Merge pull request #4030 from zubron/cherry-pick-apiservice-action-1-6-3

Cherry-pick and update changelog for v1.6.3

.github/ISSUE_TEMPLATE/config.yml

@@ -0,0 +1,5 @@
+blank_issues_enabled: false
+contact_links:
+  - name: Velero Q&A
+    url: https://github.com/vmware-tanzu/velero/discussions/categories/community-support-q-a 
+    about: Have questions about Velero? Please ask them here.

.github/auto_assign.yml

@@ -1,11 +1,14 @@
 addReviewers: true
 addAssignees: author
 
-# Set this to the length of the reviewers list because the default was not including everyone
-numberOfReviewers: 4
+# Only require 2, random reviewers.
+# TODO expand this to support using reviewGroups
+numberOfReviewers: 2
 
 reviewers:
   - nrb
   - ashish-amarnath
   - carlisia
   - zubron
+  - dsu-igeek
+  - jenting

.github/labels.yml

@@ -0,0 +1,41 @@
+area:
+  - "Cloud/AWS"
+  - "Cloud/GCP"
+  - "Cloud/Azure"
+  - "Design"
+  - "Plugins"
+
+# Labels that can be applied to PRs with the /kind command
+kind:
+  - "changelog-not-required"
+  - "tech-debt"
+
+# Works with https://github.com/actions/labeler/
+# Below this line, the keys are labels to be applied, and the values are the file globs to match against.
+# Anything in the `design` directory gets the `Design` label.
+Area/Design:
+  - design/*
+
+# Anything in the site directory gets the website label *EXCEPT* docs
+Website:
+  - any: ["site/**/*", "!site/content/docs/**/*"]
+
+Documentation:
+  - site/content/docs/**/*
+
+Dependencies:
+  - go.mod
+
+# Anything that has plugin infra will be labeled.
+# Individual plugins don't necessarily live here, though
+Area/Plugins:
+  - "pkg/plugins/**/*"
+
+has-unit-tests:
+  - "pkg/**/*_test.go"
+
+has-e2e-2tests:
+  - "test/e2e/**/*"
+
+has-changelog:
+  - "changelogs/**"

.github/pull_request_template.md

@@ -0,0 +1,13 @@
+Thank you for contributing to Velero!
+
+# Please add a summary of your change
+
+# Does your change fix a particular issue?
+
+Fixes #(issue)
+
+# Please indicate you've done the following:
+
+- [ ] [Accepted the DCO](https://velero.io/docs/v1.5/code-standards/#dco-sign-off). Commits without the DCO will delay acceptance.
+- [ ] [Created a changelog file](https://velero.io/docs/v1.5/code-standards/#adding-a-changelog) or added `/kind changelog-not-required`.
+- [ ] Updated the corresponding documentation in `site/content/docs/main`.

.github/workflows/auto_assign_prs.yml

@@ -1,16 +1,16 @@
-name: 'Auto Assign PR Reviewers'
+name: "Auto Assign PR Reviewers"
 # pull_request_target means that this will run on pull requests, but in the context of the base repo.
 # This should mean PRs from forks are supported.
-on: 
+on:
   pull_request_target:
-    types: [opened, reopened, sychronized]
+    types: [opened, reopened, ready_for_review]
 
-
-jobs: 
+jobs:
+  # Automatically assigns reviewers and owner
   add-reviews:
     runs-on: ubuntu-latest
     steps:
       - uses: kentaro-m/auto-assign-action@v1.1.1
-        with: 
+        with:
           configuration-path: ".github/auto_assign.yml"
-          repo-token: '${{ secrets.GITHUB_TOKEN }}'
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/auto_label_prs.yml

@@ -0,0 +1,19 @@
+name: "Auto Label PRs"
+# pull_request_target means that this will run on pull requests, but in the context of the base repo.
+# This should mean PRs from forks are supported. 
+# Because it includes the `synchronize` parameter, any push of a new commit to the HEAD ref of a pull request
+# will trigger this process.
+
+on:
+  pull_request_target:
+    types: [opened, reopened, synchronize, ready_for_review]
+
+jobs:
+  # Automatically labels PRs based on file globs in the change.
+  triage:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/labeler@v3
+        with:
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          configuration-path: .github/labels.yml

.github/workflows/crds-verify-kind.yaml

@@ -58,6 +58,8 @@ jobs:
           - 1.18.15
           - 1.19.7
           - 1.20.2
+          - 1.21.1
+          - 1.22.0
     # All steps run in parallel unless otherwise specified.
     # See https://docs.github.com/en/actions/learn-github-actions/managing-complex-workflows#creating-dependent-jobs
     steps:
@@ -75,6 +77,7 @@ jobs:
             velero-${{ github.event.pull_request.number }}-
       - uses: engineerd/setup-kind@v0.5.0
         with:
+          version: "v0.11.1"
           image: "kindest/node:v${{ matrix.k8s }}"
       - name: Install CRDs
         run: |

.github/workflows/e2e-test-kind.yaml

@@ -0,0 +1,114 @@
+name: "Run the E2E test on kind"
+on:
+  push:
+  pull_request:
+    # Do not run when the change only includes these directories.
+    paths-ignore:
+      - "site/**"
+      - "design/**"
+jobs:
+  # Build the Velero CLI and image once for all Kubernetes versions, and cache it so the fan-out workers can get it.
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      # Look for a CLI that's made for this PR
+      - name: Fetch built CLI
+        id: cli-cache
+        uses: actions/cache@v2
+        with:
+          path: ./_output/bin/linux/amd64/velero
+          # The cache key a combination of the current PR number and the commit SHA
+          key: velero-cli-${{ github.event.pull_request.number }}-${{ github.sha }}
+      - name: Fetch built image
+        id: image-cache
+        uses: actions/cache@v2
+        with:
+          path: ./velero.tar
+          # The cache key a combination of the current PR number and the commit SHA
+          key: velero-image-${{ github.event.pull_request.number }}-${{ github.sha }}
+      - name: Fetch cached go modules
+        uses: actions/cache@v2
+        if: steps.cli-cache.outputs.cache-hit != 'true'
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Check out the code
+        uses: actions/checkout@v2
+        if: steps.cli-cache.outputs.cache-hit != 'true' || steps.image-cache.outputs.cache-hit != 'true'
+      # If no binaries were built for this PR, build it now.
+      - name: Build Velero CLI
+        if: steps.cli-cache.outputs.cache-hit != 'true'
+        run: |
+          make local
+      # If no image were built for this PR, build it now.
+      - name: Build Velero Image
+        if: steps.image-cache.outputs.cache-hit != 'true'
+        run: |
+          IMAGE=velero VERSION=pr-test make container
+          docker save velero:pr-test -o ./velero.tar
+  # Run E2E test against all kubernetes versions on kind
+  run-e2e-test:
+    needs: build
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        k8s:
+          # doesn't cover 1.15 as 1.15 doesn't support "apiextensions.k8s.io/v1" that is needed for the case
+          #- 1.15.12
+          - 1.16.15
+          - 1.17.17
+          - 1.18.15
+          - 1.19.7
+          - 1.20.2
+          - 1.21.1
+          - 1.22.0
+      fail-fast: false
+    steps:
+      - name: Check out the code
+        uses: actions/checkout@v2
+      - name: Install MinIO
+        run:
+          docker run -d --rm -p 9000:9000 -e "MINIO_ACCESS_KEY=minio" -e "MINIO_SECRET_KEY=minio123" -e "MINIO_DEFAULT_BUCKETS=bucket,additional-bucket" bitnami/minio:2021.6.17-debian-10-r7
+      - uses: engineerd/setup-kind@v0.5.0
+        with:
+          version: "v0.11.1"
+          image: "kindest/node:v${{ matrix.k8s }}"
+      - name: Fetch built CLI
+        id: cli-cache
+        uses: actions/cache@v2
+        with:
+          path: ./_output/bin/linux/amd64/velero
+          key: velero-cli-${{ github.event.pull_request.number }}-${{ github.sha }}
+      - name: Fetch built Image
+        id: image-cache
+        uses: actions/cache@v2
+        with:
+          path: ./velero.tar
+          key: velero-image-${{ github.event.pull_request.number }}-${{ github.sha }}
+      - name: Load Velero Image
+        run:
+          kind load image-archive velero.tar
+      # always try to fetch the cached go modules as the e2e test needs it either
+      - name: Fetch cached go modules
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Run E2E test
+        run: |
+          cat << EOF > /tmp/credential
+          [default]
+          aws_access_key_id=minio
+          aws_secret_access_key=minio123
+          EOF
+          GOPATH=~/go CLOUD_PROVIDER=kind \
+              OBJECT_STORE_PROVIDER=aws BSL_CONFIG=region=minio,s3ForcePathStyle="true",s3Url=http://$(hostname -i):9000 \
+              CREDS_FILE=/tmp/credential BSL_BUCKET=bucket \
+              ADDITIONAL_OBJECT_STORE_PROVIDER=aws ADDITIONAL_BSL_CONFIG=region=minio,s3ForcePathStyle="true",s3Url=http://$(hostname -i):9000 \
+              ADDITIONAL_CREDS_FILE=/tmp/credential ADDITIONAL_BSL_BUCKET=additional-bucket \
+              GINKGO_FOCUS=Basic VELERO_IMAGE=velero:pr-test \
+              make -C test/e2e run

.github/workflows/milestoned-issues.yml

@@ -0,0 +1,18 @@
+name: Add issues with a milestone to the milestone's board
+
+on:
+  issues:
+    types: [milestoned]
+
+jobs:
+  automate-project-columns:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: alex-page/github-project-automation-plus@v0.3.0
+        with:
+          # Do NOT add PRs to the board, as that's duplication. Their corresponding issue should be on the board.
+          if: ${{ !github.event.issue.pull_request }}
+          project: "${{ github.event.issue.milestone.title }}"
+          column: "To Do"
+          repo-token: ${{ secrets.GH_TOKEN }}
+

.github/workflows/opened-issues-triage.yml

@@ -0,0 +1,15 @@
+name: Move new issues into Triage
+
+on:
+  issues:
+    types: [opened]
+
+jobs:
+  automate-project-columns:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: alex-page/github-project-automation-plus@v0.3.0
+        with:
+          project: "Velero Support Board"
+          column: "New"
+          repo-token: ${{ secrets.GH_TOKEN }}

.github/workflows/pr-changelog-check.yml

@@ -11,5 +11,5 @@ jobs:
       uses: actions/checkout@v2
 
     - name: Changelog check
-      if: ${{ !(contains(github.event.pull_request.labels.*.name, 'changelog-not-required') || contains(github.event.pull_request.labels.*.name, 'Design') || contains(github.event.pull_request.labels.*.name, 'Website') || contains(github.event.pull_request.labels.*.name, 'Documentation'))}}
+      if: ${{ !(contains(github.event.pull_request.labels.*.name, 'kind/changelog-not-required') || contains(github.event.pull_request.labels.*.name, 'Design') || contains(github.event.pull_request.labels.*.name, 'Website') || contains(github.event.pull_request.labels.*.name, 'Documentation'))}}
       run: ./hack/changelog-check.sh

.github/workflows/pr-codespell.yml

@@ -0,0 +1,20 @@
+name: Pull Request Codespell Check
+on: [pull_request]
+jobs:
+
+  codespell:
+    name: Run Codespell
+    runs-on: ubuntu-latest
+    steps:
+
+    - name: Check out the code
+      uses: actions/checkout@v2
+
+    - name: Codespell
+      uses: codespell-project/actions-codespell@master
+      with:
+        # ignore the config/.../crd.go file as it's generated binary data that is edited elswhere.
+        skip: .git,*.png,*.jpg,*.woff,*.ttf,*.gif,*.ico,./config/crd/v1beta1/crds/crds.go,./config/crd/v1/crds/crds.go
+        ignore_words_list: iam,aks,ist,bridget,ue
+        check_filenames: true
+        check_hidden: true

.github/workflows/prow-action.yml

@@ -0,0 +1,20 @@
+# Adds support for prow-like commands
+# Uses .github/labels.yaml to define areas and kinds
+name: "Prow github actions"
+on:
+  issue_comment:
+    types: [created]
+
+jobs:
+  execute:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: jpmcb/prow-github-actions@v1.1.2
+        with:
+          # Only support /kind command for now.
+          # TODO: before allowing the /lgtm command, see if we can block merging if changelog labels are missing.
+          prow-commands: "/area
+            /kind
+            /cc
+            /uncc"
+          github-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/push-builder.yml

@@ -17,7 +17,9 @@ jobs:
     - name: Build
       run: make build-image
 
+    # Only try to publish the container image from the root repo; forks don't have permission to do so and will always get failures.
     - name: Publish container image
+      if: github.repository == 'vmware-tanzu/velero'
       run: |
         docker login -u ${{ secrets.DOCKER_USER }} -p ${{ secrets.DOCKER_PASSWORD }}
        

.github/workflows/push.yml

@@ -13,21 +13,26 @@ jobs:
     runs-on: ubuntu-latest
     steps:
 
-    - name: Set up Go 1.14
+    - name: Set up Go
       uses: actions/setup-go@v2
       with:
-        go-version: 1.14
+        go-version: 1.15
       id: go
 
     - name: Check out code into the Go module directory
       uses: actions/checkout@v2
 
+    - name: Set up QEMU
+      id: qemu
+      uses: docker/setup-qemu-action@v1
+      with:
+        platforms: all
+
     - name: Set up Docker Buildx
       id: buildx
-      uses: crazy-max/ghaction-docker-buildx@v3
+      uses: docker/setup-buildx-action@v1
       with:
-        buildx-version: latest
-        qemu-version: latest
+        version: latest
 
     - name: Build
       run: make local
@@ -35,7 +40,9 @@ jobs:
     - name: Test
       run: make test
 
+    # Only try to publish the container image from the root repo; forks don't have permission to do so and will always get failures.
     - name: Publish container image
+      if: github.repository == 'vmware-tanzu/velero'
       run: |
         docker login -u ${{ secrets.DOCKER_USER }} -p ${{ secrets.DOCKER_PASSWORD }}
         ./hack/docker-push.sh

.github/workflows/stale-issues.yml

@@ -0,0 +1,24 @@
+name: "Close stale issues and PRs"
+on:
+  schedule:
+    # First of every month
+    - cron: "30 1 * * *"
+
+jobs:
+  stale:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/stale@v3
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          stale-issue-message: "This issue is stale because it has been open 30 days with no activity. Remove stale label or comment or this will be closed in 5 days. If a Velero team member has requested log or more information, please provide the output of the shared commands."
+          close-issue-message: "This issue was closed because it has been stalled for 5 days with no activity."
+          days-before-issue-stale: 30
+          days-before-issue-close: 5
+          # Disable stale PRs for now; they can remain open.
+          days-before-pr-stale: -1
+          days-before-pr-close: -1
+          # Only issues made after Feb 09 2021.
+          start-date: "2021-09-02T00:00:00"
+          # Only make issues stale if they have these labels. Comma separated.
+          only-labels: "Needs info,Duplicate"

.gitignore

@@ -28,7 +28,6 @@ debug
 
 /velero
 .idea/
-Tiltfile
 
 .container-*
 .vimrc
@@ -43,3 +42,11 @@ site/public
 site/resources
 
 .vs
+
+# these are files for local Tilt development:
+_tiltbuild
+tilt-resources/tilt-settings.json
+tilt-resources/velero_v1_backupstoragelocation.yaml
+tilt-resources/deployment.yaml
+tilt-resources/restic.yaml
+tilt-resources/cloud

.goreleaser.yml

@@ -41,7 +41,7 @@ builds:
       - goos: windows
         goarch: ppc64le
     ldflags:
-      - -X "github.com/vmware-tanzu/velero/pkg/buildinfo.Version={{ .Tag }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.GitSHA={{ .FullCommit }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.GitTreeState={{ .Env.GIT_TREE_STATE }}"
+      - -X "github.com/vmware-tanzu/velero/pkg/buildinfo.Version={{ .Tag }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.GitSHA={{ .FullCommit }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.GitTreeState={{ .Env.GIT_TREE_STATE }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.ImageRegistry={{ .Env.REGISTRY }}"
 archives:
   - name_template: "{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
     wrap_in_directory: true

ADOPTERS.md

@@ -3,16 +3,16 @@
 If you're using Velero and want to add your organization to this list, 
 [follow these directions][1]!
 
-<a href="https://www.bitgo.com" border="0" target="_blank"><img alt="bitgo.com" src="site/img/adopters/BitGo.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
-<a href="https://www.nirmata.com" border="0" target="_blank"><img alt="nirmata.com" src="site/img/adopters/nirmata.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
-<a href="https://kyma-project.io/" border="0" target="_blank"><img alt="kyma-project.io" src="site/img/adopters/kyma.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
-<a href="https://redhat.com/" border="0" target="_blank"><img alt="redhat.com" src="site/img/adopters/redhat.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
-<a href="https://dellemc.com/" border="0" target="_blank"><img alt="dellemc.com" src="site/img/adopters/DellEMC.png" height="50"></a>&nbsp; &nbsp; &nbsp;
-<a href="https://bugsnag.com/" border="0" target="_blank"><img alt="bugsnag.com" src="site/img/adopters/bugsnag.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
-<a href="https://okteto.com/" border="0" target="_blank"><img alt="okteto.com" src="site/img/adopters/okteto.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
-<a href="https://banzaicloud.com/" border="0" target="_blank"><img alt="banzaicloud.com" src="site/img/adopters/banzaicloud.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
-<a href="https://sighup.io/" border="0" target="_blank"><img alt="sighup.io" src="site/img/adopters/sighup.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
-<a href="https://mayadata.io/" border="0" target="_blank"><img alt="mayadata.io" src="site/img/adopters/mayadata.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
+<a href="https://www.bitgo.com" border="0" target="_blank"><img alt="bitgo.com" src="site/static/img/adopters/BitGo.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
+<a href="https://www.nirmata.com" border="0" target="_blank"><img alt="nirmata.com" src="site/static/img/adopters/nirmata.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
+<a href="https://kyma-project.io/" border="0" target="_blank"><img alt="kyma-project.io" src="site/static/img/adopters/kyma.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
+<a href="https://redhat.com/" border="0" target="_blank"><img alt="redhat.com" src="site/static/img/adopters/redhat.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
+<a href="https://dellemc.com/" border="0" target="_blank"><img alt="dellemc.com" src="site/static/img/adopters/DellEMC.png" height="50"></a>&nbsp; &nbsp; &nbsp;
+<a href="https://bugsnag.com/" border="0" target="_blank"><img alt="bugsnag.com" src="site/static/img/adopters/bugsnag.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
+<a href="https://okteto.com/" border="0" target="_blank"><img alt="okteto.com" src="site/static/img/adopters/okteto.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
+<a href="https://banzaicloud.com/" border="0" target="_blank"><img alt="banzaicloud.com" src="site/static/img/adopters/banzaicloud.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
+<a href="https://sighup.io/" border="0" target="_blank"><img alt="sighup.io" src="site/static/img/adopters/sighup.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
+<a href="https://mayadata.io/" border="0" target="_blank"><img alt="mayadata.io" src="site/static/img/adopters/mayadata.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
 
 ## Success Stories
 
@@ -56,7 +56,7 @@ Okteto integrates Velero in [Okteto Cloud][94] and [Okteto Enterprise][95] to pe
 ​
 ## Adding your organization to the list of Velero Adopters
 
-If you are using Velero and would like to be included in the list of `Velero Adopters`, add an SVG version of your logo to the `site/img/adopters` directory in this repo and submit a [pull request][3] with your change. Name the image file something that reflects your company (e.g., if your company is called Acme, name the image acme.png). See this for an example [PR][4].
+If you are using Velero and would like to be included in the list of `Velero Adopters`, add an SVG version of your logo to the `site/static/img/adopters` directory in this repo and submit a [pull request][3] with your change. Name the image file something that reflects your company (e.g., if your company is called Acme, name the image acme.png). See this for an example [PR][4].
 
 ### Adding a logo to velero.io
 

CHANGELOG.md

@@ -1,7 +1,8 @@
 ## Current release:
-  * [CHANGELOG-1.5.md][15]
+  * [CHANGELOG-1.6.md][16]
 
 ## Older releases:
+  * [CHANGELOG-1.5.md][15]
   * [CHANGELOG-1.4.md][14]
   * [CHANGELOG-1.3.md][13]
   * [CHANGELOG-1.2.md][12]
@@ -18,6 +19,7 @@
   * [CHANGELOG-0.3.md][1]
 
 
+[16]: https://github.com/vmware-tanzu/velero/blob/main/changelogs/CHANGELOG-1.6.md
 [15]: https://github.com/vmware-tanzu/velero/blob/main/changelogs/CHANGELOG-1.5.md
 [14]: https://github.com/vmware-tanzu/velero/blob/main/changelogs/CHANGELOG-1.4.md
 [13]: https://github.com/vmware-tanzu/velero/blob/main/changelogs/CHANGELOG-1.3.md

CODE_OF_CONDUCT.md

@@ -2,19 +2,28 @@
 
 ## Our Pledge
 
-We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone, regardless of age, body size, visible or invisible disability, ethnicity, sex characteristics, gender identity and expression, level of experience, education, socio-economic status, nationality, personal appearance, race, religion, or sexual identity and orientation.
+We as members, contributors, and leaders pledge to make participation in the Velero project and our
+community a harassment-free experience for everyone, regardless of age, body
+size, visible or invisible disability, ethnicity, sex characteristics, gender
+identity and expression, level of experience, education, socio-economic status,
+nationality, personal appearance, race, religion, or sexual identity
+and orientation.
 
-We pledge to act and interact in ways that contribute to an open, welcoming, diverse, inclusive, and healthy community.
+We pledge to act and interact in ways that contribute to an open, welcoming,
+diverse, inclusive, and healthy community.
 
 ## Our Standards
 
-Examples of behavior that contributes to a positive environment for our community include:
+Examples of behavior that contributes to a positive environment for our
+community include:
 
 * Demonstrating empathy and kindness toward other people
 * Being respectful of differing opinions, viewpoints, and experiences
 * Giving and gracefully accepting constructive feedback
-* Accepting responsibility and apologizing to those affected by our mistakes, and learning from the experience
-* Focusing on what is best not just for us as individuals, but for the overall community
+* Accepting responsibility and apologizing to those affected by our mistakes,
+  and learning from the experience
+* Focusing on what is best not just for us as individuals, but for the
+  overall community
 
 Examples of unacceptable behavior include:
 
@@ -29,56 +38,90 @@ Examples of unacceptable behavior include:
 
 ## Enforcement Responsibilities
 
-Community leaders are responsible for clarifying and enforcing our standards of acceptable behavior and will take appropriate and fair corrective action in response to any behavior that they deem inappropriate, threatening, offensive, or harmful.
+Community leaders are responsible for clarifying and enforcing our standards of
+acceptable behavior and will take appropriate and fair corrective action in
+response to any behavior that they deem inappropriate, threatening, offensive,
+or harmful.
 
-Community leaders have the right and responsibility to remove, edit, or reject comments, commits, code, wiki edits, issues, and other contributions that are not aligned to this Code of Conduct, and will communicate reasons for moderation decisions when appropriate.
+Community leaders have the right and responsibility to remove, edit, or reject
+comments, commits, code, wiki edits, issues, and other contributions that are
+not aligned to this Code of Conduct, and will communicate reasons for moderation
+decisions when appropriate.
 
 ## Scope
 
-This Code of Conduct applies within all community spaces, and also applies when an individual is officially representing the community in public spaces. Examples of representing our community include using an official e-mail address, posting via an official social media account, or acting as an appointed representative at an online or offline event.
+This Code of Conduct applies within all community spaces, and also applies when
+an individual is officially representing the community in public spaces.
+Examples of representing our community include using an official e-mail address,
+posting via an official social media account, or acting as an appointed
+representative at an online or offline event.
 
 ## Enforcement
 
-Instances of abusive, harassing, or otherwise unacceptable behavior may be reported to the community leaders responsible for enforcement at [oss-coc@vmware.com](mailto:oss-coc@vmware.com). All complaints will be reviewed and investigated promptly and fairly.
+Instances of abusive, harassing, or otherwise unacceptable behavior may be
+reported to the community leaders responsible for enforcement at oss-coc@vmware.com.
+All complaints will be reviewed and investigated promptly and fairly.
 
-All community leaders are obligated to respect the privacy and security of the reporter of any incident.
+All community leaders are obligated to respect the privacy and security of the
+reporter of any incident.
 
 ## Enforcement Guidelines
 
-Community leaders will follow these Community Impact Guidelines in determining the consequences for any action they deem in violation of this Code of Conduct:
+Community leaders will follow these Community Impact Guidelines in determining
+the consequences for any action they deem in violation of this Code of Conduct:
 
 ### 1. Correction
 
-**Community Impact**: Use of inappropriate language or other behavior deemed unprofessional or unwelcome in the community.
+**Community Impact**: Use of inappropriate language or other behavior deemed
+unprofessional or unwelcome in the community.
 
-**Consequence**: A private, written warning from community leaders, providing clarity around the nature of the violation and an explanation of why the behavior was inappropriate. A public apology may be requested.
+**Consequence**: A private, written warning from community leaders, providing
+clarity around the nature of the violation and an explanation of why the
+behavior was inappropriate. A public apology may be requested.
 
 ### 2. Warning
 
-**Community Impact**: A violation through a single incident or series of actions.
+**Community Impact**: A violation through a single incident or series
+of actions.
 
-**Consequence**: A warning with consequences for continued behavior. No interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, for a specified period of time. This includes avoiding interactions in community spaces as well as external channels like social media. Violating these terms may lead to a temporary or permanent ban.
+**Consequence**: A warning with consequences for continued behavior. No
+interaction with the people involved, including unsolicited interaction with
+those enforcing the Code of Conduct, for a specified period of time. This
+includes avoiding interactions in community spaces as well as external channels
+like social media. Violating these terms may lead to a temporary or
+permanent ban.
 
 ### 3. Temporary Ban
 
-**Community Impact**: A serious violation of community standards, including sustained inappropriate behavior.
+**Community Impact**: A serious violation of community standards, including
+sustained inappropriate behavior.
 
-**Consequence**: A temporary ban from any sort of interaction or public communication with the community for a specified period of time. No public or private interaction with the people involved, including unsolicited interaction with those enforcing the Code of Conduct, is allowed during this period. Violating these terms may lead to a permanent ban.
+**Consequence**: A temporary ban from any sort of interaction or public
+communication with the community for a specified period of time. No public or
+private interaction with the people involved, including unsolicited interaction
+with those enforcing the Code of Conduct, is allowed during this period.
+Violating these terms may lead to a permanent ban.
 
 ### 4. Permanent Ban
 
-**Community Impact**: Demonstrating a pattern of violation of community standards, including sustained inappropriate behavior,  harassment of an individual, or aggression toward or disparagement of classes of individuals.
+**Community Impact**: Demonstrating a pattern of violation of community
+standards, including sustained inappropriate behavior,  harassment of an
+individual, or aggression toward or disparagement of classes of individuals.
 
-**Consequence**: A permanent ban from any sort of public interaction within the community.
+**Consequence**: A permanent ban from any sort of public interaction within
+the community.
 
 ## Attribution
 
-This Code of Conduct is adapted from the [Contributor Covenant][homepage], version 2.0,
-available at https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
+This Code of Conduct is adapted from the [Contributor Covenant][homepage],
+version 2.0, available at
+https://www.contributor-covenant.org/version/2/0/code_of_conduct.html.
 
-Community Impact Guidelines were inspired by [Mozilla's code of conduct enforcement ladder](https://github.com/mozilla/diversity).
+Community Impact Guidelines were inspired by [Mozilla's code of conduct
+enforcement ladder](https://github.com/mozilla/diversity).
 
 [homepage]: https://www.contributor-covenant.org
 
 For answers to common questions about this code of conduct, see the FAQ at
-https://www.contributor-covenant.org/faq. Translations are available at https://www.contributor-covenant.org/translations.
+https://www.contributor-covenant.org/faq. Translations are available at
+https://www.contributor-covenant.org/translations.

Dockerfile

@@ -11,18 +11,19 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM --platform=$BUILDPLATFORM golang:1.14 as builder-env
+FROM --platform=$BUILDPLATFORM golang:1.15 as builder-env
 
 ARG GOPROXY
 ARG PKG
 ARG VERSION
 ARG GIT_SHA
 ARG GIT_TREE_STATE
+ARG REGISTRY
 
 ENV CGO_ENABLED=0 \
     GO111MODULE=on \
     GOPROXY=${GOPROXY} \
-    LDFLAGS="-X ${PKG}/pkg/buildinfo.Version=${VERSION} -X ${PKG}/pkg/buildinfo.GitSHA=${GIT_SHA} -X ${PKG}/pkg/buildinfo.GitTreeState=${GIT_TREE_STATE}"
+    LDFLAGS="-X ${PKG}/pkg/buildinfo.Version=${VERSION} -X ${PKG}/pkg/buildinfo.GitSHA=${GIT_SHA} -X ${PKG}/pkg/buildinfo.GitTreeState=${GIT_TREE_STATE} -X ${PKG}/pkg/buildinfo.ImageRegistry=${REGISTRY}"
 
 WORKDIR /go/src/github.com/vmware-tanzu/velero
 
@@ -53,7 +54,7 @@ FROM ubuntu:focal
 
 LABEL maintainer="Nolan Brubaker <brubakern@vmware.com>"
 
-RUN apt-get update && apt-get install -y ca-certificates && rm -rf /var/lib/apt/lists/*
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -qq -y ca-certificates tzdata && rm -rf /var/lib/apt/lists/*
 
 COPY --from=builder /output /
 

MAINTAINERS.md

@@ -6,11 +6,12 @@
 
 | Maintainer | GitHub ID | Affiliation |
 | --------------- | --------- | ----------- |
-| Carlisia Campos | [carlisia](https://github.com/carlisia) | [VMware](https://www.github.com/vmware/) |
+| Carlisia Thompson | [carlisia](https://github.com/carlisia) | [VMware](https://www.github.com/vmware/) |
 | Nolan Brubaker | [nrb](https://github.com/nrb) | [VMware](https://www.github.com/vmware/) |
 | Ashish Amarnath | [ashish-amarnath](https://github.com/ashish-amarnath) | [VMware](https://www.github.com/vmware/) |
-| Stephanie Bauman | [stephbman](https://github.com/stephbman) | [VMware](https://www.github.com/vmware/) |
 | Bridget McErlean | [zubron](https://github.com/zubron) | [VMware](https://www.github.com/vmware/) |
+| Dave Smith-Uchida | [dsu-igeek](https://github.com/dsu-igeek) | [VMware](https://www.github.com/vmware/) |
+| JenTing Hsiao | [jenting](https://github.com/jenting) | [SUSE](https://github.com/SUSE/) 
 
 ## Emeritus Maintainers
 * Adnan Abdulhussein ([prydonius](https://github.com/prydonius))
@@ -23,6 +24,6 @@
 | ----------------------------- | :---------------------: |
 | Technical Lead | Nolan Brubaker (nrb) |
 | Kubernetes CSI Liaison | Nolan Brubaker (nrb), Ashish Amarnath (ashish-amarnath) |
-| Deployment | Carlisia Campos (carlisia), Carlos Tadeu Panato Junior (cpanato), JenTing Hsiao (jenting) | 
+| Deployment | Carlisia Thompson (carlisia), Carlos Tadeu Panato Junior (cpanato), JenTing Hsiao (jenting) | 
 | Community Management | Jonas Rosland (jonasrosland) |
-| Product Management | Stephanie Bauman (stephbman) |
+| Product Management | Michael Michael (michmike) |

Makefile

@@ -82,7 +82,7 @@ see: https://velero.io/docs/main/build-from-source/#making-images-and-updating-v
 endef
 
 # The version of restic binary to be downloaded for power architecture
-RESTIC_VERSION ?= 0.9.6
+RESTIC_VERSION ?= 0.12.0
 
 CLI_PLATFORMS ?= linux-amd64 linux-arm linux-arm64 darwin-amd64 windows-amd64 linux-ppc64le
 BUILDX_PLATFORMS ?= $(subst -,/,$(ARCH))
@@ -110,7 +110,6 @@ GOPROXY ?= https://proxy.golang.org
 
 # If you want to build all binaries, see the 'all-build' rule.
 # If you want to build all containers, see the 'all-containers' rule.
-# If you want to build AND push all containers, see the 'all-push' rule.
 all:
 	@$(MAKE) build
 	@$(MAKE) build BIN=velero-restic-restore-helper
@@ -129,6 +128,7 @@ local: build-dirs
 	GOOS=$(GOOS) \
 	GOARCH=$(GOARCH) \
 	VERSION=$(VERSION) \
+	REGISTRY=$(REGISTRY) \
 	PKG=$(PKG) \
 	BIN=$(BIN) \
 	GIT_SHA=$(GIT_SHA) \
@@ -144,6 +144,7 @@ _output/bin/$(GOOS)/$(GOARCH)/$(BIN): build-dirs
 		GOOS=$(GOOS) \
 		GOARCH=$(GOARCH) \
 		VERSION=$(VERSION) \
+		REGISTRY=$(REGISTRY) \
 		PKG=$(PKG) \
 		BIN=$(BIN) \
 		GIT_SHA=$(GIT_SHA) \
@@ -186,6 +187,7 @@ endif
 	--build-arg=VERSION=$(VERSION) \
 	--build-arg=GIT_SHA=$(GIT_SHA) \
 	--build-arg=GIT_TREE_STATE=$(GIT_TREE_STATE) \
+	--build-arg=REGISTRY=$(REGISTRY) \
 	-f $(VELERO_DOCKERFILE) .
 
 container:
@@ -201,6 +203,7 @@ endif
 	--build-arg=VERSION=$(VERSION) \
 	--build-arg=GIT_SHA=$(GIT_SHA) \
 	--build-arg=GIT_TREE_STATE=$(GIT_TREE_STATE) \
+	--build-arg=REGISTRY=$(REGISTRY) \
 	--build-arg=RESTIC_VERSION=$(RESTIC_VERSION) \
 	-f $(VELERO_DOCKERFILE) .
 	@echo "container: $(IMAGE):$(VERSION)"
@@ -324,7 +327,7 @@ ci: verify-modules verify all test
 
 
 changelog:
-	hack/changelog.sh
+	hack/release-tools/changelog.sh
 
 # release builds a GitHub release using goreleaser within the build container.
 #
@@ -346,6 +349,7 @@ release:
 		GITHUB_TOKEN=$(GITHUB_TOKEN) \
 		RELEASE_NOTES_FILE=$(RELEASE_NOTES_FILE) \
 		PUBLISH=$(PUBLISH) \
+		REGISTRY=$(REGISTRY) \
 		./hack/release-tools/goreleaser.sh'"
 
 serve-docs: build-image-hugo
@@ -359,3 +363,7 @@ serve-docs: build-image-hugo
 # Please read the documentation in the script for instructions on how to use it.
 gen-docs:
 	@hack/release-tools/gen-docs.sh
+
+.PHONY: test-e2e
+test-e2e: local
+	$(MAKE) -C test/e2e run

ROADMAP.md

@@ -1,7 +1,7 @@
 ## Velero Roadmap
 
 ### About this document
-This document provides a link to the [Velero Project board](https://app.zenhub.com/workspaces/velero-5c59c15e39d47b774b5864e3/board?repos=99143276,112385197,190224441,214524700,214524630,213946861) that serves as the up to date description of items that are in the release pipeline. The board has separate swim lanes based on prioritization. Most items are gathered from the community or include a feedback loop with the community. This should serve as a reference point for Velero users and contributors to understand where the project is heading, and help determine if a contribution could be conflicting with a longer term plan. You will need the ZenHub plugin to view the board.
+This document provides a link to the [Velero Project boards](https://github.com/vmware-tanzu/velero/projects) that serves as the up to date description of items that are in the release pipeline. The release boards have separate swim lanes based on prioritization. Most items are gathered from the community or include a feedback loop with the community. This should serve as a reference point for Velero users and contributors to understand where the project is heading, and help determine if a contribution could be conflicting with a longer term plan. 
 
 ### How to help?
 Discussion on the roadmap can take place in threads under [Issues](https://github.com/vmware-tanzu/velero/issues) or in [community meetings](https://velero.io/community/). Please open and comment on an issue if you want to provide suggestions, use cases, and feedback to an item in the roadmap. Please review the roadmap to avoid potential duplicated effort.
@@ -15,22 +15,55 @@ We work with and rely on community feedback to focus our efforts to improve Vele
 The following table includes the current roadmap for Velero. If you have any questions or would like to contribute to Velero, please attend a [community meeting](https://velero.io/community/) to discuss with our team. If you don't know where to start, we are always looking for contributors that will help us reduce technical, automation, and documentation debt.
 Please take the timelines & dates as proposals and goals. Priorities and requirements change based on community feedback, roadblocks encountered, community contributions, etc. If you depend on a specific item, we encourage you to attend community meetings to get updated status information, or help us deliver that feature by contributing to Velero.
 
-`Last Updated: May 2020`
+`Last Updated: March 2021`
 
+#### 1.7.0 Roadmap
+The release roadmap is split into Core items that are required for the release, desired items that may be removed from the
+release and opportunistic items that will be added to the release if possible.
+
+##### Core items
+
+|Issue|Description|
+|---|---|
+|[3493](https://github.com/vmware-tanzu/velero/issues/3493)|[Carvel](https://github.com/vmware-tanzu/velero/issues/3493) based installation (in addition to the existing *velero install* CLI).|
+|[3531](https://github.com/vmware-tanzu/velero/issues/3531)|Test plan for Velero|
+|[675](https://github.com/vmware-tanzu/velero/issues/675)|Velero command to generate debugging information.  Will integrate with [Crashd - Crash Diagnostics](https://github.com/vmware-tanzu/velero/issues/675)|
+|[2066](https://github.com/vmware-tanzu/velero/issues/2066)|CSI Snapshots GA|
+|[3285](https://github.com/vmware-tanzu/velero/issues/3285)|Support Velero plugin versioning|
+|[1975](https://github.com/vmware-tanzu/velero/issues/1975)|IPV6 support|
+
+
+
+##### Desired items
+|Issue|Description|
+|---|---|
+|[3533](https://github.com/vmware-tanzu/velero/issues/3533)|Upload Progress Monitoring|
+|[2922](https://github.com/vmware-tanzu/velero/issues/2922)|Plugin timeouts|
+|[3500](https://github.com/vmware-tanzu/velero/issues/3500)|Use distroless containers as a base|
+|[3535](https://github.com/vmware-tanzu/velero/issues/3535)|Design doc for multiple cluster support|
+|[3536](https://github.com/vmware-tanzu/velero/issues/3536)|Manifest for backup/restore|
+
+##### Opportunistic items
+|Issue|Description|
+|---|---|
+|Issues TBD|Controller migrations|
+
+#### Long term roadmap items
 |Theme|Description|Timeline|
-|--|--|--|
-|Restic Improvements|Introduce improvements in annotating resources for Restic backup|August 2020|
-|Extensibility|Add restore hooks for enhanced recovery scenarios|August 2020|
-|CSI|Continue improving the CSI snapshot capabilities and participate in the upstream K8s CSI community|Long running (dependent on CSI working group)|
-|Backup/Restore|Improvements to long-running copy operations from a performance and reliability standpoint|August 2020|
-|UX|Improvements to install and configuration user experience|August 2020|
-|Restic Improvements|Improve the use of Restic in Velero and offer stable support|Dec 2020|
-|Perf & Scale|Introduce a scalable model by using a worker pod for each backup/restore operation and improve operations|Dec 2020|
-|Backup/Restore|Better backup and restore semantics for certain Kubernetes resources like stateful sets, operators|Dec 2020|
-|Security|Enable the use of custom credential providers|Dec 2020|
-|Self-Service & Multitenancy|Reduce friction by enabling developers to backup their namespaces via self-service. Introduce a Velero multi-tenancy model, enabling owners of namespaces to backup and restore within their access scope|Mar 2021|
-|Backup/Restore|Cross availability zone or region backup and restore|Mar 2021|
-|Application Consistency|Offer blueprints for backing up and restoring popular applications|May 2021|
-|Backup/Restore|Data only backup and restore|May 2021|
-|Backup/Restore|Introduce the ability to overwrite existing objects during a restore|May 2021|
-|Backup/Restore|What-if dry run for backup and restore|May 2021|
+|---|---|---|
+|Restic Improvements|Introduce improvements in annotating resources for Restic backup|TBD|
+|Extensibility|Add restore hooks for enhanced recovery scenarios|TBD|
+|CSI|Continue improving the CSI snapshot capabilities and participate in the upstream K8s CSI community|1.7.0 + Long running (dependent on CSI working group)|
+|Backup/Restore|Improvements to long-running copy operations from a performance and reliability standpoint|1.7.0|
+|Quality/Reliability| Enable automated end-to-end testing |1.6.0|
+|UX|Improvements to install and configuration user experience|Dec 2020|
+|Restic Improvements|Improve the use of Restic in Velero and offer stable support|TBD|
+|Perf & Scale|Introduce a scalable model by using a worker pod for each backup/restore operation and improve operations|1.8.0|
+|Backup/Restore|Better backup and restore semantics for certain Kubernetes resources like stateful sets, operators|2.0|
+|Security|Enable the use of custom credential providers|1.6.0|
+|Self-Service & Multitenancy|Reduce friction by enabling developers to backup their namespaces via self-service. Introduce a Velero multi-tenancy model, enabling owners of namespaces to backup and restore within their access scope|TBD|
+|Backup/Restore|Cross availability zone or region backup and restore|TBD|
+|Application Consistency|Offer blueprints for backing up and restoring popular applications|TBD|
+|Backup/Restore|Data only backup and restore|TBD|
+|Backup/Restore|Introduce the ability to overwrite existing objects during a restore|TBD|
+|Backup/Restore|What-if dry run for backup and restore|1.7.0|

Tiltfile

@@ -0,0 +1,265 @@
+# -*- mode: Python -*-
+
+k8s_yaml([
+    'config/crd/v1/bases/velero.io_backups.yaml',
+    'config/crd/v1/bases/velero.io_backupstoragelocations.yaml',
+    'config/crd/v1/bases/velero.io_deletebackuprequests.yaml',
+    'config/crd/v1/bases/velero.io_downloadrequests.yaml',
+    'config/crd/v1/bases/velero.io_podvolumebackups.yaml',
+    'config/crd/v1/bases/velero.io_podvolumerestores.yaml',
+    'config/crd/v1/bases/velero.io_resticrepositories.yaml',
+    'config/crd/v1/bases/velero.io_restores.yaml',
+    'config/crd/v1/bases/velero.io_schedules.yaml',
+    'config/crd/v1/bases/velero.io_serverstatusrequests.yaml',
+    'config/crd/v1/bases/velero.io_volumesnapshotlocations.yaml',
+])
+
+# default values
+settings = {
+    "default_registry": "",
+    "enable_restic": False,
+    "enable_debug": False,
+    "debug_continue_on_start": True,  # Continue the velero process by default when in debug mode
+    "create_backup_locations": False,
+    "setup-minio": False,
+}
+
+# global settings
+settings.update(read_json(
+    "tilt-resources/tilt-settings.json",
+    default = {},
+))
+
+k8s_yaml(kustomize('tilt-resources'))
+k8s_yaml('tilt-resources/deployment.yaml')
+if settings.get("enable_debug"):
+    k8s_resource('velero', port_forwards = '2345')
+    # TODO: Need to figure out how to apply port forwards for all restic pods
+if settings.get("enable_restic"):
+    k8s_yaml('tilt-resources/restic.yaml')
+if settings.get("create_backup_locations"):
+    k8s_yaml('tilt-resources/velero_v1_backupstoragelocation.yaml')
+if settings.get("setup-minio"):
+    k8s_yaml('examples/minio/00-minio-deployment.yaml', allow_duplicates = True)
+
+# By default, Tilt automatically allows Minikube, Docker for Desktop, Microk8s, Red Hat CodeReady Containers, Kind, K3D, and Krucible.
+allow_k8s_contexts(settings.get("allowed_contexts"))
+default_registry(settings.get("default_registry"))
+local_goos = str(local("go env GOOS", quiet = True, echo_off = True)).strip()
+git_sha = str(local("git rev-parse HEAD", quiet = True, echo_off = True)).strip()
+
+tilt_helper_dockerfile_header = """
+# Tilt image
+FROM golang:1.15.3 as tilt-helper
+
+# Support live reloading with Tilt
+RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com/windmilleng/rerun-process-wrapper/master/restart.sh  && \
+    wget --output-document /start.sh --quiet https://raw.githubusercontent.com/windmilleng/rerun-process-wrapper/master/start.sh && \
+    chmod +x /start.sh && chmod +x /restart.sh
+"""
+
+additional_docker_helper_commands = """
+# Install delve to allow debugging
+RUN go get github.com/go-delve/delve/cmd/dlv
+
+RUN wget -qO- https://dl.k8s.io/v1.19.2/kubernetes-client-linux-amd64.tar.gz | tar xvz
+RUN wget -qO- https://get.docker.com | sh
+"""
+
+additional_docker_build_commands = """
+COPY --from=tilt-helper /go/bin/dlv /usr/bin/dlv
+COPY --from=tilt-helper /usr/bin/docker /usr/bin/docker
+COPY --from=tilt-helper /go/kubernetes/client/bin/kubectl /usr/bin/kubectl
+"""
+
+##############################
+# Setup Velero
+##############################
+
+def get_debug_flag():
+    """
+    Returns the flag to enable debug building of Velero if debug
+    mode is enabled.
+    """
+
+    if settings.get('enable_debug'):
+        return "DEBUG=1"
+    return ""
+
+
+# Set up a local_resource build of the Velero binary. The binary is written to _tiltbuild/velero.
+local_resource(
+    "velero_server_binary",
+    cmd = 'cd ' + '.' + ';mkdir -p _tiltbuild;PKG=. BIN=velero GOOS=linux GOARCH=amd64 GIT_SHA=' + git_sha + ' VERSION=main GIT_TREE_STATE=dirty OUTPUT_DIR=_tiltbuild ' + get_debug_flag() + ' ./hack/build.sh',
+    deps = ["cmd", "internal", "pkg"],
+    ignore = ["pkg/cmd"],
+)
+
+local_resource(
+    "velero_local_binary",
+    cmd = 'cd ' + '.' + ';mkdir -p _tiltbuild/local;PKG=. BIN=velero GOOS=' + local_goos + ' GOARCH=amd64 GIT_SHA=' + git_sha + ' VERSION=main GIT_TREE_STATE=dirty OUTPUT_DIR=_tiltbuild/local ' + get_debug_flag() + ' ./hack/build.sh',
+    deps = ["internal", "pkg/cmd"],
+)
+
+local_resource(
+    "restic_binary",
+    cmd = 'cd ' + '.' + ';mkdir -p _tiltbuild/restic; BIN=velero GOOS=' + local_goos + ' GOARCH=amd64 RESTIC_VERSION=0.12.0 OUTPUT_DIR=_tiltbuild/restic ./hack/download-restic.sh',
+)
+
+# Note: we need a distro with a bash shell to exec into the Velero container
+tilt_dockerfile_header = """
+FROM ubuntu:focal as tilt
+
+RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -qq -y ca-certificates tzdata && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
+COPY --from=tilt-helper /start.sh .
+COPY --from=tilt-helper /restart.sh .
+COPY velero .
+COPY restic/restic /usr/bin/restic
+"""
+
+dockerfile_contents = "\n".join([
+    tilt_helper_dockerfile_header,
+    additional_docker_helper_commands,
+    tilt_dockerfile_header,
+    additional_docker_build_commands,
+])
+
+def get_velero_entrypoint():
+    """
+    Returns the entrypoint for the Velero container image.
+    """
+
+    entrypoint = ["sh", "/start.sh"]
+
+    if settings.get("enable_debug"):
+        # If debug mode is enabled, start the velero process using Delve
+        entrypoint.extend(
+            ["dlv", "--listen=:2345", "--headless=true", "--api-version=2", "--accept-multiclient", "exec"])
+
+        # Set whether or not to continue the debugged process on start
+        # See https://github.com/go-delve/delve/blob/master/Documentation/usage/dlv_exec.md
+        if settings.get("debug_continue_on_start"):
+            entrypoint.append("--continue")
+
+        entrypoint.append("--")
+
+    entrypoint.append("/velero")
+
+    return entrypoint
+
+
+# Set up an image build for Velero. The live update configuration syncs the output from the local_resource
+# build into the container.
+docker_build(
+    ref = "velero/velero",
+    context = "_tiltbuild",
+    dockerfile_contents = dockerfile_contents,
+    target = "tilt",
+    entrypoint = get_velero_entrypoint(),
+    live_update = [
+        sync("./_tiltbuild/velero", "/velero"),
+        run("sh /restart.sh"),
+    ])
+
+
+##############################
+# Setup plugins
+##############################
+
+def load_provider_tiltfiles():
+    all_providers = settings.get("providers", {})
+    enable_providers = settings.get("enable_providers", [])
+    providers = []
+
+    ## Load settings only for providers to enable
+    for name in enable_providers:
+        repo = all_providers.get(name)
+        if not repo:
+            print("Enabled provider '{}' does not exist in list of supported providers".format(name))
+            continue
+        file = repo + "/tilt-provider.json"
+        if not os.path.exists(file):
+            print("Provider settings not found for \"{}\". Please ensure this plugin repository has a tilt-provider.json file included.".format(name))
+            continue
+        provider_details = read_json(file, default = {})
+        if type(provider_details) == "dict":
+            provider_details["name"] = name
+            if "context" in provider_details:
+                provider_details["context"] = os.path.join(repo, "/", provider_details["context"])
+            else:
+                provider_details["context"] = repo
+            if "go_main" not in provider_details:
+                provider_details["go_main"] = "main.go"
+            providers.append(provider_details)
+
+    return providers
+
+
+# Enable each provider
+def enable_providers(providers):
+    if not providers:
+        print("No providers to enable.")
+        return
+    for p in providers:
+        enable_provider(p)
+
+
+# Configures a provider by doing the following:
+#
+# 1. Enables a local_resource go build of the provider's local binary
+# 2. Configures a docker build for the provider, with live updating of the local binary
+def enable_provider(provider):
+    name = provider.get("name")
+    plugin_name = provider.get("plugin_name")
+
+    # Note: we need a distro with a shell to do a copy of the plugin binary
+    tilt_dockerfile_header = """
+    FROM ubuntu:focal as tilt
+    WORKDIR /
+    COPY --from=tilt-helper /start.sh .
+    COPY --from=tilt-helper /restart.sh .
+    COPY """ + plugin_name + """ .
+    """
+
+    dockerfile_contents = "\n".join([
+        tilt_helper_dockerfile_header,
+        additional_docker_helper_commands,
+        tilt_dockerfile_header,
+        additional_docker_build_commands,
+    ])
+
+    context = provider.get("context")
+    go_main = provider.get("go_main", "main.go")
+
+    live_reload_deps = []
+    for d in provider.get("live_reload_deps", []):
+        live_reload_deps.append(os.path.join(context, "/", d))
+
+    # Set up a local_resource build of the plugin binary. The main.go path must be provided via go_main option. The binary is written to _tiltbuild/<NAME>.
+    local_resource(
+        name + "_plugin",
+        cmd = 'cd ' + context + ';mkdir -p _tiltbuild;PKG=' + context + ' BIN=' + go_main + ' GOOS=linux GOARCH=amd64 OUTPUT_DIR=_tiltbuild ./hack/build.sh',
+        deps = live_reload_deps,
+    )
+
+    # Set up an image build for the plugin. The live update configuration syncs the output from the local_resource
+    # build into the init container, and that restarts the Velero container.
+    docker_build(
+        ref = provider.get("image"),
+        context = os.path.join(context, "/_tiltbuild/"),
+        dockerfile_contents = dockerfile_contents,
+        target = "tilt",
+        entrypoint = ["/bin/bash", "-c", "cp /" + plugin_name + " /target/."],
+        live_update = [
+            sync(os.path.join(context, "/_tiltbuild/", plugin_name), os.path.join("/", plugin_name))
+        ]
+    )
+
+
+##############################
+# Start
+#############################
+
+enable_providers(load_provider_tiltfiles())

changelogs/CHANGELOG-0.5.md

@@ -8,7 +8,7 @@
 
 ### Bug fixes
   * If a Service is headless, retain ClusterIP = None when backing up and restoring.
-  * Use the specifed --label-selector when listing backups, schedules, and restores.
+  * Use the specified --label-selector when listing backups, schedules, and restores.
   * Restore namespace mapping functionality that was accidentally broken in 0.5.0.
   * Always include namespaces in the backup, regardless of the --include-cluster-resources setting.
 

changelogs/CHANGELOG-0.9.md

@@ -104,7 +104,7 @@
 ### Download
   - https://github.com/heptio/ark/releases/tag/v0.9.3
 ### Bug Fixes
-  * Initalize Prometheus metrics when creating a new schedule (#689, @lemaral)
+  * Initialize Prometheus metrics when creating a new schedule (#689, @lemaral)
 
 
 ## v0.9.2

changelogs/CHANGELOG-1.1.md

@@ -75,7 +75,7 @@ Finally, thanks to testing by [Dylan Murray](https://github.com/dymurray) and [S
   * Adds configurable CPU/memory requests and limits to the Velero Deployment generated by velero install. (#1678, @prydonius)
   * Store restic PodVolumeBackups in obj storage & use that as source of truth like regular backups. (#1577, @carlisia)
   * Update Velero Deployment to use apps/v1 API group. `velero install` and `velero plugin add/remove` commands will now require Kubernetes 1.9+ (#1673, @nrb)
-  * Respect the --kubecontext and --kubeconfig arugments for `velero install`. (#1656, @nrb)
+  * Respect the --kubecontext and --kubeconfig arguments for `velero install`. (#1656, @nrb)
   * add plugin for updating PV & PVC storage classes on restore based on a config map (#1621, @skriss)
   * Add restic support for CSI volumes (#1615, @nrb)
   * bug fix: Fixed namespace usage with cli command 'version' (#1630, @jwmatthews)

changelogs/CHANGELOG-1.3.md

@@ -109,7 +109,7 @@ We fixed a large number of bugs and made some smaller usability improvements in
   * bug fix: only prioritize restoring `replicasets.apps`, not `replicasets.extensions` (#2157, @skriss)
   * bug fix: restore both `replicasets.apps` *and* `replicasets.extensions` before `deployments` (#2120, @skriss)
   * bug fix: don't restore cluster-scoped resources when restoring specific namespaces and IncludeClusterResources is nil (#2118, @skriss)
-  * Enableing Velero to switch credentials (`AWS_PROFILE`) if multiple s3-compatible backupLocations are present (#2096, @dinesh)
+  * Enabling Velero to switch credentials (`AWS_PROFILE`) if multiple s3-compatible backupLocations are present (#2096, @dinesh)
   * bug fix: deep-copy backup's labels when constructing snapshot tags, so the PV name isn't added as a label to the backup (#2075, @skriss)
   * remove the `fsfreeze-pause` image being published from this repo; replace it with `ubuntu:bionic` in the nginx example app (#2068, @skriss)
   * add support for a private registry with a custom port in a restic-helper image (#1999, @cognoz)

changelogs/CHANGELOG-1.5.md

@@ -1,62 +1,3 @@
-## v1.5.4
-### 2021-03-31
-### Download
-https://github.com/vmware-tanzu/velero/releases/tag/v1.5.4
-
-### Container Image
-`velero/velero:v1.5.4`
-
-### Documentation
-https://velero.io/docs/v1.5/
-
-### Upgrading
-https://velero.io/docs/v1.5/upgrade-to-1.5/
-
-  * Fixed a bug where restic volumes would not be restored when using a namespace mapping. (#3475, @zubron)
-  * Add CAPI Cluster and ClusterResourceSets to default restore priorities so that the capi-controller-manager does not panic on restores. (#3446, @nrb)
-
-## v1.5.3
-### 2021-01-14
-### Download
-https://github.com/vmware-tanzu/velero/releases/tag/v1.5.3
-
-### Container Image
-`velero/velero:v1.5.3`
-
-### Documentation
-https://velero.io/docs/v1.5/
-
-### Upgrading
-https://velero.io/docs/v1.5/upgrade-to-1.5/
-
-### All Changes
-  * Increased default Velero pod memory limit to 512Mi (#3234, @dsmithuchida)
-  * 🐛 BSLs with validation disabled should be validated at least once (#3084, @ashish-amarnath)
-  * Fixed an issue where the deletion of a backup would fail if the backup tarball couldn't be downloaded from object storage. Now the tarball is only downloaded if there are associated DeleteItemAction plugins and if downloading the tarball fails, the plugins are skipped. (#2993, @zubron)
-  * 🐛  ItemAction plugins for unresolvable types should not be run for all types (#3059, @ashish-amarnath)
-  * 🐛  Use namespace and name to match PVB to Pod restore (#3051, @ashish-amarnath)
-  * Allows the restic-wait container to exist in any order in the pod being restored. Prints a warning message in the case where the restic-wait container isn't the first container in the list of initialization containers. (#3011, @doughepi)
-
-## v1.5.2
-### 2020-10-20
-### Download
-https://github.com/vmware-tanzu/velero/releases/tag/v1.5.2
-
-### Container Image
-`velero/velero:v1.5.2`
-
-### Documentation
-https://velero.io/docs/v1.5/
-
-### Upgrading
-https://velero.io/docs/v1.5/upgrade-to-1.5/
-
-### All Changes
-  * Fix BSL controller to avoid invoking init() on all BSLs regardless of ValidationFrequency (#2992, @betta1)
-  * cli: allow creating multiple instances of Velero across two different namespaces (#2886, @alaypatel07)
-  * Restore CRD Resource name to fix CRD wait functionality. (#2949, @sseago)
-  * Ensure that bound PVCs and PVs remain bound on restore. (#3007, @nrb)
-
 ## v1.5.1
 ### 2020-09-16
 
@@ -139,4 +80,3 @@ Displays the Timestamps when issued a print or describe (#2748, @thejasbabu)
   * when creating new backup from schedule from cli, allow backup name to be automatically generated (#2569, @cblecker)
   * Convert manifests + BSL api client to kubebuilder (#2561, @carlisia)
   * backup/restore: reinstantiate backup store just before uploading artifacts to ensure credentials are up-to-date (#2550, @skriss)
-

changelogs/CHANGELOG-1.6.md

@@ -0,0 +1,148 @@
+## v1.6.3
+### 2021-07-30
+
+### Download
+https://github.com/vmware-tanzu/velero/releases/tag/v1.6.3
+
+### Container Image
+`velero/velero:v1.6.3`
+
+### Documentation
+https://velero.io/docs/v1.6/
+
+### Upgrading
+https://velero.io/docs/v1.6/upgrade-to-1.6/
+
+### Highlights
+
+This release introduces changes to provide compatibility with Kubernetes v1.22.
+
+The `apiextensions.k8s.io/v1beta1` API version of `CustomResourceDefinition` will no longer be served in Kubernetes v1.22.
+Velero will now use the cluster preferred API version for the `CustomResourceDefinition`s that it creates.
+
+If you are using Kubernetes v1.15 or earlier, the `apiextensions.k8s.io/v1beta1` API version will be used.
+If you are using Kubernetes v1.22 or later, the `apiextensions.k8s.io/v1` API version will be used.
+For clusters between these versions, the cluster preferred API version will be used.
+
+The `rbac.authorization.k8s.io/v1beta1` API version of `ClusterRoleBinding` will no longer be served in Kubernetes v1.22.
+Velero will now use the `rbac.authorization.k8s.io/v1` API version for the `ClusterRoleBinding`s that it creates.
+This API version was introduced in Kubernetes v1.8.
+
+### All Changes
+
+  * enable e2e tests to choose crd apiVersion (#3941, @sseago)
+  * Upgrade Velero ClusterRoleBinding to use v1 API (#3995, @jenting)
+  * Install Kubernetes preferred CRDs API version (v1beta1/v1). (#3999, @jenting)
+  * Use the cluster preferred CRD API version when polling for Velero CRD readiness. (#4015, @zubron)
+  * Add a RestoreItemAction plugin (`velero.io/apiservice`) which skips the restore of any `APIService` which is managed by Kubernetes. These are identified using the `kube-aggregator.kubernetes.io/automanaged` label. (#4028, @zubron)
+
+## v1.6.2
+### 2021-07-16
+
+### Download
+https://github.com/vmware-tanzu/velero/releases/tag/v1.6.2
+
+### Container Image
+`velero/velero:v1.6.2`
+
+### Documentation
+https://velero.io/docs/v1.6/
+
+### Upgrading
+https://velero.io/docs/v1.6/upgrade-to-1.6/
+
+This release contains no user facing changes but includes fixes for CVE-2021-3121 and CVE-2021-3580.
+
+## v1.6.1
+### 2021-06-21
+
+### Download
+https://github.com/vmware-tanzu/velero/releases/tag/v1.6.1
+
+### Container Image
+`velero/velero:v1.6.1`
+
+### Documentation
+https://velero.io/docs/v1.6/
+
+### Upgrading
+https://velero.io/docs/v1.6/upgrade-to-1.6/
+
+### All Changes
+
+  * Fix CR restore regression introduced in 1.6 restore progress. (#3845, @sseago)
+  * Skip the restore of volumes that originally came from a projected volume when using restic. (#3877, @zubron)
+  * skip backuping projected volume when using restic (#3866, @alaypatel07)
+  * 🐛 Fix plugin name derivation from image name (#3711, @ashish-amarnath)
+
+## v1.6.0
+### 2021-04-12
+
+### Download
+https://github.com/vmware-tanzu/velero/releases/tag/v1.6.0
+
+### Container Image
+`velero/velero:v1.6.0`
+
+### Documentation
+https://velero.io/docs/v1.6/
+
+### Upgrading
+https://velero.io/docs/v1.6/upgrade-to-1.6/
+
+### Highlights
+
+ * Support for per-BSL credentials
+ * Progress reporting for restores
+ * Restore API Groups by priority level
+ * Restic v0.12.0 upgrade
+ * End-to-end testing 
+ * CLI usability improvements
+
+### All Changes
+
+  * Add support for restic to use per-BSL credentials. Velero will now serialize the secret referenced by the `Credential` field in the BSL and use this path when setting provider specific environment variables for restic commands.  (#3489, @zubron)
+  * Upgrade restic from v0.9.6 to v0.12.0. (#3528, @ashish-amarnath)
+  * Progress reporting added for Velero Restores (#3125, @pranavgaikwad)
+  * Add uninstall option for velero cli (#3399, @vadasambar)
+  * Add support for per-BSL credentials. Velero will now serialize the secret referenced by the `Credential` field in the BSL and pass this path through to Object Storage plugins via the `config` map using the `credentialsFile` key. (#3442, @zubron)
+  * Fixed a bug where restic volumes would not be restored when using a namespace mapping. (#3475, @zubron)
+  * Restore API group version by priority. Increase timeout to 3 minutes in DeploymentIsReady(...) function in the install package (#3133, @codegold79)
+  * Add field and cli flag to associate a credential with a BSL on BSL create|set. (#3190, @carlisia)
+  * Add colored output to `describe schedule/backup/restore` commands (#3275, @mike1808)
+  * Add CAPI Cluster and ClusterResourceSets to default restore priorities so that the capi-controller-manager does not panic on restores. (#3446, @nrb)
+  * Use label to select Velero deployment in plugin cmd (#3447, @codegold79)
+  * feat: support setting BackupStorageLocation CA certificate via `velero backup-location set --cacert` (#3167, @jenting)
+  * Add restic initContainer length check in pod volume restore to prevent restic plugin container disappear in runtime (#3198, @shellwedance)
+  * Bump versions of external snapshotter and others in order to make `go get` to succeed (#3202, @georgettica)
+  * Support fish shell completion (#3231, @jenting)
+  * Change the logging level of PV deletion timeout from Debug to Warn (#3316, @MadhavJivrajani)
+  * Set the BSL created at install time as the "default" (#3172, @carlisia)
+  * Capitalize all help messages (#3209, @jenting)
+  * Increased default Velero pod memory limit to 512Mi (#3234, @dsmithuchida)
+  * Fixed an issue where the deletion of a backup would fail if the backup tarball couldn't be downloaded from object storage. Now the tarball is only downloaded if there are associated DeleteItemAction plugins and if downloading the tarball fails, the plugins are skipped. (#2993, @zubron)
+  * feat: add delete sub-command for BSL (#3073, @jenting)
+  * 🐛 BSLs with validation disabled should be validated at least once (#3084, @ashish-amarnath)
+  * feat: support configures BackupStorageLocation custom resources to indicate which one is the default (#3092, @jenting)
+  * Added "--preserve-nodeports" flag to preserve original nodePorts when restoring. (#3095, @yusufgungor)
+  * Owner reference in backup when created from schedule (#3127, @matheusjuvelino)
+  * issue: add flag to the schedule cmd to configure the `useOwnerReferencesInBackup` option #3176 (#3182, @matheusjuvelino)
+  * cli: allow creating multiple instances of Velero across two different namespaces (#2886, @alaypatel07)
+  * Feature: It is possible to change the timezone of the container by specifying in the manifest.. env: [TZ: Zone/Country], or in the Helm Chart.. configuration: {extraEnvVars: [TZ: 'Zone/Country']} (#2944, @mickkael)
+  * Fix issue where bare `velero` command returned an error code. (#2947, @nrb)
+  * Restore CRD Resource name to fix CRD wait functionality. (#2949, @sseago)
+  * Fixed 'velero.io/change-pvc-node-selector' plugin to fetch configmap using label key "velero.io/change-pvc-node-selector"  (#2970, @mynktl)
+  * Compile with Go 1.15 (#2974, @gliptak)
+  * Fix BSL controller to avoid invoking init() on all BSLs regardless of ValidationFrequency (#2992, @betta1)
+  * Ensure that bound PVCs and PVs remain bound on restore. (#3007, @nrb)
+  * Allows the restic-wait container to exist in any order in the pod being restored. Prints a warning message in the case where the restic-wait container isn't the first container in the list of initialization containers. (#3011, @doughepi)
+  * Add warning to velero version cmd if the client and server versions mismatch.  (#3024, @cvhariharan)
+  * 🐛  Use namespace and name to match PVB to Pod restore (#3051, @ashish-amarnath)
+  * Fixed various typos across codebase (#3057, @invidian)
+  * 🐛  ItemAction plugins for unresolvable types should not be run for all types (#3059, @ashish-amarnath)
+  * Basic end-to-end tests, generate data/backup/remove/restore/verify. Uses distributed data generator (#3060, @dsu-igeek)
+  * Added GitHub Workflow running Codespell for spell checking (#3064, @invidian)
+  * Pass annotations from schedule to backup it creates the same way it is done for labels. Add WithannotationsMap function to builder to be able to pass map instead of key/val list (#3067, @funkycode)
+  * Add instructions to clone repository for examples in docs (#3074, @MadhavJivrajani)
+  * 🏃‍♂️ update setup-kind github actions CI (#3085, @ashish-amarnath)
+  * Modify wrong function name to correct one. (#3106, @shellwedance)

config/crd/v1/bases/velero.io_backups.yaml

@@ -0,0 +1,433 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: backups.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: Backup
+    listKind: BackupList
+    plural: backups
+    singular: backup
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: Backup is a Velero resource that represents the capture of Kubernetes
+          cluster state at a point in time (API objects and associated volume state).
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BackupSpec defines the specification for a Velero backup.
+            properties:
+              defaultVolumesToRestic:
+                description: DefaultVolumesToRestic specifies whether restic should
+                  be used to take a backup of all pod volumes by default.
+                type: boolean
+              excludedNamespaces:
+                description: ExcludedNamespaces contains a list of namespaces that
+                  are not included in the backup.
+                items:
+                  type: string
+                nullable: true
+                type: array
+              excludedResources:
+                description: ExcludedResources is a slice of resource names that are
+                  not included in the backup.
+                items:
+                  type: string
+                nullable: true
+                type: array
+              hooks:
+                description: Hooks represent custom behaviors that should be executed
+                  at different phases of the backup.
+                properties:
+                  resources:
+                    description: Resources are hooks that should be executed when
+                      backing up individual instances of a resource.
+                    items:
+                      description: BackupResourceHookSpec defines one or more BackupResourceHooks
+                        that should be executed based on the rules defined for namespaces,
+                        resources, and label selector.
+                      properties:
+                        excludedNamespaces:
+                          description: ExcludedNamespaces specifies the namespaces
+                            to which this hook spec does not apply.
+                          items:
+                            type: string
+                          nullable: true
+                          type: array
+                        excludedResources:
+                          description: ExcludedResources specifies the resources to
+                            which this hook spec does not apply.
+                          items:
+                            type: string
+                          nullable: true
+                          type: array
+                        includedNamespaces:
+                          description: IncludedNamespaces specifies the namespaces
+                            to which this hook spec applies. If empty, it applies
+                            to all namespaces.
+                          items:
+                            type: string
+                          nullable: true
+                          type: array
+                        includedResources:
+                          description: IncludedResources specifies the resources to
+                            which this hook spec applies. If empty, it applies to
+                            all resources.
+                          items:
+                            type: string
+                          nullable: true
+                          type: array
+                        labelSelector:
+                          description: LabelSelector, if specified, filters the resources
+                            to which this hook spec applies.
+                          nullable: true
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: A label selector requirement is a selector
+                                  that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: operator represents a key's relationship
+                                      to a set of values. Valid operators are In,
+                                      NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: values is an array of string values.
+                                      If the operator is In or NotIn, the values array
+                                      must be non-empty. If the operator is Exists
+                                      or DoesNotExist, the values array must be empty.
+                                      This array is replaced during a strategic merge
+                                      patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: matchLabels is a map of {key,value} pairs.
+                                A single {key,value} in the matchLabels map is equivalent
+                                to an element of matchExpressions, whose key field
+                                is "key", the operator is "In", and the values array
+                                contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                        name:
+                          description: Name is the name of this hook.
+                          type: string
+                        post:
+                          description: PostHooks is a list of BackupResourceHooks
+                            to execute after storing the item in the backup. These
+                            are executed after all "additional items" from item actions
+                            are processed.
+                          items:
+                            description: BackupResourceHook defines a hook for a resource.
+                            properties:
+                              exec:
+                                description: Exec defines an exec hook.
+                                properties:
+                                  command:
+                                    description: Command is the command and arguments
+                                      to execute.
+                                    items:
+                                      type: string
+                                    minItems: 1
+                                    type: array
+                                  container:
+                                    description: Container is the container in the
+                                      pod where the command should be executed. If
+                                      not specified, the pod's first container is
+                                      used.
+                                    type: string
+                                  onError:
+                                    description: OnError specifies how Velero should
+                                      behave if it encounters an error executing this
+                                      hook.
+                                    enum:
+                                    - Continue
+                                    - Fail
+                                    type: string
+                                  timeout:
+                                    description: Timeout defines the maximum amount
+                                      of time Velero should wait for the hook to complete
+                                      before considering the execution a failure.
+                                    type: string
+                                required:
+                                - command
+                                type: object
+                            required:
+                            - exec
+                            type: object
+                          type: array
+                        pre:
+                          description: PreHooks is a list of BackupResourceHooks to
+                            execute prior to storing the item in the backup. These
+                            are executed before any "additional items" from item actions
+                            are processed.
+                          items:
+                            description: BackupResourceHook defines a hook for a resource.
+                            properties:
+                              exec:
+                                description: Exec defines an exec hook.
+                                properties:
+                                  command:
+                                    description: Command is the command and arguments
+                                      to execute.
+                                    items:
+                                      type: string
+                                    minItems: 1
+                                    type: array
+                                  container:
+                                    description: Container is the container in the
+                                      pod where the command should be executed. If
+                                      not specified, the pod's first container is
+                                      used.
+                                    type: string
+                                  onError:
+                                    description: OnError specifies how Velero should
+                                      behave if it encounters an error executing this
+                                      hook.
+                                    enum:
+                                    - Continue
+                                    - Fail
+                                    type: string
+                                  timeout:
+                                    description: Timeout defines the maximum amount
+                                      of time Velero should wait for the hook to complete
+                                      before considering the execution a failure.
+                                    type: string
+                                required:
+                                - command
+                                type: object
+                            required:
+                            - exec
+                            type: object
+                          type: array
+                      required:
+                      - name
+                      type: object
+                    nullable: true
+                    type: array
+                type: object
+              includeClusterResources:
+                description: IncludeClusterResources specifies whether cluster-scoped
+                  resources should be included for consideration in the backup.
+                nullable: true
+                type: boolean
+              includedNamespaces:
+                description: IncludedNamespaces is a slice of namespace names to include
+                  objects from. If empty, all namespaces are included.
+                items:
+                  type: string
+                nullable: true
+                type: array
+              includedResources:
+                description: IncludedResources is a slice of resource names to include
+                  in the backup. If empty, all resources are included.
+                items:
+                  type: string
+                nullable: true
+                type: array
+              labelSelector:
+                description: LabelSelector is a metav1.LabelSelector to filter with
+                  when adding individual objects to the backup. If empty or nil, all
+                  objects are included. Optional.
+                nullable: true
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              orderedResources:
+                additionalProperties:
+                  type: string
+                description: OrderedResources specifies the backup order of resources
+                  of specific Kind. The map key is the Kind name and value is a list
+                  of resource names separated by commas. Each resource name has format
+                  "namespace/resourcename".  For cluster resources, simply use "resourcename".
+                nullable: true
+                type: object
+              snapshotVolumes:
+                description: SnapshotVolumes specifies whether to take cloud snapshots
+                  of any PV's referenced in the set of objects included in the Backup.
+                nullable: true
+                type: boolean
+              storageLocation:
+                description: StorageLocation is a string containing the name of a
+                  BackupStorageLocation where the backup should be stored.
+                type: string
+              ttl:
+                description: TTL is a time.Duration-parseable string describing how
+                  long the Backup should be retained for.
+                type: string
+              volumeSnapshotLocations:
+                description: VolumeSnapshotLocations is a list containing names of
+                  VolumeSnapshotLocations associated with this backup.
+                items:
+                  type: string
+                type: array
+            type: object
+          status:
+            description: BackupStatus captures the current status of a Velero backup.
+            properties:
+              completionTimestamp:
+                description: CompletionTimestamp records the time a backup was completed.
+                  Completion time is recorded even on failed backups. Completion time
+                  is recorded before uploading the backup object. The server's time
+                  is used for CompletionTimestamps
+                format: date-time
+                nullable: true
+                type: string
+              errors:
+                description: Errors is a count of all error messages that were generated
+                  during execution of the backup.  The actual errors are in the backup's
+                  log file in object storage.
+                type: integer
+              expiration:
+                description: Expiration is when this Backup is eligible for garbage-collection.
+                format: date-time
+                nullable: true
+                type: string
+              formatVersion:
+                description: FormatVersion is the backup format version, including
+                  major, minor, and patch version.
+                type: string
+              phase:
+                description: Phase is the current state of the Backup.
+                enum:
+                - New
+                - FailedValidation
+                - InProgress
+                - Completed
+                - PartiallyFailed
+                - Failed
+                - Deleting
+                type: string
+              progress:
+                description: Progress contains information about the backup's execution
+                  progress. Note that this information is best-effort only -- if Velero
+                  fails to update it during a backup for any reason, it may be inaccurate/stale.
+                nullable: true
+                properties:
+                  itemsBackedUp:
+                    description: ItemsBackedUp is the number of items that have actually
+                      been written to the backup tarball so far.
+                    type: integer
+                  totalItems:
+                    description: TotalItems is the total number of items to be backed
+                      up. This number may change throughout the execution of the backup
+                      due to plugins that return additional related items to back
+                      up, the velero.io/exclude-from-backup label, and various other
+                      filters that happen as items are processed.
+                    type: integer
+                type: object
+              startTimestamp:
+                description: StartTimestamp records the time a backup was started.
+                  Separate from CreationTimestamp, since that value changes on restores.
+                  The server's time is used for StartTimestamps
+                format: date-time
+                nullable: true
+                type: string
+              validationErrors:
+                description: ValidationErrors is a slice of all validation errors
+                  (if applicable).
+                items:
+                  type: string
+                nullable: true
+                type: array
+              version:
+                description: 'Version is the backup format major version. Deprecated:
+                  Please see FormatVersion'
+                type: integer
+              volumeSnapshotsAttempted:
+                description: VolumeSnapshotsAttempted is the total number of attempted
+                  volume snapshots for this backup.
+                type: integer
+              volumeSnapshotsCompleted:
+                description: VolumeSnapshotsCompleted is the total number of successfully
+                  completed volume snapshots for this backup.
+                type: integer
+              warnings:
+                description: Warnings is a count of all warning messages that were
+                  generated during execution of the backup. The actual warnings are
+                  in the backup's log file in object storage.
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_backupstoragelocations.yaml

@@ -0,0 +1,178 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: backupstoragelocations.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: BackupStorageLocation
+    listKind: BackupStorageLocationList
+    plural: backupstoragelocations
+    shortNames:
+    - bsl
+    singular: backupstoragelocation
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Backup Storage Location status such as Available/Unavailable
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    - description: LastValidationTime is the last time the backup store location was
+        validated
+      jsonPath: .status.lastValidationTime
+      name: Last Validated
+      type: date
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Default backup storage location
+      jsonPath: .spec.default
+      name: Default
+      type: boolean
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: BackupStorageLocation is a location where Velero stores backup
+          objects
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BackupStorageLocationSpec defines the desired state of a
+              Velero BackupStorageLocation
+            properties:
+              accessMode:
+                description: AccessMode defines the permissions for the backup storage
+                  location.
+                enum:
+                - ReadOnly
+                - ReadWrite
+                type: string
+              backupSyncPeriod:
+                description: BackupSyncPeriod defines how frequently to sync backup
+                  API objects from object storage. A value of 0 disables sync.
+                nullable: true
+                type: string
+              config:
+                additionalProperties:
+                  type: string
+                description: Config is for provider-specific configuration fields.
+                type: object
+              credential:
+                description: Credential contains the credential information intended
+                  to be used with this location
+                properties:
+                  key:
+                    description: The key of the secret to select from.  Must be a
+                      valid secret key.
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?'
+                    type: string
+                  optional:
+                    description: Specify whether the Secret or its key must be defined
+                    type: boolean
+                required:
+                - key
+                type: object
+              default:
+                description: Default indicates this location is the default backup
+                  storage location.
+                type: boolean
+              objectStorage:
+                description: ObjectStorageLocation specifies the settings necessary
+                  to connect to a provider's object storage.
+                properties:
+                  bucket:
+                    description: Bucket is the bucket to use for object storage.
+                    type: string
+                  caCert:
+                    description: CACert defines a CA bundle to use when verifying
+                      TLS connections to the provider.
+                    format: byte
+                    type: string
+                  prefix:
+                    description: Prefix is the path inside a bucket to use for Velero
+                      storage. Optional.
+                    type: string
+                required:
+                - bucket
+                type: object
+              provider:
+                description: Provider is the provider of the backup storage.
+                type: string
+              validationFrequency:
+                description: ValidationFrequency defines how frequently to validate
+                  the corresponding object storage. A value of 0 disables validation.
+                nullable: true
+                type: string
+            required:
+            - objectStorage
+            - provider
+            type: object
+          status:
+            description: BackupStorageLocationStatus defines the observed state of
+              BackupStorageLocation
+            properties:
+              accessMode:
+                description: "AccessMode is an unused field. \n Deprecated: there
+                  is now an AccessMode field on the Spec and this field will be removed
+                  entirely as of v2.0."
+                enum:
+                - ReadOnly
+                - ReadWrite
+                type: string
+              lastSyncedRevision:
+                description: "LastSyncedRevision is the value of the `metadata/revision`
+                  file in the backup storage location the last time the BSL's contents
+                  were synced into the cluster. \n Deprecated: this field is no longer
+                  updated or used for detecting changes to the location's contents
+                  and will be removed entirely in v2.0."
+                type: string
+              lastSyncedTime:
+                description: LastSyncedTime is the last time the contents of the location
+                  were synced into the cluster.
+                format: date-time
+                nullable: true
+                type: string
+              lastValidationTime:
+                description: LastValidationTime is the last time the backup store
+                  location was validated the cluster.
+                format: date-time
+                nullable: true
+                type: string
+              phase:
+                description: Phase is the current state of the BackupStorageLocation.
+                enum:
+                - Available
+                - Unavailable
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_deletebackuprequests.yaml

@@ -0,0 +1,71 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: deletebackuprequests.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: DeleteBackupRequest
+    listKind: DeleteBackupRequestList
+    plural: deletebackuprequests
+    singular: deletebackuprequest
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: DeleteBackupRequest is a request to delete one or more backups.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DeleteBackupRequestSpec is the specification for which backups
+              to delete.
+            properties:
+              backupName:
+                type: string
+            required:
+            - backupName
+            type: object
+          status:
+            description: DeleteBackupRequestStatus is the current status of a DeleteBackupRequest.
+            properties:
+              errors:
+                description: Errors contains any errors that were encountered during
+                  the deletion process.
+                items:
+                  type: string
+                nullable: true
+                type: array
+              phase:
+                description: Phase is the current state of the DeleteBackupRequest.
+                enum:
+                - New
+                - InProgress
+                - Processed
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_downloadrequests.yaml

@@ -0,0 +1,94 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: downloadrequests.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: DownloadRequest
+    listKind: DownloadRequestList
+    plural: downloadrequests
+    singular: downloadrequest
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: DownloadRequest is a request to download an artifact from backup
+          object storage, such as a backup log file.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DownloadRequestSpec is the specification for a download request.
+            properties:
+              target:
+                description: Target is what to download (e.g. logs for a backup).
+                properties:
+                  kind:
+                    description: Kind is the type of file to download.
+                    enum:
+                    - BackupLog
+                    - BackupContents
+                    - BackupVolumeSnapshots
+                    - BackupResourceList
+                    - RestoreLog
+                    - RestoreResults
+                    type: string
+                  name:
+                    description: Name is the name of the kubernetes resource with
+                      which the file is associated.
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+            required:
+            - target
+            type: object
+          status:
+            description: DownloadRequestStatus is the current status of a DownloadRequest.
+            properties:
+              downloadURL:
+                description: DownloadURL contains the pre-signed URL for the target
+                  file.
+                type: string
+              expiration:
+                description: Expiration is when this DownloadRequest expires and can
+                  be deleted by the system.
+                format: date-time
+                nullable: true
+                type: string
+              phase:
+                description: Phase is the current state of the DownloadRequest.
+                enum:
+                - New
+                - Processed
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_podvolumebackups.yaml

@@ -0,0 +1,161 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: podvolumebackups.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: PodVolumeBackup
+    listKind: PodVolumeBackupList
+    plural: podvolumebackups
+    singular: podvolumebackup
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PodVolumeBackupSpec is the specification for a PodVolumeBackup.
+            properties:
+              backupStorageLocation:
+                description: BackupStorageLocation is the name of the backup storage
+                  location where the restic repository is stored.
+                type: string
+              node:
+                description: Node is the name of the node that the Pod is running
+                  on.
+                type: string
+              pod:
+                description: Pod is a reference to the pod containing the volume to
+                  be backed up.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              repoIdentifier:
+                description: RepoIdentifier is the restic repository identifier.
+                type: string
+              tags:
+                additionalProperties:
+                  type: string
+                description: Tags are a map of key-value pairs that should be applied
+                  to the volume backup as tags.
+                type: object
+              volume:
+                description: Volume is the name of the volume within the Pod to be
+                  backed up.
+                type: string
+            required:
+            - backupStorageLocation
+            - node
+            - pod
+            - repoIdentifier
+            - volume
+            type: object
+          status:
+            description: PodVolumeBackupStatus is the current status of a PodVolumeBackup.
+            properties:
+              completionTimestamp:
+                description: CompletionTimestamp records the time a backup was completed.
+                  Completion time is recorded even on failed backups. Completion time
+                  is recorded before uploading the backup object. The server's time
+                  is used for CompletionTimestamps
+                format: date-time
+                nullable: true
+                type: string
+              message:
+                description: Message is a message about the pod volume backup's status.
+                type: string
+              path:
+                description: Path is the full path within the controller pod being
+                  backed up.
+                type: string
+              phase:
+                description: Phase is the current state of the PodVolumeBackup.
+                enum:
+                - New
+                - InProgress
+                - Completed
+                - Failed
+                type: string
+              progress:
+                description: Progress holds the total number of bytes of the volume
+                  and the current number of backed up bytes. This can be used to display
+                  progress information about the backup operation.
+                properties:
+                  bytesDone:
+                    format: int64
+                    type: integer
+                  totalBytes:
+                    format: int64
+                    type: integer
+                type: object
+              snapshotID:
+                description: SnapshotID is the identifier for the snapshot of the
+                  pod volume.
+                type: string
+              startTimestamp:
+                description: StartTimestamp records the time a backup was started.
+                  Separate from CreationTimestamp, since that value changes on restores.
+                  The server's time is used for StartTimestamps
+                format: date-time
+                nullable: true
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_podvolumerestores.yaml

@@ -0,0 +1,144 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: podvolumerestores.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: PodVolumeRestore
+    listKind: PodVolumeRestoreList
+    plural: podvolumerestores
+    singular: podvolumerestore
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PodVolumeRestoreSpec is the specification for a PodVolumeRestore.
+            properties:
+              backupStorageLocation:
+                description: BackupStorageLocation is the name of the backup storage
+                  location where the restic repository is stored.
+                type: string
+              pod:
+                description: Pod is a reference to the pod containing the volume to
+                  be restored.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              repoIdentifier:
+                description: RepoIdentifier is the restic repository identifier.
+                type: string
+              snapshotID:
+                description: SnapshotID is the ID of the volume snapshot to be restored.
+                type: string
+              volume:
+                description: Volume is the name of the volume within the Pod to be
+                  restored.
+                type: string
+            required:
+            - backupStorageLocation
+            - pod
+            - repoIdentifier
+            - snapshotID
+            - volume
+            type: object
+          status:
+            description: PodVolumeRestoreStatus is the current status of a PodVolumeRestore.
+            properties:
+              completionTimestamp:
+                description: CompletionTimestamp records the time a restore was completed.
+                  Completion time is recorded even on failed restores. The server's
+                  time is used for CompletionTimestamps
+                format: date-time
+                nullable: true
+                type: string
+              message:
+                description: Message is a message about the pod volume restore's status.
+                type: string
+              phase:
+                description: Phase is the current state of the PodVolumeRestore.
+                enum:
+                - New
+                - InProgress
+                - Completed
+                - Failed
+                type: string
+              progress:
+                description: Progress holds the total number of bytes of the snapshot
+                  and the current number of restored bytes. This can be used to display
+                  progress information about the restore operation.
+                properties:
+                  bytesDone:
+                    format: int64
+                    type: integer
+                  totalBytes:
+                    format: int64
+                    type: integer
+                type: object
+              startTimestamp:
+                description: StartTimestamp records the time a restore was started.
+                  The server's time is used for StartTimestamps
+                format: date-time
+                nullable: true
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_resticrepositories.yaml

@@ -0,0 +1,89 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: resticrepositories.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: ResticRepository
+    listKind: ResticRepositoryList
+    plural: resticrepositories
+    singular: resticrepository
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ResticRepositorySpec is the specification for a ResticRepository.
+            properties:
+              backupStorageLocation:
+                description: BackupStorageLocation is the name of the BackupStorageLocation
+                  that should contain this repository.
+                type: string
+              maintenanceFrequency:
+                description: MaintenanceFrequency is how often maintenance should
+                  be run.
+                type: string
+              resticIdentifier:
+                description: ResticIdentifier is the full restic-compatible string
+                  for identifying this repository.
+                type: string
+              volumeNamespace:
+                description: VolumeNamespace is the namespace this restic repository
+                  contains pod volume backups for.
+                type: string
+            required:
+            - backupStorageLocation
+            - maintenanceFrequency
+            - resticIdentifier
+            - volumeNamespace
+            type: object
+          status:
+            description: ResticRepositoryStatus is the current status of a ResticRepository.
+            properties:
+              lastMaintenanceTime:
+                description: LastMaintenanceTime is the last time maintenance was
+                  run.
+                format: date-time
+                nullable: true
+                type: string
+              message:
+                description: Message is a message about the current status of the
+                  ResticRepository.
+                type: string
+              phase:
+                description: Phase is the current state of the ResticRepository.
+                enum:
+                - New
+                - Ready
+                - NotReady
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_schedules.yaml

@@ -0,0 +1,394 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: schedules.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: Schedule
+    listKind: ScheduleList
+    plural: schedules
+    singular: schedule
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: Schedule is a Velero resource that represents a pre-scheduled
+          or periodic Backup that should be run.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ScheduleSpec defines the specification for a Velero schedule
+            properties:
+              schedule:
+                description: Schedule is a Cron expression defining when to run the
+                  Backup.
+                type: string
+              template:
+                description: Template is the definition of the Backup to be run on
+                  the provided schedule
+                properties:
+                  defaultVolumesToRestic:
+                    description: DefaultVolumesToRestic specifies whether restic should
+                      be used to take a backup of all pod volumes by default.
+                    type: boolean
+                  excludedNamespaces:
+                    description: ExcludedNamespaces contains a list of namespaces
+                      that are not included in the backup.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                  excludedResources:
+                    description: ExcludedResources is a slice of resource names that
+                      are not included in the backup.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                  hooks:
+                    description: Hooks represent custom behaviors that should be executed
+                      at different phases of the backup.
+                    properties:
+                      resources:
+                        description: Resources are hooks that should be executed when
+                          backing up individual instances of a resource.
+                        items:
+                          description: BackupResourceHookSpec defines one or more
+                            BackupResourceHooks that should be executed based on the
+                            rules defined for namespaces, resources, and label selector.
+                          properties:
+                            excludedNamespaces:
+                              description: ExcludedNamespaces specifies the namespaces
+                                to which this hook spec does not apply.
+                              items:
+                                type: string
+                              nullable: true
+                              type: array
+                            excludedResources:
+                              description: ExcludedResources specifies the resources
+                                to which this hook spec does not apply.
+                              items:
+                                type: string
+                              nullable: true
+                              type: array
+                            includedNamespaces:
+                              description: IncludedNamespaces specifies the namespaces
+                                to which this hook spec applies. If empty, it applies
+                                to all namespaces.
+                              items:
+                                type: string
+                              nullable: true
+                              type: array
+                            includedResources:
+                              description: IncludedResources specifies the resources
+                                to which this hook spec applies. If empty, it applies
+                                to all resources.
+                              items:
+                                type: string
+                              nullable: true
+                              type: array
+                            labelSelector:
+                              description: LabelSelector, if specified, filters the
+                                resources to which this hook spec applies.
+                              nullable: true
+                              properties:
+                                matchExpressions:
+                                  description: matchExpressions is a list of label
+                                    selector requirements. The requirements are ANDed.
+                                  items:
+                                    description: A label selector requirement is a
+                                      selector that contains values, a key, and an
+                                      operator that relates the key and values.
+                                    properties:
+                                      key:
+                                        description: key is the label key that the
+                                          selector applies to.
+                                        type: string
+                                      operator:
+                                        description: operator represents a key's relationship
+                                          to a set of values. Valid operators are
+                                          In, NotIn, Exists and DoesNotExist.
+                                        type: string
+                                      values:
+                                        description: values is an array of string
+                                          values. If the operator is In or NotIn,
+                                          the values array must be non-empty. If the
+                                          operator is Exists or DoesNotExist, the
+                                          values array must be empty. This array is
+                                          replaced during a strategic merge patch.
+                                        items:
+                                          type: string
+                                        type: array
+                                    required:
+                                    - key
+                                    - operator
+                                    type: object
+                                  type: array
+                                matchLabels:
+                                  additionalProperties:
+                                    type: string
+                                  description: matchLabels is a map of {key,value}
+                                    pairs. A single {key,value} in the matchLabels
+                                    map is equivalent to an element of matchExpressions,
+                                    whose key field is "key", the operator is "In",
+                                    and the values array contains only "value". The
+                                    requirements are ANDed.
+                                  type: object
+                              type: object
+                            name:
+                              description: Name is the name of this hook.
+                              type: string
+                            post:
+                              description: PostHooks is a list of BackupResourceHooks
+                                to execute after storing the item in the backup. These
+                                are executed after all "additional items" from item
+                                actions are processed.
+                              items:
+                                description: BackupResourceHook defines a hook for
+                                  a resource.
+                                properties:
+                                  exec:
+                                    description: Exec defines an exec hook.
+                                    properties:
+                                      command:
+                                        description: Command is the command and arguments
+                                          to execute.
+                                        items:
+                                          type: string
+                                        minItems: 1
+                                        type: array
+                                      container:
+                                        description: Container is the container in
+                                          the pod where the command should be executed.
+                                          If not specified, the pod's first container
+                                          is used.
+                                        type: string
+                                      onError:
+                                        description: OnError specifies how Velero
+                                          should behave if it encounters an error
+                                          executing this hook.
+                                        enum:
+                                        - Continue
+                                        - Fail
+                                        type: string
+                                      timeout:
+                                        description: Timeout defines the maximum amount
+                                          of time Velero should wait for the hook
+                                          to complete before considering the execution
+                                          a failure.
+                                        type: string
+                                    required:
+                                    - command
+                                    type: object
+                                required:
+                                - exec
+                                type: object
+                              type: array
+                            pre:
+                              description: PreHooks is a list of BackupResourceHooks
+                                to execute prior to storing the item in the backup.
+                                These are executed before any "additional items" from
+                                item actions are processed.
+                              items:
+                                description: BackupResourceHook defines a hook for
+                                  a resource.
+                                properties:
+                                  exec:
+                                    description: Exec defines an exec hook.
+                                    properties:
+                                      command:
+                                        description: Command is the command and arguments
+                                          to execute.
+                                        items:
+                                          type: string
+                                        minItems: 1
+                                        type: array
+                                      container:
+                                        description: Container is the container in
+                                          the pod where the command should be executed.
+                                          If not specified, the pod's first container
+                                          is used.
+                                        type: string
+                                      onError:
+                                        description: OnError specifies how Velero
+                                          should behave if it encounters an error
+                                          executing this hook.
+                                        enum:
+                                        - Continue
+                                        - Fail
+                                        type: string
+                                      timeout:
+                                        description: Timeout defines the maximum amount
+                                          of time Velero should wait for the hook
+                                          to complete before considering the execution
+                                          a failure.
+                                        type: string
+                                    required:
+                                    - command
+                                    type: object
+                                required:
+                                - exec
+                                type: object
+                              type: array
+                          required:
+                          - name
+                          type: object
+                        nullable: true
+                        type: array
+                    type: object
+                  includeClusterResources:
+                    description: IncludeClusterResources specifies whether cluster-scoped
+                      resources should be included for consideration in the backup.
+                    nullable: true
+                    type: boolean
+                  includedNamespaces:
+                    description: IncludedNamespaces is a slice of namespace names
+                      to include objects from. If empty, all namespaces are included.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                  includedResources:
+                    description: IncludedResources is a slice of resource names to
+                      include in the backup. If empty, all resources are included.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                  labelSelector:
+                    description: LabelSelector is a metav1.LabelSelector to filter
+                      with when adding individual objects to the backup. If empty
+                      or nil, all objects are included. Optional.
+                    nullable: true
+                    properties:
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector
+                          requirements. The requirements are ANDed.
+                        items:
+                          description: A label selector requirement is a selector
+                            that contains values, a key, and an operator that relates
+                            the key and values.
+                          properties:
+                            key:
+                              description: key is the label key that the selector
+                                applies to.
+                              type: string
+                            operator:
+                              description: operator represents a key's relationship
+                                to a set of values. Valid operators are In, NotIn,
+                                Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: values is an array of string values. If
+                                the operator is In or NotIn, the values array must
+                                be non-empty. If the operator is Exists or DoesNotExist,
+                                the values array must be empty. This array is replaced
+                                during a strategic merge patch.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - key
+                          - operator
+                          type: object
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: matchLabels is a map of {key,value} pairs. A
+                          single {key,value} in the matchLabels map is equivalent
+                          to an element of matchExpressions, whose key field is "key",
+                          the operator is "In", and the values array contains only
+                          "value". The requirements are ANDed.
+                        type: object
+                    type: object
+                  orderedResources:
+                    additionalProperties:
+                      type: string
+                    description: OrderedResources specifies the backup order of resources
+                      of specific Kind. The map key is the Kind name and value is
+                      a list of resource names separated by commas. Each resource
+                      name has format "namespace/resourcename".  For cluster resources,
+                      simply use "resourcename".
+                    nullable: true
+                    type: object
+                  snapshotVolumes:
+                    description: SnapshotVolumes specifies whether to take cloud snapshots
+                      of any PV's referenced in the set of objects included in the
+                      Backup.
+                    nullable: true
+                    type: boolean
+                  storageLocation:
+                    description: StorageLocation is a string containing the name of
+                      a BackupStorageLocation where the backup should be stored.
+                    type: string
+                  ttl:
+                    description: TTL is a time.Duration-parseable string describing
+                      how long the Backup should be retained for.
+                    type: string
+                  volumeSnapshotLocations:
+                    description: VolumeSnapshotLocations is a list containing names
+                      of VolumeSnapshotLocations associated with this backup.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              useOwnerReferencesInBackup:
+                description: UseOwnerReferencesBackup specifies whether to use OwnerReferences
+                  on backups created by this Schedule.
+                nullable: true
+                type: boolean
+            required:
+            - schedule
+            - template
+            type: object
+          status:
+            description: ScheduleStatus captures the current state of a Velero schedule
+            properties:
+              lastBackup:
+                description: LastBackup is the last time a Backup was run for this
+                  Schedule schedule
+                format: date-time
+                nullable: true
+                type: string
+              phase:
+                description: Phase is the current phase of the Schedule
+                enum:
+                - New
+                - Enabled
+                - FailedValidation
+                type: string
+              validationErrors:
+                description: ValidationErrors is a slice of all validation errors
+                  (if applicable)
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_serverstatusrequests.yaml

@@ -0,0 +1,87 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: serverstatusrequests.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: ServerStatusRequest
+    listKind: ServerStatusRequestList
+    plural: serverstatusrequests
+    shortNames:
+    - ssr
+    singular: serverstatusrequest
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: ServerStatusRequest is a request to access current status information
+          about the Velero server.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ServerStatusRequestSpec is the specification for a ServerStatusRequest.
+            type: object
+          status:
+            description: ServerStatusRequestStatus is the current status of a ServerStatusRequest.
+            properties:
+              phase:
+                description: Phase is the current lifecycle phase of the ServerStatusRequest.
+                enum:
+                - New
+                - Processed
+                type: string
+              plugins:
+                description: Plugins list information about the plugins running on
+                  the Velero server
+                items:
+                  description: PluginInfo contains attributes of a Velero plugin
+                  properties:
+                    kind:
+                      type: string
+                    name:
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                nullable: true
+                type: array
+              processedTimestamp:
+                description: ProcessedTimestamp is when the ServerStatusRequest was
+                  processed by the ServerStatusRequestController.
+                format: date-time
+                nullable: true
+                type: string
+              serverVersion:
+                description: ServerVersion is the Velero server version.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_volumesnapshotlocations.yaml

@@ -0,0 +1,72 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: volumesnapshotlocations.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: VolumeSnapshotLocation
+    listKind: VolumeSnapshotLocationList
+    plural: volumesnapshotlocations
+    singular: volumesnapshotlocation
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: VolumeSnapshotLocation is a location where Velero stores volume
+          snapshots.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: VolumeSnapshotLocationSpec defines the specification for
+              a Velero VolumeSnapshotLocation.
+            properties:
+              config:
+                additionalProperties:
+                  type: string
+                description: Config is for provider-specific configuration fields.
+                type: object
+              provider:
+                description: Provider is the provider of the volume storage.
+                type: string
+            required:
+            - provider
+            type: object
+          status:
+            description: VolumeSnapshotLocationStatus describes the current status
+              of a Velero VolumeSnapshotLocation.
+            properties:
+              phase:
+                description: VolumeSnapshotLocationPhase is the lifecycle phase of
+                  a Velero VolumeSnapshotLocation.
+                enum:
+                - Available
+                - Unavailable
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/crds/doc.go

@@ -1,4 +1,4 @@
 // Package crds embeds the controller-tools generated CRD manifests
 package crds
 
-//go:generate go run ../../../hack/crd-gen/main.go
+//go:generate go run ../../../../hack/crd-gen/v1/main.go

config/crd/v1beta1/bases/velero.io_backups.yaml

@@ -18,7 +18,7 @@ spec:
   scope: Namespaced
   validation:
     openAPIV3Schema:
-      description: Backup is a Velero resource that respresents the capture of Kubernetes
+      description: Backup is a Velero resource that represents the capture of Kubernetes
         cluster state at a point in time (API objects and associated volume state).
       properties:
         apiVersion:
@@ -308,7 +308,7 @@ spec:
                 type: string
               description: OrderedResources specifies the backup order of resources
                 of specific Kind. The map key is the Kind name and value is a list
-                of resource names separeted by commas. Each resource name has format
+                of resource names separated by commas. Each resource name has format
                 "namespace/resourcename".  For cluster resources, simply use "resourcename".
               nullable: true
               type: object

config/crd/v1beta1/bases/velero.io_backupstoragelocations.yaml

@@ -21,6 +21,10 @@ spec:
   - JSONPath: .metadata.creationTimestamp
     name: Age
     type: date
+  - JSONPath: .spec.default
+    description: Default backup storage location
+    name: Default
+    type: boolean
   group: velero.io
   names:
     kind: BackupStorageLocation
@@ -71,6 +75,28 @@ spec:
                 type: string
               description: Config is for provider-specific configuration fields.
               type: object
+            credential:
+              description: Credential contains the credential information intended
+                to be used with this location
+              properties:
+                key:
+                  description: The key of the secret to select from.  Must be a valid
+                    secret key.
+                  type: string
+                name:
+                  description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                    TODO: Add other useful fields. apiVersion, kind, uid?'
+                  type: string
+                optional:
+                  description: Specify whether the Secret or its key must be defined
+                  type: boolean
+              required:
+              - key
+              type: object
+            default:
+              description: Default indicates this location is the default backup storage
+                location.
+              type: boolean
             objectStorage:
               description: ObjectStorageLocation specifies the settings necessary
                 to connect to a provider's object storage.

config/crd/v1beta1/bases/velero.io_downloadrequests.yaml

@@ -16,6 +16,8 @@ spec:
     singular: downloadrequest
   preserveUnknownFields: false
   scope: Namespaced
+  subresources:
+    status: {}
   validation:
     openAPIV3Schema:
       description: DownloadRequest is a request to download an artifact from backup

config/crd/v1beta1/bases/velero.io_restores.yaml

@@ -281,10 +281,10 @@ spec:
                                                 fieldRef:
                                                   description: 'Selects a field of
                                                     the pod: supports metadata.name,
-                                                    metadata.namespace, metadata.labels,
-                                                    metadata.annotations, spec.nodeName,
-                                                    spec.serviceAccountName, status.hostIP,
-                                                    status.podIP, status.podIPs.'
+                                                    metadata.namespace, `metadata.labels[''<KEY>'']`,
+                                                    `metadata.annotations[''<KEY>'']`,
+                                                    spec.nodeName, spec.serviceAccountName,
+                                                    status.hostIP, status.podIP, status.podIPs.'
                                                   properties:
                                                     apiVersion:
                                                       description: Version of the
@@ -1146,6 +1146,36 @@ spec:
                                                   label that applies to the container.
                                                 type: string
                                             type: object
+                                          seccompProfile:
+                                            description: The seccomp options to use
+                                              by this container. If seccomp options
+                                              are provided at both the pod & container
+                                              level, the container options override
+                                              the pod options.
+                                            properties:
+                                              localhostProfile:
+                                                description: localhostProfile indicates
+                                                  a profile defined in a file on the
+                                                  node should be used. The profile
+                                                  must be preconfigured on the node
+                                                  to work. Must be a descending path,
+                                                  relative to the kubelet's configured
+                                                  seccomp profile location. Must only
+                                                  be set if type is "Localhost".
+                                                type: string
+                                              type:
+                                                description: "type indicates which
+                                                  kind of seccomp profile will be
+                                                  applied. Valid options are: \n Localhost
+                                                  - a profile defined in a file on
+                                                  the node should be used. RuntimeDefault
+                                                  - the container runtime default
+                                                  profile should be used. Unconfined
+                                                  - no profile should be applied."
+                                                type: string
+                                            required:
+                                            - type
+                                            type: object
                                           windowsOptions:
                                             description: The Windows specific settings
                                               applied to all containers. If unspecified,
@@ -1545,6 +1575,11 @@ spec:
                 target namespace names to restore into. Any source namespaces not
                 included in the map will be restored into namespaces of the same name.
               type: object
+            preserveNodePorts:
+              description: PreserveNodePorts specifies whether to restore old nodePorts
+                from backup.
+              nullable: true
+              type: boolean
             restorePVs:
               description: RestorePVs specifies whether to restore all included PVs
                 from snapshot (via the cloudprovider).
@@ -1587,6 +1622,22 @@ spec:
               - PartiallyFailed
               - Failed
               type: string
+            progress:
+              description: Progress contains information about the restore's execution
+                progress. Note that this information is best-effort only -- if Velero
+                fails to update it during a restore for any reason, it may be inaccurate/stale.
+              nullable: true
+              properties:
+                itemsRestored:
+                  description: ItemsRestored is the number of items that have actually
+                    been restored so far
+                  type: integer
+                totalItems:
+                  description: TotalItems is the total number of items to be restored.
+                    This number may change throughout the execution of the restore
+                    due to plugins that return additional related items to restore
+                  type: integer
+              type: object
             startTimestamp:
               description: StartTimestamp records the time the restore operation was
                 started. The server's time is used for StartTimestamps

config/crd/v1beta1/bases/velero.io_schedules.yaml

@@ -323,7 +323,7 @@ spec:
                     type: string
                   description: OrderedResources specifies the backup order of resources
                     of specific Kind. The map key is the Kind name and value is a
-                    list of resource names separeted by commas. Each resource name
+                    list of resource names separated by commas. Each resource name
                     has format "namespace/resourcename".  For cluster resources, simply
                     use "resourcename".
                   nullable: true
@@ -348,6 +348,11 @@ spec:
                     type: string
                   type: array
               type: object
+            useOwnerReferencesInBackup:
+              description: UseOwnerReferencesBackup specifies whether to use OwnerReferences
+                on backups created by this Schedule.
+              nullable: true
+              type: boolean
           required:
           - schedule
           - template

config/crd/v1beta1/bases/velero.io_volumesnapshotlocations.yaml

@@ -53,7 +53,7 @@ spec:
             a Velero VolumeSnapshotLocation.
           properties:
             phase:
-              description: VolumeSnapshotLocationPhase is the lifecyle phase of a
+              description: VolumeSnapshotLocationPhase is the lifecycle phase of a
                 Velero VolumeSnapshotLocation.
               enum:
               - Available

config/crd/v1beta1/crds/doc.go

@@ -0,0 +1,4 @@
+// Package crds embeds the controller-tools generated CRD manifests
+package crds
+
+//go:generate go run ../../../../hack/crd-gen/v1beta1/main.go

config/rbac/role.yaml

@@ -26,6 +26,26 @@ rules:
   - get
   - patch
   - update
+- apiGroups:
+  - velero.io
+  resources:
+  - downloadrequests
+  verbs:
+  - create
+  - delete
+  - get
+  - list
+  - patch
+  - update
+  - watch
+- apiGroups:
+  - velero.io
+  resources:
+  - downloadrequests/status
+  verbs:
+  - get
+  - patch
+  - update
 - apiGroups:
   - velero.io
   resources:

config/samples/velero_v1_serverstatusrequest.yaml

@@ -1,25 +0,0 @@
----
-apiVersion: velero.io/v1
-kind: ServerStatusRequest
-metadata:
-  creationTimestamp: "2020-08-21T15:34:34Z"
-  generateName: velero-cli-
-  generation: 1
-  name: velero-cli-6wkzd
-  namespace: velero
-  resourceVersion: "544749"
-  selfLink: /apis/velero.io/v1/namespaces/velero/serverstatusrequests/velero-cli-6wkzd
-  uid: 335ea64e-1904-40ec-8106-1f2b22e9540e
-spec: {}
-status:
-  phase: Processed
-  plugins:
-  - kind: ObjectStore
-    name: velero.io/aws
-  - kind: VolumeSnapshotter
-    name: velero.io/aws
-  - kind: BackupItemAction
-    name: velero.io/crd-remap-version
-  - kind: BackupItemAction
-    name: velero.io/pod
-  processedTimestamp: "2020-08-21T15:34:34Z"

design/CLI/PoC/base/CRDs.yaml

@@ -17,7 +17,7 @@ spec:
   scope: ""
   validation:
     openAPIV3Schema:
-      description: Backup is a Velero resource that respresents the capture of Kubernetes
+      description: Backup is a Velero resource that represents the capture of Kubernetes
         cluster state at a point in time (API objects and associated volume state).
       properties:
         apiVersion:
@@ -679,6 +679,10 @@ spec:
                 PVs from snapshot (via the cloudprovider).
               nullable: true
               type: boolean
+            preserveNodePorts:
+              description: PreserveNodePorts specifies whether to restore old nodePorts from backup.
+              nullable: true
+              type: boolean
             scheduleName:
               description: ScheduleName is the unique name of the Velero schedule
                 to restore from. If specified, and BackupName is empty, Velero will

design/CLI/PoC/base/volumesnapshotlocations.yaml

@@ -52,7 +52,7 @@ spec:
             of a Velero VolumeSnapshotLocation.
           properties:
             phase:
-              description: VolumeSnapshotLocationPhase is the lifecyle phase of
+              description: VolumeSnapshotLocationPhase is the lifecycle phase of
                 a Velero VolumeSnapshotLocation.
               enum:
                 - Available

design/Implemented/backup-resource-list.md

@@ -84,7 +84,7 @@ If the metadata file does not exist, this is an older backup and we cannot displ
 
 ### Fetch backup contents archive and walkthrough to list contents
 
-Instead of recording new metadata about what resources have been backed up, we could simply download the backup contents archive and walkthrough it to list the contents everytime `velero backup describe <name> --details` is run.
+Instead of recording new metadata about what resources have been backed up, we could simply download the backup contents archive and walkthrough it to list the contents every time `velero backup describe <name> --details` is run.
 
 The advantage of this approach is that we don't need to change any backup procedures as we already have this content, and we will also be able to list resources for older backups.
 Additionally, if we wanted to expose more information about the backed up resources, we can do so without having to update what we store in the metadata.

design/Implemented/csi-snapshots.md

@@ -176,7 +176,7 @@ This will allow the development to continue on the feature while it's in pre-pro
 [`BackupStore.PutBackup`][9] will receive an additional argument, `volumeSnapshots io.Reader`, that contains the JSON representation of `VolumeSnapshots`.
 This will be written to a file named `csi-snapshots.json.gz`.
 
-[`defaultRestorePriorities`][11] should be rewritten to the following to accomodate proper association between the CSI objects and PVCs. `CustomResourceDefinition`s are moved up because they're necessary for creating the CSI CRDs. The CSI CRDs are created before `PersistentVolume`s and `PersistentVolumeClaim`s so that they may be used as data sources.
+[`defaultRestorePriorities`][11] should be rewritten to the following to accommodate proper association between the CSI objects and PVCs. `CustomResourceDefinition`s are moved up because they're necessary for creating the CSI CRDs. The CSI CRDs are created before `PersistentVolume`s and `PersistentVolumeClaim`s so that they may be used as data sources.
 GitHub issue [1565][17] represents this work.
 
 ```go
@@ -248,7 +248,7 @@ Volumes with any other `PersistentVolumeSource` set will use Velero's current Vo
 ### VolumeSnapshotLocations and VolumeSnapshotClasses
 
 Velero uses its own `VolumeSnapshotLocation` CRDs to specify configuration options for a given storage system.
-In Velero, this often includes topology information such as regions or availibility zones, as well as credential information.
+In Velero, this often includes topology information such as regions or availability zones, as well as credential information.
 
 CSI volume snapshotting has a `VolumeSnapshotClass` CRD which also contains configuration options for a given storage system, but these options are not the same as those that Velero would use.
 Since CSI volume snapshotting is operating within the same storage system that manages the volumes already, it does not need the same topology or credential information that Velero does.
@@ -269,7 +269,7 @@ Additionally, the VolumeSnapshotter plugins and CSI volume snapshot drivers over
 Thus, there's not a logical place to fit the creation of VolumeSnapshot creation in the VolumeSnapshotter interface.
 
 * Implement CSI logic directly in Velero core code.
-The plugins could be packaged separately, but that doesn't necessarily make sense with server and client changes being made to accomodate CSI snapshot lookup.
+The plugins could be packaged separately, but that doesn't necessarily make sense with server and client changes being made to accommodate CSI snapshot lookup.
 
 * Implementing the CSI logic entirely in external plugins.
 As mentioned above, the necessary plugins for `PersistentVolumeClaim`, `VolumeSnapshot`, and `VolumeSnapshotContent` could be hosted out-out-of-tree from Velero.

design/Implemented/delete-item-action.md

@@ -19,7 +19,7 @@ This design seeks to provide the missing extension point.
 
 ## Non Goals
 
-- Specific implementations of hte DeleteItemAction API beyond test cases.
+- Specific implementations of the DeleteItemAction API beyond test cases.
 - Rollback of DeleteItemAction execution.
 
 ## High-Level Design

design/Implemented/move-gh-org.md

@@ -45,7 +45,7 @@ Currently, the Velero repository sits under the Heptio GitHub organization. With
 
 ### Notes/How-Tos
 
-#### Transfering the GH repository
+#### Transferring the GH repository
 
 All action items needed for the repo transfer are listed in the Todo list above. For details about what gets moved and other info, this is the GH documentation: https://help.github.com/en/articles/transferring-a-repository
 
@@ -57,7 +57,7 @@ Someone with owner permission on the new repository needs to go to their Travis
 
 After this, webhook notifications can be added following these instructions: https://docs.travis-ci.com/user/notifications/#configuring-webhook-notifications.
 
-#### Transfering ZenHub
+#### Transferring ZenHub
 
 Pre-requisite: A new Zenhub account must exist for a vmware or vmware-tanzu organization.
 

design/Implemented/plugin-backup-and-restore-progress-design.md

@@ -413,7 +413,7 @@ However, it can provide preference over latest supported API.
 If new fields are added without changing API version, it won't cause any problem as these resources are intended to provide information, and, there is no reconciliation on these resources.
 
 ### Compatibility of latest plugin with older version of Velero
-Plugin that supports this CR should handle the situation gracefully when CRDs are not installed. It can handle the errors occured during creation/updation of the CRs.
+Plugin that supports this CR should handle the situation gracefully when CRDs are not installed. It can handle the errors occurred during creation/updation of the CRs.
 
 ## Limitations:
 
@@ -432,7 +432,7 @@ But, this involves good amount of changes and needs a way for backward compatibi
 As volume plugins are mostly K8s native, its fine to go ahead with current limiation.
 
 ### Update Backup CR
-Instead of creating new CRs, plugins can directly update the status of Backup CR. But, this deviates from current approach of having seperate CRs like PodVolumeBackup/PodVolumeRestore to know operations progress.
+Instead of creating new CRs, plugins can directly update the status of Backup CR. But, this deviates from current approach of having separate CRs like PodVolumeBackup/PodVolumeRestore to know operations progress.
 
 ### Restricting on name rather than using labels
 Instead of using labels to identify the CR related to particular backup on a volume, restrictions can be placed on the name of VolumePluginBackup CR to be same as the value returned from CreateSnapshot.

design/Implemented/restic-backup-and-restore-progress.md

@@ -63,7 +63,7 @@ With the `--json` flag, `restic backup` outputs single lines of JSON reporting t
 The [command factory for backup](https://github.com/heptio/velero/blob/af4b9373fc73047f843cd4bc3648603d780c8b74/pkg/restic/command_factory.go#L37) will be updated to include the `--json` flag.
 The code to run the `restic backup` command (https://github.com/heptio/velero/blob/af4b9373fc73047f843cd4bc3648603d780c8b74/pkg/controller/pod_volume_backup_controller.go#L241) will be changed to include a Goroutine that reads from the command's stdout stream.
 The implementation of this will largely follow [@jmontleon's PoC](https://github.com/fusor/velero/pull/4/files) of this.
-The Goroutine will periodically read the stream (every 10 seconds) and get the last printed status line, which will be convered to JSON.
+The Goroutine will periodically read the stream (every 10 seconds) and get the last printed status line, which will be converted to JSON.
 If `bytes_done` is empty, restic has not finished scanning the volume and hasn't calculated the `total_bytes`.
 In this case, we will not update the PodVolumeBackup and instead will wait for the next iteration.
 Once we get a non-zero value for `bytes_done`, the `bytes_done` and `total_bytes` properties will be read and the PodVolumeBackup will be patched to update `status.Progress.BytesDone` and `status.Progress.TotalBytes` respectively.

design/restore-progress.md

@@ -0,0 +1,220 @@
+# Restore progress reporting
+
+Velero _Backup_ resource provides real-time progress of an ongoing backup by means of a _Progress_ field in the CR. Velero _Restore_, on the other hand, only shows one of the phases (InProgress, Completed, PartiallyFailed, Failed) of the ongoing restore. In this document, we propose detailed progress reporting for Velero _Restore_. With the introduction of the proposed _Progress_ field, Velero _Restore_ CR will look like:
+
+```yml
+apiVersion: velero.io/v1
+kind: Restore
+metadata:
+  name: test-restore
+  namespace: velero
+spec:
+    [...]
+status:
+  phase: InProgress
+  progress:
+    itemsRestored: 100
+    totalItems: 140
+```
+
+## Goals
+
+- Enable progress reporting for Velero Restore
+
+## Non Goals
+
+- Estimate time to completion
+
+## Background
+
+The current _Restore_ CR lets users know whether a restore is in-progress or completed (failed/succeeded). While this basic piece of information is useful to the end user, there seems to be room for improvement in the user experience. The _Restore_ CR can show detailed progress in terms of the number of resources restored so far and the total number of resources to be restored. This will be particularly useful for restores that run for a longer duration of time. Such progress reporting already exists for Velero _Backup_. This document proposes similar implementation for Velero _Restore_.
+
+## High-Level Design
+
+We propose to divide the restore process in two steps. The first step will collect all the items to be restored from the backup tarball. It will apply the label selector and include/exclude rules on the resources / items and store them (preserving the priority order) in an in-memory data structure. The second step will read the collected items and restore them. 
+
+## Detailed Design
+
+### Progress struct
+
+A new struct will be introduced to store progress information:
+
+```go
+type RestoreProgress struct {
+    TotalItems    int `json:"totalItems,omitempty`
+    ItemsRestored int `json:"itemsRestored,omitempty`
+}
+```
+
+`RestoreStatus` will include the above struct:
+
+```go
+type RestoreStatus struct {
+    [...]
+
+    Progress *RestoreProgress `json:"progress,omitempty"`
+}
+```
+
+### Modifications to restore.go
+
+Currently, the restore process works by looping through the resources in the backup tarball and restoring them one-by-one in the same pass:
+
+```go
+func (ctx *context) execute(...) {
+    [...]
+
+    for _, resource := range getOrderedResources(...) {
+        [...]
+
+        for namespace, items := range resourceList.ItemsByNamespace {
+            [...]
+
+            for _, item := range items {
+                [...]
+
+                // restore item here
+                w, e := restoreItem(...)
+            }
+        }
+    }
+}
+```
+
+We propose to remove the call to `restoreItem()` in the inner most loop and instead store the item in a data structure. Once all the items are collected, we loop through the array of collected items and make a call to `restoreItem()`:
+
+```go
+func (ctx *context) getOrderedResourceCollection(...) {
+    collectedResources := []restoreResource
+    for _, resource := range getOrderedResources(...) {
+        [...]
+
+        for namespace, items := range resourceList.ItemsByNamespace {
+            [...]
+            collectedResource := restoreResource{}
+            for _, item := range items {
+                [...]
+
+                // store item in a data structure
+                collectedResource.itemsByNamespace[originalNamespace] = append(collectedResource.itemsByNamespace[originalNamespace], item)
+            }
+        }
+        collectedResources.append(collectedResources, collectedResource)
+    }
+    return collectedResources
+}
+
+func (ctx *context) execute(...) {
+    [...]
+
+    // get all items
+    resources := ctx.getOrderedResourceCollection(...)
+
+    for _, resource := range resources {
+        [...]
+
+        for _, items := range resource.itemsByNamespace {
+            [...]
+
+            for _, item := range items {
+                [...]
+
+                // restore the item
+                w, e := restoreItem(...)
+            }
+        }
+    }
+
+    [...]
+}
+```
+
+We introduce two new structs to hold the collected items:
+
+```go
+type restoreResource struct {
+    resource            string
+    itemsByNamespace    map[string][]restoreItem
+    totalItems          int
+}
+
+type restoreItem struct {
+    targetNamespace string
+    name            string
+}
+```
+
+Each group resource is represented by `restoreResource`. The map `itemsByNamespace` is indexed by `originalNamespace`, and the values are list of `items` in the original namespace. `totalItems` is simply the count of all items which are present in the nested map of namespace and items. It is updated every time an item is added to the map. Each item represented by `restoreItem` has `name` and the resolved `targetNamespace`.
+
+### Calculating progress
+
+The total number of items can be calculated by simply adding the number of total items present in the map of all resources.
+
+```go
+totalItems := 0
+
+for _, resource := range collectedResources {
+	totalItems += resource.totalItems
+}
+```
+
+The additional items returned by the plugins will still be discovered at the time of plugin execution. The number of `totalItems` will be adjusted to include such additional items. As a result, the number of total items is expected to change whenever plugins execute:
+
+```go
+    i := 0
+    for _, resource := range resources {
+        [...]
+
+        for _, items := range resource.itemsByNamespace {
+            [...]
+
+            for _, item := range items {
+                [...]
+
+                // restore the item
+                w, e := restoreItem(...)
+		i++
+		// calculate the actual count of resources
+		actualTotalItems := len(ctx.restoredItems) + (totalItems - i)
+            }
+        }
+    }
+```
+
+### Updating progress 
+
+The updates to the `progress` field in the CR can be sent on a channel as soon as an item is restored. A goroutine receiving update on that channel can make an `Update()` call to update the _Restore_ CR. This will require us to pass an instance of `RestoresGetter` to the `kubernetesRestorer` struct.
+
+
+## Alternatives Considered
+
+As an alternative, we have considered an approach which doesn't divide the restore process in two steps. 
+
+With that approach, the total number of items will be read from the Backup CR. We will keep three counters, `totalItems`, `skippedItems` and `restoredItems`:
+
+```yml
+status:
+  phase: InProgress
+  progress:
+    totalItems: 100
+    skippedItems: 20
+    restoredItems: 79
+```
+
+This approach doesn't require us to find the number of total items beforehand.
+
+## Security Considerations
+
+Omitted
+
+## Compatibility
+
+Omitted
+
+## Implementation
+
+TBD
+
+## Open Issues
+
+https://github.com/vmware-tanzu/velero/issues/21

design/restore-with-EnableAPIGroupVersions-feature.md

@@ -0,0 +1,207 @@
+# Restore API Group Version by Priority Level When EnableAPIGroupVersions Feature is Set
+
+Status: Draft
+
+## Abstract
+
+This document proposes a solution to select an API group version to restore from the versions backed up using the feature flag EnableAPIGroupVersions.
+
+## Background
+
+It is possible that between the time a backup has been made and a restore occurs that the target Kubernetes version has incremented more than one version. In such a case where at least a versions of Kubernetes was skipped, the preferred source cluster's API group versions for resources may no longer be supported by the target cluster. With [PR#2373](https://github.com/vmware-tanzu/velero/pull/2373), all supported API group versions were backed up if the EnableAPIGroupVersions feature flag was set for Velero. The next step (outlined by this design proposal) will be to see if any of the backed up versions are supported in the target cluster and if so, choose one to restore for each backed up resource.
+
+## Goals
+
+- Choose an API group to restore from backups given a priority system or a user-provided prioritization of versions.
+- Restore resources using the chosen API group version.
+
+## Non Goals
+
+- Allow users to restore onto a cluster that is running a Kubernetes version older than the source cluster. The changes proposed here only allow for skipping ahead to a newer Kubernetes version, but not going backward.
+- Allow restoring from backups created using Velero version 1.3 or older. This proposal will only work on backups created using Velero 1.4+.
+- Modifying the compressed backup tarball files. We don't want to risk corrupting the backups.
+- Using plugins to restore a resource when the target supports none of the source cluster's API group versions. The ability to use plugins will hopefully be something added in the future, but not at this time.
+
+## High-Level Design
+
+During restore, the proposal is that Velero will determine if the `APIGroupVersionsFeatureFlag` was enabled in the target cluster and `Status.FormatVersion 1.1.0` was used during backup. Only if these two conditions are met will the changes proposed here take effect.
+
+The proposed code starts with creating three lists for each backed up resource. The three lists will be created by
+  (1) reading the directory names in the backup tarball file and seeing which API group versions were backed up from the source cluster,
+  (2) looking at the target cluster and determining which API group versions are supported, and
+  (3) getting config maps from the target cluster in order to get user-defined prioritization of versions.
+
+  The three lists will be used to create a map of chosen versions for each resource to restore. If there is a user-defined list of priority versions, the versions will be checked against the supported versions lists. The highest user-defined priority version that is/was supported by both target and source clusters will be the chosen version for that resource. If no user specified versions are supported by neither target nor source, the versions will be logged and the restore will continue with other prioritizations.
+
+  Without a user-defined prioritization of versions, the following version prioritization will be followed, starting from the highest priority: target cluster preferred version, source cluster preferred version, and a common supported version. Should there be multiple common supported versions, the one that will be chosen will be based on the [Kubernetes version priorities](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/#version-priority).
+  
+  Once the version to restore is chosen, the file path to the backed up resource in the tarball will be modified such that it points to the resources' chosen API group version. If no version is found in common between the source and target clusters, the chosen version will default to the source cluster's preferred version (the version being restored currently without the changes proposed here). Restore will be allowed to continue as before.
+
+## Detailed Design
+
+There are six objectives to achieve the above stated goals:
+
+1. Determine if the APIGroupVersionsFeatureFlag is enabled and Backup Objects use Status.FormatVersion 1.1.0.
+1. List the backed up API group versions.
+1. List the API group versions supported by the target cluster.
+1. Get the user-defined version priorities.
+1. Use a priority system to determine which version to restore. The source preferred version will be the default if the priorities fail.
+1. Modify the paths to the backup files in the tarball in the resource restore process.
+
+### Objective 1: Determine if the APIGroupVersionsFeatureFlag is enabled and Backup Objects use Status.FormatVersion 1.1.0
+
+For restore to be able to choose from multiple supported backed up versions, the feature flag must have been enabled during the restore processes. Backup objects must also have [Status.FormatVersion == "1.1.0"](https://github.com/vmware-tanzu/velero/blob/a1e182e723a8c5f6d4175d8db2361233a94d2502/pkg/backup/backup.go#L58).
+
+The reason for checking for the feature flag during restore is to ensure the user would like to restore a version that might not be the source cluster preferred version. This check is done via `features.IsEnabled(velerov1api.APIGroupVersionsFeatureFlag)`.
+
+The reason for checking `Status.FormatVersion` is to ensure the changes made by this proposed design is backward compatible. Only with Velero version 1.4 and forward was Format Version 1.1.0 used to structure the backup directories. Format Version 1.1.0 is required for the restore process proposed in this design doc to work. Before v1.4, the backed up files were in a directory structure that will not be recognized by the proposed code changes. In this case, restore should not attempt to restore from multiple versions as they will not exist.
+
+The [`Status.FormatVersion`](https://github.com/vmware-tanzu/velero/blob/6808acd92e30848056a21faf373af03ddb8a3b71/pkg/apis/velero/v1/backup.go#L235) is stored in a `restoreContext` struct field called [`backup`](https://github.com/vmware-tanzu/velero/blob/6808acd92e30848056a21faf373af03ddb8a3b71/pkg/restore/restore.go#L229). The full chain is `ctx.backup.Status.FormatVersion`.  
+
+The above two checks can be done inside a new method on the `*restoreContext` object with the method signature `meetsAPIGVRestoreReqs() bool`. This method can remain in the `restore` package, but for organizational purposes, it can be moved to a file called `prioritize_group_version.go`.
+
+### Objective 2: List the backed up API group versions
+
+Currently, in `pkg/restore/restore.go`, in the `execute(...)` method, around [line 363](https://github.com/vmware-tanzu/velero/blob/7a103b9eda878769018386ecae78da4e4f8dde83/pkg/restore/restore.go#L363), the resources and their backed up items are saved in a map called `backupResources`.
+
+At this point, the feature flag and format versions can be checked (described in Objective #1). If the requirements are met, the `backedupResources` map can be sent to a method (to be created) with the signature `ctx.chooseAPIVersionsToRestore(backupResources)`. The `ctx` object has the type `*restore.Context`.
+
+The `chooseAPIVersionsToRestore` method can remain in the `restore` package, but for organizational purposes, it can be moved to a file called `prioritize_group_version.go`.
+
+Inside the `chooseAPIVersionsToRestore` method, we can take advantage of the `archive` package's `Parser` type.  `ParseGroupVersions(backupDir string) (map[string]metav1.APIGroup, error)`. The `ParseGroupVersions(...)` method will loop through the `resources`, `resource.group`, and group version directories to populate a map called `sourceRGVersions`.
+
+The `sourceRGVersions` map's keys will be strings in the format `<resource>.<group>`, e.g. "horizontalpodautoscalers.autoscaling". The values will be APIGroup structs. The API Group struct can be imported from k8s.io/apimachinery/pkg/apis/meta/v1. Order the APIGroup.Versions slices using a sort function copied from `k8s.io/apimachinery/pkg/version`.
+
+```go
+sort.SliceStable(gvs, func(i, j int) bool {
+    return version.CompareKubeAwareVersionStrings(gvs[i].Version, gvs[j].Version) > 0
+})
+```
+
+### Objective 3: List the API group versions supported by the target cluster
+
+Still within the `chooseAPIVersionsToRestore` method, the target cluster's resource group versions can now be obtained.
+
+```go
+targetRGVersions := ctx.discoveryHelper.APIGroups()
+```
+
+Order the APIGroup.Versions slices using a sort function copied from `k8s.io/apimachinery/pkg/version`.
+
+```go
+sort.SliceStable(gvs, func(i, j int) bool {
+    return version.CompareKubeAwareVersionStrings(gvs[i].Version, gvs[j].Version) > 0
+})
+```
+
+### Objective 4: Get the user-defined version priorities
+
+Still within the `chooseAPIVersionsToRestore` method, the user-defined version priorities can be retrieved. These priorities are expected to be in a config map named `enableapigroupversions` in the `velero` namespace. An example config map is
+
+```yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: enableapigroupversions
+  namespace: velero
+data:
+  restoreResourcesVersionPriority: | -
+    rockbands.music.example.io=v2beta1,v2beta2
+    orchestras.music.example.io=v2,v3alpha1
+    subscriptions.operators.coreos.com=v2,v1
+```
+
+In the config map, the resources and groups and the user-defined version priorities will be listed in the `data.restoreResourcesVersionPriority` field following the following general format: `<group>.<resource>=<version 1>[, <version n> ...]`.
+
+A map will be created to store the user-defined priority versions. The map's keys will be strings in the format `<resource>.<group>`. The values will be APIGroup structs that will be imported from `k8s.io/apimachinery/pkg/apis/meta/v1`. Within the APIGroup structs will be versions in the order that the user provides in the config map. The PreferredVersion field in APIGroup struct will be left empty.
+
+### Objective 5: Use a priority system to determine which version to restore. The source preferred version will be the default if the priorities fail
+
+Determining the priority will also be done in the `chooseAPIVersionsToRestore` method. Once a version is chosen, it will be stored in a new map of the form `map[string]ChosenGRVersion` where the key is the `<resource>.<group>` and the values are of the `ChosenGroupVersion` struct type (shown below). The map will be saved to the `restore.Context` object in a field called `chosenGrpVersToRestore`.
+
+```go
+type ChosenGroupVersion struct {
+    Group   string
+    Version string
+    Dir     string
+}
+```
+
+The first method called will be `ctx.gatherSTUVersions()` and it will gather the source cluster group resource and versions (`sgvs`), target cluster group versions (`tgvs`), and custom user resource and group versions (`ugvs`).
+
+Loop through the source cluster resource and group versions (`sgvs`). Find the versions for the group in the target cluster.
+
+An attempt will first be made to `findSupportedUserVersion`. Loop through the resource.groups in the custom user resource and group versions (`ugvs`) map. If a version is supported by both `tgvs` and `sgvs`, that will be set as the chosen version for the corresponding resource in `ctx.chosenGrpVersToRestore`
+
+If no three-way match can be made between the versions in `ugvs`, `tgvs`, and `sgvs`, move on to attempting to use the target cluster preferred version. Loop through the `sgvs` versions for the resource and see if any of them match the first item in the `tgvs` version list. Because the versions in `tgvs` have been ordered, the first version in the version slide will be the preferred version.
+
+If target preferred version cannot be used, attempt to choose the source cluster preferred version. Loop through the target versions and see if any of them match the first item in the source version slice, which will be the preferred version due to Kubernetes version ordering.
+
+If neither clusters' preferred version can be used, look through remaining versions in the target version list and see if there is a match with the remaining versions in the source versions list.
+
+If none of the previous checks produce a chosen version, the source preferred version will be the default and the restore process will continue.
+
+Here is another way to list the priority versions described above:
+
+- **Priority 0** ((User override). Users determine restore version priority using a config map
+- **Priority 1**. Target preferred version can be used.
+- **Priority 2**. Source preferred version can be used.
+- **Priority 3**. A common supported version can be used. This means
+  - target supported version == source supported version
+  - if multiple support versions intersect, choose the version using the [Kubernetes’ version prioritization system](https://kubernetes.io/docs/tasks/extend-kubernetes/custom-resources/custom-resource-definition-versioning/#version-priority)
+
+If there is no common supported version between target and source clusters, then the default `ChosenGRVersion` will be the source preferred version. This is the version that would have been assumed for restore before the changes proposed here.
+
+Note that adding a field to `restore.Context` will mean having to make a map for the field during instantiation.
+
+To see example cases with version priorities, see a blog post written by Rafael Brito: https://github.com/brito-rafa/k8s-webhooks/tree/master/examples-for-projectvelero.
+
+### Objective 6: Modify the paths to the backup files in the tarball
+
+The method doing the bulk of the restoration work is `ctx.restoreResource(...)`. Inside this method, around [line 714](https://github.com/vmware-tanzu/velero/blob/7a103b9eda878769018386ecae78da4e4f8dde83/pkg/restore/restore.go#L714) in `pkg/restore/restore.go`, the path to backup json file for the item being restored is set.
+
+After the groupResource is instantiated at pkg/restore/restore.go:733, and before the `for` loop that ranges through the `items`, the `ctx.chosenGRVsToRestore` map can be checked. If the groupResource exists in the map, the path saved to `resource` variable can be updated.
+
+Currently, the item paths look something like
+
+```bash
+/var/folders/zj/vc4ln5h14djg9svz7x_t1d0r0000gq/T/620385697/resources/horizontalpodautoscalers.autoscaling/namespaces/myexample/php-apache-autoscaler.json
+```
+
+This proposal will have the path changed to something like
+
+```bash
+/var/folders/zj/vc4ln5h14djg9svz7x_t1d0r0000gq/T/620385697/resources/horizontalpodautoscalers.autoscaling/v2beta2/namespaces/myexample/php-apache-autoscaler.json
+```
+
+The `horizontalpodautoscalers.autoscaling` part of the path will be updated to `horizontalpodautoscalers.autoscaling/v2beta2` using
+
+```go
+version, ok := ctx.chosenGVsToRestore[groupResource.String()]
+  if ok {
+    resource = filepath.Join(groupResource.String(), version.VerDir)
+  }
+```
+
+The restore can now proceed as normal.
+
+## Alternatives Considered
+
+- Look for plugins if no common supported API group version could be found between the target and source clusters. We had considered searching for plugins that could handle converting an outdated resource to a new one that is supported in the target cluster, but it is difficult, will take a lot of time, and currently will not be useful because we are not aware of such plugins. It would be better to keep the initial changes simple to see how it works out and progress to more complex solutions as demand necessitates.
+- It was considered to modify the backed up json files such that the resources API versions are supported by the target but modifying backups is discouraged for several reasons, including introducing data corruption.
+
+## Security Considerations
+
+I can't think of any additional risks in terms of Velero security here.
+
+## Compatibility
+
+I have made it such that the changes in code will only affect Velero installations that have `APIGroupVersionsFeatureFlag` enabled during restore and Format Version 1.1.0 was used during backup. If both these requirements are not met, the changes will have no affect on the restore process, making the changes here entirely backward compatible.
+
+## Implementation
+
+This first draft of the proposal will be submitted Oct. 30, 2020. Once this proposal is approved, I can have the code and unit tests written within a week and submit a PR that fixes Issue #2551.
+
+## Open Issues
+
+At the time of writing this design proposal, I had not seen any of @jenting's work for solving Issue #2551. He had independently covered the first two priorities I mentioned above before I was even aware of the issue. I hope to not let his efforts go to waste and welcome incorporating his ideas here to make this design proposal better.

design/secrets.md

@@ -0,0 +1,135 @@
+# Support for multiple provider credentials
+
+Currently, Velero only supports a single credential secret per location provider/plugin. Velero creates and stores the plugin credential secret under the hard-coded key `secret.cloud-credentials.data.cloud`.
+
+This makes it so switching from one plugin to another necessitates overriding the existing credential secret with the appropriate one for the new plugin.
+
+## Goals
+
+- To allow Velero to create and store multiple secrets for provider credentials, even multiple credentials for the same provider
+- To improve the UX for configuring the velero deployment with multiple plugins/providers.
+
+## Non Goals
+
+- To make any change except what's necessary to handle multiple credentials
+- To allow multiple credentials for or change the UX for node-based authentication (e.g. AWS IAM, GCP Workload Identity, Azure AAD Pod Identity).
+
+## Design overview
+
+Instead of one credential per Velero deployment, multiple credentials can be added and used with different BSLs VSLs.
+  
+There are two aspects to handling multiple credentials:
+
+- Modifying how credentials are configured and specified by the user
+- Modifying how credentials are provided to the plugin processes
+
+Each of these aspects will be discussed in turn.
+
+### Credential configuration
+
+Currently, Velero creates a secret (`cloud-credentials`) during install with a single entry that contains the contents of the credentials file passed by the user.
+
+Instead of adding new CLI options to Velero to create and manage credentials, users will create their own Kubernetes secrets within the Velero namespace and reference these.
+This approach is being chosen as it allows users to directly manage Kubernetes secrets objects as they wish and it removes the need for wrapper functions to be created within Velero to manage the creation of secrets.
+An initial approach to this problem included modifying the existing `cloud-credentials` secret to add a new entry with each new set of credentials.
+It is likely that this approach would encounter problems as users added more credentials as the maximum size of Secret in Kubernetes is 1MB.
+By allowing users to create Secrets as they need to, we remove these potential limitations.
+
+To enable the use of existing Kubernetes secrets, BSLs and VSLs will be modified to have a new field `Credential`.
+This field will be a [`SecretKeySelector`](https://godoc.org/k8s.io/api/core/v1#SecretKeySelector) which will enable the user to specify which key within a particular secret the BSL/VSL should use.
+
+The CLI for managing BSLs and VSLs will be modified to allow the user to set these credentials.
+Both `velero backup-location (create|set)` and `velero snapshot-location (create|set)` will have a new flag (`--credential`) to specify the secret and key within the secret to use.
+This flag will take a key-value pair in the format `<secret-name>=<key-in-secret>`.
+The arguments will be validated to ensure that the secret exists in the Velero namespace.
+
+### Making credentials available to plugins
+
+There are three different approaches that can be taken to provide credentials to plugin processes:
+
+1. Providing the path to the credentials file as an environment variable per plugin. This is how credentials are currently passed.
+1. Include the path to the credentials file in the `config` map passed to a plugin.
+1. Include the details of the secret in the `config` map passed to a plugin.
+
+The last two options require changes to the plugin as the plugin will need to instantiate a client using the provided credentials.
+The client libraries used by the plugins will not be able to rely on the credentials details being available in the environment as they currently do.
+
+We have selected option 2 as the approach to take which will be described below.
+
+### Including the credentials file path in the `config` map
+
+Prior to using any secret for a BSL or VSL, it will need to be serialized to disk.
+Using the details in the `Credential` field in the BSL/VSL, the contents of the Secret will be read and serialized.
+To achieve this, we will create a new package, `credentials`, which will introduce new types and functions to manage the fetching of credentials based on a `SecretKeySelector`.
+This will also be responsible for serializing the fetched credentials to a temporary directory on the Velero pod filesystem.
+
+The path where a set of credentials will be written to will be a fixed path based on the namespace, name, and key from the secret rather than a randomly named file as is usual with temporary files.
+The reason for this is that `BackupStore`s are frequently created within the controllers and the credentials must be serialized before any plugin APIs are called, which would result in a quick accumulation of temporary credentials files.
+For example, the default validation frequency for BackupStorageLocations is one minute.
+This means that any time a `BackupStore`, or other type which requires credentials, is created, the credentials will be fetched from the API server and may overwrite any existing use of that credential.
+
+If we instead wanted to use an unique file each time, we could work around the of multiple files being written by cleaning up the temporary files upon completion of the plugin operations, if this information is known.
+
+Once the credentials have been serialized, this path will be made available to the plugins.
+Instead of setting the necessary environment variable for the plugin process, the `config` map for the BSL/VSL will be modified to include an addiitional entry with the path to the credentials file: `credentialsFile`.
+This will be passed through when [initializing the BSL/VSL](https://github.com/vmware-tanzu/velero/blob/main/pkg/plugin/velero/object_store.go#L27-L30) and it will be the responsibility of the plugin to use the passed credentials when starting a session.
+For an example of how this would affect the AWS plugin, see [this PR](https://github.com/vmware-tanzu/velero-plugin-for-aws/pull/69).
+
+The restic controllers will also need to be updated to use the correct credentials.
+The BackupStorageLocation for a given PVB/PVR will be fetched and the `Credential` field from that BSL will be serialized.
+The existing setup for the restic commands use the credentials from the environment variables with [some repo provider specific overrides](https://github.com/vmware-tanzu/velero/blob/main/pkg/controller/pod_volume_backup_controller.go#L260-L273).
+Instead of relying on the existing environment variables, if there are credentials for a particular BSL, the environment will be specifically created for each `RepoIdentifier`.
+This will use a lot of the existing logic with the exception that it will be modified to work with a serialized secret rather than find the secret file from an environment variable.
+Currently, GCP is the only provider that relies on the existing environment variables with no specific overrides.
+For GCP, the environment variable will be overwritten with the path of the serialized secret.
+
+
+## Backwards compatibility
+
+For now, regardless of the approaches used above, we will still support the existing workflow.
+
+Users will be able to set credentials during install and a secret will be created for them.
+This secret will still be mounted into the Velero pods and the appropriate environment variables set.
+This will allow users to use versions of plugins which haven't yet been updated to use credentials directly, such as with many community created plugins.
+
+Multiple credential handling will only be used in the case where a particular BSL/VSL has been modified to use an existing secret.
+
+## Security Considerations
+
+Although the handling of secrets will be similar to how credentials are currently managed within Velero, care must be taken to ensure that any new code does not leak the contents of secrets, for example, including them within logs.
+
+## Alternatives Considered
+
+As mentioned above, there were three potential approaches for providing this support.
+The approaches that were not selected are detailed below for reference.
+
+#### Providing the credentials via environment variables
+
+To continue to provide the credentials via the environment, plugins will need to be invoked differently so that the correct credential is used.
+Currently, there is a single secret, which is mounted into every pod deployed by Velero (the Velero Deployment and the Restic DaemonSet) at the path `/credentials/cloud`.
+This path is made known to all plugins through provider specific environment variables and all possible provider environment variables are set to this path.
+
+Instead of setting the environment variables for all the pods, we can modify plugin processes are created so that the environment variables are set on a per plugin process basis.
+Prior to using any secret for a BSL or VSL, it will need to be serialized to disk.
+Using the details in the `Credential` field in the BSL/VSL, the contents of the Secret will be read and serialized to a file.
+Each plugin process would still have the same set of environment variables set, however the value used for each of these variables would instead be the path to the serialized secret.
+
+To set the environment variables for a plugin process, the plugin manager must be modified so that when creating an ObjectStore or VolumeSnapshotter, we pass in the entire BSL/VSL object, rather than [just the provider](https://github.com/vmware-tanzu/velero/blob/main/pkg/plugin/clientmgmt/manager.go#L132-L158).
+The plugin manager currently stores a map of [plugin executables to an associated `RestartableProcess`](https://github.com/vmware-tanzu/velero/blob/main/pkg/plugin/clientmgmt/manager.go#L59-L70).
+New restartable processes are created only [with the executable that the process would run](https://github.com/vmware-tanzu/velero/blob/main/pkg/plugin/clientmgmt/manager.go#L122).
+This could be modified to also take the necessary environment variables so that when [underlying go-plugin process is created](https://github.com/vmware-tanzu/velero/blob/main/pkg/plugin/clientmgmt/client_builder.go#L78), these environment variables could be provided and would be set on the plugin process.
+
+Taking this approach would not require any changes from plugins as the credentials information would be made available to them in the same way.
+However, it is quite a significant change in how we initialize and invoke plugins.
+
+We would also need to ensure that the restic controllers are updated in the same way so that correct credentials are used (when creating a `ResticRepository` or processing `PodVolumeBackup`/`PodVolumeRestore`).
+This could be achieved by modifying the existing function to [run a restic command](https://github.com/vmware-tanzu/velero/blob/main/pkg/restic/repository_manager.go#L237-L290).
+This function already sets environment variables for the restic process depending on which storage provider is being used.
+
+#### Include the details of the secret in `config` map passed to a plugin
+
+This approach is like the selected approach of passing the credentials file via the `config` map, however instead of the Velero process being responsible for serializing the file to disk prior to invoking the plugin, the `Credential SecretKeySelector` details will be passed through to the plugin.
+It will be the responsibility of the plugin to fetch the secret from the Kubernetes API and perform the necessary steps to make it available for use when creating a session, for example, serializing the contents to disk, or evaluating the contents and adding to the process environment.
+
+This approach has an additional burden on the plugin author over the previous approach as it requires the author to create a client to communicate with the Kubernetes API to retrieve the secret.
+Although it would be the responsibility of the plugin to serialize the credential and use it directly, Velero would still be responsible for serializing the secret so that it could be used with the restic controllers as in the selected approach.

design/wait-for-additional-items.md

@@ -0,0 +1,251 @@
+# Wait for AdditionalItems to be ready on Restore
+
+When a velero `RestoreItemAction` plugin returns a list of resources
+via `AdditionalItems`, velero restores these resources before
+restoring the current resource. There is a race condition here, as it
+is possible that after running the restore on these returned items,
+the current item's restore might execute before the additional items
+are available. Depending on the nature of the dependency between the
+current item and the additional items, this could cause the restore of
+the current item to fail.
+
+## Goals
+
+- Enable Velero to ensure that Additional items returned by a restore
+  plugin's `Execute` func are ready before restoring the current item
+- Augment the RestoreItemAction plugin interface to allow the plugins
+  to determine when an additional item is ready, since doing so
+  requires knowledge specific to the resource type.
+
+## Background
+
+Because Velero does not wait after restoring additional items to
+restore the current item, in some cases the current item restore will
+fail if the additional items are not yet ready. Velero (and the
+`RestoreItemAction` plugins) need to implement this "wait until ready"
+functionality.
+
+## High-Level Design
+
+After each RestoreItemAction execute call (and following restore of
+any returned additional items) , we need to wait for these returned
+Additional Items to be ready before restoring the current item. In
+order to do this, we also need to extend the `RestoreItemActionExecuteOutput`
+struct to allow the plugin which returned additional items to
+determine whether they are ready.
+
+## Detailed Design
+
+### `restoreItem` Changes
+
+When each `RestoreItemAction` `Execute()` call returns, the
+`RestoreItemActionExecuteOutput` struct contains a slice of
+`AdditionalItems` which must be restored before this item can be
+restored. After restoring these items, Velero needs to be able to wait
+for them to be ready before moving on to the next item. Right after
+looping over the additional items at
+https://github.com/vmware-tanzu/velero/blob/main/pkg/restore/restore.go#L960-L991
+
+we still have a reference to the additional items (`GroupResource` and
+namespaced name), as well as a reference to the `RestoreItemAction`
+plugin which required it.
+
+At this point, if the `RestoreItemActionExecuteOutput` includes a
+non-nil `AdditionalItemsReadyFunc` we need to call a func similar to
+`crdAvailable` which we will call `itemsAvailable`
+https://github.com/vmware-tanzu/velero/blob/main/pkg/restore/restore.go#L623
+This func should also be defined within restore.go
+
+Instead of the one minute CRD timeout, we'll use a timeout specific to
+waiting for additional items. There will be a new field added to
+serverConfig, `additionalItemsReadyTimeout`, with a
+`defaultAdditionalItemsReadyTimeout` const set to 10 minutes. In addition,
+each plugin will be able to define an override for the global
+server-level value, which will be added as another optional field in
+the `RestoreItemActionExecuteOutput` struct. Instead of the
+`IsUnstructuredCRDReady` call, we'll call the returned
+`AdditionalItemsReadyFunc` passing in the same `AdditionalItems` slice
+as an argument (with items which failed to restore filtered out). If
+this func returns an error, then `itemsAvailable` will
+propagate the error, and `restoreItem` will handle it the same way it
+handles an error return on restoring an additional item. If the
+timeout is reached without ready returning true, velero will continue
+on to attempt restore of the current item.
+
+### `RestoreItemActionExecuteOutput` changes
+
+Two new fields will be added to `RestoreItemActionExecuteOutput`, both
+optional. `AdditionalItemsReadyTimeout`, if specified, will override
+`serverConfig.additionalItemsReadyTimeout`. If the new func field
+`AdditionalItemsReadyFunc` is non-nil, then `restoreItem` will call
+`itemsAvailable` which will invoke the plugin func
+`AdditionalItemsReadyFunc` and wait until the func returns true or the
+timeout is reached. If `AdditionalItemsReadyFunc` is nil (the default
+case), then current velero behavior will be followed. Existing plugins
+which do not need to signal to wait for `AdditionalItems` won't need
+to change their `Execute()` functions.
+
+In addition, a new func, `WithItemsWait(readyFunc *func)` will
+be added to `RestoreItemActionExecuteOutput` similar to
+`WithoutRestore()` which will set `AdditionalItemsReadyFunc` to
+`readyfunc`. This will allow a plugin to include waiting for
+AdditionalItems like this:
+```
+func AreItemsReady (restore *api.Restore, additionalItems []ResourceIdentifier) (bool, error) {
+	...
+	return true, nil
+}
+func (p *RestorePlugin) Execute(input *velero.RestoreItemActionExecuteInput) (*velero.RestoreItemActionExecuteOutput, error) {
+	...
+	return velero.NewRestoreItemActionExecuteOutput(input.Item).WithItemsWait(AreItemsReady), nil
+}
+
+```
+
+
+```
+// RestoreItemActionExecuteOutput contains the output variables for the ItemAction's Execution function.
+type RestoreItemActionExecuteOutput struct {
+	// UpdatedItem is the item being restored mutated by ItemAction.
+	UpdatedItem runtime.Unstructured
+
+	// AdditionalItems is a list of additional related items that should
+	// be restored.
+	AdditionalItems []ResourceIdentifier
+
+	// SkipRestore tells velero to stop executing further actions
+	// on this item, and skip the restore step. When this field's
+	// value is true, AdditionalItems will be ignored.
+	SkipRestore bool
+
+	// AdditionalItemsReadyFunc is a func which returns true if
+	// the additionalItems passed into the func are
+	// ready/available. A nil value for this func means that
+	// velero will not wait for the items to be ready before
+	// attempting to restore the current item.
+	AdditionalItemsReadyFunc func(restore *api.Restore, []ResourceIdentifier) (bool, error)
+
+	// AdditionalItemsReadyTimeout will override serverConfig.additionalItemsReadyTimeout
+	// if specified. This value specifies how long velero will wait
+	// for additional items to be ready before moving on.
+	AdditionalItemsReadyTimeout *time.Duration
+}
+
+// WithoutRestore returns SkipRestore for RestoreItemActionExecuteOutput
+func (r *RestoreItemActionExecuteOutput) WithItemsWait(
+	readyFunc func(*api.Restore, []ResourceIdentifier)
+) *RestoreItemActionExecuteOutput {
+	r.AdditionalItemsReadyFunc = readyFunc
+	return r
+}
+
+```
+
+### Earlier iteration (no longer the current implementation plan)
+
+What follows is the first iteration of the design. Everything from
+here is superseded by the content above. The options below require
+either breaking backwards compatibility or dealing with runtime
+casting and optional interfaces. Adding the func pointer to
+`RestoreItemActionExecuteOutput` resolves the problem without
+requiring either.
+
+#### `RestoreItemActionExecuteOutput` changes
+
+A new boolean field will be added to
+`RestoreItemActionExecuteOutput`. If `WaitForAdditionalItems` is true,
+then `restoreItem` will call `itemsAvailable` which will invoke the
+plugin func `AreAdditionalItemsReady` and wait until the func returns
+true or the timeout is reached. If `WaitForAdditionalItems` is false
+(the default case), then current velero behavior will be
+followed. Existing plugins which do not need to signal to wait for
+`AdditionalItems` won't need to change their `Execute()` functions.
+
+In addition, a new func, `WithItemsWait()` will be added to
+`RestoreItemActionExecuteOutput` similar to `WithoutRestore()` which
+will set the `WaitForAdditionalItems` bool to `true`.
+
+```
+// RestoreItemActionExecuteOutput contains the output variables for the ItemAction's Execution function.
+type RestoreItemActionExecuteOutput struct {
+        // UpdatedItem is the item being restored mutated by ItemAction.
+        UpdatedItem runtime.Unstructured
+
+        // AdditionalItems is a list of additional related items that should
+        // be restored.
+        AdditionalItems []ResourceIdentifier
+
+        // SkipRestore tells velero to stop executing further actions
+        // on this item, and skip the restore step. When this field's
+        // value is true, AdditionalItems will be ignored.
+        SkipRestore bool
+
+        // WaitForAdditionalItems determines whether velero will wait
+	// until AreAdditionalItemsReady returns true before restoring
+	// this item. If this field's value is true, then after restoring
+	// the returned AdditionalItems, velero will not restore this item
+	// until AreAdditionalItemsReady returns true or the timeout is
+        // reached. Otherwise, AreAdditionalItemsReady is not called.
+        WaitForAdditionalItems bool
+}
+```
+
+#### `RestoreItemAction` plugin interface changes
+
+In order to implement the `AreAdditionalItemsReady` plugin func, there
+are two different approaches we could take.
+
+The first would be to simply add another entry to the
+`RestoreItemAction` interface:
+```
+type RestoreItemAction interface {
+        // AppliesTo returns information about which resources this action should be invoked for.
+        // A RestoreItemAction's Execute function will only be invoked on items that match the returned
+        // selector. A zero-valued ResourceSelector matches all resources.
+        AppliesTo() (ResourceSelector, error)
+
+        // Execute allows the ItemAction to perform arbitrary logic with the item being restored,
+        // including mutating the item itself prior to restore. The item (unmodified or modified)
+        // should be returned, along with an optional slice of ResourceIdentifiers specifying additional
+        // related items that should be restored, a warning (which will be logged but will not prevent
+        // the item from being restored) or error (which will be logged and will prevent the item
+        // from being restored) if applicable.
+        Execute(input *RestoreItemActionExecuteInput) (*RestoreItemActionExecuteOutput, error)
+
+	// AreAdditionalItemsReady allows the ItemAction to communicate whether the passed-in 
+	// slice of AdditionalItems (previously returned by Execute())
+	// are ready. Returns true if all items are ready, and false otherwise
+	AreAdditionalItemsReady(restore *api.Restore, AdditionalItems []ResourceIdentifier) (bool, error)
+}
+```
+
+The downside of this approach is that it is not backwards compatible,
+and every `RestoreItemAction` plugin will have to implement the new
+func, simply to return `true` in most cases, since the plugin will
+either never return `AdditionalItems` from Execute or not have any
+special readiness requirements.
+
+The alternative to this would be to define an additional interface for
+the optional func, leaving the `RestoreItemAction` interface alone.
+```
+type RestoreItemActionReadyCheck interface {
+	// AreAdditionalItemsReady allows the ItemAction to communicate whether the passed-in 
+	// slice of AdditionalItems (previously returned by Execute())
+	// are ready. Returns true if all items are ready, and false otherwise
+	AreAdditionalItemsReady(restore *api.Restore, AdditionalItems []ResourceIdentifier) (bool, error)
+}
+
+```
+In this case, existing plugins which do not need this functionality
+can remain as-is, while plugins which want to make use of this
+functionality will just need to implement the optional func. With the
+optional interface approach, `itemsAvailable` will only wait if the
+plugin can be type-asserted to the new interface:
+```
+	if actionWithReadyCheck, ok := action.(RestoreItemActionReadyCheck); ok {
+		// wait for ready/timeout
+	} else {
+		return true, nil
+	}
+```
+

examples/README.md

@@ -7,5 +7,5 @@ This directory contains sample YAML config files that can be used for exploring
 * `nginx-app/`: A sample nginx app that can be used to test backups and restores.
 
 
-[0]: /docs/contributions/minio.md
+[0]: https://velero.io/docs/main/contributions/minio/
 [1]: https://github.com/minio/minio

go.mod

@@ -1,9 +1,8 @@
 module github.com/vmware-tanzu/velero
 
-go 1.14
+go 1.15
 
 require (
-	cloud.google.com/go v0.46.2 // indirect
 	github.com/Azure/azure-sdk-for-go v42.0.0+incompatible
 	github.com/Azure/go-autorest/autorest v0.9.6
 	github.com/Azure/go-autorest/autorest/azure/auth v0.4.2
@@ -11,76 +10,42 @@ require (
 	github.com/Azure/go-autorest/autorest/validation v0.2.0 // indirect
 	github.com/aws/aws-sdk-go v1.28.2
 	github.com/docker/spdystream v0.0.0-20170912183627-bc6354cbbc29 // indirect
-	github.com/evanphx/json-patch v4.5.0+incompatible
+	github.com/evanphx/json-patch v4.9.0+incompatible
+	github.com/fatih/color v1.10.0
 	github.com/gobwas/glob v0.2.3
 	github.com/gofrs/uuid v3.2.0+incompatible
 	github.com/golang/protobuf v1.4.2
+	github.com/google/uuid v1.1.2
 	github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd
 	github.com/hashicorp/go-plugin v0.0.0-20190610192547-a1bc61569a26
 	github.com/joho/godotenv v1.3.0
-	github.com/kubernetes-csi/external-snapshotter/v2 v2.2.0-rc1
-	github.com/onsi/ginkgo v1.13.0
-	github.com/onsi/gomega v1.10.1
+	github.com/kubernetes-csi/external-snapshotter/client/v4 v4.0.0
+	github.com/onsi/ginkgo v1.16.4
+	github.com/onsi/gomega v1.10.2
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.5.1
+	github.com/prometheus/client_golang v1.7.1
 	github.com/robfig/cron v1.1.0
-	github.com/sirupsen/logrus v1.4.2
+	github.com/sirupsen/logrus v1.6.0
 	github.com/spf13/afero v1.2.2
-	github.com/spf13/cobra v0.0.6
+	github.com/spf13/cobra v1.1.1
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.4.0
-	golang.org/x/net v0.0.0-20200520004742-59133d7f0dd7
+	github.com/stretchr/testify v1.5.1
+	golang.org/x/mod v0.3.0
+	golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
 	google.golang.org/genproto v0.0.0-20200731012542-8145dea6a485 // indirect
 	google.golang.org/grpc v1.31.0
 	google.golang.org/protobuf v1.25.0 // indirect
-	k8s.io/api v0.18.4
-	k8s.io/apiextensions-apiserver v0.18.4
-	k8s.io/apimachinery v0.18.4
-	k8s.io/cli-runtime v0.18.4
-	k8s.io/client-go v0.18.4
+	k8s.io/api v0.19.12
+	k8s.io/apiextensions-apiserver v0.19.12
+	k8s.io/apimachinery v0.19.12
+	k8s.io/cli-runtime v0.19.12
+	k8s.io/client-go v0.19.12
 	k8s.io/klog v1.0.0
-	sigs.k8s.io/cluster-api v0.3.8
-	sigs.k8s.io/controller-runtime v0.6.1
+	k8s.io/klog/v2 v2.3.0 // indirect
+	k8s.io/kube-aggregator v0.19.12
+	k8s.io/utils v0.0.0-20201005171033-6301aaf42dc7 // indirect
+	sigs.k8s.io/cluster-api v0.3.11-0.20210106212952-b6c1b5b3db3d
+	sigs.k8s.io/controller-runtime v0.7.1-0.20201215171748-096b2e07c091
 )
 
-replace k8s.io/api => k8s.io/api v0.18.4
-
-replace k8s.io/apiextensions-apiserver => k8s.io/apiextensions-apiserver v0.18.4
-
-replace k8s.io/apimachinery => k8s.io/apimachinery v0.18.4
-
-replace k8s.io/apiserver => k8s.io/apiserver v0.18.4
-
-replace k8s.io/cli-runtime => k8s.io/cli-runtime v0.18.4
-
-replace k8s.io/client-go => k8s.io/client-go v0.18.4
-
-replace k8s.io/cloud-provider => k8s.io/cloud-provider v0.18.4
-
-replace k8s.io/cluster-bootstrap => k8s.io/cluster-bootstrap v0.18.4
-
-replace k8s.io/code-generator => k8s.io/code-generator v0.18.4
-
-replace k8s.io/component-base => k8s.io/component-base v0.18.4
-
-replace k8s.io/cri-api => k8s.io/cri-api v0.18.4
-
-replace k8s.io/kube-aggregator => k8s.io/kube-aggregator v0.18.4
-
-replace k8s.io/kube-controller-manager => k8s.io/kube-controller-manager v0.18.4
-
-replace k8s.io/kube-proxy => k8s.io/kube-proxy v0.18.4
-
-replace k8s.io/kube-scheduler => k8s.io/kube-scheduler v0.18.4
-
-replace k8s.io/kubectl => k8s.io/kubectl v0.18.4
-
-replace k8s.io/kubelet => k8s.io/kubelet v0.18.4
-
-replace k8s.io/legacy-cloud-providers => k8s.io/legacy-cloud-providers v0.18.4
-
-replace k8s.io/metrics => k8s.io/metrics v0.18.4
-
-replace k8s.io/sample-apiserver => k8s.io/sample-apiserver v0.18.4
-
-replace k8s.io/csi-translation-lib => k8s.io/csi-translation-lib v0.18.4
+replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2

hack/build-image/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.14
+FROM golang:1.15
 
 ARG GOPROXY
 

hack/build.sh

@@ -41,6 +41,11 @@ if [[ -z "${VERSION}" ]]; then
     exit 1
 fi
 
+if [[ -z "${REGISTRY}" ]]; then
+    echo "REGISTRY must be set"
+    exit 1
+fi
+
 if [[ -z "${GIT_SHA}" ]]; then
     echo "GIT_SHA must be set"
     exit 1
@@ -51,9 +56,15 @@ if [[ -z "${GIT_TREE_STATE}" ]]; then
     exit 1
 fi
 
+GCFLAGS=""
+if [[ ${DEBUG:-} = "1" ]]; then
+    GCFLAGS="all=-N -l"
+fi
+
 export CGO_ENABLED=0
 
 LDFLAGS="-X ${PKG}/pkg/buildinfo.Version=${VERSION}"
+LDFLAGS="${LDFLAGS} -X ${PKG}/pkg/buildinfo.ImageRegistry=${REGISTRY}"
 LDFLAGS="${LDFLAGS} -X ${PKG}/pkg/buildinfo.GitSHA=${GIT_SHA}"
 LDFLAGS="${LDFLAGS} -X ${PKG}/pkg/buildinfo.GitTreeState=${GIT_TREE_STATE}"
 
@@ -67,6 +78,7 @@ fi
 
 go build \
     -o ${OUTPUT} \
+    -gcflags "${GCFLAGS}" \
     -installsuffix "static" \
     -ldflags "${LDFLAGS}" \
     ${PKG}/cmd/${BIN}

hack/crd-gen/v1/main.go

@@ -0,0 +1,136 @@
+/*
+Copyright the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This code embeds the CRD manifests in config/crd/v1/bases in
+// config/crd/v1/crds/crds.go.
+
+package main
+
+import (
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"os"
+	"text/template"
+)
+
+// This is relative to config/crd/crds
+const goHeaderFile = "../../../../hack/boilerplate.go.txt"
+
+const tpl = `{{.GoHeader}}
+// Code generated by crds_generate.go; DO NOT EDIT.
+
+package crds
+
+import (
+	"bytes"
+	"compress/gzip"
+	"io/ioutil"
+
+	apiextinstall "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/install"
+	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/client-go/kubernetes/scheme"
+)
+
+var rawCRDs = [][]byte{
+{{- range .RawCRDs }}
+	[]byte({{ . }}),
+{{- end }}
+}
+
+var CRDs = crds()
+
+func crds() []*apiextv1.CustomResourceDefinition {
+	apiextinstall.Install(scheme.Scheme)
+	decode := scheme.Codecs.UniversalDeserializer().Decode
+	var objs []*apiextv1.CustomResourceDefinition
+	for _, crd := range rawCRDs {
+		gzr, err := gzip.NewReader(bytes.NewReader(crd))
+		if err != nil {
+			panic(err)
+		}
+		bytes, err := ioutil.ReadAll(gzr)
+		if err != nil {
+			panic(err)
+		}
+		gzr.Close()
+
+		obj, _, err := decode(bytes, nil, nil)
+		if err != nil {
+			panic(err)
+		}
+		objs = append(objs, obj.(*apiextv1.CustomResourceDefinition))
+	}
+	return objs
+}
+`
+
+type templateData struct {
+	GoHeader string
+	RawCRDs  []string
+}
+
+func main() {
+	headerBytes, err := ioutil.ReadFile(goHeaderFile)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	data := templateData{
+		GoHeader: string(headerBytes),
+	}
+
+	// This is relative to config/crd/crds
+	manifests, err := ioutil.ReadDir("../bases")
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	for _, crd := range manifests {
+		file, err := os.Open("../bases/" + crd.Name())
+		if err != nil {
+			log.Fatalln(err)
+		}
+
+		// gzip compress manifest
+		var buf bytes.Buffer
+		gzw := gzip.NewWriter(&buf)
+		if _, err := io.Copy(gzw, file); err != nil {
+			log.Fatalln(err)
+		}
+		file.Close()
+		gzw.Close()
+
+		data.RawCRDs = append(data.RawCRDs, fmt.Sprintf("%q", buf.Bytes()))
+	}
+
+	t, err := template.New("crd").Parse(tpl)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	out, err := os.Create("crds.go")
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	if err := t.Execute(out, data); err != nil {
+		log.Fatalln(err)
+	}
+}

hack/crd-gen/v1beta1/main.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2019 the Velero contributors.
+Copyright the Velero contributors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,8 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// This code embeds the CRD manifests in config/crd/bases in
-// config/crd/crds/crds.go.
+// This code embeds the CRD manifests in config/crd/v1beta1/bases in
+// config/crd/v1beta1/crds/crds.go.
 
 package main
 
@@ -31,7 +31,7 @@ import (
 )
 
 // This is relative to config/crd/crds
-const goHeaderFile = "../../../hack/boilerplate.go.txt"
+const goHeaderFile = "../../../../hack/boilerplate.go.txt"
 
 const tpl = `{{.GoHeader}}
 // Code generated by crds_generate.go; DO NOT EDIT.

hack/docker-push.sh

@@ -91,6 +91,9 @@ echo "BUILDX_PLATFORMS: $BUILDX_PLATFORMS"
 
 echo "Building and pushing container images."
 
+# The use of "registry" as the buildx output type below instructs
+# Docker to push the image
+
 VERSION="$VERSION" \
 TAG_LATEST="$TAG_LATEST" \
 BUILDX_PLATFORMS="$BUILDX_PLATFORMS" \

hack/download-restic.sh

@@ -18,6 +18,11 @@ set -o errexit
 set -o nounset
 set -o pipefail
 
+# Use /output/usr/bin/ as the default output directory as this
+# is the path expected by the Velero Dockerfile.
+output_dir=${OUTPUT_DIR:-/output/usr/bin}
+restic_bin=${output_dir}/restic
+
 if [[ -z "${BIN}" ]]; then
     echo "BIN must be set"
     exit 1
@@ -41,14 +46,8 @@ if [[ -z "${RESTIC_VERSION}" ]]; then
     exit 1
 fi
 
-# TODO: when the new restic version is released, make ppc64le to be also downloaded from their github releases.
-#  This has been merged and will be applied to next release: https://github.com/restic/restic/pull/2342
-if [[ "${GOARCH}" = "ppc64le" ]]; then
-    wget --timeout=1 --tries=5 --quiet https://oplab9.parqtec.unicamp.br/pub/ppc64el/restic/restic-${RESTIC_VERSION} -O /output/usr/bin/restic
-else
-    wget --quiet https://github.com/restic/restic/releases/download/v${RESTIC_VERSION}/restic_${RESTIC_VERSION}_${GOOS}_${GOARCH}.bz2
-    bunzip2 restic_${RESTIC_VERSION}_${GOOS}_${GOARCH}.bz2
-    mv restic_${RESTIC_VERSION}_${GOOS}_${GOARCH} /output/usr/bin/restic
-fi
+curl -s -L https://github.com/restic/restic/releases/download/v${RESTIC_VERSION}/restic_${RESTIC_VERSION}_${GOOS}_${GOARCH}.bz2 -O
+bunzip2 restic_${RESTIC_VERSION}_${GOOS}_${GOARCH}.bz2
+mv restic_${RESTIC_VERSION}_${GOOS}_${GOARCH} ${restic_bin}
 
-chmod +x /output/usr/bin/restic
+chmod +x ${restic_bin}

hack/release-tools/goreleaser.sh

@@ -29,6 +29,11 @@ if [ -z "${RELEASE_NOTES_FILE}" ]; then
     exit 1
 fi
 
+if [ -z "${REGISTRY}" ]; then
+    echo "REGISTRY must be set"
+    exit 1
+fi
+
 GIT_DIRTY=$(git status --porcelain 2> /dev/null)
 if [[ -z "${GIT_DIRTY}" ]]; then
     export GIT_TREE_STATE=clean

hack/release-tools/tag-release.sh

@@ -26,6 +26,7 @@
 
 # - $VELERO_VERSION: defines the tag of Velero that any https://github.com/vmware-tanzu/velero/...
 #   links in the docs should redirect to.
+# - $REMOTE: defines the remote that should be used when pushing tags and branches. Defaults to "upstream"
 # - $publish: TRUE/FALSE value where FALSE (or not including it) will indicate a dry-run, and TRUE, or simply adding 'publish',
 #   will tag the release with the $VELERO_VERSION and push the tag to a remote named 'upstream'.
 # - $GITHUB_TOKEN: Needed to run the goreleaser process to generate a GitHub release. 
@@ -40,6 +41,9 @@
 # Directory in which the script itself resides, so we can use it for calling programs that are in the same directory.
 DIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" >/dev/null 2>&1 && pwd )"
 
+# Default to using upstream as the remote
+remote=${REMOTE:-upstream}
+
 # Parse out the branch we're on so we can switch back to it at the end of a dry-run, where we delete the tag. Requires git v1.8.1+
 upstream_branch=$(git symbolic-ref --short HEAD)
 
@@ -49,7 +53,7 @@ function tag_and_push() {
     
     if [[ $publish == "TRUE" ]]; then
         echo "Pushing $VELERO_VERSION"
-        git push upstream $VELERO_VERSION
+        git push "$remote" $VELERO_VERSION
     fi
 }
 
@@ -111,27 +115,41 @@ read -p "Ready to continue? "
 echo "Alright, let's go."
 
 echo "Pulling down all git tags and branches before doing any work."
-git fetch upstream --tags
+git fetch "$remote" --tags
 
 # $VELERO_PATCH gets populated by the chk_version.go scrip that parses and verifies the given version format 
 # If we've got a patch release, we'll need to create a release branch for it.
 if [[ "$VELERO_PATCH" > 0 ]]; then
     release_branch_name=release-$VELERO_MAJOR.$VELERO_MINOR
-  
-    # Check if the branch exists, creating it if not.
-    # The fetch command above should have gotten all the upstream branches, so we can safely assume this check is local & upstream branches.
-    if [[ -z $(git branch | grep $release_branch_name) ]]; then
-        git checkout -b $release_branch_name
-        echo "Release branch made."
+    remote_release_branch_name="$remote/$release_branch_name"
+
+    # Determine whether the local and remote release branches already exist
+    local_branch=$(git branch | grep "$release_branch_name")
+    remote_branch=$(git branch -r | grep "$remote_release_branch_name")
+
+    if [[ -n $remote_branch ]]; then
+      if [[ -z $local_branch ]]; then
+        # Remote branch exists, but does not exist locally. Checkout and track the remote branch.
+        git checkout --track "$remote_release_branch_name"
+      else
+        # Checkout the local release branch and ensure it is up to date with the remote
+        git checkout "$release_branch_name"
+        git pull --set-upstream "$remote" "$release_branch_name"
+      fi
     else
-        echo "Release branch $release_branch_name exists already."
+      if [[ -z $local_branch ]]; then
+        # Neither the remote or local release branch exists, create it
+        git checkout -b $release_branch_name
+      else
+        # The local branch exists so check it out.
         git checkout $release_branch_name
+      fi
     fi
 
     echo "Now you'll need to cherry-pick any relevant git commits into this release branch."
     echo "Either pause this script with ctrl-z, or open a new terminal window and do the cherry-picking."
     if [[ $publish == "TRUE" ]]; then
-        read -p "Press enter when you're done cherry-picking. THIS WILL MAKE A TAG PUSH THE BRANCH TO upstream"
+        read -p "Press enter when you're done cherry-picking. THIS WILL MAKE A TAG PUSH THE BRANCH TO $remote"
     else
         read -p "Press enter when you're done cherry-picking."
     fi
@@ -139,14 +157,14 @@ if [[ "$VELERO_PATCH" > 0 ]]; then
     # TODO can/should we add a way to review the cherry-picked commits before the push?
 
     if [[ $publish == "TRUE" ]]; then
-        echo "Pushing $release_branch_name to upstream remote"
-        git push --set-upstream upstream/$release_branch_name $release_branch_name
+        echo "Pushing $release_branch_name to \"$remote\" remote"
+        git push --set-upstream "$remote" $release_branch_name
     fi
-    
+
     tag_and_push
 else
-    echo "Checking out upstream/main."
-    git checkout upstream/main
+    echo "Checking out $remote/main."
+    git checkout "$remote"/main
 
     tag_and_push
 fi

hack/restore-crd-patch-v1.json

@@ -0,0 +1,3 @@
+[
+    { "op": "replace", "path": "/spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/hooks/properties/resources/items/properties/postHooks/items/properties/init/properties/initContainers/items/properties/ports/items/required", "value": [ "containerPort", "protocol"] }
+]

hack/test.sh

@@ -25,17 +25,18 @@ TARGETS=(
   ./cmd/...
   ./pkg/...
   ./internal/...
+  ./test/...
 )
 
 if [[ ${#@} -ne 0 ]]; then
   TARGETS=("$@")
 fi
 
-echo "Running tests:" "${TARGETS[@]}"
+echo "Running all short tests in:" "${TARGETS[@]}"
 
 if [[ -n "${GOFLAGS:-}" ]]; then
   echo "GOFLAGS: ${GOFLAGS}"
 fi
 
-go test -installsuffix "static" -timeout 60s "${TARGETS[@]}"
+go test -installsuffix "static" -short -timeout 60s "${TARGETS[@]}" 
 echo "Success!"

hack/update-generated-crd-code.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2017 the Velero contributors.
+# Copyright the Velero contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -44,21 +44,24 @@ ${GOPATH}/src/k8s.io/code-generator/generate-groups.sh \
   --output-base ../../.. \
   $@
 
-# Generate manifests e.g. CRD, RBAC etc.
-controller-gen \
-  crd:crdVersions=v1beta1,preserveUnknownFields=false,trivialVersions=true \
-  rbac:roleName=manager-role \
-  paths=./pkg/apis/velero/v1/... \
-  paths=./pkg/controller/... \
-  output:crd:artifacts:config=config/crd/bases
+# Generate both apiextensions.k8s.io/v1beta1 and apiextensions.k8s.io/v1
+for version in v1beta1 v1
+do
+  # Generate manifests e.g. CRD, RBAC etc.
+  controller-gen \
+    crd:crdVersions=$version,preserveUnknownFields=false,trivialVersions=true \
+    paths=./pkg/apis/velero/v1/... \
+    paths=./pkg/controller/... \
+    output:crd:artifacts:config=config/crd/$version/bases
 
-# this is a super hacky workaround for https://github.com/kubernetes/kubernetes/issues/91395
-# which a result of fixing the validation on CRD objects. The validation ensures the fields that are list map keys, are either marked
-# as required or have default values to ensure merging of list map items work as expected.
-# With "containerPort" and "protocol" being considered as x-kubernetes-list-map-keys in the container ports, and "protocol" was not
-# a required field, the CRD would fail validation with errors similar to the one reported in https://github.com/kubernetes/kubernetes/issues/91395.
-# once controller-gen (above) is able to generate CRDs with `protocol` as a required field, this hack can be removed.
-kubectl patch -f config/crd/bases/velero.io_restores.yaml -p "$(cat hack/restore-crd-patch.json)" --type=json --local=true  -o yaml > /tmp/velero.io_restores-yaml.patched
-mv /tmp/velero.io_restores-yaml.patched config/crd/bases/velero.io_restores.yaml
+  # this is a super hacky workaround for https://github.com/kubernetes/kubernetes/issues/91395
+  # which a result of fixing the validation on CRD objects. The validation ensures the fields that are list map keys, are either marked
+  # as required or have default values to ensure merging of list map items work as expected.
+  # With "containerPort" and "protocol" being considered as x-kubernetes-list-map-keys in the container ports, and "protocol" was not
+  # a required field, the CRD would fail validation with errors similar to the one reported in https://github.com/kubernetes/kubernetes/issues/91395.
+  # once controller-gen (above) is able to generate CRDs with `protocol` as a required field, this hack can be removed.
+  kubectl patch -f config/crd/$version/bases/velero.io_restores.yaml -p "$(cat hack/restore-crd-patch-$version.json)" --type=json --local=true -o yaml > /tmp/velero.io_restores-yaml.patched
+  mv /tmp/velero.io_restores-yaml.patched config/crd/$version/bases/velero.io_restores.yaml
 
-go generate ./config/crd/crds
+  go generate ./config/crd/$version/crds
+done

hack/verify-generated-crd-code.sh

@@ -1,6 +1,6 @@
 #!/bin/bash -e
 #
-# Copyright 2017 the Velero contributors.
+# Copyright the Velero contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,11 +19,14 @@ HACK_DIR=$(dirname "${BASH_SOURCE}")
 ${HACK_DIR}/update-generated-crd-code.sh --verify-only
 
 # ensure no changes to generated CRDs
-if ! git diff --exit-code config/crd/crds/crds.go >/dev/null; then
-  # revert changes to state before running CRD generation to stay consistent
-  # with code-generator `--verify-only` option which discards generated changes
-  git checkout config/crd
+for version in v1beta1 v1
+do
+  if ! git diff --exit-code config/crd/$version/crds/crds.go >/dev/null; then
+    # revert changes to state before running CRD generation to stay consistent
+    # with code-generator `--verify-only` option which discards generated changes
+    git checkout config/crd
 
-  echo "CRD verification - failed! Generated CRDs are out-of-date, please run 'make update' and 'git add' the generated file(s)."
-  exit 1
-fi
+    echo "CRD verification - failed! Generated CRDs are out-of-date, please run 'make update' and 'git add' the generated file(s)."
+    exit 1
+  fi
+done

internal/credentials/file_store.go

@@ -0,0 +1,88 @@
+/*
+Copyright the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+import (
+	"fmt"
+	"os"
+	"path/filepath"
+
+	"github.com/pkg/errors"
+	corev1api "k8s.io/api/core/v1"
+	kbclient "sigs.k8s.io/controller-runtime/pkg/client"
+
+	"github.com/vmware-tanzu/velero/pkg/util/filesystem"
+	"github.com/vmware-tanzu/velero/pkg/util/kube"
+)
+
+// FileStore defines operations for interacting with credentials
+// that are stored on a file system.
+type FileStore interface {
+	// Path returns a path on disk where the secret key defined by
+	// the given selector is serialized.
+	Path(selector *corev1api.SecretKeySelector) (string, error)
+}
+
+type namespacedFileStore struct {
+	client    kbclient.Client
+	namespace string
+	fsRoot    string
+	fs        filesystem.Interface
+}
+
+// NewNamespacedFileStore returns a FileStore which can interact with credentials
+// for the given namespace and will store them under the given fsRoot.
+func NewNamespacedFileStore(client kbclient.Client, namespace string, fsRoot string, fs filesystem.Interface) (FileStore, error) {
+	fsNamespaceRoot := filepath.Join(fsRoot, namespace)
+
+	if err := fs.MkdirAll(fsNamespaceRoot, 0755); err != nil {
+		return nil, err
+	}
+
+	return &namespacedFileStore{
+		client:    client,
+		namespace: namespace,
+		fsRoot:    fsNamespaceRoot,
+		fs:        fs,
+	}, nil
+}
+
+// Path returns a path on disk where the secret key defined by
+// the given selector is serialized.
+func (n *namespacedFileStore) Path(selector *corev1api.SecretKeySelector) (string, error) {
+	creds, err := kube.GetSecretKey(n.client, n.namespace, selector)
+	if err != nil {
+		return "", errors.Wrap(err, "unable to get key for secret")
+	}
+
+	keyFilePath := filepath.Join(n.fsRoot, fmt.Sprintf("%s-%s", selector.Name, selector.Key))
+
+	file, err := n.fs.OpenFile(keyFilePath, os.O_RDWR|os.O_CREATE, 0644)
+	if err != nil {
+		return "", errors.Wrap(err, "unable to open credentials file for writing")
+	}
+
+	if _, err := file.Write(creds); err != nil {
+		return "", errors.Wrap(err, "unable to write credentials to store")
+	}
+
+	if err := file.Close(); err != nil {
+		return "", errors.Wrap(err, "unable to close credentials file")
+	}
+
+	return keyFilePath, nil
+}

internal/credentials/file_store_test.go

@@ -0,0 +1,93 @@
+/*
+Copyright the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package credentials
+
+import (
+	"context"
+	"testing"
+
+	"github.com/stretchr/testify/require"
+	corev1 "k8s.io/api/core/v1"
+
+	"github.com/vmware-tanzu/velero/pkg/builder"
+	velerotest "github.com/vmware-tanzu/velero/pkg/test"
+)
+
+func TestNamespacedFileStore(t *testing.T) {
+	testCases := []struct {
+		name             string
+		namespace        string
+		fsRoot           string
+		secrets          []*corev1.Secret
+		secretSelector   *corev1.SecretKeySelector
+		wantErr          string
+		expectedPath     string
+		expectedContents string
+	}{
+		{
+			name:           "returns an error if the secret can't be found",
+			secretSelector: builder.ForSecretKeySelector("non-existent-secret", "secret-key").Result(),
+			wantErr:        "unable to get key for secret: secrets \"non-existent-secret\" not found",
+		},
+		{
+			name:           "returns a filepath formed using fsRoot, namespace, secret name and key, with secret contents",
+			namespace:      "ns1",
+			fsRoot:         "/tmp/credentials",
+			secretSelector: builder.ForSecretKeySelector("credential", "key2").Result(),
+			secrets: []*corev1.Secret{
+				builder.ForSecret("ns1", "credential").Data(map[string][]byte{
+					"key1": []byte("ns1-secretdata1"),
+					"key2": []byte("ns1-secretdata2"),
+					"key3": []byte("ns1-secretdata3"),
+				}).Result(),
+				builder.ForSecret("ns2", "credential").Data(map[string][]byte{
+					"key2": []byte("ns2-secretdata2"),
+				}).Result(),
+			},
+			expectedPath:     "/tmp/credentials/ns1/credential-key2",
+			expectedContents: "ns1-secretdata2",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			client := velerotest.NewFakeControllerRuntimeClient(t)
+
+			for _, secret := range tc.secrets {
+				require.NoError(t, client.Create(context.Background(), secret))
+			}
+
+			fs := velerotest.NewFakeFileSystem()
+			fileStore, err := NewNamespacedFileStore(client, tc.namespace, tc.fsRoot, fs)
+			require.NoError(t, err)
+
+			path, err := fileStore.Path(tc.secretSelector)
+
+			if tc.wantErr != "" {
+				require.EqualError(t, err, tc.wantErr)
+			} else {
+				require.NoError(t, err)
+			}
+
+			require.Equal(t, path, tc.expectedPath)
+
+			contents, err := fs.ReadFile(path)
+			require.NoError(t, err)
+			require.Equal(t, []byte(tc.expectedContents), contents)
+		})
+	}
+}

internal/hook/item_hook_handler.go

@@ -123,7 +123,7 @@ func (i *InitContainerRestoreHookHandler) HandleRestoreHooks(
 	// If this pod had pod volumes backed up using restic, then we want to the pod volumes restored prior to
 	// running the restore hook init containers. This allows the restore hook init containers to prepare the
 	// restored data to be consumed by the application container(s).
-	// So if there is a "resitc-wait" init container already on the pod at index 0, we'll preserve that and run
+	// So if there is a "restic-wait" init container already on the pod at index 0, we'll preserve that and run
 	// it before running any other init container.
 	if len(pod.Spec.InitContainers) > 0 && pod.Spec.InitContainers[0].Name == restic.InitContainer {
 		initContainers = append(initContainers, pod.Spec.InitContainers[0])
@@ -132,7 +132,7 @@ func (i *InitContainerRestoreHookHandler) HandleRestoreHooks(
 
 	hooksFromAnnotations := getInitRestoreHookFromAnnotation(kube.NamespaceAndName(pod), metadata.GetAnnotations(), log)
 	if hooksFromAnnotations != nil {
-		log.Infof("Handling InitRestoreHooks from pod annotaions")
+		log.Infof("Handling InitRestoreHooks from pod annotations")
 		initContainers = append(initContainers, hooksFromAnnotations.InitContainers...)
 	} else {
 		log.Infof("Handling InitRestoreHooks from RestoreSpec")
@@ -351,7 +351,7 @@ func getInitRestoreHookFromAnnotation(podName string, annotations map[string]str
 		return nil
 	}
 	if command == "" {
-		log.Infof("RestoreHook init contianer for pod %s is using container's default entrypoint", podName, containerImage)
+		log.Infof("RestoreHook init container for pod %s is using container's default entrypoint", podName, containerImage)
 	}
 	if containerName == "" {
 		uid, err := uuid.NewV4()