Rename PR-copilot to 9430-copilot

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

.github/workflows/e2e-test-kind.yaml

@@ -21,7 +21,7 @@ jobs:
       minio-dockerfile-sha: ${{ steps.minio-version.outputs.dockerfile_sha }}
     steps:
       - name: Check out the code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
       
       - name: Set up Go version
         uses: actions/setup-go@v6
@@ -112,7 +112,7 @@ jobs:
       fail-fast: false
     steps:
       - name: Check out the code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
 
       - name: Set up Go version
         uses: actions/setup-go@v6

.github/workflows/get-go-version.yaml

@@ -17,7 +17,7 @@ jobs:
         version: ${{ steps.pick-version.outputs.version }}
       steps:
         - name: Check out the code
-          uses: actions/checkout@v6
+          uses: actions/checkout@v5
 
         - id: pick-version
           run: |

.github/workflows/nightly-trivy-scan.yml

@@ -19,10 +19,10 @@ jobs:
 
     steps:
       - name: Checkout code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
 
       - name: Run Trivy vulnerability scanner
-        uses: aquasecurity/trivy-action@57a97c7e7821a5776cebc9bb87c984fa69cba8f1
+        uses: aquasecurity/trivy-action@master
         with:
           image-ref: 'docker.io/velero/${{ matrix.images }}:${{ matrix.versions }}'
           severity: 'CRITICAL,HIGH,MEDIUM'

.github/workflows/pr-changelog-check.yml

@@ -12,7 +12,7 @@ jobs:
     steps:
 
     - name: Check out the code
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
 
     - name: Changelog check
       if: ${{ !(contains(github.event.pull_request.labels.*.name, 'kind/changelog-not-required') || contains(github.event.pull_request.labels.*.name, 'Design') || contains(github.event.pull_request.labels.*.name, 'Website') || contains(github.event.pull_request.labels.*.name, 'Documentation'))}}

.github/workflows/pr-ci-check.yml

@@ -14,7 +14,7 @@ jobs:
       fail-fast: false
     steps:
       - name: Check out the code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
 
       - name: Set up Go version
         uses: actions/setup-go@v6

.github/workflows/pr-codespell.yml

@@ -8,7 +8,7 @@ jobs:
     steps:
 
     - name: Check out the code
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
 
     - name: Codespell
       uses: codespell-project/actions-codespell@master

.github/workflows/pr-containers.yml

@@ -13,7 +13,7 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v5
       name: Checkout
 
     - name: Set up QEMU

.github/workflows/pr-filepath-check.yml

@@ -1,93 +0,0 @@
-name: Pull Request File Path Check
-on: [pull_request]
-jobs:
-
-  filepath-check:
-    name: Check for invalid characters in file paths
-    runs-on: ubuntu-latest
-    steps:
-
-    - name: Check out the code
-      uses: actions/checkout@v6
-
-    - name: Validate file paths for Go module compatibility
-      run: |
-        # Go's module zip rejects filenames containing certain characters.
-        # See golang.org/x/mod/module fileNameOK() for the full specification.
-        #
-        # Allowed ASCII: letters, digits, and: !#$%&()+,-.=@[]^_{}~ and space
-        # Allowed non-ASCII: unicode letters only
-        # Rejected: " ' * < > ? ` | / \ : and any non-letter unicode (control
-        #           chars, format chars like U+200E LEFT-TO-RIGHT MARK, etc.)
-        #
-        # This check catches issues like the U+200E incident in PR #9552.
-
-        EXIT_STATUS=0
-
-        git ls-files -z | python3 -c "
-        import sys, unicodedata
-
-        data = sys.stdin.buffer.read()
-        files = data.split(b'\x00')
-
-        # Characters explicitly rejected by Go's fileNameOK
-        # (path separators / and \ are inherent to paths so we check per-element)
-        bad_ascii = set('\"' + \"'\" + '*<>?\`|:')
-
-        allowed_ascii = set('!#$%&()+,-.=@[]^_{}~ ')
-
-        def is_ok(ch):
-            if ch.isascii():
-                return ch.isalnum() or ch in allowed_ascii
-            return ch.isalpha()
-
-        bad_files = []  # list of (original_path, clean_path, char_desc)
-        for f in files:
-            if not f:
-                continue
-            try:
-                name = f.decode('utf-8')
-            except UnicodeDecodeError:
-                print(f'::error::Non-UTF-8 bytes in filename: {f!r}')
-                bad_files.append((repr(f), None, 'non-UTF-8 bytes'))
-                continue
-
-            # Check each path element (split on /)
-            for element in name.split('/'):
-                for ch in element:
-                    if not is_ok(ch):
-                        cp = ord(ch)
-                        char_name = unicodedata.name(ch, f'U+{cp:04X}')
-                        char_desc = f'U+{cp:04X} ({char_name})'
-                        # Build cleaned path by stripping invalid chars
-                        clean = '/'.join(
-                            ''.join(c for c in elem if is_ok(c))
-                            for elem in name.split('/')
-                        )
-                        print(f'::error file={name}::File \"{name}\" contains invalid char {char_desc}')
-                        bad_files.append((name, clean, char_desc))
-                        break
-
-        if bad_files:
-            print()
-            print('The following files have characters that are invalid in Go module zip archives:')
-            print()
-            for original, clean, desc in bad_files:
-                print(f'  {original}  — {desc}')
-            print()
-            print('To fix, rename the files to remove the problematic characters:')
-            print()
-            for original, clean, desc in bad_files:
-                if clean:
-                    print(f'  mv \"{original}\" \"{clean}\" && git add \"{clean}\"')
-                    print(f'  # or: git mv \"{original}\" \"{clean}\"')
-                else:
-                    print(f'  # {original} — cannot auto-suggest rename (non-UTF-8)')
-            print()
-            print('See https://github.com/vmware-tanzu/velero/pull/9552 for context.')
-            sys.exit(1)
-        else:
-            print('All file paths are valid for Go module zip.')
-        " || EXIT_STATUS=1
-
-        exit $EXIT_STATUS

.github/workflows/pr-goreleaser.yml

@@ -14,7 +14,7 @@ jobs:
     name: Build
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v5
       name: Checkout
 
     - name: Verify .goreleaser.yml and try a dryrun release.

.github/workflows/pr-linter-check.yml

@@ -18,7 +18,7 @@ jobs:
     needs: get-go-version
     steps:
       - name: Check out the code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
 
       - name: Set up Go version
         uses: actions/setup-go@v6
@@ -28,5 +28,5 @@ jobs:
       - name: Linter check
         uses: golangci/golangci-lint-action@v9
         with:
-          version: v2.5.0
+          version: v2.1.1
           args: --verbose

.github/workflows/push-builder.yml

@@ -12,7 +12,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v5
       with:
         # The default value is "1" which fetches only a single commit. If we merge PR without squash or rebase,
         # there are at least two commits: the first one is the merge commit and the second one is the real commit

.github/workflows/push.yml

@@ -20,7 +20,7 @@ jobs:
     needs: get-go-version
     steps:
       - name: Check out the code
-        uses: actions/checkout@v6
+        uses: actions/checkout@v5
 
       - name: Set up Go version
         uses: actions/setup-go@v6

.github/workflows/rebase.yml

@@ -9,7 +9,7 @@ jobs:
     runs-on: ubuntu-latest
     steps:
     - name: Checkout the latest code
-      uses: actions/checkout@v6
+      uses: actions/checkout@v5
       with:
         fetch-depth: 0
     - name: Automatic Rebase

.github/workflows/stale-issues.yml

@@ -7,7 +7,7 @@ jobs:
   stale:
     runs-on: ubuntu-latest
     steps:
-      - uses: actions/stale@v10.1.1
+      - uses: actions/stale@v10.1.0
         with:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
           stale-issue-message: "This issue is stale because it has been open 60 days with no activity. Remove stale label or comment or this will be closed in 14 days. If a Velero team member has requested log or more information, please provide the output of the shared commands."

ADOPTERS.md

@@ -17,7 +17,6 @@ If you're using Velero and want to add your organization to this list,
 <a href="https://www.replicated.com/" border="0" target="_blank"><img alt="replicated.com" src="site/static/img/adopters/replicated-logo-red.svg" height="50"></a>
 <a href="https://cloudcasa.io/" border="0" target="_blank"><img alt="cloudcasa.io" src="site/static/img/adopters/cloudcasa.svg" height="50"></a>
 <a href="https://azure.microsoft.com/" border="0" target="_blank"><img alt="azure.com" src="site/static/img/adopters/azure.svg" height="50"></a>
-<a href="https://www.broadcom.com/" border="0" target="_blank"><img alt="broadcom.com" src="site/static/img/adopters/broadcom.svg" height="50"></a>
 ## Success Stories
 
 Below is a list of adopters of Velero in **production environments** that have
@@ -69,9 +68,6 @@ Replicated uses the Velero open source project to enable snapshots in [KOTS][101
 **[Microsoft Azure][105]**<br>
 [Azure Backup for AKS][106] is an Azure native, Kubernetes aware, Enterprise ready backup for containerized applications deployed on Azure Kubernetes Service (AKS). AKS Backup utilizes Velero to perform backup and restore operations to protect stateful applications in AKS clusters.<br>
 
-**[Broadcom][107]**<br>
-[VMware Cloud Foundation][108] (VCF) offers built-in [vSphere Kubernetes Service][109] (VKS),  a Kubernetes runtime that includes a CNCF certified Kubernetes distribution, to deploy and manage containerized workloads. VCF empowers platform engineers with native [Kubernetes multi-cluster management][110] capability for managing Kubernetes (K8s) infrastructure at scale. VCF utilizes Velero for Kubernetes data protection enabling platform engineers to back up and restore containerized workloads manifests & persistent volumes, helping to increase the resiliency of stateful applications in VKS cluster.
-
 ## Adding your organization to the list of Velero Adopters
 
 If you are using Velero and would like to be included in the list of `Velero Adopters`, add an SVG version of your logo to the `site/static/img/adopters` directory in this repo and submit a [pull request][3] with your change. Name the image file something that reflects your company (e.g., if your company is called Acme, name the image acme.png). See this for an example [PR][4].
@@ -129,8 +125,3 @@ If you would like to add your logo to a future `Adopters of Velero` section on [
 
 [105]: https://azure.microsoft.com/
 [106]: https://learn.microsoft.com/azure/backup/backup-overview
-
-[107]: https://www.broadcom.com/
-[108]: https://www.vmware.com/products/cloud-infrastructure/vmware-cloud-foundation
-[109]: https://www.vmware.com/products/cloud-infrastructure/vsphere-kubernetes-service
-[110]: https://blogs.vmware.com/cloud-foundation/2025/09/29/empowering-platform-engineers-with-native-kubernetes-multi-cluster-management-in-vmware-cloud-foundation/

Dockerfile

@@ -13,7 +13,7 @@
 # limitations under the License.
 
 # Velero binary build section
-FROM --platform=$BUILDPLATFORM golang:1.25-trixie AS velero-builder
+FROM --platform=$BUILDPLATFORM golang:1.24-bookworm AS velero-builder
 
 ARG GOPROXY
 ARG BIN
@@ -48,6 +48,30 @@ RUN mkdir -p /output/usr/bin && \
     -ldflags "${LDFLAGS}" ${PKG}/cmd/velero-helper && \
     go clean -modcache -cache
 
+# Restic binary build section
+FROM --platform=$BUILDPLATFORM golang:1.24-bookworm AS restic-builder
+
+ARG GOPROXY
+ARG BIN
+ARG TARGETOS
+ARG TARGETARCH
+ARG TARGETVARIANT
+ARG RESTIC_VERSION
+
+ENV CGO_ENABLED=0 \
+    GO111MODULE=on \
+    GOPROXY=${GOPROXY} \
+    GOOS=${TARGETOS} \
+    GOARCH=${TARGETARCH} \
+    GOARM=${TARGETVARIANT}
+
+COPY . /go/src/github.com/vmware-tanzu/velero
+
+RUN mkdir -p /output/usr/bin && \
+    export GOARM=$(echo "${GOARM}" | cut -c2-) && \
+    /go/src/github.com/vmware-tanzu/velero/hack/build-restic.sh && \
+    go clean -modcache -cache
+
 # Velero image packing section
 FROM paketobuildpacks/run-jammy-tiny:latest
 
@@ -55,4 +79,7 @@ LABEL maintainer="Xun Jiang <jxun@vmware.com>"
 
 COPY --from=velero-builder /output /
 
+COPY --from=restic-builder /output /
+
 USER cnb:cnb
+

Dockerfile-Windows

@@ -15,7 +15,7 @@
 ARG OS_VERSION=1809
 
 # Velero binary build section
-FROM --platform=$BUILDPLATFORM golang:1.25-trixie AS velero-builder
+FROM --platform=$BUILDPLATFORM golang:1.24-bookworm AS velero-builder
 
 ARG GOPROXY
 ARG BIN

MAINTAINERS.md

@@ -7,11 +7,11 @@
 | Maintainer          | GitHub ID                                                     | Affiliation                                      |
 |---------------------|---------------------------------------------------------------|--------------------------------------------------|
 | Scott Seago         | [sseago](https://github.com/sseago)                           | [OpenShift](https://github.com/openshift)        |
-| Daniel Jiang        | [reasonerjt](https://github.com/reasonerjt)                   | Broadcom                                         |
-| Wenkai Yin          | [ywk253100](https://github.com/ywk253100)                     | Broadcom                                         |
-| Xun Jiang           | [blackpiglet](https://github.com/blackpiglet)                 | Broadcom                                         |
+| Daniel Jiang        | [reasonerjt](https://github.com/reasonerjt)                   | [VMware](https://www.github.com/vmware/)         |
+| Wenkai Yin          | [ywk253100](https://github.com/ywk253100)                     | [VMware](https://www.github.com/vmware/)         |
+| Xun Jiang           | [blackpiglet](https://github.com/blackpiglet)                 | [VMware](https://www.github.com/vmware/)         |
 | Shubham Pampattiwar | [shubham-pampattiwar](https://github.com/shubham-pampattiwar) | [OpenShift](https://github.com/openshift)        |
-| Yonghui Li          | [Lyndon-Li](https://github.com/Lyndon-Li)                     | Broadcom                                         |
+| Yonghui Li          | [Lyndon-Li](https://github.com/Lyndon-Li)                     | [VMware](https://www.github.com/vmware/)         |
 | Anshul Ahuja        | [anshulahuja98](https://github.com/anshulahuja98)             | [Microsoft Azure](https://www.github.com/azure/) |
 | Tiger Kaovilai      | [kaovilai](https://github.com/kaovilai)                       | [OpenShift](https://github.com/openshift)        |
 
@@ -27,3 +27,14 @@
 * JenTing Hsiao ([jenting](https://github.com/jenting))
 * Dave Smith-Uchida ([dsu-igeek](https://github.com/dsu-igeek))
 * Ming Qiu ([qiuming-best](https://github.com/qiuming-best))
+
+## Velero Contributors & Stakeholders
+
+| Feature Area           |                                         Lead                                         |
+|------------------------|:------------------------------------------------------------------------------------:|
+| Technical Lead         |               Daniel Jiang [reasonerjt](https://github.com/reasonerjt)               |
+| Kubernetes CSI Liaison |                                                                                      |
+| Deployment             |                                                                                      |
+| Community Management   |            Orlin Vasilev [OrlinVasilev](https://github.com/OrlinVasilev)             |
+| Product Management     | Pradeep Kumar Chaturvedi [pradeepkchaturvedi](https://github.com/pradeepkchaturvedi) |
+

Makefile

@@ -105,6 +105,8 @@ see: https://velero.io/docs/main/build-from-source/#making-images-and-updating-v
 endef
 # comma cannot be escaped and can only be used in Make function arguments by putting into variable
 comma=,
+# The version of restic binary to be downloaded
+RESTIC_VERSION ?= 0.15.0
 
 CLI_PLATFORMS ?= linux-amd64 linux-arm linux-arm64 darwin-amd64 darwin-arm64 windows-amd64 linux-ppc64le linux-s390x
 BUILD_OUTPUT_TYPE ?= docker
@@ -258,6 +260,7 @@ container-linux:
 	--build-arg=GIT_SHA=$(GIT_SHA) \
 	--build-arg=GIT_TREE_STATE=$(GIT_TREE_STATE) \
 	--build-arg=REGISTRY=$(REGISTRY) \
+	--build-arg=RESTIC_VERSION=$(RESTIC_VERSION) \
 	--provenance=false \
 	--sbom=false \
 	-f $(VELERO_DOCKERFILE) .

README.md

@@ -42,11 +42,13 @@ The following is a list of the supported Kubernetes versions for each Velero ver
 
 | Velero version | Expected Kubernetes version compatibility | Tested on Kubernetes version        |
 |----------------|-------------------------------------------|-------------------------------------|
-| 1.18           | 1.18-latest                               | 1.33.7, 1.34.1, and 1.35.0          |
-| 1.17           | 1.18-latest                               | 1.31.7, 1.32.3, 1.33.1, and 1.34.0  |
+| 1.17           | 1.18-latest                               | 1.31.7, 1.32.3, 1.33.1, and 1.34.0          |
 | 1.16           | 1.18-latest                               | 1.31.4, 1.32.3, and 1.33.0          |
 | 1.15           | 1.18-latest                               | 1.28.8, 1.29.8, 1.30.4 and 1.31.1   |
 | 1.14           | 1.18-latest                               | 1.27.9, 1.28.9, and 1.29.4          |
+| 1.13           | 1.18-latest                               | 1.26.5, 1.27.3, 1.27.8, and 1.28.3  |
+| 1.12           | 1.18-latest                               | 1.25.7, 1.26.5, 1.26.7, and 1.27.3  |
+| 1.11           | 1.18-latest                               | 1.23.10, 1.24.9, 1.25.5, and 1.26.1 |
 
 Velero supports IPv4, IPv6, and dual stack environments. Support for this was tested against Velero v1.8.
 

Tiltfile

@@ -52,7 +52,7 @@ git_sha = str(local("git rev-parse HEAD", quiet = True, echo_off = True)).strip(
 
 tilt_helper_dockerfile_header = """
 # Tilt image
-FROM golang:1.25 as tilt-helper
+FROM golang:1.24 as tilt-helper
 
 # Support live reloading with Tilt
 RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com/windmilleng/rerun-process-wrapper/master/restart.sh  && \
@@ -103,6 +103,11 @@ local_resource(
     deps = ["internal", "pkg/cmd"],
 )
 
+local_resource(
+    "restic_binary",
+    cmd = 'cd ' + '.' + ';mkdir -p _tiltbuild/restic; BIN=velero GOOS=linux GOARCH=amd64 GOARM="" RESTIC_VERSION=0.13.1 OUTPUT_DIR=_tiltbuild/restic ./hack/build-restic.sh',
+)
+
 # Note: we need a distro with a bash shell to exec into the Velero container
 tilt_dockerfile_header = """
 FROM ubuntu:22.04 as tilt
@@ -113,6 +118,7 @@ WORKDIR /
 COPY --from=tilt-helper /start.sh .
 COPY --from=tilt-helper /restart.sh .
 COPY velero .
+COPY restic/restic /usr/bin/restic
 """
 
 dockerfile_contents = "\n".join([

changelogs/CHANGELOG-1.18.md

@@ -1,109 +0,0 @@
-## v1.18
-
-### Download
-https://github.com/vmware-tanzu/velero/releases/tag/v1.18.0
-
-### Container Image
-`velero/velero:v1.18.0`
-
-### Documentation
-https://velero.io/docs/v1.18/
-
-### Upgrading
-https://velero.io/docs/v1.18/upgrade-to-1.18/
-
-### Highlights
-#### Concurrent backup
-In v1.18, Velero is capable to process multiple backups concurrently. This is a significant usability improvement, especially for multiple tenants or multiple users case, backups submitted from different users could run their backups simultaneously without interfering with each other.  
-
-Check design https://github.com/vmware-tanzu/velero/blob/main/design/Implemented/concurrent-backup-processing.md for more details.
-
-#### Cache volume for data movers
-In v1.18, Velero allows users to configure cache volumes for data mover pods during restore for CSI snapshot data movement and fs-backup. This brings below benefits:
-- Solve the problem that data mover pods fail to when pod's ephemeral disk is limited
-- Solve the problem that multiple data mover pods fail to run concurrently in one node when the node's ephemeral disk is limited
-- Working together with backup repository's cache limit configuration, cache volume with appropriate size helps to improve the restore throughput
-
-Check design https://github.com/vmware-tanzu/velero/blob/main/design/Implemented/backup-repo-cache-volume.md for more details.
-
-#### Incremental size for data movers
-In v1.18, Velero allows users to observe the incremental size of data movers backups for CSI snapshot data movement and fs-backup, so that users could visually see the data reduction due to incremental backup.
-
-#### Wildcard support for namespaces
-In v1.18, Velero allows to use Glob regular expressions for namespace filters during backup and restore, so that users could filter namespaces in a batch manner.
-
-#### VolumePolicy for PVC phase
-In v1.18, Velero VolumePolicy supports actions by PVC phase, which help users to do special operations for PVCs with a specific phase, e.g., skip PVCs in Pending/Lost status from the backup.  
-
-#### Scalability and Resiliency improvements
-##### Prevent Velero server OOM Kill for large backup repositories
-In v1.18, some backup repository operations are delay executed out of Velero server, so Velero server won't be OOM Killed.
-
-#### Performance improvement for VolumePolicy
-In v1.18, VolumePolicy is enhanced for large number of pods/PVCs so that the performance is significantly improved.
-
-#### Events for data mover pod diagnostic
-In v1.18, events are recorded into data mover pod diagnostic, which allows user to see more information for troubleshooting when the data mover pod fails.
-
-### Runtime and dependencies
-Golang runtime: 1.25.7  
-kopia: 0.22.3
-
-### Limitations/Known issues
-
-### Breaking changes
-#### Deprecation of PVC selected node feature
-According to [Velero deprecation policy](https://github.com/vmware-tanzu/velero/blob/main/GOVERNANCE.md#deprecation-policy), PVC selected node feature is deprecated in v1.18. Velero could appropriately handle PVC's selected-node annotation, so users don't need to do anything particularly.
-
-### All Changes
-* Remove backup from running list when backup fails validation (#9498, @sseago)
-* Maintenance Job only uses the first element of the LoadAffinity array (#9494, @blackpiglet)
-* Fix issue #9478, add diagnose info on expose peek fails (#9481, @Lyndon-Li)
-* Add Role, RoleBinding, ClusterRole, and ClusterRoleBinding in restore sequence. (#9474, @blackpiglet)
-* Add maintenance job and data mover pod's labels and annotations setting. (#9452, @blackpiglet)
-* Fix plugin init container names exceeding DNS-1123 limit (#9445, @mpryc)
-* Add PVC-to-Pod cache to improve volume policy performance (#9441, @shubham-pampattiwar)
-* Remove VolumeSnapshotClass from CSI B/R process. (#9431, @blackpiglet)
-* Use hookIndex for recording multiple restore exec hooks. (#9366, @blackpiglet)
-* Sanitize Azure HTTP responses in BSL status messages (#9321, @shubham-pampattiwar)
-* Remove labels associated with previous backups (#9206, @Joeavaikath)
-* Add VolumePolicy support for PVC Phase conditions to allow skipping Pending PVCs (#9166, @claude)
-* feat: Enhance BackupStorageLocation with Secret-based CA certificate support (#9141, @kaovilai)
-* Add `--apply` flag to `install` command, allowing usage of Kubernetes apply to make changes to existing installs (#9132, @mjnagel)
-* Fix issue #9194, add doc for GOMAXPROCS behavior change (#9420, @Lyndon-Li)
-* Apply volume policies to VolumeGroupSnapshot PVC filtering (#9419, @shubham-pampattiwar)
-* Fix issue #9276, add doc for cache volume support (#9418, @Lyndon-Li)
-* Add Prometheus metrics for maintenance jobs (#9414, @shubham-pampattiwar)
-* Fix issue #9400, connect repo first time after creation so that init params could be written (#9407, @Lyndon-Li)
-* Cache volume for PVR (#9397, @Lyndon-Li)
-* Cache volume support for DataDownload (#9391, @Lyndon-Li)
-* don't copy securitycontext from first container if configmap found (#9389, @sseago)
-* Refactor repo provider interface for static configuration (#9379, @Lyndon-Li)
-* Fix issue #9365, prevent fake completion notification due to multiple update of single PVR (#9375, @Lyndon-Li)
-* Add cache volume configuration (#9370, @Lyndon-Li)
-* Track actual resource names for GenerateName in restore status (#9368, @shubham-pampattiwar)
-* Fix managed fields patch for resources using GenerateName (#9367, @shubham-pampattiwar)
-* Support cache volume for generic restore exposer and pod volume exposer (#9362, @Lyndon-Li)
-* Add incrementalSize to DU/PVB for reporting new/changed size (#9357, @sseago)
-* Add snapshotSize for DataDownload, PodVolumeRestore (#9354, @Lyndon-Li)
-* Add cache dir configuration for udmrepo (#9353, @Lyndon-Li)
-* Fix the Job build error when BackupReposiotry name longer than 63. (#9350, @blackpiglet)
-* Add cache configuration to VGDP (#9342, @Lyndon-Li)
-* Fix issue #9332, add bytesDone for cache files (#9333, @Lyndon-Li)
-* Fix typos in documentation (#9329, @T4iFooN-IX)
-* Concurrent backup processing (#9307, @sseago)
-* VerifyJSONConfigs verify every elements in Data. (#9302, @blackpiglet)
-* Fix issue #9267, add events to data mover prepare diagnostic (#9296, @Lyndon-Li)
-* Add option for privileged fs-backup pod (#9295, @sseago)
-* Fix issue #9193, don't connect repo in repo controller (#9291, @Lyndon-Li)
-* Implement concurrency control for cache of native VolumeSnapshotter plugin. (#9281, @0xLeo258)
-* Fix issue #7904, remove the code and doc for PVC node selection (#9269, @Lyndon-Li)
-* Fix schedule controller to prevent backup queue accumulation during extended blocking scenarios by properly handling empty backup phases (#9264, @shubham-pampattiwar)
-* Fix repository maintenance jobs to inherit allowlisted tolerations from Velero deployment (#9256, @shubham-pampattiwar)
-* Implement wildcard namespace pattern expansion for backup namespace includes/excludes. This change adds support for wildcard patterns (*, ?, [abc], {a,b,c}) in namespace includes and excludes during backup operations (#9255, @Joeavaikath)
-* Protect VolumeSnapshot field from race condition during multi-thread backup (#9248, @0xLeo258)
-* Update AzureAD Microsoft Authentication Library to v1.5.0 (#9244, @priyansh17)
-* Get pod list once per namespace in pvc IBA (#9226, @sseago)
-* Fix issue #7725, add design for backup repo cache configuration (#9148, @Lyndon-Li)
-* Fix issue #9229, don't attach backupPVC to the source node (#9233, @Lyndon-Li)
-* feat: Permit specifying annotations for the BackupPVC (#9173, @clementnuss)

changelogs/unreleased/9148-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #7725, add design for backup repo cache configuration

changelogs/unreleased/9173-clementnuss

@@ -0,0 +1 @@
+feat: Permit specifying annotations for the BackupPVC

changelogs/unreleased/9226-sseago

@@ -0,0 +1 @@
+Get pod list once per namespace in pvc IBA

changelogs/unreleased/9233-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9229, don't attach backupPVC to the source node

changelogs/unreleased/9244-priyansh17

@@ -0,0 +1 @@
+Update AzureAD Microsoft Authentication Library to v1.5.0

changelogs/unreleased/9248-0xLeo258

@@ -0,0 +1 @@
+Protect VolumeSnapshot field from race condition during multi-thread backup

changelogs/unreleased/9256-shubham-pampattiwar

@@ -0,0 +1 @@
+Fix repository maintenance jobs to inherit allowlisted tolerations from Velero deployment

changelogs/unreleased/9264-shubham-pampattiwar

@@ -0,0 +1 @@
+Fix schedule controller to prevent backup queue accumulation during extended blocking scenarios by properly handling empty backup phases

changelogs/unreleased/9269-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #7904, remove the code and doc for PVC node selection

changelogs/unreleased/9281-0xLeo258

@@ -0,0 +1 @@
+Implement concurrency control for cache of native VolumeSnapshotter plugin.

changelogs/unreleased/9291-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9193, don't connect repo in repo controller

changelogs/unreleased/9295-sseago

@@ -0,0 +1 @@
+Add option for privileged fs-backup pod

changelogs/unreleased/9296-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9267, add events to data mover prepare diagnostic

changelogs/unreleased/9302-blackpiglet

@@ -0,0 +1 @@
+VerifyJSONConfigs verify every elements in Data.

changelogs/unreleased/9329-T4iFooN-IX

@@ -0,0 +1 @@
+Fix typos in documentation

changelogs/unreleased/9333-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9332, add bytesDone for cache files

changelogs/unreleased/9342-Lyndon-Li

@@ -0,0 +1 @@
+Add cache configuration to VGDP

changelogs/unreleased/9350-blackpiglet

@@ -0,0 +1 @@
+Fix the Job build error when BackupReposiotry name longer than 63.

changelogs/unreleased/9353-Lyndon-Li

@@ -0,0 +1 @@
+Add cache dir configuration for udmrepo

changelogs/unreleased/9354-Lyndon-Li

@@ -0,0 +1 @@
+Add snapshotSize for DataDownload, PodVolumeRestore

changelogs/unreleased/9357-sseago

@@ -0,0 +1 @@
+Add incrementalSize to DU/PVB for reporting new/changed size

changelogs/unreleased/9362-Lyndon-Li

@@ -0,0 +1 @@
+Support cache volume for generic restore exposer and pod volume exposer

changelogs/unreleased/9367-shubham-pampattiwar

@@ -0,0 +1 @@
+Fix managed fields patch for resources using GenerateName

changelogs/unreleased/9368-shubham-pampattiwar

@@ -0,0 +1 @@
+Track actual resource names for GenerateName in restore status

changelogs/unreleased/9370-Lyndon-Li

@@ -0,0 +1 @@
+Add cache volume configuration

changelogs/unreleased/9375-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9365, prevent fake completion notification due to multiple update of single PVR

changelogs/unreleased/9379-Lyndon-Li

@@ -0,0 +1 @@
+Refactor repo provider interface for static configuration

changelogs/unreleased/9389-sseago

@@ -0,0 +1 @@
+don't copy securitycontext from first container if configmap found

changelogs/unreleased/9391-Lyndon-Li

@@ -0,0 +1 @@
+Cache volume support for DataDownload

changelogs/unreleased/9397-Lyndon-Li

@@ -0,0 +1 @@
+Cache volume for PVR

changelogs/unreleased/9403-GabriFedi97

@@ -1 +0,0 @@
-Include InitContainer configured as Sidecars when validating the existence of the target containers configured for the Backup Hooks

changelogs/unreleased/9407-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9400, connect repo first time after creation so that init params could be written

changelogs/unreleased/9418-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9276, add doc for cache volume support

changelogs/unreleased/9419-shubham-pampattiwar

@@ -0,0 +1 @@
+Apply volume policies to VolumeGroupSnapshot PVC filtering

changelogs/unreleased/9420-Lyndon-Li

@@ -0,0 +1 @@
+Fix issue #9194, add doc for GOMAXPROCS behavior change

changelogs/unreleased/9430-copilot

@@ -0,0 +1 @@
+Skip DeleteSnapshot call when ProviderSnapshotID is empty to avoid unnecessary API calls

changelogs/unreleased/9502-Joeavaikath

@@ -1 +0,0 @@
-Support all glob wildcard characters in namespace validation

changelogs/unreleased/9508-kaovilai

@@ -1 +0,0 @@
-Fix VolumePolicy PVC phase condition filter for unbound PVCs (#9507)

changelogs/unreleased/9516-shubham-pampattiwar

@@ -1 +0,0 @@
-Fix VolumeGroupSnapshot restore failure with Ceph RBD CSI driver by creating stub VolumeGroupSnapshotContent during restore and looking up VolumeSnapshotClass by driver for credential support

changelogs/unreleased/9528-Lyndon-Li

@@ -1 +0,0 @@
-Add block data mover design for block level incremental backup by integrating with Kubernetes CBT

changelogs/unreleased/9532-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9343, include PV topology to data mover pod affinities

changelogs/unreleased/9533-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9496, support customized host os

changelogs/unreleased/9540-sseago

@@ -1 +0,0 @@
-Add custom action type to volume policies

changelogs/unreleased/9547-blackpiglet

@@ -1 +0,0 @@
-If BIA return updateObj with SkipFromBackupAnnotation, treat it as skip the resource from backup.

changelogs/unreleased/9554-testsabirweb

@@ -1 +0,0 @@
-Issue #9544: Add test coverage for S3 bucket name in MRAP ARN notation and fix bucket validation to accept ARN format

changelogs/unreleased/9560-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9475, use node-selector instead of nodName for generic restore

changelogs/unreleased/9561-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9460, flush buffer before data mover completes

changelogs/unreleased/9570-H-M-Quang-Ngo

@@ -1 +0,0 @@
-Add schedule_expected_interval_seconds metric for dynamic backup alerting thresholds (#9559)

changelogs/unreleased/9574-blackpiglet

@@ -1 +0,0 @@
-Add ephemeral storage limit and request support for data mover and maintenance job

changelogs/unreleased/9581-shubham-pampattiwar

@@ -1 +0,0 @@
-Fix DBR stuck when CSI snapshot no longer exists in cloud provider

changelogs/unreleased/9614-blackpiglet

@@ -1 +0,0 @@
-Add check for file extraction from tarball.

changelogs/unreleased/9628-priyansh17

@@ -1 +0,0 @@
-Implement original VolumeSnapshotContent deletion for legacy backups

changelogs/unreleased/9634-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9626, let go for uninitialized repo under readonly mode

changelogs/unreleased/9638-adam-jian-zhang

@@ -1 +0,0 @@
-Fix issue #9636, fix configmap lookup in non-default namespaces

changelogs/unreleased/9643-priyansh17

@@ -1 +0,0 @@
-Fix issue #9641, Remove redundant ReadyToUse polling in CSI VolumeSnapshotContent delete plugin

changelogs/unreleased/9653-BassinD

@@ -1 +0,0 @@
-Fix service restore with null healthCheckNodePort in last-applied-configuration label

changelogs/unreleased/9663-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9659, in the case that PVB/PVR/DU/DD is cancelled before the data path is really started, call EndEvent to prevent data mover pod from crashing because of delay event distribution

changelogs/unreleased/9668-adam-jian-zhang

@@ -1 +0,0 @@
-Fix issue #9666, fix node-agent node detection in multiple instances scenario

changelogs/unreleased/9676-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9470, remove restic from repository

changelogs/unreleased/9677-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9469, remove restic for uploader

changelogs/unreleased/9682-adam-jian-zhang

@@ -1 +0,0 @@
-Fix issue #9681, fix restores and podvolumerestores list options to only list in installed namespace

changelogs/unreleased/9683-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9428, increase repo maintenance history queue length from 3 to 25

changelogs/unreleased/9693-priyansh17

@@ -1 +0,0 @@
-Enhance backup deletion logic to handle tarball download failures

changelogs/unreleased/9695-shubham-pampattiwar

@@ -1 +0,0 @@
-Bump external-snapshotter to v8.4.0 and migrate VolumeGroupSnapshot API from v1beta1 to v1beta2 for Kubernetes 1.34+ compatibility

changelogs/unreleased/9700-priyansh17

@@ -1 +0,0 @@
-Fix issue #9699, add a 2-second gap between temporary CSI VolumeSnapshotContent create and delete operations

changelogs/unreleased/9701-emirot

@@ -1 +0,0 @@
-Update Debian base image from bookworm to trixie

changelogs/unreleased/9704-adam-jian-zhang

@@ -1 +0,0 @@
-Fix issue #9703, fix CSI PVC Backup Plugin list options to only list in installed namespace

changelogs/unreleased/9705-emirot

@@ -1 +0,0 @@
-perf: better string concatenation

changelogs/unreleased/9724-Lyndon-Li

@@ -1 +0,0 @@
-Fix issue #9723, extend Unified Repo Interface to support block uploader

changelogs/unreleased/9728-blackpiglet

@@ -1 +0,0 @@
-Remove Restic build from Dockerfile, Makefile and Tiltfile.

config/crd/v1/bases/velero.io_backuprepositories.yaml

@@ -69,7 +69,9 @@ spec:
                 - ""
                 type: string
               resticIdentifier:
-                description: Deprecated
+                description: |-
+                  ResticIdentifier is the full restic-compatible string for identifying
+                  this repository. This field is only used when RepositoryType is "restic".
                 type: string
               volumeNamespace:
                 description: |-

config/crd/v1/bases/velero.io_backups.yaml

@@ -594,8 +594,6 @@ spec:
                 description: Phase is the current state of the Backup.
                 enum:
                 - New
-                - Queued
-                - ReadyToStart
                 - FailedValidation
                 - InProgress
                 - WaitingForPluginOperations
@@ -627,11 +625,6 @@ spec:
                       filters that happen as items are processed.
                     type: integer
                 type: object
-              queuePosition:
-                description: |-
-                  QueuePosition is the position of the backup in the queue.
-                  Only relevant when Phase is "Queued"
-                type: integer
               startTimestamp:
                 description: |-
                   StartTimestamp records the time a backup was started.

config/crd/v1/bases/velero.io_backupstoragelocations.yaml

@@ -113,38 +113,10 @@ spec:
                     description: Bucket is the bucket to use for object storage.
                     type: string
                   caCert:
-                    description: |-
-                      CACert defines a CA bundle to use when verifying TLS connections to the provider.
-                      Deprecated: Use CACertRef instead.
+                    description: CACert defines a CA bundle to use when verifying
+                      TLS connections to the provider.
                     format: byte
                     type: string
-                  caCertRef:
-                    description: |-
-                      CACertRef is a reference to a Secret containing the CA certificate bundle to use
-                      when verifying TLS connections to the provider. The Secret must be in the same
-                      namespace as the BackupStorageLocation.
-                    properties:
-                      key:
-                        description: The key of the secret to select from.  Must be
-                          a valid secret key.
-                        type: string
-                      name:
-                        default: ""
-                        description: |-
-                          Name of the referent.
-                          This field is effectively required, but due to backwards compatibility is
-                          allowed to be empty. Instances of this type with an empty value here are
-                          almost certainly wrong.
-                          More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
-                        type: string
-                      optional:
-                        description: Specify whether the Secret or its key must be
-                          defined
-                        type: boolean
-                    required:
-                    - key
-                    type: object
-                    x-kubernetes-map-type: atomic
                   prefix:
                     description: Prefix is the path inside a bucket to use for Velero
                       storage. Optional.

design/Implemented/apply-flag.md

@@ -1,70 +0,0 @@
-# Apply flag for install command
-
-## Abstract
-Add an `--apply` flag to the install command that enables applying existing resources rather than creating them. This can be useful as part of the upgrade process for existing installations.
-
-## Background
-The current Velero install command creates resources but doesn't provide a direct way to apply updates to an existing installation.
-Users attempting to run the install command on an existing installation receive "already exists" messages.
-Upgrade steps for existing installs typically involve a three (or more) step process to apply updated CRDs (using `--dry-run` and piping to `kubectl apply`) and then updating/setting images on the Velero deployment and node-agent.
-
-## Goals
-- Provide a simple flag to enable applying resources on an existing Velero installation.
-- Use server-side apply to update existing resources rather than attempting to create them.
-- Maintain consistency with the regular install flow.
-
-## Non Goals
-- Implement special logic for specific version-to-version upgrades (i.e. resource deletion, etc).
-- Add complex upgrade validation or pre/post-upgrade hooks.
-- Provide rollback capabilities.
-
-## High-Level Design
-The `--apply` flag will be added to the Velero install command.
-When this flag is set, the installation process will use server-side apply to update existing resources instead of using create on new resources.
-This flag can be used as _part_ of the upgrade process, but will not always fully handle an upgrade.
-
-## Detailed Design
-The implementation adds a new boolean flag `--apply` to the install command.
-This flag will be passed through to the underlying install functions where the resource creation logic resides.
-
-When the flag is set to true:
-- The `createOrApplyResource` function will use server-side apply with field manager "velero-cli" and `force=true` to update resources.
-- Resources will be applied in the same order as they would be created during installation.
-- Custom Resource Definitions will still be processed first, and the system will wait for them to be established before continuing.
-
-The server-side apply approach with `force=true` ensures that resources are updated even if there are conflicts with the last applied state.
-This provides a best-effort mechanism to apply resources that follows the same flow as installation but updates resources instead of creating them.
-
-No special handling is added for specific versions or resource structures, making this a general-purpose mechanism for applying resources.
-
-## Alternatives Considered
-1. Creating a separate `upgrade` command that would duplicate much of the install command logic.
-   - Rejected due to code duplication and maintenance overhead.
-
-2. Implementing version-specific upgrade logic to handle breaking changes between versions.
-   - Rejected as overly complex and difficult to maintain across multiple version paths.
-   - This could be considered again in the future, but is not in the scope of the current design.
-
-3. Adding automatic detection of existing resources and switching to apply mode.
-   - Rejected as it could lead to unexpected behavior and confusion if users unintentionally apply changes to existing resources.
-
-## Security Considerations
-The apply flag maintains the same security profile as the install command.
-No additional permissions are required beyond what is needed for resource creation.
-The use of `force=true` with server-side apply could potentially override manual changes made to resources, but this is a necessary trade-off to ensure apply is successful.
-
-## Compatibility
-This enhancement is compatible with all existing Velero installations as it is a new opt-in flag.
-It does not change any resource formats or API contracts.
-The apply process is best-effort and does not guarantee compatibility between arbitrary versions of Velero.
-Users should still consult release notes for any breaking changes that may require manual intervention.
-This flag could be adopted by the helm chart, specifically for CRD updates, to simplify the CRD update job.
-
-## Implementation
-The implementation involves:
-1. Adding support for `Apply` to the existing Kubernetes client code.
-1. Adding the `--apply` flag to the install command options.
-1. Changing `createResource` to `createOrApplyResource` and updating it to use server-side apply when the `apply` boolean is set.
-
-The implementation is straightforward and follows existing code patterns.
-No migration of state or special handling of specific resources is required.

design/Implemented/bsl-certificate-support_design.md

@@ -1,417 +0,0 @@
-# Design for BSL Certificate Support Enhancement
-
-## Abstract
-
-This design document describes the enhancement of BackupStorageLocation (BSL) certificate management in Velero, introducing a Secret-based certificate reference mechanism (`caCertRef`) alongside the existing inline certificate field (`caCert`). This enhancement provides a more secure, Kubernetes-native approach to certificate management while enabling future CLI improvements for automatic certificate discovery.
-
-## Background
-
-Currently, Velero supports TLS certificate verification for object storage providers through an inline `caCert` field in the BSL specification. While functional, this approach has several limitations:
-
-- **Security**: Certificates are stored directly in the BSL YAML, potentially exposing sensitive data
-- **Management**: Certificate rotation requires updating the BSL resource itself
-- **CLI Usability**: Users must manually specify certificates when using CLI commands
-- **Size Limitations**: Large certificate bundles can make BSL resources unwieldy
-
-Issue #9097 and PR #8557 highlight the need for improved certificate management that addresses these concerns while maintaining backward compatibility.
-
-## Goals
-
-- Provide a secure, Secret-based certificate storage mechanism
-- Maintain full backward compatibility with existing BSL configurations
-- Enable future CLI enhancements for automatic certificate discovery
-- Simplify certificate rotation and management
-- Provide clear migration path for existing users
-
-## Non-Goals
-
-- Removing support for inline certificates immediately
-- Changing the behavior of existing BSL configurations
-- Implementing client-side certificate validation
-- Supporting certificates from ConfigMaps or other resource types
-
-## High-Level Design
-
-### API Changes
-
-#### New Field: CACertRef
-
-```go
-type ObjectStorageLocation struct {
-    // Existing field (now deprecated)
-    // +optional
-    // +kubebuilder:deprecatedversion:warning="caCert is deprecated, use caCertRef instead"
-    CACert []byte `json:"caCert,omitempty"`
-
-    // New field for Secret reference
-    // +optional
-    CACertRef *corev1api.SecretKeySelector `json:"caCertRef,omitempty"`
-}
-```
-
-The `SecretKeySelector` follows standard Kubernetes patterns:
-```go
-type SecretKeySelector struct {
-    // Name of the Secret
-    Name string `json:"name"`
-    // Key within the Secret
-    Key string `json:"key"`
-}
-```
-
-### Certificate Resolution Logic
-
-The system follows a priority-based resolution:
-
-1. If `caCertRef` is specified, retrieve certificate from the referenced Secret
-2. If `caCert` is specified (and `caCertRef` is not), use the inline certificate
-3. If neither is specified, no custom CA certificate is used
-
-### Validation
-
-BSL validation ensures mutual exclusivity:
-```go
-func (bsl *BackupStorageLocation) Validate() error {
-    if bsl.Spec.ObjectStorage != nil &&
-        bsl.Spec.ObjectStorage.CACert != nil &&
-        bsl.Spec.ObjectStorage.CACertRef != nil {
-        return errors.New("cannot specify both caCert and caCertRef in objectStorage")
-    }
-    return nil
-}
-```
-
-## Detailed Design
-
-### BSL Controller Changes
-
-The BSL controller incorporates validation during reconciliation:
-
-```go
-func (r *backupStorageLocationReconciler) Reconcile(req ctrl.Request) (ctrl.Result, error) {
-    // ... existing code ...
-    
-    // Validate BSL configuration
-    if err := location.Validate(); err != nil {
-        r.logger.WithError(err).Error("BSL validation failed")
-        return ctrl.Result{}, err
-    }
-    
-    // ... continue reconciliation ...
-}
-```
-
-### Repository Provider Integration
-
-All repository providers implement consistent certificate handling:
-
-```go
-func configureCACert(bsl *velerov1api.BackupStorageLocation, credGetter *credentials.CredentialGetter) ([]byte, error) {
-    if bsl.Spec.ObjectStorage == nil {
-        return nil, nil
-    }
-
-    // Prefer caCertRef (new method)
-    if bsl.Spec.ObjectStorage.CACertRef != nil {
-        certString, err := credGetter.FromSecret.Get(bsl.Spec.ObjectStorage.CACertRef)
-        if err != nil {
-            return nil, errors.Wrap(err, "error getting CA certificate from secret")
-        }
-        return []byte(certString), nil
-    }
-
-    // Fall back to caCert (deprecated)
-    if bsl.Spec.ObjectStorage.CACert != nil {
-        return bsl.Spec.ObjectStorage.CACert, nil
-    }
-
-    return nil, nil
-}
-```
-
-### CLI Certificate Discovery Integration
-
-#### Background: PR #8557 Implementation
-PR #8557 ("CLI automatically discovers and uses cacert from BSL") was merged in August 2025, introducing automatic CA certificate discovery from BackupStorageLocation for Velero CLI download operations. This eliminated the need for users to manually specify the `--cacert` flag when performing operations like `backup describe`, `backup download`, `backup logs`, and `restore logs`.
-
-#### Current Implementation (Post PR #8557)
-The CLI now automatically discovers certificates from BSL through the `pkg/cmd/util/cacert/bsl_cacert.go` module:
-
-```go
-// Current implementation only supports inline caCert
-func GetCACertFromBSL(ctx context.Context, client kbclient.Client, namespace, bslName string) (string, error) {
-    // ... fetch BSL ...
-    if bsl.Spec.ObjectStorage != nil && len(bsl.Spec.ObjectStorage.CACert) > 0 {
-        return string(bsl.Spec.ObjectStorage.CACert), nil
-    }
-    return "", nil
-}
-```
-
-#### Enhancement with caCertRef Support
-This design extends the existing CLI certificate discovery to support the new `caCertRef` field:
-
-```go
-// Enhanced implementation supporting both caCert and caCertRef
-func GetCACertFromBSL(ctx context.Context, client kbclient.Client, namespace, bslName string) (string, error) {
-    // ... fetch BSL ...
-
-    // Prefer caCertRef over inline caCert
-    if bsl.Spec.ObjectStorage.CACertRef != nil {
-        secret := &corev1api.Secret{}
-        key := types.NamespacedName{
-            Name:      bsl.Spec.ObjectStorage.CACertRef.Name,
-            Namespace: namespace,
-        }
-        if err := client.Get(ctx, key, secret); err != nil {
-            return "", errors.Wrap(err, "error getting certificate secret")
-        }
-
-        certData, ok := secret.Data[bsl.Spec.ObjectStorage.CACertRef.Key]
-        if !ok {
-            return "", errors.Errorf("key %s not found in secret",
-                bsl.Spec.ObjectStorage.CACertRef.Key)
-        }
-        return string(certData), nil
-    }
-
-    // Fall back to inline caCert (deprecated)
-    if bsl.Spec.ObjectStorage.CACert != nil {
-        return string(bsl.Spec.ObjectStorage.CACert), nil
-    }
-
-    return "", nil
-}
-```
-
-#### Certificate Resolution Priority
-
-The CLI follows this priority order for certificate resolution:
-
-1. **`--cacert` flag** - Manual override, highest priority
-2. **`caCertRef`** - Secret-based certificate (recommended)
-3. **`caCert`** - Inline certificate (deprecated)
-4. **System certificate pool** - Default fallback
-
-#### User Experience Improvements
-
-With both PR #8557 and this enhancement:
-
-```bash
-# Automatic discovery - works with both caCert and caCertRef
-velero backup describe my-backup
-velero backup download my-backup
-velero backup logs my-backup
-velero restore logs my-restore
-
-# Manual override still available
-velero backup describe my-backup --cacert /custom/ca.crt
-
-# Debug output shows certificate source
-velero backup download my-backup --log-level=debug
-# [DEBUG] Resolved CA certificate from BSL 'default' Secret 'storage-ca-cert' key 'ca-bundle.crt'
-```
-
-#### RBAC Considerations for CLI
-
-CLI users need read access to Secrets when using `caCertRef`:
-
-```yaml
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: velero-cli-user
-  namespace: velero
-rules:
-- apiGroups: ["velero.io"]
-  resources: ["backups", "restores", "backupstoragelocations"]
-  verbs: ["get", "list"]
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get"]
-  # Limited to secrets referenced by BSLs
-```
-
-### Migration Strategy
-
-#### Phase 1: Introduction (Current)
-- Add `caCertRef` field
-- Mark `caCert` as deprecated
-- Both fields supported, mutual exclusivity enforced
-
-#### Phase 2: Migration Period
-- Documentation and tools to help users migrate
-- Warning messages for `caCert` usage
-- CLI enhancements to leverage `caCertRef`
-
-#### Phase 3: Future Removal
-- Remove `caCert` field in major version update
-- Provide migration tool for automatic conversion
-
-## User Experience
-
-### Creating a BSL with Certificate Reference
-
-1. Create a Secret containing the CA certificate:
-```yaml
-apiVersion: v1
-kind: Secret
-metadata:
-  name: storage-ca-cert
-  namespace: velero
-type: Opaque
-data:
-  ca-bundle.crt: <base64-encoded-certificate>
-```
-
-2. Reference the Secret in BSL:
-```yaml
-apiVersion: velero.io/v1
-kind: BackupStorageLocation
-metadata:
-  name: default
-  namespace: velero
-spec:
-  provider: aws
-  objectStorage:
-    bucket: my-bucket
-    caCertRef:
-      name: storage-ca-cert
-      key: ca-bundle.crt
-```
-
-### Certificate Rotation
-
-With Secret-based certificates:
-```bash
-# Update the Secret with new certificate
-kubectl create secret generic storage-ca-cert \
-  --from-file=ca-bundle.crt=new-ca.crt \
-  --dry-run=client -o yaml | kubectl apply -f -
-
-# No BSL update required - changes take effect on next use
-```
-
-### CLI Usage Examples
-
-#### Immediate Benefits
-- No change required for existing workflows
-- Certificate validation errors include helpful context
-
-#### Future CLI Enhancements
-```bash
-# Automatic certificate discovery
-velero backup download my-backup
-
-# Manual override still available
-velero backup download my-backup --cacert /custom/ca.crt
-
-# Debug certificate resolution
-velero backup download my-backup --log-level=debug
-# [DEBUG] Resolved CA certificate from BSL 'default' Secret 'storage-ca-cert'
-```
-
-## Security Considerations
-
-### Advantages of Secret-based Storage
-
-1. **Encryption at Rest**: Secrets are encrypted in etcd
-2. **RBAC Control**: Fine-grained access control via Kubernetes RBAC
-3. **Audit Trail**: Secret access is auditable
-4. **Separation of Concerns**: Certificates separate from configuration
-
-### Required Permissions
-
-The Velero server requires additional RBAC permissions:
-```yaml
-- apiGroups: [""]
-  resources: ["secrets"]
-  verbs: ["get"]
-  # Scoped to secrets referenced by BSLs
-```
-
-## Compatibility
-
-### Backward Compatibility
-
-- Existing BSLs with `caCert` continue to function unchanged
-- No breaking changes to API
-- Gradual migration path
-
-### Forward Compatibility
-
-- Design allows for future enhancements:
-  - Multiple certificate support
-  - Certificate chain validation
-  - Automatic certificate discovery from cloud providers
-
-## Implementation Phases
-
-### Phase 1: Core Implementation ✓ (Current PR)
-- API changes with new `caCertRef` field
-- Controller validation
-- Repository provider updates
-- Basic testing
-
-### Phase 2: CLI Enhancement (Future)
-- Automatic certificate discovery in CLI
-- Enhanced error messages
-- Debug logging for certificate resolution
-
-### Phase 3: Migration Tools (Future)
-- Automated migration scripts
-- Validation tools
-- Documentation updates
-
-## Testing
-
-### Unit Tests
-- BSL validation logic
-- Certificate resolution in providers
-- Controller behavior
-
-### Integration Tests
-- End-to-end backup/restore with `caCertRef`
-- Certificate rotation scenarios
-- Migration from `caCert` to `caCertRef`
-
-### Manual Testing Scenarios
-1. Create BSL with `caCertRef`
-2. Perform backup/restore operations
-3. Rotate certificate in Secret
-4. Verify continued operation
-
-## Documentation
-
-### User Documentation
-- Migration guide from `caCert` to `caCertRef`
-- Examples for common cloud providers
-- Troubleshooting guide
-
-### API Documentation
-- Updated API reference
-- Deprecation notices
-- Field descriptions
-
-## Alternatives Considered
-
-### ConfigMap-based Storage
-- Pros: Similar to Secrets, simpler API
-- Cons: Not designed for sensitive data, no encryption at rest
-- Decision: Secrets are the Kubernetes-standard for sensitive data
-
-### External Certificate Management
-- Pros: Integration with cert-manager, etc.
-- Cons: Additional complexity, dependencies
-- Decision: Keep it simple, allow users to manage certificates as needed
-
-### Immediate Removal of Inline Certificates
-- Pros: Cleaner API, forces best practices
-- Cons: Breaking change, migration burden
-- Decision: Gradual deprecation respects existing users
-
-## Conclusion
-
-This design provides a secure, Kubernetes-native approach to certificate management in Velero while maintaining backward compatibility. It establishes the foundation for enhanced CLI functionality and improved user experience, addressing the concerns raised in issue #9097 and enabling the features proposed in PR #8557.
-
-The phased approach ensures smooth migration for existing users while delivering immediate security benefits for new deployments.