Add a BSL controller to handle validation + update BSL status phase (#2674)

* Add BSL controller Signed-off-by: Carlisia <carlisia@vmware.com> * Add changelog Signed-off-by: Carlisia <carlisia@vmware.com> * Make update Signed-off-by: Carlisia <carlisia@vmware.com> * Update docs Signed-off-by: Carlisia <carlisia@vmware.com> * Add kubebuilder dependency Signed-off-by: Carlisia <carlisia@vmware.com> * Add export Signed-off-by: Carlisia <carlisia@vmware.com> * add kubebuilder binaries into velero builder image Signed-off-by: Ashish Amarnath <ashisham@vmware.com> * Reset velero dockerfile Signed-off-by: Carlisia <carlisia@vmware.com> * Consolidate all logic Signed-off-by: Carlisia <carlisia@vmware.com> * Add copyright header Signed-off-by: Carlisia <carlisia@vmware.com> * Clean up + add "last validated" column Signed-off-by: Carlisia <carlisia@vmware.com> * Better tests Signed-off-by: Carlisia <carlisia@vmware.com> * Add more tests Signed-off-by: Carlisia <carlisia@vmware.com> * Better logging Signed-off-by: Carlisia <carlisia@vmware.com> * Format Signed-off-by: Carlisia <carlisia@vmware.com> * Code reviews Signed-off-by: Carlisia <carlisia@vmware.com> * Address code review Signed-off-by: Carlisia <carlisia@vmware.com> * Remove redundant logic Signed-off-by: Carlisia <carlisia@vmware.com> Co-authored-by: Ashish Amarnath <ashisham@vmware.com>
2026-01-04 04:04:02 +00:00 · 2020-07-14 14:47:00 -07:00
parent 3d3b9e312a
commit dbd0aa4915
19 changed files with 1015 additions and 92 deletions
--- a/changelogs/unreleased/2674-carlisia
+++ b/changelogs/unreleased/2674-carlisia
@@ -0,0 +1 @@
+Add a BSL controller to handle validation + update BSL status phase (validation removed from the server and no longer blocks when there's any invalid BSL)
--- a/config/crd/bases/velero.io_backupstoragelocations.yaml
+++ b/config/crd/bases/velero.io_backupstoragelocations.yaml
@@ -13,6 +13,11 @@ spec:
    description: Backup Storage Location status such as Available/Unavailable
    name: Phase
    type: string
+  - JSONPath: .status.lastValidationTime
+    description: LastValidationTime is the last time the backup store location was
+      validated
+    name: Last Validated
+    type: date
  - JSONPath: .metadata.creationTimestamp
    name: Age
    type: date
@@ -86,6 +91,11 @@ spec:
            provider:
              description: Provider is the provider of the backup storage.
              type: string
+            validationFrequency:
+              description: ValidationFrequency defines how frequently to validate
+                the corresponding object storage. A value of 0 disables validation.
+              nullable: true
+              type: string
          required:
          - objectStorage
          - provider
@@ -114,6 +124,12 @@ spec:
              format: date-time
              nullable: true
              type: string
+            lastValidationTime:
+              description: LastValidationTime is the last time the backup store location
+                was validated the cluster.
+              format: date-time
+              nullable: true
+              type: string
            phase:
              description: Phase is the current state of the BackupStorageLocation.
              enum:
--- a/config/crd/crds/crds.go
+++ b/config/crd/crds/crds.go
--- a/go.mod
+++ b/go.mod
@@ -15,12 +15,14 @@ require (
 	github.com/go-ini/ini v1.28.2 // indirect
 	github.com/gobwas/glob v0.2.3
 	github.com/gofrs/uuid v3.2.0+incompatible
-	github.com/golang/protobuf v1.3.2
+	github.com/golang/protobuf v1.4.2
 	github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd
 	github.com/hashicorp/go-plugin v0.0.0-20190610192547-a1bc61569a26
 	github.com/jmespath/go-jmespath v0.0.0-20160202185014-0b12d6b521d8 // indirect
 	github.com/joho/godotenv v1.3.0
 	github.com/kubernetes-csi/external-snapshotter/v2 v2.1.0
+	github.com/onsi/ginkgo v1.13.0
+	github.com/onsi/gomega v1.10.1
 	github.com/pkg/errors v0.8.1
 	github.com/prometheus/client_golang v1.0.0
 	github.com/robfig/cron v0.0.0-20170309132418-df38d32658d8
@@ -30,8 +32,11 @@ require (
 	github.com/spf13/cobra v0.0.5
 	github.com/spf13/pflag v1.0.5
 	github.com/stretchr/testify v1.4.0
-	golang.org/x/net v0.0.0-20200602114024-627f9648deb9
-	google.golang.org/grpc v1.26.0
+	golang.org/x/net v0.0.0-20200625001655-4c5254603344
+	golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae // indirect
+	golang.org/x/text v0.3.3 // indirect
+	google.golang.org/grpc v1.27.0
+	google.golang.org/protobuf v1.25.0 // indirect
 	k8s.io/api v0.17.4
 	k8s.io/apiextensions-apiserver v0.17.4
 	k8s.io/apimachinery v0.17.4
--- a/go.sum
+++ b/go.sum
@@ -120,6 +120,8 @@ github.com/evanphx/json-patch v4.5.0+incompatible/go.mod h1:50XU6AFN0ol/bzJsmQLi
 github.com/fatih/color v1.7.0/go.mod h1:Zm6kSWBoL9eyXnKyktHP6abPY2pDugNf5KwzbycvMj4=
 github.com/fsnotify/fsnotify v1.4.7 h1:IXs+QLmnXW2CcXuY+8Mzv/fWEsPGWxqefPtCP5CnV9I=
 github.com/fsnotify/fsnotify v1.4.7/go.mod h1:jwhsz4b93w/PPRr/qN1Yymfu8t87LnFCMoQvtojpjFo=
+github.com/fsnotify/fsnotify v1.4.9 h1:hsms1Qyu0jgnwNXIxa+/V/PDsU6CfLf6CNO8H7IWoS4=
+github.com/fsnotify/fsnotify v1.4.9/go.mod h1:znqG4EE+3YCdAaPaxE2ZRY/06pZUdp0tY4IgpuI1SZQ=
 github.com/ghodss/yaml v0.0.0-20150909031657-73d445a93680/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/ghodss/yaml v1.0.0/go.mod h1:4dBDuWmgqj2HViK6kFavaiC9ZROes6MMH2rRYeMEF04=
 github.com/globalsign/mgo v0.0.0-20180905125535-1ca0a4f7cbcb/go.mod h1:xkRDCp4j0OGD1HRkm4kmhM+pmpv3AKq5SU7GMg4oO/Q=
@@ -197,12 +199,23 @@ github.com/golang/protobuf v1.2.0/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5y
 github.com/golang/protobuf v1.3.1/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
 github.com/golang/protobuf v1.3.2 h1:6nsPYzhq5kReh6QImI3k5qWzO4PEbvbIW2cwSfR/6xs=
 github.com/golang/protobuf v1.3.2/go.mod h1:6lQm79b+lXiMfvg/cZm0SGofjICqVBUtrP5yJMmIC1U=
+github.com/golang/protobuf v1.4.0-rc.1/go.mod h1:ceaxUfeHdC40wWswd/P6IGgMaK3YpKi5j83Wpe3EHw8=
+github.com/golang/protobuf v1.4.0-rc.1.0.20200221234624-67d41d38c208/go.mod h1:xKAWHe0F5eneWXFV3EuXVDTCmh+JuBKY0li0aMyXATA=
+github.com/golang/protobuf v1.4.0-rc.2/go.mod h1:LlEzMj4AhA7rCAGe4KMBDvJI+AwstrUpVNzEA03Pprs=
+github.com/golang/protobuf v1.4.0-rc.4.0.20200313231945-b860323f09d0/go.mod h1:WU3c8KckQ9AFe+yFwt9sWVRKCVIyN9cPHBJSNnbL67w=
+github.com/golang/protobuf v1.4.0/go.mod h1:jodUvKwWbYaEsadDk5Fwe5c77LiNKVO9IDvqG2KuDX0=
+github.com/golang/protobuf v1.4.1/go.mod h1:U8fpvMrcmy5pZrNK1lt4xCsGvpyWQ/VVv6QDs8UjoX8=
+github.com/golang/protobuf v1.4.2 h1:+Z5KGCizgyZCbGh1KZqA0fcLLkwbsjIzS4aV2v7wJX0=
+github.com/golang/protobuf v1.4.2/go.mod h1:oDoupMAO8OvCJWAcko0GGGIgR6R6ocIYbsSw735rRwI=
 github.com/google/btree v0.0.0-20180813153112-4030bb1f1f0c/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/btree v1.0.0/go.mod h1:lNA+9X1NB3Zf8V7Ke586lFgjr2dZNuvo3lPJSGZ5JPQ=
 github.com/google/go-cmp v0.2.0/go.mod h1:oXzfMopK8JAjlY9xF4vHSVASa0yLyX7SntLO5aqRK0M=
 github.com/google/go-cmp v0.3.0/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
 github.com/google/go-cmp v0.3.1 h1:Xye71clBPdm5HgqGwUkwhbynsUJZhDbS20FvLhQ2izg=
 github.com/google/go-cmp v0.3.1/go.mod h1:8QqcDgzrUqlUb/G2PQTWiueGozuR1884gddMywk6iLU=
+github.com/google/go-cmp v0.4.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
+github.com/google/go-cmp v0.5.0 h1:/QaMHBdZ26BB3SSst0Iwl10Epc+xhTquomWX0oZEB6w=
+github.com/google/go-cmp v0.5.0/go.mod h1:v8dTdLbMG2kIc/vJvl+f65V22dbkXbowE6jgT/gNBxE=
 github.com/google/gofuzz v0.0.0-20161122191042-44d81051d367/go.mod h1:HP5RmnzzSNb993RKQDq4+1A4ia9nllfqcQFTQJedwGI=
 github.com/google/gofuzz v1.0.0 h1:A8PeW59pxE9IoFRqBp37U+mSNaQoZ46F1f0f863XSXw=
 github.com/google/gofuzz v1.0.0/go.mod h1:dBl0BpW6vV/+mYPU4Po3pmUjxk6FQPldtuIdl/M65Eg=
@@ -307,6 +320,8 @@ github.com/munnerz/goautoneg v0.0.0-20120707110453-a547fc61f48d/go.mod h1:+n7T8m
 github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822/go.mod h1:+n7T8mK8HuQTcFwEeznm/DIxMOiR9yIdICNftLE1DvQ=
 github.com/mwitkow/go-conntrack v0.0.0-20161129095857-cc309e4a2223/go.mod h1:qRWi+5nqEBWmkhHvq77mSJWrCKwh8bxhgT7d/eI7P4U=
 github.com/mxk/go-flowrate v0.0.0-20140419014527-cca7078d478f/go.mod h1:ZdcZmHo+o7JKHSa8/e818NopupXU1YMK5fe1lsApnBw=
+github.com/nxadm/tail v1.4.4 h1:DQuhQpB1tVlglWS2hLQ5OV6B5r8aGxSrPc5Qo6uTN78=
+github.com/nxadm/tail v1.4.4/go.mod h1:kenIhsEOeOJmVchQTgglprH7qJGnHDVpk1VPCcaMI8A=
 github.com/oklog/run v1.0.0 h1:Ru7dDtJNOyC66gQ5dQmaCa0qIsAUFY3sFpK1Xk8igrw=
 github.com/oklog/run v1.0.0/go.mod h1:dlhp/R75TPv97u0XWUtDeV/lRKWPKSdTuV0TZvrmrQA=
 github.com/olekukonko/tablewriter v0.0.0-20170122224234-a0225b3f23b5/go.mod h1:vsDQFd/mU46D+Z4whnwzcISnGGzXWMclvtLoiIKAKIo=
@@ -317,11 +332,17 @@ github.com/onsi/ginkgo v1.10.2 h1:uqH7bpe+ERSiDa34FDOF7RikN6RzXgduUF8yarlZp94=
 github.com/onsi/ginkgo v1.10.2/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
 github.com/onsi/ginkgo v1.11.0 h1:JAKSXpt1YjtLA7YpPiqO9ss6sNXEsPfSGdwN0UHqzrw=
 github.com/onsi/ginkgo v1.11.0/go.mod h1:lLunBs/Ym6LB5Z9jYTR76FiuTmxDTDusOGeTQH+WWjE=
+github.com/onsi/ginkgo v1.12.1/go.mod h1:zj2OWP4+oCPe1qIXoGWkgMRwljMUYCdkwsT2108oapk=
+github.com/onsi/ginkgo v1.13.0 h1:M76yO2HkZASFjXL0HSoZJ1AYEmQxNJmY41Jx1zNUq1Y=
+github.com/onsi/ginkgo v1.13.0/go.mod h1:+REjRxOmWfHCjfv9TTWB1jD1Frx4XydAD3zm1lskyM0=
 github.com/onsi/gomega v0.0.0-20170829124025-dcabb60a477c/go.mod h1:C1qb7wdrVGGVU+Z6iS04AVkA3Q65CEZX59MT0QO5uiA=
 github.com/onsi/gomega v1.7.0 h1:XPnZz8VVBHjVsy1vzJmRwIcSwiUO+JFfrv/xGiigmME=
 github.com/onsi/gomega v1.7.0/go.mod h1:ex+gbHU/CVuBBDIJjb2X0qEXbFg53c61hWP/1CpauHY=
+github.com/onsi/gomega v1.7.1/go.mod h1:XdKZgCCFLUoM/7CFJVPcG8C1xQ1AJ0vpAezJrB7JYyY=
 github.com/onsi/gomega v1.8.1 h1:C5Dqfs/LeauYDX0jJXIe2SWmwCbGzx9yF8C8xy3Lh34=
 github.com/onsi/gomega v1.8.1/go.mod h1:Ho0h+IUsWyvy1OpqCwxlQ/21gkhVunqlU8fDGcoTdcA=
+github.com/onsi/gomega v1.10.1 h1:o0+MgICZLuZ7xjH7Vx6zS/zcu93/BEp1VwkIW1mEXCE=
+github.com/onsi/gomega v1.10.1/go.mod h1:iN09h71vgCQne3DLsj+A5owkum+a2tYe+TOCB1ybHNo=
 github.com/pborman/uuid v1.2.0/go.mod h1:X/NO0urCmaxf9VXbdlT7C2Yzkj2IKimNn4k+gtPdI/k=
 github.com/pelletier/go-toml v1.2.0/go.mod h1:5z9KED0ma1S8pY6P1sdut58dfprrGBbd/94hg7ilaic=
 github.com/peterbourgon/diskv v2.0.1+incompatible/go.mod h1:uqqh8zWWbv1HBMNONnaR/tNboyR3/BZd58JJSHlUSCU=
@@ -350,6 +371,7 @@ github.com/robfig/cron v0.0.0-20170309132418-df38d32658d8/go.mod h1:JGuDeoQd7Z6y
 github.com/rogpeppe/fastuuid v0.0.0-20150106093220-6724a57986af/go.mod h1:XWv6SoW27p1b0cqNHllgS5HIMJraePCO15w5zCzIWYg=
 github.com/rogpeppe/go-internal v1.3.0/go.mod h1:M8bDsm7K2OlrFYOpmOWEs/qY81heoFRclV5y23lUDJ4=
 github.com/russross/blackfriday v1.5.2/go.mod h1:JO/DiYxRf+HjHt06OyowR9PTA263kcR/rfWxYHBV53g=
+github.com/sclevine/agouti v3.0.0+incompatible/go.mod h1:b4WX9W9L1sfQKXeJf1mUTLZKJ48R1S7H23Ji7oFO5Bw=
 github.com/sergi/go-diff v1.0.0/go.mod h1:0CfEIISq7TuYL3j771MWULgwwjU+GofnZX9QAmXWZgo=
 github.com/sirupsen/logrus v1.2.0/go.mod h1:LxeOpSwHxABJmUn/MG1IvRgCAasNZTLOkJPxbbu5VWo=
 github.com/sirupsen/logrus v1.4.2 h1:SPIRibHv4MatM3XXNO2BJeFLZwZ2LvZgfQ5+UNI2im4=
@@ -390,6 +412,7 @@ github.com/vektah/gqlparser v1.1.2/go.mod h1:1ycwN7Ij5njmMkPPAOaRFY4rET2Enx7IkVv
 github.com/xiang90/probing v0.0.0-20190116061207-43a291ad63a2/go.mod h1:UETIi67q53MR2AWcXfiuqkDkRtnGDLqkBTpCHuJHxtU=
 github.com/xordataexchange/crypt v0.0.3-0.20170626215501-b2862e3d0a77/go.mod h1:aYKd//L2LvnjZzWKhF00oedf4jCCReLcmhLdhm1A27Q=
 go.etcd.io/bbolt v1.3.3/go.mod h1:IbVyRI1SCnLcuJnV2u8VeU0CEYM7e686BmAb1XKL+uU=
+go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738 h1:VcrIfasaLFkyjk6KNlXQSzO+B0fZcnECiDrKJsfxka0=
 go.etcd.io/etcd v0.0.0-20191023171146-3cf2f69b5738/go.mod h1:dnLIgRNXwCJa5e+c6mIZCrds/GIG4ncV9HhK5PX7jPg=
 go.mongodb.org/mongo-driver v1.0.3/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
 go.mongodb.org/mongo-driver v1.1.1/go.mod h1:u7ryQJ+DOzQmeO7zB6MHyr8jkEQvC8vH7qLUO4lqsUM=
@@ -416,6 +439,8 @@ golang.org/x/crypto v0.0.0-20191011191535-87dc89f01550/go.mod h1:yigFU9vqHzYiE8U
 golang.org/x/crypto v0.0.0-20191206172530-e9b2fee46413/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975 h1:/Tl7pH94bvbAAHBdZJT947M/+gp0+CqQXDtMRC0fseo=
 golang.org/x/crypto v0.0.0-20200220183623-bac4c82f6975/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9 h1:psW17arqaxU48Z5kZ0CQnkZWQJsqcURM6tKiBApRjXI=
+golang.org/x/crypto v0.0.0-20200622213623-75b288015ac9/go.mod h1:LzIPMQfyMNhhGPhUkYOs5KpL4U8rLKemX1yGLhDgUto=
 golang.org/x/exp v0.0.0-20190121172915-509febef88a4/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190125153040-c74c464bbbf2/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
 golang.org/x/exp v0.0.0-20190306152737-a1d7652674e8/go.mod h1:CJ0aWSM057203Lf6IL+f9T1iT9GByDxfZKAQTCR3kQA=
@@ -456,8 +481,9 @@ golang.org/x/net v0.0.0-20190827160401-ba9fcec4b297/go.mod h1:z5CRVTTTmAJ677TzLL
 golang.org/x/net v0.0.0-20191004110552-13f9640d40b9/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553 h1:efeOvDhwQ29Dj3SdAV/MJf8oukgn+8D8WgaCaRMchF8=
 golang.org/x/net v0.0.0-20191209160850-c0dbc17a3553/go.mod h1:z5CRVTTTmAJ677TzLLGU+0bjPO0LkuOLi4/5GtJWs/s=
-golang.org/x/net v0.0.0-20200602114024-627f9648deb9 h1:pNX+40auqi2JqRfOP1akLGtYcn15TUbkhwuCO3foqqM=
-golang.org/x/net v0.0.0-20200602114024-627f9648deb9/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7/go.mod h1:qpuaurCH72eLCgpAm/N6yyVIVM9cpaDIP3A8BGJEC5A=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344 h1:vGXIOMxbNfDTk/aXCmfdLgkrSV+Z2tcbze+pEc3v5W4=
+golang.org/x/net v0.0.0-20200625001655-4c5254603344/go.mod h1:/O7V0waA8r7cgGh81Ro3o1hOxt32SMVPicZroKQ2sZA=
 golang.org/x/oauth2 v0.0.0-20180821212333-d2e6202438be/go.mod h1:N/0e6XlmueqKjAGxoOufVs8QHGRruUQn6yWY3a++T0U=
 golang.org/x/oauth2 v0.0.0-20190226205417-e64efc72b421/go.mod h1:gOpvHmFTYa4IltrdGE7lF6nIHvwfUNPOp7c8zoXwtLw=
 golang.org/x/oauth2 v0.0.0-20190604053449-0f29369cfe45 h1:SVwTIAaPC2U/AvvLNZ2a7OVsmBpC8L5BlwK1whH3hm0=
@@ -487,16 +513,24 @@ golang.org/x/sys v0.0.0-20190606165138-5da285871e9c/go.mod h1:h1NjWce9XRLGQEsW7w
 golang.org/x/sys v0.0.0-20190616124812-15dcb6c0061f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190624142023-c5567b49c5d0/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190826190057-c7b8b68b1456/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20190904154756-749cb33beabd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20190922100055-0a153f010e69/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191005200804-aed5e4c7ecf9/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20191120155948-bd437916bb0e/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20191220220014-0732a990476f h1:72l8qCJ1nGxMGH26QVBVIxKd/D34cfGt0OvrPtpemyY=
 golang.org/x/sys v0.0.0-20191220220014-0732a990476f/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd h1:xhmwyvizuTgC2qz7ZlMluP20uW+C3Rm0FD/WLDX8884=
 golang.org/x/sys v0.0.0-20200323222414-85ca7c5b95cd/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200519105757-fe76b779f299/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
+golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae h1:Ih9Yo4hSPImZOpfGuA4bR/ORKTAbhZo2AbWNRCnevdo=
+golang.org/x/sys v0.0.0-20200625212154-ddb9806d33ae/go.mod h1:h1NjWce9XRLGQEsW7wpKNCjG9DtNlClVuFLEZdDNbEs=
 golang.org/x/text v0.0.0-20160726164857-2910a502d2bf/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.0/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.1-0.20180807135948-17ff2d5776d2/go.mod h1:NqM8EUOU14njkJ3fqMW+pc6Ldnwhi/IjpwHt7yyuwOQ=
 golang.org/x/text v0.3.2 h1:tW2bmiBqwgJj/UpqtC8EpXEZVYOwU0yG4iWbprSVAcs=
 golang.org/x/text v0.3.2/go.mod h1:bEr9sfX3Q8Zfm5fL9x+3itogRgK3+ptLWKqgva+5dAk=
+golang.org/x/text v0.3.3 h1:cokOdA+Jmi5PJGXLlLllQSgYigAEfHXJAERHVMaCc2k=
+golang.org/x/text v0.3.3/go.mod h1:5Zoc/QRtKVWzQhOtBMvqHzDpF6irO9z98xDceosuGiQ=
 golang.org/x/time v0.0.0-20180412165947-fbb02b2291d2/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20181108054448-85acf8d2951c/go.mod h1:tRJNPiyCQ0inRvYxbN9jk5I+vvW/OXSQhTDSoE431IQ=
 golang.org/x/time v0.0.0-20190308202827-9d24e82272b4 h1:SvFZT6jyqRaOeXpc5h/JSfZenJ2O330aBsf7JfSUXmQ=
@@ -526,6 +560,8 @@ golang.org/x/tools v0.0.0-20190911174233-4f2ddba30aff/go.mod h1:b+2E5dAYhXwXZwtn
 golang.org/x/tools v0.0.0-20190920225731-5eefd052ad72/go.mod h1:b+2E5dAYhXwXZwtnZ6UAqBI28+e2cm9otk0dWdXHAEo=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7 h1:9zdDQZ7Thm29KFXgAX/+yaf3eVbP7djjWp/dXAppNCc=
 golang.org/x/xerrors v0.0.0-20190717185122-a985d3407aa7/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543 h1:E7g+9GITq07hpfrRu66IVDexMakfv52eLZ2CXBWiKr4=
+golang.org/x/xerrors v0.0.0-20191204190536-9bdfabe68543/go.mod h1:I/5z698sn9Ka8TeJc9MKroUUfqBBauWjQqLJ2OPfmY0=
 gomodules.xyz/jsonpatch/v2 v2.0.1 h1:xyiBuvkD2g5n7cYzx6u2sxQvsAy4QJsZFCzGVdzOXZ0=
 gomodules.xyz/jsonpatch/v2 v2.0.1/go.mod h1:IhYNNY4jnS53ZnfE4PAmpKtDpTCj1JFXc+3mwe7XcUU=
 gonum.org/v1/gonum v0.0.0-20190331200053-3d26580ed485/go.mod h1:2ltnJ7xHfj0zHS40VVPYEAAMTa3ZGguvHGBSJeRWqE0=
@@ -550,6 +586,8 @@ google.golang.org/genproto v0.0.0-20190819201941-24fa4b261c55/go.mod h1:DMBHOl98
 google.golang.org/genproto v0.0.0-20190911173649-1774047e7e51/go.mod h1:IbNlFCBrqXvoKpeg0TB2l7cyZUmoaFKYIwrEpbDKLA8=
 google.golang.org/genproto v0.0.0-20191220175831-5c49e3ecc1c1 h1:PlscBL5CvF+v1mNR82G+i4kACGq2JQvKDnNq7LSS65o=
 google.golang.org/genproto v0.0.0-20191220175831-5c49e3ecc1c1/go.mod h1:n3cpQtvxv34hfy77yVDNjmbRyujviMdxYliBSkLhpCc=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013 h1:+kGHl1aib/qcwaRi1CbqBZ1rk19r85MNUf8HaBghugY=
+google.golang.org/genproto v0.0.0-20200526211855-cb27e3aa2013/go.mod h1:NbSheEEYHJ7i3ixzK3sjbqSGDJWnxyFXZblF3eUsNvo=
 google.golang.org/grpc v1.14.0/go.mod h1:yo6s7OP7yaDglbqo1J04qKzAhqBH6lvTonzMVmEdcZw=
 google.golang.org/grpc v1.19.0/go.mod h1:mqu4LbDTu4XGKhr4mRzUsmM4RtVoemTSY81AxZiDr8c=
 google.golang.org/grpc v1.20.1/go.mod h1:10oTOabMzJvdu6/UiuZezV6QK5dSlG84ov/aaiqXj38=
@@ -558,6 +596,19 @@ google.golang.org/grpc v1.23.0/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyac
 google.golang.org/grpc v1.23.1/go.mod h1:Y5yQAOtifL1yxbo5wqy6BxZv8vAUGQwXBOALyacEbxg=
 google.golang.org/grpc v1.26.0 h1:2dTRdpdFEEhJYQD8EMLB61nnrzSCTbG38PhqdhvOltg=
 google.golang.org/grpc v1.26.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/grpc v1.27.0 h1:rRYRFMVgRv6E0D70Skyfsr28tDXIuuPZyWGMPdMcnXg=
+google.golang.org/grpc v1.27.0/go.mod h1:qbnxyOmOxrQa7FizSgH+ReBfzJrCY1pSN7KXBS8abTk=
+google.golang.org/protobuf v0.0.0-20200109180630-ec00e32a8dfd/go.mod h1:DFci5gLYBciE7Vtevhsrf46CRTquxDuWsQurQQe4oz8=
+google.golang.org/protobuf v0.0.0-20200221191635-4d8936d0db64/go.mod h1:kwYJMbMJ01Woi6D6+Kah6886xMZcty6N08ah7+eCXa0=
+google.golang.org/protobuf v0.0.0-20200228230310-ab0ca4ff8a60/go.mod h1:cfTl7dwQJ+fmap5saPgwCLgHXTUD7jkjRqWcaiX5VyM=
+google.golang.org/protobuf v1.20.1-0.20200309200217-e05f789c0967/go.mod h1:A+miEFZTKqfCUM6K7xSMQL9OKL/b6hQv+e19PK+JZNE=
+google.golang.org/protobuf v1.21.0/go.mod h1:47Nbq4nVaFHyn7ilMalzfO3qCViNmqZ2kzikPIcrTAo=
+google.golang.org/protobuf v1.22.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.0 h1:4MY060fB1DLGMB/7MBTLnwQUY6+F09GEiz6SsrNqyzM=
+google.golang.org/protobuf v1.23.0/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.23.1-0.20200526195155-81db48ad09cc/go.mod h1:EGpADcykh3NcUnDUJcl1+ZksZNG86OlYog2l/sGQquU=
+google.golang.org/protobuf v1.25.0 h1:Ejskq+SyPohKW+1uil0JJMtmHCgJPJ/qWTxr8qp+R4c=
+google.golang.org/protobuf v1.25.0/go.mod h1:9JNX74DMeImyA3h4bdi1ymwjUzf21/xIlbajtzgsN7c=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6 h1:jMFz6MfLP0/4fUyZle81rXUoxOBFi19VUFKVDOQfozc=
 gopkg.in/alecthomas/kingpin.v2 v2.2.6/go.mod h1:FMv+mEhP44yOT+4EoQTLFTRgOQ1FBLkstjWtayDeSgw=
 gopkg.in/check.v1 v0.0.0-20161208181325-20d25e280405/go.mod h1:Co6ibVJAznAaIkqp8huTwlJQCZ016jof/cbN4VW5Yz0=
@@ -582,6 +633,8 @@ gopkg.in/yaml.v2 v2.2.4/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.7/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gopkg.in/yaml.v2 v2.2.8 h1:obN1ZagJSUGI0Ek/LBmuj4SNLPfIny3KsKFopxRdj10=
 gopkg.in/yaml.v2 v2.2.8/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
+gopkg.in/yaml.v2 v2.3.0 h1:clyUAQHOM3G0M3f5vQj7LuJrETvjVot3Z5el9nffUtU=
+gopkg.in/yaml.v2 v2.3.0/go.mod h1:hI93XBmqTisBFMUTm0b8Fm+jr3Dg1NNxqwp+5A1VGuI=
 gotest.tools v2.2.0+incompatible/go.mod h1:DsYFclhRJ6vuDpmuTbkuFWG+y2sxOXAzmJt81HFBacw=
 honnef.co/go/tools v0.0.0-20190102054323-c2f93a96b099/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
 honnef.co/go/tools v0.0.0-20190106161140-3f1c8253044a/go.mod h1:rf3lG4BRIbNafJWhAfAdb/ePZxsR/4RtNHQocxwk9r4=
--- a/hack/build-image/Dockerfile
+++ b/hack/build-image/Dockerfile
@@ -24,6 +24,13 @@ WORKDIR /go/src/k8s.io
 RUN git config --global advice.detachedHead false
 RUN git clone -b kubernetes-1.17.0 https://github.com/kubernetes/code-generator

+RUN wget --quiet https://github.com/kubernetes-sigs/kubebuilder/releases/download/v2.3.1/kubebuilder_2.3.1_linux_amd64.tar.gz && \
+    tar -zxvf kubebuilder_2.3.1_linux_amd64.tar.gz && \
+    mv kubebuilder_2.3.1_linux_amd64 /usr/local/kubebuilder && \
+    chmod +x /usr/local/kubebuilder && \
+    export PATH=$PATH:/usr/local/kubebuilder/bin && \
+    rm kubebuilder_2.3.1_linux_amd64.tar.gz
+
 # get controller-tools
 RUN go get sigs.k8s.io/controller-tools/cmd/controller-gen@v0.2.4

--- a/internal/velero/storagelocation.go
+++ b/internal/velero/storagelocation.go
@@ -0,0 +1,132 @@
+/*
+Copyright 2020 the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package velero
+
+import (
+	"context"
+	"errors"
+	"time"
+
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/vmware-tanzu/velero/pkg/persistence"
+
+	"github.com/sirupsen/logrus"
+
+	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
+	"github.com/vmware-tanzu/velero/pkg/plugin/clientmgmt"
+)
+
+// StorageLocation holds information for connecting with storage
+// for a backup storage location.
+type StorageLocation struct {
+	Client client.Client
+	Ctx    context.Context
+
+	DefaultStorageLocation          string
+	DefaultStoreValidationFrequency time.Duration
+
+	// use variables to refer to these functions so they can be
+	// replaced with fakes for testing.
+	NewPluginManager func(logrus.FieldLogger) clientmgmt.Manager
+	NewBackupStore   func(*velerov1api.BackupStorageLocation, persistence.ObjectStoreGetter, logrus.FieldLogger) (persistence.BackupStore, error)
+}
+
+// IsReadyToValidate calculates if a given backup storage location is ready to be validated.
+//
+// Rules:
+// Users can choose a validation frequency per location. This will overrite the server's default value
+// To skip/stop validation, set the frequency to zero
+// This will always return "true" for the first attempt at validating a location, regardless of its validation frequency setting
+// Otherwise, it returns "ready" only when NOW is equal to or after the next validation time
+// (next validation time: last validation time + validation frequency)
+func (p *StorageLocation) IsReadyToValidate(location *velerov1api.BackupStorageLocation, log logrus.FieldLogger) bool {
+	validationFrequency := p.DefaultStoreValidationFrequency
+	// If the bsl validation frequency is not specifically set, skip this block and continue, using the server's default
+	if location.Spec.ValidationFrequency != nil {
+		validationFrequency = location.Spec.ValidationFrequency.Duration
+	}
+
+	if validationFrequency == 0 {
+		log.Debug("Validation period for this backup location is set to 0, skipping validation")
+		return false
+	}
+
+	if validationFrequency < 0 {
+		log.Debugf("Validation period must be non-negative, changing from %d to %d", validationFrequency, p.DefaultStoreValidationFrequency)
+		validationFrequency = p.DefaultStoreValidationFrequency
+	}
+
+	lastValidation := location.Status.LastValidationTime
+	if lastValidation != nil { // always ready to validate the first time around, so only even do this check if this has happened before
+		nextValidation := lastValidation.Add(validationFrequency) // next validation time: last validation time + validation frequency
+		if time.Now().UTC().Before(nextValidation) {              // ready only when NOW is equal to or after the next validation time
+			return false
+		}
+	}
+
+	return true
+}
+
+// IsValidFor verifies if a storage is valid for a given backup storage location.
+func (p *StorageLocation) IsValid(location *velerov1api.BackupStorageLocation, log logrus.FieldLogger) error {
+	pluginManager := p.NewPluginManager(log)
+	defer pluginManager.CleanupClients()
+
+	backupStore, err := p.NewBackupStore(location, pluginManager, log)
+	if err != nil {
+		return err
+	}
+
+	if err := backupStore.IsValid(); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// PatchStatus patches the status.phase field as well as the status.lastValidationTime to the current time
+func (p *StorageLocation) PatchStatus(location *velerov1api.BackupStorageLocation, phase velerov1api.BackupStorageLocationPhase) error {
+	statusPatch := client.MergeFrom(location.DeepCopyObject())
+	location.Status.Phase = phase
+	location.Status.LastValidationTime = &metav1.Time{Time: time.Now().UTC()}
+	if err := p.Client.Status().Patch(p.Ctx, location, statusPatch); err != nil {
+		return err
+	}
+
+	return nil
+}
+
+// ListBackupStorageLocations verifies if there are any backup storage locations.
+// For all purposes, if either there is an error while attempting to fetch items or
+// if there are no items an error would be returned since the functioning of the system
+// would be haulted.
+func ListBackupStorageLocations(kbClient client.Client, ctx context.Context, namespace string) (velerov1api.BackupStorageLocationList, error) {
+	var locations velerov1api.BackupStorageLocationList
+	if err := kbClient.List(ctx, &locations, &client.ListOptions{
+		Namespace: namespace,
+	}); err != nil {
+		return velerov1api.BackupStorageLocationList{}, err
+	}
+
+	if len(locations.Items) == 0 {
+		return velerov1api.BackupStorageLocationList{}, errors.New("no backup storage locations found")
+	}
+
+	return locations, nil
+}
--- a/internal/velero/storagelocation_test.go
+++ b/internal/velero/storagelocation_test.go
@@ -0,0 +1,261 @@
+/*Copyright 2020 the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package velero
+
+import (
+	"context"
+	"errors"
+	"testing"
+	"time"
+
+	. "github.com/onsi/gomega"
+	"github.com/sirupsen/logrus"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
+	"github.com/vmware-tanzu/velero/pkg/builder"
+	"github.com/vmware-tanzu/velero/pkg/generated/clientset/versioned/scheme"
+	"github.com/vmware-tanzu/velero/pkg/persistence"
+	persistencemocks "github.com/vmware-tanzu/velero/pkg/persistence/mocks"
+	"github.com/vmware-tanzu/velero/pkg/plugin/clientmgmt"
+	pluginmocks "github.com/vmware-tanzu/velero/pkg/plugin/mocks"
+	velerotest "github.com/vmware-tanzu/velero/pkg/test"
+)
+
+func TestIsReadyToValidate(t *testing.T) {
+	tests := []struct {
+		name                             string
+		serverDefaultValidationFrequency time.Duration
+		backupLocation                   *velerov1api.BackupStorageLocation
+		ready                            bool
+	}{
+		{
+			name:                             "don't validate, since frequency is set to zero",
+			serverDefaultValidationFrequency: 0,
+			backupLocation:                   builder.ForBackupStorageLocation("ns-1", "location-2").ValidationFrequency(0).Result(),
+			ready:                            false,
+		},
+		{
+			name:                             "validate as per location setting, as that takes precedence, and always if it has never been validated before regardless of the frequency setting",
+			serverDefaultValidationFrequency: 0,
+			backupLocation:                   builder.ForBackupStorageLocation("ns-1", "location-1").ValidationFrequency(1 * time.Hour).Result(),
+			ready:                            true,
+		},
+		{
+			name:                             "don't validate as per location setting, as it is set to zero and that takes precedence",
+			serverDefaultValidationFrequency: 1,
+			backupLocation:                   builder.ForBackupStorageLocation("ns-1", "location-1").ValidationFrequency(0).Result(),
+			ready:                            false,
+		},
+		{
+			name:                             "validate as per default setting when location setting is not set",
+			serverDefaultValidationFrequency: 1,
+			backupLocation:                   builder.ForBackupStorageLocation("ns-1", "location-2").Result(),
+			ready:                            true,
+		},
+		{
+			name:                             "don't validate when default setting is set to zero and the location setting is not set",
+			serverDefaultValidationFrequency: 0,
+			backupLocation:                   builder.ForBackupStorageLocation("ns-1", "location-2").Result(),
+			ready:                            false,
+		},
+		{
+			name:                             "don't validate when now is before the NEXT validation time (validation frequency + last validation time)",
+			serverDefaultValidationFrequency: 0,
+			backupLocation:                   builder.ForBackupStorageLocation("ns-1", "location-1").ValidationFrequency(1 * time.Second).LastValidationTime(time.Now()).Result(),
+			ready:                            false,
+		},
+		{
+			name:                             "validate when now is equal to the NEXT validation time (validation frequency + last validation time)",
+			serverDefaultValidationFrequency: 0,
+			backupLocation:                   builder.ForBackupStorageLocation("ns-1", "location-2").ValidationFrequency(1 * time.Second).LastValidationTime(time.Now().Add(-1 * time.Second)).Result(),
+			ready:                            true,
+		},
+		{
+			name:                             "validate when now is after the NEXT validation time (validation frequency + last validation time)",
+			serverDefaultValidationFrequency: 0,
+			backupLocation:                   builder.ForBackupStorageLocation("ns-1", "location-2").ValidationFrequency(1 * time.Second).LastValidationTime(time.Now().Add(-2 * time.Second)).Result(),
+			ready:                            true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			storageLocationInfo := StorageLocation{
+				DefaultStoreValidationFrequency: tt.serverDefaultValidationFrequency,
+			}
+
+			g.Expect(storageLocationInfo.IsReadyToValidate(tt.backupLocation, velerotest.NewLogger())).To(BeIdenticalTo(tt.ready))
+		})
+	}
+}
+
+func TestIsValid(t *testing.T) {
+	tests := []struct {
+		name           string
+		backupLocation *velerov1api.BackupStorageLocation
+		isValidError   error
+		expectError    bool
+	}{
+		{
+			name:           "do not expect an error when store is valid",
+			backupLocation: builder.ForBackupStorageLocation("ns-1", "location-1").Result(),
+			isValidError:   nil,
+			expectError:    false,
+		},
+		{
+			name:           "expect an error when store is not valid",
+			backupLocation: builder.ForBackupStorageLocation("ns-1", "location-1").Result(),
+			isValidError:   errors.New("an error"),
+			expectError:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			var (
+				pluginManager = &pluginmocks.Manager{}
+				backupStores  = make(map[string]*persistencemocks.BackupStore)
+			)
+			pluginManager.On("CleanupClients").Return(nil)
+
+			location := tt.backupLocation
+			backupStores[location.Name] = &persistencemocks.BackupStore{}
+			backupStore := backupStores[location.Name]
+			backupStore.On("IsValid").Return(tt.isValidError)
+
+			storageLocationInfo := StorageLocation{
+				NewPluginManager: func(logrus.FieldLogger) clientmgmt.Manager { return pluginManager },
+				NewBackupStore: func(loc *velerov1api.BackupStorageLocation, _ persistence.ObjectStoreGetter, _ logrus.FieldLogger) (persistence.BackupStore, error) {
+					return backupStores[loc.Name], nil
+				},
+			}
+
+			actual := storageLocationInfo.IsValid(tt.backupLocation, velerotest.NewLogger())
+			if tt.expectError {
+				g.Expect(actual).NotTo(BeNil())
+			} else {
+				g.Expect(actual).To(BeNil())
+			}
+		})
+	}
+}
+
+func TestPatchStatus(t *testing.T) {
+	tests := []struct {
+		name           string
+		backupLocation *velerov1api.BackupStorageLocation
+		newPhase       velerov1api.BackupStorageLocationPhase
+		expectError    bool
+	}{
+		{
+			name:           "an update to the same phase should succeed",
+			backupLocation: builder.ForBackupStorageLocation("ns-1", "location-1").Phase(velerov1api.BackupStorageLocationPhaseAvailable).Result(),
+			newPhase:       velerov1api.BackupStorageLocationPhaseAvailable,
+			expectError:    false,
+		},
+		{
+			name:           "an update to a different phase should succeed",
+			backupLocation: builder.ForBackupStorageLocation("ns-1", "location-1").Phase(velerov1api.BackupStorageLocationPhaseAvailable).Result(),
+			newPhase:       velerov1api.BackupStorageLocationPhaseUnavailable,
+			expectError:    false,
+		},
+		{
+			name:           "an update to a location that doesn't exist should fail (see actual test)",
+			backupLocation: builder.ForBackupStorageLocation("ns-1", "location-1").Phase(velerov1api.BackupStorageLocationPhaseAvailable).Result(),
+			newPhase:       velerov1api.BackupStorageLocationPhaseUnavailable,
+			expectError:    true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			storageLocationInfo := StorageLocation{
+				Client: fake.NewFakeClientWithScheme(scheme.Scheme, tt.backupLocation),
+			}
+
+			if tt.expectError {
+				backupLocation := builder.ForBackupStorageLocation("ns-1", "location-2").Phase(velerov1api.BackupStorageLocationPhaseAvailable).Result()
+				// an update to a location that was never created will fail:
+				g.Expect(storageLocationInfo.PatchStatus(backupLocation, tt.newPhase)).NotTo(BeNil())
+			} else {
+				g.Expect(storageLocationInfo.PatchStatus(tt.backupLocation, tt.newPhase)).To(BeNil())
+
+				key := client.ObjectKey{Name: tt.backupLocation.Name, Namespace: tt.backupLocation.Namespace}
+				instance := &velerov1api.BackupStorageLocation{}
+				err := storageLocationInfo.Client.Get(context.Background(), key, instance)
+				g.Expect(err).To(BeNil())
+				g.Expect(instance.Status.Phase).To(BeIdenticalTo(tt.newPhase))
+			}
+		})
+	}
+}
+
+func TestListBackupStorageLocations(t *testing.T) {
+	tests := []struct {
+		name            string
+		backupLocations *velerov1api.BackupStorageLocationList
+		expectError     bool
+	}{
+		{
+			name: "1 existing location",
+			backupLocations: &velerov1api.BackupStorageLocationList{
+				Items: []velerov1api.BackupStorageLocation{
+					*builder.ForBackupStorageLocation("ns-1", "location-1").Result(),
+				},
+			},
+			expectError: false,
+		},
+		{
+			name: "multiple existing location",
+			backupLocations: &velerov1api.BackupStorageLocationList{
+				Items: []velerov1api.BackupStorageLocation{
+					*builder.ForBackupStorageLocation("ns-1", "location-1").Result(),
+					*builder.ForBackupStorageLocation("ns-1", "location-2").Result(),
+					*builder.ForBackupStorageLocation("ns-1", "location-3").Result(),
+				},
+			},
+			expectError: false,
+		},
+		{
+			name:            "no existing locations",
+			backupLocations: &velerov1api.BackupStorageLocationList{},
+			expectError:     true,
+		},
+	}
+
+	for _, tt := range tests {
+		t.Run(tt.name, func(t *testing.T) {
+			g := NewWithT(t)
+
+			client := fake.NewFakeClientWithScheme(scheme.Scheme, tt.backupLocations)
+			if tt.expectError {
+				_, err := ListBackupStorageLocations(client, context.Background(), "ns-1")
+				g.Expect(err).NotTo(BeNil())
+			} else {
+				_, err := ListBackupStorageLocations(client, context.Background(), "ns-1")
+				g.Expect(err).To(BeNil())
+			}
+		})
+	}
+}
--- a/pkg/apis/velero/v1/backupstoragelocation_types.go
+++ b/pkg/apis/velero/v1/backupstoragelocation_types.go
@@ -40,6 +40,11 @@ type BackupStorageLocationSpec struct {
 	// +optional
 	// +nullable
 	BackupSyncPeriod *metav1.Duration `json:"backupSyncPeriod,omitempty"`
+
+	// ValidationFrequency defines how frequently to validate the corresponding object storage. A value of 0 disables validation.
+	// +optional
+	// +nullable
+	ValidationFrequency *metav1.Duration `json:"validationFrequency,omitempty"`
 }

 // BackupStorageLocationStatus defines the observed state of BackupStorageLocation
@@ -54,6 +59,12 @@ type BackupStorageLocationStatus struct {
 	// +nullable
 	LastSyncedTime *metav1.Time `json:"lastSyncedTime,omitempty"`

+	// LastValidationTime is the last time the backup store location was validated
+	// the cluster.
+	// +optional
+	// +nullable
+	LastValidationTime *metav1.Time `json:"lastValidationTime,omitempty"`
+
 	// LastSyncedRevision is the value of the `metadata/revision` file in the backup
 	// storage location the last time the BSL's contents were synced into the cluster.
 	//
@@ -79,6 +90,7 @@ type BackupStorageLocationStatus struct {
 // +kubebuilder:storageversion
 // +kubebuilder:subresource:status
 // +kubebuilder:printcolumn:name="Phase",type="string",JSONPath=".status.phase",description="Backup Storage Location status such as Available/Unavailable"
+// +kubebuilder:printcolumn:name="Last Validated",type="date",JSONPath=".status.lastValidationTime",description="LastValidationTime is the last time the backup store location was validated"
 // +kubebuilder:printcolumn:name="Age",type="date",JSONPath=".metadata.creationTimestamp"

 // BackupStorageLocation is a location where Velero stores backup objects
@@ -94,6 +106,8 @@ type BackupStorageLocation struct {
 // the k8s:deepcopy marker will no longer be needed and should be removed.
 // +k8s:deepcopy-gen:interfaces=k8s.io/apimachinery/pkg/runtime.Object
 // +kubebuilder:object:root=true
+// +kubebuilder:rbac:groups=velero.io,resources=backupstoragelocations,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=velero.io,resources=backupstoragelocations/status,verbs=get;update;patch

 // BackupStorageLocationList contains a list of BackupStorageLocation
 type BackupStorageLocationList struct {
@@ -124,6 +138,7 @@ type ObjectStorageLocation struct {

 // BackupStorageLocationPhase is the lifecycle phase of a Velero BackupStorageLocation.
 // +kubebuilder:validation:Enum=Available;Unavailable
+// +kubebuilder:default=Unavailable
 type BackupStorageLocationPhase string

 const (
--- a/pkg/apis/velero/v1/zz_generated.deepcopy.go
+++ b/pkg/apis/velero/v1/zz_generated.deepcopy.go
@@ -379,6 +379,11 @@ func (in *BackupStorageLocationSpec) DeepCopyInto(out *BackupStorageLocationSpec
 		*out = new(metav1.Duration)
 		**out = **in
 	}
+	if in.ValidationFrequency != nil {
+		in, out := &in.ValidationFrequency, &out.ValidationFrequency
+		*out = new(metav1.Duration)
+		**out = **in
+	}
 	return
 }

@@ -399,6 +404,10 @@ func (in *BackupStorageLocationStatus) DeepCopyInto(out *BackupStorageLocationSt
 		in, out := &in.LastSyncedTime, &out.LastSyncedTime
 		*out = (*in).DeepCopy()
 	}
+	if in.LastValidationTime != nil {
+		in, out := &in.LastValidationTime, &out.LastValidationTime
+		*out = (*in).DeepCopy()
+	}
 	return
 }

--- a/pkg/builder/backup_storage_location_builder.go
+++ b/pkg/builder/backup_storage_location_builder.go
@@ -17,6 +17,8 @@ limitations under the License.
 package builder

 import (
+	"time"
+
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"

 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
@@ -86,3 +88,21 @@ func (b *BackupStorageLocationBuilder) AccessMode(accessMode velerov1api.BackupS
 	b.object.Spec.AccessMode = accessMode
 	return b
 }
+
+// ValidationFrequency sets the BackupStorageLocation's validation frequency.
+func (b *BackupStorageLocationBuilder) ValidationFrequency(frequency time.Duration) *BackupStorageLocationBuilder {
+	b.object.Spec.ValidationFrequency = &metav1.Duration{Duration: frequency}
+	return b
+}
+
+// LastValidationTime sets the BackupStorageLocation's last validated time.
+func (b *BackupStorageLocationBuilder) LastValidationTime(lastValidated time.Time) *BackupStorageLocationBuilder {
+	b.object.Status.LastValidationTime = &metav1.Time{Time: lastValidated}
+	return b
+}
+
+// Phase sets the BackupStorageLocation's status phase.
+func (b *BackupStorageLocationBuilder) Phase(phase velerov1api.BackupStorageLocationPhase) *BackupStorageLocationBuilder {
+	b.object.Status.Phase = phase
+	return b
+}
--- a/pkg/cmd/cli/backuplocation/create.go
+++ b/pkg/cmd/cli/backuplocation/create.go
@@ -58,14 +58,14 @@ func NewCreateCommand(f client.Factory, use string) *cobra.Command {
 }

 type CreateOptions struct {
-	Name             string
-	Provider         string
-	Bucket           string
-	Prefix           string
-	BackupSyncPeriod time.Duration
-	Config           flag.Map
-	Labels           flag.Map
-	AccessMode       *flag.Enum
+	Name                                  string
+	Provider                              string
+	Bucket                                string
+	Prefix                                string
+	BackupSyncPeriod, ValidationFrequency time.Duration
+	Config                                flag.Map
+	Labels                                flag.Map
+	AccessMode                            *flag.Enum
 }

 func NewCreateOptions() *CreateOptions {
@@ -83,7 +83,8 @@ func (o *CreateOptions) BindFlags(flags *pflag.FlagSet) {
 	flags.StringVar(&o.Provider, "provider", o.Provider, "name of the backup storage provider (e.g. aws, azure, gcp)")
 	flags.StringVar(&o.Bucket, "bucket", o.Bucket, "name of the object storage bucket where backups should be stored")
 	flags.StringVar(&o.Prefix, "prefix", o.Prefix, "prefix under which all Velero data should be stored within the bucket. Optional.")
-	flags.DurationVar(&o.BackupSyncPeriod, "backup-sync-period", o.BackupSyncPeriod, "how often to ensure all Velero backups in object storage exist as Backup API objects in the cluster. Optional. Set this to `0s` to disable sync")
+	flags.DurationVar(&o.BackupSyncPeriod, "backup-sync-period", o.BackupSyncPeriod, "how often to ensure all Velero backups in object storage exist as Backup API objects in the cluster. Optional. Set this to `0s` to disable sync. Default: 1 minute.")
+	flags.DurationVar(&o.ValidationFrequency, "validation-frequency", o.ValidationFrequency, "how often to verify if the backup storage location is valid. Optional. Set this to `0s` to disable sync. Default 1 minute.")
 	flags.Var(&o.Config, "config", "configuration key-value pairs")
 	flags.Var(&o.Labels, "labels", "labels to apply to the backup storage location")
 	flags.Var(
@@ -119,12 +120,16 @@ func (o *CreateOptions) Complete(args []string, f client.Factory) error {
 }

 func (o *CreateOptions) Run(c *cobra.Command, f client.Factory) error {
-	var backupSyncPeriod *metav1.Duration
+	var backupSyncPeriod, validationFrequency *metav1.Duration

 	if c.Flags().Changed("backup-sync-period") {
 		backupSyncPeriod = &metav1.Duration{Duration: o.BackupSyncPeriod}
 	}

+	if c.Flags().Changed("validation-frequency") {
+		validationFrequency = &metav1.Duration{Duration: o.ValidationFrequency}
+	}
+
 	backupStorageLocation := &velerov1api.BackupStorageLocation{
 		ObjectMeta: metav1.ObjectMeta{
 			Namespace: f.Namespace(),
@@ -139,9 +144,10 @@ func (o *CreateOptions) Run(c *cobra.Command, f client.Factory) error {
 					Prefix: o.Prefix,
 				},
 			},
-			Config:           o.Config.Data(),
-			AccessMode:       velerov1api.BackupStorageLocationAccessMode(o.AccessMode.String()),
-			BackupSyncPeriod: backupSyncPeriod,
+			Config:              o.Config.Data(),
+			AccessMode:          velerov1api.BackupStorageLocationAccessMode(o.AccessMode.String()),
+			BackupSyncPeriod:    backupSyncPeriod,
+			ValidationFrequency: validationFrequency,
 		},
 	}

--- a/pkg/cmd/server/server.go
+++ b/pkg/cmd/server/server.go
@@ -49,7 +49,6 @@ import (
 	snapshotv1beta1informers "github.com/kubernetes-csi/external-snapshotter/v2/pkg/client/informers/externalversions"
 	snapshotv1beta1listers "github.com/kubernetes-csi/external-snapshotter/v2/pkg/client/listers/volumesnapshot/v1beta1"

-	api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	"github.com/vmware-tanzu/velero/pkg/backup"
 	"github.com/vmware-tanzu/velero/pkg/buildinfo"
 	"github.com/vmware-tanzu/velero/pkg/client"
@@ -72,10 +71,10 @@ import (

 	ctrl "sigs.k8s.io/controller-runtime"

-	kbclient "sigs.k8s.io/controller-runtime/pkg/client"
 	"sigs.k8s.io/controller-runtime/pkg/manager"

 	"github.com/vmware-tanzu/velero/internal/util/managercontroller"
+	"github.com/vmware-tanzu/velero/internal/velero"
 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 )

@@ -84,6 +83,7 @@ const (
 	defaultMetricsAddress = ":8085"

 	defaultBackupSyncPeriod           = time.Minute
+	defaultStoreValidationFrequency   = time.Minute
 	defaultPodVolumeOperationTimeout  = 240 * time.Minute
 	defaultResourceTerminatingTimeout = 10 * time.Minute

@@ -125,7 +125,7 @@ var disableControllerList = []string{
 type serverConfig struct {
 	pluginDir, metricsAddress, defaultBackupLocation                        string
 	backupSyncPeriod, podVolumeOperationTimeout, resourceTerminatingTimeout time.Duration
-	defaultBackupTTL                                                        time.Duration
+	defaultBackupTTL, storeValidationFrequency                              time.Duration
 	restoreResourcePriorities                                               []string
 	defaultVolumeSnapshotLocations                                          map[string]string
 	restoreOnly                                                             bool
@@ -154,6 +154,7 @@ func NewCommand(f client.Factory) *cobra.Command {
 			defaultVolumeSnapshotLocations:    make(map[string]string),
 			backupSyncPeriod:                  defaultBackupSyncPeriod,
 			defaultBackupTTL:                  defaultBackupTTL,
+			storeValidationFrequency:          defaultStoreValidationFrequency,
 			podVolumeOperationTimeout:         defaultPodVolumeOperationTimeout,
 			restoreResourcePriorities:         defaultRestorePriorities,
 			clientQPS:                         defaultClientQPS,
@@ -217,6 +218,7 @@ func NewCommand(f client.Factory) *cobra.Command {
 	command.Flags().StringSliceVar(&config.disabledControllers, "disable-controllers", config.disabledControllers, fmt.Sprintf("list of controllers to disable on startup. Valid values are %s", strings.Join(disableControllerList, ",")))
 	command.Flags().StringSliceVar(&config.restoreResourcePriorities, "restore-resource-priorities", config.restoreResourcePriorities, "desired order of resource restores; any resource not in the list will be restored alphabetically after the prioritized resources")
 	command.Flags().StringVar(&config.defaultBackupLocation, "default-backup-storage-location", config.defaultBackupLocation, "name of the default backup storage location")
+	command.Flags().DurationVar(&config.storeValidationFrequency, "store-validation-frequency", config.storeValidationFrequency, "how often to verify if the storage is valid. Optional. Set this to `0s` to disable sync. Default 1 minute.")
 	command.Flags().Var(&volumeSnapshotLocations, "default-volume-snapshot-locations", "list of unique volume providers and default volume snapshot location (provider1:location-01,provider2:location-02,...)")
 	command.Flags().Float32Var(&config.clientQPS, "client-qps", config.clientQPS, "maximum number of requests per second by the server to the Kubernetes API once the burst limit has been reached")
 	command.Flags().IntVar(&config.clientBurst, "client-burst", config.clientBurst, "maximum number of requests by the server to the Kubernetes API in a short period of time")
@@ -296,7 +298,7 @@ func newServer(f client.Factory, config serverConfig, logger *logrus.Logger) (*s
 	}

 	var csiSnapClient *snapshotv1beta1client.Clientset
-	if features.IsEnabled(api.CSIFeatureFlag) {
+	if features.IsEnabled(velerov1api.CSIFeatureFlag) {
 		csiSnapClient, err = snapshotv1beta1client.NewForConfig(clientConfig)
 		if err != nil {
 			cancelFunc()
@@ -359,21 +361,6 @@ func (s *server) run() error {
 		return err
 	}

-	if err := s.validateBackupStorageLocations(); err != nil {
-		return err
-	}
-
-	// Fetching from the server directly since at this point
-	// the cache has not yet started
-	bsl := &velerov1api.BackupStorageLocation{}
-	if err := s.mgr.GetAPIReader().Get(context.Background(), kbclient.ObjectKey{
-		Namespace: s.namespace,
-		Name:      s.config.defaultBackupLocation,
-	}, bsl); err != nil {
-		s.logger.WithError(errors.WithStack(err)).
-			Warnf("A backup storage location named %s has been specified for the server to use by default, but no corresponding backup storage location exists. Backups with a location not matching the default will need to explicitly specify an existing location", s.config.defaultBackupLocation)
-	}
-
 	if err := s.initRestic(); err != nil {
 		return err
 	}
@@ -427,14 +414,14 @@ func (s *server) veleroResourcesExist() error {

 	var veleroGroupVersion *metav1.APIResourceList
 	for _, gv := range s.discoveryHelper.Resources() {
-		if gv.GroupVersion == api.SchemeGroupVersion.String() {
+		if gv.GroupVersion == velerov1api.SchemeGroupVersion.String() {
 			veleroGroupVersion = gv
 			break
 		}
 	}

 	if veleroGroupVersion == nil {
-		return errors.Errorf("Velero API group %s not found. Apply examples/common/00-prereqs.yaml to create it.", api.SchemeGroupVersion)
+		return errors.Errorf("Velero API group %s not found. Apply examples/common/00-prereqs.yaml to create it.", velerov1api.SchemeGroupVersion)
 	}

 	foundResources := sets.NewString()
@@ -443,13 +430,13 @@ func (s *server) veleroResourcesExist() error {
 	}

 	var errs []error
-	for kind := range api.CustomResources() {
+	for kind := range velerov1api.CustomResources() {
 		if foundResources.Has(kind) {
 			s.logger.WithField("kind", kind).Debug("Found custom resource")
 			continue
 		}

-		errs = append(errs, errors.Errorf("custom resource %s not found in Velero API group %s", kind, api.SchemeGroupVersion))
+		errs = append(errs, errors.Errorf("custom resource %s not found in Velero API group %s", kind, velerov1api.SchemeGroupVersion))
 	}

 	if len(errs) > 0 {
@@ -461,43 +448,6 @@ func (s *server) veleroResourcesExist() error {
 	return nil
 }

-// validateBackupStorageLocations checks to ensure all backup storage locations exist
-// and have a compatible layout, and returns an error if not.
-func (s *server) validateBackupStorageLocations() error {
-	s.logger.Info("Checking that all backup storage locations are valid")
-
-	pluginManager := clientmgmt.NewManager(s.logger, s.logLevel, s.pluginRegistry)
-	defer pluginManager.CleanupClients()
-
-	// Fetching from the server directly since at this point
-	// the cache has not yet started
-	locations := &velerov1api.BackupStorageLocationList{}
-	if err := s.mgr.GetAPIReader().List(context.Background(), locations, &kbclient.ListOptions{
-		Namespace: s.namespace,
-	}); err != nil {
-		return errors.WithStack(err)
-	}
-
-	var invalid []string
-	for _, location := range locations.Items {
-		backupStore, err := persistence.NewObjectBackupStore(&location, pluginManager, s.logger)
-		if err != nil {
-			invalid = append(invalid, errors.Wrapf(err, "error getting backup store for location %q", location.Name).Error())
-			continue
-		}
-
-		if err := backupStore.IsValid(); err != nil {
-			invalid = append(invalid, errors.Wrapf(err, "backup store for location %q is invalid", location.Name).Error())
-		}
-	}
-
-	if len(invalid) > 0 {
-		return errors.Errorf("some backup storage locations are invalid: %s", strings.Join(invalid, "; "))
-	}
-
-	return nil
-}
-
 // - Custom Resource Definitions come before Custom Resource so that they can be
 //   restored with their corresponding CRD.
 // - Namespaces go second because all namespaced resources depend on them.
@@ -595,12 +545,12 @@ func (s *server) getCSISnapshotListers() (snapshotv1beta1listers.VolumeSnapshotL

 	// If CSI is enabled, check for the CSI groups and generate the listers
 	// If CSI isn't enabled, return empty listers.
-	if features.IsEnabled(api.CSIFeatureFlag) {
+	if features.IsEnabled(velerov1api.CSIFeatureFlag) {
 		_, err = s.discoveryClient.ServerResourcesForGroupVersion(snapshotv1beta1api.SchemeGroupVersion.String())
 		switch {
 		case apierrors.IsNotFound(err):
 			// CSI is enabled, but the required CRDs aren't installed, so halt.
-			s.logger.Fatalf("The '%s' feature flag was specified, but CSI API group [%s] was not found.", api.CSIFeatureFlag, snapshotv1beta1api.SchemeGroupVersion.String())
+			s.logger.Fatalf("The '%s' feature flag was specified, but CSI API group [%s] was not found.", velerov1api.CSIFeatureFlag, snapshotv1beta1api.SchemeGroupVersion.String())
 		case err == nil:
 			// CSI is enabled, and the resources were found.
 			// Instantiate the listers fully
@@ -901,6 +851,22 @@ func (s *server) runControllers(defaultVolumeSnapshotLocations map[string]string
 		s.logger.WithField("informer", informer).Info("Informer cache synced")
 	}

+	storageLocationInfo := velero.StorageLocation{
+		Client:                          s.mgr.GetClient(),
+		Ctx:                             s.ctx,
+		DefaultStorageLocation:          s.config.defaultBackupLocation,
+		DefaultStoreValidationFrequency: s.config.storeValidationFrequency,
+		NewPluginManager:                newPluginManager,
+		NewBackupStore:                  persistence.NewObjectBackupStore,
+	}
+	if err := (&controller.BackupStorageLocationReconciler{
+		Scheme:          s.mgr.GetScheme(),
+		StorageLocation: storageLocationInfo,
+		Log:             s.logger,
+	}).SetupWithManager(s.mgr); err != nil {
+		s.logger.Fatal(err, "unable to create controller", "controller", "BackupStorageLocation")
+	}
+
 	// TODO(2.0): presuming all controllers and resources are converted to runtime-controller
 	// by v2.0, the block from this line and including the `s.mgr.Start() will be
 	// deprecated, since the manager auto-starts all the caches. Until then, we need to start the
@@ -944,7 +910,7 @@ func NewCSIInformerFactoryWrapper(c snapshotv1beta1client.Interface) *CSIInforme
 	// This is desirable for VolumeSnapshots, as we want to query for all VolumeSnapshots across all namespaces using this informer
 	w := &CSIInformerFactoryWrapper{}

-	if features.IsEnabled(api.CSIFeatureFlag) {
+	if features.IsEnabled(velerov1api.CSIFeatureFlag) {
 		w.factory = snapshotv1beta1informers.NewSharedInformerFactoryWithOptions(c, 0)
 	}
 	return w
@@ -952,14 +918,14 @@ func NewCSIInformerFactoryWrapper(c snapshotv1beta1client.Interface) *CSIInforme

 // Start proxies the Start call to the CSI SharedInformerFactory.
 func (w *CSIInformerFactoryWrapper) Start(stopCh <-chan struct{}) {
-	if features.IsEnabled(api.CSIFeatureFlag) {
+	if features.IsEnabled(velerov1api.CSIFeatureFlag) {
 		w.factory.Start(stopCh)
 	}
 }

 // WaitForCacheSync proxies the WaitForCacheSync call to the CSI SharedInformerFactory.
 func (w *CSIInformerFactoryWrapper) WaitForCacheSync(stopCh <-chan struct{}) map[reflect.Type]bool {
-	if features.IsEnabled(api.CSIFeatureFlag) {
+	if features.IsEnabled(velerov1api.CSIFeatureFlag) {
 		return w.factory.WaitForCacheSync(stopCh)
 	}
 	return nil
--- a/pkg/cmd/util/output/backup_storage_location_printer.go
+++ b/pkg/cmd/util/output/backup_storage_location_printer.go
@@ -31,6 +31,7 @@ var (
 		{Name: "Provider"},
 		{Name: "Bucket/Prefix"},
 		{Name: "Phase"},
+		{Name: "Last Validated"},
 		{Name: "Access Mode"},
 	}
 )
@@ -64,11 +65,18 @@ func printBackupStorageLocation(location *velerov1api.BackupStorageLocation) []m
 		status = "Unknown"
 	}

+	lastValidated := location.Status.LastValidationTime
+	LastValidatedStr := "Unknown"
+	if lastValidated != nil {
+		LastValidatedStr = lastValidated.String()
+	}
+
 	row.Cells = append(row.Cells,
 		location.Name,
 		location.Spec.Provider,
 		bucketAndPrefix,
 		status,
+		LastValidatedStr,
 		accessMode,
 	)

--- a/pkg/controller/backup_sync_controller.go
+++ b/pkg/controller/backup_sync_controller.go
@@ -29,6 +29,7 @@ import (
 	"k8s.io/apimachinery/pkg/util/sets"
 	"k8s.io/client-go/kubernetes"

+	"github.com/vmware-tanzu/velero/internal/velero"
 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	"github.com/vmware-tanzu/velero/pkg/features"
 	velerov1client "github.com/vmware-tanzu/velero/pkg/generated/clientset/versioned/typed/velero/v1"
@@ -122,16 +123,14 @@ func orderedBackupLocations(locationList *velerov1api.BackupStorageLocationList,
 func (c *backupSyncController) run() {
 	c.logger.Debug("Checking for existing backup storage locations to sync into cluster")

-	locationList := &velerov1api.BackupStorageLocationList{}
-	if err := c.kbClient.List(context.Background(), locationList, &client.ListOptions{
-		Namespace: c.namespace,
-	}); err != nil {
-		c.logger.WithError(errors.WithStack(err)).Error("Error getting backup storage locations from lister")
+	locationList, err := velero.ListBackupStorageLocations(c.kbClient, context.Background(), c.namespace)
+	if err != nil {
+		c.logger.WithError(err).Error("No backup storage locations found, at least one is required")
 		return
 	}

 	// sync the default location first, if it exists
-	locations := orderedBackupLocations(locationList, c.defaultBackupLocation)
+	locations := orderedBackupLocations(&locationList, c.defaultBackupLocation)

 	pluginManager := c.newPluginManager(c.logger)
 	defer pluginManager.CleanupClients()
--- a/pkg/controller/backupstoragelocation_controller.go
+++ b/pkg/controller/backupstoragelocation_controller.go
@@ -0,0 +1,142 @@
+/*
+Copyright 2020 the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"strings"
+
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+
+	"k8s.io/apimachinery/pkg/runtime"
+	ctrl "sigs.k8s.io/controller-runtime"
+
+	"github.com/vmware-tanzu/velero/internal/velero"
+	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
+)
+
+// BackupStorageLocationReconciler reconciles a BackupStorageLocation object
+type BackupStorageLocationReconciler struct {
+	Scheme          *runtime.Scheme
+	StorageLocation velero.StorageLocation
+
+	Log logrus.FieldLogger
+}
+
+// +kubebuilder:rbac:groups=velero.io,resources=backupstoragelocations,verbs=get;list;watch;create;update;patch;delete
+// +kubebuilder:rbac:groups=velero.io,resources=backupstoragelocations/status,verbs=get;update;patch
+func (r *BackupStorageLocationReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+	log := r.Log.WithField("controller", "backupstoragelocation")
+
+	log.Info("Checking for existing backup locations ready to be verified; there needs to be at least 1 backup location available")
+
+	locationList, err := velero.ListBackupStorageLocations(r.StorageLocation.Client, r.StorageLocation.Ctx, req.Namespace)
+	if err != nil {
+		log.WithError(err).Error("No backup storage locations found, at least one is required")
+	}
+
+	var defaultFound bool
+	var unavailableErrors []string
+	var anyVerified bool
+	for i := range locationList.Items {
+		location := &locationList.Items[i]
+		log := r.Log.WithField("controller", "backupstoragelocation").WithField("backupstoragelocation", location.Name)
+
+		if location.Name == r.StorageLocation.DefaultStorageLocation {
+			defaultFound = true
+		}
+
+		if !r.StorageLocation.IsReadyToValidate(location, log) {
+			continue
+		}
+
+		anyVerified = true
+
+		log.Debug("Verifying backup storage location")
+
+		if err := r.StorageLocation.IsValid(location, log); err != nil {
+			log.Debug("Backup location verified, not valid")
+			unavailableErrors = append(unavailableErrors, errors.Wrapf(err, "Backup location %q is unavailable", location.Name).Error())
+
+			if location.Name == r.StorageLocation.DefaultStorageLocation {
+				log.Warnf("The specified default backup location named %q is unavailable; for convenience, be sure to configure it properly or make another backup location that is available the default", r.StorageLocation.DefaultStorageLocation)
+			}
+
+			if err2 := r.StorageLocation.PatchStatus(location, velerov1api.BackupStorageLocationPhaseUnavailable); err2 != nil {
+				log.WithError(err).Errorf("Error updating backup location phase to %s", velerov1api.BackupStorageLocationPhaseUnavailable)
+				continue
+			}
+		} else {
+			log.Debug("Backup location verified and it is valid")
+			if err := r.StorageLocation.PatchStatus(location, velerov1api.BackupStorageLocationPhaseAvailable); err != nil {
+				log.WithError(err).Errorf("Error updating backup location phase to %s", velerov1api.BackupStorageLocationPhaseAvailable)
+				continue
+			}
+		}
+	}
+
+	if !anyVerified {
+		log.Info("No backup locations were ready to be verified")
+	}
+
+	r.logReconciledPhase(defaultFound, locationList, unavailableErrors)
+
+	return ctrl.Result{Requeue: true}, nil
+}
+
+func (r *BackupStorageLocationReconciler) logReconciledPhase(defaultFound bool, locationList velerov1api.BackupStorageLocationList, errs []string) {
+	var availableBSLs []*velerov1api.BackupStorageLocation
+	var unAvailableBSLs []*velerov1api.BackupStorageLocation
+	var unknownBSLs []*velerov1api.BackupStorageLocation
+	log := r.Log.WithField("controller", "backupstoragelocation")
+
+	for i, location := range locationList.Items {
+		phase := location.Status.Phase
+		switch phase {
+		case velerov1api.BackupStorageLocationPhaseAvailable:
+			availableBSLs = append(availableBSLs, &locationList.Items[i])
+		case velerov1api.BackupStorageLocationPhaseUnavailable:
+			unAvailableBSLs = append(unAvailableBSLs, &locationList.Items[i])
+		default:
+			unknownBSLs = append(unknownBSLs, &locationList.Items[i])
+		}
+	}
+
+	numAvailable := len(availableBSLs)
+	numUnavailable := len(unAvailableBSLs)
+	numUnknown := len(unknownBSLs)
+
+	if numUnavailable+numUnknown == len(locationList.Items) { // no available BSL
+		if len(errs) > 0 {
+			log.Errorf("Current backup storage locations available/unavailable/unknown: %v/%v/%v, %s)", numAvailable, numUnavailable, numUnknown, strings.Join(errs, "; "))
+		} else {
+			log.Errorf("Current backup storage locations available/unavailable/unknown: %v/%v/%v)", numAvailable, numUnavailable, numUnknown)
+		}
+	} else if numUnavailable > 0 { // some but not all BSL unavailable
+		log.Warnf("Invalid backup locations detected: available/unavailable/unknown: %v/%v/%v, %s)", numAvailable, numUnavailable, numUnknown, strings.Join(errs, "; "))
+	}
+
+	if !defaultFound {
+		log.Warnf("The specified default backup location named %q was not found; for convenience, be sure to create one or make another backup location that is available the default", r.StorageLocation.DefaultStorageLocation)
+	}
+}
+
+func (r *BackupStorageLocationReconciler) SetupWithManager(mgr ctrl.Manager) error {
+	return ctrl.NewControllerManagedBy(mgr).
+		For(&velerov1api.BackupStorageLocation{}).
+		Complete(r)
+}
--- a/pkg/controller/backupstoragelocation_controller_test.go
+++ b/pkg/controller/backupstoragelocation_controller_test.go
@@ -0,0 +1,185 @@
+/*
+Copyright 2020 the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package controller
+
+import (
+	"time"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
+	ctrl "sigs.k8s.io/controller-runtime"
+	"sigs.k8s.io/controller-runtime/pkg/client"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+
+	"k8s.io/apimachinery/pkg/types"
+	"k8s.io/client-go/kubernetes/scheme"
+
+	"github.com/vmware-tanzu/velero/internal/velero"
+	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
+	"github.com/vmware-tanzu/velero/pkg/builder"
+	"github.com/vmware-tanzu/velero/pkg/persistence"
+	persistencemocks "github.com/vmware-tanzu/velero/pkg/persistence/mocks"
+	"github.com/vmware-tanzu/velero/pkg/plugin/clientmgmt"
+	pluginmocks "github.com/vmware-tanzu/velero/pkg/plugin/mocks"
+	velerotest "github.com/vmware-tanzu/velero/pkg/test"
+)
+
+var _ = Describe("Backup Storage Location Reconciler", func() {
+	BeforeEach(func() {})
+	AfterEach(func() {})
+
+	It("Should successfully patch a backup storage location object status phase according to whether its storage is valid or not", func() {
+		tests := []struct {
+			backupLocation *velerov1api.BackupStorageLocation
+			isValidError   error
+			expectedPhase  velerov1api.BackupStorageLocationPhase
+		}{
+			{
+				backupLocation: builder.ForBackupStorageLocation("ns-1", "location-1").ValidationFrequency(1 * time.Second).Result(),
+				isValidError:   nil,
+				expectedPhase:  velerov1api.BackupStorageLocationPhaseAvailable,
+			},
+			{
+				backupLocation: builder.ForBackupStorageLocation("ns-1", "location-2").ValidationFrequency(1 * time.Second).Result(),
+				isValidError:   errors.New("an error"),
+				expectedPhase:  velerov1api.BackupStorageLocationPhaseUnavailable,
+			},
+		}
+
+		// Setup
+		var (
+			pluginManager = &pluginmocks.Manager{}
+			backupStores  = make(map[string]*persistencemocks.BackupStore)
+		)
+		pluginManager.On("CleanupClients").Return(nil)
+
+		locations := new(velerov1api.BackupStorageLocationList)
+		for i, test := range tests {
+			location := test.backupLocation
+			locations.Items = append(locations.Items, *location)
+			backupStores[location.Name] = &persistencemocks.BackupStore{}
+			backupStore := backupStores[location.Name]
+			backupStore.On("IsValid").Return(tests[i].isValidError)
+		}
+
+		// Setup reconciler
+		Expect(velerov1api.AddToScheme(scheme.Scheme)).To(Succeed())
+		storageLocationInfo := velero.StorageLocation{
+			Client:                          fake.NewFakeClientWithScheme(scheme.Scheme, locations),
+			DefaultStorageLocation:          "default",
+			DefaultStoreValidationFrequency: 0,
+			NewPluginManager:                func(logrus.FieldLogger) clientmgmt.Manager { return pluginManager },
+			NewBackupStore: func(loc *velerov1api.BackupStorageLocation, _ persistence.ObjectStoreGetter, _ logrus.FieldLogger) (persistence.BackupStore, error) {
+				return backupStores[loc.Name], nil
+			},
+		}
+
+		r := &BackupStorageLocationReconciler{
+			StorageLocation: storageLocationInfo,
+			Log:             velerotest.NewLogger(),
+		}
+
+		actualResult, err := r.Reconcile(ctrl.Request{
+			NamespacedName: types.NamespacedName{Namespace: "ns-1"},
+		})
+
+		Expect(actualResult).To(BeEquivalentTo(ctrl.Result{Requeue: true}))
+		Expect(err).To(BeNil())
+
+		// Assertions
+		for i, location := range locations.Items {
+			key := client.ObjectKey{Name: location.Name, Namespace: location.Namespace}
+			instance := &velerov1api.BackupStorageLocation{}
+			err := r.StorageLocation.Client.Get(ctx, key, instance)
+			Expect(err).To(BeNil())
+			Expect(instance.Status.Phase).To(BeIdenticalTo(tests[i].expectedPhase))
+		}
+	})
+
+	It("Should not patch a backup storage location object status phase if the location's validation frequency is specifically set to zero", func() {
+		tests := []struct {
+			backupLocation *velerov1api.BackupStorageLocation
+			isValidError   error
+			expectedPhase  velerov1api.BackupStorageLocationPhase
+			wantErr        bool
+		}{
+			{
+				backupLocation: builder.ForBackupStorageLocation("ns-1", "location-1").ValidationFrequency(0).Result(),
+				isValidError:   nil,
+				expectedPhase:  "",
+				wantErr:        false,
+			},
+			{
+				backupLocation: builder.ForBackupStorageLocation("ns-1", "location-2").ValidationFrequency(0).Result(),
+				isValidError:   nil,
+				expectedPhase:  "",
+				wantErr:        false,
+			},
+		}
+
+		// Setup
+		var (
+			pluginManager = &pluginmocks.Manager{}
+			backupStores  = make(map[string]*persistencemocks.BackupStore)
+		)
+		pluginManager.On("CleanupClients").Return(nil)
+
+		locations := new(velerov1api.BackupStorageLocationList)
+		for i, test := range tests {
+			location := test.backupLocation
+			locations.Items = append(locations.Items, *location)
+			backupStores[location.Name] = &persistencemocks.BackupStore{}
+			backupStores[location.Name].On("IsValid").Return(tests[i].isValidError)
+		}
+
+		// Setup reconciler
+		Expect(velerov1api.AddToScheme(scheme.Scheme)).To(Succeed())
+		storageLocationInfo := velero.StorageLocation{
+			Client:                          fake.NewFakeClientWithScheme(scheme.Scheme, locations),
+			DefaultStorageLocation:          "default",
+			DefaultStoreValidationFrequency: 0,
+			NewPluginManager:                func(logrus.FieldLogger) clientmgmt.Manager { return pluginManager },
+			NewBackupStore: func(loc *velerov1api.BackupStorageLocation, _ persistence.ObjectStoreGetter, _ logrus.FieldLogger) (persistence.BackupStore, error) {
+				// this gets populated just below, prior to exercising the method under test
+				return backupStores[loc.Name], nil
+			},
+		}
+
+		r := &BackupStorageLocationReconciler{
+			StorageLocation: storageLocationInfo,
+			Log:             velerotest.NewLogger(),
+		}
+
+		actualResult, err := r.Reconcile(ctrl.Request{
+			NamespacedName: types.NamespacedName{Namespace: "ns-1"},
+		})
+
+		Expect(actualResult).To(BeEquivalentTo(ctrl.Result{Requeue: true}))
+		Expect(err).To(BeNil())
+
+		// Assertions
+		for i, location := range locations.Items {
+			key := client.ObjectKey{Name: location.Name, Namespace: location.Namespace}
+			instance := &velerov1api.BackupStorageLocation{}
+			err := r.StorageLocation.Client.Get(ctx, key, instance)
+			Expect(err).To(BeNil())
+			Expect(instance.Status.Phase).To(BeIdenticalTo(tests[i].expectedPhase))
+		}
+	})
+})
--- a/pkg/controller/suite_test.go
+++ b/pkg/controller/suite_test.go
@@ -17,19 +17,116 @@ limitations under the License.
 package controller

 import (
+	"context"
+	"path/filepath"
 	"testing"
-
-	"github.com/stretchr/testify/require"
+	"time"

 	"k8s.io/apimachinery/pkg/runtime"
+	"k8s.io/klog"
 	"sigs.k8s.io/controller-runtime/pkg/client/fake"
+	"sigs.k8s.io/controller-runtime/pkg/envtest"
+	"sigs.k8s.io/controller-runtime/pkg/manager"
+
+	. "github.com/onsi/ginkgo"
+	. "github.com/onsi/gomega"
+
+	"github.com/stretchr/testify/require"

 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"

 	"k8s.io/client-go/kubernetes/scheme"
+	"k8s.io/client-go/rest"
 	"sigs.k8s.io/controller-runtime/pkg/client"
+	// +kubebuilder:scaffold:imports
 )

+// These tests use Ginkgo (BDD-style Go testing framework). Refer to
+// http://onsi.github.io/ginkgo/ to learn more about Ginkgo.
+
+const (
+	timeout = time.Second * 30
+)
+
+var (
+	env     *envtest.Environment
+	testEnv *testEnvironment
+	ctx     = context.Background()
+)
+
+func TestAPIs(t *testing.T) {
+	RegisterFailHandler(Fail)
+	RunSpecs(t, "Controller Suite")
+}
+
+var _ = BeforeSuite(func(done Done) {
+	By("bootstrapping test environment")
+	testEnv = newTestEnvironment()
+
+	By("starting the manager")
+	go func() {
+		defer GinkgoRecover()
+		Expect(testEnv.startManager()).To(Succeed())
+	}()
+
+	close(done)
+}, 60)
+
+var _ = AfterSuite(func() {
+	By("tearing down the test environment")
+	err := testEnv.stop()
+	Expect(err).ToNot(HaveOccurred())
+})
+
+// testEnvironment encapsulates a Kubernetes local test environment.
+type testEnvironment struct {
+	manager.Manager
+	client.Client
+	Config *rest.Config
+
+	doneMgr chan struct{}
+}
+
+// newTestEnvironment creates a new environment spinning up a local api-server.
+//
+// This function should be called only once for each package you're running tests within,
+// usually the environment is initialized in a suite_test.go file within a `BeforeSuite` ginkgo block.
+func newTestEnvironment() *testEnvironment {
+	err := velerov1api.AddToScheme(scheme.Scheme)
+	Expect(err).NotTo(HaveOccurred())
+
+	env = &envtest.Environment{
+		CRDDirectoryPaths: []string{filepath.Join("..", "config", "crd", "bases")},
+	}
+
+	if _, err := env.Start(); err != nil {
+		panic(err)
+	}
+
+	mgr, err := manager.New(env.Config, manager.Options{
+		Scheme: scheme.Scheme,
+	})
+	if err != nil {
+		klog.Fatalf("Failed to start testenv manager: %v", err)
+	}
+
+	return &testEnvironment{
+		Manager: mgr,
+		Client:  mgr.GetClient(),
+		Config:  mgr.GetConfig(),
+		doneMgr: make(chan struct{}),
+	}
+}
+
+func (t *testEnvironment) startManager() error {
+	return t.Manager.Start(t.doneMgr)
+}
+
+func (t *testEnvironment) stop() error {
+	t.doneMgr <- struct{}{}
+	return env.Stop()
+}
+
 func newFakeClient(t *testing.T, initObjs ...runtime.Object) client.Client {
 	err := velerov1api.AddToScheme(scheme.Scheme)
 	require.NoError(t, err)
--- a/site/docs/master/api-types/backupstoragelocation.md
+++ b/site/docs/master/api-types/backupstoragelocation.md
@@ -40,6 +40,7 @@ The configurable parameters are as follows:
 | `config` | map[string]string | None (Optional) | Provider-specific configuration keys/values to be passed to the object store plugin. See [your object storage provider's plugin documentation][0] for details. |
 | `accessMode` | String | `ReadWrite` | How Velero can access the backup storage location. Valid values are `ReadWrite`, `ReadOnly`. |
 | `backupSyncPeriod` | metav1.Duration | Optional Field | How frequently Velero should synchronize backups in object storage. Default is Velero's server backup sync period. Set this to `0s` to disable sync. |
+| `validationFrequency` | metav1.Duration | Optional Field | How frequently Velero should validate the object storage . Default is Velero's server validation frequency. Set this to `0s` to disable validation. Default 1 minute. |


 [0]: ../supported-providers.md
				`@@ -0,0 +1 @@`
				`Add a BSL controller to handle validation + update BSL status phase (validation removed from the server and no longer blocks when there's any invalid BSL)`