velero-plugin-for-aws
Reuse the aws session with cacerts and credentials for fetching region
Velero has a way to use a custom CA bundle to access the objectStore behind the proxy by providing the option --cacerts at the time of velero install or velero client operations.
The s3 plugin tries to communicate with the objectStore to find out the region or to push/pull the Backup manifests. If the region is not provided in the BackupStorageLocation config, while finding the region, the plugin creates a new aws session config which does not use any session options, such as certs or credential profile.
This PR is to add the support for aws s3 plugin also to consume the ca certificate bundle passed in BackupStorageLocation with the caCerts field.
This can be tested by having a velero setup behind a proxy with self-signed certs, passing them along with the velero install, and trying to perform the backup/restore operations.
Fixes: vmware-tanzu/velero#3449
Signed-off-by: Ayush Rangwala [email protected]
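The failure mode described above, as an added example that is not code from this PR or the plugin: it uses only Go's standard library and a constructed local TLS endpoint with a self-signed certificate in place of the object store. `newClient`, `probe` and `demo` are hypothetical names, and the region value is constructed.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"encoding/pem"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// newClient (hypothetical helper) trusts only the certificates in the PEM bundle.
func newClient(caBundle []byte) (*http.Client, error) {
	pool := x509.NewCertPool()
	if !pool.AppendCertsFromPEM(caBundle) {
		return nil, fmt.Errorf("CA bundle contains no valid PEM certificate")
	}
	cfg := &tls.Config{RootCAs: pool, MinVersion: tls.VersionTLS12}
	return &http.Client{Transport: &http.Transport{TLSClientConfig: cfg}}, nil
}

// probe stands in for the region lookup: one HTTPS request, region read from a header.
func probe(c *http.Client, url string) (string, error) {
	resp, err := c.Get(url)
	if err != nil {
		return "", err
	}
	defer resp.Body.Close()
	return resp.Header.Get("x-amz-bucket-region"), nil
}

// demo runs both clients against a constructed endpoint with a self-signed certificate.
func demo() (errNoCA error, region string, errWithCA error) {
	srv := httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, _ *http.Request) {
		w.Header().Set("x-amz-bucket-region", "us-east-1") // constructed value
	}))
	defer srv.Close()
	bundle := pem.EncodeToMemory(&pem.Block{Type: "CERTIFICATE", Bytes: srv.Certificate().Raw})
	plain := &http.Client{} // default trust store only, like a session built without options
	trusted, err := newClient(bundle)
	if err != nil {
		return nil, "", err
	}
	_, errNoCA = probe(plain, srv.URL)
	region, errWithCA = probe(trusted, srv.URL)
	return errNoCA, region, errWithCA
}

func main() { fmt.Println(demo()) }
```

The client built without the bundle fails certificate verification even though the bundle was available to the caller, which is the same gap a second, option-less session leaves for the region lookup.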
High level question - would it be possible to support the CA cert with the VolumeSnapshotter API, too?
High level question - would it be possible to support the CA cert with the VolumeSnapshotter API, too?
@nrb Yes, it's possible and we should definitely do it to make this adoption across any API calls. But this might need a bit more changes as we have to decide how we should propagate the CA certs passed via --certs to the VolumeSnapshot API. For BSL, we have an optional field in the spec, caCerts, which stores the encoded bundle. We can have the same field in the VolumeSnapshot CR but it will need us to change the CRD.