Merge pull request #9785 from Lyndon-Li/bump-up-kopia-1.23.0

Bump up kopia 1.23.0

.github/workflows/auto_assign_prs.yml

@@ -7,6 +7,10 @@ on:
   pull_request_target:
     types: [opened, reopened, ready_for_review]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   # Automatically assigns reviewers and owner
   add-reviews:
@@ -16,4 +20,3 @@ jobs:
         uses: kentaro-m/auto-assign-action@v2.0.0
         with:
           configuration-path: ".github/auto-assignees.yml"
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/auto_label_prs.yml

@@ -8,6 +8,10 @@ on:
   pull_request_target:
     types: [opened, reopened, synchronize, ready_for_review]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   # Automatically labels PRs based on file globs in the change.
   triage:
@@ -15,5 +19,4 @@ jobs:
     steps:
       - uses: actions/labeler@v5
         with:
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
           configuration-path: .github/labeler.yml

.github/workflows/auto_request_review.yml

@@ -5,6 +5,10 @@ on:
   pull_request_target:
     types: [opened, ready_for_review, reopened]
 
+permissions:
+  contents: read
+  pull-requests: write
+
 jobs:
   auto-request-review:
     name: Auto Request Review
@@ -13,5 +17,5 @@ jobs:
       - name: Request a PR review based on files types/paths, and/or groups the author belongs to
         uses: necojackarc/auto-request-review@v0.13.0
         with:
-          token: ${{ secrets.GITHUB_TOKEN }}
           config: .github/auto-assignees.yml
+          token: ${{ secrets.GITHUB_TOKEN }}

.github/workflows/e2e-test-kind.yaml

@@ -21,7 +21,7 @@ jobs:
       minio-dockerfile-sha: ${{ steps.minio-version.outputs.dockerfile_sha }}
     steps:
       - name: Check out the code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
       
       - name: Set up Go version
         uses: actions/setup-go@v6
@@ -71,7 +71,7 @@ jobs:
         run: |
           echo "Building MinIO image from Bitnami Dockerfile..."
           git clone --depth 1 https://github.com/bitnami/containers.git /tmp/bitnami-containers
-          cd /tmp/bitnami-containers/bitnami/minio/2025/debian-12
+          cd /tmp/bitnami-containers/bitnami/minio/2026/debian-12
           docker build -t bitnami/minio:local .
           docker save bitnami/minio:local > ${{ github.workspace }}/minio-image.tar
   # Create json of k8s versions to test
@@ -112,7 +112,7 @@ jobs:
       fail-fast: false
     steps:
       - name: Check out the code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go version
         uses: actions/setup-go@v6
@@ -185,7 +185,7 @@ jobs:
         timeout-minutes: 30
       - name: Upload debug bundle
         if: ${{ failure() }}
-        uses: actions/upload-artifact@v4
+        uses: actions/upload-artifact@v5
         with:
-          name: DebugBundle
+          name: DebugBundle-k8s-${{ matrix.k8s }}-job-${{ strategy.job-index }}
           path: /home/runner/work/velero/velero/test/e2e/debug-bundle*

.github/workflows/get-go-version.yaml

@@ -17,7 +17,7 @@ jobs:
         version: ${{ steps.pick-version.outputs.version }}
       steps:
         - name: Check out the code
-          uses: actions/checkout@v5
+          uses: actions/checkout@v6
 
         - id: pick-version
           run: |
@@ -25,7 +25,7 @@ jobs:
               version=$(grep '^go ' go.mod | awk '{print $2}' | cut -d. -f1-2)
             else
               goDirectiveVersion=$(grep '^go ' go.mod | awk '{print $2}')
-              toolChainVersion=$(grep '^toolchain ' go.mod | awk '{print $2}')
+              toolChainVersion=$(grep '^toolchain ' go.mod | awk '{print $2}' | sed 's/^go//')
               version=$(printf "%s\n%s\n" "$goDirectiveVersion" "$toolChainVersion" | sort -V | tail -n1)
             fi
 

.github/workflows/nightly-trivy-scan.yml

@@ -19,10 +19,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@master
+        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
         with:
           image-ref: 'docker.io/velero/${{ matrix.images }}:${{ matrix.versions }}'
           severity: 'CRITICAL,HIGH,MEDIUM'

.github/workflows/pr-changelog-check.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
 
     - name: Check out the code
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     - name: Changelog check
       if: ${{ !(contains(github.event.pull_request.labels.*.name, 'kind/changelog-not-required') || contains(github.event.pull_request.labels.*.name, 'Design') || contains(github.event.pull_request.labels.*.name, 'Website') || contains(github.event.pull_request.labels.*.name, 'Documentation'))}}

.github/workflows/pr-ci-check.yml

@@ -14,7 +14,7 @@ jobs:
       fail-fast: false
     steps:
       - name: Check out the code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go version
         uses: actions/setup-go@v6

.github/workflows/pr-codespell.yml

@@ -8,7 +8,7 @@ jobs:
     steps:
 
     - name: Check out the code
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
 
     - name: Codespell
       uses: codespell-project/actions-codespell@master

.github/workflows/pr-containers.yml

@@ -7,13 +7,14 @@ on:
       - 'release-**'
     paths:
       - 'Dockerfile'
+      - 'Dockerfile-Windows'
 
 jobs:
   build:
     name: Build
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       name: Checkout
 
     - name: Set up QEMU
@@ -32,6 +33,6 @@ jobs:
     # by push, so BRANCH and TAG are empty by default. docker-push.sh will
     # only build Velero image without pushing.
     - name: Make Velero container without pushing to registry.
-      if: github.repository == 'vmware-tanzu/velero'
+      if: github.repository == 'velero-io/velero'
       run: |
         ./hack/docker-push.sh

.github/workflows/pr-filepath-check.yml

@@ -0,0 +1,93 @@
+name: Pull Request File Path Check
+on: [pull_request]
+jobs:
+
+  filepath-check:
+    name: Check for invalid characters in file paths
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Check out the code
+      uses: actions/checkout@v6
+
+    - name: Validate file paths for Go module compatibility
+      run: |
+        # Go's module zip rejects filenames containing certain characters.
+        # See golang.org/x/mod/module fileNameOK() for the full specification.
+        #
+        # Allowed ASCII: letters, digits, and: !#$%&()+,-.=@[]^_{}~ and space
+        # Allowed non-ASCII: unicode letters only
+        # Rejected: " ' * < > ? ` | / \ : and any non-letter unicode (control
+        #           chars, format chars like U+200E LEFT-TO-RIGHT MARK, etc.)
+        #
+        # This check catches issues like the U+200E incident in PR #9552.
+
+        EXIT_STATUS=0
+
+        git ls-files -z | python3 -c "
+        import sys, unicodedata
+
+        data = sys.stdin.buffer.read()
+        files = data.split(b'\x00')
+
+        # Characters explicitly rejected by Go's fileNameOK
+        # (path separators / and \ are inherent to paths so we check per-element)
+        bad_ascii = set('\"' + \"'\" + '*<>?\`|:')
+
+        allowed_ascii = set('!#$%&()+,-.=@[]^_{}~ ')
+
+        def is_ok(ch):
+            if ch.isascii():
+                return ch.isalnum() or ch in allowed_ascii
+            return ch.isalpha()
+
+        bad_files = []  # list of (original_path, clean_path, char_desc)
+        for f in files:
+            if not f:
+                continue
+            try:
+                name = f.decode('utf-8')
+            except UnicodeDecodeError:
+                print(f'::error::Non-UTF-8 bytes in filename: {f!r}')
+                bad_files.append((repr(f), None, 'non-UTF-8 bytes'))
+                continue
+
+            # Check each path element (split on /)
+            for element in name.split('/'):
+                for ch in element:
+                    if not is_ok(ch):
+                        cp = ord(ch)
+                        char_name = unicodedata.name(ch, f'U+{cp:04X}')
+                        char_desc = f'U+{cp:04X} ({char_name})'
+                        # Build cleaned path by stripping invalid chars
+                        clean = '/'.join(
+                            ''.join(c for c in elem if is_ok(c))
+                            for elem in name.split('/')
+                        )
+                        print(f'::error file={name}::File \"{name}\" contains invalid char {char_desc}')
+                        bad_files.append((name, clean, char_desc))
+                        break
+
+        if bad_files:
+            print()
+            print('The following files have characters that are invalid in Go module zip archives:')
+            print()
+            for original, clean, desc in bad_files:
+                print(f'  {original}  — {desc}')
+            print()
+            print('To fix, rename the files to remove the problematic characters:')
+            print()
+            for original, clean, desc in bad_files:
+                if clean:
+                    print(f'  mv \"{original}\" \"{clean}\" && git add \"{clean}\"')
+                    print(f'  # or: git mv \"{original}\" \"{clean}\"')
+                else:
+                    print(f'  # {original} — cannot auto-suggest rename (non-UTF-8)')
+            print()
+            print('See https://github.com/velero-io/velero/pull/9552 for context.')
+            sys.exit(1)
+        else:
+            print('All file paths are valid for Go module zip.')
+        " || EXIT_STATUS=1
+
+        exit $EXIT_STATUS

.github/workflows/pr-goreleaser.yml

@@ -14,11 +14,11 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       name: Checkout
 
     - name: Verify .goreleaser.yml and try a dryrun release.
-      if: github.repository == 'vmware-tanzu/velero'
+      if: github.repository == 'velero-io/velero'
       run: |
         CHANGELOG=$(ls changelogs | sort -V -r | head -n 1)
         GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \

.github/workflows/pr-linter-check.yml

@@ -18,7 +18,7 @@ jobs:
     needs: get-go-version
     steps:
       - name: Check out the code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go version
         uses: actions/setup-go@v6
@@ -26,7 +26,7 @@ jobs:
           go-version: ${{ needs.get-go-version.outputs.version }}
 
       - name: Linter check
-        uses: golangci/golangci-lint-action@v8
+        uses: golangci/golangci-lint-action@v9
         with:
-          version: v2.1.1
+          version: v2.12.0
           args: --verbose

.github/workflows/prow-action.yml

@@ -5,6 +5,10 @@ on:
   issue_comment:
     types: [created]
 
+permissions:
+  issues: write
+  pull-requests: write
+
 jobs:
   execute:
     runs-on: ubuntu-latest

.github/workflows/push-builder.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - uses: actions/checkout@v5
+    - uses: actions/checkout@v6
       with:
         # The default value is "1" which fetches only a single commit. If we merge PR without squash or rebase,
         # there are at least two commits: the first one is the merge commit and the second one is the real commit
@@ -28,7 +28,7 @@ jobs:
 
     # Only try to publish the container image from the root repo; forks don't have permission to do so and will always get failures.
     - name: Publish container image
-      if: github.repository == 'vmware-tanzu/velero'
+      if: github.repository == 'velero-io/velero'
       run: |
         docker login -u ${{ secrets.DOCKER_USER }} -p ${{ secrets.DOCKER_PASSWORD }}
        

.github/workflows/push.yml

@@ -12,7 +12,7 @@ jobs:
   get-go-version:
     uses: ./.github/workflows/get-go-version.yaml
     with:
-      ref: ${{ github.ref }}
+      ref: ${{ github.ref_name }}
 
   build:
     name: Build
@@ -20,7 +20,7 @@ jobs:
     needs: get-go-version
     steps:
       - name: Check out the code
-        uses: actions/checkout@v5
+        uses: actions/checkout@v6
 
       - name: Set up Go version
         uses: actions/setup-go@v6
@@ -52,7 +52,7 @@ jobs:
           verbose: true
       # Only try to publish the container image from the root repo; forks don't have permission to do so and will always get failures.
       - name: Publish container image
-        if: github.repository == 'vmware-tanzu/velero'
+        if: github.repository == 'velero-io/velero'
         run: |
           sudo swapoff -a
           sudo rm -f /mnt/swapfile

.github/workflows/rebase.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout the latest code
-      uses: actions/checkout@v5
+      uses: actions/checkout@v6
       with:
         fetch-depth: 0
     - name: Automatic Rebase

.github/workflows/stale-issues.yml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v10.1.0
+      - uses: actions/stale@v10.1.1
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: "This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. If a Velero team member has requested log or more information, please provide the output of the shared commands."

.golangci.yaml

@@ -317,7 +317,7 @@ linters:
     - errchkjson
     - exptostd
     - ginkgolinter
-    - goconst
+    #- goconst # Disable goconst for now, as it reports a lot of false positives. We can enable it later after refactoring the codebase to reduce the number of string literals.
     - goheader
     - goprintffuncname
     - gosec
@@ -383,6 +383,9 @@ linters:
         linters:
           - dupword
         text: "bucket"
+      - text: "non-constant format string"
+        linters:
+          - govet
 
     generated: lax
     presets:

.goreleaser.yml

@@ -55,7 +55,7 @@ checksum:
   name_template: 'CHECKSUM'
 release:
   github:
-    owner: vmware-tanzu
+    owner: velero-io
     name: velero
   draft: true
   prerelease: auto

ADOPTERS.md

@@ -17,6 +17,7 @@ If you're using Velero and want to add your organization to this list,
 <a href="https://www.replicated.com/" border="0" target="_blank"><img alt="replicated.com" src="site/static/img/adopters/replicated-logo-red.svg" height="50"></a>
 <a href="https://cloudcasa.io/" border="0" target="_blank"><img alt="cloudcasa.io" src="site/static/img/adopters/cloudcasa.svg" height="50"></a>
 <a href="https://azure.microsoft.com/" border="0" target="_blank"><img alt="azure.com" src="site/static/img/adopters/azure.svg" height="50"></a>
+<a href="https://www.broadcom.com/" border="0" target="_blank"><img alt="broadcom.com" src="site/static/img/adopters/broadcom.svg" height="50"></a>
 ## Success Stories
 
 Below is a list of adopters of Velero in **production environments** that have
@@ -68,6 +69,9 @@ Replicated uses the Velero open source project to enable snapshots in [KOTS][101
 **[Microsoft Azure][105]**<br>
 [Azure Backup for AKS][106] is an Azure native, Kubernetes aware, Enterprise ready backup for containerized applications deployed on Azure Kubernetes Service (AKS). AKS Backup utilizes Velero to perform backup and restore operations to protect stateful applications in AKS clusters.<br>
 
+**[Broadcom][107]**<br>
+[VMware Cloud Foundation][108] (VCF) offers built-in [vSphere Kubernetes Service][109] (VKS),  a Kubernetes runtime that includes a CNCF certified Kubernetes distribution, to deploy and manage containerized workloads. VCF empowers platform engineers with native [Kubernetes multi-cluster management][110] capability for managing Kubernetes (K8s) infrastructure at scale. VCF utilizes Velero for Kubernetes data protection enabling platform engineers to back up and restore containerized workloads manifests & persistent volumes, helping to increase the resiliency of stateful applications in VKS cluster.
+
 ## Adding your organization to the list of Velero Adopters
 
 If you are using Velero and would like to be included in the list of `Velero Adopters`, add an SVG version of your logo to the `site/static/img/adopters` directory in this repo and submit a [pull request][3] with your change. Name the image file something that reflects your company (e.g., if your company is called Acme, name the image acme.png). See this for an example [PR][4].
@@ -125,3 +129,8 @@ If you would like to add your logo to a future `Adopters of Velero` section on [
 
 [105]: https://azure.microsoft.com/
 [106]: https://learn.microsoft.com/azure/backup/backup-overview
+
+[107]: https://www.broadcom.com/
+[108]: https://www.vmware.com/products/cloud-infrastructure/vmware-cloud-foundation
+[109]: https://www.vmware.com/products/cloud-infrastructure/vsphere-kubernetes-service
+[110]: https://blogs.vmware.com/cloud-foundation/2025/09/29/empowering-platform-engineers-with-native-kubernetes-multi-cluster-management-in-vmware-cloud-foundation/

CODE_OF_CONDUCT.md

@@ -1,3 +1,23 @@
+# Velero Code of Conduct
+
+Velero is a [Cloud Native Computing Foundation](https://www.cncf.io/) sandbox
+project. As a CNCF project, the Velero community follows the
+[**CNCF Code of Conduct**](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
+
+The text below is the project's adopted Code of Conduct, based on the
+[Contributor Covenant](https://www.contributor-covenant.org/), and is
+substantively aligned with the CNCF Code of Conduct. Where any conflict exists,
+the CNCF Code of Conduct prevails.
+
+Instances of unacceptable behavior may be reported to the CNCF Code of
+Conduct Committee at [conduct@cncf.io](mailto:conduct@cncf.io). For more
+detailed instructions on how to submit a report, including how to submit a
+report anonymously, please see the CNCF
+[Incident Resolution Procedures](https://github.com/cncf/foundation/blob/main/code-of-conduct/coc-incident-resolution-procedures.md).
+You can expect a response within three business days.
+
+---
+
 # Contributor Covenant Code of Conduct
 
 ## Our Pledge
@@ -59,7 +79,8 @@ representative at an online or offline event.
 ## Enforcement
 
 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported to the community leaders responsible for enforcement at oss-coc@vmware.com.
+reported by contacting the CNCF Code of Conduct Committee at
+[conduct@cncf.io](mailto:conduct@cncf.io).
 All complaints will be reviewed and investigated promptly and fairly.
 
 All community leaders are obligated to respect the privacy and security of the

Dockerfile

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # Velero binary build section
-FROM --platform=$BUILDPLATFORM golang:1.24-bookworm AS velero-builder
+FROM --platform=$BUILDPLATFORM golang:1.26-trixie AS velero-builder
 
 ARG GOPROXY
 ARG BIN
@@ -48,30 +48,6 @@ RUN mkdir -p /output/usr/bin && \
     -ldflags "${LDFLAGS}" ${PKG}/cmd/velero-helper && \
     go clean -modcache -cache
 
-# Restic binary build section
-FROM --platform=$BUILDPLATFORM golang:1.24-bookworm AS restic-builder
-
-ARG GOPROXY
-ARG BIN
-ARG TARGETOS
-ARG TARGETARCH
-ARG TARGETVARIANT
-ARG RESTIC_VERSION
-
-ENV CGO_ENABLED=0 \
-    GO111MODULE=on \
-    GOPROXY=${GOPROXY} \
-    GOOS=${TARGETOS} \
-    GOARCH=${TARGETARCH} \
-    GOARM=${TARGETVARIANT}
-
-COPY . /go/src/github.com/vmware-tanzu/velero
-
-RUN mkdir -p /output/usr/bin && \
-    export GOARM=$(echo "${GOARM}" | cut -c2-) && \
-    /go/src/github.com/vmware-tanzu/velero/hack/build-restic.sh && \
-    go clean -modcache -cache
-
 # Velero image packing section
 FROM paketobuildpacks/run-jammy-tiny:latest
 
@@ -79,7 +55,4 @@ LABEL maintainer="Xun Jiang <jxun@vmware.com>"
 
 COPY --from=velero-builder /output /
 
-COPY --from=restic-builder /output /
-
 USER cnb:cnb
-

Dockerfile-Windows

@@ -15,7 +15,7 @@
 ARG OS_VERSION=1809
 
 # Velero binary build section
-FROM --platform=$BUILDPLATFORM golang:1.24-bookworm AS velero-builder
+FROM --platform=$BUILDPLATFORM golang:1.26-trixie AS velero-builder
 
 ARG GOPROXY
 ARG BIN

MAINTAINERS.md

@@ -7,11 +7,11 @@
 | Maintainer          | GitHub ID                                                     | Affiliation                                      |
 |---------------------|---------------------------------------------------------------|--------------------------------------------------|
 | Scott Seago         | [sseago](https://github.com/sseago)                           | [OpenShift](https://github.com/openshift)        |
-| Daniel Jiang        | [reasonerjt](https://github.com/reasonerjt)                   | [VMware](https://www.github.com/vmware/)         |
-| Wenkai Yin          | [ywk253100](https://github.com/ywk253100)                     | [VMware](https://www.github.com/vmware/)         |
-| Xun Jiang           | [blackpiglet](https://github.com/blackpiglet)                 | [VMware](https://www.github.com/vmware/)         |
+| Daniel Jiang        | [reasonerjt](https://github.com/reasonerjt)                   | Broadcom                                         |
+| Wenkai Yin          | [ywk253100](https://github.com/ywk253100)                     | Broadcom                                         |
+| Xun Jiang           | [blackpiglet](https://github.com/blackpiglet)                 | Broadcom                                         |
 | Shubham Pampattiwar | [shubham-pampattiwar](https://github.com/shubham-pampattiwar) | [OpenShift](https://github.com/openshift)        |
-| Yonghui Li          | [Lyndon-Li](https://github.com/Lyndon-Li)                     | [VMware](https://www.github.com/vmware/)         |
+| Yonghui Li          | [Lyndon-Li](https://github.com/Lyndon-Li)                     | Broadcom                                         |
 | Anshul Ahuja        | [anshulahuja98](https://github.com/anshulahuja98)             | [Microsoft Azure](https://www.github.com/azure/) |
 | Tiger Kaovilai      | [kaovilai](https://github.com/kaovilai)                       | [OpenShift](https://github.com/openshift)        |
 
@@ -27,14 +27,3 @@
 * JenTing Hsiao ([jenting](https://github.com/jenting))
 * Dave Smith-Uchida ([dsu-igeek](https://github.com/dsu-igeek))
 * Ming Qiu ([qiuming-best](https://github.com/qiuming-best))
-
-## Velero Contributors & Stakeholders
-
-| Feature Area           |                                         Lead                                         |
-|------------------------|:------------------------------------------------------------------------------------:|
-| Technical Lead         |               Daniel Jiang [reasonerjt](https://github.com/reasonerjt)               |
-| Kubernetes CSI Liaison |                                                                                      |
-| Deployment             |                                                                                      |
-| Community Management   |            Orlin Vasilev [OrlinVasilev](https://github.com/OrlinVasilev)             |
-| Product Management     | Pradeep Kumar Chaturvedi [pradeepkchaturvedi](https://github.com/pradeepkchaturvedi) |
-

Makefile

@@ -105,8 +105,6 @@ see: https://velero.io/docs/main/build-from-source/#making-images-and-updating-v
 endef
 # comma cannot be escaped and can only be used in Make function arguments by putting into variable
 comma=,
-# The version of restic binary to be downloaded
-RESTIC_VERSION ?= 0.15.0
 
 CLI_PLATFORMS ?= linux-amd64 linux-arm linux-arm64 darwin-amd64 darwin-arm64 windows-amd64 linux-ppc64le linux-s390x
 BUILD_OUTPUT_TYPE ?= docker
@@ -213,6 +211,7 @@ shell: build-dirs build-env
 		-v "$$(pwd)/.go/std/$(GOOS)/$(GOARCH):/usr/local/go/pkg/$(GOOS)_$(GOARCH)_static:delegated" \
 		-v "$$(pwd)/.go/go-build:/.cache/go-build:delegated" \
 		-v "$$(pwd)/.go/golangci-lint:/.cache/golangci-lint:delegated" \
+        -v "$$(pwd)/.go/goimports:/.cache/goimports:delegated" \
 		-w /github.com/vmware-tanzu/velero \
 		$(BUILDER_IMAGE) \
 		/bin/sh $(CMD)
@@ -260,7 +259,6 @@ container-linux:
 	--build-arg=GIT_SHA=$(GIT_SHA) \
 	--build-arg=GIT_TREE_STATE=$(GIT_TREE_STATE) \
 	--build-arg=REGISTRY=$(REGISTRY) \
-	--build-arg=RESTIC_VERSION=$(RESTIC_VERSION) \
 	--provenance=false \
 	--sbom=false \
 	-f $(VELERO_DOCKERFILE) .
@@ -345,7 +343,7 @@ update-crd:
 
 build-dirs:
 	@mkdir -p _output/bin/$(GOOS)/$(GOARCH)
-	@mkdir -p .go/src/$(PKG) .go/pkg .go/bin .go/std/$(GOOS)/$(GOARCH) .go/go-build .go/golangci-lint
+	@mkdir -p .go/src/$(PKG) .go/pkg .go/bin .go/std/$(GOOS)/$(GOARCH) .go/go-build .go/golangci-lint .go/goimports
 
 build-env:
 	@# if we have overridden the value for the build-image Dockerfile,

README.md

@@ -42,13 +42,11 @@ The following is a list of the supported Kubernetes versions for each Velero ver
 
 | Velero version | Expected Kubernetes version compatibility | Tested on Kubernetes version        |
 |----------------|-------------------------------------------|-------------------------------------|
-| 1.17           | 1.18-latest                               | 1.31.7, 1.32.3, 1.33.1, and 1.34.0          |
+| 1.18           | 1.18-latest                               | 1.33.7, 1.34.1, and 1.35.0          |
+| 1.17           | 1.18-latest                               | 1.31.7, 1.32.3, 1.33.1, and 1.34.0  |
 | 1.16           | 1.18-latest                               | 1.31.4, 1.32.3, and 1.33.0          |
 | 1.15           | 1.18-latest                               | 1.28.8, 1.29.8, 1.30.4 and 1.31.1   |
 | 1.14           | 1.18-latest                               | 1.27.9, 1.28.9, and 1.29.4          |
-| 1.13           | 1.18-latest                               | 1.26.5, 1.27.3, 1.27.8, and 1.28.3  |
-| 1.12           | 1.18-latest                               | 1.25.7, 1.26.5, 1.26.7, and 1.27.3  |
-| 1.11           | 1.18-latest                               | 1.23.10, 1.24.9, 1.25.5, and 1.26.1 |
 
 Velero supports IPv4, IPv6, and dual stack environments. Support for this was tested against Velero v1.8.
 

Tiltfile

@@ -52,7 +52,7 @@ git_sha = str(local("git rev-parse HEAD", quiet = True, echo_off = True)).strip(
 
 tilt_helper_dockerfile_header = """
 # Tilt image
-FROM golang:1.24 as tilt-helper
+FROM golang:1.26 as tilt-helper
 
 # Support live reloading with Tilt
 RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com/windmilleng/rerun-process-wrapper/master/restart.sh  && \
@@ -103,11 +103,6 @@ local_resource(
     deps = ["internal", "pkg/cmd"],
 )
 
-local_resource(
-    "restic_binary",
-    cmd = 'cd ' + '.' + ';mkdir -p _tiltbuild/restic; BIN=velero GOOS=linux GOARCH=amd64 GOARM="" RESTIC_VERSION=0.13.1 OUTPUT_DIR=_tiltbuild/restic ./hack/build-restic.sh',
-)
-
 # Note: we need a distro with a bash shell to exec into the Velero container
 tilt_dockerfile_header = """
 FROM ubuntu:22.04 as tilt
@@ -118,7 +113,6 @@ WORKDIR /
 COPY --from=tilt-helper /start.sh .
 COPY --from=tilt-helper /restart.sh .
 COPY velero .
-COPY restic/restic /usr/bin/restic
 """
 
 dockerfile_contents = "\n".join([

changelogs/CHANGELOG-1.18.md

@@ -0,0 +1,109 @@
+## v1.18
+
+### Download
+https://github.com/vmware-tanzu/velero/releases/tag/v1.18.0
+
+### Container Image
+`velero/velero:v1.18.0`
+
+### Documentation
+https://velero.io/docs/v1.18/
+
+### Upgrading
+https://velero.io/docs/v1.18/upgrade-to-1.18/
+
+### Highlights
+#### Concurrent backup
+In v1.18, Velero is capable to process multiple backups concurrently. This is a significant usability improvement, especially for multiple tenants or multiple users case, backups submitted from different users could run their backups simultaneously without interfering with each other.  
+
+Check design https://github.com/vmware-tanzu/velero/blob/main/design/Implemented/concurrent-backup-processing.md for more details.
+
+#### Cache volume for data movers
+In v1.18, Velero allows users to configure cache volumes for data mover pods during restore for CSI snapshot data movement and fs-backup. This brings below benefits:
+- Solve the problem that data mover pods fail to when pod's ephemeral disk is limited
+- Solve the problem that multiple data mover pods fail to run concurrently in one node when the node's ephemeral disk is limited
+- Working together with backup repository's cache limit configuration, cache volume with appropriate size helps to improve the restore throughput
+
+Check design https://github.com/vmware-tanzu/velero/blob/main/design/Implemented/backup-repo-cache-volume.md for more details.
+
+#### Incremental size for data movers
+In v1.18, Velero allows users to observe the incremental size of data movers backups for CSI snapshot data movement and fs-backup, so that users could visually see the data reduction due to incremental backup.
+
+#### Wildcard support for namespaces
+In v1.18, Velero allows to use Glob regular expressions for namespace filters during backup and restore, so that users could filter namespaces in a batch manner.
+
+#### VolumePolicy for PVC phase
+In v1.18, Velero VolumePolicy supports actions by PVC phase, which help users to do special operations for PVCs with a specific phase, e.g., skip PVCs in Pending/Lost status from the backup.  
+
+#### Scalability and Resiliency improvements
+##### Prevent Velero server OOM Kill for large backup repositories
+In v1.18, some backup repository operations are delay executed out of Velero server, so Velero server won't be OOM Killed.
+
+#### Performance improvement for VolumePolicy
+In v1.18, VolumePolicy is enhanced for large number of pods/PVCs so that the performance is significantly improved.
+
+#### Events for data mover pod diagnostic
+In v1.18, events are recorded into data mover pod diagnostic, which allows user to see more information for troubleshooting when the data mover pod fails.
+
+### Runtime and dependencies
+Golang runtime: 1.25.7  
+kopia: 0.22.3
+
+### Limitations/Known issues
+
+### Breaking changes
+#### Deprecation of PVC selected node feature
+According to [Velero deprecation policy](https://github.com/vmware-tanzu/velero/blob/main/GOVERNANCE.md#deprecation-policy), PVC selected node feature is deprecated in v1.18. Velero could appropriately handle PVC's selected-node annotation, so users don't need to do anything particularly.
+
+### All Changes
+* Remove backup from running list when backup fails validation (#9498, @sseago)
+* Maintenance Job only uses the first element of the LoadAffinity array (#9494, @blackpiglet)
+* Fix issue #9478, add diagnose info on expose peek fails (#9481, @Lyndon-Li)
+* Add Role, RoleBinding, ClusterRole, and ClusterRoleBinding in restore sequence. (#9474, @blackpiglet)
+* Add maintenance job and data mover pod's labels and annotations setting. (#9452, @blackpiglet)
+* Fix plugin init container names exceeding DNS-1123 limit (#9445, @mpryc)
+* Add PVC-to-Pod cache to improve volume policy performance (#9441, @shubham-pampattiwar)
+* Remove VolumeSnapshotClass from CSI B/R process. (#9431, @blackpiglet)
+* Use hookIndex for recording multiple restore exec hooks. (#9366, @blackpiglet)
+* Sanitize Azure HTTP responses in BSL status messages (#9321, @shubham-pampattiwar)
+* Remove labels associated with previous backups (#9206, @Joeavaikath)
+* Add VolumePolicy support for PVC Phase conditions to allow skipping Pending PVCs (#9166, @claude)
+* feat: Enhance BackupStorageLocation with Secret-based CA certificate support (#9141, @kaovilai)
+* Add `--apply` flag to `install` command, allowing usage of Kubernetes apply to make changes to existing installs (#9132, @mjnagel)
+* Fix issue #9194, add doc for GOMAXPROCS behavior change (#9420, @Lyndon-Li)
+* Apply volume policies to VolumeGroupSnapshot PVC filtering (#9419, @shubham-pampattiwar)
+* Fix issue #9276, add doc for cache volume support (#9418, @Lyndon-Li)
+* Add Prometheus metrics for maintenance jobs (#9414, @shubham-pampattiwar)
+* Fix issue #9400, connect repo first time after creation so that init params could be written (#9407, @Lyndon-Li)
+* Cache volume for PVR (#9397, @Lyndon-Li)
+* Cache volume support for DataDownload (#9391, @Lyndon-Li)
+* don't copy securitycontext from first container if configmap found (#9389, @sseago)
+* Refactor repo provider interface for static configuration (#9379, @Lyndon-Li)
+* Fix issue #9365, prevent fake completion notification due to multiple update of single PVR (#9375, @Lyndon-Li)
+* Add cache volume configuration (#9370, @Lyndon-Li)
+* Track actual resource names for GenerateName in restore status (#9368, @shubham-pampattiwar)
+* Fix managed fields patch for resources using GenerateName (#9367, @shubham-pampattiwar)
+* Support cache volume for generic restore exposer and pod volume exposer (#9362, @Lyndon-Li)
+* Add incrementalSize to DU/PVB for reporting new/changed size (#9357, @sseago)
+* Add snapshotSize for DataDownload, PodVolumeRestore (#9354, @Lyndon-Li)
+* Add cache dir configuration for udmrepo (#9353, @Lyndon-Li)
+* Fix the Job build error when BackupReposiotry name longer than 63. (#9350, @blackpiglet)
+* Add cache configuration to VGDP (#9342, @Lyndon-Li)
+* Fix issue #9332, add bytesDone for cache files (#9333, @Lyndon-Li)
+* Fix typos in documentation (#9329, @T4iFooN-IX)
+* Concurrent backup processing (#9307, @sseago)
+* VerifyJSONConfigs verify every elements in Data. (#9302, @blackpiglet)
+* Fix issue #9267, add events to data mover prepare diagnostic (#9296, @Lyndon-Li)
+* Add option for privileged fs-backup pod (#9295, @sseago)
+* Fix issue #9193, don't connect repo in repo controller (#9291, @Lyndon-Li)
+* Implement concurrency control for cache of native VolumeSnapshotter plugin. (#9281, @0xLeo258)
+* Fix issue #7904, remove the code and doc for PVC node selection (#9269, @Lyndon-Li)
+* Fix schedule controller to prevent backup queue accumulation during extended blocking scenarios by properly handling empty backup phases (#9264, @shubham-pampattiwar)
+* Fix repository maintenance jobs to inherit allowlisted tolerations from Velero deployment (#9256, @shubham-pampattiwar)
+* Implement wildcard namespace pattern expansion for backup namespace includes/excludes. This change adds support for wildcard patterns (*, ?, [abc], {a,b,c}) in namespace includes and excludes during backup operations (#9255, @Joeavaikath)
+* Protect VolumeSnapshot field from race condition during multi-thread backup (#9248, @0xLeo258)
+* Update AzureAD Microsoft Authentication Library to v1.5.0 (#9244, @priyansh17)
+* Get pod list once per namespace in pvc IBA (#9226, @sseago)
+* Fix issue #7725, add design for backup repo cache configuration (#9148, @Lyndon-Li)
+* Fix issue #9229, don't attach backupPVC to the source node (#9233, @Lyndon-Li)
+* feat: Permit specifying annotations for the BackupPVC (#9173, @clementnuss)

changelogs/unreleased/9173-clementnuss

@@ -1 +0,0 @@
-feat: Permit specifying annotations for the BackupPVC

changelogs/unreleased/9226-sseago

@@ -1 +0,0 @@
-Get pod list once per namespace in pvc IBA

changelogs/unreleased/9233-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9229, don't attach backupPVC to the source node

changelogs/unreleased/9244-priyansh17

@@ -1 +0,0 @@
-Update AzureAD Microsoft Authentication Library to v1.5.0

changelogs/unreleased/9248-0xLeo258

@@ -1 +0,0 @@
-Protect VolumeSnapshot field from race condition during multi-thread backup

changelogs/unreleased/9256-shubham-pampattiwar

@@ -1 +0,0 @@
-Fix repository maintenance jobs to inherit allowlisted tolerations from Velero deployment

changelogs/unreleased/9264-shubham-pampattiwar

@@ -1 +0,0 @@
-Fix schedule controller to prevent backup queue accumulation during extended blocking scenarios by properly handling empty backup phases

changelogs/unreleased/9269-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #7904, remove the code and doc for PVC node selection

changelogs/unreleased/9281-0xLeo258

@@ -1 +0,0 @@
-Implement concurrency control for cache of native VolumeSnapshotter plugin.

changelogs/unreleased/9295-sseago

@@ -1 +0,0 @@
-Add option for privileged fs-backup pod

changelogs/unreleased/9296-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9267, add events to data mover prepare diagnostic

changelogs/unreleased/9302-blackpiglet

@@ -1 +0,0 @@
-VerifyJSONConfigs verify every elements in Data.

changelogs/unreleased/9329-T4iFooN-IX

@@ -1 +0,0 @@
-Fix typos in documentation

changelogs/unreleased/9333-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9332, add bytesDone for cache files

changelogs/unreleased/9403-GabriFedi97

@@ -0,0 +1 @@
+Include InitContainer configured as Sidecars when validating the existence of the target containers configured for the Backup Hooks

changelogs/unreleased/9502-Joeavaikath

@@ -0,0 +1 @@
+Support all glob wildcard characters in namespace validation

changelogs/unreleased/9508-kaovilai

@@ -0,0 +1 @@
+Fix VolumePolicy PVC phase condition filter for unbound PVCs (#9507)

changelogs/unreleased/9516-shubham-pampattiwar

@@ -0,0 +1 @@
+Fix VolumeGroupSnapshot restore failure with Ceph RBD CSI driver by creating stub VolumeGroupSnapshotContent during restore and looking up VolumeSnapshotClass by driver for credential support

changelogs/unreleased/9528-Lyndon-Li

@@ -0,0 +1 @@
+Add block data mover design for block level incremental backup by integrating with Kubernetes CBT

changelogs/unreleased/9532-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9343, include PV topology to data mover pod affinities

changelogs/unreleased/9533-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9496, support customized host os

changelogs/unreleased/9540-sseago

@@ -0,0 +1 @@
+Add custom action type to volume policies

changelogs/unreleased/9547-blackpiglet

@@ -0,0 +1 @@
+If BIA return updateObj with SkipFromBackupAnnotation, treat it as skip the resource from backup.

changelogs/unreleased/9554-testsabirweb

@@ -0,0 +1 @@
+Issue #9544: Add test coverage for S3 bucket name in MRAP ARN notation and fix bucket validation to accept ARN format

changelogs/unreleased/9558-Joeavaikath

@@ -0,0 +1 @@
+Wildcard namespaces: Log warning on empty resolution

changelogs/unreleased/9560-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9475, use node-selector instead of nodName for generic restore

changelogs/unreleased/9561-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9460, flush buffer before data mover completes

changelogs/unreleased/9570-H-M-Quang-Ngo

@@ -0,0 +1 @@
+Add schedule_expected_interval_seconds metric for dynamic backup alerting thresholds (#9559)

changelogs/unreleased/9574-blackpiglet

@@ -0,0 +1 @@
+Add ephemeral storage limit and request support for data mover and maintenance job

changelogs/unreleased/9581-shubham-pampattiwar

@@ -0,0 +1 @@
+Fix DBR stuck when CSI snapshot no longer exists in cloud provider

changelogs/unreleased/9613-pjjw

@@ -0,0 +1 @@
+update go-hclog to current version

changelogs/unreleased/9614-blackpiglet

@@ -0,0 +1 @@
+Add check for file extraction from tarball.

changelogs/unreleased/9628-priyansh17

@@ -0,0 +1 @@
+Implement original VolumeSnapshotContent deletion for legacy backups

changelogs/unreleased/9634-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9626, let go for uninitialized repo under readonly mode

changelogs/unreleased/9638-adam-jian-zhang

@@ -0,0 +1 @@
+Fix issue #9636, fix configmap lookup in non-default namespaces

changelogs/unreleased/9643-priyansh17

@@ -0,0 +1 @@
+Fix issue #9641, Remove redundant ReadyToUse polling in CSI VolumeSnapshotContent delete plugin

changelogs/unreleased/9653-BassinD

@@ -0,0 +1 @@
+Fix service restore with null healthCheckNodePort in last-applied-configuration label

changelogs/unreleased/9654-pierluigilenoci

@@ -0,0 +1 @@
+Fix issue #9658, Honor --stderrthreshold when --logtostderr is enabled

changelogs/unreleased/9663-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9659, in the case that PVB/PVR/DU/DD is cancelled before the data path is really started, call EndEvent to prevent data mover pod from crashing because of delay event distribution

changelogs/unreleased/9668-adam-jian-zhang

@@ -0,0 +1 @@
+Fix issue #9666, fix node-agent node detection in multiple instances scenario

changelogs/unreleased/9676-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9470, remove restic from repository

changelogs/unreleased/9677-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9469, remove restic for uploader

changelogs/unreleased/9682-adam-jian-zhang

@@ -0,0 +1 @@
+Fix issue #9681, fix restores and podvolumerestores list options to only list in installed namespace

changelogs/unreleased/9683-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9428, increase repo maintenance history queue length from 3 to 25

changelogs/unreleased/9684-Joeavaikath

@@ -0,0 +1 @@
+Fix wildcard expansion when includes is empty and excludes has wildcards

changelogs/unreleased/9693-priyansh17

@@ -0,0 +1 @@
+Enhance backup deletion logic to handle tarball download failures

changelogs/unreleased/9695-shubham-pampattiwar

@@ -0,0 +1 @@
+Bump external-snapshotter to v8.4.0 and migrate VolumeGroupSnapshot API from v1beta1 to v1beta2 for Kubernetes 1.34+ compatibility

changelogs/unreleased/9700-priyansh17

@@ -0,0 +1 @@
+Fix issue #9699, add a 2-second gap between temporary CSI VolumeSnapshotContent create and delete operations

changelogs/unreleased/9701-emirot

@@ -0,0 +1 @@
+Update Debian base image from bookworm to trixie

changelogs/unreleased/9704-adam-jian-zhang

@@ -0,0 +1 @@
+Fix issue #9703, fix CSI PVC Backup Plugin list options to only list in installed namespace

changelogs/unreleased/9705-emirot

@@ -0,0 +1 @@
+perf: better string concatenation

changelogs/unreleased/9716-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9709, add interfaces for CBT service and CBT bitmap

changelogs/unreleased/9724-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9723, extend Unified Repo Interface to support block uploader

changelogs/unreleased/9728-blackpiglet

@@ -0,0 +1 @@
+Remove Restic build from Dockerfile, Makefile and Tiltfile.

changelogs/unreleased/9732-blackpiglet

@@ -0,0 +1 @@
+Remove Restic code path from PodVolumeRestore.

changelogs/unreleased/9740-emirot

@@ -0,0 +1 @@
+fix: lint permission issue

cmd/velero-restore-helper/velero-restore-helper.go

@@ -35,7 +35,7 @@ func main() {
 	for {
 		<-ticker.C
 		if done() {
-			fmt.Println("All restic restores are done")
+			fmt.Println("All PodVolumeRestores are done")
 			err := removeFolder()
 			if err != nil {
 				fmt.Println(err)
@@ -65,6 +65,7 @@ func done() bool {
 
 		doneFile := filepath.Join("/restores", child.Name(), ".velero", os.Args[1])
 
+		// #nosec G304,G703 -- doneFile is generated from internal logic and not user-controllable.
 		if _, err := os.Stat(doneFile); os.IsNotExist(err) {
 			fmt.Printf("The filesystem restore done file %s is not found yet. Retry later.\n", doneFile)
 			return false

config/crd/v1/bases/velero.io_backuprepositories.yaml

@@ -69,9 +69,7 @@ spec:
                 - ""
                 type: string
               resticIdentifier:
-                description: |-
-                  ResticIdentifier is the full restic-compatible string for identifying
-                  this repository. This field is only used when RepositoryType is "restic".
+                description: Deprecated
                 type: string
               volumeNamespace:
                 description: |-

config/crd/v1/bases/velero.io_backups.yaml

@@ -594,6 +594,8 @@ spec:
                 description: Phase is the current state of the Backup.
                 enum:
                 - New
+                - Queued
+                - ReadyToStart
                 - FailedValidation
                 - InProgress
                 - WaitingForPluginOperations
@@ -625,6 +627,11 @@ spec:
                       filters that happen as items are processed.
                     type: integer
                 type: object
+              queuePosition:
+                description: |-
+                  QueuePosition is the position of the backup in the queue.
+                  Only relevant when Phase is "Queued"
+                type: integer
               startTimestamp:
                 description: |-
                   StartTimestamp records the time a backup was started.

config/crd/v1/bases/velero.io_backupstoragelocations.yaml

@@ -113,10 +113,38 @@ spec:
                     description: Bucket is the bucket to use for object storage.
                     type: string
                   caCert:
-                    description: CACert defines a CA bundle to use when verifying
-                      TLS connections to the provider.
+                    description: |-
+                      CACert defines a CA bundle to use when verifying TLS connections to the provider.
+                      Deprecated: Use CACertRef instead.
                     format: byte
                     type: string
+                  caCertRef:
+                    description: |-
+                      CACertRef is a reference to a Secret containing the CA certificate bundle to use
+                      when verifying TLS connections to the provider. The Secret must be in the same
+                      namespace as the BackupStorageLocation.
+                    properties:
+                      key:
+                        description: The key of the secret to select from.  Must be
+                          a valid secret key.
+                        type: string
+                      name:
+                        default: ""
+                        description: |-
+                          Name of the referent.
+                          This field is effectively required, but due to backwards compatibility is
+                          allowed to be empty. Instances of this type with an empty value here are
+                          almost certainly wrong.
+                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                        type: string
+                      optional:
+                        description: Specify whether the Secret or its key must be
+                          defined
+                        type: boolean
+                    required:
+                    - key
+                    type: object
+                    x-kubernetes-map-type: atomic
                   prefix:
                     description: Prefix is the path inside a bucket to use for Velero
                       storage. Optional.

config/crd/v1/bases/velero.io_podvolumebackups.yaml

@@ -33,6 +33,12 @@ spec:
       jsonPath: .status.progress.totalBytes
       name: Total Bytes
       type: integer
+    - description: Incremental bytes
+      format: int64
+      jsonPath: .status.incrementalBytes
+      name: Incremental Bytes
+      priority: 10
+      type: integer
     - description: Name of the Backup Storage Location where this backup should be
         stored
       jsonPath: .spec.backupStorageLocation
@@ -189,6 +195,11 @@ spec:
                 format: date-time
                 nullable: true
                 type: string
+              incrementalBytes:
+                description: IncrementalBytes holds the number of bytes new or changed
+                  since the last backup
+                format: int64
+                type: integer
               message:
                 description: Message is a message about the pod volume backup's status.
                 type: string

config/crd/v1/bases/velero.io_podvolumerestores.yaml

@@ -133,6 +133,10 @@ spec:
               snapshotID:
                 description: SnapshotID is the ID of the volume snapshot to be restored.
                 type: string
+              snapshotSize:
+                description: SnapshotSize is the logical size in Bytes of the snapshot.
+                format: int64
+                type: integer
               sourceNamespace:
                 description: SourceNamespace is the original namespace for namaspace
                   mapping.

config/crd/v2alpha1/bases/velero.io_datadownloads.yaml

@@ -108,6 +108,10 @@ spec:
                 description: SnapshotID is the ID of the Velero backup snapshot to
                   be restored from.
                 type: string
+              snapshotSize:
+                description: SnapshotSize is the logical size in Bytes of the snapshot.
+                format: int64
+                type: integer
               sourceNamespace:
                 description: |-
                   SourceNamespace is the original namespace where the volume is backed up from.

config/crd/v2alpha1/bases/velero.io_datauploads.yaml

@@ -33,6 +33,12 @@ spec:
       jsonPath: .status.progress.totalBytes
       name: Total Bytes
       type: integer
+    - description: Incremental bytes
+      format: int64
+      jsonPath: .status.incrementalBytes
+      name: Incremental Bytes
+      priority: 10
+      type: integer
     - description: Name of the Backup Storage Location where this backup should be
         stored
       jsonPath: .spec.backupStorageLocation
@@ -173,6 +179,11 @@ spec:
                   as a result of the DataUpload.
                 nullable: true
                 type: object
+              incrementalBytes:
+                description: IncrementalBytes holds the number of bytes new or changed
+                  since the last backup
+                format: int64
+                type: integer
               message:
                 description: Message is a message about the DataUpload's status.
                 type: string

design/Implemented/apply-flag.md

@@ -0,0 +1,70 @@
+# Apply flag for install command
+
+## Abstract
+Add an `--apply` flag to the install command that enables applying existing resources rather than creating them. This can be useful as part of the upgrade process for existing installations.
+
+## Background
+The current Velero install command creates resources but doesn't provide a direct way to apply updates to an existing installation.
+Users attempting to run the install command on an existing installation receive "already exists" messages.
+Upgrade steps for existing installs typically involve a three (or more) step process to apply updated CRDs (using `--dry-run` and piping to `kubectl apply`) and then updating/setting images on the Velero deployment and node-agent.
+
+## Goals
+- Provide a simple flag to enable applying resources on an existing Velero installation.
+- Use server-side apply to update existing resources rather than attempting to create them.
+- Maintain consistency with the regular install flow.
+
+## Non Goals
+- Implement special logic for specific version-to-version upgrades (i.e. resource deletion, etc).
+- Add complex upgrade validation or pre/post-upgrade hooks.
+- Provide rollback capabilities.
+
+## High-Level Design
+The `--apply` flag will be added to the Velero install command.
+When this flag is set, the installation process will use server-side apply to update existing resources instead of using create on new resources.
+This flag can be used as _part_ of the upgrade process, but will not always fully handle an upgrade.
+
+## Detailed Design
+The implementation adds a new boolean flag `--apply` to the install command.
+This flag will be passed through to the underlying install functions where the resource creation logic resides.
+
+When the flag is set to true:
+- The `createOrApplyResource` function will use server-side apply with field manager "velero-cli" and `force=true` to update resources.
+- Resources will be applied in the same order as they would be created during installation.
+- Custom Resource Definitions will still be processed first, and the system will wait for them to be established before continuing.
+
+The server-side apply approach with `force=true` ensures that resources are updated even if there are conflicts with the last applied state.
+This provides a best-effort mechanism to apply resources that follows the same flow as installation but updates resources instead of creating them.
+
+No special handling is added for specific versions or resource structures, making this a general-purpose mechanism for applying resources.
+
+## Alternatives Considered
+1. Creating a separate `upgrade` command that would duplicate much of the install command logic.
+   - Rejected due to code duplication and maintenance overhead.
+
+2. Implementing version-specific upgrade logic to handle breaking changes between versions.
+   - Rejected as overly complex and difficult to maintain across multiple version paths.
+   - This could be considered again in the future, but is not in the scope of the current design.
+
+3. Adding automatic detection of existing resources and switching to apply mode.
+   - Rejected as it could lead to unexpected behavior and confusion if users unintentionally apply changes to existing resources.
+
+## Security Considerations
+The apply flag maintains the same security profile as the install command.
+No additional permissions are required beyond what is needed for resource creation.
+The use of `force=true` with server-side apply could potentially override manual changes made to resources, but this is a necessary trade-off to ensure apply is successful.
+
+## Compatibility
+This enhancement is compatible with all existing Velero installations as it is a new opt-in flag.
+It does not change any resource formats or API contracts.
+The apply process is best-effort and does not guarantee compatibility between arbitrary versions of Velero.
+Users should still consult release notes for any breaking changes that may require manual intervention.
+This flag could be adopted by the helm chart, specifically for CRD updates, to simplify the CRD update job.
+
+## Implementation
+The implementation involves:
+1. Adding support for `Apply` to the existing Kubernetes client code.
+1. Adding the `--apply` flag to the install command options.
+1. Changing `createResource` to `createOrApplyResource` and updating it to use server-side apply when the `apply` boolean is set.
+
+The implementation is straightforward and follows existing code patterns.
+No migration of state or special handling of specific resources is required.

design/Implemented/backup-repo-cache-volume.md

@@ -0,0 +1,231 @@
+# Backup Repository Cache Volume Design
+
+## Glossary & Abbreviation
+
+**Backup Storage**: The storage to store the backup data. Check [Unified Repository design][1] for details.  
+**Backup Repository**: Backup repository is layered between BR data movers and Backup Storage to provide BR related features that is introduced in [Unified Repository design][1].  
+**Velero Generic Data Path (VGDP)**: VGDP is the collective of modules that is introduced in [Unified Repository design][1]. Velero uses these modules to finish data transfer for various purposes (i.e., PodVolume backup/restore, Volume Snapshot Data Movement). VGDP modules include uploaders and the backup repository.  
+**Data Mover Pods**: Intermediate pods which hold VGDP and complete the data transfer. See [VGDP Micro Service for Volume Snapshot Data Movement][2] and [VGDP Micro Service For fs-backup][3] for details.  
+**Repository Maintenance Pods**: Pods for [Repository Maintenance Jobs][4], which holds VGDP to run repository maintenance.    
+
+## Background
+
+According to the [Unified Repository design][1] Velero uses selectable backup repositories for various backup/restore methods, i.e., fs-backup, volume snapshot data movement, etc. Some backup repositories may need to cache data on the client side for various repository operation, so as to accelerate the execution.  
+In the existing [Backup Repository Configuration][5], we allow users to configure the cache data size (`cacheLimitMB`). However, the cache data is still stored in the root file system of data mover pods/repository maintenance pods, so stored in the root file system of the node. This is not good enough, reasons:  
+- In many distributions, the node's system disk size is predefined, non configurable and limit, e.g., the system disk size may be 20G or less
+- Velero supports concurrent data movements in each node. The cache in each of the concurrent data mover pods could quickly run out of the system disk and cause problems like pod eviction, failure of pod creation, degradation of Kubernetes QoS, etc.  
+
+We need to allow users to prepare a dedicated location, e.g., a dedictated volume, for the cache.  
+Not all backup repositories or not all backup repository operations require cache, we need to define the details when and how the cache is used.  
+
+## Goals
+
+- Create a mechanism for users to configure cache volumes for various pods running VGDP
+- Design the workflow to assign the cache volume pod path to backup repositories
+- Describe when and how the cache volume is used 
+
+## Non-Goals
+
+- The solution is based on [Unified Repository design][1], [VGDP Micro Service for Volume Snapshot Data Movement][2] and [VGDP Micro Service For fs-backup][3], legacy data paths are not supported. E.g., when a pod volume restore (PVR) runs with legacy Restic path, if any data is cached, the cache still resides in the root file system.  
+
+## Solution
+
+### Cache Data
+
+Varying on backup repositoires, cache data may include payload data or repository metadata, e.g., indexes to the payload data chunks.  
+
+Payload data is highly related to the backup data, and normally take the majority of the repository data as well as the cache data.
+
+Repository metadata is related to the backup repository's chunking algorithm, data chunk mapping method, etc, and so the size is not proportional to the backup data size.  
+On the other hand for some backup repository, in extreme cases, the repository metadata may be significantly large. E.g., Kopia's indexes are per chunks, if there are huge number of small files in the repository, Kopia's index data may be in the same level of or even larger than the payload data.    
+However, in the cases that repository metadata data become the majority, other bottlenecks may emerge and concurrency of data movers may be significantly constrained, so the requirement to cache volumes may go away.  
+
+Therefore, for now we only consider the cache volume requirement for payload data, and leave the consideration for metadata as a future enhancement.  
+
+### Scenarios
+
+Backup repository cache varies on backup repositories and backup repository operation during VGDP runs. Below are the scenarios when VGDP runs:
+- Data Upload for Backup: this is the process to upload/write the backup data into the backup repository, e.g., DataUpload or PodVolumeBackup. The pieces of data is almost directly written to the repository, sometimes with a small group staying shortly in the local place. That is to say, there should not be large scale data cached for this scenario, so we don't prepare dedicated cache for this scenario.
+- Repository Maintenance: Repository maintenance most often visits the backup repository's metadata and sometimes it needs to visit the file system directories from the backed up data. On the other hand, it is not practical to run concurrent maintenance jobs in one node. So the cache data is neither large nor affect the root file system too much. Therefore, we don't need to prepare dedicated cache for this scenario.
+- Data Download for Restore: this is the process to download/read the backup data from the backup repository during restore, e.g., DataDownload or PodVolumeRestore. For backup repositories for which data are stored in remote backup storages (e.g., Kopia repository stores data in remote object stores), large scale of data are cached locally to accerlerate the restore. Therefore, we need dedicate cache volumes for this scenario.  
+- Backup Deletion: During this scenario, backup repository is connected, metadata is enumerated to find the repository snapshot representing the backup data. That is to say, only metadata is cached if any. Therefore, dedicated cache volumes are not required in this scenario.
+
+The above analyses are based on the common behavior of backup repositories and they are not considering the case that backup repository metadata takes majority or siginficant proportion of the cache data.   
+As a conclusion of the analyses, we will create dedicated cache volumes for restore scenarios.  
+For other scenarios, we can add them regarded to the future changes/requirements. The mechanism to expose and connect the cache volumes should work for all scenarios. E.g., if we need to consider the backup repository metadata case, we may need cache volumes for backup and repository maintenance as well, then we can just reuse the same cache volume provision and connection mechanism to backup and repository maintenance scenarios.   
+
+### Cache Data and Lifecycle
+
+If available, one cache volume is dedicately assigned to one data mover pod. That is, the cached data is destroyed when the data mover pod completes. Then the backup repository instance also closes.    
+Cache data are fully managed by the specific backup repository. So the backup repository may also have its own way to GC the cache data.  
+That is to say, cache data GC may be launched by the backup repository instance during the running of the data mover pod; then the left data are automatically destroyed when the data mover pod and the cache PVC are destroyed (cache PVC's `reclaimPolicy` is always `Deleted`, so once the cache PVC is destroyed, the volume will also be destroyed). So no specially logics are needed for cache data GC.  
+
+### Data Size
+
+Cache volumes take storage space and cluster resources (PVC, PV), therefore, cache volumes should be created only when necessary and the volumes should be with reasonable size based on the cache data size:  
+- It is not a good bargain to have cache volumes for small backups, small backups will use resident cache location (the cache location in the root file system)
+- The cache data size has a limit, the existing `cacheLimitMB` is used for this purpose. E.g., it could be set as 1024 for a 1TB backup, which means 1GB of data is cached and the old cache data exceeding this size will be cleared. Therefore, it is meaningless to set the cache volume size much larger than `cacheLimitMB`
+
+### Cache Volume Size
+
+The cache volume size is calculated from below factors (for Restore scenarios):  
+- **Limit**: The limit of the cache data, that is represented by `cacheLimitMB`, the default value is 5GB
+- **backupSize**: The size of the backup as a reference to evaluate whether to create a cache volume. It doesn't mean the backup data really decides the cache data all the time, it is just a reference to evaluate the scale of the backup, small scale backups may need small cache data. Sometimes, backupSize is not irrelevant to the size of cache data, in this case, ResidentThreshold should not be set, Limit will be used directly. It is unlikely that backupSize is unavailable, but once that happens, ResidentThreshold is ignored, Limit will be used directly.  
+- **ResidentThreshold**: The minimum backup size that a cache volume is created
+- **InflationPercentage**: Considering the overhead of the file system and the possible delay of the cache cleanup, there should be an inflation for the final volume size vs. the logical size, otherwise, the cache volume may be overrun. This inflation percentage is hardcoded, e.g., 20%. 
+
+A formula is as below:  
+```
+cacheVolumeSize = ((backupSize != 0 ? (backupSize > residentThreshold ? limit : 0) : limit) * (100 + inflationPercentage)) / 100
+```
+Finally, the `cacheVolumeSize` will be rounded up to GiB considering the UX friendliness, storage friendliness and management friendliness.    
+
+### PVC/PV
+
+The PVC for a cache volume is created in Velero namespace and a storage class is required for the cache PVC. The PVC's accessMode is `ReadWriteOnce` and volumeMode is `FileSystem`, so the storage class provided should support this specification. Otherwise, if the storageclass doesn't support either of the specifications, the data mover pod may be hang in `Pending` state until a timeout setting with the data movement (e.g. `prepareTimeout`) and the data movement will finally fail.  
+It is not expected that the cache volume is retained after data mover pod is deleted, so the `reclaimPolicy` for the storageclass must be `Delete`.  
+
+To detect the problems in the storageclass and fail earlier, a validation is applied to the storageclass and once the validation fails, the cache configuration will be ignored, so the data mover pod will be created without a cache volume.  
+
+### Cache Volume Configurations
+
+Below configurations are introduced:
+- **residentThresholdMB**: the minimum data size(in MB) to be processed (if available) that a cache volume is created
+- **cacheStorageClass**: the name of the storage class to provision the cache PVC
+
+Not like `cacheLimitMB` which is set to and affect the backup repository, the above two configurations are actually data mover configurations of how to create cache volumes to data mover pods; and the two configurations don't need to be per backup repository. So we add them to the node-agent Configuration.  
+
+### Sample
+
+Below are some examples of the node-agent configMap with the configurations:
+
+Sample-1:  
+```json
+{
+    "cacheVolume": {
+        "storageClass": "sc-1",
+        "residentThresholdMB": 1024        
+    }
+}
+```
+
+Sample-2:  
+```json
+{
+    "cacheVolume": {
+        "storageClass": "sc-1",       
+    }
+}
+```
+
+Sample-3:  
+```json
+{
+    "cacheVolume": {
+        "residentThresholdMB": 1024        
+    }
+}
+```
+
+**sample-1**: This is a valid configuration. Restores with backup data size larger than 1G will be assigned a cache volume using storage class `sc-1`.  
+**sample-2**: This is a valid configuration. Data mover pods are always assigned a cache volume using storage class `sc-1`.  
+**sample-3**: This is not a valid configuration because the storage class is absent. Velero gives up creating a cache volume.   
+
+To create the configMap, users need to save something like the above sample to a json file and then run below command:
+```
+kubectl create cm <ConfigMap name> -n velero --from-file=<json file name>
+```
+
+The cache volume configurations will be visited by node-agent server, so they also need to specify the `--node-agent-configmap` to the `velero node-agent` parameters.  
+
+## Detailed Design
+
+### Backup and Restore
+
+The restore needs to know the backup size so as to calculate the cache volume size, some new fields are added to the DataDownload and PodVolumeRestore CRDs.  
+
+`snapshotSize` field is also added to DataDownload and PodVolumeRestore's `spec`:
+```yaml
+          spec:
+              snapshotID:
+                description: SnapshotID is the ID of the Velero backup snapshot to
+                  be restored from.
+                type: string
+              snapshotSize:
+                description: SnapshotSize is the logical size of the snapshot.
+                format: int64
+                type: integer
+```
+
+`snapshotSize` represents the total size of the backup; during restore, the value is transferred from DataUpload/PodVolumeBackup's `Status.Progress.TotalBytes` to DataDownload/PodVolumeRestore.    
+
+It is unlikely that `Status.Progress.TotalBytes` from DataUpload/PodVolumeBackup is unavailable, but once it happens, according to the above formula, `residentThresholdMB` is ignored, cache volume size is calculated directly from cache limit for the corresponding backup repository.  
+
+### Exposer
+
+Cache volume configurations are retrieved by node-agent and passed through DataDownload/PodVolumeRestore to GenericRestore exposer/PodVolume exposer.  
+The exposers are responsible to calculate cache volume size, create cache PVCs and mount them to the restorePods.  
+If the calculated cache volume size is 0, or any of the critical parameters is missing (e.g., cache volume storage class), the exposers ignore the cache volume configuration and continue with creating restorePods without cache volumes, so no impact to the result of the restore.  
+
+Exposers mount the cache volume to a predefined directory and pass the directory to the data mover pods through the `cache-volume-path` parameter.  
+
+Below data structure is added to the exposers' expose parameters:  
+
+```go
+type GenericRestoreExposeParam struct {
+	// RestoreSize specifies the data size for the volume to be restored
+	RestoreSize int64
+
+	// CacheVolume specifies the info for cache volumes
+	CacheVolume *CacheVolumeInfo
+}
+
+type PodVolumeExposeParam struct {
+	// RestoreSize specifies the data size for the volume to be restored
+	RestoreSize int64
+
+	// CacheVolume specifies the info for cache volumes
+	CacheVolume *repocache.CacheConfigs
+}
+
+type CacheConfigs struct {
+	// StorageClass specifies the storage class for cache volumes
+	StorageClass string
+
+	// Limit specifies the maximum size of the cache data
+	Limit int64
+
+	// ResidentThreshold specifies the minimum size of the cache data to create a cache volume
+	ResidentThreshold int64
+}
+```
+
+### Data Mover Pods
+
+Data mover pods retrieve the cache volume directory from `cache-volume-path` parameter and pass it to Unified Repository.  
+If the directory is empty, Unified Repository uses the resident location for data cache, that is, the root file system.  
+
+### Kopia Repository
+
+Kopia repository supports cache directory configuration for both metadata and data. The existing `SetupConnectOptions` is modified to customize the `CacheDirectory`:  
+
+```go
+func SetupConnectOptions(ctx context.Context, repoOptions udmrepo.RepoOptions) repo.ConnectOptions {
+    ...
+
+	return repo.ConnectOptions{
+		CachingOptions: content.CachingOptions{
+			CacheDirectory: cacheDir,
+			...
+		},
+		...
+	}
+}
+```  
+
+
+[1]: Implemented/unified-repo-and-kopia-integration/unified-repo-and-kopia-integration.md
+[2]: Implemented/vgdp-micro-service/vgdp-micro-service.md
+[3]: Implemented/vgdp-micro-service-for-fs-backup/vgdp-micro-service-for-fs-backup.md
+[4]: Implemented/repo_maintenance_job_config.md
+[5]: Implemented/backup-repo-config.md

design/Implemented/bsl-certificate-support_design.md

@@ -0,0 +1,417 @@
+# Design for BSL Certificate Support Enhancement
+
+## Abstract
+
+This design document describes the enhancement of BackupStorageLocation (BSL) certificate management in Velero, introducing a Secret-based certificate reference mechanism (`caCertRef`) alongside the existing inline certificate field (`caCert`). This enhancement provides a more secure, Kubernetes-native approach to certificate management while enabling future CLI improvements for automatic certificate discovery.
+
+## Background
+
+Currently, Velero supports TLS certificate verification for object storage providers through an inline `caCert` field in the BSL specification. While functional, this approach has several limitations:
+
+- **Security**: Certificates are stored directly in the BSL YAML, potentially exposing sensitive data
+- **Management**: Certificate rotation requires updating the BSL resource itself
+- **CLI Usability**: Users must manually specify certificates when using CLI commands
+- **Size Limitations**: Large certificate bundles can make BSL resources unwieldy
+
+Issue #9097 and PR #8557 highlight the need for improved certificate management that addresses these concerns while maintaining backward compatibility.
+
+## Goals
+
+- Provide a secure, Secret-based certificate storage mechanism
+- Maintain full backward compatibility with existing BSL configurations
+- Enable future CLI enhancements for automatic certificate discovery
+- Simplify certificate rotation and management
+- Provide clear migration path for existing users
+
+## Non-Goals
+
+- Removing support for inline certificates immediately
+- Changing the behavior of existing BSL configurations
+- Implementing client-side certificate validation
+- Supporting certificates from ConfigMaps or other resource types
+
+## High-Level Design
+
+### API Changes
+
+#### New Field: CACertRef
+
+```go
+type ObjectStorageLocation struct {
+    // Existing field (now deprecated)
+    // +optional
+    // +kubebuilder:deprecatedversion:warning="caCert is deprecated, use caCertRef instead"
+    CACert []byte `json:"caCert,omitempty"`
+
+    // New field for Secret reference
+    // +optional
+    CACertRef *corev1api.SecretKeySelector `json:"caCertRef,omitempty"`
+}
+```
+
+The `SecretKeySelector` follows standard Kubernetes patterns:
+```go
+type SecretKeySelector struct {
+    // Name of the Secret
+    Name string `json:"name"`
+    // Key within the Secret
+    Key string `json:"key"`
+}
+```
+
+### Certificate Resolution Logic
+
+The system follows a priority-based resolution:
+
+1. If `caCertRef` is specified, retrieve certificate from the referenced Secret
+2. If `caCert` is specified (and `caCertRef` is not), use the inline certificate
+3. If neither is specified, no custom CA certificate is used
+
+### Validation
+
+BSL validation ensures mutual exclusivity:
+```go
+func (bsl *BackupStorageLocation) Validate() error {
+    if bsl.Spec.ObjectStorage != nil &&
+        bsl.Spec.ObjectStorage.CACert != nil &&
+        bsl.Spec.ObjectStorage.CACertRef != nil {
+        return errors.New("cannot specify both caCert and caCertRef in objectStorage")
+    }
+    return nil
+}
+```
+
+## Detailed Design
+
+### BSL Controller Changes
+
+The BSL controller incorporates validation during reconciliation:
+
+```go
+func (r *backupStorageLocationReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
+    // ... existing code ...
+    
+    // Validate BSL configuration
+    if err := location.Validate(); err != nil {
+        r.logger.WithError(err).Error("BSL validation failed")
+        return ctrl.Result{}, err
+    }
+    
+    // ... continue reconciliation ...
+}
+```
+
+### Repository Provider Integration
+
+All repository providers implement consistent certificate handling:
+
+```go
+func configureCACert(bsl *velerov1api.BackupStorageLocation, credGetter *credentials.CredentialGetter) ([]byte, error) {
+    if bsl.Spec.ObjectStorage == nil {
+        return nil, nil
+    }
+
+    // Prefer caCertRef (new method)
+    if bsl.Spec.ObjectStorage.CACertRef != nil {
+        certString, err := credGetter.FromSecret.Get(bsl.Spec.ObjectStorage.CACertRef)
+        if err != nil {
+            return nil, errors.Wrap(err, "error getting CA certificate from secret")
+        }
+        return []byte(certString), nil
+    }
+
+    // Fall back to caCert (deprecated)
+    if bsl.Spec.ObjectStorage.CACert != nil {
+        return bsl.Spec.ObjectStorage.CACert, nil
+    }
+
+    return nil, nil
+}
+```
+
+### CLI Certificate Discovery Integration
+
+#### Background: PR #8557 Implementation
+PR #8557 ("CLI automatically discovers and uses cacert from BSL") was merged in August 2025, introducing automatic CA certificate discovery from BackupStorageLocation for Velero CLI download operations. This eliminated the need for users to manually specify the `--cacert` flag when performing operations like `backup describe`, `backup download`, `backup logs`, and `restore logs`.
+
+#### Current Implementation (Post PR #8557)
+The CLI now automatically discovers certificates from BSL through the `pkg/cmd/util/cacert/bsl_cacert.go` module:
+
+```go
+// Current implementation only supports inline caCert
+func GetCACertFromBSL(ctx context.Context, client kbclient.Client, namespace, bslName string) (string, error) {
+    // ... fetch BSL ...
+    if bsl.Spec.ObjectStorage != nil && len(bsl.Spec.ObjectStorage.CACert) > 0 {
+        return string(bsl.Spec.ObjectStorage.CACert), nil
+    }
+    return "", nil
+}
+```
+
+#### Enhancement with caCertRef Support
+This design extends the existing CLI certificate discovery to support the new `caCertRef` field:
+
+```go
+// Enhanced implementation supporting both caCert and caCertRef
+func GetCACertFromBSL(ctx context.Context, client kbclient.Client, namespace, bslName string) (string, error) {
+    // ... fetch BSL ...
+
+    // Prefer caCertRef over inline caCert
+    if bsl.Spec.ObjectStorage.CACertRef != nil {
+        secret := &corev1api.Secret{}
+        key := types.NamespacedName{
+            Name:      bsl.Spec.ObjectStorage.CACertRef.Name,
+            Namespace: namespace,
+        }
+        if err := client.Get(ctx, key, secret); err != nil {
+            return "", errors.Wrap(err, "error getting certificate secret")
+        }
+
+        certData, ok := secret.Data[bsl.Spec.ObjectStorage.CACertRef.Key]
+        if !ok {
+            return "", errors.Errorf("key %s not found in secret",
+                bsl.Spec.ObjectStorage.CACertRef.Key)
+        }
+        return string(certData), nil
+    }
+
+    // Fall back to inline caCert (deprecated)
+    if bsl.Spec.ObjectStorage.CACert != nil {
+        return string(bsl.Spec.ObjectStorage.CACert), nil
+    }
+
+    return "", nil
+}
+```
+
+#### Certificate Resolution Priority
+
+The CLI follows this priority order for certificate resolution:
+
+1. **`--cacert` flag** - Manual override, highest priority
+2. **`caCertRef`** - Secret-based certificate (recommended)
+3. **`caCert`** - Inline certificate (deprecated)
+4. **System certificate pool** - Default fallback
+
+#### User Experience Improvements
+
+With both PR #8557 and this enhancement:
+
+```bash
+# Automatic discovery - works with both caCert and caCertRef
+velero backup describe my-backup
+velero backup download my-backup
+velero backup logs my-backup
+velero restore logs my-restore
+
+# Manual override still available
+velero backup describe my-backup --cacert /custom/ca.crt
+
+# Debug output shows certificate source
+velero backup download my-backup --log-level=debug
+# [DEBUG] Resolved CA certificate from BSL 'default' Secret 'storage-ca-cert' key 'ca-bundle.crt'
+```
+
+#### RBAC Considerations for CLI
+
+CLI users need read access to Secrets when using `caCertRef`:
+
+```yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: velero-cli-user
+  namespace: velero
+rules:
+- apiGroups: ["velero.io"]
+  resources: ["backups", "restores", "backupstoragelocations"]
+  verbs: ["get", "list"]
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+  # Limited to secrets referenced by BSLs
+```
+
+### Migration Strategy
+
+#### Phase 1: Introduction (Current)
+- Add `caCertRef` field
+- Mark `caCert` as deprecated
+- Both fields supported, mutual exclusivity enforced
+
+#### Phase 2: Migration Period
+- Documentation and tools to help users migrate
+- Warning messages for `caCert` usage
+- CLI enhancements to leverage `caCertRef`
+
+#### Phase 3: Future Removal
+- Remove `caCert` field in major version update
+- Provide migration tool for automatic conversion
+
+## User Experience
+
+### Creating a BSL with Certificate Reference
+
+1. Create a Secret containing the CA certificate:
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: storage-ca-cert
+  namespace: velero
+type: Opaque
+data:
+  ca-bundle.crt: <base64-encoded-certificate>
+```
+
+2. Reference the Secret in BSL:
+```yaml
+apiVersion: velero.io/v1
+kind: BackupStorageLocation
+metadata:
+  name: default
+  namespace: velero
+spec:
+  provider: aws
+  objectStorage:
+    bucket: my-bucket
+    caCertRef:
+      name: storage-ca-cert
+      key: ca-bundle.crt
+```
+
+### Certificate Rotation
+
+With Secret-based certificates:
+```bash
+# Update the Secret with new certificate
+kubectl create secret generic storage-ca-cert \
+  --from-file=ca-bundle.crt=new-ca.crt \
+  --dry-run=client -o yaml | kubectl apply -f -
+
+# No BSL update required - changes take effect on next use
+```
+
+### CLI Usage Examples
+
+#### Immediate Benefits
+- No change required for existing workflows
+- Certificate validation errors include helpful context
+
+#### Future CLI Enhancements
+```bash
+# Automatic certificate discovery
+velero backup download my-backup
+
+# Manual override still available
+velero backup download my-backup --cacert /custom/ca.crt
+
+# Debug certificate resolution
+velero backup download my-backup --log-level=debug
+# [DEBUG] Resolved CA certificate from BSL 'default' Secret 'storage-ca-cert'
+```
+
+## Security Considerations
+
+### Advantages of Secret-based Storage
+
+1. **Encryption at Rest**: Secrets are encrypted in etcd
+2. **RBAC Control**: Fine-grained access control via Kubernetes RBAC
+3. **Audit Trail**: Secret access is auditable
+4. **Separation of Concerns**: Certificates separate from configuration
+
+### Required Permissions
+
+The Velero server requires additional RBAC permissions:
+```yaml
+- apiGroups: [""]
+  resources: ["secrets"]
+  verbs: ["get"]
+  # Scoped to secrets referenced by BSLs
+```
+
+## Compatibility
+
+### Backward Compatibility
+
+- Existing BSLs with `caCert` continue to function unchanged
+- No breaking changes to API
+- Gradual migration path
+
+### Forward Compatibility
+
+- Design allows for future enhancements:
+  - Multiple certificate support
+  - Certificate chain validation
+  - Automatic certificate discovery from cloud providers
+
+## Implementation Phases
+
+### Phase 1: Core Implementation ✓ (Current PR)
+- API changes with new `caCertRef` field
+- Controller validation
+- Repository provider updates
+- Basic testing
+
+### Phase 2: CLI Enhancement (Future)
+- Automatic certificate discovery in CLI
+- Enhanced error messages
+- Debug logging for certificate resolution
+
+### Phase 3: Migration Tools (Future)
+- Automated migration scripts
+- Validation tools
+- Documentation updates
+
+## Testing
+
+### Unit Tests
+- BSL validation logic
+- Certificate resolution in providers
+- Controller behavior
+
+### Integration Tests
+- End-to-end backup/restore with `caCertRef`
+- Certificate rotation scenarios
+- Migration from `caCert` to `caCertRef`
+
+### Manual Testing Scenarios
+1. Create BSL with `caCertRef`
+2. Perform backup/restore operations
+3. Rotate certificate in Secret
+4. Verify continued operation
+
+## Documentation
+
+### User Documentation
+- Migration guide from `caCert` to `caCertRef`
+- Examples for common cloud providers
+- Troubleshooting guide
+
+### API Documentation
+- Updated API reference
+- Deprecation notices
+- Field descriptions
+
+## Alternatives Considered
+
+### ConfigMap-based Storage
+- Pros: Similar to Secrets, simpler API
+- Cons: Not designed for sensitive data, no encryption at rest
+- Decision: Secrets are the Kubernetes-standard for sensitive data
+
+### External Certificate Management
+- Pros: Integration with cert-manager, etc.
+- Cons: Additional complexity, dependencies
+- Decision: Keep it simple, allow users to manage certificates as needed
+
+### Immediate Removal of Inline Certificates
+- Pros: Cleaner API, forces best practices
+- Cons: Breaking change, migration burden
+- Decision: Gradual deprecation respects existing users
+
+## Conclusion
+
+This design provides a secure, Kubernetes-native approach to certificate management in Velero while maintaining backward compatibility. It establishes the foundation for enhanced CLI functionality and improved user experience, addressing the concerns raised in issue #9097 and enabling the features proposed in PR #8557.
+
+The phased approach ensures smooth migration for existing users while delivering immediate security benefits for new deployments.

design/Implemented/wildcard-namespace-support-design.md

@@ -0,0 +1,115 @@
+
+# Wildcard Namespace Support
+
+## Abstract
+
+Velero currently treats namespace patterns with glob characters as literal strings. This design adds wildcard expansion to support flexible namespace selection using patterns like `app-*` or `test-{dev,staging}`.
+
+## Background
+
+Requested in [#1874](https://github.com/vmware-tanzu/velero/issues/1874) for more flexible namespace selection.
+
+## Goals
+
+- Support glob pattern expansion in namespace includes/excludes
+- Maintain backward compatibility with existing `*` behavior
+
+## Non-Goals
+
+- Complex regex patterns beyond basic globs
+
+## High-Level Design
+
+Wildcard expansion occurs early in both backup and restore flows, converting patterns to literal namespace lists before normal processing.
+
+### Backup Flow
+
+Expansion happens in `getResourceItems()` before namespace collection:
+1. Check if wildcards exist using `ShouldExpandWildcards()`
+2. Expand patterns against active cluster namespaces
+3. Replace includes/excludes with expanded literal namespaces
+4. Continue with normal backup processing
+
+### Restore Flow
+
+Expansion occurs in `execute()` after parsing backup contents:
+1. Extract available namespaces from backup tar
+2. Expand patterns against backup namespaces (not cluster namespaces)
+3. Update restore context with expanded namespaces
+4. Continue with normal restore processing
+
+This ensures restore wildcards match actual backup contents, not current cluster state.
+
+## Detailed Design
+
+### Status Fields
+
+Add wildcard expansion tracking to backup and restore CRDs:
+
+```go
+type WildcardNamespaceStatus struct {
+    // IncludeWildcardMatches records namespaces that matched include patterns
+    // +optional
+    IncludeWildcardMatches []string `json:"includeWildcardMatches,omitempty"`
+    
+    // ExcludeWildcardMatches records namespaces that matched exclude patterns  
+    // +optional
+    ExcludeWildcardMatches []string `json:"excludeWildcardMatches,omitempty"`
+    
+    // WildcardResult records final namespaces after wildcard processing
+    // +optional
+    WildcardResult []string `json:"wildcardResult,omitempty"`
+}
+
+// Added to both BackupStatus and RestoreStatus
+type BackupStatus struct {
+    // WildcardNamespaces contains wildcard expansion results
+    // +optional
+    WildcardNamespaces *WildcardNamespaceStatus `json:"wildcardNamespaces,omitempty"`
+}
+```
+
+### Wildcard Expansion Package
+
+New `pkg/util/wildcard/expand.go` package provides:
+
+- `ShouldExpandWildcards()` - Skip expansion for simple "*" case
+- `ExpandWildcards()` - Main expansion function using `github.com/gobwas/glob`
+- Pattern validation rejecting unsupported regex symbols
+
+**Supported patterns**: `*`, `?`, `[abc]`, `{a,b,c}`  
+**Unsupported**: `|()`, `**`
+
+### Implementation Details
+
+#### Backup Integration (`pkg/backup/item_collector.go`)
+
+Expansion in `getResourceItems()`:
+- Call `wildcard.ExpandWildcards()` with cluster namespaces
+- Update `NamespaceIncludesExcludes` with expanded results
+- Populate status fields with expansion results
+
+#### Restore Integration (`pkg/restore/restore.go`)
+
+Expansion in `execute()`:
+```go
+if wildcard.ShouldExpandWildcards(includes, excludes) {
+    availableNamespaces := extractNamespacesFromBackup(backupResources)
+    expandedIncludes, expandedExcludes, err := wildcard.ExpandWildcards(
+        availableNamespaces, includes, excludes)
+    // Update context and status
+}
+```
+
+## Alternatives Considered
+
+1. **Client-side expansion**: Rejected because it wouldn't work for scheduled backups
+2. **Expansion in `collectNamespaces`**: Rejected because these functions expect literal namespaces
+
+## Compatibility
+
+Maintains full backward compatibility - existing "*" behavior unchanged.
+
+## Implementation
+
+Target: Velero 1.18