OADP-5777: Add automatic S3 bucket region detection and document AWS HeadBucket API behavior#1740

Merged
openshift-merge-bot[bot] merged 3 commits into openshift:oadp-dev from kaovilai:OADP-5777 on Nov 19, 2025
Conversation

@kaovilai
Member

@kaovilai kaovilai commented May 2, 2025

Why the changes were made

This PR implements automatic S3 bucket region detection for AWS BackupStorageLocations (BSLs) and documents the expected AWS behavior for the GetBucketRegion function, based on AWS Security's official confirmation.

Key Improvements

  1. Automatic Region Detection: BSLs using AWS S3 will now automatically detect and configure the correct bucket region when not explicitly specified
  2. AWS Security Confirmation: Documents that anonymous credentials work for region detection on both public and private buckets (confirmed by AWS as expected behavior)

Background

We discovered that the AWS SDK's GetBucketRegion function works with anonymous credentials on both public and private S3 buckets. AWS Security has confirmed this is expected behavior, not a security vulnerability:

  • The HeadBucket API endpoint (used internally by GetBucketRegion) does not enforce s3:ListBucket permissions for region retrieval
  • AWS Security Engagement ID: CACenGS4Mha_KeJ=e3jBSLD6rPZ2iNtfuJUv9QJViaCOt7GVNDg

Changes Made

1. S3 Region Detection (pkg/storage/aws/s3.go)

  • Updated GetBucketRegion to use anonymous credentials via credentials.NewStaticCredentialsProvider
  • Added comprehensive comments explaining AWS Security's confirmation
  • Documented that this works for both public and private buckets

2. Auto-Region Detection (pkg/common/common.go)

  • Added automatic region detection in UpdateBackupStorageLocation for AWS BSLs
  • Auto-detection triggers when:
    • Provider is "aws"
    • No custom s3Url is configured (indicating real AWS S3, not S3-compatible storage)
    • No region is already specified in the config
    • A bucket name is provided in ObjectStorage
  • Falls back gracefully if auto-detection fails

3. Test Coverage (pkg/common/common_test.go & pkg/storage/aws/s3_test.go)

  • Added test cases for region auto-detection scenarios:
    • Region already specified (no auto-detection)
    • S3-compatible storage with custom URL (no auto-detection)
    • Real AWS bucket auto-detection with openshift-velero-plugin-s3-auto-region-test-1
  • Enhanced comments in S3 tests documenting AWS behavior for both public and private buckets

Benefits

  • Reduced Configuration Errors: Automatically configures the correct region for AWS S3 buckets
  • Simplified Setup: Users don't need to manually specify regions for AWS BSLs
  • Backwards Compatible: Only applies to actual AWS S3, not S3-compatible storage
  • Well-Documented: Clear documentation of AWS's confirmed behavior with engagement ID reference

How to test the changes made

Run the S3 region tests:

```bash
go test -v ./pkg/storage/aws/... -run TestGetBucketRegion
```

Run the BSL update tests:

```bash
go test -v ./pkg/common/... -run TestUpdateBackupStorageLocation
```

The tests demonstrate that:

  • GetBucketRegion successfully retrieves region information for both public and private buckets using anonymous credentials
  • Auto-detection correctly adds region to BSL configs when appropriate
  • Auto-detection is properly skipped for S3-compatible storage or when region is already specified

Manual Testing

  1. Create a BSL with AWS provider without specifying a region
  2. Verify the region is automatically detected and added to the configuration
  3. Confirm S3-compatible storage (with s3Url) doesn't trigger auto-detection

Fixes: https://issues.redhat.com/browse/OADP-5777

Note

Responses generated with Claude

@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label May 2, 2025
@openshift-ci-robot

openshift-ci-robot commented May 2, 2025

@kaovilai: This pull request references OADP-5777 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the bug to target the "4.20.0" version, but no target version was set.

Details

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

How to test the changes made

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-ci openshift-ci Bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label May 2, 2025
@openshift-ci

openshift-ci Bot commented May 2, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label May 2, 2025
@kaovilai
Member Author

kaovilai commented May 5, 2025

/test unit-test

@weshayutin
Contributor

/retest

@openshift-merge-robot openshift-merge-robot added the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 4, 2025
@kaovilai kaovilai changed the title WIP: OADP-5777: auto region cred test OADP-5777: auto region cred test Aug 4, 2025
@kaovilai kaovilai marked this pull request as ready for review August 4, 2025 22:45
@openshift-ci openshift-ci Bot removed the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Aug 4, 2025
@openshift-merge-robot openshift-merge-robot removed the needs-rebase Indicates a PR cannot be merged because it has merge conflicts with HEAD. label Aug 4, 2025
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
@kaovilai kaovilai changed the title OADP-5777: auto region cred test OADP-5777: Document AWS HeadBucket API behavior for GetBucketRegion with anonymous credentials Oct 16, 2025
@openshift-ci-robot

openshift-ci-robot commented Oct 16, 2025

@kaovilai: This pull request references OADP-5777 which is a valid jira issue.

Details

In response to this:

Why the changes were made

This PR documents the expected AWS behavior for the GetBucketRegion function using anonymous credentials, based on AWS Security's official response.

Background

We discovered that the AWS SDK's GetBucketRegion function works with anonymous credentials on both public and private S3 buckets, which appeared to contradict AWS documentation stating that s3:ListBucket permission is required for the HeadBucket API.

AWS Security Response

AWS Security has confirmed this is expected behavior, not a security vulnerability:

  • The HeadBucket API endpoint (used internally by GetBucketRegion) does not enforce s3:ListBucket permissions for retrieving bucket region information
  • This works for both public and private buckets with anonymous credentials
  • AWS Security Engagement ID: CACenGS4Mha_KeJ=e3jBSLD6rPZ2iNtfuJUv9QJViaCOt7GVNDg

Changes Made

  • Added clarifying comments in pkg/storage/aws/s3.go explaining this is expected AWS behavior
  • Updated test comments in pkg/storage/aws/s3_test.go to document the actual requirements
  • Included AWS Security engagement ID for future reference

How to test the changes made

Run the existing S3 region tests:

```bash
go test -v ./pkg/storage/aws/... -run TestGetBucketRegion
```

The tests demonstrate that GetBucketRegion successfully retrieves region information for both public and private buckets using anonymous credentials, confirming AWS's intended behavior.

Fixes: https://issues.redhat.com/browse/OADP-5777

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

This commit adds automatic region detection for AWS S3 buckets in BackupStorageLocation
configurations when using actual AWS S3 (not S3-compatible storage).

Changes:
- Modified UpdateBackupStorageLocation in pkg/common/common.go to auto-detect
  and set the region when:
  * Provider is "aws"
  * No custom s3Url is configured (meaning it's real AWS S3)
  * No region is already specified in the config
  * A bucket name is provided in ObjectStorage

- The implementation uses aws.GetBucketRegion() which AWS Security confirmed
  works with anonymous credentials for both public and private buckets
  (Engagement ID: CACenGS4Mha_KeJ=e3jBSLD6rPZ2iNtfuJUv9QJViaCOt7GVNDg)

- Added comprehensive test cases to verify:
  * Region auto-detection is skipped when region is already specified
  * Region auto-detection is skipped for S3-compatible storage (with s3Url)
  * Region auto-detection works with real AWS bucket (tested with
    openshift-velero-plugin-s3-auto-region-test-1)

Benefits:
- Prevents configuration errors from incorrect region specifications
- Reduces manual configuration requirements for AWS BSLs
- Works seamlessly with existing anonymous credential approach

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
@kaovilai kaovilai changed the title OADP-5777: Document AWS HeadBucket API behavior for GetBucketRegion with anonymous credentials OADP-5777: Add automatic S3 bucket region detection and document AWS HeadBucket API behavior Oct 16, 2025
Comment thread pkg/storage/aws/s3.go

```go
// s3:ListBucket permissions for retrieving bucket region information.
// Reference: AWS Security response (Engagement ID: CACenGS4Mha_KeJ=e3jBSLD6rPZ2iNtfuJUv9QJViaCOt7GVNDg)
// This is expected AWS behavior, not a security vulnerability.
o.Credentials = credentials.NewStaticCredentialsProvider("anon-credentials", "anon-secret", "")
```
Member Author

The reasons we are using this here are:

  1. It simplifies the unit test.
  2. Why not? It works for prod too.

Update DoesBSLSpecMatchesDpa function to accept that DPA spec can have
an empty region while the deployed BSL has an auto-detected region.

The test now properly handles the scenario where:
- DPA spec doesn't specify a region
- No custom s3Url is configured (real AWS S3)
- The deployed BSL has an auto-detected region

This ensures the E2E test "DPA CR without Region, without S3ForcePathStyle
and with BackupImages false" passes with the new auto-detection feature.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>
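The auto-detection guard conditions listed in the PR description (provider "aws", no custom s3Url, no region yet, a bucket name present, graceful fallback on failure) and the E2E normalization described in the commit message just above are small enough to show end to end. The following is an added, self-contained Go example written for this page; it is not code from the oadp-operator project. It assumes simplified stand-in types for the Velero BSL spec, a hypothetical `RegionLookup` function type in place of `aws.GetBucketRegion` so the lookup can be faked offline (the injection approach the review suggested), and a constructed bucket-to-region table. It also initialises a nil `Config` map before applying the guards, which is the gap the later follow-up commit on this page describes.

```go
package main

import (
	"errors"
	"fmt"
)

// ObjectStorage and BSLSpec are constructed, simplified stand-ins for the
// fields of velerov1.BackupStorageLocationSpec that this logic reads
// (assumption for the example; not the real Velero types).
type ObjectStorage struct {
	Bucket string
}

type BSLSpec struct {
	Provider      string
	Config        map[string]string
	ObjectStorage *ObjectStorage
}

// RegionLookup stands in for aws.GetBucketRegion so unit tests can substitute
// a fake instead of reaching AWS. Hypothetical signature, not the project's.
type RegionLookup func(bucket string) (string, error)

// autoDetectRegion applies the PR's guard conditions and fills in
// config["region"] only when all of them hold. A nil Config map is
// initialised first so a DPA without a config section still gets the AWS
// defaults. On lookup failure the spec is left untouched and the error is
// returned so the caller can log it and continue (graceful fallback).
func autoDetectRegion(spec *BSLSpec, lookup RegionLookup) (bool, error) {
	if spec.Provider != "aws" {
		return false, nil
	}
	if spec.Config == nil {
		spec.Config = map[string]string{}
	}
	if spec.Config["s3Url"] != "" {
		return false, nil // custom endpoint: S3-compatible storage, not AWS S3
	}
	if spec.Config["region"] != "" {
		return false, nil // an explicitly configured region is never overridden
	}
	if spec.ObjectStorage == nil || spec.ObjectStorage.Bucket == "" {
		return false, nil
	}
	region, err := lookup(spec.ObjectStorage.Bucket)
	if err != nil {
		return false, fmt.Errorf("auto-detect region for bucket %q: %w", spec.ObjectStorage.Bucket, err)
	}
	spec.Config["region"] = region
	return true, nil
}

// normalizeExpectedSpec mirrors the E2E helper change: when the DPA side has
// neither s3Url nor region but the deployed BSL carries an auto-detected
// region, copy that region into the expected spec so the comparison matches.
func normalizeExpectedSpec(expected *BSLSpec, deployed BSLSpec) {
	if expected.Provider != "aws" || deployed.Config == nil {
		return
	}
	if expected.Config == nil {
		expected.Config = map[string]string{}
	}
	if expected.Config["s3Url"] == "" && expected.Config["region"] == "" && deployed.Config["region"] != "" {
		expected.Config["region"] = deployed.Config["region"]
	}
}

// fakeLookup returns a RegionLookup backed by a constructed table; unknown
// buckets yield an error so the failure path can be exercised offline.
func fakeLookup(table map[string]string) RegionLookup {
	return func(bucket string) (string, error) {
		if region, ok := table[bucket]; ok {
			return region, nil
		}
		return "", errors.New("bucket region lookup failed")
	}
}

func main() {
	// Constructed mapping; the PR's own test expects this bucket in us-east-1.
	lookup := fakeLookup(map[string]string{
		"openshift-velero-plugin-s3-auto-region-test-1": "us-east-1",
	})
	spec := &BSLSpec{Provider: "aws", ObjectStorage: &ObjectStorage{Bucket: "openshift-velero-plugin-s3-auto-region-test-1"}}
	detected, err := autoDetectRegion(spec, lookup)
	fmt.Println("detected:", detected, "err:", err, "region:", spec.Config["region"])

	expected := &BSLSpec{Provider: "aws"}
	normalizeExpectedSpec(expected, *spec)
	fmt.Println("expected region after normalization:", expected.Config["region"])
}
```

Because the lookup is injected, the four guard branches and the failure path can be covered without network access, which addresses the review concern about a unit test depending on a live bucket; the real `aws.GetBucketRegion` would be passed in only by the production caller.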
@weshayutin
Contributor

/test 4.19-e2e-test-aws

Contributor

@weshayutin weshayutin left a comment

/LGTM

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Nov 17, 2025
@openshift-ci

openshift-ci Bot commented Nov 17, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai, shubham-pampattiwar, weshayutin

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:
  • OWNERS [kaovilai,shubham-pampattiwar]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@coderabbitai
Contributor

coderabbitai Bot commented Nov 17, 2025

Walkthrough

This PR implements AWS region auto-detection for S3 buckets by refactoring AWS SDK v2 dependencies (shifting credentials from indirect to direct), adding auto-detection logic to the backup storage location update flow, replacing anonymous credential handling with inline setup, and updating end-to-end test helpers to account for auto-detected regions.

Changes

  • Dependency rewiring (go.mod): Shifted AWS credentials from indirect to direct dependency (v1.17.26) while marking core aws-sdk-go-v2 (v1.30.3) as indirect instead of direct.
  • Region auto-detection logic (pkg/common/common.go): Added conditional logic to auto-detect AWS region for real S3 buckets when no s3Url or region is configured and a bucket name is present; calls GetBucketRegion and assigns result to bslSpec.Config if successful.
  • Common logic tests (pkg/common/common_test.go): Added three test cases to TestUpdateBackupStorageLocation covering region preservation when already specified, skipping auto-detection for S3-compatible storage (with s3Url), and successful auto-detection to "us-east-1" for a real test bucket.
  • S3 credential handling (pkg/storage/aws/s3.go): Replaced SDK's AnonymousCredentials provider with inline static anonymous credential setup within the GetBucketRegion call options; added credentials import and retained region hinting via us-east-1.
  • S3 storage tests (pkg/storage/aws/s3_test.go): Added extensive inline comments to existing TestGetBucketRegion test cases for clarity; no functional code changes.
  • End-to-end testing helpers (tests/e2e/lib/dpa_helpers.go): Enhanced DoesBSLSpecMatchesDpa to inject auto-detected AWS region into DPA BSL spec when provider is AWS and real BSL has region but DPA config lacks s3Url and region; ensures checksumAlgorithm synchronization.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~35 minutes

  • AWS SDK credential handling: Review inline anonymous credential setup in pkg/storage/aws/s3.go to confirm proper authentication assumptions (e.g., HeadBucket permissions for region retrieval).
  • Auto-detection conditional logic: Verify guard conditions in pkg/common/common.go (no s3Url, no region, non-empty bucket) to ensure region auto-detection only applies to real S3.
  • Test case coverage: Cross-check new test cases in pkg/common/common_test.go (especially real bucket test) against actual bucket name and expected auto-detected region.
  • E2E BSL spec matching: Ensure the region injection logic in tests/e2e/lib/dpa_helpers.go correctly aligns DPA expectations with deployed BSL state.

Contributor

@coderabbitai coderabbitai Bot left a comment

Actionable comments posted: 1

🧹 Nitpick comments (1)
pkg/storage/aws/s3.go (1)

10-10: Clarify static “anon” credentials usage and consider configuring them at config-load time

The pattern of using credentials.NewStaticCredentialsProvider("anon-credentials", "anon-secret", "") in the GetBucketRegion call is a reasonable way to avoid requiring real AWS credentials while still exercising the region lookup. Two small suggestions:

  • The comment at Lines 32–35 talks about “anonymous credentials”, but the behavior is now implemented in the per-call options (Lines 41–48) with static (signed) credentials; tightening the wording there would make the intent clearer to future readers.
  • To avoid any reliance on the default credential chain and keep behavior fully explicit, you could set the static provider directly in config.LoadDefaultConfig via config.WithCredentialsProvider(credentials.NewStaticCredentialsProvider(...)) instead of only via the s3.Options callback.

Please also ensure TestGetBucketRegion is run in an environment without real AWS credentials to confirm region detection still behaves as expected with these static “anon” credentials.

Also applies to: 32-35, 41-48

📜 Review details


📥 Commits

Reviewing files that changed from the base of the PR and between 5c1e63f and b0cdbf6.

📒 Files selected for processing (6)
  • go.mod (2 hunks)
  • pkg/common/common.go (1 hunks)
  • pkg/common/common_test.go (1 hunks)
  • pkg/storage/aws/s3.go (2 hunks)
  • pkg/storage/aws/s3_test.go (1 hunks)
  • tests/e2e/lib/dpa_helpers.go (1 hunks)
🔇 Additional comments (6)
go.mod (1)

35-35: AWS SDK v2 dependency reshuffle is consistent with usage

Promoting github.com/aws/aws-sdk-go-v2/credentials v1.17.26 to a direct dependency and marking the core module as indirect matches the new import pattern in pkg/storage/aws/s3.go and keeps the module graph tidy. No issues from a correctness or maintainability standpoint.

Also applies to: 63-63

pkg/storage/aws/s3_test.go (1)

17-38: Expanded TestGetBucketRegion documentation is helpful

The additional comments around the public and private bucket cases clearly document the expected AWS HeadBucket behavior and the rationale for using anonymous-style access in tests. Since there are no code changes here, there’s no impact on test behavior.

Also applies to: 45-48

pkg/common/common.go (1)

340-360: AWS region auto-detection logic is well-scoped and safe

The new branch only calls aws.GetBucketRegion when there’s no s3Url, no existing region, and a non-empty bucket, which correctly targets real AWS S3 while leaving S3-compatible endpoints and explicitly configured regions untouched. On failure it simply skips setting the region, so this is a safe, backwards-compatible enhancement.

tests/e2e/lib/dpa_helpers.go (1)

328-340: E2E BSL spec normalization correctly accounts for auto-detected AWS region

The added normalization (copying the BSL’s config["region"] into the expected spec when there’s no s3Url and no region set on the DPA side) cleanly aligns the comparison helper with the new auto-detection behavior. It’s scoped to AWS only and safely handles a nil config map before writing, so it shouldn’t introduce regressions for other providers.

pkg/common/common_test.go (2)

463-496: LGTM: Region preservation test is correct.

The test properly verifies that pre-configured regions are not overridden by the auto-detection logic.


497-530: LGTM: S3-compatible storage skip test is correct.

The test properly verifies that region auto-detection is bypassed for S3-compatible storage backends.

Comment thread pkg/common/common_test.go
Comment on lines +531 to +562
```go
{
	name: "AWS region auto-detection - real bucket (openshift-velero-plugin-s3-auto-region-test-1)",
	bsl:  &velerov1.BackupStorageLocation{},
	bslSpec: velerov1.BackupStorageLocationSpec{
		Provider: "aws",
		Config:   map[string]string{},
		StorageType: velerov1.StorageType{
			ObjectStorage: &velerov1.ObjectStorageLocation{
				Bucket: "openshift-velero-plugin-s3-auto-region-test-1",
			},
		},
	},
	expectedBsl: &velerov1.BackupStorageLocation{
		ObjectMeta: metav1.ObjectMeta{
			Labels: map[string]string{
				RegistryDeploymentLabel: "True",
			},
		},
		Spec: velerov1.BackupStorageLocationSpec{
			Provider: "aws",
			Config: map[string]string{
				"region":            "us-east-1",
				"checksumAlgorithm": "",
			},
			StorageType: velerov1.StorageType{
				ObjectStorage: &velerov1.ObjectStorageLocation{
					Bucket: "openshift-velero-plugin-s3-auto-region-test-1",
				},
			},
		},
	},
},
```
Contributor

⚠️ Potential issue | 🟠 Major

Consider mocking AWS API calls or relocating to integration tests.

This test makes actual AWS API calls to detect the region of a real bucket, introducing several concerns:

  • Network dependency: Requires AWS connectivity, making tests slower and potentially flaky.
  • External resource dependency: Bucket must exist and remain accessible; deletion or renaming breaks the test.
  • CI/CD reliability: May fail in restricted network environments or during AWS outages.
  • Unit test principles: Unit tests should be fast, isolated, and deterministic.

Consider either mocking the GetBucketRegion call for unit tests or moving this test to an integration test suite (e.g., tests/e2e/) where external dependencies are acceptable.

🤖 Prompt for AI Agents
In pkg/common/common_test.go around lines 531 to 562 the unit test performs a
real AWS API call to detect the S3 bucket region which introduces network and
external-resource flakiness; either (A) convert the test to use a mock for the
AWS region lookup by injecting a small interface around the GetBucketRegion call
and in the test replace the real client with a fake that returns the desired
region (and adjust the expectedBsl.Region value accordingly), or (B) move this
test out of the unit tests into an integration/e2e suite (e.g., tests/e2e/) and
mark it to run only in environments with AWS access; pick one approach and
remove any hard dependency on the real bucket name from the unit test.

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD c1f3aaa and 2 for PR HEAD b0cdbf6 in total

@kaovilai
Member Author

/retest

ai-retester: The e2e tests for the oadp-operator failed because the Mongo application DATAMOVER test timed out after 540 seconds, and subsequent steps involving volume provisioning were unable to complete successfully, which resulted in a ContainerFailed status.

@kaovilai
Member Author

/retest

ai-retester: The e2e-test-aws-e2e step failed because the MySQL application two Vol CSI test timed out after 540 seconds.

@kaovilai
Member Author

/retest

ai-retester: The e2e-test-aws-e2e step failed because the Mongo application DATAMOVER test timed out after 540 seconds. The todolist pod also failed to meet all conditions.

@kaovilai
Member Author

from prior fail

```text
Event: Waiting for a volume to be created either by the external provisioner 'ebs.csi.aws.com' or manually by the system administrator. If volume creation is delayed, please verify that the provisioner is running and correctly registered., Type: Normal, Count: 2, Src: {PersistentVolumeClaim mongo-persistent mongo 5ccae848-3d44-425a-8def-47f2832d9175 v1 44970 }, Reason: ExternalProvisioning
Event: failed to provision volume with StorageClass "gp3-csi": claim Selector is not supported, Type: Warning, Count: 5, Src: {PersistentVolumeClaim mongo-persistent mongo 5ccae848-3d44-425a-8def-47f2832d9175 v1 44970 }, Reason: ProvisioningFailed
Event: External provisioner is provisioning volume for claim "mongo-persistent/mongo", Type: Normal, Count: 5, Src: {PersistentVolumeClaim mongo-persistent mongo 5ccae848-3d44-425a-8def-47f2832d9175 v1 44970 }, Reason: Provisioning
Event: volume "pvc-21341a50-49db-4f02-b7d3-7f17deb2f895" already bound to a different claim., Type: Warning, Count: 1, Src: {PersistentVolumeClaim mongo-persistent mongo 5ccae848-3d44-425a-8def-47f2832d9175 v1 45218 }, Reason: FailedBinding
```

@openshift-ci-robot

/retest-required

Remaining retests: 0 against base HEAD 24e3758 and 1 for PR HEAD b0cdbf6 in total

@kaovilai
Member Author

/retest

ai-retester: The Mongo application DATAMOVER e2e test timed out after 540 seconds, indicating a problem with backup and restore operations using the DATAMOVER feature. A known FLAKE was not reported. The step where it failed: e2e-test-aws-e2e

@openshift-ci

openshift-ci Bot commented Nov 19, 2025

@kaovilai: all tests passed!

Full PR test history. Your PR dashboard.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

@openshift-merge-bot openshift-merge-bot Bot merged commit 2abf698 into openshift:oadp-dev Nov 19, 2025
15 checks passed
@kaovilai
Member Author

/retest

ai-retester: The e2e tests for "Mongo application DATAMOVER" failed because the todolist container in the test pod todolist-6d7bb9554c-vptxn remained in the PodInitializing state, resulting in a timeout. The error message "container "todolist" in pod "todolist-6d7bb9554c-vptxn" is waiting to start: PodInitializing" suggests an issue preventing the container from initializing correctly.

@kaovilai
Member Author

testing that node now reply to correct PR :) should work now.

weshayutin pushed a commit to weshayutin/oadp-operator that referenced this pull request Nov 22, 2025
…HeadBucket API behavior (openshift#1740)

* Add tests for auto bucket region on priv/public bucket

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

* OADP-5777: Add automatic S3 bucket region detection for AWS BSLs

This commit adds automatic region detection for AWS S3 buckets in BackupStorageLocation
configurations when using actual AWS S3 (not S3-compatible storage).

Changes:
- Modified UpdateBackupStorageLocation in pkg/common/common.go to auto-detect
  and set the region when:
  * Provider is "aws"
  * No custom s3Url is configured (meaning it's real AWS S3)
  * No region is already specified in the config
  * A bucket name is provided in ObjectStorage

- The implementation uses aws.GetBucketRegion() which AWS Security confirmed
  works with anonymous credentials for both public and private buckets
  (Engagement ID: CACenGS4Mha_KeJ=e3jBSLD6rPZ2iNtfuJUv9QJViaCOt7GVNDg)

- Added comprehensive test cases to verify:
  * Region auto-detection is skipped when region is already specified
  * Region auto-detection is skipped for S3-compatible storage (with s3Url)
  * Region auto-detection works with real AWS bucket (tested with
    openshift-velero-plugin-s3-auto-region-test-1)

Benefits:
- Prevents configuration errors from incorrect region specifications
- Reduces manual configuration requirements for AWS BSLs
- Works seamlessly with existing anonymous credential approach

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* OADP-5777: Fix E2E test to accept auto-detected region in BSL

Update DoesBSLSpecMatchesDpa function to accept that DPA spec can have
an empty region while the deployed BSL has an auto-detected region.

The test now properly handles the scenario where:
- DPA spec doesn't specify a region
- No custom s3Url is configured (real AWS S3)
- The deployed BSL has an auto-detected region

This ensures the E2E test "DPA CR without Region, without S3ForcePathStyle
and with BackupImages false" passes with the new auto-detection feature.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

---------

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
kaovilai added a commit to kaovilai/oadp-operator that referenced this pull request Apr 28, 2026
When DPA backupLocations has no config section, bslSpec.Config is nil,
causing UpdateBackupStorageLocation to skip all AWS-specific logic
including region auto-detection and checksumAlgorithm defaults. This
is the root cause of OADP-5777 still reproducing after PR openshift#1740.

Initialize config map when nil so AWS logic runs regardless of whether
user specifies a config section. Add test coverage for nil config with
both discoverable and undiscoverable buckets.

Fixes: https://issues.redhat.com/browse/OADP-5777

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
openshift-merge-bot Bot pushed a commit that referenced this pull request May 1, 2026
When DPA backupLocations has no config section, bslSpec.Config is nil,
causing UpdateBackupStorageLocation to skip all AWS-specific logic
including region auto-detection and checksumAlgorithm defaults. This
is the root cause of OADP-5777 still reproducing after PR #1740.

Initialize config map when nil so AWS logic runs regardless of whether
user specifies a config section. Add test coverage for nil config with
both discoverable and undiscoverable buckets.

Fixes: https://issues.redhat.com/browse/OADP-5777

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>