
Commit cb3383b

committed
docs: enhance documentation on external BSLs for ImageStream backups and CA certificate collection process
Signed-off-by: Tiger Kaovilai <[email protected]>
1 parent f20c229 commit cb3383b

File tree

1 file changed

+26
-2
lines changed

docs/config/ca-certificate-bundle-for-imagestream-backups.md

Lines changed: 26 additions & 2 deletions
@@ -197,10 +197,34 @@ The AWS SDK and Docker Distribution S3 driver read CA certificates at **session
197197
**Currently collected from**:
198198

199199
- Only AWS provider BackupStorageLocations
200-
- BSLs defined in DPA `spec.backupLocations`
201-
- Additional BSLs in the same namespace (not in DPA spec)
200+
- BSLs defined in DPA `spec.backupLocations` (OADP-managed)
201+
- Additional BSLs in the same namespace (external/non-OADP BSLs)
202202
- System default CA certificates (appended for fallback)
203203

204+
**How external BSLs are discovered**:
205+
206+
**For CA certificate collection** (`internal/controller/bsl.go:processCACertForBSLs`):
207+
- Lists **all** BSLs in namespace: `r.List(r.Context, allBSLs, client.InNamespace(dpa.Namespace))`
208+
- **No label filtering** - discovers both OADP-managed and external BSLs
209+
- Filters out BSLs already processed from DPA spec by name
210+
- Only collects from AWS provider BSLs
211+
212+
**For ImageStream backup support** (`internal/controller/registry.go:545-553`):
213+
- Lists BSLs **with label filter**: `app.kubernetes.io/component: bsl`
214+
- Creates registry secrets only for labeled BSLs (required by [openshift-velero-plugin](https://github.com/openshift/openshift-velero-plugin/blob/64292f953c3e2ecd623e9388b2a65c08bb9cfbe2/velero-plugins/imagestream/shared.go#L70-L73))
215+
216+
**Using external BSLs for ImageStream backups**:
217+
218+
External BSLs (created outside DPA spec) CAN be used for ImageStream backups if you:
219+
1. Manually add the required label: `app.kubernetes.io/component: bsl`
220+
2. Ensure the BSL has AWS provider and `caCert` configured
221+
3. The OADP registry controller will then create the necessary registry secret
222+
223+
**OADP-managed BSL labels** (automatically applied):
224+
- `app.kubernetes.io/name: oadp-operator-velero`
225+
- `app.kubernetes.io/managed-by: oadp-operator`
226+
- `app.kubernetes.io/component: bsl`**Required for registry secret creation**
227+
204228
**Not collected from**:
205229

206230
- Non-AWS provider BSLs (Azure, GCP, etc.)
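Review bot: The last bullet under "OADP-managed BSL labels" runs the inline code straight into the bold text (`app.kubernetes.io/component: bsl`**Required for registry secret creation**), which will not render as intended; separate them, e.g. "- `app.kubernetes.io/component: bsl` (**required for registry secret creation**)". The ImageStream backup pointer cites `internal/controller/registry.go:545-553` by line range, which will drift with the next edit to that file; reference the function by name as the CA-collection pointer does for `bsl.go:processCACertForBSLs`. In the "Using external BSLs for ImageStream backups" steps, step 3 says the registry controller "will then create the necessary registry secret" but does not say which credential that secret is populated from; since adding the label to an external BSL opts it into that behaviour, the procedure should state what the controller reads from the BSL so an operator knows which secret material is being copied.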
