Merge pull request #8834 from Lyndon-Li/release-1.16

Pin velero image for 1.16.0
pin velero image
2026-06-10 00:03:10 +00:00 · 2025-03-31 15:15:43 +08:00 · 2025-03-31 13:39:27 +08:00
1425 changed files with 17515 additions and 87958 deletions
@@ -7,10 +7,6 @@ on:
  pull_request_target:
    types: [opened, reopened, ready_for_review]

-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
  # Automatically assigns reviewers and owner
  add-reviews:
@@ -20,3 +16,4 @@ jobs:
        uses: kentaro-m/auto-assign-action@v2.0.0
        with:
          configuration-path: ".github/auto-assignees.yml"
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
@@ -8,10 +8,6 @@ on:
  pull_request_target:
    types: [opened, reopened, synchronize, ready_for_review]

-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
  # Automatically labels PRs based on file globs in the change.
  triage:
@@ -19,4 +15,5 @@ jobs:
    steps:
      - uses: actions/labeler@v5
        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
          configuration-path: .github/labeler.yml
@@ -5,10 +5,6 @@ on:
  pull_request_target:
    types: [opened, ready_for_review, reopened]

-permissions:
-  contents: read
-  pull-requests: write
-
 jobs:
  auto-request-review:
    name: Auto Request Review
@@ -17,5 +13,5 @@ jobs:
      - name: Request a PR review based on files types/paths, and/or groups the author belongs to
        uses: necojackarc/auto-request-review@v0.13.0
        with:
-          config: .github/auto-assignees.yml
          token: ${{ secrets.GITHUB_TOKEN }}
+          config: .github/auto-assignees.yml
@@ -8,26 +8,16 @@ on:
      - "design/**"
      - "**/*.md"
 jobs:
-  get-go-version:
-    uses: ./.github/workflows/get-go-version.yaml
-    with:
-      ref: ${{ github.event.pull_request.base.ref }}
-
  # Build the Velero CLI and image once for all Kubernetes versions, and cache it so the fan-out workers can get it.
  build:
    runs-on: ubuntu-latest
-    needs: get-go-version
-    outputs:
-      minio-dockerfile-sha: ${{ steps.minio-version.outputs.dockerfile_sha }}
    steps:
      - name: Check out the code
-        uses: actions/checkout@v6
-      
-      - name: Set up Go version
-        uses: actions/setup-go@v6
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
        with:
-          go-version: ${{ needs.get-go-version.outputs.version }}
-
+          go-version-file: 'go.mod'
      # Look for a CLI that's made for this PR
      - name: Fetch built CLI
        id: cli-cache
@@ -54,26 +44,6 @@ jobs:
        run: |
          IMAGE=velero VERSION=pr-test BUILD_OUTPUT_TYPE=docker make container
          docker save velero:pr-test-linux-amd64 -o ./velero.tar
-      # Check and build MinIO image once for all e2e tests
-      - name: Check Bitnami MinIO Dockerfile version
-        id: minio-version
-        run: |
-          DOCKERFILE_SHA=$(curl -s https://api.github.com/repos/bitnami/containers/commits?path=bitnami/minio/2025/debian-12/Dockerfile\&per_page=1 | jq -r '.[0].sha')
-          echo "dockerfile_sha=${DOCKERFILE_SHA}" >> $GITHUB_OUTPUT
-      - name: Cache MinIO Image
-        uses: actions/cache@v4
-        id: minio-cache
-        with:
-          path: ./minio-image.tar
-          key: minio-bitnami-${{ steps.minio-version.outputs.dockerfile_sha }}
-      - name: Build MinIO Image from Bitnami Dockerfile
-        if: steps.minio-cache.outputs.cache-hit != 'true'
-        run: |
-          echo "Building MinIO image from Bitnami Dockerfile..."
-          git clone --depth 1 https://github.com/bitnami/containers.git /tmp/bitnami-containers
-          cd /tmp/bitnami-containers/bitnami/minio/2026/debian-12
-          docker build -t bitnami/minio:local .
-          docker save bitnami/minio:local > ${{ github.workspace }}/minio-image.tar
  # Create json of k8s versions to test
  # from guide: https://stackoverflow.com/a/65094398/4590470
  setup-test-matrix:
@@ -95,9 +65,9 @@ jobs:
            \"k8s\":$(wget -q -O - "https://hub.docker.com/v2/namespaces/kindest/repositories/node/tags?page_size=50" | grep -o '"name": *"[^"]*' | grep -o '[^"]*$' | grep -v -E "alpha|beta" | grep -E "v[1-9]\.(2[5-9]|[3-9][0-9])" | awk -F. '{if(!a[$1"."$2]++)print $1"."$2"."$NF}' | sort -r | sed s/v//g | jq -R -c -s 'split("\n")[:-1]'),\
            \"labels\":[\
              \"Basic && (ClusterResource || NodePort || StorageClass)\", \
-              \"ResourceFiltering && !FSBackup\", \
+              \"ResourceFiltering && !Restic\", \
              \"ResourceModifier || (Backups && BackupsSync) || PrivilegesMgmt || OrderedResources\", \
-              \"(NamespaceMapping && Single && FSBackup) || (NamespaceMapping && Multiple && FSBackup)\"\
+              \"(NamespaceMapping && Single && Restic) || (NamespaceMapping && Multiple && Restic)\"\
            ]}" >> $GITHUB_OUTPUT

  # Run E2E test against all Kubernetes versions on kind
@@ -105,38 +75,24 @@ jobs:
    needs:
      - build
      - setup-test-matrix
-      - get-go-version
    runs-on: ubuntu-latest
    strategy:
      matrix: ${{fromJson(needs.setup-test-matrix.outputs.matrix)}}
      fail-fast: false
    steps:
      - name: Check out the code
-        uses: actions/checkout@v6
-
-      - name: Set up Go version
-        uses: actions/setup-go@v6
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
        with:
-          go-version: ${{ needs.get-go-version.outputs.version }}
-
-      # Fetch the pre-built MinIO image from the build job
-      - name: Fetch built MinIO Image
-        uses: actions/cache@v4
-        id: minio-cache
-        with:
-          path: ./minio-image.tar
-          key: minio-bitnami-${{ needs.build.outputs.minio-dockerfile-sha }}
-      - name: Load MinIO Image
-        run: |
-          echo "Loading MinIO image..."
-          docker load < ./minio-image.tar
+          go-version-file: 'go.mod'
      - name: Install MinIO
-        run: |
-          docker run -d --rm -p 9000:9000 -e "MINIO_ROOT_USER=minio" -e "MINIO_ROOT_PASSWORD=minio123" -e "MINIO_DEFAULT_BUCKETS=bucket,additional-bucket" bitnami/minio:local
+        run:
+          docker run -d --rm -p 9000:9000 -e "MINIO_ACCESS_KEY=minio" -e "MINIO_SECRET_KEY=minio123" -e "MINIO_DEFAULT_BUCKETS=bucket,additional-bucket" bitnami/minio:2021.6.17-debian-10-r7
      - uses: engineerd/setup-kind@v0.6.2
        with:
          skipClusterLogsExport: true
-          version: "v0.32.0"
+          version: "v0.27.0"
          image: "kindest/node:v${{ matrix.k8s }}"
      - name: Fetch built CLI
        id: cli-cache
@@ -165,8 +121,6 @@ jobs:
          curl -LO https://dl.k8s.io/release/v${{ matrix.k8s }}/bin/linux/amd64/kubectl
          sudo install -o root -g root -m 0755 kubectl /usr/local/bin/kubectl

-          git clone https://github.com/vmware-tanzu-experiments/distributed-data-generator.git -b main /tmp/kibishii
-
          GOPATH=~/go \
              CLOUD_PROVIDER=kind \
              OBJECT_STORE_PROVIDER=aws \
@@ -178,14 +132,12 @@ jobs:
              ADDITIONAL_CREDS_FILE=/tmp/credential \
              ADDITIONAL_BSL_BUCKET=additional-bucket \
              VELERO_IMAGE=velero:pr-test-linux-amd64 \
-              PLUGINS=velero/velero-plugin-for-aws:latest \
              GINKGO_LABELS="${{ matrix.labels }}" \
-              KIBISHII_DIRECTORY=/tmp/kibishii/kubernetes/yaml/ \
              make -C test/ run-e2e
        timeout-minutes: 30
      - name: Upload debug bundle
        if: ${{ failure() }}
-        uses: actions/upload-artifact@v5
+        uses: actions/upload-artifact@v4
        with:
-          name: DebugBundle-k8s-${{ matrix.k8s }}-job-${{ strategy.job-index }}
+          name: DebugBundle
          path: /home/runner/work/velero/velero/test/e2e/debug-bundle*
@@ -1,33 +0,0 @@
-on:
-  workflow_call:
-    inputs:
-      ref:
-        description: "The target branch's ref"
-        required: true
-        type: string
-    outputs:
-      version: 
-        description: "The expected Go version"
-        value: ${{ jobs.extract.outputs.version }}
-
-jobs:
-  extract:
-      runs-on: ubuntu-latest
-      outputs:
-        version: ${{ steps.pick-version.outputs.version }}
-      steps:
-        - name: Check out the code
-          uses: actions/checkout@v6
-
-        - id: pick-version
-          run: |
-            if [ "${{ inputs.ref }}" == "main" ]; then
-              version=$(grep '^go ' go.mod | awk '{print $2}' | cut -d. -f1-2)
-            else
-              goDirectiveVersion=$(grep '^go ' go.mod | awk '{print $2}')
-              toolChainVersion=$(grep '^toolchain ' go.mod | awk '{print $2}' | sed 's/^go//')
-              version=$(printf "%s\n%s\n" "$goDirectiveVersion" "$toolChainVersion" | sort -V | tail -n1)
-            fi
-
-            echo "version=$version"
-            echo "version=$version" >> $GITHUB_OUTPUT
@@ -13,16 +13,16 @@ jobs:
        # maintain the versions of Velero those need security scan
        versions: [main]
        # list of images that need scan
-        images: [velero, velero-plugin-for-aws, velero-plugin-for-gcp, velero-plugin-for-microsoft-azure]
+        images: [velero, velero-restore-helper]
    permissions:
      security-events: write  # for github/codeql-action/upload-sarif to upload SARIF results

    steps:
      - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v4

      - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+        uses: aquasecurity/trivy-action@master
        with:
          image-ref: 'docker.io/velero/${{ matrix.images }}:${{ matrix.versions }}'
          severity: 'CRITICAL,HIGH,MEDIUM'
@@ -12,7 +12,7 @@ jobs:
    steps:

    - name: Check out the code
-      uses: actions/checkout@v6
+      uses: actions/checkout@v4

    - name: Changelog check
      if: ${{ !(contains(github.event.pull_request.labels.*.name, 'kind/changelog-not-required') || contains(github.event.pull_request.labels.*.name, 'Design') || contains(github.event.pull_request.labels.*.name, 'Website') || contains(github.event.pull_request.labels.*.name, 'Documentation'))}}
@@ -1,30 +1,22 @@
 name: Pull Request CI Check
 on: [pull_request]
 jobs:
-  get-go-version:
-    uses: ./.github/workflows/get-go-version.yaml
-    with:
-      ref: ${{ github.event.pull_request.base.ref }}
-
  build:
    name: Run CI
-    needs: get-go-version
    runs-on: ubuntu-latest
    strategy:
      fail-fast: false
    steps:
      - name: Check out the code
-        uses: actions/checkout@v6
-
-      - name: Set up Go version
-        uses: actions/setup-go@v6
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
        with:
-          go-version: ${{ needs.get-go-version.outputs.version }}      
-
+          go-version-file: 'go.mod'
      - name: Make ci
        run: make ci
      - name: Upload test coverage
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: coverage.out
@@ -8,14 +8,14 @@ jobs:
    steps:

    - name: Check out the code
-      uses: actions/checkout@v6
+      uses: actions/checkout@v4

    - name: Codespell
      uses: codespell-project/actions-codespell@master
      with:
        # ignore the config/.../crd.go file as it's generated binary data that is edited elsewhere.
        skip: .git,*.png,*.jpg,*.woff,*.ttf,*.gif,*.ico,./config/crd/v1beta1/crds/crds.go,./config/crd/v1/crds/crds.go,./config/crd/v2alpha1/crds/crds.go,./go.sum,./LICENSE
-        ignore_words_list: iam,aks,ist,bridget,ue,shouldnot,atleast,notin,sme,optin,sie
+        ignore_words_list: iam,aks,ist,bridget,ue,shouldnot,atleast,notin,sme,optin
        check_filenames: true
        check_hidden: true

@@ -7,14 +7,13 @@ on:
      - 'release-**'
    paths:
      - 'Dockerfile'
-      - 'Dockerfile-Windows'

 jobs:
  build:
    name: Build
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v4
      name: Checkout

    - name: Set up QEMU
@@ -33,6 +32,6 @@ jobs:
    # by push, so BRANCH and TAG are empty by default. docker-push.sh will
    # only build Velero image without pushing.
    - name: Make Velero container without pushing to registry.
-      if: github.repository == 'velero-io/velero'
+      if: github.repository == 'vmware-tanzu/velero'
      run: |
        ./hack/docker-push.sh
@@ -1,93 +0,0 @@
-name: Pull Request File Path Check
-on: [pull_request]
-jobs:
-
-  filepath-check:
-    name: Check for invalid characters in file paths
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: Check out the code
-      uses: actions/checkout@v6
-
-    - name: Validate file paths for Go module compatibility
-      run: |
-        # Go's module zip rejects filenames containing certain characters.
-        # See golang.org/x/mod/module fileNameOK() for the full specification.
-        #
-        # Allowed ASCII: letters, digits, and: !#$%&()+,-.=@[]^_{}~ and space
-        # Allowed non-ASCII: unicode letters only
-        # Rejected: " ' * < > ? ` | / \ : and any non-letter unicode (control
-        #           chars, format chars like U+200E LEFT-TO-RIGHT MARK, etc.)
-        #
-        # This check catches issues like the U+200E incident in PR #9552.
-
-        EXIT_STATUS=0
-
-        git ls-files -z | python3 -c "
-        import sys, unicodedata
-
-        data = sys.stdin.buffer.read()
-        files = data.split(b'\x00')
-
-        # Characters explicitly rejected by Go's fileNameOK
-        # (path separators / and \ are inherent to paths so we check per-element)
-        bad_ascii = set('\"' + \"'\" + '*<>?\`|:')
-
-        allowed_ascii = set('!#$%&()+,-.=@[]^_{}~ ')
-
-        def is_ok(ch):
-            if ch.isascii():
-                return ch.isalnum() or ch in allowed_ascii
-            return ch.isalpha()
-
-        bad_files = []  # list of (original_path, clean_path, char_desc)
-        for f in files:
-            if not f:
-                continue
-            try:
-                name = f.decode('utf-8')
-            except UnicodeDecodeError:
-                print(f'::error::Non-UTF-8 bytes in filename: {f!r}')
-                bad_files.append((repr(f), None, 'non-UTF-8 bytes'))
-                continue
-
-            # Check each path element (split on /)
-            for element in name.split('/'):
-                for ch in element:
-                    if not is_ok(ch):
-                        cp = ord(ch)
-                        char_name = unicodedata.name(ch, f'U+{cp:04X}')
-                        char_desc = f'U+{cp:04X} ({char_name})'
-                        # Build cleaned path by stripping invalid chars
-                        clean = '/'.join(
-                            ''.join(c for c in elem if is_ok(c))
-                            for elem in name.split('/')
-                        )
-                        print(f'::error file={name}::File \"{name}\" contains invalid char {char_desc}')
-                        bad_files.append((name, clean, char_desc))
-                        break
-
-        if bad_files:
-            print()
-            print('The following files have characters that are invalid in Go module zip archives:')
-            print()
-            for original, clean, desc in bad_files:
-                print(f'  {original}  — {desc}')
-            print()
-            print('To fix, rename the files to remove the problematic characters:')
-            print()
-            for original, clean, desc in bad_files:
-                if clean:
-                    print(f'  mv \"{original}\" \"{clean}\" && git add \"{clean}\"')
-                    print(f'  # or: git mv \"{original}\" \"{clean}\"')
-                else:
-                    print(f'  # {original} — cannot auto-suggest rename (non-UTF-8)')
-            print()
-            print('See https://github.com/velero-io/velero/pull/9552 for context.')
-            sys.exit(1)
-        else:
-            print('All file paths are valid for Go module zip.')
-        " || EXIT_STATUS=1
-
-        exit $EXIT_STATUS
@@ -14,11 +14,11 @@ jobs:
    name: Build
    runs-on: ubuntu-latest
    steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v4
      name: Checkout

    - name: Verify .goreleaser.yml and try a dryrun release.
-      if: github.repository == 'velero-io/velero'
+      if: github.repository == 'vmware-tanzu/velero'
      run: |
        CHANGELOG=$(ls changelogs | sort -V -r | head -n 1)
        GITHUB_TOKEN=${{ secrets.GITHUB_TOKEN }} \
@@ -7,26 +7,18 @@ on:
      - "design/**"
      - "**/*.md"
 jobs:
-  get-go-version:
-    uses: ./.github/workflows/get-go-version.yaml
-    with:
-      ref: ${{ github.event.pull_request.base.ref }}
-
  build:
    name: Run Linter Check
    runs-on: ubuntu-latest
-    needs: get-go-version
    steps:
      - name: Check out the code
-        uses: actions/checkout@v6
-
-      - name: Set up Go version
-        uses: actions/setup-go@v6
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
        with:
-          go-version: ${{ needs.get-go-version.outputs.version }}
-
+          go-version-file: 'go.mod'
      - name: Linter check
-        uses: golangci/golangci-lint-action@v9
+        uses: golangci/golangci-lint-action@v6
        with:
-          version: v2.12.0
+          version: v1.64.5
          args: --verbose
@@ -5,10 +5,6 @@ on:
  issue_comment:
    types: [created]

-permissions:
-  issues: write
-  pull-requests: write
-
 jobs:
  execute:
    runs-on: ubuntu-latest
@@ -12,7 +12,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:

-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v4
      with:
        # The default value is "1" which fetches only a single commit. If we merge PR without squash or rebase,
        # there are at least two commits: the first one is the merge commit and the second one is the real commit
@@ -28,7 +28,7 @@ jobs:

    # Only try to publish the container image from the root repo; forks don't have permission to do so and will always get failures.
    - name: Publish container image
-      if: github.repository == 'velero-io/velero'
+      if: github.repository == 'vmware-tanzu/velero'
      run: |
        docker login -u ${{ secrets.DOCKER_USER }} -p ${{ secrets.DOCKER_PASSWORD }}
       
@@ -9,24 +9,26 @@ on:
      - '*'

 jobs:
-  get-go-version:
-    uses: ./.github/workflows/get-go-version.yaml
-    with:
-      ref: ${{ github.ref_name }}

  build:
    name: Build
    runs-on: ubuntu-latest
-    needs: get-go-version
    steps:
      - name: Check out the code
-        uses: actions/checkout@v6
-
-      - name: Set up Go version
-        uses: actions/setup-go@v6
+        uses: actions/checkout@v4
+      - name: Set up Go
+        uses: actions/setup-go@v5
        with:
-          go-version: ${{ needs.get-go-version.outputs.version }}
-
+          go-version-file: 'go.mod'
+      - id: 'auth'
+        uses: google-github-actions/auth@v2
+        with:
+          credentials_json: '${{ secrets.GCS_SA_KEY }}'
+      - name: 'set up GCloud SDK'
+        uses: google-github-actions/setup-gcloud@v2
+      - name: 'use gcloud CLI'
+        run: |
+          gcloud info
      - name: Set up QEMU
        id: qemu
        uses: docker/setup-qemu-action@v3
@@ -45,14 +47,20 @@ jobs:
      - name: Test
        run: make test
      - name: Upload test coverage
-        uses: codecov/codecov-action@v6
+        uses: codecov/codecov-action@v5
        with:
          token: ${{ secrets.CODECOV_TOKEN }}
          files: coverage.out
          verbose: true
+      # Use the JSON key in secret to login gcr.io
+      - uses: 'docker/login-action@v3'
+        with:
+          registry: 'gcr.io' # or REGION.docker.pkg.dev
+          username: '_json_key'
+          password: '${{ secrets.GCR_SA_KEY }}'
      # Only try to publish the container image from the root repo; forks don't have permission to do so and will always get failures.
      - name: Publish container image
-        if: github.repository == 'velero-io/velero'
+        if: github.repository == 'vmware-tanzu/velero'
        run: |
          sudo swapoff -a
          sudo rm -f /mnt/swapfile
@@ -9,7 +9,7 @@ jobs:
    runs-on: ubuntu-latest
    steps:
    - name: Checkout the latest code
-      uses: actions/checkout@v6
+      uses: actions/checkout@v4
      with:
        fetch-depth: 0
    - name: Automatic Rebase
@@ -7,7 +7,7 @@ jobs:
  stale:
    runs-on: ubuntu-latest
    steps:
-      - uses: actions/stale@v10.1.1
+      - uses: actions/stale@v9.1.0
        with:
          repo-token: ${{ secrets.GITHUB_TOKEN }}
          stale-issue-message: "This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. If a Velero team member has requested log or more information, please provide the output of the shared commands."
@@ -20,4 +20,4 @@ jobs:
          days-before-pr-close: -1
          # Only issues made after Feb 09 2021.
          start-date: "2021-09-02T00:00:00"
-          exempt-issue-labels: "Epic,Area/CLI,Area/Cloud/AWS,Area/Cloud/Azure,Area/Cloud/GCP,Area/Cloud/vSphere,Area/CSI,Area/Design,Area/Documentation,Area/Plugins,Bug,Enhancement/User,kind/requirement,kind/refactor,kind/tech-debt,limitation,Needs investigation,Needs triage,Needs Product,P0 - Hair on fire,P1 - Important,P2 - Long-term important,P3 - Wouldn't it be nice if...,Product Requirements,release-blocker,Security,backlog"
+          exempt-issue-labels: "Epic,Area/CLI,Area/Cloud/AWS,Area/Cloud/Azure,Area/Cloud/GCP,Area/Cloud/vSphere,Area/CSI,Area/Design,Area/Documentation,Area/Plugins,Bug,Enhancement/User,kind/requirement,kind/refactor,kind/tech-debt,limitation,Needs investigation,Needs triage,Needs Product,P0 - Hair on fire,P1 - Important,P2 - Long-term important,P3 - Wouldn't it be nice if...,Product Requirements,Restic - GA,Restic,release-blocker,Security,backlog"
@@ -58,8 +58,3 @@ debug.test*

 # make lint cache
 .cache/
-
-# Go telemetry directory created when container sets HOME to working directory
-# This happens because Makefile uses 'docker run -w /github.com/vmware-tanzu/velero'
-# and Go's os.UserConfigDir() falls back to $HOME/.config when XDG_CONFIG_HOME is unset
-.config/
@@ -6,7 +6,7 @@ run:
  # default concurrency is a available CPU number
  concurrency: 4

-  # timeout for analysis, e.g. 30s, 5m, default is 0
+  # timeout for analysis, e.g. 30s, 5m, default is 1m
  timeout: 20m

  # exit code when at least one issue was found, default is 1
@@ -29,281 +29,293 @@ run:

 # output configuration options
 output:
+  # colored-line-number|line-number|json|tab|checkstyle|code-climate, default is "colored-line-number"
  formats:
-    text:
+    - format: colored-line-number
      path: stdout

-      # print lines of code with issue, default is true
-      print-issued-lines: true
+  # print lines of code with issue, default is true
+  print-issued-lines: true

-      # print linter name in the end of issue text, default is true
-      print-linter-name: true
+  # print linter name in the end of issue text, default is true
+  print-linter-name: true

-  # Show statistics per linter.      
-  show-stats: false
+# all available settings of specific linters
+linters-settings:

-linters:
-  # all available settings of specific linters
-  settings:
-    depguard:
-      rules:
-        main:
-          deny:
-            # specify an error message to output when a denylisted package is used
-            - pkg: github.com/sirupsen/logrus
-              desc: "logging is allowed only by logutils.Log"
+  depguard:
+    rules:
+      main:
+        deny:
+          # specify an error message to output when a denylisted package is used
+          - pkg: github.com/sirupsen/logrus
+            desc: "logging is allowed only by logutils.Log"

-    dogsled:
-      # checks assignments with too many blank identifiers; default is 2
-      max-blank-identifiers: 2
+  dogsled:
+    # checks assignments with too many blank identifiers; default is 2
+    max-blank-identifiers: 2

-    dupl:
-      # tokens count to trigger issue, 150 by default
-      threshold: 100
+  dupl:
+    # tokens count to trigger issue, 150 by default
+    threshold: 100

-    errcheck:
-      # report about not checking of errors in type assertions: `a := b.(MyStruct)`;
-      # default is false: such cases aren't reported by default.
-      check-type-assertions: false
+  errcheck:
+    # report about not checking of errors in type assertions: `a := b.(MyStruct)`;
+    # default is false: such cases aren't reported by default.
+    check-type-assertions: false

-      # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
-      # default is false: such cases aren't reported by default.
-      check-blank: false
+    # report about assignment of errors to blank identifier: `num, _ := strconv.Atoi(numStr)`;
+    # default is false: such cases aren't reported by default.
+    check-blank: false

+    # [deprecated] comma-separated list of pairs of the form pkg:regex
+    # the regex is used to ignore names within pkg. (default "fmt:.*").
+    # see https://github.com/kisielk/errcheck#the-deprecated-method for details
+    # ignore: fmt:.*,io/ioutil:^Read.*

-    exhaustive:
-      # indicates that switch statements are to be considered exhaustive if a
-      # 'default' case is present, even if all enum members aren't listed in the
-      # switch
-      default-signifies-exhaustive: false
+    # path to a file containing a list of functions to exclude from checking
+    # see https://github.com/kisielk/errcheck#excluding-functions for details
+    # exclude: /path/to/file.txt

-    funlen:
-      lines: 60
-      statements: 40
+  exhaustive:
+    # indicates that switch statements are to be considered exhaustive if a
+    # 'default' case is present, even if all enum members aren't listed in the
+    # switch
+    default-signifies-exhaustive: false

-    gocognit:
-      # minimal code complexity to report, 30 by default (but we recommend 10-20)
-      min-complexity: 10
+  funlen:
+    lines: 60
+    statements: 40

-    nestif:
-      # minimal complexity of if statements to report, 5 by default
-      min-complexity: 4
+  gocognit:
+    # minimal code complexity to report, 30 by default (but we recommend 10-20)
+    min-complexity: 10

-    goconst:
-      # minimal length of string constant, 3 by default
-      min-len: 3
-      # minimal occurrences count to trigger, 3 by default
-      min-occurrences: 5
+  nestif:
+    # minimal complexity of if statements to report, 5 by default
+    min-complexity: 4

-    gocritic:
-      # Which checks should be enabled; can't be combined with 'disabled-checks';
-      # See https://go-critic.github.io/overview#checks-overview
-      # To check which checks are enabled run `GL_DEBUG=gocritic golangci-lint run`
-      # By default list of stable checks is used.
-      settings: # settings passed to gocritic
-        captLocal: # must be valid enabled check name
-          paramsOnly: true
+  goconst:
+    # minimal length of string constant, 3 by default
+    min-len: 3
+    # minimal occurrences count to trigger, 3 by default
+    min-occurrences: 5

-    gocyclo:
-      # minimal code complexity to report, 30 by default (but we recommend 10-20)
-      min-complexity: 10
+  gocritic:
+    # Which checks should be enabled; can't be combined with 'disabled-checks';
+    # See https://go-critic.github.io/overview#checks-overview
+    # To check which checks are enabled run `GL_DEBUG=gocritic golangci-lint run`
+    # By default list of stable checks is used.
+    # enabled-checks:
+    #  - rangeValCopy

-    godot:
-      # check all top-level comments, not only declarations
-      check-all: false
+    # Which checks should be disabled; can't be combined with 'enabled-checks'; default is empty
+    # disabled-checks:
+    #  - regexpMust

-    godox:
-      # report any comments starting with keywords, this is useful for TODO or FIXME comments that
-      # might be left in the code accidentally and should be resolved before merging
-      keywords: # default keywords are TODO, BUG, and FIXME, these can be overwritten by this setting
-        - NOTE
-        - OPTIMIZE # marks code that should be optimized before merging
-        - HACK # marks hack-arounds that should be removed before merging
+    # Enable multiple checks by tags, run `GL_DEBUG=gocritic golangci-lint run` to see all tags and checks.
+    # Empty list by default. See https://github.com/go-critic/go-critic#usage -> section "Tags".
+    # enabled-tags:
+    #  - performance
+    # disabled-tags:
+    #  - experimental

-    gosec:
-      excludes:
-        - G115
+    settings: # settings passed to gocritic
+      captLocal: # must be valid enabled check name
+        paramsOnly: true
+    #  rangeValCopy:
+    #    sizeThreshold: 32

-    govet:
-      # enable or disable analyzers by name
-      enable:
-        - atomicalign
-      enable-all: false
-      disable:
-        - shadow
-      disable-all: false
-  
-    importas:
-       alias:
-        - alias: appsv1api
-          pkg: k8s.io/api/apps/v1
-        - alias: corev1api
-          pkg: k8s.io/api/core/v1
-        - alias: rbacv1
-          pkg: k8s.io/api/rbac/v1
-        - alias: apierrors
-          pkg: k8s.io/apimachinery/pkg/api/errors
-        - alias: apiextv1
-          pkg: k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1
-        - alias: metav1
-          pkg: k8s.io/apimachinery/pkg/apis/meta/v1
-        - alias: storagev1api
-          pkg: k8s.io/api/storage/v1
-        - alias: batchv1api
-          pkg: k8s.io/api/batch/v1
+  gocyclo:
+    # minimal code complexity to report, 30 by default (but we recommend 10-20)
+    min-complexity: 10

-    lll:
+  godot:
+    # check all top-level comments, not only declarations
+    check-all: false
+
+  godox:
+    # report any comments starting with keywords, this is useful for TODO or FIXME comments that
+    # might be left in the code accidentally and should be resolved before merging
+    keywords: # default keywords are TODO, BUG, and FIXME, these can be overwritten by this setting
+      - NOTE
+      - OPTIMIZE # marks code that should be optimized before merging
+      - HACK # marks hack-arounds that should be removed before merging
+
+  gofmt:
+    # simplify code: gofmt with `-s` option, true by default
+    simplify: true
+
+  goimports:
+    # put imports beginning with prefix after 3rd-party packages;
+    # it's a comma-separated list of prefixes
+    local-prefixes: github.com/org/project
+
+  gosec:
+    excludes:
+      - G115
+
+  govet:
+    # report about shadowed variables
+    # check-shadowing: true
+
+    # settings per analyzer
+    settings:
+      printf: # analyzer name, run `go tool vet help` to see all analyzers
+        funcs: # run `go tool vet help printf` to see available settings for `printf` analyzer
+          - (github.com/golangci/golangci-lint/pkg/logutils.Log).Infof
+          - (github.com/golangci/golangci-lint/pkg/logutils.Log).Warnf
+          - (github.com/golangci/golangci-lint/pkg/logutils.Log).Errorf
+          - (github.com/golangci/golangci-lint/pkg/logutils.Log).Fatalf
+
+    # enable or disable analyzers by name
+    enable:
+      - atomicalign
+    enable-all: false
+    disable:
+      - shadow
+    disable-all: false
+
+  lll:
    # max line length, lines longer will be reported. Default is 120.
    # '\t' is counted as 1 character by default, and can be changed with the tab-width option
-      line-length: 120
-      # tab width in spaces. Default to 1.
-      tab-width: 1
+    line-length: 120
+    # tab width in spaces. Default to 1.
+    tab-width: 1

-    misspell:
-      # Correct spellings using locale preferences for US or UK.
-      # Default is to use a neutral variety of English.
-      # Setting locale to US will correct the British spelling of 'colour' to 'color'.
-      locale: US
-      ignore-rules:
-        - someword
+  misspell:
+    # Correct spellings using locale preferences for US or UK.
+    # Default is to use a neutral variety of English.
+    # Setting locale to US will correct the British spelling of 'colour' to 'color'.
+    locale: US
+    ignore-words:
+      - someword

-    nakedret:
-      # make an issue if func has more lines of code than this setting and it has naked returns; default is 30
-      max-func-lines: 30
+  nakedret:
+    # make an issue if func has more lines of code than this setting and it has naked returns; default is 30
+    max-func-lines: 30

-    prealloc:
-      # XXX: we don't recommend using this linter before doing performance profiling.
-      # For most programs usage of prealloc will be a premature optimization.
+  prealloc:
+    # XXX: we don't recommend using this linter before doing performance profiling.
+    # For most programs usage of prealloc will be a premature optimization.

-      # Report preallocation suggestions only on simple loops that have no returns/breaks/continues/gotos in them.
-      # True by default.
-      simple: true
-      range-loops: true # Report preallocation suggestions on range loops, true by default
-      for-loops: false # Report preallocation suggestions on for loops, false by default
+    # Report preallocation suggestions only on simple loops that have no returns/breaks/continues/gotos in them.
+    # True by default.
+    simple: true
+    range-loops: true # Report preallocation suggestions on range loops, true by default
+    for-loops: false # Report preallocation suggestions on for loops, false by default

-    nolintlint:
-      # Enable to ensure that nolint directives are all used. Default is true.
-      allow-unused: false
-      # Exclude following linters from requiring an explanation.  Default is [].
-      allow-no-explanation: []
-      # Enable to require an explanation of nonzero length after each nolint directive. Default is false.
-      require-explanation: true
-      # Enable to require nolint directives to mention the specific linter being suppressed. Default is false.
-      require-specific: true
+  nolintlint:
+    # Enable to ensure that nolint directives are all used. Default is true.
+    allow-unused: false
+    # Exclude following linters from requiring an explanation.  Default is [].
+    allow-no-explanation: []
+    # Enable to require an explanation of nonzero length after each nolint directive. Default is false.
+    require-explanation: true
+    # Enable to require nolint directives to mention the specific linter being suppressed. Default is false.
+    require-specific: true

-    perfsprint:
-      strconcat: false
-      sprintf1: false
-      errorf: false
-      int-conversion: true
+  perfsprint:
+    strconcat: false
+    sprintf1: false
+    errorf: false
+    int-conversion: true

-    revive:
-      rules:
-        - name: blank-imports
-          disabled: true
-        - name: context-as-argument
-          disabled: true
-        - name: context-keys-type
-        - name: dot-imports
-          disabled: true
-        - name: early-return
-          disabled: true
-          arguments:
-            - "preserveScope"
-        - name: empty-block
-          disabled: true
-        - name: error-naming
-          disabled: true
-        - name: error-return
-          disabled: true
-        - name: error-strings
-          disabled: true
-        - name: errorf
-          disabled: true
-        - name: increment-decrement
-        - name: indent-error-flow
-          disabled: true
-        - name: range
-        - name: receiver-naming
-          disabled: true
-        - name: redefines-builtin-id
-          disabled: true
-        - name: superfluous-else
-          disabled: true
-          arguments:
-            - "preserveScope"
-        - name: time-naming
-        - name: unexported-return
-          disabled: true
-        - name: unnecessary-stmt
-        - name: unreachable-code
-        - name: unused-parameter
-          disabled: true
-        - name: use-any
-        - name: var-declaration
-        - name: var-naming
-          disabled: true
+  revive:
+    rules:
+      - name: blank-imports
+        disabled: true
+      - name: context-as-argument
+        disabled: true
+      - name: context-keys-type
+      - name: dot-imports
+        disabled: true
+      - name: early-return
+        disabled: true
+        arguments:
+          - "preserveScope"
+      - name: empty-block
+        disabled: true
+      - name: error-naming
+        disabled: true
+      - name: error-return
+        disabled: true
+      - name: error-strings
+        disabled: true
+      - name: errorf
+        disabled: true
+      - name: increment-decrement
+      - name: indent-error-flow
+        disabled: true
+      - name: range
+      - name: receiver-naming
+        disabled: true
+      - name: redefines-builtin-id
+        disabled: true
+      - name: superfluous-else
+        disabled: true
+        arguments:
+          - "preserveScope"
+      - name: time-naming
+      - name: unexported-return
+        disabled: true
+      - name: unnecessary-stmt
+      - name: unreachable-code
+      - name: unused-parameter
+        disabled: true
+      - name: use-any
+      - name: var-declaration
+      - name: var-naming
+        disabled: true

-    rowserrcheck:
-      packages:
-        - github.com/jmoiron/sqlx
+  rowserrcheck:
+    packages:
+      - github.com/jmoiron/sqlx

-    staticcheck:
-      checks:
-        - all
-        - -QF1001 # FIXME
-        - -QF1003 # FIXME
-        - -QF1004 # FIXME
-        - -QF1007 # FIXME
-        - -QF1008 # FIXME
-        - -QF1009 # FIXME
-        - -QF1012 # FIXME
-
-    testifylint:
+  testifylint:
      # TODO: enable them all
      disable:
-        - float-compare
        - go-require
+        - float-compare
+        - require-error
      enable-all: true

-    testpackage:
-      # regexp pattern to skip files
-      skip-regexp: (export|internal)_test\.go
-    unparam:
-      # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
-      # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
-      # if it's called for subdir of a project it can't find external interfaces. All text editor integrations
-      # with golangci-lint call it on a directory with the changed file.
-      check-exported: false
+  testpackage:
+    # regexp pattern to skip files
+    skip-regexp: (export|internal)_test\.go
+  unparam:
+    # Inspect exported functions, default is false. Set to true if no external program/library imports your code.
+    # XXX: if you enable this setting, unparam will report a lot of false-positives in text editors:
+    # if it's called for subdir of a project it can't find external interfaces. All text editor integrations
+    # with golangci-lint call it on a directory with the changed file.
+    check-exported: false

-    usetesting:
-      os-setenv: false
+  whitespace:
+    multi-if: false   # Enforces newlines (or comments) after every multi-line if statement
+    multi-func: false # Enforces newlines (or comments) after every multi-line function signature

-    whitespace:
-      multi-if: false # Enforces newlines (or comments) after every multi-line if statement
-      multi-func: false # Enforces newlines (or comments) after every multi-line function signature
+  wsl:
+    # If true append is only allowed to be cuddled if appending value is
+    # matching variables, fields or types on line above. Default is true.
+    strict-append: true
+    # Allow calls and assignments to be cuddled as long as the lines have any
+    # matching variables, fields or types. Default is true.
+    allow-assign-and-call: true
+    # Allow multiline assignments to be cuddled. Default is true.
+    allow-multiline-assign: true
+    # Allow declarations (var) to be cuddled.
+    allow-cuddle-declarations: false
+    # Allow trailing comments in ending of blocks
+    allow-trailing-comment: false
+    # Force newlines in end of case at this limit (0 = never).
+    force-case-trailing-whitespace: 0
+    # Force cuddling of err checks with err var assignment
+    force-err-cuddling: false
+    # Allow leading comments to be separated with empty lines
+    allow-separated-leading-comment: false

-    wsl:
-      # If true append is only allowed to be cuddled if appending value is
-      # matching variables, fields or types on line above. Default is true.
-      strict-append: true
-      # Allow calls and assignments to be cuddled as long as the lines have any
-      # matching variables, fields or types. Default is true.
-      allow-assign-and-call: true
-      # Allow multiline assignments to be cuddled. Default is true.
-      allow-multiline-assign: true
-      # Allow declarations (var) to be cuddled.
-      allow-cuddle-declarations: false
-      # Allow trailing comments in ending of blocks
-      allow-trailing-comment: false
-      # Force newlines in end of case at this limit (0 = never).
-      force-case-trailing-whitespace: 0
-      # Force cuddling of err checks with err var assignment
-      force-err-cuddling: false
-      # Allow leading comments to be separated with empty lines
-      allow-separated-leading-comment: false
-
-  default: none
+linters:
+  disable-all: true
  enable:
    - asasalint
    - asciicheck
@@ -311,90 +323,88 @@ linters:
    - bodyclose
    - copyloopvar
    - dogsled
-    - dupword
    - durationcheck
+    - dupword
    - errcheck
    - errchkjson
-    - exptostd
-    - ginkgolinter
-    #- goconst # Disable goconst for now, as it reports a lot of false positives. We can enable it later after refactoring the codebase to reduce the number of string literals.
+    - goconst
+    - gofmt
    - goheader
+    - goimports
    - goprintffuncname
    - gosec
+    - gosimple
    - govet
+    - ginkgolinter
    - importas
    - ineffassign
    - misspell
    - nakedret
+    - nosprintfhostport
    - nilerr
    - noctx
    - nolintlint
-    - nosprintfhostport
    - perfsprint
    - revive
    - staticcheck
+    - stylecheck
    - testifylint
    - thelper
+    - typecheck
    - unconvert
    - unparam
    - unused
    - usestdlibvars
-    - usetesting
    - whitespace
-
-  exclusions:
-    # which dirs to skip: issues from them won't be reported;
-    # can use regexp here: generated.*, regexp is applied on full path;
-    # default value is empty list, but default dirs are skipped independently
-    # from this option's value (see skip-dirs-use-default).
-    # "/" will be replaced by current OS file path separator to properly work
-    # on Windows.
-    paths:
-      - pkg/plugin/generated/*
-      - third_party
-
-    rules:
-      - linters:
-          - staticcheck
-        text: "DefaultVolumesToRestic" # No need to report deprecate for DefaultVolumesToRestic.
-      - path: ".*_test.go$"
-        linters:
-          - errcheck
-          - goconst
-          - gosec
-          - govet
-          - staticcheck
-          - unparam
-          - unused
-      - path: test/
-        linters:
-          - errcheck
-          - goconst
-          - gosec
-          - nilerr
-          - staticcheck
-          - unparam
-          - unused
-      - path: ".*data_upload_controller_test.go$"
-        linters:
-          - dupword
-        text: "type"
-      - path: ".*config_test.go$"
-        linters:
-          - dupword
-        text: "bucket"
-      - text: "non-constant format string"
-        linters:
-          - govet
-
-    generated: lax
-    presets:
-      - comments
-      - common-false-positives
-      - legacy
-      - std-error-handling
+  fast: false

 issues:
+  # which dirs to skip: issues from them won't be reported;
+  # can use regexp here: generated.*, regexp is applied on full path;
+  # default value is empty list, but default dirs are skipped independently
+  # from this option's value (see skip-dirs-use-default).
+  # "/" will be replaced by current OS file path separator to properly work
+  # on Windows.
+  exclude-dirs:
+    - pkg/plugin/generated/*
+
+  exclude-rules:
+    - linters:
+        - staticcheck
+      text: "DefaultVolumesToRestic" # No need to report deprecate for DefaultVolumesToRestic.
+    - path: ".*_test.go$"
+      linters:
+        - errcheck
+        - goconst
+        - gosec
+        - govet
+        - staticcheck
+        - stylecheck
+        - unparam
+        - unused
+    - path: test/
+      linters:
+        - errcheck
+        - goconst
+        - gosec
+        - nilerr
+        - staticcheck
+        - stylecheck
+        - unparam
+        - unused
+    - path: ".*data_upload_controller_test.go$"
+      linters:
+        - dupword
+      text: "type"
+    - path: ".*config_test.go$"
+      linters:
+        - dupword
+      text: "bucket"
+
+  # The list of ids of default excludes to include or disable. By default it's empty.
+  include:
+    - EXC0002 # disable excluding of issues about comments from golint
+
  # Maximum issues count per one linter. Set to 0 to disable. Default is 50.
  max-issues-per-linter: 0

@@ -404,29 +414,20 @@ issues:
  # make issues output unique by line, default is true
  uniq-by-line: true

-# This file contains all available configuration options
-# with their default values.
-formatters:
-  enable:
-    - gofmt
-    - goimports
-
-  exclusions:
-    generated: lax
-    paths:
-      - pkg/plugin/generated/*
-      - third_party
-
-  settings:
-    gofmt:
-      # simplify code: gofmt with `-s` option, true by default
-      simplify: true
-    goimports:
-      local-prefixes:
-        - github.com/vmware-tanzu/velero
-
 severity:
-  default: error
+  # Default value is empty string.
+  # Set the default severity for issues. If severity rules are defined and the issues 
+  # do not match or no severity is provided to the rule this will be the default 
+  # severity applied. Severities should match the supported severity names of the 
+  # selected out format.
+  # - Code climate: https://docs.codeclimate.com/docs/issues#issue-severity
+  # -   Checkstyle: https://checkstyle.sourceforge.io/property_types.html#severity
+  # -       Github: https://help.github.com/en/actions/reference/workflow-commands-for-github-actions#setting-an-error-message
+  default-severity: error
+
+  # The default value is false. 
+  # If set to true severity-rules regular expressions become case sensitive.
+  case-sensitive: false

  # Default value is empty list.
  # When a list of severity rules are provided, severity information will be added to lint
@@ -435,7 +436,5 @@ severity:
  # Only affects out formats that support setting severity information.
  rules:
    - linters:
-        - dupl
+      - dupl
      severity: info
-
-version: "2"
@@ -26,23 +26,18 @@ builds:
      - arm
      - arm64
      - ppc64le
-      - s390x
    ignore:
      # don't build arm for darwin and arm/arm64 for windows
      - goos: darwin
        goarch: arm
      - goos: darwin
        goarch: ppc64le
-      - goos: darwin
-        goarch: s390x
      - goos: windows
        goarch: arm
      - goos: windows
        goarch: arm64
      - goos: windows
        goarch: ppc64le
-      - goos: windows
-        goarch: s390x
    ldflags:
      - -X "github.com/vmware-tanzu/velero/pkg/buildinfo.Version={{ .Tag }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.GitSHA={{ .FullCommit }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.GitTreeState={{ .Env.GIT_TREE_STATE }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.ImageRegistry={{ .Env.REGISTRY }}"
 archives:
@@ -55,7 +50,7 @@ checksum:
  name_template: 'CHECKSUM'
 release:
  github:
-    owner: velero-io
+    owner: vmware-tanzu
    name: velero
  draft: true
  prerelease: auto
@@ -65,4 +60,4 @@ git:
  # tags if there are more than one tag in the same commit.
  #
  # Default: `-version:refname`
-  tag_sort: -version:creatordate
+  tag_sort: -version:creatordate
@@ -17,7 +17,6 @@ If you're using Velero and want to add your organization to this list,
 <a href="https://www.replicated.com/" border="0" target="_blank"><img alt="replicated.com" src="site/static/img/adopters/replicated-logo-red.svg" height="50"></a>
 <a href="https://cloudcasa.io/" border="0" target="_blank"><img alt="cloudcasa.io" src="site/static/img/adopters/cloudcasa.svg" height="50"></a>
 <a href="https://azure.microsoft.com/" border="0" target="_blank"><img alt="azure.com" src="site/static/img/adopters/azure.svg" height="50"></a>
-<a href="https://www.broadcom.com/" border="0" target="_blank"><img alt="broadcom.com" src="site/static/img/adopters/broadcom.svg" height="50"></a>
 ## Success Stories

 Below is a list of adopters of Velero in **production environments** that have
@@ -69,9 +68,6 @@ Replicated uses the Velero open source project to enable snapshots in [KOTS][101
 **[Microsoft Azure][105]**<br>
 [Azure Backup for AKS][106] is an Azure native, Kubernetes aware, Enterprise ready backup for containerized applications deployed on Azure Kubernetes Service (AKS). AKS Backup utilizes Velero to perform backup and restore operations to protect stateful applications in AKS clusters.<br>

-**[Broadcom][107]**<br>
-[VMware Cloud Foundation][108] (VCF) offers built-in [vSphere Kubernetes Service][109] (VKS),  a Kubernetes runtime that includes a CNCF certified Kubernetes distribution, to deploy and manage containerized workloads. VCF empowers platform engineers with native [Kubernetes multi-cluster management][110] capability for managing Kubernetes (K8s) infrastructure at scale. VCF utilizes Velero for Kubernetes data protection enabling platform engineers to back up and restore containerized workloads manifests & persistent volumes, helping to increase the resiliency of stateful applications in VKS cluster.
-
 ## Adding your organization to the list of Velero Adopters

 If you are using Velero and would like to be included in the list of `Velero Adopters`, add an SVG version of your logo to the `site/static/img/adopters` directory in this repo and submit a [pull request][3] with your change. Name the image file something that reflects your company (e.g., if your company is called Acme, name the image acme.png). See this for an example [PR][4].
@@ -129,8 +125,3 @@ If you would like to add your logo to a future `Adopters of Velero` section on [

 [105]: https://azure.microsoft.com/
 [106]: https://learn.microsoft.com/azure/backup/backup-overview
-
-[107]: https://www.broadcom.com/
-[108]: https://www.vmware.com/products/cloud-infrastructure/vmware-cloud-foundation
-[109]: https://www.vmware.com/products/cloud-infrastructure/vsphere-kubernetes-service
-[110]: https://blogs.vmware.com/cloud-foundation/2025/09/29/empowering-platform-engineers-with-native-kubernetes-multi-cluster-management-in-vmware-cloud-foundation/
@@ -1,23 +1,3 @@
-# Velero Code of Conduct
-
-Velero is a [Cloud Native Computing Foundation](https://www.cncf.io/) sandbox
-project. As a CNCF project, the Velero community follows the
-[**CNCF Code of Conduct**](https://github.com/cncf/foundation/blob/main/code-of-conduct.md).
-
-The text below is the project's adopted Code of Conduct, based on the
-[Contributor Covenant](https://www.contributor-covenant.org/), and is
-substantively aligned with the CNCF Code of Conduct. Where any conflict exists,
-the CNCF Code of Conduct prevails.
-
-Instances of unacceptable behavior may be reported to the CNCF Code of
-Conduct Committee at [conduct@cncf.io](mailto:conduct@cncf.io). For more
-detailed instructions on how to submit a report, including how to submit a
-report anonymously, please see the CNCF
-[Incident Resolution Procedures](https://github.com/cncf/foundation/blob/main/code-of-conduct/coc-incident-resolution-procedures.md).
-You can expect a response within three business days.
-
---
-
 # Contributor Covenant Code of Conduct

 ## Our Pledge
@@ -79,8 +59,7 @@ representative at an online or offline event.
 ## Enforcement

 Instances of abusive, harassing, or otherwise unacceptable behavior may be
-reported by contacting the CNCF Code of Conduct Committee at
-[conduct@cncf.io](mailto:conduct@cncf.io).
+reported to the community leaders responsible for enforcement at oss-coc@vmware.com.
 All complaints will be reviewed and investigated promptly and fairly.

 All community leaders are obligated to respect the privacy and security of the
@@ -13,7 +13,7 @@
 # limitations under the License.

 # Velero binary build section
-FROM --platform=$BUILDPLATFORM golang:1.26-trixie AS velero-builder
+FROM --platform=$BUILDPLATFORM golang:1.23.7-bookworm AS velero-builder

 ARG GOPROXY
 ARG BIN
@@ -48,11 +48,38 @@ RUN mkdir -p /output/usr/bin && \
    -ldflags "${LDFLAGS}" ${PKG}/cmd/velero-helper && \
    go clean -modcache -cache

-# Velero image packing section
-FROM paketobuildpacks/ubuntu-noble-run-tiny:latest
+# Restic binary build section
+FROM --platform=$BUILDPLATFORM golang:1.23.7-bookworm AS restic-builder

-LABEL maintainer="Xun Jiang <xun.jiang@broadcom.com>"
+ARG GOPROXY
+ARG BIN
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+ARG RESTIC_VERSION
+
+ENV CGO_ENABLED=0 \
+    GO111MODULE=on \
+    GOPROXY=${GOPROXY} \
+    GOOS=${TARGETOS} \
+    GOARCH=${TARGETARCH} \
+    GOARM=${TARGETVARIANT}
+
+COPY . /go/src/github.com/vmware-tanzu/velero
+
+RUN mkdir -p /output/usr/bin && \
+    export GOARM=$(echo "${GOARM}" | cut -c2-) && \
+    /go/src/github.com/vmware-tanzu/velero/hack/build-restic.sh && \
+    go clean -modcache -cache
+
+# Velero image packing section
+FROM paketobuildpacks/run-jammy-tiny:0.2.56
+
+LABEL maintainer="Xun Jiang <jxun@vmware.com>"

 COPY --from=velero-builder /output /

+COPY --from=restic-builder /output /
+
 USER cnb:cnb
+
@@ -15,7 +15,7 @@
 ARG OS_VERSION=1809

 # Velero binary build section
-FROM --platform=$BUILDPLATFORM golang:1.26-trixie AS velero-builder
+FROM --platform=$BUILDPLATFORM golang:1.23.7-bookworm AS velero-builder

 ARG GOPROXY
 ARG BIN
@@ -44,8 +44,6 @@ RUN mkdir -p /output/usr/bin && \
    export GOARM=$( echo "${GOARM}" | cut -c2-) && \
    go build -o /output/${BIN}.exe \
    -ldflags "${LDFLAGS}" ${PKG}/cmd/${BIN} && \
-    go build -o /output/velero-restore-helper.exe \
-    -ldflags "${LDFLAGS}" ${PKG}/cmd/velero-restore-helper && \    
    go build -o /output/velero-helper.exe \
    -ldflags "${LDFLAGS}" ${PKG}/cmd/velero-helper && \
    go clean -modcache -cache
@@ -7,11 +7,11 @@
 | Maintainer          | GitHub ID                                                     | Affiliation                                      |
 |---------------------|---------------------------------------------------------------|--------------------------------------------------|
 | Scott Seago         | [sseago](https://github.com/sseago)                           | [OpenShift](https://github.com/openshift)        |
-| Daniel Jiang        | [reasonerjt](https://github.com/reasonerjt)                   | Broadcom                                         |
-| Wenkai Yin          | [ywk253100](https://github.com/ywk253100)                     | Broadcom                                         |
-| Xun Jiang           | [blackpiglet](https://github.com/blackpiglet)                 | Broadcom                                         |
+| Daniel Jiang        | [reasonerjt](https://github.com/reasonerjt)                   | [VMware](https://www.github.com/vmware/)         |
+| Wenkai Yin          | [ywk253100](https://github.com/ywk253100)                     | [VMware](https://www.github.com/vmware/)         |
+| Xun Jiang           | [blackpiglet](https://github.com/blackpiglet)                 | [VMware](https://www.github.com/vmware/)         |
 | Shubham Pampattiwar | [shubham-pampattiwar](https://github.com/shubham-pampattiwar) | [OpenShift](https://github.com/openshift)        |
-| Yonghui Li          | [Lyndon-Li](https://github.com/Lyndon-Li)                     | Broadcom                                         |
+| Yonghui Li          | [Lyndon-Li](https://github.com/Lyndon-Li)                     | [VMware](https://www.github.com/vmware/)         |
 | Anshul Ahuja        | [anshulahuja98](https://github.com/anshulahuja98)             | [Microsoft Azure](https://www.github.com/azure/) |
 | Tiger Kaovilai      | [kaovilai](https://github.com/kaovilai)                       | [OpenShift](https://github.com/openshift)        |

@@ -27,3 +27,14 @@
 * JenTing Hsiao ([jenting](https://github.com/jenting))
 * Dave Smith-Uchida ([dsu-igeek](https://github.com/dsu-igeek))
 * Ming Qiu ([qiuming-best](https://github.com/qiuming-best))
+
+## Velero Contributors & Stakeholders
+
+| Feature Area           |                                         Lead                                         |
+|------------------------|:------------------------------------------------------------------------------------:|
+| Technical Lead         |               Daniel Jiang [reasonerjt](https://github.com/reasonerjt)               |
+| Kubernetes CSI Liaison |                                                                                      |
+| Deployment             |                                                                                      |
+| Community Management   |            Orlin Vasilev [OrlinVasilev](https://github.com/OrlinVasilev)             |
+| Product Management     | Pradeep Kumar Chaturvedi [pradeepkchaturvedi](https://github.com/pradeepkchaturvedi) |
+
@@ -34,9 +34,11 @@ REGISTRY ?= velero
 #        docker buildx create --name=velero-builder --driver=docker-container --bootstrap --use --config ./buildkitd.toml
 #      Refer to https://github.com/docker/buildx/issues/1370#issuecomment-1288516840 for more details
 INSECURE_REGISTRY ?= false
+GCR_REGISTRY ?= gcr.io/velero-gcp

 # Image name
 IMAGE ?= $(REGISTRY)/$(BIN)
+GCR_IMAGE ?= $(GCR_REGISTRY)/$(BIN)

 # We allow the Dockerfile to be configurable to enable the use of custom Dockerfiles
 # that pull base images from different registries.
@@ -65,7 +67,7 @@ endif
 BUILDER_IMAGE := $(REGISTRY)/build-image:$(BUILDER_IMAGE_TAG)
 BUILDER_IMAGE_CACHED := $(shell docker images -q ${BUILDER_IMAGE} 2>/dev/null )

-HUGO_IMAGE := ghcr.io/gohugoio/hugo
+HUGO_IMAGE := hugo-builder

 # Which architecture to build - see $(ALL_ARCH) for options.
 # if the 'local' rule is being run, detect the ARCH from 'go env'
@@ -79,8 +81,10 @@ TAG_LATEST ?= false

 ifeq ($(TAG_LATEST), true)
 	IMAGE_TAGS ?= $(IMAGE):$(VERSION) $(IMAGE):latest
+	GCR_IMAGE_TAGS ?= $(GCR_IMAGE):$(VERSION) $(GCR_IMAGE):latest
 else
 	IMAGE_TAGS ?= $(IMAGE):$(VERSION)
+	GCR_IMAGE_TAGS ?= $(GCR_IMAGE):$(VERSION)
 endif

 # check buildx is enabled only if docker is in path
@@ -105,11 +109,14 @@ see: https://velero.io/docs/main/build-from-source/#making-images-and-updating-v
 endef
 # comma cannot be escaped and can only be used in Make function arguments by putting into variable
 comma=,
+# The version of restic binary to be downloaded
+RESTIC_VERSION ?= 0.15.0

-CLI_PLATFORMS ?= linux-amd64 linux-arm linux-arm64 darwin-amd64 darwin-arm64 windows-amd64 linux-ppc64le linux-s390x
+CLI_PLATFORMS ?= linux-amd64 linux-arm linux-arm64 darwin-amd64 darwin-arm64 windows-amd64 linux-ppc64le
 BUILD_OUTPUT_TYPE ?= docker
 BUILD_OS ?= linux
 BUILD_ARCH ?= amd64
+BUILD_TAG_GCR ?= false
 BUILD_WINDOWS_VERSION ?= ltsc2022

 ifeq ($(BUILD_OUTPUT_TYPE), docker)
@@ -127,6 +134,9 @@ ALL_OS_ARCH.windows = $(foreach os, $(filter windows,$(ALL_OS)), $(foreach arch,
 ALL_OS_ARCH = $(ALL_OS_ARCH.linux)$(ALL_OS_ARCH.windows)

 ALL_IMAGE_TAGS = $(IMAGE_TAGS)
+ifeq ($(BUILD_TAG_GCR), true)
+	ALL_IMAGE_TAGS += $(GCR_IMAGE_TAGS)
+endif

 # set git sha and tree state
 GIT_SHA = $(shell git rev-parse HEAD)
@@ -211,7 +221,6 @@ shell: build-dirs build-env
 		-v "$$(pwd)/.go/std/$(GOOS)/$(GOARCH):/usr/local/go/pkg/$(GOOS)_$(GOARCH)_static:delegated" \
 		-v "$$(pwd)/.go/go-build:/.cache/go-build:delegated" \
 		-v "$$(pwd)/.go/golangci-lint:/.cache/golangci-lint:delegated" \
-        -v "$$(pwd)/.go/goimports:/.cache/goimports:delegated" \
 		-w /github.com/vmware-tanzu/velero \
 		$(BUILDER_IMAGE) \
 		/bin/sh $(CMD)
@@ -259,6 +268,7 @@ container-linux:
 	--build-arg=GIT_SHA=$(GIT_SHA) \
 	--build-arg=GIT_TREE_STATE=$(GIT_TREE_STATE) \
 	--build-arg=REGISTRY=$(REGISTRY) \
+	--build-arg=RESTIC_VERSION=$(RESTIC_VERSION) \
 	--provenance=false \
 	--sbom=false \
 	-f $(VELERO_DOCKERFILE) .
@@ -343,7 +353,7 @@ update-crd:

 build-dirs:
 	@mkdir -p _output/bin/$(GOOS)/$(GOARCH)
-	@mkdir -p .go/src/$(PKG) .go/pkg .go/bin .go/std/$(GOOS)/$(GOARCH) .go/go-build .go/golangci-lint .go/goimports
+	@mkdir -p .go/src/$(PKG) .go/pkg .go/bin .go/std/$(GOOS)/$(GOARCH) .go/go-build .go/golangci-lint

 build-env:
 	@# if we have overridden the value for the build-image Dockerfile,
@@ -449,7 +459,7 @@ release:
 serve-docs: build-image-hugo
 	docker run \
 	--rm \
-	-v "$$(pwd)/site:/project" \
+	-v "$$(pwd)/site:/srv/hugo" \
 	-it -p 1313:1313 \
 	$(HUGO_IMAGE) \
 	server --bind=0.0.0.0 --enableGitInfo=false
@@ -485,4 +495,4 @@ new-changelog:
 	fi
 	@mkdir -p ./changelogs/unreleased/ && \
 	echo $(CHANGELOG_BODY) > ./changelogs/unreleased/$(GH_PR_NUMBER)-$(GH_LOGIN) && \
-	echo \"$(CHANGELOG_BODY)\" added to "./changelogs/unreleased/$(GH_PR_NUMBER)-$(GH_LOGIN)"
+	echo \"$(CHANGELOG_BODY)\" added to "./changelogs/unreleased/$(GH_PR_NUMBER)-$(GH_LOGIN)"
@@ -1,7 +1,7 @@
 ![100]

 [![Build Status][1]][2] [![CII Best Practices](https://bestpractices.coreinfrastructure.org/projects/3811/badge)](https://bestpractices.coreinfrastructure.org/projects/3811)
-![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/velero-io/velero)
+![GitHub release (latest SemVer)](https://img.shields.io/github/v/release/vmware-tanzu/velero)

 ## Overview

@@ -42,39 +42,25 @@ The following is a list of the supported Kubernetes versions for each Velero ver

 | Velero version | Expected Kubernetes version compatibility | Tested on Kubernetes version        |
 |----------------|-------------------------------------------|-------------------------------------|
-| 1.18           | 1.18-latest                               | 1.33.7, 1.34.1, and 1.35.0          |
-| 1.17           | 1.18-latest                               | 1.31.7, 1.32.3, 1.33.1, and 1.34.0  |
 | 1.16           | 1.18-latest                               | 1.31.4, 1.32.3, and 1.33.0          |
 | 1.15           | 1.18-latest                               | 1.28.8, 1.29.8, 1.30.4 and 1.31.1   |
 | 1.14           | 1.18-latest                               | 1.27.9, 1.28.9, and 1.29.4          |
+| 1.13           | 1.18-latest                               | 1.26.5, 1.27.3, 1.27.8, and 1.28.3  |
+| 1.12           | 1.18-latest                               | 1.25.7, 1.26.5, 1.26.7, and 1.27.3  |
+| 1.11           | 1.18-latest                               | 1.23.10, 1.24.9, 1.25.5, and 1.26.1 |

 Velero supports IPv4, IPv6, and dual stack environments. Support for this was tested against Velero v1.8.

 The Velero maintainers are continuously working to expand testing coverage, but are not able to test every combination of Velero and supported Kubernetes versions for each Velero release. The table above is meant to track the current testing coverage and the expected supported Kubernetes versions for each Velero version.

-If you are interested in using a different version of Kubernetes with a given Velero version, we'd recommend that you perform testing before installing or upgrading your environment. For full information around capabilities within a release, also see the Velero [release notes](https://github.com/velero-io/velero/releases) or Kubernetes [release notes](https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG). See the Velero [support page](https://velero.io/docs/latest/support-process/) for information about supported versions of Velero.
+If you are interested in using a different version of Kubernetes with a given Velero version, we'd recommend that you perform testing before installing or upgrading your environment. For full information around capabilities within a release, also see the Velero [release notes](https://github.com/vmware-tanzu/velero/releases) or Kubernetes [release notes](https://github.com/kubernetes/kubernetes/tree/master/CHANGELOG). See the Velero [support page](https://velero.io/docs/latest/support-process/) for information about supported versions of Velero.

 For each release, Velero maintainers run the test to ensure the upgrade path from n-2 minor release.  For example, before the release of v1.10.x, the test will verify that the backup created by v1.9.x and v1.8.x can be restored using the build to be tagged as v1.10.x.

-## Cloud Native Computing Foundation
-<!-- remove sandbox once promoted -->
-Velero is a [Cloud Native Computing Foundation](https://www.cncf.io/) sandbox project.
-
-<p align="center">
-  <a href="https://www.cncf.io/">
-    <img src="https://raw.githubusercontent.com/cncf/artwork/main/other/cncf/horizontal/color/cncf-color.svg"
-         alt="Cloud Native Computing Foundation logo" width="300"/>
-  </a>
-</p>
-
-Copyright Contributors to Velero, established as Velero a Series of LF Projects, LLC.
-For website terms of use, trademark policy and other project policies please see
-<https://lfprojects.org/policies/>.
-
-[1]: https://github.com/velero-io/velero/workflows/Main%20CI/badge.svg
-[2]: https://github.com/velero-io/velero/actions?query=workflow%3A"Main+CI"
-[4]: https://github.com/velero-io/velero/issues
-[6]: https://github.com/velero-io/velero/releases
+[1]: https://github.com/vmware-tanzu/velero/workflows/Main%20CI/badge.svg
+[2]: https://github.com/vmware-tanzu/velero/actions?query=workflow%3A"Main+CI"
+[4]: https://github.com/vmware-tanzu/velero/issues
+[6]: https://github.com/vmware-tanzu/velero/releases
 [9]: https://kubernetes.io/docs/setup/
 [10]: https://kubernetes.io/docs/tasks/tools/install-kubectl/#install-with-homebrew-on-macos
 [11]: https://kubernetes.io/docs/tasks/tools/install-kubectl/#tabset-1
@@ -12,13 +12,13 @@ The Velero project maintains the following [governance document](https://github.

 Security is of the highest importance and all security vulnerabilities or suspected security vulnerabilities should be reported to Velero privately, to minimize attacks against current users of Velero before they are fixed. Vulnerabilities will be investigated and patched on the next patch (or minor) release as soon as possible. This information could be kept entirely internal to the project.  

-If you know of a publicly disclosed security vulnerability for Velero, please **IMMEDIATELY** contact the Security Team (velero-security.pdl@broadcom.com).
+If you know of a publicly disclosed security vulnerability for Velero, please **IMMEDIATELY** contact the VMware Security Team (security@vmware.com).

 

 **IMPORTANT: Do not file public issues on GitHub for security vulnerabilities**

-To report a vulnerability or a security-related issue, please contact the email address with the details of the vulnerability. The email will be fielded by the Security Team and then shared with the Velero maintainers who have committer and release permissions. Emails will be addressed within 3 business days, including a detailed plan to investigate the issue and any potential workarounds to perform in the meantime. Do not report non-security-impacting bugs through this channel. Use [GitHub issues](https://github.com/vmware-tanzu/velero/issues/new/choose) instead.
+To report a vulnerability or a security-related issue, please contact the VMware email address with the details of the vulnerability. The email will be fielded by the VMware Security Team and then shared with the Velero maintainers who have committer and release permissions. Emails will be addressed within 3 business days, including a detailed plan to investigate the issue and any potential workarounds to perform in the meantime. Do not report non-security-impacting bugs through this channel. Use [GitHub issues](https://github.com/vmware-tanzu/velero/issues/new/choose) instead.


 ## Proposed Email Content
@@ -29,7 +29,7 @@ Provide a descriptive subject line and in the body of the email include the foll

 *   Basic identity information, such as your name and your affiliation or company.
 *   Detailed steps to reproduce the vulnerability  (POC scripts, screenshots, and logs are all helpful to us).
-*   Description of the effects of the vulnerability on Velero and the related hardware and software configurations, so that the Security Team can reproduce it.
+*   Description of the effects of the vulnerability on Velero and the related hardware and software configurations, so that the VMware Security Team can reproduce it.
 *   How the vulnerability affects Velero usage and an estimation of the attack surface, if there is one.
 *   List other projects or dependencies that were used in conjunction with Velero to produce the vulnerability.

@@ -49,7 +49,7 @@ Provide a descriptive subject line and in the body of the email include the foll

 ## Patch, Release, and Disclosure

-The Security Team will respond to vulnerability reports as follows:
+The VMware Security Team will respond to vulnerability reports as follows:

 

@@ -62,7 +62,7 @@ The Security Team will respond to vulnerability reports as follows:
 5. The Security Team will also create a [CVSS](https://www.first.org/cvss/specification-document) using the [CVSS Calculator](https://www.first.org/cvss/calculator/3.0). The Security Team makes the final call on the calculated CVSS; it is better to move quickly than making the CVSS perfect. Issues may also be reported to [Mitre](https://cve.mitre.org/) using this [scoring calculator](https://nvd.nist.gov/vuln-metrics/cvss/v3-calculator). The CVE will initially be set to private.
 6. The Security Team will work on fixing the vulnerability and perform internal testing before preparing to roll out the fix.
 7. The Security Team will provide early disclosure of the vulnerability by emailing the [Velero Distributors](https://groups.google.com/u/1/g/projectvelero-distributors) mailing list. Distributors can initially plan for the vulnerability patch ahead of the fix, and later can test the fix and provide feedback to the Velero team. See the section **Early Disclosure to Velero Distributors List** for details about how to join this mailing list. 
-8. A public disclosure date is negotiated by the SecurityTeam, the bug submitter, and the distributors list. We prefer to fully disclose the bug as soon as possible once a user mitigation or patch is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for distributor coordination. The timeframe for disclosure is from immediate (especially if it’s already publicly known) to a few weeks. For a critical vulnerability with a straightforward mitigation, we expect the report date for the public disclosure date to be on the order of 14 business days. The Security Team holds the final say when setting a public disclosure date.
+8. A public disclosure date is negotiated by the VMware SecurityTeam, the bug submitter, and the distributors list. We prefer to fully disclose the bug as soon as possible once a user mitigation or patch is available. It is reasonable to delay disclosure when the bug or the fix is not yet fully understood, the solution is not well-tested, or for distributor coordination. The timeframe for disclosure is from immediate (especially if it’s already publicly known) to a few weeks. For a critical vulnerability with a straightforward mitigation, we expect the report date for the public disclosure date to be on the order of 14 business days. The VMware Security Team holds the final say when setting a public disclosure date.
 9. Once the fix is confirmed, the Security Team will patch the vulnerability in the next patch or minor release, and backport a patch release into all earlier supported releases. Upon release of the patched version of Velero, we will follow the **Public Disclosure Process**.


@@ -79,7 +79,7 @@ The Security Team will also publish any mitigating steps users can take until th



-*   Use velero-security.pdl@broadcom.com to report security concerns to the Security Team, who uses the list to privately discuss security issues and fixes prior to disclosure.
+*   Use security@vmware.com to report security concerns to the VMware Security Team, who uses the list to privately discuss security issues and fixes prior to disclosure.
 *   Join the [Velero Distributors](https://groups.google.com/u/1/g/projectvelero-distributors) mailing list for early private information and vulnerability disclosure. Early disclosure may include mitigating steps and additional information on security patch releases. See below for information on how Velero distributors or vendors can apply to join this list.


@@ -107,11 +107,11 @@ To be eligible to join the [Velero Distributors](https://groups.google.com/u/1/g

 ## Embargo Policy

-The information that members receive on the Velero Distributors mailing list must not be made public, shared, or even hinted at anywhere beyond those who need to know within your specific team, unless you receive explicit approval to do so from the Security Team. This remains true until the public disclosure date/time agreed upon by the list. Members of the list and others cannot use the information for any reason other than to get the issue fixed for your respective distribution's users.
+The information that members receive on the Velero Distributors mailing list must not be made public, shared, or even hinted at anywhere beyond those who need to know within your specific team, unless you receive explicit approval to do so from the VMware Security Team. This remains true until the public disclosure date/time agreed upon by the list. Members of the list and others cannot use the information for any reason other than to get the issue fixed for your respective distribution's users.

 Before you share any information from the list with members of your team who are required to fix the issue, these team members must agree to the same terms, and only be provided with information on a need-to-know basis.

-In the unfortunate event that you share information beyond what is permitted by this policy, you must urgently inform the Security Team (velero-security.pdl@broadcom.com) of exactly what information was leaked and to whom. If you continue to leak information and break the policy outlined here, you will be permanently removed from the list.
+In the unfortunate event that you share information beyond what is permitted by this policy, you must urgently inform the VMware Security Team (security@vmware.com) of exactly what information was leaked and to whom. If you continue to leak information and break the policy outlined here, you will be permanently removed from the list.

 

@@ -123,6 +123,6 @@ Send new membership requests to projectvelero-distributors@googlegroups.com. In

 ## Confidentiality, integrity and availability

-We consider vulnerabilities leading to the compromise of data confidentiality, elevation of privilege, or integrity to be our highest priority concerns. Availability, in particular in areas relating to DoS and resource exhaustion, is also a serious security concern. The Security Team takes all vulnerabilities, potential vulnerabilities, and suspected vulnerabilities seriously and will investigate them in an urgent and expeditious manner.
+We consider vulnerabilities leading to the compromise of data confidentiality, elevation of privilege, or integrity to be our highest priority concerns. Availability, in particular in areas relating to DoS and resource exhaustion, is also a serious security concern. The VMware Security Team takes all vulnerabilities, potential vulnerabilities, and suspected vulnerabilities seriously and will investigate them in an urgent and expeditious manner.

 Note that we do not currently consider the default settings for Velero to be secure-by-default. It is necessary for operators to explicitly configure settings, role based access control, and other resource related features in Velero to provide a hardened Velero environment. We will not act on any security disclosure that relates to a lack of safe defaults. Over time, we will work towards improved safe-by-default configuration, taking into account backwards compatibility.
@@ -52,7 +52,7 @@ git_sha = str(local("git rev-parse HEAD", quiet = True, echo_off = True)).strip(

 tilt_helper_dockerfile_header = """
 # Tilt image
-FROM golang:1.26 as tilt-helper
+FROM golang:1.23.7 as tilt-helper

 # Support live reloading with Tilt
 RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com/windmilleng/rerun-process-wrapper/master/restart.sh  && \
@@ -103,6 +103,11 @@ local_resource(
    deps = ["internal", "pkg/cmd"],
 )

+local_resource(
+    "restic_binary",
+    cmd = 'cd ' + '.' + ';mkdir -p _tiltbuild/restic; BIN=velero GOOS=linux GOARCH=amd64 GOARM="" RESTIC_VERSION=0.13.1 OUTPUT_DIR=_tiltbuild/restic ./hack/build-restic.sh',
+)
+
 # Note: we need a distro with a bash shell to exec into the Velero container
 tilt_dockerfile_header = """
 FROM ubuntu:22.04 as tilt
@@ -113,6 +118,7 @@ WORKDIR /
 COPY --from=tilt-helper /start.sh .
 COPY --from=tilt-helper /restart.sh .
 COPY velero .
+COPY restic/restic /usr/bin/restic
 """

 dockerfile_contents = "\n".join([
@@ -1,143 +0,0 @@
-## v1.17
-
-### Download
-https://github.com/vmware-tanzu/velero/releases/tag/v1.17.0
-
-### Container Image
-`velero/velero:v1.17.0`
-
-### Documentation
-https://velero.io/docs/v1.17/
-
-### Upgrading
-https://velero.io/docs/v1.17/upgrade-to-1.17/
-
-### Highlights
-#### Modernized fs-backup
-In v1.17, Velero fs-backup is modernized to the micro-service architecture, which brings below benefits:  
- Many features that were absent to fs-backup are now available, i.e., load concurrency control, cancel, resume on restart, etc.
- fs-backup is more robust, the running backup/restore could survive from node-agent restart; and the resource allocation is in a more granular manner, the failure of one backup/restore won't impact others.  
- The resource usage of node-agent is steady, especially, the node-agent pods won't request huge memory and hold it for a long time.  
-
-Check design https://github.com/vmware-tanzu/velero/blob/main/design/vgdp-micro-service-for-fs-backup/vgdp-micro-service-for-fs-backup.md for more details.  
-
-#### fs-backup support Windows cluster
-In v1.17, Velero fs-backup supports to backup/restore Windows workloads. By leveraging the new micro-service architecture for fs-backup, data mover pods could run in Windows nodes and backup/restore Windows volumes. Together with CSI snapshot data movement for Windows which is delivered in 1.16, Velero now supports Windows workload backup/restore in full scenarios.  
-Check design https://github.com/vmware-tanzu/velero/blob/main/design/vgdp-micro-service-for-fs-backup/vgdp-micro-service-for-fs-backup.md for more details.  
-
-#### Volume group snapshot support
-In v1.17, Velero supports [volume group snapshots](https://kubernetes.io/blog/2024/12/18/kubernetes-1-32-volume-group-snapshot-beta/) which is a beta feature in Kubernetes upstream, for both CSI snapshot backup and CSI snapshot data movement. This allows a snapshot to be taken from multiple volumes at the same point-in-time to achieve write order consistency, which is helpful to achieve better data consistency when multiple volumes being backed up are correlated.  
-Check the document https://velero.io/docs/main/volume-group-snapshots/ for more details.  
-
-#### Priority class support
-In v1.17, [Kubernetes priority class](https://kubernetes.io/docs/concepts/scheduling-eviction/pod-priority-preemption/#priorityclass) is supported for all modules across Velero. Specifically, users are allowed to configure priority class to Velero server, node-agent, data mover pods, backup repository maintenance jobs separately.  
-Check design https://github.com/vmware-tanzu/velero/blob/main/design/Implemented/priority-class-name-support_design.md for more details.  
-
-#### Scalability and Resiliency improvements of data movers
-##### Reduce excessive number of data mover pods in Pending state
-In v1.17, Velero allows users to set a `PrepareQueueLength` in the node-agent configuration, data mover pods and volumes out of this number won't be created until data path quota is available, so that excessive number cluster resources won't  be taken unnecessarily, which is particularly helpful for large scale environments. This improvement applies to all kinds of data movements, including fs-backup and CSI snapshot data movement.  
-Check design https://github.com/vmware-tanzu/velero/blob/main/design/node-agent-load-soothing.md for more details.  
-
-##### Enhancement on node-agent restart handling for data movements
-In v1.17, data movements in all phases could survive from node-agent restart and resume themselves; when a data movement gets orphaned in special cases, e.g., cluster node absent, it could also be canceled appropriately after the restart. This improvement applies to all kinds of data movements, including fs-backup and CSI snapshot data movement.  
-Check issue https://github.com/vmware-tanzu/velero/issues/8534 for more details.  
-
-##### CSI snapshot data movement restore node-selection and node-selection by storage class
-In v1.17, CSI snapshot data movement restore acquires the same node-selection capability as backup, that is, users could specify which nodes can/cannot run data mover pods for both backup and restore now. And users are also allowed to configure the node-selection per storage class, which is particularly helpful to the environments where a storage class are not usable by all cluster nodes.  
-Check issue https://github.com/vmware-tanzu/velero/issues/8186 and https://github.com/vmware-tanzu/velero/issues/8223 for more details.  
-
-#### Include/exclude policy support for resource policy
-In v1.17, Velero resource policy supports `includeExcludePolicy` besides the existing `volumePolicy`. This allows users to set include/exclude filters for resources in a resource policy configmap, so that these filters are reusable among multiple backups.  
-Check the document https://velero.io/docs/main/resource-filtering/#creating-resource-policies:~:text=resources%3D%22*%22-,Resource%20policies,-Velero%20provides%20resource for more details.  
-
-### Runtime and dependencies
-Golang runtime: 1.24.6  
-kopia: 0.21.1  
-
-### Limitations/Known issues
-
-### Breaking changes
-#### Deprecation of Restic
-According to [Velero deprecation policy](https://github.com/vmware-tanzu/velero/blob/main/GOVERNANCE.md#deprecation-policy), backup of fs-backup under Restic path is removed in v1.17, so `--uploader-type=restic` is not a valid installation configuration anymore. This means you cannot create a backup under Restic path, but you can still restore from the previous backups under Restic path until v1.19.  
-
-#### Repository maintenance job configurations are removed from Velero server parameter
-Since the repository maintenance job configurations are moved to repository maintenance job configMap, in v1.17 below Velero sever parameters are removed:
- --keep-latest-maintenance-jobs
- --maintenance-job-cpu-request
- --maintenance-job-mem-request
- --maintenance-job-cpu-limit
- --maintenance-job-mem-limit
-
-### All Changes
-  * Add ConfigMap parameters validation for install CLI and server start. (#9200, @blackpiglet)
-  * Add priorityclasses to high priority restore list (#9175, @kaovilai)
-  * Introduced context-based logger for backend implementations (Azure, GCS, S3, and Filesystem) (#9168, @priyansh17)
-  * Fix issue #9140, add os=windows:NoSchedule toleration for Windows pods (#9165, @Lyndon-Li)
-  * Remove the repository maintenance job parameters from velero server. (#9147, @blackpiglet)
-  * Add include/exclude policy to resources policy (#9145, @reasonerjt)
-  * Add ConfigMap support for keepLatestMaintenanceJobs with CLI parameter fallback (#9135, @shubham-pampattiwar)
-  * Fix the dd and du's node affinity issue. (#9130, @blackpiglet)
-  * Remove the WaitUntilVSCHandleIsReady from vs BIA. (#9124, @blackpiglet)
-  * Add comprehensive Volume Group Snapshots documentation with workflow diagrams and examples (#9123, @shubham-pampattiwar)
-  * Fix issue #9065, add doc for node-agent prepare queue length (#9118, @Lyndon-Li)
-  * Fix issue #9095, update restore doc for PVC selected-node (#9117, @Lyndon-Li)
-  * Update CSI Snapshot Data Movement doc for issue #8534, #8185 (#9113, @Lyndon-Li)
-  * Fix issue #8986, refactor fs-backup doc after VGDP Micro Service for fs-backup (#9112, @Lyndon-Li)
-  * Return error if timeout when checking server version (#9111, @ywk253100)
-  * Update "Default Volumes to Fs Backup" to "File System Backup (Default)" (#9105, @shubham-pampattiwar)
-  * Fix issue #9077, don't block backup deletion on list VS error (#9100, @Lyndon-Li)
-  * Bump up Kopia to v0.21.1 (#9098, @Lyndon-Li)
-  * Add imagePullSecrets inheritance for VGDP pod and maintenance job. (#9096, @blackpiglet)
-  * Avoid checking the VS and VSC status in the backup finalizing phase. (#9092, @blackpiglet)
-  * Fix issue #9053, Always remove selected-node annotation during PVC restore when no node mapping exists. Breaking change: Previously, the annotation was preserved if the node existed. (#9076, @Lyndon-Li)
-  * Enable parameterized kubelet mount path during node-agent installation (#9074, @longxiucai)
-  * Fix issue #8857, support third party tolerations for data mover pods (#9072, @Lyndon-Li)
-  * Fix issue #8813, remove restic from the valid uploader type (#9069, @Lyndon-Li)
-  * Fix issue #8185, allow users to disable pod volume host path mount for node-agent (#9068, @Lyndon-Li)
-  * Fix #8344, add the design for a mechanism to soothe creation of data mover pods for DataUpload, DataDownload, PodVolumeBackup and PodVolumeRestore (#9067, @Lyndon-Li)
-  * Fix #8344, add a mechanism to soothe creation of data mover pods for DataUpload, DataDownload, PodVolumeBackup and PodVolumeRestore (#9064, @Lyndon-Li)
-  * Add Gauge metric for BSL availability (#9059, @reasonerjt)
-  * Fix missing defaultVolumesToFsBackup flag output in Velero describe backup cmd (#9056, @shubham-pampattiwar)
-  * Allow for proper tracking of multiple hooks per container (#9048, @sseago)
-  * Make the backup repository controller doesn't invalidate the BSL on restart (#9046, @blackpiglet)
-  * Removed username/password credential handling from newConfigCredential as azidentity.UsernamePasswordCredentialOptions is reported as deprecated. (#9041, @priyansh17)
-  * Remove dependency with VolumeSnapshotClass in DataUpload. (#9040, @blackpiglet)
-  * Fix issue #8961, cancel PVB/PVR on Velero server restart (#9031, @Lyndon-Li)
-  * Fix issue #8962, resume PVB/PVR during node-agent restarts (#9030, @Lyndon-Li)
-  * Bump kopia v0.20.1 (#9027, @Lyndon-Li)
-  * Fix issue #8965, support PVB/PVR's cancel state in the backup/restore (#9026, @Lyndon-Li)
-  * Fix Issue 8816 When specifying LabelSelector on restore, related items such as PVC and VolumeSnapshot are not included (#9024, @amastbau)
-  * Fix issue #8963, add legacy PVR controller for Restic path (#9022, @Lyndon-Li)
-  * Fix issue #8964, add Windows support for VGDP MS for fs-backup (#9021, @Lyndon-Li)
-  * Accommodate VGS workflows in PVC CSI plugin (#9019, @shubham-pampattiwar)
-  * Fix issue #8958, add VGDP MS PVB controller (#9015, @Lyndon-Li)
-  * Fix issue #8959, add VGDP MS PVR controller (#9014, @Lyndon-Li)
-  * Fix issue #8988, add data path for VGDP ms PVR (#9005, @Lyndon-Li)
-  * Fix issue #8988, add data path for VGDP ms pvb (#8998, @Lyndon-Li)
-  * Skip VS and VSC not created by backup. (#8990, @blackpiglet)
-  * Make ResticIdentifier optional for kopia BackupRepositories (#8987, @kaovilai)
-  * Fix issue #8960, implement PodVolume exposer for PVB/PVR (#8985, @Lyndon-Li)
-  * fix: update mc command in minio-deployment example (#8982, @vishal-chdhry)
-  * Fix issue #8957, add design for VGDP MS for fs-backup (#8979, @Lyndon-Li)
-  * Add BSL status check for backup/restore operations. (#8976, @blackpiglet)
-  * Mark BackupRepository not ready when BSL changed (#8975, @ywk253100)
-  * Add support for [distributed snapshotting](https://github.com/kubernetes-csi/external-snapshotter/tree/4cedb3f45790ac593ebfa3324c490abedf739477?tab=readme-ov-file#distributed-snapshotting) (#8969, @flx5)
-  * Fix issue #8534, refactor dm controllers to tolerate cancel request in more cases, e.g., node restart, node drain (#8952, @Lyndon-Li)
-  * The backup and restore VGDP affinity enhancement implementation. (#8949, @blackpiglet)
-  * Remove CSI VS and VSC metadata from backup. (#8946, @blackpiglet)
-  * Extend PVCAction itemblock plugin to support grouping PVCs under VGS label key (#8944, @shubham-pampattiwar)
-  * Copy security context from origin pod (#8943, @farodin91)
-  * Add support for configuring VGS label key (#8938, @shubham-pampattiwar)
-  * Add VolumeSnapshotContent into the RIA and the mustHave resource list. (#8924, @blackpiglet)
-  * Mounted cloud credentials should not be world-readable (#8919, @sseago)
-  * Warn for not found error in patching managed fields (#8902, @sseago)
-  * Fix issue 8878, relief node os deduction error checks (#8891, @Lyndon-Li)
-  * Skip namespace in terminating state in backup resource collection. (#8890, @blackpiglet)
-  * Implement PriorityClass Support (#8883, @kaovilai)
-  * Fix Velero adding restore-wait init container when not needed. (#8880, @kaovilai)
-  * Pass the logger in kopia related operations. (#8875, @hu-keyu)
-  * Inherit the dnsPolicy and dnsConfig from the node agent pod. This is done so that the kopia task uses the same configuration. (#8845, @flx5)
-  * Add design for VolumeGroupSnapshot support (#8778, @shubham-pampattiwar)
-  * Inherit k8s default volumeSnapshotClass. (#8719, @hu-keyu)
-  * CLI automatically discovers and uses cacert from BSL for download requests (#8557, @kaovilai)
-  * This PR aims to add s390x support to Velero binary. (#7505, @pandurangkhandeparker)
@@ -1,109 +0,0 @@
-## v1.18
-
-### Download
-https://github.com/vmware-tanzu/velero/releases/tag/v1.18.0
-
-### Container Image
-`velero/velero:v1.18.0`
-
-### Documentation
-https://velero.io/docs/v1.18/
-
-### Upgrading
-https://velero.io/docs/v1.18/upgrade-to-1.18/
-
-### Highlights
-#### Concurrent backup
-In v1.18, Velero is capable to process multiple backups concurrently. This is a significant usability improvement, especially for multiple tenants or multiple users case, backups submitted from different users could run their backups simultaneously without interfering with each other.  
-
-Check design https://github.com/vmware-tanzu/velero/blob/main/design/Implemented/concurrent-backup-processing.md for more details.
-
-#### Cache volume for data movers
-In v1.18, Velero allows users to configure cache volumes for data mover pods during restore for CSI snapshot data movement and fs-backup. This brings below benefits:
- Solve the problem that data mover pods fail to when pod's ephemeral disk is limited
- Solve the problem that multiple data mover pods fail to run concurrently in one node when the node's ephemeral disk is limited
- Working together with backup repository's cache limit configuration, cache volume with appropriate size helps to improve the restore throughput
-
-Check design https://github.com/vmware-tanzu/velero/blob/main/design/Implemented/backup-repo-cache-volume.md for more details.
-
-#### Incremental size for data movers
-In v1.18, Velero allows users to observe the incremental size of data movers backups for CSI snapshot data movement and fs-backup, so that users could visually see the data reduction due to incremental backup.
-
-#### Wildcard support for namespaces
-In v1.18, Velero allows to use Glob regular expressions for namespace filters during backup and restore, so that users could filter namespaces in a batch manner.
-
-#### VolumePolicy for PVC phase
-In v1.18, Velero VolumePolicy supports actions by PVC phase, which help users to do special operations for PVCs with a specific phase, e.g., skip PVCs in Pending/Lost status from the backup.  
-
-#### Scalability and Resiliency improvements
-##### Prevent Velero server OOM Kill for large backup repositories
-In v1.18, some backup repository operations are delay executed out of Velero server, so Velero server won't be OOM Killed.
-
-#### Performance improvement for VolumePolicy
-In v1.18, VolumePolicy is enhanced for large number of pods/PVCs so that the performance is significantly improved.
-
-#### Events for data mover pod diagnostic
-In v1.18, events are recorded into data mover pod diagnostic, which allows user to see more information for troubleshooting when the data mover pod fails.
-
-### Runtime and dependencies
-Golang runtime: 1.25.7  
-kopia: 0.22.3
-
-### Limitations/Known issues
-
-### Breaking changes
-#### Deprecation of PVC selected node feature
-According to [Velero deprecation policy](https://github.com/vmware-tanzu/velero/blob/main/GOVERNANCE.md#deprecation-policy), PVC selected node feature is deprecated in v1.18. Velero could appropriately handle PVC's selected-node annotation, so users don't need to do anything particularly.
-
-### All Changes
-* Remove backup from running list when backup fails validation (#9498, @sseago)
-* Maintenance Job only uses the first element of the LoadAffinity array (#9494, @blackpiglet)
-* Fix issue #9478, add diagnose info on expose peek fails (#9481, @Lyndon-Li)
-* Add Role, RoleBinding, ClusterRole, and ClusterRoleBinding in restore sequence. (#9474, @blackpiglet)
-* Add maintenance job and data mover pod's labels and annotations setting. (#9452, @blackpiglet)
-* Fix plugin init container names exceeding DNS-1123 limit (#9445, @mpryc)
-* Add PVC-to-Pod cache to improve volume policy performance (#9441, @shubham-pampattiwar)
-* Remove VolumeSnapshotClass from CSI B/R process. (#9431, @blackpiglet)
-* Use hookIndex for recording multiple restore exec hooks. (#9366, @blackpiglet)
-* Sanitize Azure HTTP responses in BSL status messages (#9321, @shubham-pampattiwar)
-* Remove labels associated with previous backups (#9206, @Joeavaikath)
-* Add VolumePolicy support for PVC Phase conditions to allow skipping Pending PVCs (#9166, @claude)
-* feat: Enhance BackupStorageLocation with Secret-based CA certificate support (#9141, @kaovilai)
-* Add `--apply` flag to `install` command, allowing usage of Kubernetes apply to make changes to existing installs (#9132, @mjnagel)
-* Fix issue #9194, add doc for GOMAXPROCS behavior change (#9420, @Lyndon-Li)
-* Apply volume policies to VolumeGroupSnapshot PVC filtering (#9419, @shubham-pampattiwar)
-* Fix issue #9276, add doc for cache volume support (#9418, @Lyndon-Li)
-* Add Prometheus metrics for maintenance jobs (#9414, @shubham-pampattiwar)
-* Fix issue #9400, connect repo first time after creation so that init params could be written (#9407, @Lyndon-Li)
-* Cache volume for PVR (#9397, @Lyndon-Li)
-* Cache volume support for DataDownload (#9391, @Lyndon-Li)
-* don't copy securitycontext from first container if configmap found (#9389, @sseago)
-* Refactor repo provider interface for static configuration (#9379, @Lyndon-Li)
-* Fix issue #9365, prevent fake completion notification due to multiple update of single PVR (#9375, @Lyndon-Li)
-* Add cache volume configuration (#9370, @Lyndon-Li)
-* Track actual resource names for GenerateName in restore status (#9368, @shubham-pampattiwar)
-* Fix managed fields patch for resources using GenerateName (#9367, @shubham-pampattiwar)
-* Support cache volume for generic restore exposer and pod volume exposer (#9362, @Lyndon-Li)
-* Add incrementalSize to DU/PVB for reporting new/changed size (#9357, @sseago)
-* Add snapshotSize for DataDownload, PodVolumeRestore (#9354, @Lyndon-Li)
-* Add cache dir configuration for udmrepo (#9353, @Lyndon-Li)
-* Fix the Job build error when BackupReposiotry name longer than 63. (#9350, @blackpiglet)
-* Add cache configuration to VGDP (#9342, @Lyndon-Li)
-* Fix issue #9332, add bytesDone for cache files (#9333, @Lyndon-Li)
-* Fix typos in documentation (#9329, @T4iFooN-IX)
-* Concurrent backup processing (#9307, @sseago)
-* VerifyJSONConfigs verify every elements in Data. (#9302, @blackpiglet)
-* Fix issue #9267, add events to data mover prepare diagnostic (#9296, @Lyndon-Li)
-* Add option for privileged fs-backup pod (#9295, @sseago)
-* Fix issue #9193, don't connect repo in repo controller (#9291, @Lyndon-Li)
-* Implement concurrency control for cache of native VolumeSnapshotter plugin. (#9281, @0xLeo258)
-* Fix issue #7904, remove the code and doc for PVC node selection (#9269, @Lyndon-Li)
-* Fix schedule controller to prevent backup queue accumulation during extended blocking scenarios by properly handling empty backup phases (#9264, @shubham-pampattiwar)
-* Fix repository maintenance jobs to inherit allowlisted tolerations from Velero deployment (#9256, @shubham-pampattiwar)
-* Implement wildcard namespace pattern expansion for backup namespace includes/excludes. This change adds support for wildcard patterns (*, ?, [abc], {a,b,c}) in namespace includes and excludes during backup operations (#9255, @Joeavaikath)
-* Protect VolumeSnapshot field from race condition during multi-thread backup (#9248, @0xLeo258)
-* Update AzureAD Microsoft Authentication Library to v1.5.0 (#9244, @priyansh17)
-* Get pod list once per namespace in pvc IBA (#9226, @sseago)
-* Fix issue #7725, add design for backup repo cache configuration (#9148, @Lyndon-Li)
-* Fix issue #9229, don't attach backupPVC to the source node (#9233, @Lyndon-Li)
-* feat: Permit specifying annotations for the BackupPVC (#9173, @clementnuss)
@@ -1 +0,0 @@
-Include InitContainer configured as Sidecars when validating the existence of the target containers configured for the Backup Hooks
@@ -1 +0,0 @@
-Support all glob wildcard characters in namespace validation
@@ -1 +0,0 @@
-Fix VolumePolicy PVC phase condition filter for unbound PVCs (#9507)
@@ -1 +0,0 @@
-Fix VolumeGroupSnapshot restore failure with Ceph RBD CSI driver by creating stub VolumeGroupSnapshotContent during restore and looking up VolumeSnapshotClass by driver for credential support
@@ -1 +0,0 @@
-Add block data mover design for block level incremental backup by integrating with Kubernetes CBT
@@ -1 +0,0 @@
-Fix issue #9343, include PV topology to data mover pod affinities
@@ -1 +0,0 @@
-Fix issue #9496, support customized host os
@@ -1 +0,0 @@
-Add custom action type to volume policies
@@ -1 +0,0 @@
-If BIA return updateObj with SkipFromBackupAnnotation, treat it as skip the resource from backup.
@@ -1 +0,0 @@
-Issue #9544: Add test coverage for S3 bucket name in MRAP ARN notation and fix bucket validation to accept ARN format
@@ -1 +0,0 @@
-Wildcard namespaces: Log warning on empty resolution
@@ -1 +0,0 @@
-Fix issue #9475, use node-selector instead of nodName for generic restore
@@ -1 +0,0 @@
-Fix issue #9460, flush buffer before data mover completes
@@ -1 +0,0 @@
-Add schedule_expected_interval_seconds metric for dynamic backup alerting thresholds (#9559)
@@ -1 +0,0 @@
-Add ephemeral storage limit and request support for data mover and maintenance job
@@ -1 +0,0 @@
-Fix DBR stuck when CSI snapshot no longer exists in cloud provider
@@ -1 +0,0 @@
-update go-hclog to current version
@@ -1 +0,0 @@
-Add check for file extraction from tarball.
@@ -1 +0,0 @@
-Implement original VolumeSnapshotContent deletion for legacy backups
@@ -1 +0,0 @@
-Fix issue #9626, let go for uninitialized repo under readonly mode
@@ -1 +0,0 @@
-Fix issue #9636, fix configmap lookup in non-default namespaces
@@ -1 +0,0 @@
-Fix issue #9641, Remove redundant ReadyToUse polling in CSI VolumeSnapshotContent delete plugin
@@ -1 +0,0 @@
-Fix service restore with null healthCheckNodePort in last-applied-configuration label
@@ -1 +0,0 @@
-Fix issue #9658, Honor --stderrthreshold when --logtostderr is enabled
@@ -1 +0,0 @@
-Fix issue #9659, in the case that PVB/PVR/DU/DD is cancelled before the data path is really started, call EndEvent to prevent data mover pod from crashing because of delay event distribution
@@ -1 +0,0 @@
-Fix issue #9666, fix node-agent node detection in multiple instances scenario
@@ -1 +0,0 @@
-Fix issue #9470, remove restic from repository
@@ -1 +0,0 @@
-Fix issue #9469, remove restic for uploader
@@ -1 +0,0 @@
-Fix issue #9681, fix restores and podvolumerestores list options to only list in installed namespace
@@ -1 +0,0 @@
-Fix issue #9428, increase repo maintenance history queue length from 3 to 25
@@ -1 +0,0 @@
-Fix wildcard expansion when includes is empty and excludes has wildcards
@@ -1 +0,0 @@
-Enhance backup deletion logic to handle tarball download failures
@@ -1 +0,0 @@
-Bump external-snapshotter to v8.4.0 and migrate VolumeGroupSnapshot API from v1beta1 to v1beta2 for Kubernetes 1.34+ compatibility
@@ -1 +0,0 @@
-Fix issue #9699, add a 2-second gap between temporary CSI VolumeSnapshotContent create and delete operations
@@ -1 +0,0 @@
-Update Debian base image from bookworm to trixie
@@ -1 +0,0 @@
-Fix issue #9703, fix CSI PVC Backup Plugin list options to only list in installed namespace
@@ -1 +0,0 @@
-perf: better string concatenation
@@ -1 +0,0 @@
-Fix issue #9709, add interfaces for CBT service and CBT bitmap
@@ -1 +0,0 @@
-Fix issue #9723, extend Unified Repo Interface to support block uploader
@@ -1 +0,0 @@
-Remove Restic build from Dockerfile, Makefile and Tiltfile.
@@ -1 +0,0 @@
-Remove Restic code path from PodVolumeRestore.
@@ -1 +0,0 @@
-Add CBT bitmap implementation for block data mover
@@ -1 +0,0 @@
-fix: lint permission issue
@@ -1 +0,0 @@
-Fix DataUploadDeleteAction creating snapshot-info ConfigMaps labeled with the wrong backup name when a DataUpload CR from another backup is incidentally captured in the backup tarball, which caused Kopia snapshots to be leaked in object storage on expiry of the real owning backup.
@@ -1 +0,0 @@
-Restores from backups not in a completed or partially failed phase are now rejected.
@@ -1 +0,0 @@
-Uploader interface for block data mover
@@ -1 +0,0 @@
-Add Kopia repo snapshot operations for block data mover
@@ -1 +0,0 @@
-Add metadata operation to Kopia repo for block data mover
@@ -1 +0,0 @@
-Data path naming adjustment for block data mover
@@ -1 +0,0 @@
-Fix issue #9811, add interface to support ClusterScopedFilterPolicy and NamespacedFilterPolicy
@@ -1 +0,0 @@
-Fix issue #9812, validate ClusterScopedFilterPolicy and NamespacedFilterPolicy incompatible with legacy filters 
@@ -1 +0,0 @@
-Replace vmware-tanzu/velero GitHub org references with velero-io/velero (#9844)
@@ -1 +0,0 @@
-Fix issue #9823, add incremental aware object writer for block data mover
@@ -1 +0,0 @@
-Implement the CBT service.
@@ -1 +0,0 @@
-Fix issue #9813, add validations for ClusterScopedFilterPolicy
@@ -1 +0,0 @@
-Fix issue #9814, add validations for NamespacedFilterPolicies
@@ -1 +0,0 @@
-Add the Write implementation for incremental aware object writer
@@ -1 +0,0 @@
-Remove restic command package
@@ -1 +0,0 @@
-Enhance backup exposer for block data mover
@@ -1 +0,0 @@
-Add cbt service parameters to node-agent-config for block data mover
@@ -1 +0,0 @@
-Remove Restic cases and workflow from E2E
@@ -1 +0,0 @@
-Add totalSize to repo snapshot operation; and pin unified repo snapshots to Kopia repository and so pin them with Velero backup lifecycle
@@ -1 +0,0 @@
-Fix issue #9816, add cli support for backup with ClusterScopedFilterPolicy and NamespacedFilterPolicies
@@ -1 +0,0 @@
-Make ToSystemAffinity deterministic by sorting MatchLabels keys to avoid spurious affinity spec diffs and restarts
@@ -35,7 +35,7 @@ func main() {
 	for {
 		<-ticker.C
 		if done() {
-			fmt.Println("All PodVolumeRestores are done")
+			fmt.Println("All restic restores are done")
 			err := removeFolder()
 			if err != nil {
 				fmt.Println(err)
@@ -65,7 +65,6 @@ func done() bool {

 		doneFile := filepath.Join("/restores", child.Name(), ".velero", os.Args[1])

-		// #nosec G304,G703 -- doneFile is generated from internal logic and not user-controllable.
 		if _, err := os.Stat(doneFile); os.IsNotExist(err) {
 			fmt.Printf("The filesystem restore done file %s is not found yet. Retry later.\n", doneFile)
 			return false
@@ -69,7 +69,9 @@ spec:
                - ""
                type: string
              resticIdentifier:
-                description: Deprecated
+                description: |-
+                  ResticIdentifier is the full restic-compatible string for identifying
+                  this repository.
                type: string
              volumeNamespace:
                description: |-
@@ -79,6 +81,7 @@ spec:
            required:
            - backupStorageLocation
            - maintenanceFrequency
+            - resticIdentifier
            - volumeNamespace
            type: object
          status:
@@ -507,10 +507,6 @@ spec:
                      uploads to perform when using the uploader.
                    type: integer
                type: object
-              volumeGroupSnapshotLabelKey:
-                description: VolumeGroupSnapshotLabelKey specifies the label key to
-                  group PVCs under a VGS.
-                type: string
              volumeSnapshotLocations:
                description: VolumeSnapshotLocations is a list containing names of
                  VolumeSnapshotLocations associated with this backup.
@@ -594,8 +590,6 @@ spec:
                description: Phase is the current state of the Backup.
                enum:
                - New
-                - Queued
-                - ReadyToStart
                - FailedValidation
                - InProgress
                - WaitingForPluginOperations
@@ -627,11 +621,6 @@ spec:
                      filters that happen as items are processed.
                    type: integer
                type: object
-              queuePosition:
-                description: |-
-                  QueuePosition is the position of the backup in the queue.
-                  Only relevant when Phase is "Queued"
-                type: integer
              startTimestamp:
                description: |-
                  StartTimestamp records the time a backup was started.
@@ -113,38 +113,10 @@ spec:
                    description: Bucket is the bucket to use for object storage.
                    type: string
                  caCert:
-                    description: |-
-                      CACert defines a CA bundle to use when verifying TLS connections to the provider.
-                      Deprecated: Use CACertRef instead.
+                    description: CACert defines a CA bundle to use when verifying
+                      TLS connections to the provider.
                    format: byte
                    type: string
-                  caCertRef:
-                    description: |-
-                      CACertRef is a reference to a Secret containing the CA certificate bundle to use
-                      when verifying TLS connections to the provider. The Secret must be in the same
-                      namespace as the BackupStorageLocation.
-                    properties:
-                      key:
-                        description: The key of the secret to select from.  Must be
-                          a valid secret key.
-                        type: string
-                      name:
-                        default: ""
-                        description: |-
-                          Name of the referent.
-                          This field is effectively required, but due to backwards compatibility is
-                          allowed to be empty. Instances of this type with an empty value here are
-                          almost certainly wrong.
-                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        type: string
-                      optional:
-                        description: Specify whether the Secret or its key must be
-                          defined
-                        type: boolean
-                    required:
-                    - key
-                    type: object
-                    x-kubernetes-map-type: atomic
                  prefix:
                    description: Prefix is the path inside a bucket to use for Velero
                      storage. Optional.
--- a/Show More
+++ b/Show More
Author	SHA1	Message	Date
lyndon-li	3df026ffdb	Merge pull request #8834 from Lyndon-Li/release-1.16 Run the E2E test on kind / build (push) Failing after 6m12s Details Run the E2E test on kind / setup-test-matrix (push) Successful in 3s Details Run the E2E test on kind / run-e2e-test (push) Has been skipped Details Main CI / Build (push) Failing after 37s Details Pin velero image for 1.16.0	2025-03-31 15:15:43 +08:00
Lyndon-Li	406a730c2a	pin velero image Signed-off-by: Lyndon-Li <lyonghui@vmware.com>	2025-03-31 13:39:27 +08:00
				`@@ -1 +0,0 @@`
				`Include InitContainer configured as Sidecars when validating the existence of the target containers configured for the Backup Hooks`
				`@@ -1 +0,0 @@`
				`Support all glob wildcard characters in namespace validation`
				`@@ -1 +0,0 @@`
				`Fix VolumePolicy PVC phase condition filter for unbound PVCs (#9507)`
				`@@ -1 +0,0 @@`
				`Fix VolumeGroupSnapshot restore failure with Ceph RBD CSI driver by creating stub VolumeGroupSnapshotContent during restore and looking up VolumeSnapshotClass by driver for credential support`
				`@@ -1 +0,0 @@`
				`Add block data mover design for block level incremental backup by integrating with Kubernetes CBT`
				`@@ -1 +0,0 @@`
				`Fix issue #9343, include PV topology to data mover pod affinities`
				`@@ -1 +0,0 @@`
				`Fix issue #9496, support customized host os`
				`@@ -1 +0,0 @@`
				`If BIA return updateObj with SkipFromBackupAnnotation, treat it as skip the resource from backup.`
				`@@ -1 +0,0 @@`
				`Issue #9544: Add test coverage for S3 bucket name in MRAP ARN notation and fix bucket validation to accept ARN format`