openshift-docs/modules/oadp-1-5-0-release-notes.adoc

// Module included in the following assemblies:
//
// * backup_and_restore/oadp-1-5-release-notes.adoc
:_mod-docs-content-type: REFERENCE

[id="oadp-1-5-0-release-notes_{context}"]
= OADP 1.5.0 release notes

The {oadp-first} 1.5.0 release notes lists resolved issues and known issues.

[id="new-features-1-5-0_{context}"]
== New features

.OADP 1.5.0 introduces a new Self-Service feature

{oadp-short} 1.5.0 introduces a new feature named {oadp-short} Self-Service, enabling namespace admin users to back up and restore applications on the {product-title}.
In the earlier versions of {oadp-short}, you needed the cluster-admin role to perform {oadp-short} operations such as backing up and restoring an application, creating a backup storage location, and so on.

From {oadp-short} 1.5.0 onward, you do not need the cluster-admin role to perform the backup and restore operations. You can use {oadp-short} with the namespace admin role. The namespace admin role has administrator access only to the namespace the user is assigned to.
You can use the Self-Service feature only after the cluster administrator installs the {oadp-short} Operator and provides the necessary permissions.

link:https://issues.redhat.com/browse/OADP-4001[OADP-4001]

.Collecting logs with the `must-gather` tool has been improved with a Markdown summary

You can collect logs, and information about {oadp-first} custom resources by using the `must-gather` tool. The `must-gather` data must be attached to all customer cases.
This tool generates a Markdown output file with the collected information, which is located in the `must-gather` logs clusters directory.

link:https://issues.redhat.com/browse/OADP-5384[OADP-5384]

.`dataMoverPrepareTimeout` and `resourceTimeout` parameters are now added to `nodeAgent` within the DPA

The `nodeAgent` field in Data Protection Application (DPA) now includes the following parameters:

* `dataMoverPrepareTimeout`: Defines the duration the `DataUpload` or `DataDownload` process will wait. The default value is 30 minutes.

* `resourceTimeout`: Sets the timeout for resource processes not addressed by other specific timeout parameters. The default value is 10 minutes.

link:https://issues.redhat.com/browse/OADP-3736[OADP-3736]

.Use the `spec.configuration.nodeAgent` parameter in DPA for configuring `nodeAgent` daemon set

Velero no longer uses the `node-agent-config` config map for configuring the `nodeAgent` daemon set. With this update, you must use the new `spec.configuration.nodeAgent` parameter in a Data Protection Application (DPA) for configuring the `nodeAgent` daemon set.

link:https://issues.redhat.com/browse/OADP-5042[OADP-5042]

.Configuring DPA with the backup repository configuration config map is now possible

With Velero 1.15 and later, you can now configure the total size of a cache per repository. This prevents pods from being removed due to running out of ephemeral storage. See the following new parameters added to the `NodeAgentConfig` field in DPA:

* `cacheLimitMB`: Sets the local data cache size limit in megabytes.
* `fullMaintenanceInterval`: The default value is 24 hours. Controls the removal rate of deleted Velero backups from the Kopia repository using the following override options:
** `normalGC: 24 hours`
** `fastGC: 12 hours`
** `eagerGC: 6 hours`

link:https://issues.redhat.com/browse/OADP-5900[OADP-5900]

.Enhancing the node-agent security

With this update, the following changes are added:

* A new `configuration` option is now added to the `velero` field in DPA.
* The default value for the `disableFsBackup` parameter is `false` or `non-existing`. With this update, the following options are added to the `SecurityContext` field:
** `Privileged: true`
** `AllowPrivilegeEscalation: true`
* If you set the `disableFsBackup` parameter to `true`, it removes the following mounts from the node-agent:
** `host-pods`
** `host-plugins`
* Modifies that the node-agent is always run as a non-root user.
* Changes the root file system to read only.
* Updates the following mount points with the write access:
** `/home/velero`
** `tmp/credentials`
* Uses the `SeccompProfileTypeRuntimeDefault` option for the `SeccompProfile` parameter.

link:https://issues.redhat.com/browse/OADP-5031[OADP-5031]

.Adds DPA support for parallel item backup

By default, only one thread processes an item block. Velero 1.16 supports a parallel item backup, where multiple items within a backup can be processed in parallel.

You can use the optional Velero server parameter `--item-block-worker-count` to run additional worker threads to process items in parallel. To enable this in OADP, set the `dpa.Spec.Configuration.Velero.ItemBlockWorkerCount` parameter to an integer value greater than zero.
[NOTE]
====
Running multiple full backups in parallel is not yet supported.
====

link:https://issues.redhat.com/browse/OADP-5635[OADP-5635]

.OADP logs are now available in the JSON format

With the of release {oadp-short} 1.5.0, the logs are now available in the JSON format. It helps to have pre-parsed data in their Elastic logs management system.

link:https://issues.redhat.com/browse/OADP-3391[OADP-3391]

.The `oc get dpa` command now displays `RECONCILED` status

With this release, the `oc get dpa` command now displays `RECONCILED` status instead of displaying only `NAME` and `AGE` to improve user experience. For example:

[source,terminal]
----
$ oc get dpa -n openshift-adp
NAME            RECONCILED   AGE
velero-sample   True         2m51s
----

link:https://issues.redhat.com/browse/OADP-1338[OADP-1338]

[id="resolved-issues-1-5-0_{context}"]
== Resolved issues

.Containers now use `FallbackToLogsOnError` for `terminationMessagePolicy`

With this release, the `terminationMessagePolicy` field can now set the `FallbackToLogsOnError` value for the {oadp-first} Operator containers such as `operator-manager`, `velero`, `node-agent`, and `non-admin-controller`.

This change ensures that if a container exits with an error and the termination message file is empty, {OCP-short} uses the last portion of the container logs output as the termination message.

link:https://issues.redhat.com/browse/OADP-5183[OADP-5183]

.Namespace admin can now access the application after restore

Previously, the namespace admin could not execute an application after the restore operation with the following errors:

* `exec operation is not allowed because the pod's security context exceeds your permissions`
* `unable to validate against any security context constraint`
* `not usable by user or serviceaccount, provider restricted-v2`

With this update, this issue is now resolved and the namespace admin can access the application successfully after the restore.

link:https://issues.redhat.com/browse/OADP-5611[OADP-5611]

.Specifying status restoration at the individual resource instance level using the annotation is now possible

Previously, status restoration was only configured at the resource type using the `restoreStatus` field in the `Restore` custom resource (CR).

With this release, you can now specify the status restoration at the individual resource instance level using the following annotation:

[source,terminal]
----
metadata:
  annotations:
    velero.io/restore-status: "true"
----

link:https://issues.redhat.com/browse/OADP-5968[OADP-5968]


.Restore is now successful with `excludedClusterScopedResources`

Previously, on performing the backup of an application with the `excludedClusterScopedResources` field set to `storageclasses`, `Namespace` parameter, the backup was successful but the restore partially failed.
With this update, the restore is successful.

link:https://issues.redhat.com/browse/OADP-5239[OADP-5239]

.Backup is completed even if it gets restarted during the `waitingForPluginOperations` phase

Previously, a backup was marked as failed with the following error message:
[Source,terminal]
----
failureReason: found a backup with status "InProgress" during the server starting,
mark it as "Failed"
----

With this update, the backup is completed if it gets restarted during the `waitingForPluginOperations` phase.

link:https://issues.redhat.com/browse/OADP-2941[OADP-2941]

.Error messages are now more informative when the` disableFsbackup` parameter is set to `true` in DPA

Previously, when the `spec.configuration.velero.disableFsBackup` field from a Data Protection Application (DPA) was set to `true`, the backup partially failed with an error, which was not informative.

This update makes error messages more useful for troubleshooting issues. For example, error messages indicating that `disableFsBackup: true` is the issue in a DPA or not having access to a DPA if it is for non-administrator users.

link:https://issues.redhat.com/browse/OADP-5952[OADP-5952]

.Handles AWS STS credentials in the parseAWSSecret

Previously, AWS credentials using STS authentication were not properly validated.

With this update, the `parseAWSSecret` function detects STS-specific fields, and updates the `ensureSecretDataExists` function to handle STS profiles correctly.

link:https://issues.redhat.com/browse/OADP-6105[OADP-6105]

.The `repositoryMaintenance` job affinity config is available to configure

Previously, the new configurations for repository maintenance job pod affinity was missing from a DPA specification.

With this update, the `repositoryMaintenance` job affinity config is now available to map a `BackupRepository` identifier to its configuration.

link:https://issues.redhat.com/browse/OADP-6134[OADP-6134]

.The `ValidationErrors` field fades away once the CR specification is correct

Previously, when a schedule CR was created with a wrong `spec.schedule` value and the same was later patched with a correct value, the `ValidationErrors` field still existed. Consequently, the `ValidationErrors` field was displaying incorrect information even though the spec was correct.

With this update, the `ValidationErrors` field fades away once the CR specification is correct.

link:https://issues.redhat.com/browse/OADP-5419[OADP-5419]

.The `volumeSnapshotContents` custom resources are restored when the `includedNamesapces` field is used in `restoreSpec`

Previously, when a restore operation was triggered with the `includedNamespace` field in a restore specification, restore operation was completed successfully but no `volumeSnapshotContents` custom resources (CR) were created and the PVCs were in a `Pending` status.

With this update, `volumeSnapshotContents` CR are restored even when the `includedNamesapces` field is used in `restoreSpec`. As a result, an application pod is in a `Running` state after restore.

link:https://issues.redhat.com/browse/OADP-5939[OADP-5939]

.OADP operator successfully creates bucket on top of AWS

Previously, the container was configured with the `readOnlyRootFilesystem: true` setting for security, but the code attempted to create temporary files in the `/tmp` directory using the `os.CreateTemp()` function. Consequently, while using the AWS STS authentication with the Cloud Credential Operator (CCO) flow, {oadp-short} failed to create temporary files that were required for AWS credential handling with the following error:
[source,terminal]
----
ERROR unable to determine if bucket exists. {"error": "open /tmp/aws-shared-credentials1211864681: read-only file system"}
----
With this update, the following changes are added to address this issue:

* A new `emptyDir` volume named `tmp-dir` to the controller pod specification.
* A volume mount to the container, which mounts this volume to the `/tmp` directory.
* For security best practices, the `readOnlyRootFilesystem: true` is maintained.
* Replaced the deprecated `ioutil.TempFile()` function with the recommended `os.CreateTemp()` function.
* Removed the unnecessary `io/ioutil` import, which is no longer needed.

link:https://issues.redhat.com/browse/OADP-6019[OADP-6019]

For a complete list of all issues resolved in this release, see the list of link:https://issues.redhat.com/issues/?filter=12462673[OADP 1.5.0 resolved issues] in Jira.


[id="known-issues-1-5-0_{context}"]
== Known issues

.Kopia does not delete all the artifacts after backup expiration

Even after deleting a backup, Kopia does not delete the volume artifacts from the `${bucket_name}/kopia/${namespace}` on the S3 location after the backup expired. Information related to the expired and removed data files remains in the metadata.
To ensure that {oadp-first} functions properly, the data is not deleted, and it exists in the `/kopia/` directory, for example:

* `kopia.repository`: Main repository format information such as encryption, version, and other details.
* `kopia.blobcfg`: Configuration for how data blobs are named.
* `kopia.maintenance`: Tracks maintenance owner, schedule, and last successful build.
* `log`: Log blobs.

link:https://issues.redhat.com/browse/OADP-5131[OADP-5131]

For a complete list of all known issues in this release, see the list of link:https://issues.redhat.com/issues/?filter=12472334[OADP 1.5.0 known issues] in Jira.

[id="deprecated-features-1-5-0_{context}"]
== Deprecated features

.The `configuration.restic` specification field has been deprecated

With {oadp-first} 1.5.0, the `configuration.restic` specification field has been deprecated. Use the `nodeAgent` section with the `uploaderType` field for selecting `kopia` or `restic` as a `uploaderType`. Note that, Restic is deprecated in {oadp-first} 1.5.0.

link:https://issues.redhat.com/browse/OADP-5158[OADP-5158]


[id="technoloy-preview-1-5-0_{context}"]
== Technology Preview

.Support for HyperShift hosted OpenShift clusters is available as a Technology Preview

{oadp-short} can support and facilitate application migrations within HyperShift hosted {OCP-short} clusters as a Technology Preview. It ensures a seamless backup and restore operation for applications in hosted clusters.

For more information about the support scope of Red{nbsp}Hat Technology Preview features, see link:https://access.redhat.com/support/offerings/techpreview/[Technology Preview Features Support Scope].

link:https://issues.redhat.com/browse/OADP-3930[OADP-3930]