Skip to content

Error when modifying DPA-managed BSL via --cacert#229

Open
NicholasYancey wants to merge 1 commit into
migtools:oadp-devfrom
NicholasYancey:dpa-managed-bsl-set-guard
Open

Error when modifying DPA-managed BSL via --cacert#229
NicholasYancey wants to merge 1 commit into
migtools:oadp-devfrom
NicholasYancey:dpa-managed-bsl-set-guard

Conversation

@NicholasYancey

@NicholasYancey NicholasYancey commented Jul 8, 2026

Copy link
Copy Markdown
Contributor

Why the changes were made

When a BackupStorageLocation (BSL) is owned by a DataProtectionApplication (DPA), the DPA reconciler continuously overwrites the BSL spec. Any change made directly via oc oadp backup-location set (--cacert) has no lasting effect and silently misleads the user into thinking their change was applied.

This PR injects a PreRunE guard into the backup-location set subcommand that checks the BSL's ownerReferences before the update is attempted. If a DPA ownerReference is found, the command returns an actionable error directing the user to update the DPA spec instead. Standalone BSLs and all other backup-location subcommands are unaffected.

How to test the changes made

DPA-managed BSL:

# Find a BSL owned by a DPA
oc get backupstoragelocation -n openshift-adp
# Attempt to modify it
oc oadp backup-location set <dpa-managed-bsl-name> -n openshift-adp --cacert /dev/null

Expected output: Error: backup storage location "<name>" is managed by DataProtectionApplication "<dpa-name>". Direct modifications via 'oc oadp backup-location set' will be overwritten by the DPA reconciler. To change settings such as '--cacert', update the DataProtectionApplication spec instead.

Standalone BSL

# Have a BSL that is not owned by a DPA and attempt to modify it
oc oadp backup-location set <standalone-bsl-name> -n openshift-adp --cacert /dev/null

Expected output: Backup storage location "<name>" configured successfully.

Unit tests:

go test ./cmd/... -run TestBSLDPAManagedError -v

Summary by CodeRabbit

  • Bug Fixes
    • Prevented direct updates to backup storage locations that are managed by a DataProtectionApplication, avoiding changes that would be reverted later.
    • Added clearer error messages when a protected backup location is edited or when the target backup location does not exist.

@NicholasYancey NicholasYancey self-assigned this Jul 8, 2026
@openshift-ci

openshift-ci Bot commented Jul 8, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: NicholasYancey
Once this PR has been reviewed and has the lgtm label, please assign sseago for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai

coderabbitai Bot commented Jul 8, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@NicholasYancey, you've reached your PR review limit, so we couldn't start this review.

Next review available in: 20 minutes

Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available.
You're only billed for reviews past your plan's rate limits ($0.25/file).

How can I continue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews.

How do review limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please refer docs for additional details.

Review details
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 67cfe3bf-0a62-49c5-b57b-0631d9707247

📥 Commits

Reviewing files that changed from the base of the PR and between 46459b5 and b8f05c3.

📒 Files selected for processing (2)
  • cmd/root.go
  • cmd/root_test.go
📝 Walkthrough

Walkthrough

This change adds a pre-update guard in the CLI that blocks direct modification of BackupStorageLocations owned by a DataProtectionApplication reconciler. Helper functions detect DPA ownership and inject a PreRunE check into backup-location set subcommands. Tests validate the new behavior using a fake Kubernetes client.

Changes

DPA-managed BSL guard

Layer / File(s) Summary
DPA ownership detection and PreRunE guard
cmd/root.go
Adds helpers to fetch a BackupStorageLocation and check its ownerReferences for Kind == "DataProtectionApplication", returns an error when direct edits would be overwritten, and wraps the backup-location set subcommands with this PreRunE guard, wiring the guarded command into the root command.
Tests for DPA-managed BSL detection
cmd/root_test.go
Adds TestBSLDPAManagedError using a fake controller-runtime client and Velero v1 scheme to verify error behavior across DPA-owned, standalone, unrelated-owner, and non-existent BSL scenarios.

Estimated code review effort: 2 (Simple) | ~15 minutes

Sequence Diagram(s)

sequenceDiagram
  participant User
  participant RootCmd
  participant bslCmd
  participant KubeClient

  User->>RootCmd: run backup-location set
  RootCmd->>bslCmd: invoke PreRunE guard
  bslCmd->>KubeClient: fetch BackupStorageLocation
  KubeClient-->>bslCmd: return BSL with ownerReferences
  bslCmd->>bslCmd: check Kind == DataProtectionApplication
  alt DPA-managed
    bslCmd-->>User: return error, block update
  else not DPA-managed
    bslCmd-->>RootCmd: proceed with set command
  end
Loading
🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly matches the main change: blocking modifications to DPA-managed BSLs during backup-location updates.
Description check ✅ Passed The description includes the required why and how-to-test sections and provides concrete behavior and test commands.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.
✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🧹 Nitpick comments (1)
cmd/root_test.go (1)

838-918: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick win

Add a same-kind, different-group ownerReference case.

To cover the ownership contract precisely, include a BSL with Kind: "DataProtectionApplication" but a non-OADP APIVersion and assert it is allowed.

🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In `@cmd/root_test.go` around lines 838 - 918, Add a test case in the BSL
ownership table in cmd/root_test.go to cover a same-kind but different-group
ownerReference: create a BackupStorageLocation whose OwnerReferences entry has
Kind set to DataProtectionApplication but an APIVersion outside
oadp.openshift.io/v1alpha1, and assert it is allowed (wantErr false). Use the
existing BSL ownership test table and the related ownership validation around
the BSL ownerReference handling to locate the spot.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In `@cmd/root.go`:
- Around line 77-84: The ownership check in the backup location update path only
matches OwnerReference.Kind, which can incorrectly block resources owned by
unrelated CRDs with the same kind. Update the validation in the location-owner
loop to also verify ref.APIVersion matches the OADP/DataProtectionApplication
API group before returning the error, using the existing owner-reference check
in cmd/root.go so only the real DPA reconciler-managed BSLs are rejected.

---

Nitpick comments:
In `@cmd/root_test.go`:
- Around line 838-918: Add a test case in the BSL ownership table in
cmd/root_test.go to cover a same-kind but different-group ownerReference: create
a BackupStorageLocation whose OwnerReferences entry has Kind set to
DataProtectionApplication but an APIVersion outside oadp.openshift.io/v1alpha1,
and assert it is allowed (wantErr false). Use the existing BSL ownership test
table and the related ownership validation around the BSL ownerReference
handling to locate the spot.
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 4869aa9c-6c83-48ac-bb2c-aa1c33502f5f

📥 Commits

Reviewing files that changed from the base of the PR and between 7e52e4a and 46459b5.

📒 Files selected for processing (2)
  • cmd/root.go
  • cmd/root_test.go

Comment thread cmd/root.go
@NicholasYancey NicholasYancey force-pushed the dpa-managed-bsl-set-guard branch 2 times, most recently from 30c43a4 to 5abb32f Compare July 8, 2026 22:32
@NicholasYancey NicholasYancey force-pushed the dpa-managed-bsl-set-guard branch from 5abb32f to b8f05c3 Compare July 8, 2026 22:37
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

1 participant