Error when modifying DPA-managed BSL via --cacert#229
Conversation
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: NicholasYancey The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
|
Warning Review limit reached
Next review available in: 20 minutes Enable usage-based reviews in Billing to review now. Otherwise, wait until the next included review is available. How can I continue?After more reviews become available, a review can be triggered using the To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based reviews. How do review limits work?CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability. For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window. Please refer docs for additional details. Review details⚙️ Run configurationConfiguration used: defaults Review profile: CHILL Plan: Pro Run ID: 📒 Files selected for processing (2)
📝 WalkthroughWalkthroughThis change adds a pre-update guard in the CLI that blocks direct modification of BackupStorageLocations owned by a DataProtectionApplication reconciler. Helper functions detect DPA ownership and inject a PreRunE check into backup-location set subcommands. Tests validate the new behavior using a fake Kubernetes client. ChangesDPA-managed BSL guard
Estimated code review effort: 2 (Simple) | ~15 minutes Sequence Diagram(s)sequenceDiagram
participant User
participant RootCmd
participant bslCmd
participant KubeClient
User->>RootCmd: run backup-location set
RootCmd->>bslCmd: invoke PreRunE guard
bslCmd->>KubeClient: fetch BackupStorageLocation
KubeClient-->>bslCmd: return BSL with ownerReferences
bslCmd->>bslCmd: check Kind == DataProtectionApplication
alt DPA-managed
bslCmd-->>User: return error, block update
else not DPA-managed
bslCmd-->>RootCmd: proceed with set command
end
🚥 Pre-merge checks | ✅ 5✅ Passed checks (5 passed)
✨ Finishing Touches🧪 Generate unit tests (beta)
Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out. Comment |
There was a problem hiding this comment.
Actionable comments posted: 1
🧹 Nitpick comments (1)
cmd/root_test.go (1)
838-918: 🎯 Functional Correctness | 🔵 Trivial | ⚡ Quick winAdd a same-kind, different-group ownerReference case.
To cover the ownership contract precisely, include a BSL with
Kind: "DataProtectionApplication"but a non-OADPAPIVersionand assert it is allowed.🤖 Prompt for AI Agents
Verify each finding against current code. Fix only still-valid issues, skip the rest with a brief reason, keep changes minimal, and validate. In `@cmd/root_test.go` around lines 838 - 918, Add a test case in the BSL ownership table in cmd/root_test.go to cover a same-kind but different-group ownerReference: create a BackupStorageLocation whose OwnerReferences entry has Kind set to DataProtectionApplication but an APIVersion outside oadp.openshift.io/v1alpha1, and assert it is allowed (wantErr false). Use the existing BSL ownership test table and the related ownership validation around the BSL ownerReference handling to locate the spot.
🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.
Inline comments:
In `@cmd/root.go`:
- Around line 77-84: The ownership check in the backup location update path only
matches OwnerReference.Kind, which can incorrectly block resources owned by
unrelated CRDs with the same kind. Update the validation in the location-owner
loop to also verify ref.APIVersion matches the OADP/DataProtectionApplication
API group before returning the error, using the existing owner-reference check
in cmd/root.go so only the real DPA reconciler-managed BSLs are rejected.
---
Nitpick comments:
In `@cmd/root_test.go`:
- Around line 838-918: Add a test case in the BSL ownership table in
cmd/root_test.go to cover a same-kind but different-group ownerReference: create
a BackupStorageLocation whose OwnerReferences entry has Kind set to
DataProtectionApplication but an APIVersion outside oadp.openshift.io/v1alpha1,
and assert it is allowed (wantErr false). Use the existing BSL ownership test
table and the related ownership validation around the BSL ownerReference
handling to locate the spot.
🪄 Autofix (Beta)
Fix all unresolved CodeRabbit comments on this PR:
- Push a commit to this branch (recommended)
- Create a new PR with the fixes
ℹ️ Review info
⚙️ Run configuration
Configuration used: defaults
Review profile: CHILL
Plan: Pro
Run ID: 4869aa9c-6c83-48ac-bb2c-aa1c33502f5f
📒 Files selected for processing (2)
cmd/root.gocmd/root_test.go
30c43a4 to
5abb32f
Compare
5abb32f to
b8f05c3
Compare
Why the changes were made
When a BackupStorageLocation (BSL) is owned by a DataProtectionApplication (DPA), the DPA reconciler continuously overwrites the BSL spec. Any change made directly via oc oadp backup-location set (--cacert) has no lasting effect and silently misleads the user into thinking their change was applied.
This PR injects a PreRunE guard into the backup-location set subcommand that checks the BSL's ownerReferences before the update is attempted. If a DPA ownerReference is found, the command returns an actionable error directing the user to update the DPA spec instead. Standalone BSLs and all other backup-location subcommands are unaffected.
How to test the changes made
DPA-managed BSL:
Expected output:
Error: backup storage location "<name>" is managed by DataProtectionApplication "<dpa-name>". Direct modifications via 'oc oadp backup-location set' will be overwritten by the DPA reconciler. To change settings such as '--cacert', update the DataProtectionApplication spec instead.Standalone BSL
Expected output:
Backup storage location "<name>" configured successfully.Unit tests:
go test ./cmd/... -run TestBSLDPAManagedError -vSummary by CodeRabbit