Merge https://github.com/openshift/oadp-operator:oadp-dev (7e53a85) into oadp-dev

[oadp-rebasebot-app]

Summary by CodeRabbit

New Features

• DataProtectionApplication custom resource now supports ephemeral storage configuration. Users can specify ephemeral storage limits and requests for both node agent and repository maintenance pod resources. This enhancement enables more granular control over temporary storage allocation in backup and restore workflows, improving resource management and providing better flexibility for data protection operations.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

Walkthrough

Adds two optional string fields (ephemeralStorageLimit, ephemeralStorageRequest) to podResources in DataProtectionApplication CRDs, simplifies a BackupRepository CRD field description to "Deprecated", and updates multiple indirect dependency versions and a replace directive in go.mod.

Changes

Cohort / File(s)	Summary
DataProtectionApplication CRD bundle/manifests/oadp.openshift.io_dataprotectionapplications.yaml, config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml	Added optional string fields ephemeralStorageLimit and ephemeralStorageRequest to podResources under spec.configuration.nodeAgent and under spec.configuration.repositoryMaintenance / spec.repositoryMaintenance.
BackupRepository CRD description bundle/manifests/velero.io_backuprepositories.yaml, config/crd/bases/velero.io_backuprepositories.yaml	Replaced the detailed spec.resticIdentifier OpenAPI description with the single value Deprecated (type remains string).
Dependency / go.mod updates go.mod	Updated multiple indirect dependency versions (OpenTelemetry modules, golang.org/x/*, gRPC/protobuf-related modules, envoy/protobuf, etc.) and changed a replace directive for github.com/vmware-tanzu/velero to an openshift/velero pseudo-version.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

🚥 Pre-merge checks | ✅ 3 | ❌ 2

❌ Failed checks (1 warning, 1 inconclusive)

Check name	Status	Explanation	Resolution
Description check	⚠️ Warning	No pull request description was provided; the template requires sections for 'Why the changes were made' and 'How to test the changes made'.	Add a description following the template, explaining why ephemeral storage fields were added and how to test the CRD schema changes.
Title check	❓ Inconclusive	The title is a generic merge commit message that does not clearly describe the actual changes (ephemeral storage field additions and dependency updates).	Replace with a descriptive title that summarizes the main changes, such as 'Add ephemeral storage fields to DataProtectionApplication CRD' or include key change details.

✅ Passed checks (3 passed)

Check name	Status	Explanation
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Stable And Deterministic Test Names	✅ Passed	All Ginkgo test names use static, descriptive strings with no dynamic values embedded in test titles.
Test Structure And Quality	✅ Passed	This pull request does not modify any existing Ginkgo test code. The PR is an initial repository setup/rebase commit that adds test files with 'A' (added) status rather than 'M' (modified) status.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[openshift-ci]

Hi @oadp-rebasebot-app[bot]. Thanks for your PR.

I'm waiting for a openshift member to verify that this patch is reasonable to test. If it is, they should reply with /ok-to-test on its own line. Until that is done, I will not automatically test new commits in this PR, but the usual testing commands by org members will still work.

Regular contributors should join the org to skip this step.

Once the patch is verified, the new status will be reflected by the ok-to-test label.

I understand the commands that are listed here.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

[mpryc]

/hold

[coderabbitai]

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml (1)

742-752: ⚠️ Potential issue | 🟡 Minor

Update the podResources description to include ephemeral storage.

The description still says this block only covers CPU and memory, which is no longer true after adding the new fields.

Proposed fix

-                          description: PodResources is the config for the CPU and memory resources setting.
+                          description: PodResources is the config for the CPU, memory, and ephemeral storage resource settings.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml` around
lines 742 - 752, The podResources schema description is outdated (mentions only
CPU and memory) — update the description for the podResources (PodResources)
object to include ephemeral storage as well so it reflects new fields like
ephemeralStorageLimit and ephemeralStorageRequest; locate the description key
under podResources in the CRD and change its text to mention CPU, memory and
ephemeral storage, keeping surrounding property names cpuLimit, cpuRequest,
ephemeralStorageLimit and ephemeralStorageRequest intact.

🧹 Nitpick comments (2)

bundle/manifests/oadp.openshift.io_dataprotectionapplications.yaml (1)

742-756: Consider updating the description to include ephemeral storage.

The podResources description on line 743 states "PodResources is the config for the CPU and memory resources setting" but now also includes ephemeral storage fields. Consider updating the description to reflect the expanded scope.

📝 Suggested description update

             podResources:
-              description: PodResources is the config for the CPU and memory resources setting.
+              description: PodResources is the config for the CPU, memory, and ephemeral storage resources setting.
               properties:

Note: This would need to be changed in the Go API types, then regenerated via make generate manifests.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@bundle/manifests/oadp.openshift.io_dataprotectionapplications.yaml` around
lines 742 - 756, Update the podResources description to mention ephemeral
storage as well as CPU and memory: locate the podResources schema (property name
"podResources") and change the description text to something like "PodResources
is the config for CPU, memory, and ephemeral storage resource settings" and then
update the corresponding Go API type (the struct/field that defines
PodResources) to use the same text and run the manifest generation (make
generate manifests) so the YAML is regenerated with the new description; ensure
fields like ephemeralStorageLimit and ephemeralStorageRequest remain documented.

config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml (1)

649-652: Document the new ephemeral storage fields.

These are public CRD fields now, but without descriptions users get no guidance in oc explain or generated docs about expected quantity format or how they map to pod requests/limits. Please add source-field comments so the generated schema includes descriptions here.

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml` around
lines 649 - 652, The CRD is missing user-facing descriptions for
ephemeralStorageLimit and ephemeralStorageRequest; add source-field comments on
the corresponding API struct fields (EphemeralStorageLimit,
EphemeralStorageRequest) so the generated OpenAPI schema includes descriptions
that explain the expected quantity format (e.g., "100Mi", "1Gi", "500K") and how
these values map to pod resources (they populate container
resources.requests[ephemeral-storage] and resources.limits[ephemeral-storage]).
Include a brief example and note accepted units and that values follow
Kubernetes resource.Quantity syntax so oc explain and generated docs surface
this guidance.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml`:
- Around line 742-752: The podResources schema description is outdated (mentions
only CPU and memory) — update the description for the podResources
(PodResources) object to include ephemeral storage as well so it reflects new
fields like ephemeralStorageLimit and ephemeralStorageRequest; locate the
description key under podResources in the CRD and change its text to mention
CPU, memory and ephemeral storage, keeping surrounding property names cpuLimit,
cpuRequest, ephemeralStorageLimit and ephemeralStorageRequest intact.

---

Nitpick comments:
In `@bundle/manifests/oadp.openshift.io_dataprotectionapplications.yaml`:
- Around line 742-756: Update the podResources description to mention ephemeral
storage as well as CPU and memory: locate the podResources schema (property name
"podResources") and change the description text to something like "PodResources
is the config for CPU, memory, and ephemeral storage resource settings" and then
update the corresponding Go API type (the struct/field that defines
PodResources) to use the same text and run the manifest generation (make
generate manifests) so the YAML is regenerated with the new description; ensure
fields like ephemeralStorageLimit and ephemeralStorageRequest remain documented.

In `@config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml`:
- Around line 649-652: The CRD is missing user-facing descriptions for
ephemeralStorageLimit and ephemeralStorageRequest; add source-field comments on
the corresponding API struct fields (EphemeralStorageLimit,
EphemeralStorageRequest) so the generated OpenAPI schema includes descriptions
that explain the expected quantity format (e.g., "100Mi", "1Gi", "500K") and how
these values map to pod resources (they populate container
resources.requests[ephemeral-storage] and resources.limits[ephemeral-storage]).
Include a brief example and note accepted units and that values follow
Kubernetes resource.Quantity syntax so oc explain and generated docs surface
this guidance.

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository: openshift/coderabbit/.coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 43a8c898-971d-4f2a-88e6-be0edaeeb3d6

📥 Commits

Reviewing files that changed from the base of the PR and between 7c8a3f1 and 288a893.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (3)

• bundle/manifests/oadp.openshift.io_dataprotectionapplications.yaml
• config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml
• go.mod

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: oadp-rebasebot-app[bot]
Once this PR has been reviewed and has the lgtm label, please assign shubham-pampattiwar for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: oadp-rebasebot-app[bot]
Once this PR has been reviewed and has the lgtm label, please assign shubham-pampattiwar for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Inline comments:
In `@go.mod`:
- Line 173: The go.mod entry pins the vulnerable module
go.opentelemetry.io/otel/sdk at v1.42.0; update that module requirement to
v1.43.0 or later (replace the version string for go.opentelemetry.io/otel/sdk)
and then run the Go tooling (e.g., go get go.opentelemetry.io/otel/sdk@v1.43.0
&& go mod tidy) to refresh go.sum; finally run the test/build to ensure no
breakages.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 0141758f-304a-4747-b6f5-0c6e00b01299

📥 Commits

Reviewing files that changed from the base of the PR and between 87d940a and 1b3d013.

⛔ Files ignored due to path filters (1)

• go.sum is excluded by !**/*.sum

📒 Files selected for processing (5)

• bundle/manifests/oadp.openshift.io_dataprotectionapplications.yaml
• bundle/manifests/velero.io_backuprepositories.yaml
• config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml
• config/crd/bases/velero.io_backuprepositories.yaml
• go.mod

✅ Files skipped from review due to trivial changes (2)

• bundle/manifests/velero.io_backuprepositories.yaml
• config/crd/bases/velero.io_backuprepositories.yaml

🚧 Files skipped from review as they are similar to previous changes (1)

• config/crd/bases/oadp.openshift.io_dataprotectionapplications.yaml

[coderabbitai]

⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
set -euo pipefail

echo "Querying OSV for go.opentelemetry.io/otel/sdk@v1.42.0 ..."
curl -s https://api.osv.dev/v1/query \
  -H 'Content-Type: application/json' \
  -d '{"package":{"ecosystem":"Go","name":"go.opentelemetry.io/otel/sdk"},"version":"v1.42.0"}' \
  | jq -r '
    .vulns[]? as $v
    | "id=\($v.id) aliases=\(($v.aliases // [])|join(",")) summary=\($v.summary // "n/a")",
      ($v.affected[]?.ranges[]?.events[]? | select(has("fixed")) | "fixed=\(.fixed)")
  '

echo "Confirming pinned version in go.mod ..."
rg -n 'go\.opentelemetry\.io/otel/sdk v1\.42\.0' go.mod

Repository: openshift/oadp-operator

Length of output: 367

---

Fix HIGH security advisory in otel/sdk v1.42.0.

Line 173 pins go.opentelemetry.io/otel/sdk v1.42.0, which contains GHSA-hfvc-g4fc-pqhx (CVE-2026-39883)—a PATH hijacking vulnerability via unqualified BSD kenv command. Upgrade to v1.43.0 or later before merge.

🧰 Tools

🪛 OSV Scanner (2.3.5)

[HIGH] 173-173: go.opentelemetry.io/otel/sdk 1.42.0: opentelemetry-go: BSD kenv command not using absolute path enables PATH hijacking

(GHSA-hfvc-g4fc-pqhx)

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@go.mod` at line 173, The go.mod entry pins the vulnerable module
go.opentelemetry.io/otel/sdk at v1.42.0; update that module requirement to
v1.43.0 or later (replace the version string for go.opentelemetry.io/otel/sdk)
and then run the Go tooling (e.g., go get go.opentelemetry.io/otel/sdk@v1.43.0
&& go mod tidy) to refresh go.sum; finally run the test/build to ensure no
breakages.