Bug 2219395

Summary: [DR][4.14 clone] Pass-through CA certificates to Velero for k8s object protection to function
Product: [Red Hat Storage] Red Hat OpenShift Data Foundation
Reporter: Karolin Seeger <kseeger>
Component: odf-dr
Assignee: Shyamsundar <srangana>
odf-dr sub component: ramen
QA Contact: Sidhant Agrawal <sagrawal>
Status: CLOSED ERRATA
Docs Contact:
Severity: unspecified
Priority: unspecified
CC: kramdoss, kseeger, muagarwa, odf-bz-bot, rtalur, srangana, uchapaga, vbadrina
Version: 4.14
Target Milestone: ---
Target Release: ODF 4.14.0
Hardware: Unspecified
OS: Unspecified
Whiteboard:
Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Story Points: ---
Clone Of: 2218316
Environment:
Last Closed: 2023-11-08 18:52:10 UTC
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---
Target Upstream Version:
Embargoed:
Bug Depends On: 2218316
Bug Blocks: 2218492

Description Karolin Seeger 2023-07-03 13:18:45 UTC
+++ This bug was initially created as a clone of Bug #2218316 +++



Request:
--------
This BZ is raised to consider accepting the fix for 4.14.0 release

Background:
-----------
- With Fusion using the additional k8s object protection scheme with their 2.6 release, that is slated for a July 20th release, the following bug report is important for the fusion DR feature to function
- The core issue is that Velero/OADP does not trust additional certificates that are signed by non-global root CAs and hence needs a certificate to be passed to their resources. This PR enables adding such certificates per S3 store to the ramen config for distribution to the managed clusters, for the k8s object protection workflow to leverage the same when creating Velero jobs

Issue details here: https://github.com/RamenDR/ramen/issues/921

Upstream PR here: https://github.com/RamenDR/ramen/pull/925

Notes for QE:
-------------
The code is exclusively triggered ONLY with additional kube object protection scheme, which is not configured for ODF based workflows via the UI. This hence does not require any additional tests as such.

The Ramen config map has an additional "optional" field, which would hence remain empty on upgrades once this PR is merged.

Questions for MCO:
------------------
@uchapaga or @vbadrina As the ramen config map has changed, does this need MCO to rebuild with the latest config map API changes: https://github.com/RamenDR/ramen/pull/925/files#diff-59e4c2e943590aec4970f817d91e1be589f19f99260a650d8b8cf020ee4b5ca2R77

--- Additional comment from Shyamsundar on 2023-06-28 18:09:07 UTC ---

Request:
--------
This BZ is raised to consider accepting the fix for 4.13.1 release

Background:
-----------
- With Fusion using the additional k8s object protection scheme with their 2.6 release, that is slated for a July 20th release, the following bug report is important for the fusion DR feature to function
- The core issue is that Velero/OADP does not trust additional certificates that are signed by non-global root CAs and hence needs a certificate to be passed to their resources. This PR enables adding such certificates per S3 store to the ramen config for distribution to the managed clusters, for the k8s object protection workflow to leverage the same when creating Velero jobs

Issue details here: https://github.com/RamenDR/ramen/issues/921

Upstream PR here: https://github.com/RamenDR/ramen/pull/925

Notes for QE:
-------------
The code is exclusively triggered ONLY with additional kube object protection scheme, which is not configured for ODF based workflows via the UI. This hence does not require any additional tests as such.

The Ramen config map has an additional "optional" field, which would hence remain empty on upgrades once this PR is merged.

Questions for MCO:
------------------
@uchapaga or @vbadrina As the ramen config map has changed, does this need MCO to rebuild with the latest config map API changes: https://github.com/RamenDR/ramen/pull/925/files#diff-59e4c2e943590aec4970f817d91e1be589f19f99260a650d8b8cf020ee4b5ca2R77

--- Additional comment from RHEL Program Management on 2023-06-28 18:09:16 UTC ---

This bug having no release flag set previously, is now set with release flag 'odf‑4.14.0' to '?', and so is being proposed to be fixed at the ODF 4.14.0 release. Note that the 3 Acks (pm_ack, devel_ack, qa_ack), if any previously set while release flag was missing, have now been reset since the Acks are to be set against a release flag.

--- Additional comment from umanga on 2023-07-03 09:55:48 UTC ---

(In reply to Shyamsundar from comment #1)
> 
> Questions for MCO:
> ------------------
> @uchapaga or @vbadrina As the ramen config map has
> changed, does this need MCO to rebuild with the latest config map API
> changes:
> https://github.com/RamenDR/ramen/pull/925/files#diff-59e4c2e943590aec4970f817d91e1be589f19f99260a650d8b8cf020ee4b5ca2R77
>
Yes, MCO needs to update its dependency and rebuild.

Comment 4 krishnaram Karthick 2023-10-16 04:06:25 UTC
This bug is to be verified based on regression

Comment 11 errata-xmlrpc 2023-11-08 18:52:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.14.0 security, enhancement & bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6832