Rename changelog to 9898 and verify callers

This commit updates the doc to make the order of resources during
restore is consistent with the code.

Signed-off-by: Daniel Jiang <daniel.jiang@broadcom.com>

.github/workflows/pr-ci-check.yml

@@ -24,7 +24,7 @@ jobs:
       - name: Make ci
         run: make ci
       - name: Upload test coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: coverage.out

.github/workflows/push.yml

@@ -45,7 +45,7 @@ jobs:
       - name: Test
         run: make test
       - name: Upload test coverage
-        uses: codecov/codecov-action@v5
+        uses: codecov/codecov-action@v6
         with:
           token: ${{ secrets.CODECOV_TOKEN }}
           files: coverage.out

changelogs/unreleased/9792-subhramit

@@ -0,0 +1 @@
+Restores from backups not in a completed or partially failed phase are now rejected.

changelogs/unreleased/9847-adam-jian-zhang

@@ -0,0 +1 @@
+Fix issue #9813, add validations for ClusterScopedFilterPolicy

changelogs/unreleased/9881-adam-jian-zhang

@@ -0,0 +1 @@
+Fix issue #9816, add cli support for backup with ClusterScopedFilterPolicy and NamespacedFilterPolicies

changelogs/unreleased/9898-kaovilai

@@ -0,0 +1 @@
+Make ToSystemAffinity deterministic by sorting MatchLabels keys to avoid spurious affinity spec diffs and restarts

hack/build-image/Dockerfile

@@ -96,7 +96,9 @@ RUN ARCH=$(go env GOARCH) && \
     chmod +x /usr/bin/goreleaser
 
 # get golangci-lint
-RUN curl -sSfL https://raw.githubusercontent.com/golangci/golangci-lint/HEAD/install.sh | sh -s -- -b $(go env GOPATH)/bin v2.5.0
+# Use "go install" so the download goes through GOPROXY instead of the GitHub
+# release API/CDN, which has been returning intermittent/persistent HTTP 504s.
+RUN go install github.com/golangci/golangci-lint/v2/cmd/golangci-lint@v2.5.0
 
 # install kubectl
 RUN curl -LO https://storage.googleapis.com/kubernetes-release/release/$(curl -s https://storage.googleapis.com/kubernetes-release/release/stable.txt)/bin/linux/$(go env GOARCH)/kubectl

internal/resourcepolicies/resource_policies.go

@@ -261,6 +261,10 @@ func (p *Policies) Validate() error {
 		}
 	}
 
+	if err := p.validateClusterScopedFilterPolicy(); err != nil {
+		return errors.WithStack(err)
+	}
+
 	if err := p.validateNamespacedFilterPolicies(); err != nil {
 		return errors.WithStack(err)
 	}
@@ -414,3 +418,44 @@ func (p *Policies) validateNamespacedFilterPolicies() error {
 
 	return nil
 }
+
+func (p *Policies) validateClusterScopedFilterPolicy() error {
+	if p.clusterScopedFilterPolicy == nil {
+		return nil
+	}
+
+	if len(p.clusterScopedFilterPolicy.ResourceFilters) == 0 {
+		return fmt.Errorf("clusterScopedFilterPolicy: resourceFilters cannot be empty; remove the policy block entirely if it is not needed")
+	}
+
+	seenKinds := make(map[string]int)
+	for j, rf := range p.clusterScopedFilterPolicy.ResourceFilters {
+		if rf.IsCatchAll() {
+			return fmt.Errorf("clusterScopedFilterPolicy.resourceFilters[%d]: kinds must be specified (catch-all is not supported)", j)
+		}
+
+		for _, kind := range rf.Kinds {
+			if prevJ, ok := seenKinds[kind]; ok {
+				return fmt.Errorf("clusterScopedFilterPolicy: kind %q appears in both resourceFilters[%d] and resourceFilters[%d]", kind, prevJ, j)
+			}
+			seenKinds[kind] = j
+		}
+
+		if len(rf.LabelSelector) > 0 && len(rf.OrLabelSelectors) > 0 {
+			return fmt.Errorf("clusterScopedFilterPolicy.resourceFilters[%d]: labelSelector and orLabelSelectors cannot co-exist", j)
+		}
+
+		for k, pattern := range rf.Names {
+			if _, err := glob.Compile(pattern); err != nil {
+				return fmt.Errorf("clusterScopedFilterPolicy.resourceFilters[%d].names[%d]: invalid glob pattern %q: %v", j, k, pattern, err)
+			}
+		}
+		for k, pattern := range rf.ExcludedNames {
+			if _, err := glob.Compile(pattern); err != nil {
+				return fmt.Errorf("clusterScopedFilterPolicy.resourceFilters[%d].excludedNames[%d]: invalid glob pattern %q: %v", j, k, pattern, err)
+			}
+		}
+	}
+
+	return nil
+}

internal/resourcepolicies/resource_policies_test.go

@@ -1536,3 +1536,147 @@ namespacedFilterPolicies:
 	assert.Equal(t, []string{"team-*", "another-pattern"}, policy2.Namespaces)
 	assert.Equal(t, []string{"Deployment", "Service"}, policy2.ResourceFilters[0].Kinds)
 }
+
+func TestClusterScopedFilterPolicies(t *testing.T) {
+	testCases := []struct {
+		name     string
+		yamlData string
+		wantErr  bool
+		errMsg   string
+	}{
+		{
+			name: "valid - single kind with names",
+			yamlData: `version: v1
+clusterScopedFilterPolicy:
+  resourceFilters:
+  - kinds: ["ClusterRole"]
+    names: ["my-app-*"]`,
+			wantErr: false,
+		},
+		{
+			name: "valid - multi-kind with labelSelector",
+			yamlData: `version: v1
+clusterScopedFilterPolicy:
+  resourceFilters:
+  - kinds: ["ClusterRole", "ClusterRoleBinding"]
+    labelSelector:
+      app: my-app`,
+			wantErr: false,
+		},
+		{
+			name: "valid - orLabelSelectors",
+			yamlData: `version: v1
+clusterScopedFilterPolicy:
+  resourceFilters:
+  - kinds: ["CustomResourceDefinition"]
+    orLabelSelectors:
+    - app: my-app
+    - app: other-app`,
+			wantErr: false,
+		},
+		{
+			name: "valid - excludedNames",
+			yamlData: `version: v1
+clusterScopedFilterPolicy:
+  resourceFilters:
+  - kinds: ["ClusterRole"]
+    names: ["my-*"]
+    excludedNames: ["my-debug-*"]`,
+			wantErr: false,
+		},
+		{
+			name: "invalid - empty resourceFilters",
+			yamlData: `version: v1
+clusterScopedFilterPolicy:
+  resourceFilters: []`,
+			wantErr: true,
+			errMsg:  "resourceFilters cannot be empty; remove the policy block entirely if it is not needed",
+		},
+		{
+			name: "invalid - empty kinds in clusterScopedFilterPolicy",
+			yamlData: `version: v1
+clusterScopedFilterPolicy:
+  resourceFilters:
+  - kinds: []
+    names: ["my-app-*"]`,
+			wantErr: true,
+			errMsg:  "kinds must be specified",
+		},
+		{
+			name: "invalid - asterisk kinds (explicit catch-all) in clusterScopedFilterPolicy",
+			yamlData: `version: v1
+clusterScopedFilterPolicy:
+  resourceFilters:
+  - kinds: ["*"]
+    labelSelector:
+      app: my-app`,
+			wantErr: true,
+			errMsg:  "kinds must be specified",
+		},
+		{
+			name: "invalid - duplicate kinds across entries",
+			yamlData: `version: v1
+clusterScopedFilterPolicy:
+  resourceFilters:
+  - kinds: ["ClusterRole"]
+    names: ["my-app-*"]
+  - kinds: ["ClusterRole"]
+    labelSelector:
+      app: other`,
+			wantErr: true,
+			errMsg:  `kind "ClusterRole" appears in both`,
+		},
+		{
+			name: "invalid - labelSelector and orLabelSelectors co-exist",
+			yamlData: `version: v1
+clusterScopedFilterPolicy:
+  resourceFilters:
+  - kinds: ["ClusterRole"]
+    labelSelector:
+      app: my-app
+    orLabelSelectors:
+    - app: other`,
+			wantErr: true,
+			errMsg:  "labelSelector and orLabelSelectors cannot co-exist",
+		},
+		{
+			name: "invalid - bad glob in names",
+			yamlData: `version: v1
+clusterScopedFilterPolicy:
+  resourceFilters:
+  - kinds: ["ClusterRole"]
+    names: ["[invalid"]`,
+			wantErr: true,
+			errMsg:  "invalid glob pattern",
+		},
+		{
+			name: "invalid - bad glob in excludedNames",
+			yamlData: `version: v1
+clusterScopedFilterPolicy:
+  resourceFilters:
+  - kinds: ["ClusterRole"]
+    excludedNames: ["[bad"]`,
+			wantErr: true,
+			errMsg:  "invalid glob pattern",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			resPolicies, err := unmarshalResourcePolicies(&tc.yamlData)
+			require.NoError(t, err)
+
+			policies := &Policies{}
+			err = policies.BuildPolicy(resPolicies)
+			require.NoError(t, err)
+
+			err = policies.Validate()
+			if tc.wantErr {
+				require.Error(t, err)
+				assert.Contains(t, err.Error(), tc.errMsg)
+			} else {
+				require.NoError(t, err)
+			}
+		})
+	}
+}

pkg/cmd/util/output/backup_describer.go

@@ -21,6 +21,7 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"sort"
 	"strconv"
 	"strings"
@@ -30,6 +31,7 @@ import (
 
 	snapshotv1api "github.com/kubernetes-csi/external-snapshotter/client/v8/apis/volumesnapshot/v1"
 	"github.com/pkg/errors"
+	"github.com/sirupsen/logrus"
 
 	"github.com/fatih/color"
 	kbclient "sigs.k8s.io/controller-runtime/pkg/client"
@@ -40,6 +42,7 @@ import (
 	"github.com/vmware-tanzu/velero/pkg/cmd/util/downloadrequest"
 	"github.com/vmware-tanzu/velero/pkg/itemoperation"
 
+	"github.com/vmware-tanzu/velero/internal/resourcepolicies"
 	"github.com/vmware-tanzu/velero/internal/volume"
 	"github.com/vmware-tanzu/velero/pkg/util/collections"
 	"github.com/vmware-tanzu/velero/pkg/util/results"
@@ -91,6 +94,9 @@ func DescribeBackup(
 		if backup.Spec.ResourcePolicy != nil {
 			d.Println()
 			DescribeResourcePolicies(d, backup.Spec.ResourcePolicy)
+
+			// Display fine-grained filter policies if they exist
+			DescribeFineGrainedFilterPolicies(ctx, kbClient, d, backup)
 		}
 
 		if backup.Spec.UploaderConfig != nil && backup.Spec.UploaderConfig.ParallelFilesUpload > 0 {
@@ -130,6 +136,119 @@ func DescribeResourcePolicies(d *Describer, resPolicies *corev1api.TypedLocalObj
 	d.Printf("\tName:\t%s\n", resPolicies.Name)
 }
 
+// DescribeFineGrainedFilterPolicies describes cluster-scoped and namespace-scoped filter policies if present
+func DescribeFineGrainedFilterPolicies(ctx context.Context, kbClient kbclient.Client, d *Describer, backup *velerov1api.Backup) {
+	if backup.Spec.ResourcePolicy == nil {
+		return
+	}
+
+	// Create a discard logger for the resource policies function since this is CLI output context
+	discardLogger := logrus.New()
+	discardLogger.Out = io.Discard
+
+	resourcePolicies, err := resourcepolicies.GetResourcePoliciesFromBackup(*backup, kbClient, discardLogger)
+	if err != nil {
+		// Don't fail the describe if we can't read policies, just skip
+		return
+	}
+
+	if resourcePolicies == nil {
+		return
+	}
+
+	clusterScopedFilterPolicy := resourcePolicies.GetClusterScopedFilterPolicy()
+	if clusterScopedFilterPolicy != nil {
+		d.Printf("\nCluster Scoped Filter Policy:\n")
+		d.Printf("  Resource Filters:\n")
+		for _, rf := range clusterScopedFilterPolicy.ResourceFilters {
+			kindsStr := strings.Join(rf.Kinds, ", ")
+			d.Printf("    %s:\n", kindsStr)
+
+			// Label selector
+			if len(rf.LabelSelector) > 0 {
+				selectorStr := formatLabelMap(rf.LabelSelector)
+				d.Printf("      Label selector:     %s\n", selectorStr)
+			} else if len(rf.OrLabelSelectors) > 0 {
+				var orStrs []string
+				for _, ols := range rf.OrLabelSelectors {
+					orStrs = append(orStrs, formatLabelMap(ols))
+				}
+				d.Printf("      OR label selectors: [%s]\n", strings.Join(orStrs, ", "))
+			} else {
+				d.Printf("      Label selector:     <none>\n")
+			}
+
+			// Name patterns
+			if len(rf.Names) > 0 {
+				d.Printf("      Included names:     [%s]\n", strings.Join(rf.Names, ", "))
+			} else {
+				d.Printf("      Included names:     <none>\n")
+			}
+
+			if len(rf.ExcludedNames) > 0 {
+				d.Printf("      Excluded names:     [%s]\n", strings.Join(rf.ExcludedNames, ", "))
+			} else {
+				d.Printf("      Excluded names:     <none>\n")
+			}
+		}
+	}
+
+	nfPolicies := resourcePolicies.GetNamespacedFilterPolicies()
+	if len(nfPolicies) > 0 {
+		d.Printf("\nNamespace-Scoped Filter Policies:\n")
+		for _, policy := range nfPolicies {
+			for _, ns := range policy.Namespaces {
+				d.Printf("  %s:\n", ns)
+				d.Printf("    Resource Filters:\n")
+				for _, rf := range policy.ResourceFilters {
+					var kindsStr string
+					if rf.IsCatchAll() {
+						kindsStr = "<catch-all> (all other kinds)"
+					} else {
+						kindsStr = strings.Join(rf.Kinds, ", ")
+					}
+					d.Printf("      %s:\n", kindsStr)
+
+					// Label selector
+					if len(rf.LabelSelector) > 0 {
+						selectorStr := formatLabelMap(rf.LabelSelector)
+						d.Printf("        Label selector:     %s\n", selectorStr)
+					} else if len(rf.OrLabelSelectors) > 0 {
+						var orStrs []string
+						for _, ols := range rf.OrLabelSelectors {
+							orStrs = append(orStrs, formatLabelMap(ols))
+						}
+						d.Printf("        OR label selectors: [%s]\n", strings.Join(orStrs, ", "))
+					} else {
+						d.Printf("        Label selector:     <none>\n")
+					}
+
+					// Name patterns
+					if len(rf.Names) > 0 {
+						d.Printf("        Included names:     [%s]\n", strings.Join(rf.Names, ", "))
+					} else {
+						d.Printf("        Included names:     <none>\n")
+					}
+
+					if len(rf.ExcludedNames) > 0 {
+						d.Printf("        Excluded names:     [%s]\n", strings.Join(rf.ExcludedNames, ", "))
+					} else {
+						d.Printf("        Excluded names:     <none>\n")
+					}
+				}
+			}
+		}
+	}
+}
+
+func formatLabelMap(labelMap map[string]string) string {
+	var pairs []string
+	for k, v := range labelMap {
+		pairs = append(pairs, fmt.Sprintf("%s=%s", k, v))
+	}
+	return strings.Join(pairs, ",")
+}
+
 // DescribeUploaderConfigForBackup describes uploader config in human-readable format
 func DescribeUploaderConfigForBackup(d *Describer, spec velerov1api.BackupSpec) {
 	d.Printf("Uploader config:\n")

pkg/cmd/util/output/backup_describer_test.go

@@ -18,6 +18,7 @@ package output
 
 import (
 	"bytes"
+	"context"
 	"testing"
 	"text/tabwriter"
 	"time"
@@ -25,6 +26,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1api "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	"github.com/vmware-tanzu/velero/internal/volume"
 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
@@ -866,3 +869,85 @@ func TestDescribeBackupItemOperation(t *testing.T) {
 	d.out.Flush()
 	assert.Equal(t, expected, d.buf.String())
 }
+
+func TestDescribeFineGrainedFilterPolicies(t *testing.T) {
+	yamlData := `
+version: v1
+clusterScopedFilterPolicy:
+  resourceFilters:
+  - kinds: ["StorageClass"]
+    labelSelector: {"app": "velero"}
+  - kinds: ["ClusterRole"]
+    orLabelSelectors:
+    - {"app": "velero"}
+    - {"app": "test"}
+    names: ["role1"]
+    excludedNames: ["role2"]
+namespacedFilterPolicies:
+- namespaces: ["ns1", "ns2"]
+  resourceFilters:
+  - kinds: ["Pod", "ConfigMap"]
+    labelSelector: {"app": "velero"}
+  - kinds: ["*"]
+`
+	cm := &corev1api.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-policy",
+			Namespace: "velero",
+		},
+		Data: map[string]string{
+			"policy.yaml": yamlData,
+		},
+	}
+
+	client := fake.NewClientBuilder().WithRuntimeObjects(cm).Build()
+
+	backup := builder.ForBackup("velero", "test-backup").
+		ResourcePolicies("test-policy").Result()
+
+	d := &Describer{
+		Prefix: "",
+		out:    &tabwriter.Writer{},
+		buf:    &bytes.Buffer{},
+	}
+	d.out.Init(d.buf, 0, 8, 2, ' ', 0)
+
+	DescribeFineGrainedFilterPolicies(context.Background(), client, d, backup)
+	d.out.Flush()
+
+	expected := `
+Cluster Scoped Filter Policy:
+  Resource Filters:
+    StorageClass:
+      Label selector:     app=velero
+      Included names:     <none>
+      Excluded names:     <none>
+    ClusterRole:
+      OR label selectors: [app=velero, app=test]
+      Included names:     [role1]
+      Excluded names:     [role2]
+
+Namespace-Scoped Filter Policies:
+  ns1:
+    Resource Filters:
+      Pod, ConfigMap:
+        Label selector:     app=velero
+        Included names:     <none>
+        Excluded names:     <none>
+      <catch-all> (all other kinds):
+        Label selector:     <none>
+        Included names:     <none>
+        Excluded names:     <none>
+  ns2:
+    Resource Filters:
+      Pod, ConfigMap:
+        Label selector:     app=velero
+        Included names:     <none>
+        Excluded names:     <none>
+      <catch-all> (all other kinds):
+        Label selector:     <none>
+        Included names:     <none>
+        Excluded names:     <none>
+`
+	assert.Equal(t, expected, d.buf.String())
+}

pkg/cmd/util/output/backup_structured_describer.go

@@ -21,13 +21,16 @@ import (
 	"context"
 	"encoding/json"
 	"fmt"
+	"io"
 	"strings"
 
+	"github.com/sirupsen/logrus"
 	corev1api "k8s.io/api/core/v1"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 
 	kbclient "sigs.k8s.io/controller-runtime/pkg/client"
 
+	"github.com/vmware-tanzu/velero/internal/resourcepolicies"
 	"github.com/vmware-tanzu/velero/internal/volume"
 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	"github.com/vmware-tanzu/velero/pkg/cmd/util/cacert"
@@ -54,6 +57,7 @@ func DescribeBackupInSF(
 
 		if backup.Spec.ResourcePolicy != nil {
 			DescribeResourcePoliciesInSF(d, backup.Spec.ResourcePolicy)
+			DescribeFineGrainedFilterPoliciesInSF(ctx, kbClient, d, backup)
 		}
 
 		status := backup.Status
@@ -222,6 +226,88 @@ func DescribeBackupSpecInSF(d *StructuredDescriber, spec velerov1api.BackupSpec)
 	d.Describe("spec", backupSpecInfo)
 }
 
+// DescribeFineGrainedFilterPoliciesInSF adds the clusterScopedFilterPolicy
+// and namespacedFilterPolicies sections to the structured describer output when present
+// in the ResourcePolicy ConfigMap referenced by the backup.
+func DescribeFineGrainedFilterPoliciesInSF(ctx context.Context, kbClient kbclient.Client, d *StructuredDescriber, backup *velerov1api.Backup) {
+	if backup.Spec.ResourcePolicy == nil {
+		return
+	}
+
+	discardLogger := logrus.New()
+	discardLogger.Out = io.Discard
+
+	resPolicies, err := resourcepolicies.GetResourcePoliciesFromBackup(*backup, kbClient, discardLogger)
+	if err != nil || resPolicies == nil {
+		return
+	}
+
+	clusterScopedFilterPolicy := resPolicies.GetClusterScopedFilterPolicy()
+	if clusterScopedFilterPolicy != nil {
+		var clusterScopedFilters []map[string]any
+		for _, rf := range clusterScopedFilterPolicy.ResourceFilters {
+			entry := map[string]any{
+				"kinds": rf.Kinds,
+			}
+			if len(rf.LabelSelector) > 0 {
+				entry["labelSelector"] = rf.LabelSelector
+			}
+			if len(rf.OrLabelSelectors) > 0 {
+				entry["orLabelSelectors"] = rf.OrLabelSelectors
+			}
+			if len(rf.Names) > 0 {
+				entry["names"] = rf.Names
+			}
+			if len(rf.ExcludedNames) > 0 {
+				entry["excludedNames"] = rf.ExcludedNames
+			}
+			clusterScopedFilters = append(clusterScopedFilters, entry)
+		}
+		d.Describe("clusterScopedFilterPolicy", map[string]any{
+			"resourceFilters": clusterScopedFilters,
+		})
+	}
+
+	nfPolicies := resPolicies.GetNamespacedFilterPolicies()
+	if len(nfPolicies) == 0 {
+		return
+	}
+
+	var structuredPolicies []map[string]any
+	for _, policy := range nfPolicies {
+		for _, ns := range policy.Namespaces {
+			var rfEntries []map[string]any
+			for _, rf := range policy.ResourceFilters {
+				entry := map[string]any{}
+				if rf.IsCatchAll() {
+					entry["kinds"] = []string{}
+					entry["isCatchAll"] = true
+				} else {
+					entry["kinds"] = rf.Kinds
+				}
+				if len(rf.LabelSelector) > 0 {
+					entry["labelSelector"] = rf.LabelSelector
+				}
+				if len(rf.OrLabelSelectors) > 0 {
+					entry["orLabelSelectors"] = rf.OrLabelSelectors
+				}
+				if len(rf.Names) > 0 {
+					entry["names"] = rf.Names
+				}
+				if len(rf.ExcludedNames) > 0 {
+					entry["excludedNames"] = rf.ExcludedNames
+				}
+				rfEntries = append(rfEntries, entry)
+			}
+			structuredPolicies = append(structuredPolicies, map[string]any{
+				"namespace":       ns,
+				"resourceFilters": rfEntries,
+			})
+		}
+	}
+	d.Describe("namespacedFilterPolicies", structuredPolicies)
+}
+
 // DescribeBackupStatusInSF describes a backup status in structured format.
 func DescribeBackupStatusInSF(ctx context.Context, kbClient kbclient.Client, d *StructuredDescriber, backup *velerov1api.Backup, details bool,
 	insecureSkipTLSVerify bool, caCertPath string, podVolumeBackups []velerov1api.PodVolumeBackup) {

pkg/cmd/util/output/backup_structured_describer_test.go

@@ -17,6 +17,7 @@ limitations under the License.
 package output
 
 import (
+	"context"
 	"reflect"
 	"testing"
 	"time"
@@ -24,6 +25,8 @@ import (
 	"github.com/stretchr/testify/assert"
 	"github.com/stretchr/testify/require"
 	corev1api "k8s.io/api/core/v1"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"sigs.k8s.io/controller-runtime/pkg/client/fake"
 
 	"github.com/vmware-tanzu/velero/internal/volume"
 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
@@ -707,3 +710,96 @@ func TestDescribeDeleteBackupRequestsInSF(t *testing.T) {
 		})
 	}
 }
+
+func TestDescribeFineGrainedFilterPoliciesInSF(t *testing.T) {
+	yamlData := `
+version: v1
+clusterScopedFilterPolicy:
+  resourceFilters:
+  - kinds: ["StorageClass"]
+    labelSelector: {"app": "velero"}
+  - kinds: ["ClusterRole"]
+    orLabelSelectors:
+    - {"app": "velero"}
+    - {"app": "test"}
+    names: ["role1"]
+    excludedNames: ["role2"]
+namespacedFilterPolicies:
+- namespaces: ["ns1", "ns2"]
+  resourceFilters:
+  - kinds: ["Pod", "ConfigMap"]
+    labelSelector: {"app": "velero"}
+  - kinds: ["*"]
+`
+	cm := &corev1api.ConfigMap{
+		ObjectMeta: metav1.ObjectMeta{
+			Name:      "test-policy",
+			Namespace: "velero",
+		},
+		Data: map[string]string{
+			"policy.yaml": yamlData,
+		},
+	}
+
+	client := fake.NewClientBuilder().WithRuntimeObjects(cm).Build()
+
+	backup := builder.ForBackup("velero", "test-backup").
+		ResourcePolicies("test-policy").Result()
+
+	sd := &StructuredDescriber{
+		output: make(map[string]any),
+		format: "",
+	}
+
+	DescribeFineGrainedFilterPoliciesInSF(context.Background(), client, sd, backup)
+
+	expect := map[string]any{
+		"clusterScopedFilterPolicy": map[string]any{
+			"resourceFilters": []map[string]any{
+				{
+					"kinds":         []string{"StorageClass"},
+					"labelSelector": map[string]string{"app": "velero"},
+				},
+				{
+					"kinds": []string{"ClusterRole"},
+					"orLabelSelectors": []map[string]string{
+						{"app": "velero"},
+						{"app": "test"},
+					},
+					"names":         []string{"role1"},
+					"excludedNames": []string{"role2"},
+				},
+			},
+		},
+		"namespacedFilterPolicies": []map[string]any{
+			{
+				"namespace": "ns1",
+				"resourceFilters": []map[string]any{
+					{
+						"kinds":         []string{"Pod", "ConfigMap"},
+						"labelSelector": map[string]string{"app": "velero"},
+					},
+					{
+						"kinds":      []string{},
+						"isCatchAll": true,
+					},
+				},
+			},
+			{
+				"namespace": "ns2",
+				"resourceFilters": []map[string]any{
+					{
+						"kinds":         []string{"Pod", "ConfigMap"},
+						"labelSelector": map[string]string{"app": "velero"},
+					},
+					{
+						"kinds":      []string{},
+						"isCatchAll": true,
+					},
+				},
+			},
+		},
+	}
+
+	assert.True(t, reflect.DeepEqual(sd.output, expect))
+}

pkg/controller/restore_controller.go

@@ -399,6 +399,17 @@ func (r *restoreReconciler) validateAndComplete(restore *api.Restore) (backupInf
 		return backupInfo{}, nil
 	}
 
+	// reject restores from backups that are not in a usable phase
+	switch info.backup.Status.Phase {
+	case api.BackupPhaseCompleted, api.BackupPhasePartiallyFailed:
+		// ok
+	default:
+		restore.Status.ValidationErrors = append(restore.Status.ValidationErrors,
+			fmt.Sprintf("backup %q is in phase %q and cannot be used as a restore source",
+				info.backup.Name, info.backup.Status.Phase))
+		return backupInfo{}, nil
+	}
+
 	// Fill in the ScheduleName so it's easier to consume for metrics.
 	if restore.Spec.ScheduleName == "" {
 		restore.Spec.ScheduleName = info.backup.GetLabels()[api.ScheduleNameLabel]

pkg/controller/restore_controller_test.go

@@ -305,7 +305,7 @@ func TestRestoreReconcile(t *testing.T) {
 			name:                  "restorer throwing an error causes the restore to fail",
 			location:              defaultStorageLocation,
 			restore:               NewRestore("foo", "bar", "backup-1", "ns-1", "", velerov1api.RestorePhaseNew).Result(),
-			backup:                defaultBackup().StorageLocation("default").Result(),
+			backup:                defaultBackup().StorageLocation("default").Phase(velerov1api.BackupPhaseCompleted).Result(),
 			restorerError:         errors.New("blarg"),
 			expectedErr:           false,
 			expectedPhase:         string(velerov1api.RestorePhaseInProgress),
@@ -319,7 +319,7 @@ func TestRestoreReconcile(t *testing.T) {
 			name:                  "valid restore with none existingresourcepolicy gets executed",
 			location:              defaultStorageLocation,
 			restore:               NewRestore("foo", "bar", "backup-1", "ns-1", "", velerov1api.RestorePhaseNew).ExistingResourcePolicy("none").Result(),
-			backup:                defaultBackup().StorageLocation("default").Result(),
+			backup:                defaultBackup().StorageLocation("default").Phase(velerov1api.BackupPhaseCompleted).Result(),
 			expectedErr:           false,
 			expectedPhase:         string(velerov1api.RestorePhaseInProgress),
 			expectedStartTime:     &timestamp,
@@ -330,7 +330,7 @@ func TestRestoreReconcile(t *testing.T) {
 			name:                  "valid restore with update existingresourcepolicy gets executed",
 			location:              defaultStorageLocation,
 			restore:               NewRestore("foo", "bar", "backup-1", "ns-1", "", velerov1api.RestorePhaseNew).ExistingResourcePolicy("update").Result(),
-			backup:                defaultBackup().StorageLocation("default").Result(),
+			backup:                defaultBackup().StorageLocation("default").Phase(velerov1api.BackupPhaseCompleted).Result(),
 			expectedErr:           false,
 			expectedPhase:         string(velerov1api.RestorePhaseInProgress),
 			expectedStartTime:     &timestamp,
@@ -352,7 +352,7 @@ func TestRestoreReconcile(t *testing.T) {
 			name:                  "valid restore gets executed",
 			location:              defaultStorageLocation,
 			restore:               NewRestore("foo", "bar", "backup-1", "ns-1", "", velerov1api.RestorePhaseNew).Result(),
-			backup:                defaultBackup().StorageLocation("default").Result(),
+			backup:                defaultBackup().StorageLocation("default").Phase(velerov1api.BackupPhaseCompleted).Result(),
 			expectedErr:           false,
 			expectedPhase:         string(velerov1api.RestorePhaseInProgress),
 			expectedStartTime:     &timestamp,
@@ -363,7 +363,7 @@ func TestRestoreReconcile(t *testing.T) {
 			name:     "valid restore gets executed and only includes pod volume backups from restore namespace",
 			location: defaultStorageLocation,
 			restore:  NewRestore("foo", "bar2", "backup-1", "ns-1", "", velerov1api.RestorePhaseNew).Result(),
-			backup:   defaultBackup().StorageLocation("default").Result(),
+			backup:   defaultBackup().StorageLocation("default").Phase(velerov1api.BackupPhaseCompleted).Result(),
 			podVolumeBackups: []*velerov1api.PodVolumeBackup{
 				builder.ForPodVolumeBackup("foo", "pvb-1").ObjectMeta(builder.WithLabels(velerov1api.BackupNameLabel, "backup-1")).Result(),
 				builder.ForPodVolumeBackup("other-ns", "pvb-2").ObjectMeta(builder.WithLabels(velerov1api.BackupNameLabel, "backup-1")).Result(),
@@ -444,7 +444,7 @@ func TestRestoreReconcile(t *testing.T) {
 			expectedStartTime:               &timestamp,
 			expectedCompletedTime:           &timestamp,
 			backupStoreGetBackupContentsErr: errors.New("Couldn't download backup"),
-			backup:                          defaultBackup().StorageLocation("default").Result(),
+			backup:                          defaultBackup().StorageLocation("default").Phase(velerov1api.BackupPhaseCompleted).Result(),
 		},
 		{
 			name:              "restore attached with an expected finalizer gets cleaned up successfully",
@@ -473,7 +473,7 @@ func TestRestoreReconcile(t *testing.T) {
 			name:                  "valid restore with empty VolumeInfos",
 			location:              defaultStorageLocation,
 			restore:               NewRestore("foo", "bar", "backup-1", "ns-1", "", velerov1api.RestorePhaseNew).Result(),
-			backup:                defaultBackup().StorageLocation("default").Result(),
+			backup:                defaultBackup().StorageLocation("default").Phase(velerov1api.BackupPhaseCompleted).Result(),
 			emptyVolumeInfo:       true,
 			expectedErr:           false,
 			expectedPhase:         string(velerov1api.RestorePhaseInProgress),
@@ -497,6 +497,44 @@ func TestRestoreReconcile(t *testing.T) {
 			backup:      defaultBackup().StorageLocation("default").Result(),
 			expectedErr: true,
 		},
+		{
+			name:                     "restore from backup in Deleting phase fails validation",
+			location:                 defaultStorageLocation,
+			restore:                  NewRestore("foo", "bar", "backup-1", "ns-1", "", velerov1api.RestorePhaseNew).Result(),
+			backup:                   defaultBackup().StorageLocation("default").Phase(velerov1api.BackupPhaseDeleting).Result(),
+			expectedErr:              false,
+			expectedPhase:            string(velerov1api.RestorePhaseFailedValidation),
+			expectedValidationErrors: []string{`backup "backup-1" is in phase "Deleting" and cannot be used as a restore source`},
+		},
+		{
+			name:                     "restore from backup in InProgress phase fails validation",
+			location:                 defaultStorageLocation,
+			restore:                  NewRestore("foo", "bar", "backup-1", "ns-1", "", velerov1api.RestorePhaseNew).Result(),
+			backup:                   defaultBackup().StorageLocation("default").Phase(velerov1api.BackupPhaseInProgress).Result(),
+			expectedErr:              false,
+			expectedPhase:            string(velerov1api.RestorePhaseFailedValidation),
+			expectedValidationErrors: []string{`backup "backup-1" is in phase "InProgress" and cannot be used as a restore source`},
+		},
+		{
+			name:                  "restore from backup in PartiallyFailed phase succeeds",
+			location:              defaultStorageLocation,
+			restore:               NewRestore("foo", "bar", "backup-1", "ns-1", "", velerov1api.RestorePhaseNew).Result(),
+			backup:                defaultBackup().StorageLocation("default").Phase(velerov1api.BackupPhasePartiallyFailed).Result(),
+			expectedErr:           false,
+			expectedPhase:         string(velerov1api.RestorePhaseInProgress),
+			expectedStartTime:     &timestamp,
+			expectedCompletedTime: &timestamp,
+			expectedRestorerCall:  NewRestore("foo", "bar", "backup-1", "ns-1", "", velerov1api.RestorePhaseInProgress).Result(),
+		},
+		{
+			name:                     "restore from backup in Failed phase fails validation",
+			location:                 defaultStorageLocation,
+			restore:                  NewRestore("foo", "bar", "backup-1", "ns-1", "", velerov1api.RestorePhaseNew).Result(),
+			backup:                   defaultBackup().StorageLocation("default").Phase(velerov1api.BackupPhaseFailed).Result(),
+			expectedErr:              false,
+			expectedPhase:            string(velerov1api.RestorePhaseFailedValidation),
+			expectedValidationErrors: []string{`backup "backup-1" is in phase "Failed" and cannot be used as a restore source`},
+		},
 	}
 
 	formatFlag := logging.FormatText

pkg/util/kube/pod.go

@@ -20,6 +20,7 @@ import (
 	"fmt"
 	"io"
 	"os"
+	"sort"
 	"strings"
 	"time"
 
@@ -236,7 +237,20 @@ func CollectPodLogs(ctx context.Context, podGetter corev1client.CoreV1Interface,
 func ToSystemAffinity(loadAffinity *LoadAffinity, volumeTopology *corev1api.NodeSelector) *corev1api.Affinity {
 	requirements := []corev1api.NodeSelectorRequirement{}
 	if loadAffinity != nil {
-		for k, v := range loadAffinity.NodeSelector.MatchLabels {
+		// MatchLabels is a map, so its iteration order is not deterministic.
+		// Sort the keys so the generated requirements (and therefore the
+		// resulting affinity) have a stable order. This output may be embedded
+		// into objects that are reconciled continuously (e.g. DaemonSet pod
+		// templates), where an order-only difference would be treated as a spec
+		// change and trigger unnecessary rollouts/restarts.
+		keys := make([]string, 0, len(loadAffinity.NodeSelector.MatchLabels))
+		for k := range loadAffinity.NodeSelector.MatchLabels {
+			keys = append(keys, k)
+		}
+		sort.Strings(keys)
+
+		for _, k := range keys {
+			v := loadAffinity.NodeSelector.MatchLabels[k]
 			requirements = append(requirements, corev1api.NodeSelectorRequirement{
 				Key:      k,
 				Values:   []string{v},

pkg/util/kube/pod_test.go

@@ -834,6 +834,45 @@ func TestToSystemAffinity(t *testing.T) {
 				},
 			},
 		},
+		{
+			name: "with multiple match labels are sorted by key",
+			loadAffinity: &LoadAffinity{
+				NodeSelector: metav1.LabelSelector{
+					MatchLabels: map[string]string{
+						"key-c": "value-c",
+						"key-a": "value-a",
+						"key-b": "value-b",
+					},
+				},
+			},
+			expected: &corev1api.Affinity{
+				NodeAffinity: &corev1api.NodeAffinity{
+					RequiredDuringSchedulingIgnoredDuringExecution: &corev1api.NodeSelector{
+						NodeSelectorTerms: []corev1api.NodeSelectorTerm{
+							{
+								MatchExpressions: []corev1api.NodeSelectorRequirement{
+									{
+										Key:      "key-a",
+										Values:   []string{"value-a"},
+										Operator: corev1api.NodeSelectorOpIn,
+									},
+									{
+										Key:      "key-b",
+										Values:   []string{"value-b"},
+										Operator: corev1api.NodeSelectorOpIn,
+									},
+									{
+										Key:      "key-c",
+										Values:   []string{"value-c"},
+										Operator: corev1api.NodeSelectorOpIn,
+									},
+								},
+							},
+						},
+					},
+				},
+			},
+		},
 		{
 			name: "with olume topology",
 			volumeTopology: &corev1api.NodeSelector{

site/content/docs/main/restore-reference.md

@@ -27,7 +27,7 @@ The following is an overview of Velero's restore process that starts after you r
 
 1. The Velero client makes a call to the Kubernetes API server to create a [`Restore`](api-types/restore.md) object.
 
-1. The `RestoreController` notices the new Restore object and performs validation.
+1. The `RestoreController` notices the new Restore object and performs validation. This includes verifying that the referenced backup is in a usable phase. Only backups in `Completed` or `PartiallyFailed` phase are accepted as restore sources.
 
 1. The `RestoreController` fetches basic information about the backup being restored, like the [BackupStorageLocation](locations.md) (BSL). It also fetches a tarball of the cluster resources in the backup, any volumes that will be restored using File System Backup, and any volume snapshots to be restored.
 
@@ -78,26 +78,41 @@ By default, Velero will restore resources in the following order:
 * VolumeSnapshotClass
 * VolumeSnapshotContents
 * VolumeSnapshots
+* DataUploads
 * PersistentVolumes
 * PersistentVolumeClaims
+* ClusterRoles
+* Roles
+* ServiceAccounts
+* ClusterRoleBindings
+* RoleBindings
 * Secrets
 * ConfigMaps
-* ServiceAccounts
 * LimitRanges
+* PriorityClasses
 * Pods
 * ReplicaSets
+* ClusterClasses
+* Endpoints
+* Services
+* ClusterBootstraps
 * Clusters
 * ClusterResourceSets
+* Apps (apps.kappctrl.k14s.io)
+* PackageInstalls
 
-It's recommended that you use the default order for your restores. You are able to customize this order if you need to by setting the `--restore-resource-priorities` flag on the Velero server and specifying a different resource order. This customized order will apply to all future restores. You don't have to specify all resources in the `--restore-resource-priorities` flag. Velero will append resources not listed to the end of your customized list in alphabetical order.
+It's recommended that you use the default order for your restores. You are able to customize this order if you need to by setting the `--restore-resource-priorities` flag on the Velero server and specifying a different resource order. This customized order will apply to all future restores. You don't have to specify all resources in the `--restore-resource-priorities` flag. The priority list contains two parts which are split by the `-` element: resources before the `-` element are restored first as high priorities, resources after the `-` element are restored last as low priorities, and any resource not in the list will be restored alphabetically between the high and low priorities.
 
 ```shell
 velero server \
 --restore-resource-priorities=customresourcedefinitions,namespaces,storageclasses,\
 volumesnapshotclass.snapshot.storage.k8s.io,volumesnapshotcontents.snapshot.storage.k8s.io,\
-volumesnapshots.snapshot.storage.k8s.io,persistentvolumes,persistentvolumeclaims,secrets,\
-configmaps,serviceaccounts,limitranges,pods,replicasets.apps,clusters.cluster.x-k8s.io,\
-clusterresourcesets.addons.cluster.x-k8s.io
+volumesnapshots.snapshot.storage.k8s.io,datauploads.velero.io,persistentvolumes,\
+persistentvolumeclaims,clusterroles,roles,serviceaccounts,clusterrolebindings,rolebindings,\
+secrets,configmaps,limitranges,priorityclasses,pods,replicasets.apps,\
+clusterclasses.cluster.x-k8s.io,endpoints,services,-,clusterbootstraps.run.tanzu.vmware.com,\
+clusters.cluster.x-k8s.io,clusterresourcesets.addons.cluster.x-k8s.io,apps.kappctrl.k14s.io,\
+packageinstalls.packaging.carvel.dev
 ```
 
 

site/content/docs/v1.17/restore-reference.md

@@ -78,26 +78,41 @@ By default, Velero will restore resources in the following order:
 * VolumeSnapshotClass
 * VolumeSnapshotContents
 * VolumeSnapshots
+* DataUploads
 * PersistentVolumes
 * PersistentVolumeClaims
+* ClusterRoles
+* Roles
+* ServiceAccounts
+* ClusterRoleBindings
+* RoleBindings
 * Secrets
 * ConfigMaps
-* ServiceAccounts
 * LimitRanges
+* PriorityClasses
 * Pods
 * ReplicaSets
+* ClusterClasses
+* Endpoints
+* Services
+* ClusterBootstraps
 * Clusters
 * ClusterResourceSets
+* Apps (apps.kappctrl.k14s.io)
+* PackageInstalls
 
-It's recommended that you use the default order for your restores. You are able to customize this order if you need to by setting the `--restore-resource-priorities` flag on the Velero server and specifying a different resource order. This customized order will apply to all future restores. You don't have to specify all resources in the `--restore-resource-priorities` flag. Velero will append resources not listed to the end of your customized list in alphabetical order.
+It's recommended that you use the default order for your restores. You are able to customize this order if you need to by setting the `--restore-resource-priorities` flag on the Velero server and specifying a different resource order. This customized order will apply to all future restores. You don't have to specify all resources in the `--restore-resource-priorities` flag. The priority list contains two parts which are split by the `-` element: resources before the `-` element are restored first as high priorities, resources after the `-` element are restored last as low priorities, and any resource not in the list will be restored alphabetically between the high and low priorities.
 
 ```shell
 velero server \
 --restore-resource-priorities=customresourcedefinitions,namespaces,storageclasses,\
 volumesnapshotclass.snapshot.storage.k8s.io,volumesnapshotcontents.snapshot.storage.k8s.io,\
-volumesnapshots.snapshot.storage.k8s.io,persistentvolumes,persistentvolumeclaims,secrets,\
-configmaps,serviceaccounts,limitranges,pods,replicasets.apps,clusters.cluster.x-k8s.io,\
-clusterresourcesets.addons.cluster.x-k8s.io
+volumesnapshots.snapshot.storage.k8s.io,datauploads.velero.io,persistentvolumes,\
+persistentvolumeclaims,clusterroles,roles,serviceaccounts,clusterrolebindings,rolebindings,\
+secrets,configmaps,limitranges,priorityclasses,pods,replicasets.apps,\
+clusterclasses.cluster.x-k8s.io,endpoints,services,-,clusterbootstraps.run.tanzu.vmware.com,\
+clusters.cluster.x-k8s.io,clusterresourcesets.addons.cluster.x-k8s.io,apps.kappctrl.k14s.io,\
+packageinstalls.packaging.carvel.dev
 ```
 
 

site/content/docs/v1.18/restore-reference.md

@@ -78,26 +78,41 @@ By default, Velero will restore resources in the following order:
 * VolumeSnapshotClass
 * VolumeSnapshotContents
 * VolumeSnapshots
+* DataUploads
 * PersistentVolumes
 * PersistentVolumeClaims
+* ClusterRoles
+* Roles
+* ServiceAccounts
+* ClusterRoleBindings
+* RoleBindings
 * Secrets
 * ConfigMaps
-* ServiceAccounts
 * LimitRanges
+* PriorityClasses
 * Pods
 * ReplicaSets
+* ClusterClasses
+* Endpoints
+* Services
+* ClusterBootstraps
 * Clusters
 * ClusterResourceSets
+* Apps (apps.kappctrl.k14s.io)
+* PackageInstalls
 
-It's recommended that you use the default order for your restores. You are able to customize this order if you need to by setting the `--restore-resource-priorities` flag on the Velero server and specifying a different resource order. This customized order will apply to all future restores. You don't have to specify all resources in the `--restore-resource-priorities` flag. Velero will append resources not listed to the end of your customized list in alphabetical order.
+It's recommended that you use the default order for your restores. You are able to customize this order if you need to by setting the `--restore-resource-priorities` flag on the Velero server and specifying a different resource order. This customized order will apply to all future restores. You don't have to specify all resources in the `--restore-resource-priorities` flag. The priority list contains two parts which are split by the `-` element: resources before the `-` element are restored first as high priorities, resources after the `-` element are restored last as low priorities, and any resource not in the list will be restored alphabetically between the high and low priorities.
 
 ```shell
 velero server \
 --restore-resource-priorities=customresourcedefinitions,namespaces,storageclasses,\
 volumesnapshotclass.snapshot.storage.k8s.io,volumesnapshotcontents.snapshot.storage.k8s.io,\
-volumesnapshots.snapshot.storage.k8s.io,persistentvolumes,persistentvolumeclaims,secrets,\
-configmaps,serviceaccounts,limitranges,pods,replicasets.apps,clusters.cluster.x-k8s.io,\
-clusterresourcesets.addons.cluster.x-k8s.io
+volumesnapshots.snapshot.storage.k8s.io,datauploads.velero.io,persistentvolumes,\
+persistentvolumeclaims,clusterroles,roles,serviceaccounts,clusterrolebindings,rolebindings,\
+secrets,configmaps,limitranges,priorityclasses,pods,replicasets.apps,\
+clusterclasses.cluster.x-k8s.io,endpoints,services,-,clusterbootstraps.run.tanzu.vmware.com,\
+clusters.cluster.x-k8s.io,clusterresourcesets.addons.cluster.x-k8s.io,apps.kappctrl.k14s.io,\
+packageinstalls.packaging.carvel.dev
 ```