UNCLASSIFIED - NO CUI

Integrated bb-common

Jimmy Bourquerequested to merge
172-bb-common-integration into main

General MR

Summary

  • Replaced static resources with bb-common generated resources
  • Updated scripted test to remove minio bucket creation (this is now done in our test-values.yaml)

Relevant logs/screenshots

Before integration:

kubectl get netpol -n velero

NAME                       POD-SELECTOR                                                                                                                                AGE
allow-egress-api           <none>                                                                                                                                      3h11m
allow-egress-minio         <none>                                                                                                                                      3h11m
allow-egress-storage       app.kubernetes.io/instance=velero-velero,app.kubernetes.io/managed-by=Helm,app.kubernetes.io/name=velero                                    3h11m
allow-in-ns                <none>                                                                                                                                      3h11m
allow-istio                <none>                                                                                                                                      3h11m
allow-scraping             app.kubernetes.io/instance=velero-velero,app.kubernetes.io/managed-by=Helm,app.kubernetes.io/name=velero,helm.sh/chart=velero-11.3.2-bb.0   3h11m
allow-sidecar-scraping     <none>                                                                                                                                      3h11m
allow-tempo-egress         <none>                                                                                                                                      3h11m
allow-velero-test-script   service.istio.io/canonical-name=velero-script-test                                                                                          3h11m
default-deny               <none>                                                                                                                                      3h11m
egress-dns                 <none>                                                                                                                                      3h11m

kubectl get ap -n velero

NAME                           ACTION   AGE
allow-http-envoy-prom-policy   ALLOW    3h11m
allow-http-policy              ALLOW    3h11m
monitoring-authz-policy        ALLOW    3h11m
tempo-authz-policy             ALLOW    3h11m

kubectl get se -n velero

NAME                               HOSTS                                                                           LOCATION        RESOLUTION   AGE
allow-minio-api-9000-for-velero    ["minio-api.dev.bigbang.mil"]                                                   MESH_EXTERNAL   DNS          3h11m
allow-minio-api-https-for-velero   ["minio-api.dev.bigbang.mil"]                                                   MESH_EXTERNAL   DNS          3h11m
allow-neuvector-for-velero         ["neuvector.dev.bigbang.mil"]                                                   MESH_EXTERNAL   DNS          3h11m
cypress-service-entries-velero     ["registry.npmjs.org","download.cypress.io","cdn.cypress.io","repo1.dso.mil"]   MESH_EXTERNAL   DNS          3h11m

kubectl get pa -n velero

NAME             MODE     AGE
default-velero   STRICT   3h11m

image

After bb-common Integration:

kubectl get netpol -n velero

NAME                                                                      POD-SELECTOR                                       AGE
allow-egress-api                                                          <none>                                             3h55m
allow-egress-from-velero-to-kubeapi                                       app.kubernetes.io/name=velero                      3m23s
allow-egress-from-velero-to-ns-minio-pod-minio-instance-tcp-port-9000     app.kubernetes.io/name=velero                      3m23s
allow-egress-from-velero-to-ns-tempo-pod-tempo-tcp-port-9411              app.kubernetes.io/name=velero                      3m23s
allow-egress-from-velero-to-storage-subnets                               app.kubernetes.io/name=velero                      3m23s
allow-ingress-to-velero-tcp-port-8085-from-ns-monitoring-pod-prometheus   app.kubernetes.io/name=velero                      3m23s
default-egress-allow-all-in-ns                                            <none>                                             3m23s
default-egress-allow-istiod                                               <none>                                             3m23s
default-egress-allow-kube-dns                                             <none>                                             3m23s
default-egress-deny-all                                                   <none>                                             3m23s
default-ingress-allow-all-in-ns                                           <none>                                             3m23s
default-ingress-allow-prometheus-to-istio-sidecar                         <none>                                             3m23s
default-ingress-deny-all                                                  <none>                                             3m23s

kubectl get ap -n velero

NAME                                                                                                           ACTION   AGE
allow-ingress-to-velero-tcp-port-8085-from-ns-monitoring-with-identity-monitoring-monitoring-kube-prometheus   ALLOW    3m28s
default-authz-allow-all-in-ns                                                                                  ALLOW    3m28s
default-authz-allow-nothing                                                                                             3m28s

kubectl get se -n velero

No resources found in velero namespace. (None were needed)

kubectl get pa -n velero

NAME                MODE     AGE
default-peer-auth   STRICT   3m50s

image

image

image

Backup Storage location is now available by default without the test needing to be run (if using test-values.yaml):

kubectl get bsl -n velero

NAME      PHASE       LAST VALIDATED   AGE   DEFAULT
default   Available   64s              16m   true

velero backup create monitoringbackup --include-namespaces=monitoring

Backup request "monitoringbackup" submitted successfully.
Run `velero backup describe monitoringbackup` or `velero backup logs monitoringbackup` for more details.

velero backup describe monitoringbackup

Name:         monitoringbackup
Namespace:    velero
Labels:       velero.io/storage-location=default
Annotations:  velero.io/resource-timeout=10m0s
              velero.io/source-cluster-k8s-gitversion=v1.34.1+k3s1
              velero.io/source-cluster-k8s-major-version=1
              velero.io/source-cluster-k8s-minor-version=34

Phase:  Completed


Namespaces:
  Included:  monitoring
  Excluded:  <none>

Resources:
  Included cluster-scoped:    <none>
  Excluded cluster-scoped:    volumesnapshotcontents.snapshot.storage.k8s.io
  Included namespace-scoped:  *
  Excluded namespace-scoped:  volumesnapshots.snapshot.storage.k8s.io

Label selector:  <none>

Storage Location:  default

Velero-Native Snapshot PVs:  auto

TTL:  720h0m0s

CSISnapshotTimeout:    10m0s
ItemOperationTimeout:  4h0m0s

Hooks:  <none>

Backup Format Version:  1.1.0

Started:    2026-01-23 14:37:47 -0600 CST
Completed:  2026-01-23 14:37:49 -0600 CST

Expiration:  2026-02-22 14:37:47 -0600 CST

Total items to be backed up:  426
Items backed up:              426

Velero-Native Snapshots: <none included>

Linked Issue

issue

Upgrade Notices

Velero is now leveraging our bb-common integration for network policies and all istio-related resources. Please refer to this blog post for additional information on the integration.

Umbrella Branch

bb-common-velero

Edited by Jimmy Bourque

Merge request reports

UNCLASSIFIED - NO CUI