add CaCert support for DPT OADP-6235: Add CaCert support for DPT Jul 31, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Jul 31, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Jul 31, 2025
edited by openshift-ci bot
Loading

@shubham-pampattiwar: This pull request references OADP-6235 which is a valid jira issue.

In response to this:

Why the changes were made

This PR adds CA certificate support for Data Protection Tests (DPT) to enable secure connections to object storage backends that use custom or self-signed certificates. This enhancement allows DPT to work with enterprise environments and private cloud deployments where object storage services use custom certificate authorities, addressing scenarios where the default system certificate store doesn't contain the required CA certificates.

The changes implement a flexible TLS configuration system that respects user preferences while maintaining security by:

  • Supporting custom CA certificates from Backup Storage Location (BSL) specifications
  • Allowing TLS verification bypass when explicitly configured

How to test the changes made

  1. Test with skipTLSVerify enabled:
 apiVersion: oadp.openshift.io/v1alpha1
 kind: DataProtectionTest
 metadata:
   name: dpt-skip-tls
 spec:
   skipTLSVerify: true
   backupLocationSpec:
     provider: aws
     objectStorage:
       bucket: test-bucket
  1. Test with custom CA certificate:
 apiVersion: oadp.openshift.io/v1alpha1
 kind: DataProtectionTest
 metadata:
   name: dpt-custom-ca
 spec:
   skipTLSVerify: false
   backupLocationSpec:
     provider: aws
     objectStorage:
       bucket: test-bucket
       caCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0t...  # Base64-encoded PEM certificate
  1. Verify TLS configuration priority:
  • When skipTLSVerify: true is set, it takes precedence over any CA certificate configuration
  • When CA certificate is provided without skipTLSVerify, the custom certificate is used

🤖 Generated with https://claude.ai/code

Co-Authored-By: Claude [email protected]

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 31, 2025
@shubham-pampattiwar
Copy link
Member Author

/cherry-pick oadp-1.5

@openshift-cherrypick-robot
Copy link
Contributor

@shubham-pampattiwar: once the present PR merges, I will cherry-pick it on top of oadp-1.5 in a new PR and assign it to you.

In response to this:

/cherry-pick oadp-1.5

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

@shubham-pampattiwar
Copy link
Member Author

✅ Dev Testing Results - CA Certificate Support for DPT

Successfully tested the CA certificate functionality for DataProtectionTest with MinIO using custom TLS certificates.

Test Environment

  • Target: MinIO S3 with self-signed certificates
  • BSL: minio-bsl with custom caCert configured
  • Test File: 50MB upload test

BackupStorageLocation Configuration

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
  name: minio-bsl
  namespace: openshift-adp
spec:
  config:
    region: minio
    s3ForcePathStyle: "true"
    s3Url: https://minio-s3-minio.apps.mtvoadpvgs.rhos-psi.cnv-qe.rhood.us
  credential:
    key: cloud
    name: cloud-credentials-minio
  objectStorage:
    bucket: dpt-minio-test
    caCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0t... # [REDACTED - Base64 encoded CA cert]
    prefix: velero
  provider: aws
status:
  lastSyncedTime: "2025-08-05T20:32:47Z"
  lastValidationTime: "2025-08-05T20:32:57Z"
  phase: Available

Test Results

✅ Test 1: With TLS Verification Enabled (skipTLSVerify: false)

DPT Spec:

spec:
  backupLocationName: minio-bsl
  forceRun: false
  skipTLSVerify: false
  uploadSpeedTestConfig:
    fileSize: 50MB
    timeout: 90s

DPT Status:

status:
  bucketMetadata:
    encryptionAlgorithm: None
    versioningStatus: None
  lastTested: "2025-08-05T20:29:16Z"
  phase: Complete
  s3Vendor: MinIO
  uploadTest:
    duration: 453ms
    speedMbps: 925
    success: true

Result Summary:

$ oc get dpt
NAME            PHASE      UPLOADSPEED(MBPS)   ENCRYPTION   VERSIONING
dpt-minio-test  Complete   925                 None         None

✅ Test 2: With TLS Verification Disabled (skipTLSVerify: true)

DPT Spec:

spec:
  backupLocationName: minio-bsl
  forceRun: false
  skipTLSVerify: true
  uploadSpeedTestConfig:
    fileSize: 50MB
    timeout: 90s

DPT Status:

status:
  bucketMetadata:
    encryptionAlgorithm: None
    versioningStatus: None
  lastTested: "2025-08-05T20:32:08Z"
  phase: Complete
  s3Vendor: MinIO
  uploadTest:
    duration: 379ms
    speedMbps: 1104
    success: true

Result Summary:

$ oc get dpt
NAME            PHASE      UPLOADSPEED(MBPS)   ENCRYPTION   VERSIONING
dpt-minio-test  Complete   1104                None         None

✅ BSL Validation

$ oc get bsl
NAME       PHASE      LAST VALIDATED   DEFAULT
minio-bsl  Available  12s             true

Key Validation Points

  • CA Certificate Integration: DPT successfully uses custom CA cert from BSL objectStorage.caCert field
  • TLS Validation: Proper certificate validation without requiring skipTLSVerify
  • Performance: Consistent high-speed uploads (900+ Mbps) in both modes
  • S3 Vendor Detection: Correctly identifies MinIO backend
  • Bucket Metadata: Successfully retrieves encryption and versioning information
  • BSL Compatibility: BSL remains Available and functional with CA cert configuration

Conclusion

The CA certificate support is working as expected. DPT can now validate TLS connections to S3-compatible storage using custom certificates, eliminating the need for skipTLSVerify: true in secure environments.

@shubham-pampattiwar shubham-pampattiwar marked this pull request as ready for review August 5, 2025 20:48
@openshift-ci openshift-ci bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 5, 2025
@openshift-ci openshift-ci bot requested review from mpryc and mrnold August 5, 2025 20:49
kaovilai
kaovilai previously approved these changes Aug 5, 2025
View reviewed changes
Copy link
Member

@kaovilai kaovilai left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Just my opinion non blockers

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Aug 12, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, shubham-pampattiwar

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [kaovilai,shubham-pampattiwar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci OpenShift CI
Copy link

openshift-ci bot commented Aug 13, 2025

@shubham-pampattiwar: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@kaovilai kaovilai kaovilai approved these changes

@mpryc mpryc Awaiting requested review from mpryc

@mrnold mrnold Awaiting requested review from mrnold

At least 2 approving reviews are required to merge this pull request.

Assignees
No one assigned
Labels
approved Indicates a PR has been approved by an approver from all required OWNERS files. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type.
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@shubham-pampattiwar @openshift-ci-robot @openshift-cherrypick-robot @kaovilai