Bug 2219395 - [DR][4.14 clone] Pass-through CA certificates to Velero for k8s object protection to function
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat OpenShift Data Foundation
Classification: Red Hat Storage
Component: odf-dr
Version: 4.14
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
: ODF 4.14.0
Assignee: Shyamsundar
QA Contact: Sidhant Agrawal
URL:
Whiteboard:
Depends On: 2218316
Blocks: 2218492
Reported: 2023-07-03 13:18 UTC by Karolin Seeger
Modified: 2023-11-08 18:53 UTC (History)

Fixed In Version:
Doc Type: No Doc Update
Doc Text:
Clone Of: 2218316
Environment:
Last Closed: 2023-11-08 18:52:10 UTC
Embargoed:




Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2023:6832 0 None None None 2023-11-08 18:53:09 UTC

Description Karolin Seeger 2023-07-03 13:18:45 UTC
+++ This bug was initially created as a clone of Bug #2218316 +++



Request:
--------
This BZ is raised to consider accepting the fix for 4.14.0 release

Background:
-----------
- With Fusion using the additional k8s object protection scheme with their 2.6 release, that is slated for a July 20th release, the following bug report is important for the fusion DR feature to function
- The core issue is that Velero/OADP does not trust additional certificates that are signed by non-global root CAs and hence need a certificate to be passed to their resources. This PR enables adding such certificates per S3 store to the ramen config for distribution to the managed clusters, for the k8s object protection workflow to leverage the same when creating Velero jobs

Issue details here: https://github.com/RamenDR/ramen/issues/921

Upstream PR here: https://github.com/RamenDR/ramen/pull/925

Notes for QE:
-------------
The code is exclusively triggered ONLY with additional kube object protection scheme, which is not configured for ODF based workflows via the UI. This hence does not require any additional tests as such.

The Ramen config map has an additional "optional" field, which would hence remain empty on upgrades once this PR is merged.

Questions for MCO:
------------------
@uchapaga or @vbadrina As the ramen config map has changed, does this need MCO to rebuild with the latest config map API changes: https://github.com/RamenDR/ramen/pull/925/files#diff-59e4c2e943590aec4970f817d91e1be589f19f99260a650d8b8cf020ee4b5ca2R77

--- Additional comment from Shyamsundar on 2023-06-28 18:09:07 UTC ---

Request:
--------
This BZ is raised to consider accepting the fix for 4.13.1 release

Background:
-----------
- With Fusion using the additional k8s object protection scheme with their 2.6 release, that is slated for a July 20th release, the following bug report is important for the fusion DR feature to function
- The core issue is that Velero/OADP does not trust additional certificates that are signed by non-global root CAs and hence need a certificate to be passed to their resources. This PR enables adding such certificates per S3 store to the ramen config for distribution to the managed clusters, for the k8s object protection workflow to leverage the same when creating Velero jobs

Issue details here: https://github.com/RamenDR/ramen/issues/921

Upstream PR here: https://github.com/RamenDR/ramen/pull/925

Notes for QE:
-------------
The code is exclusively triggered ONLY with additional kube object protection scheme, which is not configured for ODF based workflows via the UI. This hence does not require any additional tests as such.

The Ramen config map has an additional "optional" field, which would hence remain empty on upgrades once this PR is merged.

Questions for MCO:
------------------
@uchapaga or @vbadrina As the ramen config map has changed, does this need MCO to rebuild with the latest config map API changes: https://github.com/RamenDR/ramen/pull/925/files#diff-59e4c2e943590aec4970f817d91e1be589f19f99260a650d8b8cf020ee4b5ca2R77

--- Additional comment from RHEL Program Management on 2023-06-28 18:09:16 UTC ---

This bug having no release flag set previously, is now set with release flag 'odf‑4.14.0' to '?', and so is being proposed to be fixed at the ODF 4.14.0 release. Note that the 3 Acks (pm_ack, devel_ack, qa_ack), if any previously set while release flag was missing, have now been reset since the Acks are to be set against a release flag.

--- Additional comment from umanga on 2023-07-03 09:55:48 UTC ---

(In reply to Shyamsundar from comment #1)
> 
> Questions for MCO:
> ------------------
> @uchapaga or @vbadrina As the ramen config map has
> changed, does this need MCO to rebuild with the latest config map API
> changes:
> https://github.com/RamenDR/ramen/pull/925/files#diff-59e4c2e943590aec4970f817d91e1be589f19f99260a650d8b8cf020ee4b5ca2R77
>
Yes, MCO needs to update its dependency and rebuild.

Comment 4 krishnaram Karthick 2023-10-16 04:06:25 UTC
This bug is to be verified based on regression

Comment 11 errata-xmlrpc 2023-11-08 18:52:10 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory (Important: Red Hat OpenShift Data Foundation 4.14.0 security, enhancement & bug fix update), and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://access.redhat.com/errata/RHSA-2023:6832

