Add missing files

Namespace validation now allows asterisks used in namespace includes/excludes

.github/auto-assignees.yml

@@ -0,0 +1,39 @@
+---
+# This assigns a PR to its author
+addAssignees: author
+
+reviewers:
+  # The default reviewers
+  defaults:
+    - maintainers
+
+  groups:
+    maintainers:
+      - zubron
+      - dsu-igeek
+      - jenting
+      - sseago
+      - reasonerjt
+      - ywk253100
+
+    tech-writer:
+      - a-mccarthy
+
+files:
+  'site/**':
+    - tech-writer
+  '**/*.md':
+    - tech-writer
+  # Technical design requests are ".md" files but should
+  # be reviewed by maintainers
+  '/design/**':
+    - maintainers
+
+options:
+  ignore_draft: true
+  ignored_keywords:
+    - WIP
+    - wip
+    - DO NOT MERGE
+  enable_group_assignment: true
+  number_of_reviewers: 2

.github/auto_assign.yml

@@ -1,14 +0,0 @@
-addReviewers: true
-addAssignees: author
-
-# Only require 2, random reviewers.
-# TODO expand this to support using reviewGroups
-numberOfReviewers: 2
-
-reviewers:
-  - nrb
-  - ashish-amarnath
-  - carlisia
-  - zubron
-  - dsu-igeek
-  - jenting

.github/stale.yml

@@ -0,0 +1,38 @@
+# Number of days of inactivity before an issue becomes stale
+daysUntilStale: 60
+# Number of days of inactivity before a stale issue is closed
+daysUntilClose: 14
+# Issues with these labels will never be considered stale
+exemptLabels:
+  - Epic
+  - Area/CLI
+  - Area/Cloud/AWS
+  - Area/Cloud/Azure
+  - Area/Cloud/GCP
+  - Area/Cloud/vSphere
+  - Area/CSI
+  - Area/Design
+  - Area/Documentation
+  - Area/Plugins
+  - Enhancement/User
+  - kind/tech-debt
+  - Needs investigation
+  - P0 - Hair on fire
+  - P1 - Important
+  - P2 - Long-term important
+  - P3 - Wouldn't it be nice if...
+  - Product Requirements
+  - Restic - GA
+  - Restic
+  - release-blocker
+  - Security
+# Label to use when marking an issue as stale
+staleLabel: staled
+# Comment to post when marking an issue as stale. Set to `false` to disable
+markComment: >
+  This issue has been automatically marked as stale because it has not had
+  recent activity. It will be closed if no further activity occurs. Thank you
+  for your contributions.
+# Comment to post when closing a stale issue. Set to `false` to disable
+closeComment: >
+  Closing the stale issue.

.github/workflows/auto_assign_prs.yml

@@ -1,6 +1,8 @@
-name: "Auto Assign PR Reviewers"
-# pull_request_target means that this will run on pull requests, but in the context of the base repo.
-# This should mean PRs from forks are supported.
+---
+name: "Auto Assign Author"
+
+# pull_request_target means that this will run on pull requests, but in
+# the context of the base repo. This should mean PRs from forks are supported.
 on:
   pull_request_target:
     types: [opened, reopened, ready_for_review]
@@ -10,7 +12,8 @@ jobs:
   add-reviews:
     runs-on: ubuntu-latest
     steps:
-      - uses: kentaro-m/auto-assign-action@v1.1.1
+      - name: Set the author of a PR as the assignee
+        uses: kentaro-m/auto-assign-action@v1.1.1
         with:
-          configuration-path: ".github/auto_assign.yml"
-          repo-token: "${{ secrets.GITHUB_TOKEN }}"
+          configuration-path: ".github/auto-assignees.yml"
+          repo-token: "${{ secrets.GITHUB_TOKEN }}"

.github/workflows/auto_request_review.yml

@@ -0,0 +1,17 @@
+---
+name: "Auto Request Review"
+
+on:
+  pull_request_target:
+    types: [opened, ready_for_review, reopened]
+
+jobs:
+  auto-request-review:
+    name: Auto Request Review
+    runs-on: ubuntu-latest
+    steps:
+      - name: Request a PR review based on files types/paths, and/or groups the author belongs to
+        uses: necojackarc/auto-request-review@v0.7.0
+        with:
+          token: ${{ secrets.GITHUB_TOKEN }}
+          config: .github/auto-assignees.yml

.github/workflows/crds-verify-kind.yaml

@@ -11,6 +11,11 @@ jobs:
   build-cli:
     runs-on: ubuntu-latest
     steps:
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+        id: go
       # Look for a CLI that's made for this PR
       - name: Fetch built CLI
         id: cache
@@ -58,6 +63,8 @@ jobs:
           - 1.18.15
           - 1.19.7
           - 1.20.2
+          - 1.21.1
+          - 1.22.0
     # All steps run in parallel unless otherwise specified.
     # See https://docs.github.com/en/actions/learn-github-actions/managing-complex-workflows#creating-dependent-jobs
     steps:
@@ -75,6 +82,7 @@ jobs:
             velero-${{ github.event.pull_request.number }}-
       - uses: engineerd/setup-kind@v0.5.0
         with:
+          version: "v0.11.1"
           image: "kindest/node:v${{ matrix.k8s }}"
       - name: Install CRDs
         run: |

.github/workflows/e2e-test-kind.yaml

@@ -0,0 +1,124 @@
+name: "Run the E2E test on kind"
+on:
+  push:
+  pull_request:
+    # Do not run when the change only includes these directories.
+    paths-ignore:
+      - "site/**"
+      - "design/**"
+jobs:
+  # Build the Velero CLI and image once for all Kubernetes versions, and cache it so the fan-out workers can get it.
+  build:
+    runs-on: ubuntu-latest
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+        id: go
+      # Look for a CLI that's made for this PR
+      - name: Fetch built CLI
+        id: cli-cache
+        uses: actions/cache@v2
+        with:
+          path: ./_output/bin/linux/amd64/velero
+          # The cache key a combination of the current PR number and the commit SHA
+          key: velero-cli-${{ github.event.pull_request.number }}-${{ github.sha }}
+      - name: Fetch built image
+        id: image-cache
+        uses: actions/cache@v2
+        with:
+          path: ./velero.tar
+          # The cache key a combination of the current PR number and the commit SHA
+          key: velero-image-${{ github.event.pull_request.number }}-${{ github.sha }}
+      - name: Fetch cached go modules
+        uses: actions/cache@v2
+        if: steps.cli-cache.outputs.cache-hit != 'true'
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Check out the code
+        uses: actions/checkout@v2
+        if: steps.cli-cache.outputs.cache-hit != 'true' || steps.image-cache.outputs.cache-hit != 'true'
+      # If no binaries were built for this PR, build it now.
+      - name: Build Velero CLI
+        if: steps.cli-cache.outputs.cache-hit != 'true'
+        run: |
+          make local
+      # If no image were built for this PR, build it now.
+      - name: Build Velero Image
+        if: steps.image-cache.outputs.cache-hit != 'true'
+        run: |
+          IMAGE=velero VERSION=pr-test make container
+          docker save velero:pr-test -o ./velero.tar
+  # Run E2E test against all kubernetes versions on kind
+  run-e2e-test:
+    needs: build
+    runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        k8s:
+          # doesn't cover 1.15 as 1.15 doesn't support "apiextensions.k8s.io/v1" that is needed for the case
+          #- 1.15.12
+          - 1.16.15
+          - 1.17.17
+          - 1.18.15
+          - 1.19.7
+          - 1.20.2
+          - 1.21.1
+          - 1.22.0
+      fail-fast: false
+    steps:
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+        id: go
+      - name: Check out the code
+        uses: actions/checkout@v2
+      - name: Install MinIO
+        run:
+          docker run -d --rm -p 9000:9000 -e "MINIO_ACCESS_KEY=minio" -e "MINIO_SECRET_KEY=minio123" -e "MINIO_DEFAULT_BUCKETS=bucket,additional-bucket" bitnami/minio:2021.6.17-debian-10-r7
+      - uses: engineerd/setup-kind@v0.5.0
+        with:
+          version: "v0.11.1"
+          image: "kindest/node:v${{ matrix.k8s }}"
+      - name: Fetch built CLI
+        id: cli-cache
+        uses: actions/cache@v2
+        with:
+          path: ./_output/bin/linux/amd64/velero
+          key: velero-cli-${{ github.event.pull_request.number }}-${{ github.sha }}
+      - name: Fetch built Image
+        id: image-cache
+        uses: actions/cache@v2
+        with:
+          path: ./velero.tar
+          key: velero-image-${{ github.event.pull_request.number }}-${{ github.sha }}
+      - name: Load Velero Image
+        run:
+          kind load image-archive velero.tar
+      # always try to fetch the cached go modules as the e2e test needs it either
+      - name: Fetch cached go modules
+        uses: actions/cache@v2
+        with:
+          path: ~/go/pkg/mod
+          key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
+          restore-keys: |
+            ${{ runner.os }}-go-
+      - name: Run E2E test
+        run: |
+          cat << EOF > /tmp/credential
+          [default]
+          aws_access_key_id=minio
+          aws_secret_access_key=minio123
+          EOF
+          GOPATH=~/go CLOUD_PROVIDER=kind \
+              OBJECT_STORE_PROVIDER=aws BSL_CONFIG=region=minio,s3ForcePathStyle="true",s3Url=http://$(hostname -i):9000 \
+              CREDS_FILE=/tmp/credential BSL_BUCKET=bucket \
+              ADDITIONAL_OBJECT_STORE_PROVIDER=aws ADDITIONAL_BSL_CONFIG=region=minio,s3ForcePathStyle="true",s3Url=http://$(hostname -i):9000 \
+              ADDITIONAL_CREDS_FILE=/tmp/credential ADDITIONAL_BSL_BUCKET=additional-bucket \
+              GINKGO_FOCUS=Basic VELERO_IMAGE=velero:pr-test \
+              make -C test/e2e run

.github/workflows/pr-ci-check.yml

@@ -5,9 +5,13 @@ jobs:
     name: Run CI
     runs-on: ubuntu-latest
     steps:
+      - name: Set up Go
+        uses: actions/setup-go@v2
+        with:
+          go-version: 1.16
+        id: go
       - name: Check out the code
         uses: actions/checkout@v2
-
       - name: Fetch cached go modules
         uses: actions/cache@v2
         with:
@@ -15,6 +19,5 @@ jobs:
           key: ${{ runner.os }}-go-${{ hashFiles('**/go.sum') }}
           restore-keys: |
             ${{ runner.os }}-go-
-
       - name: Make ci
         run: make ci

.github/workflows/pr-codespell.yml

@@ -14,7 +14,7 @@ jobs:
       uses: codespell-project/actions-codespell@master
       with:
         # ignore the config/.../crd.go file as it's generated binary data that is edited elswhere.
-        skip: .git,*.png,*.jpg,*.woff,*.ttf,*.gif,*.ico,./config/crd/crds/crds.go
+        skip: .git,*.png,*.jpg,*.woff,*.ttf,*.gif,*.ico,./config/crd/v1beta1/crds/crds.go,./config/crd/v1/crds/crds.go
         ignore_words_list: iam,aks,ist,bridget,ue
         check_filenames: true
         check_hidden: true

.github/workflows/push.yml

@@ -16,7 +16,7 @@ jobs:
     - name: Set up Go
       uses: actions/setup-go@v2
       with:
-        go-version: 1.15
+        go-version: 1.16
       id: go
 
     - name: Check out code into the Go module directory

.gitignore

@@ -24,8 +24,6 @@ _testmain.go
 *.test
 *.prof
 
-debug
-
 /velero
 .idea/
 
@@ -49,4 +47,4 @@ tilt-resources/tilt-settings.json
 tilt-resources/velero_v1_backupstoragelocation.yaml
 tilt-resources/deployment.yaml
 tilt-resources/restic.yaml
-tilt-resources/cloud
+tilt-resources/cloud

.goreleaser.yml

@@ -41,7 +41,7 @@ builds:
       - goos: windows
         goarch: ppc64le
     ldflags:
-      - -X "github.com/vmware-tanzu/velero/pkg/buildinfo.Version={{ .Tag }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.GitSHA={{ .FullCommit }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.GitTreeState={{ .Env.GIT_TREE_STATE }}"
+      - -X "github.com/vmware-tanzu/velero/pkg/buildinfo.Version={{ .Tag }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.GitSHA={{ .FullCommit }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.GitTreeState={{ .Env.GIT_TREE_STATE }}" -X "github.com/vmware-tanzu/velero/pkg/buildinfo.ImageRegistry={{ .Env.REGISTRY }}"
 archives:
   - name_template: "{{ .ProjectName }}-{{ .Tag }}-{{ .Os }}-{{ .Arch }}"
     wrap_in_directory: true

ADOPTERS.md

@@ -13,6 +13,7 @@ If you're using Velero and want to add your organization to this list,
 <a href="https://banzaicloud.com/" border="0" target="_blank"><img alt="banzaicloud.com" src="site/static/img/adopters/banzaicloud.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
 <a href="https://sighup.io/" border="0" target="_blank"><img alt="sighup.io" src="site/static/img/adopters/sighup.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
 <a href="https://mayadata.io/" border="0" target="_blank"><img alt="mayadata.io" src="site/static/img/adopters/mayadata.svg" height="50"></a>&nbsp; &nbsp; &nbsp;
+<a href="https://www.replicated.com/" border="0" target="_blank"><img alt="replicated.com" src="site/static/img/adopters/replicated-logo-red.svg" height="50"></a>
 
 ## Success Stories
 
@@ -53,6 +54,9 @@ MayaData is a large user of Velero as well as a contributor. MayaData offers a D
 
 **[Okteto][93]**  
 Okteto integrates Velero in [Okteto Cloud][94] and [Okteto Enterprise][95] to periodically backup and restore our clusters for disaster recovery. Velero is also a core software building block to provide namespace cloning capabilities, a feature that allows our users cloning staging environments into their personal development namespace for providing production-like development environments.
+
+**[Replicated][100]**<br>
+Replicated uses the Velero open source project to enable snapshots in [KOTS][101] to backup Kubernetes manifests & persistent volumes. In addition to the default functionality that Velero provides, [KOTS][101] provides a detailed interface in the [Admin Console][102] that can be used to manage the storage destination and schedule, and to perform and monitor the backup and restore process.
 ​
 ## Adding your organization to the list of Velero Adopters
 
@@ -102,3 +106,7 @@ If you would like to add your logo to a future `Adopters of Velero` section on [
 [93]: https://okteto.com
 [94]: https://cloud.okteto.com
 [95]: https://okteto.com/enterprise/
+
+[100]: https://www.replicated.com
+[101]: https://kots.io
+[102]: https://kots.io/kotsadm/snapshots/overview/

CHANGELOG.md

@@ -1,7 +1,8 @@
 ## Current release:
-  * [CHANGELOG-1.6.md][16]
+  * [CHANGELOG-1.7.md][17]
 
 ## Older releases:
+  * [CHANGELOG-1.6.md][16]
   * [CHANGELOG-1.5.md][15]
   * [CHANGELOG-1.4.md][14]
   * [CHANGELOG-1.3.md][13]
@@ -19,6 +20,7 @@
   * [CHANGELOG-0.3.md][1]
 
 
+[17]: https://github.com/vmware-tanzu/velero/blob/main/changelogs/CHANGELOG-1.7.md
 [16]: https://github.com/vmware-tanzu/velero/blob/main/changelogs/CHANGELOG-1.6.md
 [15]: https://github.com/vmware-tanzu/velero/blob/main/changelogs/CHANGELOG-1.5.md
 [14]: https://github.com/vmware-tanzu/velero/blob/main/changelogs/CHANGELOG-1.4.md

Dockerfile

@@ -11,18 +11,19 @@
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
-FROM --platform=$BUILDPLATFORM golang:1.15 as builder-env
+FROM --platform=$BUILDPLATFORM golang:1.16 as builder-env
 
 ARG GOPROXY
 ARG PKG
 ARG VERSION
 ARG GIT_SHA
 ARG GIT_TREE_STATE
+ARG REGISTRY
 
 ENV CGO_ENABLED=0 \
     GO111MODULE=on \
     GOPROXY=${GOPROXY} \
-    LDFLAGS="-X ${PKG}/pkg/buildinfo.Version=${VERSION} -X ${PKG}/pkg/buildinfo.GitSHA=${GIT_SHA} -X ${PKG}/pkg/buildinfo.GitTreeState=${GIT_TREE_STATE}"
+    LDFLAGS="-X ${PKG}/pkg/buildinfo.Version=${VERSION} -X ${PKG}/pkg/buildinfo.GitSHA=${GIT_SHA} -X ${PKG}/pkg/buildinfo.GitTreeState=${GIT_TREE_STATE} -X ${PKG}/pkg/buildinfo.ImageRegistry=${REGISTRY}"
 
 WORKDIR /go/src/github.com/vmware-tanzu/velero
 
@@ -49,13 +50,11 @@ RUN mkdir -p /output/usr/bin && \
     go build -o /output/${BIN} \
     -ldflags "${LDFLAGS}" ${PKG}/cmd/${BIN}
 
-FROM ubuntu:focal
+FROM gcr.io/distroless/base-debian10:nonroot
 
 LABEL maintainer="Nolan Brubaker <brubakern@vmware.com>"
 
-RUN apt-get update && DEBIAN_FRONTEND=noninteractive apt-get install -qq -y ca-certificates tzdata && rm -rf /var/lib/apt/lists/*
-
 COPY --from=builder /output /
 
-USER nobody:nogroup
+USER nonroot:nonroot
 

MAINTAINERS.md

@@ -6,24 +6,29 @@
 
 | Maintainer | GitHub ID | Affiliation |
 | --------------- | --------- | ----------- |
-| Carlisia Thompson | [carlisia](https://github.com/carlisia) | [VMware](https://www.github.com/vmware/) |
-| Nolan Brubaker | [nrb](https://github.com/nrb) | [VMware](https://www.github.com/vmware/) |
-| Ashish Amarnath | [ashish-amarnath](https://github.com/ashish-amarnath) | [VMware](https://www.github.com/vmware/) |
 | Bridget McErlean | [zubron](https://github.com/zubron) | [VMware](https://www.github.com/vmware/) |
 | Dave Smith-Uchida | [dsu-igeek](https://github.com/dsu-igeek) | [VMware](https://www.github.com/vmware/) |
-| JenTing Hsiao | [jenting](https://github.com/jenting) | [SUSE](https://github.com/SUSE/) 
+| JenTing Hsiao | [jenting](https://github.com/jenting) | [SUSE](https://github.com/SUSE/)
+| Scott Seago | [sseago](https://github.com/sseago) | [OpenShift](https://github.com/openshift)
+| Daniel Jiang | [reasonerjt](https://github.com/reasonerjt) | [VMware](https://www.github.com/vmware/)
+| Wenkai Yin | [ywk253100](https://github.com/ywk253100) | [VMware](https://www.github.com/vmware/) |
 
 ## Emeritus Maintainers
 * Adnan Abdulhussein ([prydonius](https://github.com/prydonius))
 * Andy Goldstein ([ncdc](https://github.com/ncdc))
 * Steve Kriss ([skriss](https://github.com/skriss))
+* Carlos Panato ([cpanato](https://github.com/cpanato))
+* Nolan Brubaker ([nrb](https://github.com/nrb))
+* Ashish Amarnath ([ashish-amarnath](https://github.com/ashish-amarnath))
+* Carlisia Thompson ([carlisia](https://github.com/carlisia))
 
 ## Velero Contributors & Stakeholders
 
 | Feature Area | Lead |
 | ----------------------------- | :---------------------: |
-| Technical Lead | Nolan Brubaker (nrb) |
-| Kubernetes CSI Liaison | Nolan Brubaker (nrb), Ashish Amarnath (ashish-amarnath) |
-| Deployment | Carlisia Thompson (carlisia), Carlos Tadeu Panato Junior (cpanato), JenTing Hsiao (jenting) | 
+| Architect | Dave Smith-Uchida (dsu-igeek) |
+| Technical Lead | Daniel Jiang (reasonerjt) |
+| Kubernetes CSI Liaison |  |
+| Deployment | JenTing Hsiao (jenting) |
 | Community Management | Jonas Rosland (jonasrosland) |
-| Product Management | Michael Michael (michmike) |
+| Product Management | Eleanor Millman (eleanor-millman) |

Makefile

@@ -81,8 +81,8 @@ buildx not enabled, refusing to run this recipe
 see: https://velero.io/docs/main/build-from-source/#making-images-and-updating-velero for more info
 endef
 
-# The version of restic binary to be downloaded for power architecture
-RESTIC_VERSION ?= 0.12.0
+# The version of restic binary to be downloaded
+RESTIC_VERSION ?= 0.12.1
 
 CLI_PLATFORMS ?= linux-amd64 linux-arm linux-arm64 darwin-amd64 windows-amd64 linux-ppc64le
 BUILDX_PLATFORMS ?= $(subst -,/,$(ARCH))
@@ -110,7 +110,6 @@ GOPROXY ?= https://proxy.golang.org
 
 # If you want to build all binaries, see the 'all-build' rule.
 # If you want to build all containers, see the 'all-containers' rule.
-# If you want to build AND push all containers, see the 'all-push' rule.
 all:
 	@$(MAKE) build
 	@$(MAKE) build BIN=velero-restic-restore-helper
@@ -129,6 +128,7 @@ local: build-dirs
 	GOOS=$(GOOS) \
 	GOARCH=$(GOARCH) \
 	VERSION=$(VERSION) \
+	REGISTRY=$(REGISTRY) \
 	PKG=$(PKG) \
 	BIN=$(BIN) \
 	GIT_SHA=$(GIT_SHA) \
@@ -144,6 +144,7 @@ _output/bin/$(GOOS)/$(GOARCH)/$(BIN): build-dirs
 		GOOS=$(GOOS) \
 		GOARCH=$(GOARCH) \
 		VERSION=$(VERSION) \
+		REGISTRY=$(REGISTRY) \
 		PKG=$(PKG) \
 		BIN=$(BIN) \
 		GIT_SHA=$(GIT_SHA) \
@@ -186,6 +187,7 @@ endif
 	--build-arg=VERSION=$(VERSION) \
 	--build-arg=GIT_SHA=$(GIT_SHA) \
 	--build-arg=GIT_TREE_STATE=$(GIT_TREE_STATE) \
+	--build-arg=REGISTRY=$(REGISTRY) \
 	-f $(VELERO_DOCKERFILE) .
 
 container:
@@ -201,6 +203,7 @@ endif
 	--build-arg=VERSION=$(VERSION) \
 	--build-arg=GIT_SHA=$(GIT_SHA) \
 	--build-arg=GIT_TREE_STATE=$(GIT_TREE_STATE) \
+	--build-arg=REGISTRY=$(REGISTRY) \
 	--build-arg=RESTIC_VERSION=$(RESTIC_VERSION) \
 	-f $(VELERO_DOCKERFILE) .
 	@echo "container: $(IMAGE):$(VERSION)"
@@ -287,12 +290,12 @@ push-build-image:
 	@# this target will push the build-image it assumes you already have docker
 	@# credentials needed to accomplish this.
 	@# Pushing will be skipped if a custom Dockerfile was used to build the image.
-	ifneq "$(origin BUILDER_IMAGE_DOCKERFILE)" "file"
-		@echo "Dockerfile for builder image has been overridden"
-		@echo "Skipping push of custom image"
-	else
-		docker push $(BUILDER_IMAGE)
-	endif
+ifneq "$(origin BUILDER_IMAGE_DOCKERFILE)" "file"
+	@echo "Dockerfile for builder image has been overridden"
+	@echo "Skipping push of custom image"
+else
+	docker push $(BUILDER_IMAGE)
+endif
 
 build-image-hugo:
 	cd site && docker build --pull -t $(HUGO_IMAGE) .
@@ -346,6 +349,7 @@ release:
 		GITHUB_TOKEN=$(GITHUB_TOKEN) \
 		RELEASE_NOTES_FILE=$(RELEASE_NOTES_FILE) \
 		PUBLISH=$(PUBLISH) \
+		REGISTRY=$(REGISTRY) \
 		./hack/release-tools/goreleaser.sh'"
 
 serve-docs: build-image-hugo
@@ -362,4 +366,4 @@ gen-docs:
 
 .PHONY: test-e2e
 test-e2e: local
-	$(MAKE) -C test/e2e run
+	$(MAKE) -e VERSION=$(VERSION) -C test/e2e run

ROADMAP.md

@@ -15,55 +15,28 @@ We work with and rely on community feedback to focus our efforts to improve Vele
 The following table includes the current roadmap for Velero. If you have any questions or would like to contribute to Velero, please attend a [community meeting](https://velero.io/community/) to discuss with our team. If you don't know where to start, we are always looking for contributors that will help us reduce technical, automation, and documentation debt.
 Please take the timelines & dates as proposals and goals. Priorities and requirements change based on community feedback, roadblocks encountered, community contributions, etc. If you depend on a specific item, we encourage you to attend community meetings to get updated status information, or help us deliver that feature by contributing to Velero.
 
-`Last Updated: March 2021`
+`Last Updated: October 2021`
 
-#### 1.7.0 Roadmap
-The release roadmap is split into Core items that are required for the release, desired items that may be removed from the
-release and opportunistic items that will be added to the release if possible.
+#### 1.8.0 Roadmap (to be delivered January/February 2021)
 
-##### Core items
+|Issue|Description|Timeline|Notes|
+|---|---|---|---|
+|[4108](https://github.com/vmware-tanzu/velero/issues/4108), [4109](https://github.com/vmware-tanzu/velero/issues/4109)|Solution for CSI - Azure and AWS|2022 H1|Currently, Velero plugins for AWS and Azure cannot back up persistent volumes that were provisioned using the CSI driver. This will fix that.|
+|[3229](https://github.com/vmware-tanzu/velero/issues/3229),[4112](https://github.com/vmware-tanzu/velero/issues/4112)|Moving data mover functionality from the Velero Plugin for vSphere into Velero proper|2022 H1|This work is a precursor to decoupling the Astrolabe snapshotting infrastructure.|
+|[3533](https://github.com/vmware-tanzu/velero/issues/3533)|Upload Progress Monitoring|2022 H1|Finishing up the work done in the 1.7 timeframe. The data mover work depends on this.|
+|[1975](https://github.com/vmware-tanzu/velero/issues/1975)|Test dual stack mode|2022 H1|We already tested IPv6, but we want to confirm that dual stack mode works as well.|
+|[2082](https://github.com/vmware-tanzu/velero/issues/2082)|Delete Backup CRs on removing target location. |2022 H1||
+|[3516](https://github.com/vmware-tanzu/velero/issues/3516)|Restore issue with MutatingWebhookConfiguration v1beta1 API version|2022 H1||
+|[2308](https://github.com/vmware-tanzu/velero/issues/2308)|Restoring nodePort service that has nodePort preservation always fails if service already exists in the namespace|2022 H1||
+|[4115](https://github.com/vmware-tanzu/velero/issues/4115)|Support for multiple set of credentials for VolumeSnapshotLocations|2022 H1||
+|[1980](https://github.com/vmware-tanzu/velero/issues/1980)|Velero triggers backup immediately for scheduled backups|2022 H1||
+|[4067](https://github.com/vmware-tanzu/velero/issues/4067)|Pre and post backup and restore hooks|2022 H1||
+|[3742](https://github.com/vmware-tanzu/velero/issues/3742)|Carvel packaging for Velero for vSphere|2022 H1|AWS and Azure have been completed already.|
+|[3285](https://github.com/vmware-tanzu/velero/issues/3285)|Design doc for Velero plugin versioning|2022 H1||
+|[4231](https://github.com/vmware-tanzu/velero/issues/4231)|Technical health (prioritizing giving developers confidence and saving developers time)|2022 H1|More automated tests (especially the pre-release manual tests) and more automation of the running of tests.|
+|[4110](https://github.com/vmware-tanzu/velero/issues/4110)|Solution for CSI - GCP|2022 H1|Currently, the Velero plugin for GCP cannot back up persistent volumes that were provisioned using the CSI driver. This will fix that.|
+|[3742](https://github.com/vmware-tanzu/velero/issues/3742)|Carvel packaging for Velero for restic|2022 H1|AWS and Azure have been completed already.|
+|[3454](https://github.com/vmware-tanzu/velero/issues/3454),[4134](https://github.com/vmware-tanzu/velero/issues/4134),[4135](https://github.com/vmware-tanzu/velero/issues/4135)|Kubebuilder tech debt|2022 H1||
+|[4111](https://github.com/vmware-tanzu/velero/issues/4111)|Ignore items returned by ItemSnapshotter.AlsoHandles during backup|2022 H1|This will enable backup of complex objects, because we can then tell Velero to ignore things that were already backed up when Velero was previously called recursively.|
 
-|Issue|Description|
-|---|---|
-|[3493](https://github.com/vmware-tanzu/velero/issues/3493)|[Carvel](https://github.com/vmware-tanzu/velero/issues/3493) based installation (in addition to the existing *velero install* CLI).|
-|[3531](https://github.com/vmware-tanzu/velero/issues/3531)|Test plan for Velero|
-|[675](https://github.com/vmware-tanzu/velero/issues/675)|Velero command to generate debugging information.  Will integrate with [Crashd - Crash Diagnostics](https://github.com/vmware-tanzu/velero/issues/675)|
-|[2066](https://github.com/vmware-tanzu/velero/issues/2066)|CSI Snapshots GA|
-|[3285](https://github.com/vmware-tanzu/velero/issues/3285)|Support Velero plugin versioning|
-|[1975](https://github.com/vmware-tanzu/velero/issues/1975)|IPV6 support|
-
-
-
-##### Desired items
-|Issue|Description|
-|---|---|
-|[3533](https://github.com/vmware-tanzu/velero/issues/3533)|Upload Progress Monitoring|
-|[2922](https://github.com/vmware-tanzu/velero/issues/2922)|Plugin timeouts|
-|[3500](https://github.com/vmware-tanzu/velero/issues/3500)|Use distroless containers as a base|
-|[3535](https://github.com/vmware-tanzu/velero/issues/3535)|Design doc for multiple cluster support|
-|[3536](https://github.com/vmware-tanzu/velero/issues/3536)|Manifest for backup/restore|
-
-##### Opportunistic items
-|Issue|Description|
-|---|---|
-|Issues TBD|Controller migrations|
-
-#### Long term roadmap items
-|Theme|Description|Timeline|
-|---|---|---|
-|Restic Improvements|Introduce improvements in annotating resources for Restic backup|TBD|
-|Extensibility|Add restore hooks for enhanced recovery scenarios|TBD|
-|CSI|Continue improving the CSI snapshot capabilities and participate in the upstream K8s CSI community|1.7.0 + Long running (dependent on CSI working group)|
-|Backup/Restore|Improvements to long-running copy operations from a performance and reliability standpoint|1.7.0|
-|Quality/Reliability| Enable automated end-to-end testing |1.6.0|
-|UX|Improvements to install and configuration user experience|Dec 2020|
-|Restic Improvements|Improve the use of Restic in Velero and offer stable support|TBD|
-|Perf & Scale|Introduce a scalable model by using a worker pod for each backup/restore operation and improve operations|1.8.0|
-|Backup/Restore|Better backup and restore semantics for certain Kubernetes resources like stateful sets, operators|2.0|
-|Security|Enable the use of custom credential providers|1.6.0|
-|Self-Service & Multitenancy|Reduce friction by enabling developers to backup their namespaces via self-service. Introduce a Velero multi-tenancy model, enabling owners of namespaces to backup and restore within their access scope|TBD|
-|Backup/Restore|Cross availability zone or region backup and restore|TBD|
-|Application Consistency|Offer blueprints for backing up and restoring popular applications|TBD|
-|Backup/Restore|Data only backup and restore|TBD|
-|Backup/Restore|Introduce the ability to overwrite existing objects during a restore|TBD|
-|Backup/Restore|What-if dry run for backup and restore|1.7.0|
+Other work may make it into the 1.8 release, but this is the work that will be prioritized first.

Tiltfile

@@ -1,22 +1,22 @@
 # -*- mode: Python -*-
 
 k8s_yaml([
-    'config/crd/bases/velero.io_backups.yaml',
-    'config/crd/bases/velero.io_backupstoragelocations.yaml',
-    'config/crd/bases/velero.io_deletebackuprequests.yaml',
-    'config/crd/bases/velero.io_downloadrequests.yaml',
-    'config/crd/bases/velero.io_podvolumebackups.yaml',
-    'config/crd/bases/velero.io_podvolumerestores.yaml',
-    'config/crd/bases/velero.io_resticrepositories.yaml',
-    'config/crd/bases/velero.io_restores.yaml',
-    'config/crd/bases/velero.io_schedules.yaml',
-    'config/crd/bases/velero.io_serverstatusrequests.yaml',
-    'config/crd/bases/velero.io_volumesnapshotlocations.yaml',
+    'config/crd/v1/bases/velero.io_backups.yaml',
+    'config/crd/v1/bases/velero.io_backupstoragelocations.yaml',
+    'config/crd/v1/bases/velero.io_deletebackuprequests.yaml',
+    'config/crd/v1/bases/velero.io_downloadrequests.yaml',
+    'config/crd/v1/bases/velero.io_podvolumebackups.yaml',
+    'config/crd/v1/bases/velero.io_podvolumerestores.yaml',
+    'config/crd/v1/bases/velero.io_resticrepositories.yaml',
+    'config/crd/v1/bases/velero.io_restores.yaml',
+    'config/crd/v1/bases/velero.io_schedules.yaml',
+    'config/crd/v1/bases/velero.io_serverstatusrequests.yaml',
+    'config/crd/v1/bases/velero.io_volumesnapshotlocations.yaml',
 ])
 
 # default values
 settings = {
-    "default_registry": "",
+    "default_registry": "docker.io/velero",
     "enable_restic": False,
     "enable_debug": False,
     "debug_continue_on_start": True,  # Continue the velero process by default when in debug mode
@@ -50,7 +50,7 @@ git_sha = str(local("git rev-parse HEAD", quiet = True, echo_off = True)).strip(
 
 tilt_helper_dockerfile_header = """
 # Tilt image
-FROM golang:1.15.3 as tilt-helper
+FROM golang:1.16.6 as tilt-helper
 
 # Support live reloading with Tilt
 RUN wget --output-document /restart.sh --quiet https://raw.githubusercontent.com/windmilleng/rerun-process-wrapper/master/restart.sh  && \
@@ -90,14 +90,14 @@ def get_debug_flag():
 # Set up a local_resource build of the Velero binary. The binary is written to _tiltbuild/velero.
 local_resource(
     "velero_server_binary",
-    cmd = 'cd ' + '.' + ';mkdir -p _tiltbuild;PKG=. BIN=velero GOOS=linux GOARCH=amd64 GIT_SHA=' + git_sha + ' VERSION=main GIT_TREE_STATE=dirty OUTPUT_DIR=_tiltbuild ' + get_debug_flag() + ' ./hack/build.sh',
+    cmd = 'cd ' + '.' + ';mkdir -p _tiltbuild;PKG=. BIN=velero GOOS=linux GOARCH=amd64 GIT_SHA=' + git_sha + ' VERSION=main GIT_TREE_STATE=dirty OUTPUT_DIR=_tiltbuild ' + get_debug_flag() + ' REGISTRY=' + settings.get("default_registry") + ' ./hack/build.sh',
     deps = ["cmd", "internal", "pkg"],
     ignore = ["pkg/cmd"],
 )
 
 local_resource(
     "velero_local_binary",
-    cmd = 'cd ' + '.' + ';mkdir -p _tiltbuild/local;PKG=. BIN=velero GOOS=' + local_goos + ' GOARCH=amd64 GIT_SHA=' + git_sha + ' VERSION=main GIT_TREE_STATE=dirty OUTPUT_DIR=_tiltbuild/local ' + get_debug_flag() + ' ./hack/build.sh',
+    cmd = 'cd ' + '.' + ';mkdir -p _tiltbuild/local;PKG=. BIN=velero GOOS=' + local_goos + ' GOARCH=amd64 GIT_SHA=' + git_sha + ' VERSION=main GIT_TREE_STATE=dirty OUTPUT_DIR=_tiltbuild/local ' + get_debug_flag() + ' REGISTRY=' + settings.get("default_registry") + ' ./hack/build.sh',
     deps = ["internal", "pkg/cmd"],
 )
 

assets/README.md

@@ -0,0 +1,11 @@
+# Velero Assets
+
+This folder contains logo images for Velero in gray (for light backgrounds) and white (for dark backgrounds like black tshirts or dark mode!) – horizontal and stacked… in .eps and .svg.
+
+## Some general guidelines for usage
+
+• Don’t alter the logos/graphics: resize, reformat, recolor. Keep them intact.
+
+• Don’t separate the word mark (Velero) from the icon) – we are still building a strong name and identity – and the logo by itself doesn’t have any strong recognition or association with as yet: so best practice keep the two together. Nike kept its name with the swoosh for quite some time before the swoosh became iconic.
+
+• Don’t append the name to another brand – let it stand alone!

assets/one-line/199150-vmw-os-lgo-velero-final_gry.svg

@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 24.0.3, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_5" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 431.3 150" style="enable-background:new 0 0 431.3 150;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#FFFFFF;}
+	.st1{fill:none;}
+	.st2{fill:#009BDB;}
+	.st3{fill:#717074;}
+</style>
+<g>
+	<g>
+		<g>
+			<path class="st3" d="M196.6,55.8l-18.2,41.2h-5.1l-18.2-41.2h5.1l15.7,35.5l15.6-35.5H196.6z"/>
+			<path class="st3" d="M206.6,60.3v13.6h22.4v4.4h-22.4v14.3h24.8v4.4h-29.6V55.8h29.6v4.4H206.6z"/>
+			<path class="st3" d="M265.7,92.6v4.4h-27.2V55.8h4.7v36.8H265.7z"/>
+			<path class="st3" d="M275.7,60.3v13.6h22.4v4.4h-22.4v14.3h24.8v4.4H271V55.8h29.6v4.4H275.7z"/>
+			<path class="st3" d="M338,75.3c-1.1,1.9-2.6,3.4-4.6,4.6c-2,1.2-4.2,1.9-6.6,2.2l10.5,14.9H332l-10.4-14.8h-9.1v14.8h-4.7V55.8
+				h16.7c2.8,0,5.4,0.6,7.7,1.7c2.3,1.1,4.1,2.7,5.5,4.7c1.3,2,2,4.3,2,6.8C339.6,71.3,339.1,73.4,338,75.3z M312.4,77.8h11.2
+				c3.4,0,6.1-0.8,8.2-2.3c2.1-1.6,3.1-3.7,3.1-6.4c0-2.7-1-4.9-3.1-6.4c-2.1-1.6-4.8-2.3-8.2-2.3h-11.2V77.8z"/>
+			<path class="st3" d="M354.4,94.9c-3.3-1.9-5.8-4.5-7.8-7.8c-1.9-3.3-2.9-6.8-2.9-10.6c0-3.8,1-7.3,2.9-10.6
+				c1.9-3.3,4.5-5.9,7.8-7.8c3.3-1.9,6.8-2.9,10.5-2.9c3.8,0,7.2,1,10.5,2.9c3.2,1.9,5.8,4.5,7.7,7.8c1.9,3.3,2.9,6.8,2.9,10.6
+				c0,3.8-1,7.3-2.9,10.6c-1.9,3.3-4.5,5.9-7.7,7.8c-3.2,1.9-6.7,2.9-10.5,2.9C361.2,97.8,357.7,96.8,354.4,94.9z M373,91.1
+				c2.5-1.6,4.5-3.6,6-6.2c1.5-2.6,2.2-5.4,2.2-8.5c0-3-0.7-5.8-2.2-8.4c-1.5-2.6-3.5-4.7-6-6.2c-2.5-1.5-5.2-2.3-8.1-2.3
+				c-2.9,0-5.6,0.8-8.1,2.3c-2.5,1.5-4.5,3.6-6,6.2c-1.5,2.6-2.2,5.4-2.2,8.4c0,3,0.8,5.9,2.2,8.5c1.5,2.6,3.5,4.7,6,6.2
+				s5.2,2.3,8.1,2.3C367.8,93.5,370.5,92.7,373,91.1z"/>
+		</g>
+	</g>
+	<g>
+		<g>
+			<path class="st1" d="M132.2,77.1c0-0.7,0.1-1.4,0.1-2s0-1.4-0.1-2V77.1z"/>
+			<path class="st2" d="M117,109.3c-3.3,0-4.9,1.2-6.7,2.7c-2,1.6-4.2,3.4-8.6,3.4c-4.3,0-6.6-1.8-8.6-3.4c-1.8-1.4-3.4-2.7-6.7-2.7
+				c-3.3,0-4.9,1.2-6.7,2.7c-2,1.6-4.2,3.4-8.6,3.4c-4.3,0-6.6-1.8-8.6-3.4c-1.8-1.4-3.4-2.7-6.7-2.7c-3.3,0-4.9,1.2-6.7,2.7
+				c-1.3,1-2.7,2.2-4.8,2.8c8.3,7.3,18.9,12,30.5,13c0.3,0,0.6,0.1,1,0.1c1.1,0.1,2.3,0.1,3.4,0.1c1.2,0,2.3-0.1,3.4-0.1
+				c0.3,0,0.6,0,1-0.1c14.2-1.2,26.8-8,35.6-18.2C118.7,109.4,117.9,109.3,117,109.3z"/>
+			<path class="st2" d="M40.8,69.8c3.6,0,5.3-1.4,7.2-2.9c2-1.6,4-3.2,8-3.2s6.1,1.6,8,3.2c1.9,1.5,3.6,2.9,7.2,2.9
+				c3.6,0,5.3-1.4,7.2-2.9c2-1.6,4-3.2,8-3.2c4,0,6.1,1.6,8,3.2c1.9,1.5,3.6,2.9,7.2,2.9c3.6,0,5.3-1.4,7.2-2.9c2-1.6,4-3.2,8-3.2
+				c4,0,6.1,1.6,8,3.2c1.8,1.5,3.6,2.8,7,2.9c-0.5-4.8-1.6-9.5-3.3-13.8c-1.8-0.6-3.1-1.6-4.4-2.6c-1.9-1.5-3.7-2.9-7.4-2.9
+				c-3.7,0-5.5,1.4-7.4,2.9c-1.9,1.5-3.9,3.1-7.9,3.1c-4,0-5.9-1.6-7.9-3.1c-1.9-1.5-3.7-2.9-7.4-2.9c-3.7,0-5.5,1.4-7.4,2.9
+				c-1.9,1.5-3.9,3.1-7.9,3.1c-4,0-5.9-1.6-7.9-3.1c-1.9-1.5-3.7-2.9-7.4-2.9c-3.7,0-5.5,1.4-7.4,2.9c-1.9,1.5-3.9,3.1-7.9,3.1
+				c-4,0-5.9-1.6-7.9-3.1c-0.4-0.3-0.9-0.7-1.3-1c-1.7,3.6-3.1,7.5-3.9,11.6c2.7,0.5,4.3,1.7,5.9,3C35.5,68.4,37.2,69.8,40.8,69.8z"
+				/>
+			<path class="st2" d="M40.8,55.7c3.7,0,5.5-1.4,7.4-2.9c1.9-1.5,3.9-3.1,7.9-3.1c4,0,5.9,1.6,7.9,3.1c1.9,1.5,3.7,2.9,7.4,2.9
+				c3.7,0,5.5-1.4,7.4-2.9c1.9-1.5,3.9-3.1,7.9-3.1c4,0,5.9,1.6,7.9,3.1c1.9,1.5,3.7,2.9,7.4,2.9c3.7,0,5.5-1.4,7.4-2.9
+				c1.9-1.5,3.9-3.1,7.9-3.1c4,0,5.9,1.6,7.9,3.1c1.1,0.8,2.1,1.7,3.4,2.2c-7.9-19.2-26.9-32.8-48.9-32.8c-20.8,0-38.7,12-47.4,29.5
+				c0.5,0.4,1,0.7,1.4,1.1C35.3,54.2,37.1,55.7,40.8,55.7z"/>
+			<path class="st2" d="M117,94.6c-3.4,0-5,1.3-6.8,2.8c-1.9,1.5-4.1,3.3-8.4,3.3c-4.2,0-6.4-1.7-8.4-3.3c-1.9-1.5-3.5-2.8-6.8-2.8
+				c-3.4,0-5,1.3-6.8,2.8c-1.9,1.5-4.1,3.3-8.4,3.3c-4.2,0-6.4-1.7-8.4-3.3c-1.9-1.5-3.5-2.8-6.8-2.8c-3.4,0-5,1.3-6.8,2.8
+				c-1.9,1.5-4.1,3.3-8.4,3.3c-4.2,0-6.4-1.7-8.4-3.3c-0.5-0.4-1-0.8-1.5-1.1c2.6,6,6.3,11.4,10.9,16c2.6-0.2,4-1.4,5.6-2.6
+				c2-1.6,4.2-3.4,8.6-3.4s6.6,1.8,8.6,3.4c1.8,1.4,3.4,2.7,6.7,2.7c3.3,0,4.9-1.2,6.7-2.7c2-1.6,4.2-3.4,8.6-3.4
+				c4.3,0,6.6,1.8,8.6,3.4c1.8,1.4,3.4,2.7,6.7,2.7c3.3,0,4.9-1.2,6.7-2.7c2-1.6,4.2-3.4,8.6-3.4c1.8,0,3.3,0.3,4.5,0.8
+				c1.9-2.5,3.5-5.1,5-7.9c-1-0.6-1.8-1.2-2.6-1.8C122,95.8,120.3,94.6,117,94.6z"/>
+			<path class="st2" d="M132.1,71.2c-4,0-6-1.6-8-3.2c-1.9-1.5-3.6-2.9-7.2-2.9c-3.6,0-5.3,1.4-7.2,2.9c-2,1.6-4,3.2-8,3.2
+				c-4,0-6.1-1.6-8-3.2c-1.9-1.5-3.6-2.9-7.2-2.9c-3.6,0-5.3,1.4-7.2,2.9c-2,1.6-4,3.2-8,3.2c-4,0-6.1-1.6-8-3.2
+				c-1.9-1.5-3.6-2.9-7.2-2.9c-3.6,0-5.3,1.4-7.2,2.9c-2,1.6-4,3.2-8,3.2c-4,0-6.1-1.6-8-3.2c-1.5-1.2-3-2.3-5.3-2.7
+				c-0.5,2.5-0.8,5.1-0.9,7.7c0,0.7-0.1,1.4-0.1,2c0,0.7,0,1.4,0.1,2c0,0.3,0,0.6,0,0.9c3.5,0.3,5.4,1.8,7.2,3.2
+				c1.8,1.4,3.5,2.8,7,2.8c3.5,0,5.2-1.4,7-2.8c1.9-1.5,4.1-3.2,8.2-3.2s6.3,1.7,8.2,3.2c1.8,1.4,3.5,2.8,7,2.8c3.5,0,5.2-1.4,7-2.8
+				c1.9-1.5,4.1-3.2,8.2-3.2c4.1,0,6.3,1.7,8.2,3.2c1.8,1.4,3.5,2.8,7,2.8c3.5,0,5.2-1.4,7-2.8c1.9-1.5,4.1-3.2,8.2-3.2
+				c4.1,0,6.3,1.7,8.2,3.2c1.7,1.3,3.3,2.6,6.3,2.8c0.3-1.6,0.5-3.2,0.6-4.9c0-0.6,0.1-1.3,0.1-1.9V73
+				C132.2,72.4,132.1,71.2,132.1,71.2z"/>
+			<path class="st2" d="M117,79.9c-3.5,0-5.2,1.4-7,2.8c-1.9,1.5-4.1,3.2-8.2,3.2c-4.1,0-6.3-1.7-8.2-3.2c-1.8-1.4-3.5-2.8-7-2.8
+				c-3.5,0-5.2,1.4-7,2.8c-1.9,1.5-4.1,3.2-8.2,3.2c-4.1,0-6.3-1.7-8.2-3.2c-1.8-1.4-3.5-2.8-7-2.8c-3.5,0-5.2,1.4-7,2.8
+				c-1.9,1.5-4.1,3.2-8.2,3.2c-4.1,0-6.3-1.7-8.2-3.2c-1.6-1.3-3.1-2.5-5.8-2.8c0.4,4.5,1.4,8.7,2.8,12.8c1.9,0.6,3.2,1.7,4.4,2.7
+				c1.9,1.5,3.5,2.8,6.8,2.8c3.4,0,5-1.3,6.8-2.8c1.9-1.5,4.1-3.3,8.4-3.3c4.2,0,6.4,1.7,8.4,3.3c1.9,1.5,3.5,2.8,6.8,2.8
+				c3.4,0,5-1.3,6.8-2.8c1.9-1.5,4.1-3.3,8.4-3.3c4.2,0,6.4,1.7,8.4,3.3c1.9,1.5,3.5,2.8,6.8,2.8c3.4,0,5-1.3,6.8-2.8
+				c1.9-1.5,4.1-3.3,8.4-3.3c4.2,0,6.4,1.7,8.4,3.3c0.7,0.6,1.4,1.1,2.2,1.6c1.6-3.5,2.8-7.2,3.6-11.1c-3.5-0.3-5.4-1.8-7.2-3.2
+				C122.2,81.2,120.4,79.9,117,79.9z"/>
+			<path class="st0" d="M108.4,109.6c-1.8,1.4-3.4,2.7-6.7,2.7c-3.3,0-4.9-1.2-6.7-2.7c-2-1.6-4.2-3.4-8.6-3.4
+				c-4.3,0-6.6,1.8-8.6,3.4c-1.8,1.4-3.4,2.7-6.7,2.7c-3.3,0-4.9-1.2-6.7-2.7c-2-1.6-4.2-3.4-8.6-3.4s-6.6,1.8-8.6,3.4
+				c-1.6,1.3-3,2.4-5.6,2.6c0.9,0.9,1.8,1.7,2.7,2.5c2.1-0.6,3.5-1.8,4.8-2.8c1.8-1.4,3.4-2.7,6.7-2.7c3.3,0,4.9,1.2,6.7,2.7
+				c2,1.6,4.2,3.4,8.6,3.4c4.3,0,6.6-1.8,8.6-3.4c1.8-1.4,3.4-2.7,6.7-2.7c3.3,0,4.9,1.2,6.7,2.7c2,1.6,4.2,3.4,8.6,3.4
+				c4.3,0,6.6-1.8,8.6-3.4c1.8-1.4,3.4-2.7,6.7-2.7c0.9,0,1.7,0.1,2.4,0.3c0.7-0.8,1.4-1.7,2-2.5c-1.2-0.5-2.7-0.8-4.5-0.8
+				C112.6,106.2,110.4,108,108.4,109.6z"/>
+			<path class="st0" d="M117,92.1c-4.2,0-6.4,1.7-8.4,3.3c-1.9,1.5-3.5,2.8-6.8,2.8c-3.4,0-5-1.3-6.8-2.8c-1.9-1.5-4.1-3.3-8.4-3.3
+				c-4.2,0-6.4,1.7-8.4,3.3c-1.9,1.5-3.5,2.8-6.8,2.8c-3.4,0-5-1.3-6.8-2.8c-1.9-1.5-4.1-3.3-8.4-3.3c-4.2,0-6.4,1.7-8.4,3.3
+				c-1.9,1.5-3.5,2.8-6.8,2.8c-3.4,0-5-1.3-6.8-2.8c-1.2-1-2.5-2-4.4-2.7c0.4,1.2,0.9,2.3,1.4,3.5c0.5,0.3,1,0.7,1.5,1.1
+				c1.9,1.5,4.1,3.3,8.4,3.3c4.2,0,6.4-1.7,8.4-3.3c1.9-1.5,3.5-2.8,6.8-2.8c3.4,0,5,1.3,6.8,2.8c1.9,1.5,4.1,3.3,8.4,3.3
+				c4.2,0,6.4-1.7,8.4-3.3c1.9-1.5,3.5-2.8,6.8-2.8c3.4,0,5,1.3,6.8,2.8c1.9,1.5,4.1,3.3,8.4,3.3c4.2,0,6.4-1.7,8.4-3.3
+				c1.9-1.5,3.5-2.8,6.8-2.8c3.4,0,5,1.3,6.8,2.8c0.8,0.6,1.6,1.3,2.6,1.8c0.4-0.7,0.7-1.5,1.1-2.2c-0.8-0.4-1.4-1-2.2-1.6
+				C123.4,93.8,121.2,92.1,117,92.1z"/>
+			<path class="st0" d="M117,77.9c-4.1,0-6.3,1.7-8.2,3.2c-1.8,1.4-3.5,2.8-7,2.8c-3.5,0-5.2-1.4-7-2.8c-1.9-1.5-4.1-3.2-8.2-3.2
+				c-4.1,0-6.3,1.7-8.2,3.2c-1.8,1.4-3.5,2.8-7,2.8c-3.5,0-5.2-1.4-7-2.8c-1.9-1.5-4.1-3.2-8.2-3.2c-4.1,0-6.3,1.7-8.2,3.2
+				c-1.8,1.4-3.5,2.8-7,2.8c-3.5,0-5.2-1.4-7-2.8c-1.7-1.4-3.7-2.9-7.2-3.2c0,0.6,0.1,1.3,0.1,1.9c2.7,0.3,4.2,1.5,5.8,2.8
+				c1.9,1.5,4.1,3.2,8.2,3.2c4.1,0,6.3-1.7,8.2-3.2c1.8-1.4,3.5-2.8,7-2.8c3.5,0,5.2,1.4,7,2.8c1.9,1.5,4.1,3.2,8.2,3.2
+				c4.1,0,6.3-1.7,8.2-3.2c1.8-1.4,3.5-2.8,7-2.8c3.5,0,5.2,1.4,7,2.8c1.9,1.5,4.1,3.2,8.2,3.2c4.1,0,6.3-1.7,8.2-3.2
+				c1.8-1.4,3.5-2.8,7-2.8c3.5,0,5.2,1.4,7,2.8c1.7,1.4,3.7,2.9,7.2,3.2c0.1-0.6,0.2-1.3,0.3-1.9c-3-0.2-4.6-1.4-6.3-2.8
+				C123.3,79.6,121.1,77.9,117,77.9z"/>
+			<path class="st0" d="M40.8,71.2c4,0,6.1-1.6,8-3.2c1.9-1.5,3.6-2.9,7.2-2.9c3.6,0,5.3,1.4,7.2,2.9c2,1.6,4,3.2,8,3.2
+				c4,0,6.1-1.6,8-3.2c1.9-1.5,3.6-2.9,7.2-2.9c3.6,0,5.3,1.4,7.2,2.9c2,1.6,4,3.2,8,3.2c4,0,6.1-1.6,8-3.2c1.9-1.5,3.6-2.9,7.2-2.9
+				c3.6,0,5.3,1.4,7.2,2.9c1.9,1.5,4,3.1,8,3.2l0-0.1c0-0.4-0.1-0.8-0.1-1.3c-3.4-0.1-5.2-1.4-7-2.9c-2-1.6-4-3.2-8-3.2
+				c-4,0-6.1,1.6-8,3.2c-1.9,1.5-3.6,2.9-7.2,2.9c-3.6,0-5.3-1.4-7.2-2.9c-2-1.6-4-3.2-8-3.2c-4,0-6.1,1.6-8,3.2
+				c-1.9,1.5-3.6,2.9-7.2,2.9c-3.6,0-5.3-1.4-7.2-2.9c-2-1.6-4-3.2-8-3.2s-6.1,1.6-8,3.2c-1.9,1.5-3.6,2.9-7.2,2.9
+				c-3.6,0-5.3-1.4-7.2-2.9c-1.6-1.3-3.2-2.5-5.9-3c-0.1,0.4-0.2,0.9-0.3,1.3c2.4,0.4,3.8,1.5,5.3,2.7
+				C34.7,69.6,36.7,71.2,40.8,71.2z"/>
+			<path class="st0" d="M40.8,56.5c4,0,5.9-1.6,7.9-3.1c1.9-1.5,3.7-2.9,7.4-2.9c3.7,0,5.5,1.4,7.4,2.9c1.9,1.5,3.9,3.1,7.9,3.1
+				c4,0,5.9-1.6,7.9-3.1c1.9-1.5,3.7-2.9,7.4-2.9c3.7,0,5.5,1.4,7.4,2.9c1.9,1.5,3.9,3.1,7.9,3.1c4,0,5.9-1.6,7.9-3.1
+				c1.9-1.5,3.7-2.9,7.4-2.9c3.7,0,5.5,1.4,7.4,2.9c1.3,1,2.5,2,4.4,2.6c-0.1-0.3-0.3-0.7-0.4-1c-1.3-0.6-2.4-1.4-3.4-2.2
+				c-1.9-1.5-3.9-3.1-7.9-3.1c-4,0-5.9,1.6-7.9,3.1c-1.9,1.5-3.7,2.9-7.4,2.9c-3.7,0-5.5-1.4-7.4-2.9c-1.9-1.5-3.9-3.1-7.9-3.1
+				c-4,0-5.9,1.6-7.9,3.1c-1.9,1.5-3.7,2.9-7.4,2.9c-3.7,0-5.5-1.4-7.4-2.9C62,51.2,60,49.6,56,49.6c-4,0-5.9,1.6-7.9,3.1
+				c-1.9,1.5-3.7,2.9-7.4,2.9c-3.7,0-5.5-1.4-7.4-2.9C33,52.4,32.5,52,32,51.6c-0.1,0.2-0.3,0.5-0.4,0.8c0.4,0.3,0.9,0.6,1.3,1
+				C34.8,54.9,36.8,56.5,40.8,56.5z"/>
+		</g>
+	</g>
+</g>
+</svg>

assets/one-line/199150-vmw-os-lgo-velero-final_wht.svg

@@ -0,0 +1,105 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 24.0.3, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_5" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 431.3 150" style="enable-background:new 0 0 431.3 150;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#FFFFFF;}
+	.st1{fill:none;}
+	.st2{fill:#009BDB;}
+	.st3{fill:#717074;}
+</style>
+<g>
+	<g>
+		<g>
+			<path class="st0" d="M196.6,55.8l-18.2,41.2h-5.1l-18.2-41.2h5.1l15.7,35.5l15.6-35.5H196.6z"/>
+			<path class="st0" d="M206.6,60.3v13.6h22.4v4.4h-22.4v14.3h24.8v4.4h-29.6V55.8h29.6v4.4H206.6z"/>
+			<path class="st0" d="M265.7,92.6v4.4h-27.2V55.8h4.7v36.8H265.7z"/>
+			<path class="st0" d="M275.7,60.3v13.6h22.4v4.4h-22.4v14.3h24.8v4.4H271V55.8h29.6v4.4H275.7z"/>
+			<path class="st0" d="M338,75.3c-1.1,1.9-2.6,3.4-4.6,4.6c-2,1.2-4.2,1.9-6.6,2.2l10.5,14.9H332l-10.4-14.8h-9.1v14.8h-4.7V55.8
+				h16.7c2.8,0,5.4,0.6,7.7,1.7c2.3,1.1,4.1,2.7,5.5,4.7c1.3,2,2,4.3,2,6.8C339.6,71.3,339.1,73.4,338,75.3z M312.4,77.8h11.2
+				c3.4,0,6.1-0.8,8.2-2.3c2.1-1.6,3.1-3.7,3.1-6.4c0-2.7-1-4.9-3.1-6.4c-2.1-1.6-4.8-2.3-8.2-2.3h-11.2V77.8z"/>
+			<path class="st0" d="M354.4,94.9c-3.3-1.9-5.8-4.5-7.8-7.8c-1.9-3.3-2.9-6.8-2.9-10.6c0-3.8,1-7.3,2.9-10.6
+				c1.9-3.3,4.5-5.9,7.8-7.8c3.3-1.9,6.8-2.9,10.5-2.9c3.8,0,7.2,1,10.5,2.9c3.2,1.9,5.8,4.5,7.7,7.8c1.9,3.3,2.9,6.8,2.9,10.6
+				c0,3.8-1,7.3-2.9,10.6c-1.9,3.3-4.5,5.9-7.7,7.8c-3.2,1.9-6.7,2.9-10.5,2.9C361.2,97.8,357.7,96.8,354.4,94.9z M373,91.1
+				c2.5-1.6,4.5-3.6,6-6.2c1.5-2.6,2.2-5.4,2.2-8.5c0-3-0.7-5.8-2.2-8.4c-1.5-2.6-3.5-4.7-6-6.2c-2.5-1.5-5.2-2.3-8.1-2.3
+				c-2.9,0-5.6,0.8-8.1,2.3c-2.5,1.5-4.5,3.6-6,6.2c-1.5,2.6-2.2,5.4-2.2,8.4c0,3,0.8,5.9,2.2,8.5c1.5,2.6,3.5,4.7,6,6.2
+				s5.2,2.3,8.1,2.3C367.8,93.5,370.5,92.7,373,91.1z"/>
+		</g>
+	</g>
+	<g>
+		<g>
+			<path class="st1" d="M132.2,77.1c0-0.7,0.1-1.4,0.1-2s0-1.4-0.1-2V77.1z"/>
+			<path class="st2" d="M117,109.3c-3.3,0-4.9,1.2-6.7,2.7c-2,1.6-4.2,3.4-8.6,3.4c-4.3,0-6.6-1.8-8.6-3.4c-1.8-1.4-3.4-2.7-6.7-2.7
+				c-3.3,0-4.9,1.2-6.7,2.7c-2,1.6-4.2,3.4-8.6,3.4c-4.3,0-6.6-1.8-8.6-3.4c-1.8-1.4-3.4-2.7-6.7-2.7c-3.3,0-4.9,1.2-6.7,2.7
+				c-1.3,1-2.7,2.2-4.8,2.8c8.3,7.3,18.9,12,30.5,13c0.3,0,0.6,0.1,1,0.1c1.1,0.1,2.3,0.1,3.4,0.1c1.2,0,2.3-0.1,3.4-0.1
+				c0.3,0,0.6,0,1-0.1c14.2-1.2,26.8-8,35.6-18.2C118.7,109.4,117.9,109.3,117,109.3z"/>
+			<path class="st2" d="M40.8,69.8c3.6,0,5.3-1.4,7.2-2.9c2-1.6,4-3.2,8-3.2s6.1,1.6,8,3.2c1.9,1.5,3.6,2.9,7.2,2.9
+				c3.6,0,5.3-1.4,7.2-2.9c2-1.6,4-3.2,8-3.2c4,0,6.1,1.6,8,3.2c1.9,1.5,3.6,2.9,7.2,2.9c3.6,0,5.3-1.4,7.2-2.9c2-1.6,4-3.2,8-3.2
+				c4,0,6.1,1.6,8,3.2c1.8,1.5,3.6,2.8,7,2.9c-0.5-4.8-1.6-9.5-3.3-13.8c-1.8-0.6-3.1-1.6-4.4-2.6c-1.9-1.5-3.7-2.9-7.4-2.9
+				c-3.7,0-5.5,1.4-7.4,2.9c-1.9,1.5-3.9,3.1-7.9,3.1c-4,0-5.9-1.6-7.9-3.1c-1.9-1.5-3.7-2.9-7.4-2.9c-3.7,0-5.5,1.4-7.4,2.9
+				c-1.9,1.5-3.9,3.1-7.9,3.1c-4,0-5.9-1.6-7.9-3.1c-1.9-1.5-3.7-2.9-7.4-2.9c-3.7,0-5.5,1.4-7.4,2.9c-1.9,1.5-3.9,3.1-7.9,3.1
+				c-4,0-5.9-1.6-7.9-3.1c-0.4-0.3-0.9-0.7-1.3-1c-1.7,3.6-3.1,7.5-3.9,11.6c2.7,0.5,4.3,1.7,5.9,3C35.5,68.4,37.2,69.8,40.8,69.8z"
+				/>
+			<path class="st2" d="M40.8,55.7c3.7,0,5.5-1.4,7.4-2.9c1.9-1.5,3.9-3.1,7.9-3.1c4,0,5.9,1.6,7.9,3.1c1.9,1.5,3.7,2.9,7.4,2.9
+				c3.7,0,5.5-1.4,7.4-2.9c1.9-1.5,3.9-3.1,7.9-3.1c4,0,5.9,1.6,7.9,3.1c1.9,1.5,3.7,2.9,7.4,2.9c3.7,0,5.5-1.4,7.4-2.9
+				c1.9-1.5,3.9-3.1,7.9-3.1c4,0,5.9,1.6,7.9,3.1c1.1,0.8,2.1,1.7,3.4,2.2c-7.9-19.2-26.9-32.8-48.9-32.8c-20.8,0-38.7,12-47.4,29.5
+				c0.5,0.4,1,0.7,1.4,1.1C35.3,54.2,37.1,55.7,40.8,55.7z"/>
+			<path class="st2" d="M117,94.6c-3.4,0-5,1.3-6.8,2.8c-1.9,1.5-4.1,3.3-8.4,3.3c-4.2,0-6.4-1.7-8.4-3.3c-1.9-1.5-3.5-2.8-6.8-2.8
+				c-3.4,0-5,1.3-6.8,2.8c-1.9,1.5-4.1,3.3-8.4,3.3c-4.2,0-6.4-1.7-8.4-3.3c-1.9-1.5-3.5-2.8-6.8-2.8c-3.4,0-5,1.3-6.8,2.8
+				c-1.9,1.5-4.1,3.3-8.4,3.3c-4.2,0-6.4-1.7-8.4-3.3c-0.5-0.4-1-0.8-1.5-1.1c2.6,6,6.3,11.4,10.9,16c2.6-0.2,4-1.4,5.6-2.6
+				c2-1.6,4.2-3.4,8.6-3.4s6.6,1.8,8.6,3.4c1.8,1.4,3.4,2.7,6.7,2.7c3.3,0,4.9-1.2,6.7-2.7c2-1.6,4.2-3.4,8.6-3.4
+				c4.3,0,6.6,1.8,8.6,3.4c1.8,1.4,3.4,2.7,6.7,2.7c3.3,0,4.9-1.2,6.7-2.7c2-1.6,4.2-3.4,8.6-3.4c1.8,0,3.3,0.3,4.5,0.8
+				c1.9-2.5,3.5-5.1,5-7.9c-1-0.6-1.8-1.2-2.6-1.8C122,95.8,120.3,94.6,117,94.6z"/>
+			<path class="st2" d="M132.1,71.2c-4,0-6-1.6-8-3.2c-1.9-1.5-3.6-2.9-7.2-2.9c-3.6,0-5.3,1.4-7.2,2.9c-2,1.6-4,3.2-8,3.2
+				c-4,0-6.1-1.6-8-3.2c-1.9-1.5-3.6-2.9-7.2-2.9c-3.6,0-5.3,1.4-7.2,2.9c-2,1.6-4,3.2-8,3.2c-4,0-6.1-1.6-8-3.2
+				c-1.9-1.5-3.6-2.9-7.2-2.9c-3.6,0-5.3,1.4-7.2,2.9c-2,1.6-4,3.2-8,3.2c-4,0-6.1-1.6-8-3.2c-1.5-1.2-3-2.3-5.3-2.7
+				c-0.5,2.5-0.8,5.1-0.9,7.7c0,0.7-0.1,1.4-0.1,2c0,0.7,0,1.4,0.1,2c0,0.3,0,0.6,0,0.9c3.5,0.3,5.4,1.8,7.2,3.2
+				c1.8,1.4,3.5,2.8,7,2.8c3.5,0,5.2-1.4,7-2.8c1.9-1.5,4.1-3.2,8.2-3.2s6.3,1.7,8.2,3.2c1.8,1.4,3.5,2.8,7,2.8c3.5,0,5.2-1.4,7-2.8
+				c1.9-1.5,4.1-3.2,8.2-3.2c4.1,0,6.3,1.7,8.2,3.2c1.8,1.4,3.5,2.8,7,2.8c3.5,0,5.2-1.4,7-2.8c1.9-1.5,4.1-3.2,8.2-3.2
+				c4.1,0,6.3,1.7,8.2,3.2c1.7,1.3,3.3,2.6,6.3,2.8c0.3-1.6,0.5-3.2,0.6-4.9c0-0.6,0.1-1.3,0.1-1.9V73
+				C132.2,72.4,132.1,71.2,132.1,71.2z"/>
+			<path class="st2" d="M117,79.9c-3.5,0-5.2,1.4-7,2.8c-1.9,1.5-4.1,3.2-8.2,3.2c-4.1,0-6.3-1.7-8.2-3.2c-1.8-1.4-3.5-2.8-7-2.8
+				c-3.5,0-5.2,1.4-7,2.8c-1.9,1.5-4.1,3.2-8.2,3.2c-4.1,0-6.3-1.7-8.2-3.2c-1.8-1.4-3.5-2.8-7-2.8c-3.5,0-5.2,1.4-7,2.8
+				c-1.9,1.5-4.1,3.2-8.2,3.2c-4.1,0-6.3-1.7-8.2-3.2c-1.6-1.3-3.1-2.5-5.8-2.8c0.4,4.5,1.4,8.7,2.8,12.8c1.9,0.6,3.2,1.7,4.4,2.7
+				c1.9,1.5,3.5,2.8,6.8,2.8c3.4,0,5-1.3,6.8-2.8c1.9-1.5,4.1-3.3,8.4-3.3c4.2,0,6.4,1.7,8.4,3.3c1.9,1.5,3.5,2.8,6.8,2.8
+				c3.4,0,5-1.3,6.8-2.8c1.9-1.5,4.1-3.3,8.4-3.3c4.2,0,6.4,1.7,8.4,3.3c1.9,1.5,3.5,2.8,6.8,2.8c3.4,0,5-1.3,6.8-2.8
+				c1.9-1.5,4.1-3.3,8.4-3.3c4.2,0,6.4,1.7,8.4,3.3c0.7,0.6,1.4,1.1,2.2,1.6c1.6-3.5,2.8-7.2,3.6-11.1c-3.5-0.3-5.4-1.8-7.2-3.2
+				C122.2,81.2,120.4,79.9,117,79.9z"/>
+			<path class="st0" d="M108.4,109.6c-1.8,1.4-3.4,2.7-6.7,2.7c-3.3,0-4.9-1.2-6.7-2.7c-2-1.6-4.2-3.4-8.6-3.4
+				c-4.3,0-6.6,1.8-8.6,3.4c-1.8,1.4-3.4,2.7-6.7,2.7c-3.3,0-4.9-1.2-6.7-2.7c-2-1.6-4.2-3.4-8.6-3.4s-6.6,1.8-8.6,3.4
+				c-1.6,1.3-3,2.4-5.6,2.6c0.9,0.9,1.8,1.7,2.7,2.5c2.1-0.6,3.5-1.8,4.8-2.8c1.8-1.4,3.4-2.7,6.7-2.7c3.3,0,4.9,1.2,6.7,2.7
+				c2,1.6,4.2,3.4,8.6,3.4c4.3,0,6.6-1.8,8.6-3.4c1.8-1.4,3.4-2.7,6.7-2.7c3.3,0,4.9,1.2,6.7,2.7c2,1.6,4.2,3.4,8.6,3.4
+				c4.3,0,6.6-1.8,8.6-3.4c1.8-1.4,3.4-2.7,6.7-2.7c0.9,0,1.7,0.1,2.4,0.3c0.7-0.8,1.4-1.7,2-2.5c-1.2-0.5-2.7-0.8-4.5-0.8
+				C112.6,106.2,110.4,108,108.4,109.6z"/>
+			<path class="st0" d="M117,92.1c-4.2,0-6.4,1.7-8.4,3.3c-1.9,1.5-3.5,2.8-6.8,2.8c-3.4,0-5-1.3-6.8-2.8c-1.9-1.5-4.1-3.3-8.4-3.3
+				c-4.2,0-6.4,1.7-8.4,3.3c-1.9,1.5-3.5,2.8-6.8,2.8c-3.4,0-5-1.3-6.8-2.8c-1.9-1.5-4.1-3.3-8.4-3.3c-4.2,0-6.4,1.7-8.4,3.3
+				c-1.9,1.5-3.5,2.8-6.8,2.8c-3.4,0-5-1.3-6.8-2.8c-1.2-1-2.5-2-4.4-2.7c0.4,1.2,0.9,2.3,1.4,3.5c0.5,0.3,1,0.7,1.5,1.1
+				c1.9,1.5,4.1,3.3,8.4,3.3c4.2,0,6.4-1.7,8.4-3.3c1.9-1.5,3.5-2.8,6.8-2.8c3.4,0,5,1.3,6.8,2.8c1.9,1.5,4.1,3.3,8.4,3.3
+				c4.2,0,6.4-1.7,8.4-3.3c1.9-1.5,3.5-2.8,6.8-2.8c3.4,0,5,1.3,6.8,2.8c1.9,1.5,4.1,3.3,8.4,3.3c4.2,0,6.4-1.7,8.4-3.3
+				c1.9-1.5,3.5-2.8,6.8-2.8c3.4,0,5,1.3,6.8,2.8c0.8,0.6,1.6,1.3,2.6,1.8c0.4-0.7,0.7-1.5,1.1-2.2c-0.8-0.4-1.4-1-2.2-1.6
+				C123.4,93.8,121.2,92.1,117,92.1z"/>
+			<path class="st0" d="M117,77.9c-4.1,0-6.3,1.7-8.2,3.2c-1.8,1.4-3.5,2.8-7,2.8c-3.5,0-5.2-1.4-7-2.8c-1.9-1.5-4.1-3.2-8.2-3.2
+				c-4.1,0-6.3,1.7-8.2,3.2c-1.8,1.4-3.5,2.8-7,2.8c-3.5,0-5.2-1.4-7-2.8c-1.9-1.5-4.1-3.2-8.2-3.2c-4.1,0-6.3,1.7-8.2,3.2
+				c-1.8,1.4-3.5,2.8-7,2.8c-3.5,0-5.2-1.4-7-2.8c-1.7-1.4-3.7-2.9-7.2-3.2c0,0.6,0.1,1.3,0.1,1.9c2.7,0.3,4.2,1.5,5.8,2.8
+				c1.9,1.5,4.1,3.2,8.2,3.2c4.1,0,6.3-1.7,8.2-3.2c1.8-1.4,3.5-2.8,7-2.8c3.5,0,5.2,1.4,7,2.8c1.9,1.5,4.1,3.2,8.2,3.2
+				c4.1,0,6.3-1.7,8.2-3.2c1.8-1.4,3.5-2.8,7-2.8c3.5,0,5.2,1.4,7,2.8c1.9,1.5,4.1,3.2,8.2,3.2c4.1,0,6.3-1.7,8.2-3.2
+				c1.8-1.4,3.5-2.8,7-2.8c3.5,0,5.2,1.4,7,2.8c1.7,1.4,3.7,2.9,7.2,3.2c0.1-0.6,0.2-1.3,0.3-1.9c-3-0.2-4.6-1.4-6.3-2.8
+				C123.3,79.6,121.1,77.9,117,77.9z"/>
+			<path class="st0" d="M40.8,71.2c4,0,6.1-1.6,8-3.2c1.9-1.5,3.6-2.9,7.2-2.9c3.6,0,5.3,1.4,7.2,2.9c2,1.6,4,3.2,8,3.2
+				c4,0,6.1-1.6,8-3.2c1.9-1.5,3.6-2.9,7.2-2.9c3.6,0,5.3,1.4,7.2,2.9c2,1.6,4,3.2,8,3.2c4,0,6.1-1.6,8-3.2c1.9-1.5,3.6-2.9,7.2-2.9
+				c3.6,0,5.3,1.4,7.2,2.9c1.9,1.5,4,3.1,8,3.2l0-0.1c0-0.4-0.1-0.8-0.1-1.3c-3.4-0.1-5.2-1.4-7-2.9c-2-1.6-4-3.2-8-3.2
+				c-4,0-6.1,1.6-8,3.2c-1.9,1.5-3.6,2.9-7.2,2.9c-3.6,0-5.3-1.4-7.2-2.9c-2-1.6-4-3.2-8-3.2c-4,0-6.1,1.6-8,3.2
+				c-1.9,1.5-3.6,2.9-7.2,2.9c-3.6,0-5.3-1.4-7.2-2.9c-2-1.6-4-3.2-8-3.2s-6.1,1.6-8,3.2c-1.9,1.5-3.6,2.9-7.2,2.9
+				c-3.6,0-5.3-1.4-7.2-2.9c-1.6-1.3-3.2-2.5-5.9-3c-0.1,0.4-0.2,0.9-0.3,1.3c2.4,0.4,3.8,1.5,5.3,2.7
+				C34.7,69.6,36.7,71.2,40.8,71.2z"/>
+			<path class="st0" d="M40.8,56.5c4,0,5.9-1.6,7.9-3.1c1.9-1.5,3.7-2.9,7.4-2.9c3.7,0,5.5,1.4,7.4,2.9c1.9,1.5,3.9,3.1,7.9,3.1
+				c4,0,5.9-1.6,7.9-3.1c1.9-1.5,3.7-2.9,7.4-2.9c3.7,0,5.5,1.4,7.4,2.9c1.9,1.5,3.9,3.1,7.9,3.1c4,0,5.9-1.6,7.9-3.1
+				c1.9-1.5,3.7-2.9,7.4-2.9c3.7,0,5.5,1.4,7.4,2.9c1.3,1,2.5,2,4.4,2.6c-0.1-0.3-0.3-0.7-0.4-1c-1.3-0.6-2.4-1.4-3.4-2.2
+				c-1.9-1.5-3.9-3.1-7.9-3.1c-4,0-5.9,1.6-7.9,3.1c-1.9,1.5-3.7,2.9-7.4,2.9c-3.7,0-5.5-1.4-7.4-2.9c-1.9-1.5-3.9-3.1-7.9-3.1
+				c-4,0-5.9,1.6-7.9,3.1c-1.9,1.5-3.7,2.9-7.4,2.9c-3.7,0-5.5-1.4-7.4-2.9C62,51.2,60,49.6,56,49.6c-4,0-5.9,1.6-7.9,3.1
+				c-1.9,1.5-3.7,2.9-7.4,2.9c-3.7,0-5.5-1.4-7.4-2.9C33,52.4,32.5,52,32,51.6c-0.1,0.2-0.3,0.5-0.4,0.8c0.4,0.3,0.9,0.6,1.3,1
+				C34.8,54.9,36.8,56.5,40.8,56.5z"/>
+		</g>
+	</g>
+</g>
+</svg>

assets/stacked/199150-vmw-os-lgo-velero-final_stacked-gry.svg

@@ -0,0 +1,103 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 24.0.3, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_5" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 311.5 245.2" style="enable-background:new 0 0 311.5 245.2;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#FFFFFF;}
+	.st1{fill:none;}
+	.st2{fill:#009BDB;}
+	.st3{fill:#717074;}
+</style>
+<g>
+	<g>
+		<path class="st1" d="M211.5,83.4c0-0.7,0.1-1.4,0.1-2c0-0.7,0-1.4-0.1-2V83.4z"/>
+		<path class="st2" d="M196.3,115.5c-3.3,0-4.9,1.2-6.7,2.7c-2,1.6-4.2,3.4-8.6,3.4c-4.3,0-6.6-1.8-8.6-3.4
+			c-1.8-1.4-3.4-2.7-6.7-2.7c-3.3,0-4.9,1.2-6.7,2.7c-2,1.6-4.2,3.4-8.6,3.4c-4.3,0-6.6-1.8-8.6-3.4c-1.8-1.4-3.4-2.7-6.7-2.7
+			s-4.9,1.2-6.7,2.7c-1.3,1-2.7,2.2-4.8,2.8c8.3,7.3,18.9,12,30.5,13c0.3,0,0.6,0.1,1,0.1c1.1,0.1,2.3,0.1,3.4,0.1
+			c1.2,0,2.3-0.1,3.4-0.1c0.3,0,0.6,0,1-0.1c14.2-1.2,26.8-8,35.6-18.2C198,115.7,197.2,115.5,196.3,115.5z"/>
+		<path class="st2" d="M120.1,76.1c3.6,0,5.3-1.4,7.2-2.9c2-1.6,4-3.2,8-3.2c4,0,6.1,1.6,8,3.2c1.9,1.5,3.6,2.9,7.2,2.9
+			c3.6,0,5.3-1.4,7.2-2.9c2-1.6,4-3.2,8-3.2c4,0,6.1,1.6,8,3.2c1.9,1.5,3.6,2.9,7.2,2.9c3.6,0,5.3-1.4,7.2-2.9c2-1.6,4-3.2,8-3.2
+			c4,0,6.1,1.6,8,3.2c1.8,1.5,3.6,2.8,7,2.9c-0.5-4.8-1.6-9.5-3.3-13.8c-1.8-0.6-3.1-1.6-4.4-2.6c-1.9-1.5-3.7-2.9-7.4-2.9
+			c-3.7,0-5.5,1.4-7.4,2.9c-1.9,1.5-3.9,3.1-7.9,3.1c-4,0-5.9-1.6-7.9-3.1c-1.9-1.5-3.7-2.9-7.4-2.9c-3.7,0-5.5,1.4-7.4,2.9
+			c-1.9,1.5-3.9,3.1-7.9,3.1c-4,0-5.9-1.6-7.9-3.1c-1.9-1.5-3.7-2.9-7.4-2.9s-5.5,1.4-7.4,2.9c-1.9,1.5-3.9,3.1-7.9,3.1
+			c-4,0-5.9-1.6-7.9-3.1c-0.4-0.3-0.9-0.7-1.3-1c-1.7,3.6-3.1,7.5-3.9,11.6c2.7,0.5,4.3,1.7,5.9,3C114.8,74.7,116.5,76.1,120.1,76.1
+			z"/>
+		<path class="st2" d="M120.1,61.9c3.7,0,5.5-1.4,7.4-2.9c1.9-1.5,3.9-3.1,7.9-3.1c4,0,5.9,1.6,7.9,3.1c1.9,1.5,3.7,2.9,7.4,2.9
+			c3.7,0,5.5-1.4,7.4-2.9c1.9-1.5,3.9-3.1,7.9-3.1c4,0,5.9,1.6,7.9,3.1c1.9,1.5,3.7,2.9,7.4,2.9c3.7,0,5.5-1.4,7.4-2.9
+			c1.9-1.5,3.9-3.1,7.9-3.1c4,0,5.9,1.6,7.9,3.1c1.1,0.8,2.1,1.7,3.4,2.2c-7.9-19.2-26.9-32.8-48.9-32.8c-20.8,0-38.7,12-47.4,29.5
+			c0.5,0.4,1,0.7,1.4,1.1C114.6,60.5,116.4,61.9,120.1,61.9z"/>
+		<path class="st2" d="M196.3,100.8c-3.4,0-5,1.3-6.8,2.8c-1.9,1.5-4.1,3.3-8.4,3.3c-4.2,0-6.4-1.7-8.4-3.3
+			c-1.9-1.5-3.5-2.8-6.8-2.8c-3.4,0-5,1.3-6.8,2.8c-1.9,1.5-4.1,3.3-8.4,3.3c-4.2,0-6.4-1.7-8.4-3.3c-1.9-1.5-3.5-2.8-6.8-2.8
+			c-3.4,0-5,1.3-6.8,2.8c-1.9,1.5-4.1,3.3-8.4,3.3c-4.2,0-6.4-1.7-8.4-3.3c-0.5-0.4-1-0.8-1.5-1.1c2.6,6,6.3,11.4,10.9,16
+			c2.6-0.2,4-1.4,5.6-2.6c2-1.6,4.2-3.4,8.6-3.4c4.3,0,6.6,1.8,8.6,3.4c1.8,1.4,3.4,2.7,6.7,2.7c3.3,0,4.9-1.2,6.7-2.7
+			c2-1.6,4.2-3.4,8.6-3.4c4.3,0,6.6,1.8,8.6,3.4c1.8,1.4,3.4,2.7,6.7,2.7c3.3,0,4.9-1.2,6.7-2.7c2-1.6,4.2-3.4,8.6-3.4
+			c1.8,0,3.3,0.3,4.5,0.8c1.9-2.5,3.5-5.1,5-7.9c-1-0.6-1.8-1.2-2.6-1.8C201.3,102.1,199.6,100.8,196.3,100.8z"/>
+		<path class="st2" d="M211.4,77.5c-4,0-6-1.6-8-3.2c-1.9-1.5-3.6-2.9-7.2-2.9c-3.6,0-5.3,1.4-7.2,2.9c-2,1.6-4,3.2-8,3.2
+			c-4,0-6.1-1.6-8-3.2c-1.9-1.5-3.6-2.9-7.2-2.9c-3.6,0-5.3,1.4-7.2,2.9c-2,1.6-4,3.2-8,3.2c-4,0-6.1-1.6-8-3.2
+			c-1.9-1.5-3.6-2.9-7.2-2.9c-3.6,0-5.3,1.4-7.2,2.9c-2,1.6-4,3.2-8,3.2c-4,0-6.1-1.6-8-3.2c-1.5-1.2-3-2.3-5.3-2.7
+			c-0.5,2.5-0.8,5.1-0.9,7.7c0,0.7-0.1,1.4-0.1,2c0,0.7,0,1.4,0.1,2c0,0.3,0,0.6,0,0.9c3.5,0.3,5.4,1.8,7.2,3.2
+			c1.8,1.4,3.5,2.8,7,2.8c3.5,0,5.2-1.4,7-2.8c1.9-1.5,4.1-3.2,8.2-3.2s6.3,1.7,8.2,3.2c1.8,1.4,3.5,2.8,7,2.8c3.5,0,5.2-1.4,7-2.8
+			c1.9-1.5,4.1-3.2,8.2-3.2c4.1,0,6.3,1.7,8.2,3.2c1.8,1.4,3.5,2.8,7,2.8c3.5,0,5.2-1.4,7-2.8c1.9-1.5,4.1-3.2,8.2-3.2
+			c4.1,0,6.3,1.7,8.2,3.2c1.7,1.3,3.3,2.6,6.3,2.8c0.3-1.6,0.5-3.2,0.6-4.9c0-0.6,0.1-1.3,0.1-1.9v-4.1
+			C211.5,78.6,211.4,77.5,211.4,77.5z"/>
+		<path class="st2" d="M196.3,86.1c-3.5,0-5.2,1.4-7,2.8c-1.9,1.5-4.1,3.2-8.2,3.2c-4.1,0-6.3-1.7-8.2-3.2c-1.8-1.4-3.5-2.8-7-2.8
+			c-3.5,0-5.2,1.4-7,2.8c-1.9,1.5-4.1,3.2-8.2,3.2c-4.1,0-6.3-1.7-8.2-3.2c-1.8-1.4-3.5-2.8-7-2.8c-3.5,0-5.2,1.4-7,2.8
+			c-1.9,1.5-4.1,3.2-8.2,3.2c-4.1,0-6.3-1.7-8.2-3.2c-1.6-1.3-3.1-2.5-5.8-2.8c0.4,4.5,1.4,8.7,2.8,12.8c1.9,0.6,3.2,1.7,4.4,2.7
+			c1.9,1.5,3.5,2.8,6.8,2.8c3.4,0,5-1.3,6.8-2.8c1.9-1.5,4.1-3.3,8.4-3.3c4.2,0,6.4,1.7,8.4,3.3c1.9,1.5,3.5,2.8,6.8,2.8
+			c3.4,0,5-1.3,6.8-2.8c1.9-1.5,4.1-3.3,8.4-3.3c4.2,0,6.4,1.7,8.4,3.3c1.9,1.5,3.5,2.8,6.8,2.8c3.4,0,5-1.3,6.8-2.8
+			c1.9-1.5,4.1-3.3,8.4-3.3c4.2,0,6.4,1.7,8.4,3.3c0.7,0.6,1.4,1.1,2.2,1.6c1.6-3.5,2.8-7.2,3.6-11.1c-3.5-0.3-5.4-1.8-7.2-3.2
+			C201.5,87.5,199.7,86.1,196.3,86.1z"/>
+		<path class="st0" d="M187.7,115.9c-1.8,1.4-3.4,2.7-6.7,2.7c-3.3,0-4.9-1.2-6.7-2.7c-2-1.6-4.2-3.4-8.6-3.4
+			c-4.3,0-6.6,1.8-8.6,3.4c-1.8,1.4-3.4,2.7-6.7,2.7c-3.3,0-4.9-1.2-6.7-2.7c-2-1.6-4.2-3.4-8.6-3.4c-4.3,0-6.6,1.8-8.6,3.4
+			c-1.6,1.3-3,2.4-5.6,2.6c0.9,0.9,1.8,1.7,2.7,2.5c2.1-0.6,3.5-1.8,4.8-2.8c1.8-1.4,3.4-2.7,6.7-2.7c3.3,0,4.9,1.2,6.7,2.7
+			c2,1.6,4.2,3.4,8.6,3.4c4.3,0,6.6-1.8,8.6-3.4c1.8-1.4,3.4-2.7,6.7-2.7c3.3,0,4.9,1.2,6.7,2.7c2,1.6,4.2,3.4,8.6,3.4
+			c4.3,0,6.6-1.8,8.6-3.4c1.8-1.4,3.4-2.7,6.7-2.7c0.9,0,1.7,0.1,2.4,0.3c0.7-0.8,1.4-1.7,2-2.5c-1.2-0.5-2.7-0.8-4.5-0.8
+			C191.9,112.5,189.7,114.3,187.7,115.9z"/>
+		<path class="st0" d="M196.3,98.4c-4.2,0-6.4,1.7-8.4,3.3c-1.9,1.5-3.5,2.8-6.8,2.8c-3.4,0-5-1.3-6.8-2.8c-1.9-1.5-4.1-3.3-8.4-3.3
+			c-4.2,0-6.4,1.7-8.4,3.3c-1.9,1.5-3.5,2.8-6.8,2.8c-3.4,0-5-1.3-6.8-2.8c-1.9-1.5-4.1-3.3-8.4-3.3c-4.2,0-6.4,1.7-8.4,3.3
+			c-1.9,1.5-3.5,2.8-6.8,2.8c-3.4,0-5-1.3-6.8-2.8c-1.2-1-2.5-2-4.4-2.7c0.4,1.2,0.9,2.3,1.4,3.5c0.5,0.3,1,0.7,1.5,1.1
+			c1.9,1.5,4.1,3.3,8.4,3.3c4.2,0,6.4-1.7,8.4-3.3c1.9-1.5,3.5-2.8,6.8-2.8c3.4,0,5,1.3,6.8,2.8c1.9,1.5,4.1,3.3,8.4,3.3
+			c4.2,0,6.4-1.7,8.4-3.3c1.9-1.5,3.5-2.8,6.8-2.8c3.4,0,5,1.3,6.8,2.8c1.9,1.5,4.1,3.3,8.4,3.3c4.2,0,6.4-1.7,8.4-3.3
+			c1.9-1.5,3.5-2.8,6.8-2.8c3.4,0,5,1.3,6.8,2.8c0.8,0.6,1.6,1.3,2.6,1.8c0.4-0.7,0.7-1.5,1.1-2.2c-0.8-0.4-1.4-1-2.2-1.6
+			C202.7,100.1,200.5,98.4,196.3,98.4z"/>
+		<path class="st0" d="M196.3,84.2c-4.1,0-6.3,1.7-8.2,3.2c-1.8,1.4-3.5,2.8-7,2.8c-3.5,0-5.2-1.4-7-2.8c-1.9-1.5-4.1-3.2-8.2-3.2
+			c-4.1,0-6.3,1.7-8.2,3.2c-1.8,1.4-3.5,2.8-7,2.8c-3.5,0-5.2-1.4-7-2.8c-1.9-1.5-4.1-3.2-8.2-3.2c-4.1,0-6.3,1.7-8.2,3.2
+			c-1.8,1.4-3.5,2.8-7,2.8c-3.5,0-5.2-1.4-7-2.8c-1.7-1.4-3.7-2.9-7.2-3.2c0,0.6,0.1,1.3,0.1,1.9c2.7,0.3,4.2,1.5,5.8,2.8
+			c1.9,1.5,4.1,3.2,8.2,3.2c4.1,0,6.3-1.7,8.2-3.2c1.8-1.4,3.5-2.8,7-2.8c3.5,0,5.2,1.4,7,2.8c1.9,1.5,4.1,3.2,8.2,3.2
+			c4.1,0,6.3-1.7,8.2-3.2c1.8-1.4,3.5-2.8,7-2.8c3.5,0,5.2,1.4,7,2.8c1.9,1.5,4.1,3.2,8.2,3.2c4.1,0,6.3-1.7,8.2-3.2
+			c1.8-1.4,3.5-2.8,7-2.8c3.5,0,5.2,1.4,7,2.8c1.7,1.4,3.7,2.9,7.2,3.2c0.1-0.6,0.2-1.3,0.3-1.9c-3-0.2-4.6-1.4-6.3-2.8
+			C202.6,85.9,200.4,84.2,196.3,84.2z"/>
+		<path class="st0" d="M120.1,77.5c4,0,6.1-1.6,8-3.2c1.9-1.5,3.6-2.9,7.2-2.9c3.6,0,5.3,1.4,7.2,2.9c2,1.6,4,3.2,8,3.2
+			c4,0,6.1-1.6,8-3.2c1.9-1.5,3.6-2.9,7.2-2.9c3.6,0,5.3,1.4,7.2,2.9c2,1.6,4,3.2,8,3.2c4,0,6.1-1.6,8-3.2c1.9-1.5,3.6-2.9,7.2-2.9
+			c3.6,0,5.3,1.4,7.2,2.9c1.9,1.5,4,3.1,8,3.2l0-0.1c0-0.4-0.1-0.8-0.1-1.3c-3.4-0.1-5.2-1.4-7-2.9c-2-1.6-4-3.2-8-3.2
+			c-4,0-6.1,1.6-8,3.2c-1.9,1.5-3.6,2.9-7.2,2.9c-3.6,0-5.3-1.4-7.2-2.9c-2-1.6-4-3.2-8-3.2c-4,0-6.1,1.6-8,3.2
+			c-1.9,1.5-3.6,2.9-7.2,2.9c-3.6,0-5.3-1.4-7.2-2.9c-2-1.6-4-3.2-8-3.2c-4,0-6.1,1.6-8,3.2c-1.9,1.5-3.6,2.9-7.2,2.9
+			c-3.6,0-5.3-1.4-7.2-2.9c-1.6-1.3-3.2-2.5-5.9-3c-0.1,0.4-0.2,0.9-0.3,1.3c2.4,0.4,3.8,1.5,5.3,2.7C114,75.9,116,77.5,120.1,77.5z
+			"/>
+		<path class="st0" d="M120.1,62.8c4,0,5.9-1.6,7.9-3.1c1.9-1.5,3.7-2.9,7.4-2.9s5.5,1.4,7.4,2.9c1.9,1.5,3.9,3.1,7.9,3.1
+			c4,0,5.9-1.6,7.9-3.1c1.9-1.5,3.7-2.9,7.4-2.9c3.7,0,5.5,1.4,7.4,2.9c1.9,1.5,3.9,3.1,7.9,3.1c4,0,5.9-1.6,7.9-3.1
+			c1.9-1.5,3.7-2.9,7.4-2.9c3.7,0,5.5,1.4,7.4,2.9c1.3,1,2.5,2,4.4,2.6c-0.1-0.3-0.3-0.7-0.4-1c-1.3-0.6-2.4-1.4-3.4-2.2
+			c-1.9-1.5-3.9-3.1-7.9-3.1c-4,0-5.9,1.6-7.9,3.1c-1.9,1.5-3.7,2.9-7.4,2.9c-3.7,0-5.5-1.4-7.4-2.9c-1.9-1.5-3.9-3.1-7.9-3.1
+			c-4,0-5.9,1.6-7.9,3.1c-1.9,1.5-3.7,2.9-7.4,2.9c-3.7,0-5.5-1.4-7.4-2.9c-1.9-1.5-3.9-3.1-7.9-3.1c-4,0-5.9,1.6-7.9,3.1
+			c-1.9,1.5-3.7,2.9-7.4,2.9c-3.7,0-5.5-1.4-7.4-2.9c-0.5-0.4-0.9-0.7-1.4-1.1c-0.1,0.2-0.3,0.5-0.4,0.8c0.4,0.3,0.9,0.6,1.3,1
+			C114.1,61.2,116.1,62.8,120.1,62.8z"/>
+	</g>
+</g>
+<g>
+	<g>
+		<path class="st3" d="M81.7,161.9l-18.2,41.2h-5.1l-18.2-41.2h5.1L61,197.4l15.6-35.5H81.7z"/>
+		<path class="st3" d="M91.7,166.3v13.6h22.4v4.4H91.7v14.3h24.8v4.4H87v-41.2h29.6v4.4H91.7z"/>
+		<path class="st3" d="M150.9,198.7v4.4h-27.2v-41.2h4.7v36.8H150.9z"/>
+		<path class="st3" d="M160.9,166.3v13.6h22.4v4.4h-22.4v14.3h24.8v4.4h-29.6v-41.2h29.6v4.4H160.9z"/>
+		<path class="st3" d="M223.1,181.3c-1.1,1.9-2.6,3.4-4.6,4.6c-2,1.2-4.2,1.9-6.6,2.2l10.5,14.9h-5.3l-10.4-14.8h-9.1v14.8h-4.7
+			v-41.2h16.7c2.8,0,5.4,0.6,7.7,1.7c2.3,1.1,4.1,2.7,5.5,4.7c1.3,2,2,4.3,2,6.8C224.8,177.4,224.2,179.5,223.1,181.3z M197.5,183.9
+			h11.2c3.4,0,6.1-0.8,8.2-2.3c2.1-1.6,3.1-3.7,3.1-6.4c0-2.7-1-4.9-3.1-6.4c-2.1-1.6-4.8-2.3-8.2-2.3h-11.2V183.9z"/>
+		<path class="st3" d="M239.6,200.9c-3.3-1.9-5.8-4.5-7.8-7.8c-1.9-3.3-2.9-6.8-2.9-10.6c0-3.8,1-7.3,2.9-10.6
+			c1.9-3.3,4.5-5.9,7.8-7.8c3.3-1.9,6.8-2.9,10.5-2.9c3.8,0,7.2,1,10.5,2.9c3.2,1.9,5.8,4.5,7.7,7.8c1.9,3.3,2.9,6.8,2.9,10.6
+			c0,3.8-1,7.3-2.9,10.6c-1.9,3.3-4.5,5.9-7.7,7.8c-3.2,1.9-6.7,2.9-10.5,2.9C246.3,203.8,242.8,202.9,239.6,200.9z M258.2,197.2
+			c2.5-1.6,4.5-3.6,6-6.2c1.5-2.6,2.2-5.4,2.2-8.5c0-3-0.7-5.8-2.2-8.4c-1.5-2.6-3.5-4.7-6-6.2c-2.5-1.5-5.2-2.3-8.1-2.3
+			c-2.9,0-5.6,0.8-8.1,2.3c-2.5,1.5-4.5,3.6-6,6.2c-1.5,2.6-2.2,5.4-2.2,8.4c0,3,0.8,5.9,2.2,8.5c1.5,2.6,3.5,4.7,6,6.2
+			s5.2,2.3,8.1,2.3C253,199.5,255.7,198.7,258.2,197.2z"/>
+	</g>
+</g>
+</svg>

assets/stacked/199150-vmw-os-lgo-velero-final_stacked-wht.svg

@@ -0,0 +1,103 @@
+<?xml version="1.0" encoding="utf-8"?>
+<!-- Generator: Adobe Illustrator 24.0.3, SVG Export Plug-In . SVG Version: 6.00 Build 0)  -->
+<svg version="1.1" id="Layer_5" xmlns="http://www.w3.org/2000/svg" xmlns:xlink="http://www.w3.org/1999/xlink" x="0px" y="0px"
+	 viewBox="0 0 311.5 245.2" style="enable-background:new 0 0 311.5 245.2;" xml:space="preserve">
+<style type="text/css">
+	.st0{fill:#FFFFFF;}
+	.st1{fill:none;}
+	.st2{fill:#009BDB;}
+	.st3{fill:#717074;}
+</style>
+<g>
+	<g>
+		<path class="st1" d="M211.5,83.4c0-0.7,0.1-1.4,0.1-2c0-0.7,0-1.4-0.1-2V83.4z"/>
+		<path class="st2" d="M196.3,115.5c-3.3,0-4.9,1.2-6.7,2.7c-2,1.6-4.2,3.4-8.6,3.4c-4.3,0-6.6-1.8-8.6-3.4
+			c-1.8-1.4-3.4-2.7-6.7-2.7c-3.3,0-4.9,1.2-6.7,2.7c-2,1.6-4.2,3.4-8.6,3.4c-4.3,0-6.6-1.8-8.6-3.4c-1.8-1.4-3.4-2.7-6.7-2.7
+			s-4.9,1.2-6.7,2.7c-1.3,1-2.7,2.2-4.8,2.8c8.3,7.3,18.9,12,30.5,13c0.3,0,0.6,0.1,1,0.1c1.1,0.1,2.3,0.1,3.4,0.1
+			c1.2,0,2.3-0.1,3.4-0.1c0.3,0,0.6,0,1-0.1c14.2-1.2,26.8-8,35.6-18.2C198,115.7,197.2,115.5,196.3,115.5z"/>
+		<path class="st2" d="M120.1,76.1c3.6,0,5.3-1.4,7.2-2.9c2-1.6,4-3.2,8-3.2c4,0,6.1,1.6,8,3.2c1.9,1.5,3.6,2.9,7.2,2.9
+			c3.6,0,5.3-1.4,7.2-2.9c2-1.6,4-3.2,8-3.2c4,0,6.1,1.6,8,3.2c1.9,1.5,3.6,2.9,7.2,2.9c3.6,0,5.3-1.4,7.2-2.9c2-1.6,4-3.2,8-3.2
+			c4,0,6.1,1.6,8,3.2c1.8,1.5,3.6,2.8,7,2.9c-0.5-4.8-1.6-9.5-3.3-13.8c-1.8-0.6-3.1-1.6-4.4-2.6c-1.9-1.5-3.7-2.9-7.4-2.9
+			c-3.7,0-5.5,1.4-7.4,2.9c-1.9,1.5-3.9,3.1-7.9,3.1c-4,0-5.9-1.6-7.9-3.1c-1.9-1.5-3.7-2.9-7.4-2.9c-3.7,0-5.5,1.4-7.4,2.9
+			c-1.9,1.5-3.9,3.1-7.9,3.1c-4,0-5.9-1.6-7.9-3.1c-1.9-1.5-3.7-2.9-7.4-2.9s-5.5,1.4-7.4,2.9c-1.9,1.5-3.9,3.1-7.9,3.1
+			c-4,0-5.9-1.6-7.9-3.1c-0.4-0.3-0.9-0.7-1.3-1c-1.7,3.6-3.1,7.5-3.9,11.6c2.7,0.5,4.3,1.7,5.9,3C114.8,74.7,116.5,76.1,120.1,76.1
+			z"/>
+		<path class="st2" d="M120.1,61.9c3.7,0,5.5-1.4,7.4-2.9c1.9-1.5,3.9-3.1,7.9-3.1c4,0,5.9,1.6,7.9,3.1c1.9,1.5,3.7,2.9,7.4,2.9
+			c3.7,0,5.5-1.4,7.4-2.9c1.9-1.5,3.9-3.1,7.9-3.1c4,0,5.9,1.6,7.9,3.1c1.9,1.5,3.7,2.9,7.4,2.9c3.7,0,5.5-1.4,7.4-2.9
+			c1.9-1.5,3.9-3.1,7.9-3.1c4,0,5.9,1.6,7.9,3.1c1.1,0.8,2.1,1.7,3.4,2.2c-7.9-19.2-26.9-32.8-48.9-32.8c-20.8,0-38.7,12-47.4,29.5
+			c0.5,0.4,1,0.7,1.4,1.1C114.6,60.5,116.4,61.9,120.1,61.9z"/>
+		<path class="st2" d="M196.3,100.8c-3.4,0-5,1.3-6.8,2.8c-1.9,1.5-4.1,3.3-8.4,3.3c-4.2,0-6.4-1.7-8.4-3.3
+			c-1.9-1.5-3.5-2.8-6.8-2.8c-3.4,0-5,1.3-6.8,2.8c-1.9,1.5-4.1,3.3-8.4,3.3c-4.2,0-6.4-1.7-8.4-3.3c-1.9-1.5-3.5-2.8-6.8-2.8
+			c-3.4,0-5,1.3-6.8,2.8c-1.9,1.5-4.1,3.3-8.4,3.3c-4.2,0-6.4-1.7-8.4-3.3c-0.5-0.4-1-0.8-1.5-1.1c2.6,6,6.3,11.4,10.9,16
+			c2.6-0.2,4-1.4,5.6-2.6c2-1.6,4.2-3.4,8.6-3.4c4.3,0,6.6,1.8,8.6,3.4c1.8,1.4,3.4,2.7,6.7,2.7c3.3,0,4.9-1.2,6.7-2.7
+			c2-1.6,4.2-3.4,8.6-3.4c4.3,0,6.6,1.8,8.6,3.4c1.8,1.4,3.4,2.7,6.7,2.7c3.3,0,4.9-1.2,6.7-2.7c2-1.6,4.2-3.4,8.6-3.4
+			c1.8,0,3.3,0.3,4.5,0.8c1.9-2.5,3.5-5.1,5-7.9c-1-0.6-1.8-1.2-2.6-1.8C201.3,102.1,199.6,100.8,196.3,100.8z"/>
+		<path class="st2" d="M211.4,77.5c-4,0-6-1.6-8-3.2c-1.9-1.5-3.6-2.9-7.2-2.9c-3.6,0-5.3,1.4-7.2,2.9c-2,1.6-4,3.2-8,3.2
+			c-4,0-6.1-1.6-8-3.2c-1.9-1.5-3.6-2.9-7.2-2.9c-3.6,0-5.3,1.4-7.2,2.9c-2,1.6-4,3.2-8,3.2c-4,0-6.1-1.6-8-3.2
+			c-1.9-1.5-3.6-2.9-7.2-2.9c-3.6,0-5.3,1.4-7.2,2.9c-2,1.6-4,3.2-8,3.2c-4,0-6.1-1.6-8-3.2c-1.5-1.2-3-2.3-5.3-2.7
+			c-0.5,2.5-0.8,5.1-0.9,7.7c0,0.7-0.1,1.4-0.1,2c0,0.7,0,1.4,0.1,2c0,0.3,0,0.6,0,0.9c3.5,0.3,5.4,1.8,7.2,3.2
+			c1.8,1.4,3.5,2.8,7,2.8c3.5,0,5.2-1.4,7-2.8c1.9-1.5,4.1-3.2,8.2-3.2s6.3,1.7,8.2,3.2c1.8,1.4,3.5,2.8,7,2.8c3.5,0,5.2-1.4,7-2.8
+			c1.9-1.5,4.1-3.2,8.2-3.2c4.1,0,6.3,1.7,8.2,3.2c1.8,1.4,3.5,2.8,7,2.8c3.5,0,5.2-1.4,7-2.8c1.9-1.5,4.1-3.2,8.2-3.2
+			c4.1,0,6.3,1.7,8.2,3.2c1.7,1.3,3.3,2.6,6.3,2.8c0.3-1.6,0.5-3.2,0.6-4.9c0-0.6,0.1-1.3,0.1-1.9v-4.1
+			C211.5,78.6,211.4,77.5,211.4,77.5z"/>
+		<path class="st2" d="M196.3,86.1c-3.5,0-5.2,1.4-7,2.8c-1.9,1.5-4.1,3.2-8.2,3.2c-4.1,0-6.3-1.7-8.2-3.2c-1.8-1.4-3.5-2.8-7-2.8
+			c-3.5,0-5.2,1.4-7,2.8c-1.9,1.5-4.1,3.2-8.2,3.2c-4.1,0-6.3-1.7-8.2-3.2c-1.8-1.4-3.5-2.8-7-2.8c-3.5,0-5.2,1.4-7,2.8
+			c-1.9,1.5-4.1,3.2-8.2,3.2c-4.1,0-6.3-1.7-8.2-3.2c-1.6-1.3-3.1-2.5-5.8-2.8c0.4,4.5,1.4,8.7,2.8,12.8c1.9,0.6,3.2,1.7,4.4,2.7
+			c1.9,1.5,3.5,2.8,6.8,2.8c3.4,0,5-1.3,6.8-2.8c1.9-1.5,4.1-3.3,8.4-3.3c4.2,0,6.4,1.7,8.4,3.3c1.9,1.5,3.5,2.8,6.8,2.8
+			c3.4,0,5-1.3,6.8-2.8c1.9-1.5,4.1-3.3,8.4-3.3c4.2,0,6.4,1.7,8.4,3.3c1.9,1.5,3.5,2.8,6.8,2.8c3.4,0,5-1.3,6.8-2.8
+			c1.9-1.5,4.1-3.3,8.4-3.3c4.2,0,6.4,1.7,8.4,3.3c0.7,0.6,1.4,1.1,2.2,1.6c1.6-3.5,2.8-7.2,3.6-11.1c-3.5-0.3-5.4-1.8-7.2-3.2
+			C201.5,87.5,199.7,86.1,196.3,86.1z"/>
+		<path class="st0" d="M187.7,115.9c-1.8,1.4-3.4,2.7-6.7,2.7c-3.3,0-4.9-1.2-6.7-2.7c-2-1.6-4.2-3.4-8.6-3.4
+			c-4.3,0-6.6,1.8-8.6,3.4c-1.8,1.4-3.4,2.7-6.7,2.7c-3.3,0-4.9-1.2-6.7-2.7c-2-1.6-4.2-3.4-8.6-3.4c-4.3,0-6.6,1.8-8.6,3.4
+			c-1.6,1.3-3,2.4-5.6,2.6c0.9,0.9,1.8,1.7,2.7,2.5c2.1-0.6,3.5-1.8,4.8-2.8c1.8-1.4,3.4-2.7,6.7-2.7c3.3,0,4.9,1.2,6.7,2.7
+			c2,1.6,4.2,3.4,8.6,3.4c4.3,0,6.6-1.8,8.6-3.4c1.8-1.4,3.4-2.7,6.7-2.7c3.3,0,4.9,1.2,6.7,2.7c2,1.6,4.2,3.4,8.6,3.4
+			c4.3,0,6.6-1.8,8.6-3.4c1.8-1.4,3.4-2.7,6.7-2.7c0.9,0,1.7,0.1,2.4,0.3c0.7-0.8,1.4-1.7,2-2.5c-1.2-0.5-2.7-0.8-4.5-0.8
+			C191.9,112.5,189.7,114.3,187.7,115.9z"/>
+		<path class="st0" d="M196.3,98.4c-4.2,0-6.4,1.7-8.4,3.3c-1.9,1.5-3.5,2.8-6.8,2.8c-3.4,0-5-1.3-6.8-2.8c-1.9-1.5-4.1-3.3-8.4-3.3
+			c-4.2,0-6.4,1.7-8.4,3.3c-1.9,1.5-3.5,2.8-6.8,2.8c-3.4,0-5-1.3-6.8-2.8c-1.9-1.5-4.1-3.3-8.4-3.3c-4.2,0-6.4,1.7-8.4,3.3
+			c-1.9,1.5-3.5,2.8-6.8,2.8c-3.4,0-5-1.3-6.8-2.8c-1.2-1-2.5-2-4.4-2.7c0.4,1.2,0.9,2.3,1.4,3.5c0.5,0.3,1,0.7,1.5,1.1
+			c1.9,1.5,4.1,3.3,8.4,3.3c4.2,0,6.4-1.7,8.4-3.3c1.9-1.5,3.5-2.8,6.8-2.8c3.4,0,5,1.3,6.8,2.8c1.9,1.5,4.1,3.3,8.4,3.3
+			c4.2,0,6.4-1.7,8.4-3.3c1.9-1.5,3.5-2.8,6.8-2.8c3.4,0,5,1.3,6.8,2.8c1.9,1.5,4.1,3.3,8.4,3.3c4.2,0,6.4-1.7,8.4-3.3
+			c1.9-1.5,3.5-2.8,6.8-2.8c3.4,0,5,1.3,6.8,2.8c0.8,0.6,1.6,1.3,2.6,1.8c0.4-0.7,0.7-1.5,1.1-2.2c-0.8-0.4-1.4-1-2.2-1.6
+			C202.7,100.1,200.5,98.4,196.3,98.4z"/>
+		<path class="st0" d="M196.3,84.2c-4.1,0-6.3,1.7-8.2,3.2c-1.8,1.4-3.5,2.8-7,2.8c-3.5,0-5.2-1.4-7-2.8c-1.9-1.5-4.1-3.2-8.2-3.2
+			c-4.1,0-6.3,1.7-8.2,3.2c-1.8,1.4-3.5,2.8-7,2.8c-3.5,0-5.2-1.4-7-2.8c-1.9-1.5-4.1-3.2-8.2-3.2c-4.1,0-6.3,1.7-8.2,3.2
+			c-1.8,1.4-3.5,2.8-7,2.8c-3.5,0-5.2-1.4-7-2.8c-1.7-1.4-3.7-2.9-7.2-3.2c0,0.6,0.1,1.3,0.1,1.9c2.7,0.3,4.2,1.5,5.8,2.8
+			c1.9,1.5,4.1,3.2,8.2,3.2c4.1,0,6.3-1.7,8.2-3.2c1.8-1.4,3.5-2.8,7-2.8c3.5,0,5.2,1.4,7,2.8c1.9,1.5,4.1,3.2,8.2,3.2
+			c4.1,0,6.3-1.7,8.2-3.2c1.8-1.4,3.5-2.8,7-2.8c3.5,0,5.2,1.4,7,2.8c1.9,1.5,4.1,3.2,8.2,3.2c4.1,0,6.3-1.7,8.2-3.2
+			c1.8-1.4,3.5-2.8,7-2.8c3.5,0,5.2,1.4,7,2.8c1.7,1.4,3.7,2.9,7.2,3.2c0.1-0.6,0.2-1.3,0.3-1.9c-3-0.2-4.6-1.4-6.3-2.8
+			C202.6,85.9,200.4,84.2,196.3,84.2z"/>
+		<path class="st0" d="M120.1,77.5c4,0,6.1-1.6,8-3.2c1.9-1.5,3.6-2.9,7.2-2.9c3.6,0,5.3,1.4,7.2,2.9c2,1.6,4,3.2,8,3.2
+			c4,0,6.1-1.6,8-3.2c1.9-1.5,3.6-2.9,7.2-2.9c3.6,0,5.3,1.4,7.2,2.9c2,1.6,4,3.2,8,3.2c4,0,6.1-1.6,8-3.2c1.9-1.5,3.6-2.9,7.2-2.9
+			c3.6,0,5.3,1.4,7.2,2.9c1.9,1.5,4,3.1,8,3.2l0-0.1c0-0.4-0.1-0.8-0.1-1.3c-3.4-0.1-5.2-1.4-7-2.9c-2-1.6-4-3.2-8-3.2
+			c-4,0-6.1,1.6-8,3.2c-1.9,1.5-3.6,2.9-7.2,2.9c-3.6,0-5.3-1.4-7.2-2.9c-2-1.6-4-3.2-8-3.2c-4,0-6.1,1.6-8,3.2
+			c-1.9,1.5-3.6,2.9-7.2,2.9c-3.6,0-5.3-1.4-7.2-2.9c-2-1.6-4-3.2-8-3.2c-4,0-6.1,1.6-8,3.2c-1.9,1.5-3.6,2.9-7.2,2.9
+			c-3.6,0-5.3-1.4-7.2-2.9c-1.6-1.3-3.2-2.5-5.9-3c-0.1,0.4-0.2,0.9-0.3,1.3c2.4,0.4,3.8,1.5,5.3,2.7C114,75.9,116,77.5,120.1,77.5z
+			"/>
+		<path class="st0" d="M120.1,62.8c4,0,5.9-1.6,7.9-3.1c1.9-1.5,3.7-2.9,7.4-2.9s5.5,1.4,7.4,2.9c1.9,1.5,3.9,3.1,7.9,3.1
+			c4,0,5.9-1.6,7.9-3.1c1.9-1.5,3.7-2.9,7.4-2.9c3.7,0,5.5,1.4,7.4,2.9c1.9,1.5,3.9,3.1,7.9,3.1c4,0,5.9-1.6,7.9-3.1
+			c1.9-1.5,3.7-2.9,7.4-2.9c3.7,0,5.5,1.4,7.4,2.9c1.3,1,2.5,2,4.4,2.6c-0.1-0.3-0.3-0.7-0.4-1c-1.3-0.6-2.4-1.4-3.4-2.2
+			c-1.9-1.5-3.9-3.1-7.9-3.1c-4,0-5.9,1.6-7.9,3.1c-1.9,1.5-3.7,2.9-7.4,2.9c-3.7,0-5.5-1.4-7.4-2.9c-1.9-1.5-3.9-3.1-7.9-3.1
+			c-4,0-5.9,1.6-7.9,3.1c-1.9,1.5-3.7,2.9-7.4,2.9c-3.7,0-5.5-1.4-7.4-2.9c-1.9-1.5-3.9-3.1-7.9-3.1c-4,0-5.9,1.6-7.9,3.1
+			c-1.9,1.5-3.7,2.9-7.4,2.9c-3.7,0-5.5-1.4-7.4-2.9c-0.5-0.4-0.9-0.7-1.4-1.1c-0.1,0.2-0.3,0.5-0.4,0.8c0.4,0.3,0.9,0.6,1.3,1
+			C114.1,61.2,116.1,62.8,120.1,62.8z"/>
+	</g>
+</g>
+<g>
+	<g>
+		<path class="st0" d="M81.7,161.9l-18.2,41.2h-5.1l-18.2-41.2h5.1L61,197.4l15.6-35.5H81.7z"/>
+		<path class="st0" d="M91.7,166.3v13.6h22.4v4.4H91.7v14.3h24.8v4.4H87v-41.2h29.6v4.4H91.7z"/>
+		<path class="st0" d="M150.9,198.7v4.4h-27.2v-41.2h4.7v36.8H150.9z"/>
+		<path class="st0" d="M160.9,166.3v13.6h22.4v4.4h-22.4v14.3h24.8v4.4h-29.6v-41.2h29.6v4.4H160.9z"/>
+		<path class="st0" d="M223.1,181.3c-1.1,1.9-2.6,3.4-4.6,4.6c-2,1.2-4.2,1.9-6.6,2.2l10.5,14.9h-5.3l-10.4-14.8h-9.1v14.8h-4.7
+			v-41.2h16.7c2.8,0,5.4,0.6,7.7,1.7c2.3,1.1,4.1,2.7,5.5,4.7c1.3,2,2,4.3,2,6.8C224.8,177.4,224.2,179.5,223.1,181.3z M197.5,183.9
+			h11.2c3.4,0,6.1-0.8,8.2-2.3c2.1-1.6,3.1-3.7,3.1-6.4c0-2.7-1-4.9-3.1-6.4c-2.1-1.6-4.8-2.3-8.2-2.3h-11.2V183.9z"/>
+		<path class="st0" d="M239.6,200.9c-3.3-1.9-5.8-4.5-7.8-7.8c-1.9-3.3-2.9-6.8-2.9-10.6c0-3.8,1-7.3,2.9-10.6
+			c1.9-3.3,4.5-5.9,7.8-7.8c3.3-1.9,6.8-2.9,10.5-2.9c3.8,0,7.2,1,10.5,2.9c3.2,1.9,5.8,4.5,7.7,7.8c1.9,3.3,2.9,6.8,2.9,10.6
+			c0,3.8-1,7.3-2.9,10.6c-1.9,3.3-4.5,5.9-7.7,7.8c-3.2,1.9-6.7,2.9-10.5,2.9C246.3,203.8,242.8,202.9,239.6,200.9z M258.2,197.2
+			c2.5-1.6,4.5-3.6,6-6.2c1.5-2.6,2.2-5.4,2.2-8.5c0-3-0.7-5.8-2.2-8.4c-1.5-2.6-3.5-4.7-6-6.2c-2.5-1.5-5.2-2.3-8.1-2.3
+			c-2.9,0-5.6,0.8-8.1,2.3s-4.5,3.6-6,6.2s-2.2,5.4-2.2,8.4c0,3,0.8,5.9,2.2,8.5c1.5,2.6,3.5,4.7,6,6.2c2.5,1.6,5.2,2.3,8.1,2.3
+			C253,199.5,255.7,198.7,258.2,197.2z"/>
+	</g>
+</g>
+</svg>

changelogs/CHANGELOG-1.7.md

@@ -0,0 +1,80 @@
+## v1.7.0
+### 2021-09-07
+
+### Download
+https://github.com/vmware-tanzu/velero/releases/tag/v1.7.0
+
+### Container Image
+`velero/velero:v1.7.0`
+
+### Documentation
+https://velero.io/docs/v1.7/
+
+### Upgrading
+https://velero.io/docs/v1.7/upgrade-to-1.7/
+
+### Highlights
+
+#### Distroless images
+
+The Velero container images now use [distroless base images](https://github.com/GoogleContainerTools/distroless).
+Using distroless images as the base ensures that only the packages and programs necessary for running Velero are included.
+Unrelated libraries and OS packages, that often contain security vulnerabilities, are now excluded.
+This change reduces the size of both the server and restic restore helper image by approximately 62MB.
+
+As the [distroless](https://github.com/GoogleContainerTools/distroless) images do not contain a shell, it will no longer be possible to exec into Velero containers using these images.
+
+#### New "debug" command
+
+This release introduces the new `velero debug` command.
+This command collects information about a Velero installation, such as pod logs and resources managed by Velero, in a tarball which can be provided to the Velero maintainer team to help diagnose issues.
+
+### All changes
+
+  * Distinguish between different unnamed node ports when preserving (#4026, @sseago)
+  * Validate namespace in Velero backup create command (#4057, @codegold79)
+  * Empty the "ClusterIPs" along with "ClusterIP" when "ClusterIP" isn't "None" (#4101, @ywk253100)
+  * Add a RestoreItemAction plugin (`velero.io/apiservice`) which skips the restore of any `APIService` which is managed by Kubernetes. These are identified using the `kube-aggregator.kubernetes.io/automanaged` label. (#4028, @zubron)
+  * Change the base image to distroless (#4055, @ywk253100)
+  * Updated the version of velero/velero-plugin-for-aws version from v1.2.0 to v1.2.1 (#4064, @kahirokunn)
+  * Skip the backup and restore of DownwardAPI volumes when using restic. (#4076, @zubron)
+  * Bump up Go to 1.16 (#3990, @reasonerjt)
+  * Fix restic error when volume is emptyDir and Pod not running (#3993, @mahaupt)
+  * Select the velero deployment with both label and container name (#3996, @ywk253100)
+  * Wait for the namespace to be deleted before removing the CRDs during uninstall. This deprecates the `--wait` flag of the `uninstall` command (#4007, @ywk253100)
+  * Use the cluster preferred CRD API version when polling for Velero CRD readiness. (#4015, @zubron)
+  * Implement velero debug (#4022, @reasonerjt)
+  * Skip the restore of volumes that originally came from a projected volume when using restic. (#3877, @zubron)
+  * Run the E2E test with kind(provision various versions of k8s cluster) and MinIO on Github Action (#3912, @ywk253100)
+  * Fix -install-velero flag for e2e tests (#3919, @jaidevmane)
+  * Upgrade Velero ClusterRoleBinding to use v1 API (#3926, @jenting)
+  * enable e2e tests to choose crd apiVersion (#3941, @sseago)
+  * Fixing multipleNamespaceTest bug - Missing expect statement in test (#3983, @jaidevmane)
+  * Add --client-page-size flag to server to allow chunking Kubernetes API LIST calls across multiple requests on large clusters (#3823, @dharmab)
+  * Fix CR restore regression introduced in 1.6 restore progress. (#3845, @sseago)
+  * Use region specified in the BackupStorageLocation spec when getting restic repo identifier. Originally fixed by @jala-dx in #3617. (#3857, @zubron)
+  * skip backuping projected volume when using restic (#3866, @alaypatel07)
+  * Install Kubernetes preferred CRDs API version (v1beta1/v1). (#3614, @jenting)
+  * Add Label to BackupSpec so that labels can explicitly be provided to Schedule.Spec.Template.Metadata.Labels which will be reflected on the backups created. (#3641, @arush-sal)
+  * Add PVC UID label to PodVolumeRestore (#3792, @sseago)
+  * Support pulling plugin images by digest (#3803, @2uasimojo)
+  * Added BackupPhaseUploading and BackupPhaseUploadingPartialFailure backup phases as part of Upload Progress Monitoring. (#3805, @dsmithuchida)
+
+    Uploading (new)
+    The "Uploading" phase signifies that the main part of the backup, including 
+    snapshotting has completed successfully and uploading is continuing. In 
+    the event of an error during uploading, the phase will change to 
+    UploadingPartialFailure. On success, the phase changes to Completed. The 
+    backup cannot be restored from when it is in the Uploading state.
+
+    UploadingPartialFailure (new)
+    The "UploadingPartialFailure" phase signifies that the main part of the backup,
+    including snapshotting has completed, but there were partial failures either 
+    during the main part or during the uploading. The backup cannot be restored 
+    from when it is in the UploadingPartialFailure state.
+  * 🐛 Fix plugin name derivation from image name (#3711, @ashish-amarnath)
+  * ✨ ⚠️ Remove CSI volumesnapshot artifact deletion
+
+This change requires https://github.com/vmware-tanzu/velero-plugin-for-csi/pull/86 for Velero to continue
+deleting of CSI volumesnapshots when the corresponding backups are deleted. (#3734, @ashish-amarnath)
+  * use unstructured to marshal selective fields for service restore action (#3789, @alaypatel07)

changelogs/unreleased/4058-danfengliu

@@ -0,0 +1 @@
+Add upgrade test in E2E test

changelogs/unreleased/4126-sseago

@@ -0,0 +1 @@
+Verify group before treating resource as cohabitating

changelogs/unreleased/4141-danfengliu

@@ -0,0 +1 @@
+Fix plugins incompatible issue in upgrade test

changelogs/unreleased/4185-reasonerjt

@@ -0,0 +1 @@
+Refine tag-release.sh to align with change in release process

changelogs/unreleased/4274-ywk253100

@@ -0,0 +1 @@
+Fix CVE-2020-29652 and CVE-2020-26160

changelogs/unreleased/4281-ywk253100

@@ -0,0 +1 @@
+Don't create a backup immediately after creating a schedule

config/crd/v1/bases/velero.io_backups.yaml

@@ -0,0 +1,440 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: backups.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: Backup
+    listKind: BackupList
+    plural: backups
+    singular: backup
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: Backup is a Velero resource that represents the capture of Kubernetes
+          cluster state at a point in time (API objects and associated volume state).
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BackupSpec defines the specification for a Velero backup.
+            properties:
+              defaultVolumesToRestic:
+                description: DefaultVolumesToRestic specifies whether restic should
+                  be used to take a backup of all pod volumes by default.
+                type: boolean
+              excludedNamespaces:
+                description: ExcludedNamespaces contains a list of namespaces that
+                  are not included in the backup.
+                items:
+                  type: string
+                nullable: true
+                type: array
+              excludedResources:
+                description: ExcludedResources is a slice of resource names that are
+                  not included in the backup.
+                items:
+                  type: string
+                nullable: true
+                type: array
+              hooks:
+                description: Hooks represent custom behaviors that should be executed
+                  at different phases of the backup.
+                properties:
+                  resources:
+                    description: Resources are hooks that should be executed when
+                      backing up individual instances of a resource.
+                    items:
+                      description: BackupResourceHookSpec defines one or more BackupResourceHooks
+                        that should be executed based on the rules defined for namespaces,
+                        resources, and label selector.
+                      properties:
+                        excludedNamespaces:
+                          description: ExcludedNamespaces specifies the namespaces
+                            to which this hook spec does not apply.
+                          items:
+                            type: string
+                          nullable: true
+                          type: array
+                        excludedResources:
+                          description: ExcludedResources specifies the resources to
+                            which this hook spec does not apply.
+                          items:
+                            type: string
+                          nullable: true
+                          type: array
+                        includedNamespaces:
+                          description: IncludedNamespaces specifies the namespaces
+                            to which this hook spec applies. If empty, it applies
+                            to all namespaces.
+                          items:
+                            type: string
+                          nullable: true
+                          type: array
+                        includedResources:
+                          description: IncludedResources specifies the resources to
+                            which this hook spec applies. If empty, it applies to
+                            all resources.
+                          items:
+                            type: string
+                          nullable: true
+                          type: array
+                        labelSelector:
+                          description: LabelSelector, if specified, filters the resources
+                            to which this hook spec applies.
+                          nullable: true
+                          properties:
+                            matchExpressions:
+                              description: matchExpressions is a list of label selector
+                                requirements. The requirements are ANDed.
+                              items:
+                                description: A label selector requirement is a selector
+                                  that contains values, a key, and an operator that
+                                  relates the key and values.
+                                properties:
+                                  key:
+                                    description: key is the label key that the selector
+                                      applies to.
+                                    type: string
+                                  operator:
+                                    description: operator represents a key's relationship
+                                      to a set of values. Valid operators are In,
+                                      NotIn, Exists and DoesNotExist.
+                                    type: string
+                                  values:
+                                    description: values is an array of string values.
+                                      If the operator is In or NotIn, the values array
+                                      must be non-empty. If the operator is Exists
+                                      or DoesNotExist, the values array must be empty.
+                                      This array is replaced during a strategic merge
+                                      patch.
+                                    items:
+                                      type: string
+                                    type: array
+                                required:
+                                - key
+                                - operator
+                                type: object
+                              type: array
+                            matchLabels:
+                              additionalProperties:
+                                type: string
+                              description: matchLabels is a map of {key,value} pairs.
+                                A single {key,value} in the matchLabels map is equivalent
+                                to an element of matchExpressions, whose key field
+                                is "key", the operator is "In", and the values array
+                                contains only "value". The requirements are ANDed.
+                              type: object
+                          type: object
+                        name:
+                          description: Name is the name of this hook.
+                          type: string
+                        post:
+                          description: PostHooks is a list of BackupResourceHooks
+                            to execute after storing the item in the backup. These
+                            are executed after all "additional items" from item actions
+                            are processed.
+                          items:
+                            description: BackupResourceHook defines a hook for a resource.
+                            properties:
+                              exec:
+                                description: Exec defines an exec hook.
+                                properties:
+                                  command:
+                                    description: Command is the command and arguments
+                                      to execute.
+                                    items:
+                                      type: string
+                                    minItems: 1
+                                    type: array
+                                  container:
+                                    description: Container is the container in the
+                                      pod where the command should be executed. If
+                                      not specified, the pod's first container is
+                                      used.
+                                    type: string
+                                  onError:
+                                    description: OnError specifies how Velero should
+                                      behave if it encounters an error executing this
+                                      hook.
+                                    enum:
+                                    - Continue
+                                    - Fail
+                                    type: string
+                                  timeout:
+                                    description: Timeout defines the maximum amount
+                                      of time Velero should wait for the hook to complete
+                                      before considering the execution a failure.
+                                    type: string
+                                required:
+                                - command
+                                type: object
+                            required:
+                            - exec
+                            type: object
+                          type: array
+                        pre:
+                          description: PreHooks is a list of BackupResourceHooks to
+                            execute prior to storing the item in the backup. These
+                            are executed before any "additional items" from item actions
+                            are processed.
+                          items:
+                            description: BackupResourceHook defines a hook for a resource.
+                            properties:
+                              exec:
+                                description: Exec defines an exec hook.
+                                properties:
+                                  command:
+                                    description: Command is the command and arguments
+                                      to execute.
+                                    items:
+                                      type: string
+                                    minItems: 1
+                                    type: array
+                                  container:
+                                    description: Container is the container in the
+                                      pod where the command should be executed. If
+                                      not specified, the pod's first container is
+                                      used.
+                                    type: string
+                                  onError:
+                                    description: OnError specifies how Velero should
+                                      behave if it encounters an error executing this
+                                      hook.
+                                    enum:
+                                    - Continue
+                                    - Fail
+                                    type: string
+                                  timeout:
+                                    description: Timeout defines the maximum amount
+                                      of time Velero should wait for the hook to complete
+                                      before considering the execution a failure.
+                                    type: string
+                                required:
+                                - command
+                                type: object
+                            required:
+                            - exec
+                            type: object
+                          type: array
+                      required:
+                      - name
+                      type: object
+                    nullable: true
+                    type: array
+                type: object
+              includeClusterResources:
+                description: IncludeClusterResources specifies whether cluster-scoped
+                  resources should be included for consideration in the backup.
+                nullable: true
+                type: boolean
+              includedNamespaces:
+                description: IncludedNamespaces is a slice of namespace names to include
+                  objects from. If empty, all namespaces are included.
+                items:
+                  type: string
+                nullable: true
+                type: array
+              includedResources:
+                description: IncludedResources is a slice of resource names to include
+                  in the backup. If empty, all resources are included.
+                items:
+                  type: string
+                nullable: true
+                type: array
+              labelSelector:
+                description: LabelSelector is a metav1.LabelSelector to filter with
+                  when adding individual objects to the backup. If empty or nil, all
+                  objects are included. Optional.
+                nullable: true
+                properties:
+                  matchExpressions:
+                    description: matchExpressions is a list of label selector requirements.
+                      The requirements are ANDed.
+                    items:
+                      description: A label selector requirement is a selector that
+                        contains values, a key, and an operator that relates the key
+                        and values.
+                      properties:
+                        key:
+                          description: key is the label key that the selector applies
+                            to.
+                          type: string
+                        operator:
+                          description: operator represents a key's relationship to
+                            a set of values. Valid operators are In, NotIn, Exists
+                            and DoesNotExist.
+                          type: string
+                        values:
+                          description: values is an array of string values. If the
+                            operator is In or NotIn, the values array must be non-empty.
+                            If the operator is Exists or DoesNotExist, the values
+                            array must be empty. This array is replaced during a strategic
+                            merge patch.
+                          items:
+                            type: string
+                          type: array
+                      required:
+                      - key
+                      - operator
+                      type: object
+                    type: array
+                  matchLabels:
+                    additionalProperties:
+                      type: string
+                    description: matchLabels is a map of {key,value} pairs. A single
+                      {key,value} in the matchLabels map is equivalent to an element
+                      of matchExpressions, whose key field is "key", the operator
+                      is "In", and the values array contains only "value". The requirements
+                      are ANDed.
+                    type: object
+                type: object
+              metadata:
+                properties:
+                  labels:
+                    additionalProperties:
+                      type: string
+                    type: object
+                type: object
+              orderedResources:
+                additionalProperties:
+                  type: string
+                description: OrderedResources specifies the backup order of resources
+                  of specific Kind. The map key is the Kind name and value is a list
+                  of resource names separated by commas. Each resource name has format
+                  "namespace/resourcename".  For cluster resources, simply use "resourcename".
+                nullable: true
+                type: object
+              snapshotVolumes:
+                description: SnapshotVolumes specifies whether to take cloud snapshots
+                  of any PV's referenced in the set of objects included in the Backup.
+                nullable: true
+                type: boolean
+              storageLocation:
+                description: StorageLocation is a string containing the name of a
+                  BackupStorageLocation where the backup should be stored.
+                type: string
+              ttl:
+                description: TTL is a time.Duration-parseable string describing how
+                  long the Backup should be retained for.
+                type: string
+              volumeSnapshotLocations:
+                description: VolumeSnapshotLocations is a list containing names of
+                  VolumeSnapshotLocations associated with this backup.
+                items:
+                  type: string
+                type: array
+            type: object
+          status:
+            description: BackupStatus captures the current status of a Velero backup.
+            properties:
+              completionTimestamp:
+                description: CompletionTimestamp records the time a backup was completed.
+                  Completion time is recorded even on failed backups. Completion time
+                  is recorded before uploading the backup object. The server's time
+                  is used for CompletionTimestamps
+                format: date-time
+                nullable: true
+                type: string
+              errors:
+                description: Errors is a count of all error messages that were generated
+                  during execution of the backup.  The actual errors are in the backup's
+                  log file in object storage.
+                type: integer
+              expiration:
+                description: Expiration is when this Backup is eligible for garbage-collection.
+                format: date-time
+                nullable: true
+                type: string
+              formatVersion:
+                description: FormatVersion is the backup format version, including
+                  major, minor, and patch version.
+                type: string
+              phase:
+                description: Phase is the current state of the Backup.
+                enum:
+                - New
+                - FailedValidation
+                - InProgress
+                - Completed
+                - PartiallyFailed
+                - Failed
+                - Deleting
+                type: string
+              progress:
+                description: Progress contains information about the backup's execution
+                  progress. Note that this information is best-effort only -- if Velero
+                  fails to update it during a backup for any reason, it may be inaccurate/stale.
+                nullable: true
+                properties:
+                  itemsBackedUp:
+                    description: ItemsBackedUp is the number of items that have actually
+                      been written to the backup tarball so far.
+                    type: integer
+                  totalItems:
+                    description: TotalItems is the total number of items to be backed
+                      up. This number may change throughout the execution of the backup
+                      due to plugins that return additional related items to back
+                      up, the velero.io/exclude-from-backup label, and various other
+                      filters that happen as items are processed.
+                    type: integer
+                type: object
+              startTimestamp:
+                description: StartTimestamp records the time a backup was started.
+                  Separate from CreationTimestamp, since that value changes on restores.
+                  The server's time is used for StartTimestamps
+                format: date-time
+                nullable: true
+                type: string
+              validationErrors:
+                description: ValidationErrors is a slice of all validation errors
+                  (if applicable).
+                items:
+                  type: string
+                nullable: true
+                type: array
+              version:
+                description: 'Version is the backup format major version. Deprecated:
+                  Please see FormatVersion'
+                type: integer
+              volumeSnapshotsAttempted:
+                description: VolumeSnapshotsAttempted is the total number of attempted
+                  volume snapshots for this backup.
+                type: integer
+              volumeSnapshotsCompleted:
+                description: VolumeSnapshotsCompleted is the total number of successfully
+                  completed volume snapshots for this backup.
+                type: integer
+              warnings:
+                description: Warnings is a count of all warning messages that were
+                  generated during execution of the backup. The actual warnings are
+                  in the backup's log file in object storage.
+                type: integer
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_backupstoragelocations.yaml

@@ -0,0 +1,178 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: backupstoragelocations.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: BackupStorageLocation
+    listKind: BackupStorageLocationList
+    plural: backupstoragelocations
+    shortNames:
+    - bsl
+    singular: backupstoragelocation
+  scope: Namespaced
+  versions:
+  - additionalPrinterColumns:
+    - description: Backup Storage Location status such as Available/Unavailable
+      jsonPath: .status.phase
+      name: Phase
+      type: string
+    - description: LastValidationTime is the last time the backup store location was
+        validated
+      jsonPath: .status.lastValidationTime
+      name: Last Validated
+      type: date
+    - jsonPath: .metadata.creationTimestamp
+      name: Age
+      type: date
+    - description: Default backup storage location
+      jsonPath: .spec.default
+      name: Default
+      type: boolean
+    name: v1
+    schema:
+      openAPIV3Schema:
+        description: BackupStorageLocation is a location where Velero stores backup
+          objects
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: BackupStorageLocationSpec defines the desired state of a
+              Velero BackupStorageLocation
+            properties:
+              accessMode:
+                description: AccessMode defines the permissions for the backup storage
+                  location.
+                enum:
+                - ReadOnly
+                - ReadWrite
+                type: string
+              backupSyncPeriod:
+                description: BackupSyncPeriod defines how frequently to sync backup
+                  API objects from object storage. A value of 0 disables sync.
+                nullable: true
+                type: string
+              config:
+                additionalProperties:
+                  type: string
+                description: Config is for provider-specific configuration fields.
+                type: object
+              credential:
+                description: Credential contains the credential information intended
+                  to be used with this location
+                properties:
+                  key:
+                    description: The key of the secret to select from.  Must be a
+                      valid secret key.
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names
+                      TODO: Add other useful fields. apiVersion, kind, uid?'
+                    type: string
+                  optional:
+                    description: Specify whether the Secret or its key must be defined
+                    type: boolean
+                required:
+                - key
+                type: object
+              default:
+                description: Default indicates this location is the default backup
+                  storage location.
+                type: boolean
+              objectStorage:
+                description: ObjectStorageLocation specifies the settings necessary
+                  to connect to a provider's object storage.
+                properties:
+                  bucket:
+                    description: Bucket is the bucket to use for object storage.
+                    type: string
+                  caCert:
+                    description: CACert defines a CA bundle to use when verifying
+                      TLS connections to the provider.
+                    format: byte
+                    type: string
+                  prefix:
+                    description: Prefix is the path inside a bucket to use for Velero
+                      storage. Optional.
+                    type: string
+                required:
+                - bucket
+                type: object
+              provider:
+                description: Provider is the provider of the backup storage.
+                type: string
+              validationFrequency:
+                description: ValidationFrequency defines how frequently to validate
+                  the corresponding object storage. A value of 0 disables validation.
+                nullable: true
+                type: string
+            required:
+            - objectStorage
+            - provider
+            type: object
+          status:
+            description: BackupStorageLocationStatus defines the observed state of
+              BackupStorageLocation
+            properties:
+              accessMode:
+                description: "AccessMode is an unused field. \n Deprecated: there
+                  is now an AccessMode field on the Spec and this field will be removed
+                  entirely as of v2.0."
+                enum:
+                - ReadOnly
+                - ReadWrite
+                type: string
+              lastSyncedRevision:
+                description: "LastSyncedRevision is the value of the `metadata/revision`
+                  file in the backup storage location the last time the BSL's contents
+                  were synced into the cluster. \n Deprecated: this field is no longer
+                  updated or used for detecting changes to the location's contents
+                  and will be removed entirely in v2.0."
+                type: string
+              lastSyncedTime:
+                description: LastSyncedTime is the last time the contents of the location
+                  were synced into the cluster.
+                format: date-time
+                nullable: true
+                type: string
+              lastValidationTime:
+                description: LastValidationTime is the last time the backup store
+                  location was validated the cluster.
+                format: date-time
+                nullable: true
+                type: string
+              phase:
+                description: Phase is the current state of the BackupStorageLocation.
+                enum:
+                - Available
+                - Unavailable
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_deletebackuprequests.yaml

@@ -0,0 +1,71 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: deletebackuprequests.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: DeleteBackupRequest
+    listKind: DeleteBackupRequestList
+    plural: deletebackuprequests
+    singular: deletebackuprequest
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: DeleteBackupRequest is a request to delete one or more backups.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DeleteBackupRequestSpec is the specification for which backups
+              to delete.
+            properties:
+              backupName:
+                type: string
+            required:
+            - backupName
+            type: object
+          status:
+            description: DeleteBackupRequestStatus is the current status of a DeleteBackupRequest.
+            properties:
+              errors:
+                description: Errors contains any errors that were encountered during
+                  the deletion process.
+                items:
+                  type: string
+                nullable: true
+                type: array
+              phase:
+                description: Phase is the current state of the DeleteBackupRequest.
+                enum:
+                - New
+                - InProgress
+                - Processed
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_downloadrequests.yaml

@@ -0,0 +1,94 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: downloadrequests.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: DownloadRequest
+    listKind: DownloadRequestList
+    plural: downloadrequests
+    singular: downloadrequest
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: DownloadRequest is a request to download an artifact from backup
+          object storage, such as a backup log file.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: DownloadRequestSpec is the specification for a download request.
+            properties:
+              target:
+                description: Target is what to download (e.g. logs for a backup).
+                properties:
+                  kind:
+                    description: Kind is the type of file to download.
+                    enum:
+                    - BackupLog
+                    - BackupContents
+                    - BackupVolumeSnapshots
+                    - BackupResourceList
+                    - RestoreLog
+                    - RestoreResults
+                    type: string
+                  name:
+                    description: Name is the name of the kubernetes resource with
+                      which the file is associated.
+                    type: string
+                required:
+                - kind
+                - name
+                type: object
+            required:
+            - target
+            type: object
+          status:
+            description: DownloadRequestStatus is the current status of a DownloadRequest.
+            properties:
+              downloadURL:
+                description: DownloadURL contains the pre-signed URL for the target
+                  file.
+                type: string
+              expiration:
+                description: Expiration is when this DownloadRequest expires and can
+                  be deleted by the system.
+                format: date-time
+                nullable: true
+                type: string
+              phase:
+                description: Phase is the current state of the DownloadRequest.
+                enum:
+                - New
+                - Processed
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_podvolumebackups.yaml

@@ -0,0 +1,161 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: podvolumebackups.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: PodVolumeBackup
+    listKind: PodVolumeBackupList
+    plural: podvolumebackups
+    singular: podvolumebackup
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PodVolumeBackupSpec is the specification for a PodVolumeBackup.
+            properties:
+              backupStorageLocation:
+                description: BackupStorageLocation is the name of the backup storage
+                  location where the restic repository is stored.
+                type: string
+              node:
+                description: Node is the name of the node that the Pod is running
+                  on.
+                type: string
+              pod:
+                description: Pod is a reference to the pod containing the volume to
+                  be backed up.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              repoIdentifier:
+                description: RepoIdentifier is the restic repository identifier.
+                type: string
+              tags:
+                additionalProperties:
+                  type: string
+                description: Tags are a map of key-value pairs that should be applied
+                  to the volume backup as tags.
+                type: object
+              volume:
+                description: Volume is the name of the volume within the Pod to be
+                  backed up.
+                type: string
+            required:
+            - backupStorageLocation
+            - node
+            - pod
+            - repoIdentifier
+            - volume
+            type: object
+          status:
+            description: PodVolumeBackupStatus is the current status of a PodVolumeBackup.
+            properties:
+              completionTimestamp:
+                description: CompletionTimestamp records the time a backup was completed.
+                  Completion time is recorded even on failed backups. Completion time
+                  is recorded before uploading the backup object. The server's time
+                  is used for CompletionTimestamps
+                format: date-time
+                nullable: true
+                type: string
+              message:
+                description: Message is a message about the pod volume backup's status.
+                type: string
+              path:
+                description: Path is the full path within the controller pod being
+                  backed up.
+                type: string
+              phase:
+                description: Phase is the current state of the PodVolumeBackup.
+                enum:
+                - New
+                - InProgress
+                - Completed
+                - Failed
+                type: string
+              progress:
+                description: Progress holds the total number of bytes of the volume
+                  and the current number of backed up bytes. This can be used to display
+                  progress information about the backup operation.
+                properties:
+                  bytesDone:
+                    format: int64
+                    type: integer
+                  totalBytes:
+                    format: int64
+                    type: integer
+                type: object
+              snapshotID:
+                description: SnapshotID is the identifier for the snapshot of the
+                  pod volume.
+                type: string
+              startTimestamp:
+                description: StartTimestamp records the time a backup was started.
+                  Separate from CreationTimestamp, since that value changes on restores.
+                  The server's time is used for StartTimestamps
+                format: date-time
+                nullable: true
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_podvolumerestores.yaml

@@ -0,0 +1,144 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: podvolumerestores.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: PodVolumeRestore
+    listKind: PodVolumeRestoreList
+    plural: podvolumerestores
+    singular: podvolumerestore
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: PodVolumeRestoreSpec is the specification for a PodVolumeRestore.
+            properties:
+              backupStorageLocation:
+                description: BackupStorageLocation is the name of the backup storage
+                  location where the restic repository is stored.
+                type: string
+              pod:
+                description: Pod is a reference to the pod containing the volume to
+                  be restored.
+                properties:
+                  apiVersion:
+                    description: API version of the referent.
+                    type: string
+                  fieldPath:
+                    description: 'If referring to a piece of an object instead of
+                      an entire object, this string should contain a valid JSON/Go
+                      field access statement, such as desiredState.manifest.containers[2].
+                      For example, if the object reference is to a container within
+                      a pod, this would take on a value like: "spec.containers{name}"
+                      (where "name" refers to the name of the container that triggered
+                      the event) or if no container name is specified "spec.containers[2]"
+                      (container with index 2 in this pod). This syntax is chosen
+                      only to have some well-defined way of referencing a part of
+                      an object. TODO: this design is not final and this field is
+                      subject to change in the future.'
+                    type: string
+                  kind:
+                    description: 'Kind of the referent. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+                    type: string
+                  name:
+                    description: 'Name of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#names'
+                    type: string
+                  namespace:
+                    description: 'Namespace of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/namespaces/'
+                    type: string
+                  resourceVersion:
+                    description: 'Specific resourceVersion to which this reference
+                      is made, if any. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#concurrency-control-and-consistency'
+                    type: string
+                  uid:
+                    description: 'UID of the referent. More info: https://kubernetes.io/docs/concepts/overview/working-with-objects/names/#uids'
+                    type: string
+                type: object
+              repoIdentifier:
+                description: RepoIdentifier is the restic repository identifier.
+                type: string
+              snapshotID:
+                description: SnapshotID is the ID of the volume snapshot to be restored.
+                type: string
+              volume:
+                description: Volume is the name of the volume within the Pod to be
+                  restored.
+                type: string
+            required:
+            - backupStorageLocation
+            - pod
+            - repoIdentifier
+            - snapshotID
+            - volume
+            type: object
+          status:
+            description: PodVolumeRestoreStatus is the current status of a PodVolumeRestore.
+            properties:
+              completionTimestamp:
+                description: CompletionTimestamp records the time a restore was completed.
+                  Completion time is recorded even on failed restores. The server's
+                  time is used for CompletionTimestamps
+                format: date-time
+                nullable: true
+                type: string
+              message:
+                description: Message is a message about the pod volume restore's status.
+                type: string
+              phase:
+                description: Phase is the current state of the PodVolumeRestore.
+                enum:
+                - New
+                - InProgress
+                - Completed
+                - Failed
+                type: string
+              progress:
+                description: Progress holds the total number of bytes of the snapshot
+                  and the current number of restored bytes. This can be used to display
+                  progress information about the restore operation.
+                properties:
+                  bytesDone:
+                    format: int64
+                    type: integer
+                  totalBytes:
+                    format: int64
+                    type: integer
+                type: object
+              startTimestamp:
+                description: StartTimestamp records the time a restore was started.
+                  The server's time is used for StartTimestamps
+                format: date-time
+                nullable: true
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_resticrepositories.yaml

@@ -0,0 +1,89 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: resticrepositories.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: ResticRepository
+    listKind: ResticRepositoryList
+    plural: resticrepositories
+    singular: resticrepository
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ResticRepositorySpec is the specification for a ResticRepository.
+            properties:
+              backupStorageLocation:
+                description: BackupStorageLocation is the name of the BackupStorageLocation
+                  that should contain this repository.
+                type: string
+              maintenanceFrequency:
+                description: MaintenanceFrequency is how often maintenance should
+                  be run.
+                type: string
+              resticIdentifier:
+                description: ResticIdentifier is the full restic-compatible string
+                  for identifying this repository.
+                type: string
+              volumeNamespace:
+                description: VolumeNamespace is the namespace this restic repository
+                  contains pod volume backups for.
+                type: string
+            required:
+            - backupStorageLocation
+            - maintenanceFrequency
+            - resticIdentifier
+            - volumeNamespace
+            type: object
+          status:
+            description: ResticRepositoryStatus is the current status of a ResticRepository.
+            properties:
+              lastMaintenanceTime:
+                description: LastMaintenanceTime is the last time maintenance was
+                  run.
+                format: date-time
+                nullable: true
+                type: string
+              message:
+                description: Message is a message about the current status of the
+                  ResticRepository.
+                type: string
+              phase:
+                description: Phase is the current state of the ResticRepository.
+                enum:
+                - New
+                - Ready
+                - NotReady
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_schedules.yaml

@@ -0,0 +1,401 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: schedules.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: Schedule
+    listKind: ScheduleList
+    plural: schedules
+    singular: schedule
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: Schedule is a Velero resource that represents a pre-scheduled
+          or periodic Backup that should be run.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ScheduleSpec defines the specification for a Velero schedule
+            properties:
+              schedule:
+                description: Schedule is a Cron expression defining when to run the
+                  Backup.
+                type: string
+              template:
+                description: Template is the definition of the Backup to be run on
+                  the provided schedule
+                properties:
+                  defaultVolumesToRestic:
+                    description: DefaultVolumesToRestic specifies whether restic should
+                      be used to take a backup of all pod volumes by default.
+                    type: boolean
+                  excludedNamespaces:
+                    description: ExcludedNamespaces contains a list of namespaces
+                      that are not included in the backup.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                  excludedResources:
+                    description: ExcludedResources is a slice of resource names that
+                      are not included in the backup.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                  hooks:
+                    description: Hooks represent custom behaviors that should be executed
+                      at different phases of the backup.
+                    properties:
+                      resources:
+                        description: Resources are hooks that should be executed when
+                          backing up individual instances of a resource.
+                        items:
+                          description: BackupResourceHookSpec defines one or more
+                            BackupResourceHooks that should be executed based on the
+                            rules defined for namespaces, resources, and label selector.
+                          properties:
+                            excludedNamespaces:
+                              description: ExcludedNamespaces specifies the namespaces
+                                to which this hook spec does not apply.
+                              items:
+                                type: string
+                              nullable: true
+                              type: array
+                            excludedResources:
+                              description: ExcludedResources specifies the resources
+                                to which this hook spec does not apply.
+                              items:
+                                type: string
+                              nullable: true
+                              type: array
+                            includedNamespaces:
+                              description: IncludedNamespaces specifies the namespaces
+                                to which this hook spec applies. If empty, it applies
+                                to all namespaces.
+                              items:
+                                type: string
+                              nullable: true
+                              type: array
+                            includedResources:
+                              description: IncludedResources specifies the resources
+                                to which this hook spec applies. If empty, it applies
+                                to all resources.
+                              items:
+                                type: string
+                              nullable: true
+                              type: array
+                            labelSelector:
+                              description: LabelSelector, if specified, filters the
+                                resources to which this hook spec applies.
+                              nullable: true
+                              properties:
+                                matchExpressions:
+                                  description: matchExpressions is a list of label
+                                    selector requirements. The requirements are ANDed.
+                                  items:
+                                    description: A label selector requirement is a
+                                      selector that contains values, a key, and an
+                                      operator that relates the key and values.
+                                    properties:
+                                      key:
+                                        description: key is the label key that the
+                                          selector applies to.
+                                        type: string
+                                      operator:
+                                        description: operator represents a key's relationship
+                                          to a set of values. Valid operators are
+                                          In, NotIn, Exists and DoesNotExist.
+                                        type: string
+                                      values:
+                                        description: values is an array of string
+                                          values. If the operator is In or NotIn,
+                                          the values array must be non-empty. If the
+                                          operator is Exists or DoesNotExist, the
+                                          values array must be empty. This array is
+                                          replaced during a strategic merge patch.
+                                        items:
+                                          type: string
+                                        type: array
+                                    required:
+                                    - key
+                                    - operator
+                                    type: object
+                                  type: array
+                                matchLabels:
+                                  additionalProperties:
+                                    type: string
+                                  description: matchLabels is a map of {key,value}
+                                    pairs. A single {key,value} in the matchLabels
+                                    map is equivalent to an element of matchExpressions,
+                                    whose key field is "key", the operator is "In",
+                                    and the values array contains only "value". The
+                                    requirements are ANDed.
+                                  type: object
+                              type: object
+                            name:
+                              description: Name is the name of this hook.
+                              type: string
+                            post:
+                              description: PostHooks is a list of BackupResourceHooks
+                                to execute after storing the item in the backup. These
+                                are executed after all "additional items" from item
+                                actions are processed.
+                              items:
+                                description: BackupResourceHook defines a hook for
+                                  a resource.
+                                properties:
+                                  exec:
+                                    description: Exec defines an exec hook.
+                                    properties:
+                                      command:
+                                        description: Command is the command and arguments
+                                          to execute.
+                                        items:
+                                          type: string
+                                        minItems: 1
+                                        type: array
+                                      container:
+                                        description: Container is the container in
+                                          the pod where the command should be executed.
+                                          If not specified, the pod's first container
+                                          is used.
+                                        type: string
+                                      onError:
+                                        description: OnError specifies how Velero
+                                          should behave if it encounters an error
+                                          executing this hook.
+                                        enum:
+                                        - Continue
+                                        - Fail
+                                        type: string
+                                      timeout:
+                                        description: Timeout defines the maximum amount
+                                          of time Velero should wait for the hook
+                                          to complete before considering the execution
+                                          a failure.
+                                        type: string
+                                    required:
+                                    - command
+                                    type: object
+                                required:
+                                - exec
+                                type: object
+                              type: array
+                            pre:
+                              description: PreHooks is a list of BackupResourceHooks
+                                to execute prior to storing the item in the backup.
+                                These are executed before any "additional items" from
+                                item actions are processed.
+                              items:
+                                description: BackupResourceHook defines a hook for
+                                  a resource.
+                                properties:
+                                  exec:
+                                    description: Exec defines an exec hook.
+                                    properties:
+                                      command:
+                                        description: Command is the command and arguments
+                                          to execute.
+                                        items:
+                                          type: string
+                                        minItems: 1
+                                        type: array
+                                      container:
+                                        description: Container is the container in
+                                          the pod where the command should be executed.
+                                          If not specified, the pod's first container
+                                          is used.
+                                        type: string
+                                      onError:
+                                        description: OnError specifies how Velero
+                                          should behave if it encounters an error
+                                          executing this hook.
+                                        enum:
+                                        - Continue
+                                        - Fail
+                                        type: string
+                                      timeout:
+                                        description: Timeout defines the maximum amount
+                                          of time Velero should wait for the hook
+                                          to complete before considering the execution
+                                          a failure.
+                                        type: string
+                                    required:
+                                    - command
+                                    type: object
+                                required:
+                                - exec
+                                type: object
+                              type: array
+                          required:
+                          - name
+                          type: object
+                        nullable: true
+                        type: array
+                    type: object
+                  includeClusterResources:
+                    description: IncludeClusterResources specifies whether cluster-scoped
+                      resources should be included for consideration in the backup.
+                    nullable: true
+                    type: boolean
+                  includedNamespaces:
+                    description: IncludedNamespaces is a slice of namespace names
+                      to include objects from. If empty, all namespaces are included.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                  includedResources:
+                    description: IncludedResources is a slice of resource names to
+                      include in the backup. If empty, all resources are included.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                  labelSelector:
+                    description: LabelSelector is a metav1.LabelSelector to filter
+                      with when adding individual objects to the backup. If empty
+                      or nil, all objects are included. Optional.
+                    nullable: true
+                    properties:
+                      matchExpressions:
+                        description: matchExpressions is a list of label selector
+                          requirements. The requirements are ANDed.
+                        items:
+                          description: A label selector requirement is a selector
+                            that contains values, a key, and an operator that relates
+                            the key and values.
+                          properties:
+                            key:
+                              description: key is the label key that the selector
+                                applies to.
+                              type: string
+                            operator:
+                              description: operator represents a key's relationship
+                                to a set of values. Valid operators are In, NotIn,
+                                Exists and DoesNotExist.
+                              type: string
+                            values:
+                              description: values is an array of string values. If
+                                the operator is In or NotIn, the values array must
+                                be non-empty. If the operator is Exists or DoesNotExist,
+                                the values array must be empty. This array is replaced
+                                during a strategic merge patch.
+                              items:
+                                type: string
+                              type: array
+                          required:
+                          - key
+                          - operator
+                          type: object
+                        type: array
+                      matchLabels:
+                        additionalProperties:
+                          type: string
+                        description: matchLabels is a map of {key,value} pairs. A
+                          single {key,value} in the matchLabels map is equivalent
+                          to an element of matchExpressions, whose key field is "key",
+                          the operator is "In", and the values array contains only
+                          "value". The requirements are ANDed.
+                        type: object
+                    type: object
+                  metadata:
+                    properties:
+                      labels:
+                        additionalProperties:
+                          type: string
+                        type: object
+                    type: object
+                  orderedResources:
+                    additionalProperties:
+                      type: string
+                    description: OrderedResources specifies the backup order of resources
+                      of specific Kind. The map key is the Kind name and value is
+                      a list of resource names separated by commas. Each resource
+                      name has format "namespace/resourcename".  For cluster resources,
+                      simply use "resourcename".
+                    nullable: true
+                    type: object
+                  snapshotVolumes:
+                    description: SnapshotVolumes specifies whether to take cloud snapshots
+                      of any PV's referenced in the set of objects included in the
+                      Backup.
+                    nullable: true
+                    type: boolean
+                  storageLocation:
+                    description: StorageLocation is a string containing the name of
+                      a BackupStorageLocation where the backup should be stored.
+                    type: string
+                  ttl:
+                    description: TTL is a time.Duration-parseable string describing
+                      how long the Backup should be retained for.
+                    type: string
+                  volumeSnapshotLocations:
+                    description: VolumeSnapshotLocations is a list containing names
+                      of VolumeSnapshotLocations associated with this backup.
+                    items:
+                      type: string
+                    type: array
+                type: object
+              useOwnerReferencesInBackup:
+                description: UseOwnerReferencesBackup specifies whether to use OwnerReferences
+                  on backups created by this Schedule.
+                nullable: true
+                type: boolean
+            required:
+            - schedule
+            - template
+            type: object
+          status:
+            description: ScheduleStatus captures the current state of a Velero schedule
+            properties:
+              lastBackup:
+                description: LastBackup is the last time a Backup was run for this
+                  Schedule schedule
+                format: date-time
+                nullable: true
+                type: string
+              phase:
+                description: Phase is the current phase of the Schedule
+                enum:
+                - New
+                - Enabled
+                - FailedValidation
+                type: string
+              validationErrors:
+                description: ValidationErrors is a slice of all validation errors
+                  (if applicable)
+                items:
+                  type: string
+                type: array
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_serverstatusrequests.yaml

@@ -0,0 +1,87 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: serverstatusrequests.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: ServerStatusRequest
+    listKind: ServerStatusRequestList
+    plural: serverstatusrequests
+    shortNames:
+    - ssr
+    singular: serverstatusrequest
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: ServerStatusRequest is a request to access current status information
+          about the Velero server.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: ServerStatusRequestSpec is the specification for a ServerStatusRequest.
+            type: object
+          status:
+            description: ServerStatusRequestStatus is the current status of a ServerStatusRequest.
+            properties:
+              phase:
+                description: Phase is the current lifecycle phase of the ServerStatusRequest.
+                enum:
+                - New
+                - Processed
+                type: string
+              plugins:
+                description: Plugins list information about the plugins running on
+                  the Velero server
+                items:
+                  description: PluginInfo contains attributes of a Velero plugin
+                  properties:
+                    kind:
+                      type: string
+                    name:
+                      type: string
+                  required:
+                  - kind
+                  - name
+                  type: object
+                nullable: true
+                type: array
+              processedTimestamp:
+                description: ProcessedTimestamp is when the ServerStatusRequest was
+                  processed by the ServerStatusRequestController.
+                format: date-time
+                nullable: true
+                type: string
+              serverVersion:
+                description: ServerVersion is the Velero server version.
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+    subresources:
+      status: {}
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/bases/velero.io_volumesnapshotlocations.yaml

@@ -0,0 +1,72 @@
+
+---
+apiVersion: apiextensions.k8s.io/v1
+kind: CustomResourceDefinition
+metadata:
+  annotations:
+    controller-gen.kubebuilder.io/version: v0.3.0
+  creationTimestamp: null
+  name: volumesnapshotlocations.velero.io
+spec:
+  group: velero.io
+  names:
+    kind: VolumeSnapshotLocation
+    listKind: VolumeSnapshotLocationList
+    plural: volumesnapshotlocations
+    singular: volumesnapshotlocation
+  scope: Namespaced
+  versions:
+  - name: v1
+    schema:
+      openAPIV3Schema:
+        description: VolumeSnapshotLocation is a location where Velero stores volume
+          snapshots.
+        properties:
+          apiVersion:
+            description: 'APIVersion defines the versioned schema of this representation
+              of an object. Servers should convert recognized schemas to the latest
+              internal value, and may reject unrecognized values. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#resources'
+            type: string
+          kind:
+            description: 'Kind is a string value representing the REST resource this
+              object represents. Servers may infer this from the endpoint the client
+              submits requests to. Cannot be updated. In CamelCase. More info: https://git.k8s.io/community/contributors/devel/sig-architecture/api-conventions.md#types-kinds'
+            type: string
+          metadata:
+            type: object
+          spec:
+            description: VolumeSnapshotLocationSpec defines the specification for
+              a Velero VolumeSnapshotLocation.
+            properties:
+              config:
+                additionalProperties:
+                  type: string
+                description: Config is for provider-specific configuration fields.
+                type: object
+              provider:
+                description: Provider is the provider of the volume storage.
+                type: string
+            required:
+            - provider
+            type: object
+          status:
+            description: VolumeSnapshotLocationStatus describes the current status
+              of a Velero VolumeSnapshotLocation.
+            properties:
+              phase:
+                description: VolumeSnapshotLocationPhase is the lifecycle phase of
+                  a Velero VolumeSnapshotLocation.
+                enum:
+                - Available
+                - Unavailable
+                type: string
+            type: object
+        type: object
+    served: true
+    storage: true
+status:
+  acceptedNames:
+    kind: ""
+    plural: ""
+  conditions: []
+  storedVersions: []

config/crd/v1/crds/doc.go

@@ -1,4 +1,4 @@
 // Package crds embeds the controller-tools generated CRD manifests
 package crds
 
-//go:generate go run ../../../hack/crd-gen/main.go
+//go:generate go run ../../../../hack/crd-gen/v1/main.go

config/crd/v1beta1/bases/velero.io_backups.yaml

@@ -303,6 +303,13 @@ spec:
                     are ANDed.
                   type: object
               type: object
+            metadata:
+              properties:
+                labels:
+                  additionalProperties:
+                    type: string
+                  type: object
+              type: object
             orderedResources:
               additionalProperties:
                 type: string

config/crd/v1beta1/bases/velero.io_restores.yaml

@@ -202,12 +202,14 @@ spec:
                                           is not provided. Variable references $(VAR_NAME)
                                           are expanded using the container''s environment.
                                           If a variable cannot be resolved, the reference
-                                          in the input string will be unchanged. The
-                                          $(VAR_NAME) syntax can be escaped with a
-                                          double $$, ie: $$(VAR_NAME). Escaped references
-                                          will never be expanded, regardless of whether
-                                          the variable exists or not. Cannot be updated.
-                                          More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'
+                                          in the input string will be unchanged. Double
+                                          $$ are reduced to a single $, which allows
+                                          for escaping the $(VAR_NAME) syntax: i.e.
+                                          "$$(VAR_NAME)" will produce the string literal
+                                          "$(VAR_NAME)". Escaped references will never
+                                          be expanded, regardless of whether the variable
+                                          exists or not. Cannot be updated. More info:
+                                          https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'
                                         items:
                                           type: string
                                         type: array
@@ -218,12 +220,14 @@ spec:
                                           references $(VAR_NAME) are expanded using
                                           the container''s environment. If a variable
                                           cannot be resolved, the reference in the
-                                          input string will be unchanged. The $(VAR_NAME)
-                                          syntax can be escaped with a double $$,
-                                          ie: $$(VAR_NAME). Escaped references will
-                                          never be expanded, regardless of whether
-                                          the variable exists or not. Cannot be updated.
-                                          More info: https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'
+                                          input string will be unchanged. Double $$
+                                          are reduced to a single $, which allows
+                                          for escaping the $(VAR_NAME) syntax: i.e.
+                                          "$$(VAR_NAME)" will produce the string literal
+                                          "$(VAR_NAME)". Escaped references will never
+                                          be expanded, regardless of whether the variable
+                                          exists or not. Cannot be updated. More info:
+                                          https://kubernetes.io/docs/tasks/inject-data-application/define-command-argument-container/#running-a-command-in-a-shell'
                                         items:
                                           type: string
                                         type: array
@@ -240,17 +244,19 @@ spec:
                                               type: string
                                             value:
                                               description: 'Variable references $(VAR_NAME)
-                                                are expanded using the previous defined
-                                                environment variables in the container
-                                                and any service environment variables.
-                                                If a variable cannot be resolved,
-                                                the reference in the input string
-                                                will be unchanged. The $(VAR_NAME)
-                                                syntax can be escaped with a double
-                                                $$, ie: $$(VAR_NAME). Escaped references
-                                                will never be expanded, regardless
-                                                of whether the variable exists or
-                                                not. Defaults to "".'
+                                                are expanded using the previously
+                                                defined environment variables in the
+                                                container and any service environment
+                                                variables. If a variable cannot be
+                                                resolved, the reference in the input
+                                                string will be unchanged. Double $$
+                                                are reduced to a single $, which allows
+                                                for escaping the $(VAR_NAME) syntax:
+                                                i.e. "$$(VAR_NAME)" will produce the
+                                                string literal "$(VAR_NAME)". Escaped
+                                                references will never be expanded,
+                                                regardless of whether the variable
+                                                exists or not. Defaults to "".'
                                               type: string
                                             valueFrom:
                                               description: Source for the environment
@@ -792,6 +798,29 @@ spec:
                                             required:
                                             - port
                                             type: object
+                                          terminationGracePeriodSeconds:
+                                            description: Optional duration in seconds
+                                              the pod needs to terminate gracefully
+                                              upon probe failure. The grace period
+                                              is the duration in seconds after the
+                                              processes running in the pod are sent
+                                              a termination signal and the time when
+                                              the processes are forcibly halted with
+                                              a kill signal. Set this value longer
+                                              than the expected cleanup time for your
+                                              process. If this value is nil, the pod's
+                                              terminationGracePeriodSeconds will be
+                                              used. Otherwise, this value overrides
+                                              the value provided by the pod spec.
+                                              Value must be non-negative integer.
+                                              The value zero indicates stop immediately
+                                              via the kill signal (no opportunity
+                                              to shut down). This is a beta field
+                                              and requires enabling ProbeTerminationGracePeriod
+                                              feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds
+                                              is used if unset.
+                                            format: int64
+                                            type: integer
                                           timeoutSeconds:
                                             description: 'Number of seconds after
                                               which the probe times out. Defaults
@@ -991,6 +1020,29 @@ spec:
                                             required:
                                             - port
                                             type: object
+                                          terminationGracePeriodSeconds:
+                                            description: Optional duration in seconds
+                                              the pod needs to terminate gracefully
+                                              upon probe failure. The grace period
+                                              is the duration in seconds after the
+                                              processes running in the pod are sent
+                                              a termination signal and the time when
+                                              the processes are forcibly halted with
+                                              a kill signal. Set this value longer
+                                              than the expected cleanup time for your
+                                              process. If this value is nil, the pod's
+                                              terminationGracePeriodSeconds will be
+                                              used. Otherwise, this value overrides
+                                              the value provided by the pod spec.
+                                              Value must be non-negative integer.
+                                              The value zero indicates stop immediately
+                                              via the kill signal (no opportunity
+                                              to shut down). This is a beta field
+                                              and requires enabling ProbeTerminationGracePeriod
+                                              feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds
+                                              is used if unset.
+                                            format: int64
+                                            type: integer
                                           timeoutSeconds:
                                             description: 'Number of seconds after
                                               which the probe times out. Defaults
@@ -1002,7 +1054,7 @@ spec:
                                       resources:
                                         description: 'Compute Resources required by
                                           this container. Cannot be updated. More
-                                          info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
+                                          info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                                         properties:
                                           limits:
                                             additionalProperties:
@@ -1013,7 +1065,7 @@ spec:
                                               x-kubernetes-int-or-string: true
                                             description: 'Limits describes the maximum
                                               amount of compute resources allowed.
-                                              More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
+                                              More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                                             type: object
                                           requests:
                                             additionalProperties:
@@ -1027,12 +1079,14 @@ spec:
                                               If Requests is omitted for a container,
                                               it defaults to Limits if that is explicitly
                                               specified, otherwise to an implementation-defined
-                                              value. More info: https://kubernetes.io/docs/concepts/configuration/manage-compute-resources-container/'
+                                              value. More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/'
                                             type: object
                                         type: object
                                       securityContext:
-                                        description: 'Security options the pod should
-                                          run with. More info: https://kubernetes.io/docs/concepts/policy/security-context/
+                                        description: 'SecurityContext defines the
+                                          security options the container should be
+                                          run with. If set, the fields of SecurityContext
+                                          override the equivalent fields of PodSecurityContext.
                                           More info: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/'
                                         properties:
                                           allowPrivilegeEscalation:
@@ -1197,6 +1251,24 @@ spec:
                                                   is the name of the GMSA credential
                                                   spec to use.
                                                 type: string
+                                              hostProcess:
+                                                description: HostProcess determines
+                                                  if a container should be run as
+                                                  a 'Host Process' container. This
+                                                  field is alpha-level and will only
+                                                  be honored by components that enable
+                                                  the WindowsHostProcessContainers
+                                                  feature flag. Setting this field
+                                                  without the feature flag will result
+                                                  in errors when validating the Pod.
+                                                  All of a Pod's containers must have
+                                                  the same effective HostProcess value
+                                                  (it is not allowed to have a mix
+                                                  of HostProcess containers and non-HostProcess
+                                                  containers).  In addition, if HostProcess
+                                                  is true then HostNetwork must also
+                                                  be set to true.
+                                                type: boolean
                                               runAsUserName:
                                                 description: The UserName in Windows
                                                   to run the entrypoint of the container
@@ -1220,9 +1292,8 @@ spec:
                                           at the beginning of a Pod''s lifecycle,
                                           when it might take a long time to load data
                                           or warm a cache, than during steady-state
-                                          operation. This cannot be updated. This
-                                          is a beta feature enabled by the StartupProbe
-                                          feature flag. More info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
+                                          operation. This cannot be updated. More
+                                          info: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle#container-probes'
                                         properties:
                                           exec:
                                             description: One and only one of the following
@@ -1347,6 +1418,29 @@ spec:
                                             required:
                                             - port
                                             type: object
+                                          terminationGracePeriodSeconds:
+                                            description: Optional duration in seconds
+                                              the pod needs to terminate gracefully
+                                              upon probe failure. The grace period
+                                              is the duration in seconds after the
+                                              processes running in the pod are sent
+                                              a termination signal and the time when
+                                              the processes are forcibly halted with
+                                              a kill signal. Set this value longer
+                                              than the expected cleanup time for your
+                                              process. If this value is nil, the pod's
+                                              terminationGracePeriodSeconds will be
+                                              used. Otherwise, this value overrides
+                                              the value provided by the pod spec.
+                                              Value must be non-negative integer.
+                                              The value zero indicates stop immediately
+                                              via the kill signal (no opportunity
+                                              to shut down). This is a beta field
+                                              and requires enabling ProbeTerminationGracePeriod
+                                              feature gate. Minimum value is 1. spec.terminationGracePeriodSeconds
+                                              is used if unset.
+                                            format: int64
+                                            type: integer
                                           timeoutSeconds:
                                             description: 'Number of seconds after
                                               which the probe times out. Defaults

config/crd/v1beta1/bases/velero.io_schedules.yaml

@@ -318,6 +318,13 @@ spec:
                         are ANDed.
                       type: object
                   type: object
+                metadata:
+                  properties:
+                    labels:
+                      additionalProperties:
+                        type: string
+                      type: object
+                  type: object
                 orderedResources:
                   additionalProperties:
                     type: string

config/crd/v1beta1/crds/doc.go

@@ -0,0 +1,4 @@
+// Package crds embeds the controller-tools generated CRD manifests
+package crds
+
+//go:generate go run ../../../../hack/crd-gen/v1beta1/main.go

design/Implemented/velero-debug.md

@@ -0,0 +1,122 @@
+# `velero debug` command for gathering troubleshooting information
+
+## Abstract
+To simplify the communication between velero users and developers, this document proposes the `velero debug` command to generate a tarball including the logs needed for debugging.
+
+Github issue: https://github.com/vmware-tanzu/velero/issues/675
+
+## Background
+Gathering information to troubleshoot a Velero deployment is currently spread across multiple commands, and is not very efficient. Logs for the Velero server itself are accessed via a kubectl logs command, while information on specific backups or restores are accessed via a Velero subcommand. Restic logs are even more complicated to retrieve, since one must gather logs for every instance of the daemonset, and there’s currently no good mechanism to locate which node a particular restic backup ran against.  
+A dedicated subcommand can lower this effort and reduce back-and-forth between user and developer for collecting the logs.
+
+
+## Goals
+- Enable efficient log collection for Velero and associated components, like plugins and restic.
+
+## Non Goals
+- Collecting logs for components that do not belong to velero such as storage service.
+- Automated log analysis.
+
+## High-Level Design
+With the introduction of the new command `velero debug`, the command would download all of the following information:
+- velero deployment logs
+- restic DaemonSet logs
+- plugin logs 
+- All the resources in the group `velero.io` that are created such as:
+    - Backup
+    - Restore
+    - BackupStorageLocation
+    - PodVolumeBackup
+    - PodVolumeRestore
+    - *etc ...*
+- Log of the backup and restore, if specified in the param
+
+A project called `crash-diagnostics` (or `crashd`) (https://github.com/vmware-tanzu/crash-diagnostics)  implements the Kubernetes API queries and provides Starlark scripting language to abstract details, and collect the information into a local copy.   It can be used as a standalone CLI executing a Starlark script file.
+With the capabilities of embedding files in Go 1.16, we can define a Starlark script gathering the necessary information, embed the script at build time, then the velero debug command will invoke `crashd`, passing in the script’s text contents.
+
+## Detailed Design
+### Triggering the script
+The Starlark script to be called by crashd:
+
+```python
+def capture_backup_logs(cmd, namespace):
+    if args.backup:
+        log("Collecting log and information for backup: {}".format(args.backup))
+        backupDescCmd = "{} --namespace={} backup describe {} --details".format(cmd, namespace, args.backup)
+        capture_local(cmd=backupDescCmd, file_name="backup_describe_{}.txt".format(args.backup))
+        backupLogsCmd = "{} --namespace={} backup logs {}".format(cmd, namespace, args.backup)
+        capture_local(cmd=backupLogsCmd, file_name="backup_{}.log".format(args.backup))
+def capture_restore_logs(cmd, namespace):
+    if args.restore:
+        log("Collecting log and information for restore: {}".format(args.restore))
+        restoreDescCmd = "{} --namespace={} restore describe {} --details".format(cmd, namespace, args.restore)
+        capture_local(cmd=restoreDescCmd, file_name="restore_describe_{}.txt".format(args.restore))
+        restoreLogsCmd = "{} --namespace={} restore logs {}".format(cmd, namespace, args.restore)
+        capture_local(cmd=restoreLogsCmd, file_name="restore_{}.log".format(args.restore))
+
+ns = args.namespace if args.namespace else "velero"
+output = args.output if args.output else "bundle.tar.gz"
+cmd = args.cmd if args.cmd else "velero"
+# Working dir for writing during script execution
+crshd = crashd_config(workdir="./velero-bundle")
+set_defaults(kube_config(path=args.kubeconfig, cluster_context=args.kubecontext))
+log("Collecting velero resources in namespace: {}". format(ns))
+kube_capture(what="objects", namespaces=[ns], groups=['velero.io'])
+capture_local(cmd="{} version -n {}".format(cmd, ns), file_name="version.txt")
+log("Collecting velero deployment logs in namespace: {}". format(ns))
+kube_capture(what="logs", namespaces=[ns])
+capture_backup_logs(cmd, ns)
+capture_restore_logs(cmd, ns)
+archive(output_file=output, source_paths=[crshd.workdir])
+log("Generated debug information bundle: {}".format(output))
+```
+The sample command to trigger the script via crashd:
+```shell
+./crashd run ./velero.cshd --args 
+'backup=harbor-backup-2nd,namespace=velero,basedir=,restore=,kubeconfig=/home/.kube/minikube-250-224/config,output='
+```
+To trigger the script in `velero debug`, in the package `pkg/cmd/cli/debug` a struct `option` will be introduced
+```go
+type option struct {
+	// currCmd the velero command
+	currCmd string
+	// workdir for crashd will be $baseDir/velero-debug
+	baseDir string
+	// the namespace where velero server is installed
+	namespace string
+	// the absolute path for the log bundle to be generated
+	outputPath string
+	// the absolute path for the kubeconfig file that will be read by crashd for calling K8S API
+	kubeconfigPath string
+	// the kubecontext to be used for calling K8S API
+	kubeContext string
+	// optional, the name of the backup resource whose log will be packaged into the debug bundle
+	backup string
+	// optional, the name of the restore resource whose log will be packaged into the debug bundle
+	restore string
+	// optional, it controls whether to print the debug log messages when calling crashd
+	verbose bool
+}
+```
+The code will consolidate the input parameters and execution context of the `velero` CLI to form the option struct, which can be transformed into the `argsMap` that can be used when calling the func `exec.Execute` in `crashd`:
+https://github.com/vmware-tanzu/crash-diagnostics/blob/v0.3.4/exec/executor.go#L17
+
+## Alternatives Considered
+The collection could be done via the kubernetes client-go API, but such integration is not necessarily trivial to implement, therefore, `crashd` is preferred approach
+
+## Security Considerations
+- The starlark script will be embedded into the velero binary, and the byte slice will be passed to the `exec.Execute` func directly, so there’s little risk that the script will be modified before being executed.
+
+## Compatibility
+As the `crashd` project evolves the behavior of the internal functions used in the Starlark script may change.  We’ll ensure the correctness of the script via regular E2E tests.
+
+
+## Implementation
+1. Bump up to use Go v1.16 to compile velero
+2. Embed the starlark script
+3. Implement the `velero debug` sub-command to call the script
+4. Add E2E test case
+
+## Open Questions
+- **Command dependencies:** In the Starlark script, for collecting version info and backup logs, it calls the `velero backup logs` and `velero version`, which makes the call stack like velero debug -> crashd -> velero xxx.  We need to make sure this works under different PATH settings.
+- **Progress and error handling:** The log collection may take a relatively long time, log messages should be printed to indicate the progress when different items are being downloaded and packaged.  Additionally, when an error happens, `crashd` may omit some errors, so before the script is executed we'll do some validation and make sure the `debug` command fail early if some parameters are incorrect.

design/graph-manifest.md

@@ -0,0 +1,219 @@
+# Object Graph Manifest for Velero
+
+## Abstract
+
+One to two sentences that describes the goal of this proposal and the problem being solved by the proposed change.
+The reader should be able to tell by the title, and the opening paragraph, if this document is relevant to them.
+
+Currently, Velero does not have a complete manifest of everything in the backup, aside from the backup tarball itself.
+This change introduces a new data structure to be stored with a backup in object storage which will allow for more efficient operations in reporting of what a backup contains.
+Additionally, this manifest should enable advancements in Velero's features and architecture, enabling dry-run support, concurrent backup and restore operations, and reliable restoration of complex applications.
+
+## Background
+
+Right now, Velero backs up items one at a time, sorted by API Group and namespace.
+It also restores items one at a time, using the restoreResourcePriorities flag to indicate which order API Groups should have their objects restored first.
+While this does work currently, it presents challenges for more complex applications that have their dependencies in the form of a graph rather than strictly linear.
+
+For example, Cluster API clusters are a set of complex Kubernetes objects that require that the "root" objects are restored first, before their "leaf" objects.
+If a Cluster that a ClusterResourceSetBinding refers to does not exist, then a restore of the CAPI cluster will fail.
+
+Additionally, Velero does not have a reliable way to communicate what objects will be affected in a backup or restore operation without actually performing the operation.
+This complicates dry-run tasks, because a user must simply perform the action without knowing what will be touched.
+It also complicates allowing backups and restores to run in parallel, because there is currently no way to know if a single Kubernetes object is included in multiple backups or restores, which can lead to unreliability, deadlocking, and race conditions were Velero made to be more concurrent today.
+
+## Goals
+
+- Introduce a manifest data structure that defines the contents of a backup.
+- Store the manifest data into object storage alongside existing backup data.
+
+## Non Goals
+
+This proposal seeks to enable, but not define, the following.
+
+- Implementing concurrency beyond what already exists in Velero.
+- Implementing a dry-run feature.
+- Implementing a new restore ordering procedure.
+
+While the data structure should take these scenarios into account, they will not be implemented alongside it.
+
+## High-Level Design
+
+To uniquely identify a Kubernetes object within a cluster or backup, the following fields are sufficient:
+
+- API Group and Version (example: backup.velero.io/v1)
+- Namespace 
+- Name
+- Labels
+
+This criteria covers the majority of Velero's inclusion or exclusion logic.
+However, some additional fields enable further use cases.
+
+- Owners, which are other Kubernetes objects that have some relationship to this object. They may be strict or soft dependencies.
+- Annotations, which provide extra metadata about the object that might be useful for other programs to consume.
+- UUID generated by Kubernetes. This is useful in defining Owner relationships, providing a single, immutable key to find an object. This is _not_ considered at restore time, only internally for defining links.
+
+All of this information already exists within a Velero backup's tarball of resources, but extracting such data is inefficient.
+The entire tarball must be downloaded and extracted, and then JSON within parsed to read labels, owners, annotations, and a UUID.
+The rest of the information is encoded in the file system structure within the Velero backup tarball.
+While doable, this is heavyweight in terms of time and potentially memory.
+
+Instead, this proposal suggests adding a new manifest structure that is kept alongside the backup tarball.
+This structure would contain the above fields only, and could be used to perform inclusion/exclusion logic on a backup, select a resource from within a backup, and do set operations over backup or restore contents to identify overlapping resources.
+
+Here are some use cases that this data structure should enable, that have been difficult to implement prior to its existence:
+
+- A dry-run operation on backup, informing the user what would be selected if they were to perform the operation.
+ A manifest could be created and saved, allowing for a user to do a dry-run, then accept it to perform the backup.
+ Restore operations can be treated similarly.
+- Efficient, non-overlapping parallelization of backup and restore operations.
+ By building or reading a manifest before performing a backup or restore, Velero can determine if there are overlapping resources.
+ If there are no overlaps, the operations can proceed in parallel.
+ If there are overlaps, the operations can proveed serially.
+- Graph-based restores for non-linear dependencies.
+ Not all resources in a Kubernetes cluster can be defined in a strict, linear way.
+ They may have multiple owners, and writing BackupItemActions or RestoreItemActions to simply return a chain of owners is not an efficient way to support the many Kubernetes operators/controllers being written.
+ Instead, by having a manifest with enough information, Velero can build a discrete list that ensures dependencies are restored before their dependents, with less input from plugin authors.
+
+## Detailed Design
+
+The Manifest data structure would look like this, in Go type structure:
+
+```golang
+// NamespacedItems maps a given namespace to all of its contained items.
+type NamespacedItems map[string]*Item
+
+// APIGroupNamespaces maps an API group/version to a map of namespaces and their items.
+type KindNamespaces map[string]NamespacedItems
+
+type Manifest struct {
+    // Kinds holds the top level map of all resources in a manifest.
+    Kinds KindNamespaces
+
+    // Index is used to look up an individual item quickly based on UUID.
+    // This enables fetching owners out of the maps more efficiently at the cost of memory space.
+    Index map[string]*Item
+}
+
+
+// Item represents a Kubernetes resource within a backup based on it's selectable criteria.
+// It is not the whole Kubernetes resource as retrieved from the API server, but rather a collection of important fields needed for filtering.
+type Item struct {
+    // Kubernetes API group which this Item belongs to.
+    // Could be a core resource, or a CustomResourceDefinition.
+    APIGroup string
+
+    // Version of the APIGroup that the Item belongs to.
+    APIVersion string
+
+    // Kubernetes namespace which contains this item.
+    // Empty string for cluster-level resource.
+    Namespace string
+
+    // Item's given name.
+    Name string
+
+    // Map of labels that the Item had at backup time.
+    Labels map[string]string
+
+    // Map of annotations that the Item had at Backup time.
+    // Useful for plugins that may decide to process only Items with specific annotations.
+    Annotations map[string]string
+
+    // Owners is a list of UUIDs to other items that own or refer to this item.
+    Owners []string
+
+    // Manifest is a pointer to the Manifest in which this object is contained.
+    // Useful for getting access to things like the Manifest.Index map.
+    Manifest *Manifest
+}
+```
+
+In addition to the new types, the following Go interfaces would be provided for convenience.
+
+```golang
+type Itermer interface {
+    // Returns the Item as a string, following the current Velero backup version 1.1.0 tarball structure format.
+    // <APIGroup>/<Namespace>/<APIVersion>/<name>.json
+    String() string
+
+    // Owners returns a slice of realized Items that own or refer to the current Item.
+    // Useful for building out a full graph of Items to restore.
+    // Will use the UUIDs in Item.Owners to look up the owner Items in the Manifest.
+    Owners() []*Item
+
+    // Kind returns the Kind of an object, which is a combination of the APIGroup and APIVersion.
+    // Useful for verifying the needed CustomResourceDefinition exists before actually restoring this Item.
+    Kind() *Item
+
+    // Children returns a slice of all Items that refer to this item as an Owner.
+    Children() []*Items
+}
+
+// This error type is being created in order to make reliable sentinel errors.
+// See https://dave.cheney.net/2019/06/10/constant-time for more details.
+type ManifestError string
+
+func (e ManifestError) Error() string {
+    return string(e)
+}
+
+const ItemAlreadyExists = ManifestError("item already exists in manifest")
+
+type Manifester interface {
+    // Set returns the entire list of resources as a set of strings (using Itemer.String).
+    // This is useful for comparing two manifests and determining if they have any overlapping resources.
+    // In the future, when implementing concurrent operations, this can be used as a sanity check to ensure resources aren't being backed up or restored by two operations at once.
+    Set() sets.String
+
+    // Adds an item to the appropriate APIGroup and Namespace within a Manifest
+    // Returns (true, nil) if the Item is successfully added to the Manifest,
+    // Returns (false, ItemAlreadyExists) if the Item is already in the Manifest.
+    Add(*Item) (bool, error)
+}
+```
+
+### Serialization
+
+The entire `Manifest` should be serialized into the `manifest.json` file within the object storage for a single backup.
+It is possible that this file could also be compressed for space efficiency.
+
+### Memory Concerns
+
+Because the `Manifest` is holding a minimal amount of data, memory sizes should not be a concern for most clusters.
+TODO: Document known limits on API group name, resource name, and kind name character limits.
+
+## Security Considerations
+
+Introducing this manifest does not increase the attack surface of Velero, as this data is already present in the existing backups.
+Storing the manifest.json file next to the existing backup data in the object storage does not change access patterns.
+
+## Compatibility
+
+The introduction of this file should trigger Velero backup version 1.2.0, but it will not interfere with Velero versions that do not support the `Manifest` as the file will be additive.
+In time, this file will replace the `<backupname>-resource-list.json.gz` file, but for compatibility the two will appear side by side.
+
+When first implemented, Velero should simply build the `Manifest` as it backs up items, and serialize it at the end.
+Any logic changes that rely on the `Manifest` file must be introduced with their own design document, with their own compatibility concerns.
+
+## Implementation
+
+The `Manifest` object will _not_ be implemented as a Kubernetes CustomResourceDefinition, but rather one of Velero's own internal constructs.
+
+Implementation for the data structure alone should be minimal - the types will need to be defined in a `manifest` package.
+Then, the backup process should create a `Manifest`, passing it to the various `*Backuppers` in the `backup` package.
+These methods will insert individual `Items` into the `Manifest`.
+Finally, logic should be added to the `persistence` package to ensure that the new `manifest.json` file is uploadable and allowed.
+
+## Alternatives Considered
+
+None so far.
+
+## Open Issues
+
+- When should compatibility with the `<backupname>-resource-list.json.gz` file be dropped?
+- What are some good test case Kubernetes resources and controllers to try this out with?
+Cluster API seems like an obvious choice, but are there others?
+- Since it is not implemented as a CustomResourceDefinition, how can a `Manifest` be retained so that users could issue a dry-run command, then perform their actual desire operation?
+Could it be stored in Velero's temp directories?
+Note that this is making Velero itself more stateful.

design/secrets.md

@@ -8,15 +8,19 @@ This makes it so switching from one plugin to another necessitates overriding th
 
 - To allow Velero to create and store multiple secrets for provider credentials, even multiple credentials for the same provider
 - To improve the UX for configuring the velero deployment with multiple plugins/providers.
+- Enable use cases such as AWS volume snapshots w/Minio as the object storage
+- Continue to support use cases where multiple Backup Storage Locations are in use simultaneously 
+    - `velero backup logs` while backup/restore is running
+- Handle changes in configuration while operations are happening as well as they currently are
 
 ## Non Goals
 
 - To make any change except what's necessary to handle multiple credentials
-- To allow multiple credentials for or change the UX for node-based authentication (e.g. AWS IAM, GCP Workload Identity, Azure AAD Pod Identity).
+- To allow multiple credentials for or change the UX for node-based authentication (e.g. AWS IAM, GCP Workload Identity, Azure AAD Pod Identity).  Node-based authentication will not allow cases such as a mix of AWS snapshots with Minio object storage.
 
 ## Design overview
 
-Instead of one credential per Velero deployment, multiple credentials can be added and used with different BSLs VSLs.
+Instead of one credential per Velero deployment, multiple credentials can be added and used with different BSLs.
   
 There are two aspects to handling multiple credentials:
 
@@ -30,36 +34,98 @@ Each of these aspects will be discussed in turn.
 Currently, Velero creates a secret (`cloud-credentials`) during install with a single entry that contains the contents of the credentials file passed by the user.
 
 Instead of adding new CLI options to Velero to create and manage credentials, users will create their own Kubernetes secrets within the Velero namespace and reference these.
-This approach is being chosen as it allows users to directly manage Kubernetes secrets objects as they wish and it removes the need for wrapper functions to be created within Velero to manage the creation of secrets.
-An initial approach to this problem included modifying the existing `cloud-credentials` secret to add a new entry with each new set of credentials.
-It is likely that this approach would encounter problems as users added more credentials as the maximum size of Secret in Kubernetes is 1MB.
-By allowing users to create Secrets as they need to, we remove these potential limitations.
+This approach is being chosen as it allows users to directly manage Kubernetes secrets objects as they wish and it removes the need for wrapper functions to be created within Velero to manage the creation of secrets.  Separate credentials rather than combining credentials in a single secret also avoids issues with maximum size of credentials as well as update in place issues. 
 
-To enable the use of existing Kubernetes secrets, BSLs and VSLs will be modified to have a new field `Credential`.
-This field will be a [`SecretKeySelector`](https://godoc.org/k8s.io/api/core/v1#SecretKeySelector) which will enable the user to specify which key within a particular secret the BSL/VSL should use.
+To enable the use of existing Kubernetes secrets, BSLs will be modified to have a new field `Credential`.
+This field will be a [`SecretKeySelector`](https://godoc.org/k8s.io/api/core/v1#SecretKeySelector) which will enable the user to specify which key within a particular secret the BSL should use.
 
-The CLI for managing BSLs and VSLs will be modified to allow the user to set these credentials.
-Both `velero backup-location (create|set)` and `velero snapshot-location (create|set)` will have a new flag (`--credential`) to specify the secret and key within the secret to use.
+Existing BackupStorageLocationSpec definition:
+
+	// BackupStorageLocationSpec defines the desired state of a Velero BackupStorageLocation
+	type BackupStorageLocationSpec struct {
+		// Provider is the provider of the backup storage.
+		Provider string `json:"provider"`
+	
+		// Config is for provider-specific configuration fields.
+		// +optional
+		Config map[string]string `json:"config,omitempty"`
+	
+		StorageType `json:",inline"`
+	
+		// Default indicates this location is the default backup storage location.
+		// +optional
+		Default bool `json:"default,omitempty"`
+	
+		// AccessMode defines the permissions for the backup storage location.
+		// +optional
+		AccessMode BackupStorageLocationAccessMode `json:"accessMode,omitempty"`
+	
+		// BackupSyncPeriod defines how frequently to sync backup API objects from object storage. A value of 0 disables sync.
+		// +optional
+		// +nullable
+		BackupSyncPeriod *metav1.Duration `json:"backupSyncPeriod,omitempty"`
+	
+		// ValidationFrequency defines how frequently to validate the corresponding object storage. A value of 0 disables validation.
+		// +optional
+		// +nullable
+		ValidationFrequency *metav1.Duration `json:"validationFrequency,omitempty"`
+	}
+
+The following field will be added:
+
+	Credential *corev1api.SecretKeySelector `json:"credential,omitempty"`
+
+The resulting BackupStorageLocationSpec will be this:
+
+	// BackupStorageLocationSpec defines the desired state of a Velero BackupStorageLocation
+	type BackupStorageLocationSpec struct {
+		// Provider is the provider of the backup storage.
+		Provider string `json:"provider"`
+	
+		// Config is for provider-specific configuration fields.
+		// +optional
+		Config map[string]string `json:"config,omitempty"`
+	
+		// Credential contains the credential information intended to be used with this location
+		// +optional
+		Credential *corev1api.SecretKeySelector `json:"credential,omitempty"`
+	
+		StorageType `json:",inline"`
+	
+		// Default indicates this location is the default backup storage location.
+		// +optional
+		Default bool `json:"default,omitempty"`
+	
+		// AccessMode defines the permissions for the backup storage location.
+		// +optional
+		AccessMode BackupStorageLocationAccessMode `json:"accessMode,omitempty"`
+	
+		// BackupSyncPeriod defines how frequently to sync backup API objects from object storage. A value of 0 disables sync.
+		// +optional
+		// +nullable
+		BackupSyncPeriod *metav1.Duration `json:"backupSyncPeriod,omitempty"`
+	
+		// ValidationFrequency defines how frequently to validate the corresponding object storage. A value of 0 disables validation.
+		// +optional
+		// +nullable
+		ValidationFrequency *metav1.Duration `json:"validationFrequency,omitempty"`
+	}
+	
+The CLI for managing Backup Storage Locations (BSLs) will be modified to allow the user to set these credentials.
+Both `velero backup-location (create|set)` will have a new flag (`--credential`) to specify the secret and key within the secret to use.
 This flag will take a key-value pair in the format `<secret-name>=<key-in-secret>`.
 The arguments will be validated to ensure that the secret exists in the Velero namespace.
+If the Credential field is empty in a BSL, the default credentials from `cloud-credentials` will be used as they
+are currently.
 
 ### Making credentials available to plugins
 
-There are three different approaches that can be taken to provide credentials to plugin processes:
-
-1. Providing the path to the credentials file as an environment variable per plugin. This is how credentials are currently passed.
-1. Include the path to the credentials file in the `config` map passed to a plugin.
-1. Include the details of the secret in the `config` map passed to a plugin.
-
-The last two options require changes to the plugin as the plugin will need to instantiate a client using the provided credentials.
-The client libraries used by the plugins will not be able to rely on the credentials details being available in the environment as they currently do.
-
-We have selected option 2 as the approach to take which will be described below.
+The approach we have chosen is to include the path to the credentials file in the `config` map passed to a plugin.
 
 ### Including the credentials file path in the `config` map
 
-Prior to using any secret for a BSL or VSL, it will need to be serialized to disk.
-Using the details in the `Credential` field in the BSL/VSL, the contents of the Secret will be read and serialized.
+Prior to using any secret for a BSL, it will need to be serialized to disk.
+Using the details in the `Credential` field in the BSL, the contents of the Secret will be read and serialized.
 To achieve this, we will create a new package, `credentials`, which will introduce new types and functions to manage the fetching of credentials based on a `SecretKeySelector`.
 This will also be responsible for serializing the fetched credentials to a temporary directory on the Velero pod filesystem.
 
@@ -71,8 +137,8 @@ This means that any time a `BackupStore`, or other type which requires credentia
 If we instead wanted to use an unique file each time, we could work around the of multiple files being written by cleaning up the temporary files upon completion of the plugin operations, if this information is known.
 
 Once the credentials have been serialized, this path will be made available to the plugins.
-Instead of setting the necessary environment variable for the plugin process, the `config` map for the BSL/VSL will be modified to include an addiitional entry with the path to the credentials file: `credentialsFile`.
-This will be passed through when [initializing the BSL/VSL](https://github.com/vmware-tanzu/velero/blob/main/pkg/plugin/velero/object_store.go#L27-L30) and it will be the responsibility of the plugin to use the passed credentials when starting a session.
+Instead of setting the necessary environment variable for the plugin process, the `config` map for the BSL will be modified to include an addiitional entry with the path to the credentials file: `credentialsFile`.
+This will be passed through when [initializing the BSL](https://github.com/vmware-tanzu/velero/blob/main/pkg/plugin/velero/object_store.go#L27-L30) and it will be the responsibility of the plugin to use the passed credentials when starting a session.
 For an example of how this would affect the AWS plugin, see [this PR](https://github.com/vmware-tanzu/velero-plugin-for-aws/pull/69).
 
 The restic controllers will also need to be updated to use the correct credentials.
@@ -84,6 +150,22 @@ Currently, GCP is the only provider that relies on the existing environment vari
 For GCP, the environment variable will be overwritten with the path of the serialized secret.
 
 
+## Split credentials between VolumeSnapshotter and ObjectStore plugins
+
+One of the use cases we wish to satisfy is the ability to specify a different object store than the cloud provider offers,
+for example, using a Minio S3 object store from within AWS.  Currently the VolumeSnapshotter and the ObjectStore plugin
+share the cloud credentials.  Each backup/restore has a BackupStorageLocation associated
+with it.  The BackupStorageLocation can optionally specify the credential used by the ObjectStorePlugin and Restic daemons 
+while the cloud credential will always be used for the VolumeSnapshotter.
+
+## Velero Plugin for vSphere compatibility
+
+The vSphere plugin is implemented as a BackupItemAction and shares the credentials of the AWS plug-in for S3 access.
+The backup storage location is passed in _Backup.Spec.StorageLocation_.  Currently the plugin retrieves the S3 bucket and
+server from the BSL and creates a BackupRespositoryClaim with that and the credentials retrieved from the cloud credential.
+The plug-in will need to be modified to retrieve the credentials field from the BSL and use that credential in the
+BackupRepositoryClaim.
+
 ## Backwards compatibility
 
 For now, regardless of the approaches used above, we will still support the existing workflow.
@@ -92,15 +174,33 @@ Users will be able to set credentials during install and a secret will be create
 This secret will still be mounted into the Velero pods and the appropriate environment variables set.
 This will allow users to use versions of plugins which haven't yet been updated to use credentials directly, such as with many community created plugins.
 
-Multiple credential handling will only be used in the case where a particular BSL/VSL has been modified to use an existing secret.
+Multiple credential handling will only be used in the case where a particular BSL has been modified to use an existing secret.
 
 ## Security Considerations
 
 Although the handling of secrets will be similar to how credentials are currently managed within Velero, care must be taken to ensure that any new code does not leak the contents of secrets, for example, including them within logs.
 
+## Parallelism
+In order to support parallelism, Velero will need to be able to use multiple credentials simultaneously with the
+ObjectStore.  Currently backups are single threaded and a single BSL will be used throughout the entire backup.  The only
+existing points of parallelism are when a user downloads logs for a backup or the BackupStorageLocationReconciler 
+reconciles while a backup or restore is running.  In the current code, `download_request_controller.go` and 
+`backup_storage_location_controller.go` create a new plug-in manager and hence another ObjectStore plugin in 
+parallel with the ObjectStore plugin servicing a backup or restore (if one is running).
+
 ## Alternatives Considered
 
-As mentioned above, there were three potential approaches for providing this support.
+Three different approaches can be taken to provide credentials to plugin processes:
+
+1. Providing the path to the credentials file as an environment variable per plugin. This is how credentials are currently passed.
+1. Include the path to the credentials file in the `config` map passed to a plugin.
+1. Include the details of the secret in the `config` map passed to a plugin.
+
+The last two options require changes to the plugin as the plugin will need to instantiate a client using the provided credentials.
+The client libraries used by the plugins will not be able to rely on the credentials details being available in the environment as they currently do.
+
+We have selected option 2 as the approach to take.
+
 The approaches that were not selected are detailed below for reference.
 
 #### Providing the credentials via environment variables
@@ -110,11 +210,11 @@ Currently, there is a single secret, which is mounted into every pod deployed by
 This path is made known to all plugins through provider specific environment variables and all possible provider environment variables are set to this path.
 
 Instead of setting the environment variables for all the pods, we can modify plugin processes are created so that the environment variables are set on a per plugin process basis.
-Prior to using any secret for a BSL or VSL, it will need to be serialized to disk.
-Using the details in the `Credential` field in the BSL/VSL, the contents of the Secret will be read and serialized to a file.
+Prior to using any secret for a BSL, it will need to be serialized to disk.
+Using the details in the `Credential` field in the BSL, the contents of the Secret will be read and serialized to a file.
 Each plugin process would still have the same set of environment variables set, however the value used for each of these variables would instead be the path to the serialized secret.
 
-To set the environment variables for a plugin process, the plugin manager must be modified so that when creating an ObjectStore or VolumeSnapshotter, we pass in the entire BSL/VSL object, rather than [just the provider](https://github.com/vmware-tanzu/velero/blob/main/pkg/plugin/clientmgmt/manager.go#L132-L158).
+To set the environment variables for a plugin process, the plugin manager must be modified so that when creating an ObjectStore, we pass in the entire BSL object, rather than [just the provider](https://github.com/vmware-tanzu/velero/blob/main/pkg/plugin/clientmgmt/manager.go#L132-L158).
 The plugin manager currently stores a map of [plugin executables to an associated `RestartableProcess`](https://github.com/vmware-tanzu/velero/blob/main/pkg/plugin/clientmgmt/manager.go#L59-L70).
 New restartable processes are created only [with the executable that the process would run](https://github.com/vmware-tanzu/velero/blob/main/pkg/plugin/clientmgmt/manager.go#L122).
 This could be modified to also take the necessary environment variables so that when [underlying go-plugin process is created](https://github.com/vmware-tanzu/velero/blob/main/pkg/plugin/clientmgmt/client_builder.go#L78), these environment variables could be provided and would be set on the plugin process.

design/upload-progress.md

@@ -0,0 +1,311 @@
+# Upload Progress Monitoring
+
+Volume snapshotter plug-in are used by Velero to take snapshots of persistent volume contents. 
+Depending on the underlying storage system, those snapshots may be available to use immediately, 
+they may be uploaded to stable storage internally by the plug-in or they may need to be uploaded after
+the snapshot has been taken. We would like for Velero to continue on to the next part of the backup as quickly
+as possible but we would also like the backup to not be marked as complete until it is a usable backup.  We'd also
+eventually like to bring the control of upload under the control of Velero and allow the user to make decisions
+about the ultimate destination of backup data independent of the storage system they're using.
+
+
+
+## Examples
+AWS - AWS snapshots return quickly, but are then uploaded in the background and cannot be used until EBS moves
+the data into S3 internally.
+
+vSphere - The vSphere plugin takes a local snapshot and then the vSphere plugin uploads the data to S3.  The local
+snapshot is usable before the upload completes.
+
+Restic - Does not go through the volume snapshot path.  Restic backups will block Velero progress until completed.
+
+## Goals
+
+- Enable monitoring of operations that continue after snapshotting operations have completed
+- Keep non-usable backups (upload/persistence has not finished) from appearing as completed
+- Minimize change to volume snapshot and BackupItemAction plug-ins
+
+## Non-goals
+- Unification of BackupItemActions and VolumeSnapshotters
+
+## Models
+
+### Internal configuration and management
+In this model, movement of the snapshot to stable storage is under the control of the snapshot
+plug-in.  Decisions about where and when the snapshot gets moved to stable storage are not
+directly controlled by Velero.  This is the model for the current VolumeSnapshot plugins.
+
+### Velero controlled management
+In this model, the snapshot is moved to external storage under the control of Velero.  This
+enables Velero to move data between storage systems.  This also allows backup partners to use
+Velero to snapshot data and then move the data into their backup repository.
+
+## Backup phases
+
+Velero currently has backup phases "InProgress" and "Completed".  The backup moves to the Completed
+phase when all of the volume snapshots have completed and the Kubernetes metadata has been written
+into the object store.  However, the actual data movement may be happening in the background
+after the backup has been marked "Completed".  The backup is not actually a stable backup until
+the data has been persisted properly.  In some cases (e.g. AWS) the backup cannot be restored from
+until the snapshots have been persisted.
+
+Once the snapshots have been taken, however, it is possible for additional backups to be made without
+interference.  Waiting until all data has been moved before starting the next backup will
+slow the progress of the system without adding any actual benefit to the user.
+
+A new backup phase, "Uploading" will be introduced.  When a backup has entered this phase, Velero
+is free to start another backup.  The backup will remain in the "Uploading" phase until all data
+has been successfully moved to persistent storage.  The backup will not fail once it reaches
+this phase, it will continuously retry moving the data.  If the backup is deleted (cancelled), the plug-ins will
+attempt to delete the snapshots and stop the data movement - this may not be possible with all
+storage systems.
+
+### State progression
+
+![image](UploadFSM.png)
+### New
+When a backup request is initially created, it is in the "New" phase.  
+
+The next state is either "InProgress" or "FailedValidation"
+
+### FailedValidation
+If the backup request is incorrectly formed, it goes to the "FailedValidation" phase and terminates
+
+### InProgress
+When work on the backup begins, it moves to the "InProgress" phase.  It remains in the "InProgress"
+phase until all pre/post execution hooks have been executed, all snapshots have been taken and the
+Kubernetes metadata and backup info is safely written to the object store plug-in.
+
+In the current implementation, Restic backups will move data during the "InProgress" phase.
+In the future, it may be possible to combine a snapshot with a Restic (or equivalent) backup which
+would allow for data movement to be handled in the "Uploading" phase,
+
+The next phase is either "Completed", "Uploading", "Failed" or "PartiallyFailed".  Backups which 
+would have a final phase of "Completed" or "PartiallyFailed" may move to the "Uploading" state.
+A backup which will be marked "Failed" will go directly to
+the "Failed" phase.  Uploads may continue in the background for snapshots that were taken by a "Failed"
+backup, but no progress will not be monitored or updated.  When a "Failed" backup is deleted, all snapshots
+will be deleted and at that point any uploads still in progress should be aborted.
+
+### Uploading (new)
+The "Uploading" phase signifies that the main part of the backup, including snapshotting has completed successfully
+and and uploading is continuing.  In the event of an error during uploading, the phase will change to 
+UploadingPartialFailure.  On success, the phase changes to Completed.  The backup cannot be
+restored from when it is in the Uploading state.
+
+### UploadingPartialFailure (new)
+The "UploadingPartialFailure" phase signifies that the main part of the backup, including snapshotting has completed,
+but there were partial failures either during the main part or during the uploading.  The backup cannot be
+restored from when it is in the UploadingPartialFailure state.
+
+### Failed
+When a backup has had fatal errors it is marked as "Failed"  This backup cannot be restored from.
+
+### Completed
+The "Completed" phase signifies that the backup has completed, all data has been transferred to stable storage
+and the backup is ready to be used in a restore.  When the Completed phase has been reached it is safe
+to remove any of the items that were backed up.
+
+### PartiallyFailed
+The "PartiallyFailed" phase signifies that the backup has completed and at least part of the backup is usable.
+Restoration from a PartiallyFailed backup will not result in a complete restoration but pieces may be available.
+
+## Workflow
+
+When a BackupAction is executed, any SnapshotItemAction or VolumeSnapshot plugins will return snapshot IDs.
+The plugin should be able to provide status on
+the progress for the snapshot and handle cancellation of the upload if the snapshot is deleted.
+If the plugin is restarted, the snapshot ID should remain valid.
+
+When all snapshots have been taken and Kubernetes resources have been persisted to the ObjectStorePlugin
+the backup will either have fatal errors or will be at least partially usable.
+
+If the backup has fatal errors it will move to the "Failed" state and finish. If a backup fails, the upload will not be
+cancelled but it will not be monitored either.  For backups in any phase, all snapshots will be deleted when the backup
+is deleted.  Plugins will cancel any data movement and
+remove snapshots and other associated resources when the VolumeSnapshotter DeleteSnapshot method or 
+DeleteItemAction Execute method is called.
+
+Velero will poll the plugins for status on the snapshots when the backup exits the "InProgress" phase and
+has no fatal errors.
+
+If any snapshots are not complete, the backup will move to either Uploading or UploadingPartialFailure or Failed.
+
+Post-snapshot operations may take a long time and Velero and its plugins may be restarted during 
+this time.  Once a backup has moved into the Uploading or UploadingPartialFailure phase, another 
+backup may be started.
+
+While in the Uploading or UploadingPartialFailure phase, the snapshots and backup items will be periodically polled.
+When all of the snapshots and backup items have reported success, the backup will move to the Completed or 
+PartiallyFailed phase, depending on whether the backup was in the Uploading or UploadingPartialFailure phase.
+
+The Backup resources will not be written to object storage until the backup has entered a final phase: 
+Completed, Failed or PartialFailure
+## Reconciliation of InProgress backups
+
+InProgress backups will not have a `velero-backup.json` present in the object store.  During reconciliation, backups which
+do not have a `velero-backup.json` object in the object store will be ignored.
+
+## Plug-in API changes
+
+### UploadProgress struct
+
+    type UploadProgress struct {
+        completed bool                          // True when the operation has completed, either successfully or with a failure
+        err error                               // Set when the operation has failed
+        itemsCompleted, itemsToComplete int64   // The number of items that have been completed and the items to complete
+                                                // For a disk, an item would be a byte and itemsToComplete would be the
+                                                // total size to transfer (may be less than the size of a volume if
+                                                // performing an incremental) and itemsCompleted is the number of bytes
+                                                // transferred.  On successful completion, itemsCompleted and itemsToComplete
+                                                // should be the same
+        started, updated time.Time              // When the upload was started and when the last update was seen.  Not all
+                                                // systems retain when the upload was begun, return Time 0 (time.Unix(0, 0))
+                                                // if unknown.
+    }
+
+### VolumeSnapshotter changes
+
+A new method will be added to the VolumeSnapshotter interface (details depending on plug-in versioning spec)
+
+    UploadProgress(snapshotID string) (UploadProgress, error)
+
+UploadProgress will report the current status of a snapshot upload.  This should be callable at any time after the snapshot
+has been taken.  In the event a plug-in is restarted, if the snapshotID continues to be valid it should be possible to
+retrieve the progress.
+
+`error` is set if there is an issue retrieving progress.  If the snapshot is has encountered an error during the upload,
+the error should be return in UploadProgress and error should be nil.
+
+### SnapshotItemAction plug-in
+
+Currently CSI snapshots and the Velero Plug-in for vSphere are implemented as BackupItemAction plugins.  The majority of
+BackupItemAction plugins do not take snapshots or upload data so rather than modify BackupItemAction we introduce a new
+plug-ins, SnapshotItemAction.  SnapshotItemAction will be used in place of BackupItemAction for
+the CSI snapshots and the Velero Plug-in for vSphere and will return a snapshot ID in addition to the item itself.
+
+The SnapshotItemAction plugin identifier as well as the Item and Snapshot ID will be stored in the 
+`<backup-name>-itemsnapshots.json.gz`.  When checking for progress, this info will be used to select the appropriate
+SnapshotItemAction plugin to query for progress.
+
+_NotApplicable_ should only be returned if the SnapshotItemAction plugin should not be handling the item.  If the
+SnapshotItemAction plugin should handle the item but, for example, the item/snapshot ID cannot be found to report progress, a
+UploadProgress struct with the error set appropriately (in this case _NotFound_) should be returned.
+
+    // SnapshotItemAction is an actor that snapshots an individual item being backed up (it may also do other
+    operations on the item that is returned).
+    
+    type SnapshotItemAction interface {
+    	// AppliesTo returns information about which resources this action should be invoked for.
+    	// A BackupItemAction's Execute function will only be invoked on items that match the returned
+    	// selector. A zero-valued ResourceSelector matches all resources.
+    	AppliesTo() (ResourceSelector, error)
+    
+    	// Execute allows the ItemAction to perform arbitrary logic with the item being backed up,
+    	// including mutating the item itself prior to backup. The item (unmodified or modified)
+    	// should be returned, along with an optional slice of ResourceIdentifiers specifying
+    	// additional related items that should be backed up.
+    	Execute(item runtime.Unstructured, backup *api.Backup) (runtime.Unstructured, snapshotID string,
+    	    []ResourceIdentifier, error)
+    	
+    	// Progress  
+    	Progress(input *SnapshotItemProgressInput) (UploadProgress, error)
+    }
+    
+    // SnapshotItemProgressInput contains the input parameters for the SnapshotItemAction's Progress function.
+    type SnapshotItemProgressInput struct {
+    	// Item is the item that was stored in the backup
+    	Item runtime.Unstructured
+    	// SnapshotID is the snapshot ID returned by SnapshotItemAction
+    	SnapshotID string
+    	// Backup is the representation of the restore resource processed by Velero.
+    	Backup *velerov1api.Backup
+    }
+
+
+## Changes in Velero backup format
+
+No changes to the existing format are introduced by this change.  A `<backup-name>-itemsnapshots.json.gz` file will be 
+added that contains the items and snapshot IDs returned by ItemSnapshotAction.  Also, the creation of the 
+`velero-backup.json` object will not occur until the backup moves to one of the terminal phases (_Completed_, 
+_PartiallyFailed_, or _Failed_).  Reconciliation should ignore backups that do not have a `velero-backup.json` object.
+
+The cluster that is creating the backup will have the Backup resource present and will be able to manage the backup
+before the backup completes.
+
+If the Backup resource is removed (e.g. Velero is uninstalled) before a backup completes and writes its 
+`velero-backup.json` object, the other objects in the object store for the backup will be effectively orphaned.  This 
+can currently happen but the current window is much smaller.
+
+### `<backup-name>-itemsnapshots.json.gz`
+The itemsnapshots file is similar to the existing `<backup-name>-itemsnapshots.json.gz`  Each snapshot taken via
+SnapshotItemAction will have a JSON record in the file.  Exact format TBD.
+
+## CSI snapshots
+
+For systems such as EBS, a snapshot is not available until the storage system has transferred the snapshot to
+stable storage.  CSI snapshots expose the _readyToUse_ state that, in the case of EBS, indicates that the snapshot
+has been transferred to durable storage and is ready to be used.  The CSI BackupItemProgress.Progress method will
+poll that field and when completed, return completion.
+
+## vSphere plug-in
+
+The vSphere Plug-in for Velero uploads snapshots to S3 in the background.  This is also a BackupItemAction plug-in,
+it will check the status of the Upload records for the snapshot and return progress.
+
+## Backup workflow changes
+
+The backup workflow remains the same until we get to the point where the `velero-backup.json` object is written.
+At this point, we will queue the backup to a finalization go-routine.  The next backup may then begin.  The finalization
+routine will run across all of the volume snapshots and call the _UploadProgress_ method on each of them.  It will
+then run across all items and call _BackupItemProgress.Progress_ for any that match with a BackupItemProgress.
+
+If all snapshots and backup items have finished uploading (either successfully or failed), the backup will be completed
+and the backup will move to the appropriate terminal phase and upload the `velero-backup.json` object to the object store
+and the backup will be complete.
+
+If any of the snapshots or backup items are still being processed, the phase of the backup will be set to the appropriate
+phase (_Uploading_ or _UploadingPartialFailure_).  In the event of any of the upload progress checks return an error, the 
+phase will move to _UploadingPartialFailure_.  The backup will then be requeued and will be rechecked again after some 
+time has passed.
+
+## Restart workflow
+On restart, the Velero server will scan all Backup resources.  Any Backup resources which are in the _InProgress_ phase
+will be moved to the _Failed_ phase.  Any Backup resources in the _Oploading_ or _OploadingPartialFailure_ phase will
+be treated as if they have been requeued and progress checked and the backup will be requeued or moved to a terminal
+phase as appropriate.
+
+# Implementation tasks
+
+VolumeSnapshotter new plugin APIs  
+BackupItemProgress new plugin interface  
+New backup phases  
+Defer uploading `velero-backup.json`  
+AWS EBS plug-in UploadProgress implementation  
+Upload monitoring  
+Implementation of `<backup-name>-itemsnapshots.json.gz` file  
+Restart logic  
+Change in reconciliation logic to ignore backups that have not completed  
+CSI plug-in BackupItemProgress implementation  
+vSphere plug-in BackupItemProgress implementation (vSphere plug-in team)  
+
+# Future Fragile/Durable snapshot tracking
+Futures are here for reference, they may change radically when actually implemented.
+
+Some storage systems have the ability to provide different levels of protection for snapshots.  These are termed "Fragile"
+and "Durable".  Currently, Velero expects snapshots to be Durable (they should be able to survive the destruction of the
+cluster and the storage it is using).  In the future we would like the ability to take advantage of snapshots that are
+Fragile.  For example, vSphere snapshots are Fragile (they reside in the same datastore as the virtual disk).  The Velero
+Plug-in for vSphere uses a vSphere local/fragile snapshot to get a consistent snapshot, then uploads the data to S3 to
+make it Durable.  In the current design, upload progress will not be complete until the snapshot is ready to use and
+Durable.  It is possible, however, to restore data from a vSphere snapshot before it has been made Durable, and this is a
+capability we'd like to expose in the future.  Other storage systems implement this functionality as well.  We will be moving
+the control of the data movement from the vSphere plug-in into Velero.
+
+Some storage system, such as EBS, are only capable of creating Durable snapshots.  There is no usable intermediate Fragile stage.
+
+For a Velero backup, users should be able to specify whether they want a Durable backup or a Fragile backup (Fragile backups
+may consume less resources, be quicker to restore from and are suitable for things like backing up a cluster before upgrading
+software).  We can introduce three snapshot states - Creating, Fragile and Durable.  A snapshot would be created with a
+desired state, Fragile or Durable.  When the snapshot reaches the desired or higher state (e.g. request was for Fragile but
+snapshot went to Durable as on EBS), then the snapshot would be completed.

design/wait-for-additional-items.md

@@ -50,54 +50,82 @@ we still have a reference to the additional items (`GroupResource` and
 namespaced name), as well as a reference to the `RestoreItemAction`
 plugin which required it.
 
-At this point, if the `RestoreItemActionExecuteOutput` includes a
-non-nil `AdditionalItemsReadyFunc` we need to call a func similar to
-`crdAvailable` which we will call `itemsAvailable`
+At this point, if the `RestoreItemActionExecuteOutput`
+`WaitForAdditionalItems` field is set to `true` we need to call a func
+similar to `crdAvailable` which we will call `itemsAvailable`
 https://github.com/vmware-tanzu/velero/blob/main/pkg/restore/restore.go#L623
 This func should also be defined within restore.go
 
 Instead of the one minute CRD timeout, we'll use a timeout specific to
 waiting for additional items. There will be a new field added to
 serverConfig, `additionalItemsReadyTimeout`, with a
-`defaultAdditionalItemsReadyTimeout` const set to 10 minutes. In addition,
-each plugin will be able to define an override for the global
-server-level value, which will be added as another optional field in
-the `RestoreItemActionExecuteOutput` struct. Instead of the
-`IsUnstructuredCRDReady` call, we'll call the returned
-`AdditionalItemsReadyFunc` passing in the same `AdditionalItems` slice
-as an argument (with items which failed to restore filtered out). If
-this func returns an error, then `itemsAvailable` will
-propagate the error, and `restoreItem` will handle it the same way it
-handles an error return on restoring an additional item. If the
-timeout is reached without ready returning true, velero will continue
-on to attempt restore of the current item.
+`defaultAdditionalItemsReadyTimeout` const set to 10 minutes. In
+addition, each plugin will be able to define an override for the
+global server-level value, which will be added as another optional
+field in the `RestoreItemActionExecuteOutput` struct. Instead of the
+`IsUnstructuredCRDReady` call, we'll call `AreAdditionalItemsReady` on
+the plugin, passing in the same `AdditionalItems` slice as an argument
+(with items which failed to restore filtered out). If this func
+returns an error, then `itemsAvailable` will propagate the error, and
+`restoreItem` will handle it the same way it handles an error return
+on restoring an additional item. If the timeout is reached without
+ready returning true, velero will continue on to attempt restore of
+the current item.
+
+### `RestoreItemAction` plugin interface changes
+
+In order to implement the `AreAdditionalItemsReady` plugin func, a new
+function will be added to the `RestoreItemAction` interface.
+```
+type RestoreItemAction interface {
+        // AppliesTo returns information about which resources this action should be invoked for.
+        // A RestoreItemAction's Execute function will only be invoked on items that match the returned
+        // selector. A zero-valued ResourceSelector matches all resources.
+        AppliesTo() (ResourceSelector, error)
+
+        // Execute allows the ItemAction to perform arbitrary logic with the item being restored,
+        // including mutating the item itself prior to restore. The item (unmodified or modified)
+        // should be returned, along with an optional slice of ResourceIdentifiers specifying additional
+        // related items that should be restored, a warning (which will be logged but will not prevent
+        // the item from being restored) or error (which will be logged and will prevent the item
+        // from being restored) if applicable.
+        Execute(input *RestoreItemActionExecuteInput) (*RestoreItemActionExecuteOutput, error)
+
+	// AreAdditionalItemsReady allows the ItemAction to communicate whether the passed-in
+	// slice of AdditionalItems (previously returned by Execute())
+	// are ready. Returns true if all items are ready, and false
+	// otherwise. The second return value is an error string if an
+	// error occurred.
+	AreAdditionalItemsReady(restore *api.Restore, AdditionalItems []ResourceIdentifier) (bool, string)
+}
+```
 
 ### `RestoreItemActionExecuteOutput` changes
 
 Two new fields will be added to `RestoreItemActionExecuteOutput`, both
-optional. `AdditionalItemsReadyTimeout`, if specified, will override
-`serverConfig.additionalItemsReadyTimeout`. If the new func field
-`AdditionalItemsReadyFunc` is non-nil, then `restoreItem` will call
+optional. `AdditionalItemsReadyTimeout`, if non-zero, will override
+`serverConfig.additionalItemsReadyTimeout`. If
+`WaitForAdditionalItems` is true, then `restoreItem` will call
 `itemsAvailable` which will invoke the plugin func
-`AdditionalItemsReadyFunc` and wait until the func returns true or the
-timeout is reached. If `AdditionalItemsReadyFunc` is nil (the default
+`AreAdditionalItemsReady` and wait until the func returns true or the
+timeout is reached. If `WaitForAdditionalItems` is false (the default
 case), then current velero behavior will be followed. Existing plugins
 which do not need to signal to wait for `AdditionalItems` won't need
 to change their `Execute()` functions.
 
-In addition, a new func, `WithItemsWait(readyFunc *func)` will
+In addition, a new func, `WithItemsWait()` will
 be added to `RestoreItemActionExecuteOutput` similar to
-`WithoutRestore()` which will set `AdditionalItemsReadyFunc` to
-`readyfunc`. This will allow a plugin to include waiting for
+`WithoutRestore()` which will set `WaitForAdditionalItems` to
+true. This will allow a plugin to include waiting for
 AdditionalItems like this:
 ```
-func AreItemsReady (restore *api.Restore, additionalItems []ResourceIdentifier) (bool, error) {
+func AreAdditionalItemsReady (restore *api.Restore, additionalItems []ResourceIdentifier) (bool, string) {
 	...
-	return true, nil
+	return true, ""
 }
 func (p *RestorePlugin) Execute(input *velero.RestoreItemActionExecuteInput) (*velero.RestoreItemActionExecuteOutput, error) {
 	...
-	return velero.NewRestoreItemActionExecuteOutput(input.Item).WithItemsWait(AreItemsReady), nil
+	return velero.NewRestoreItemActionExecuteOutput(input.Item).WithItemsWait(), nil
 }
 
 ```
@@ -118,68 +146,6 @@ type RestoreItemActionExecuteOutput struct {
 	// value is true, AdditionalItems will be ignored.
 	SkipRestore bool
 
-	// AdditionalItemsReadyFunc is a func which returns true if
-	// the additionalItems passed into the func are
-	// ready/available. A nil value for this func means that
-	// velero will not wait for the items to be ready before
-	// attempting to restore the current item.
-	AdditionalItemsReadyFunc func(restore *api.Restore, []ResourceIdentifier) (bool, error)
-
-	// AdditionalItemsReadyTimeout will override serverConfig.additionalItemsReadyTimeout
-	// if specified. This value specifies how long velero will wait
-	// for additional items to be ready before moving on.
-	AdditionalItemsReadyTimeout *time.Duration
-}
-
-// WithoutRestore returns SkipRestore for RestoreItemActionExecuteOutput
-func (r *RestoreItemActionExecuteOutput) WithItemsWait(
-	readyFunc func(*api.Restore, []ResourceIdentifier)
-) *RestoreItemActionExecuteOutput {
-	r.AdditionalItemsReadyFunc = readyFunc
-	return r
-}
-
-```
-
-### Earlier iteration (no longer the current implementation plan)
-
-What follows is the first iteration of the design. Everything from
-here is superseded by the content above. The options below require
-either breaking backwards compatibility or dealing with runtime
-casting and optional interfaces. Adding the func pointer to
-`RestoreItemActionExecuteOutput` resolves the problem without
-requiring either.
-
-#### `RestoreItemActionExecuteOutput` changes
-
-A new boolean field will be added to
-`RestoreItemActionExecuteOutput`. If `WaitForAdditionalItems` is true,
-then `restoreItem` will call `itemsAvailable` which will invoke the
-plugin func `AreAdditionalItemsReady` and wait until the func returns
-true or the timeout is reached. If `WaitForAdditionalItems` is false
-(the default case), then current velero behavior will be
-followed. Existing plugins which do not need to signal to wait for
-`AdditionalItems` won't need to change their `Execute()` functions.
-
-In addition, a new func, `WithItemsWait()` will be added to
-`RestoreItemActionExecuteOutput` similar to `WithoutRestore()` which
-will set the `WaitForAdditionalItems` bool to `true`.
-
-```
-// RestoreItemActionExecuteOutput contains the output variables for the ItemAction's Execution function.
-type RestoreItemActionExecuteOutput struct {
-        // UpdatedItem is the item being restored mutated by ItemAction.
-        UpdatedItem runtime.Unstructured
-
-        // AdditionalItems is a list of additional related items that should
-        // be restored.
-        AdditionalItems []ResourceIdentifier
-
-        // SkipRestore tells velero to stop executing further actions
-        // on this item, and skip the restore step. When this field's
-        // value is true, AdditionalItems will be ignored.
-        SkipRestore bool
-
         // WaitForAdditionalItems determines whether velero will wait
 	// until AreAdditionalItemsReady returns true before restoring
 	// this item. If this field's value is true, then after restoring
@@ -187,65 +153,55 @@ type RestoreItemActionExecuteOutput struct {
 	// until AreAdditionalItemsReady returns true or the timeout is
         // reached. Otherwise, AreAdditionalItemsReady is not called.
         WaitForAdditionalItems bool
+
+	// AdditionalItemsReadyTimeout will override serverConfig.additionalItemsReadyTimeout
+	// if specified. This value specifies how long velero will wait
+	// for additional items to be ready before moving on.
+	AdditionalItemsReadyTimeout time.Duration
 }
-```
 
-#### `RestoreItemAction` plugin interface changes
-
-In order to implement the `AreAdditionalItemsReady` plugin func, there
-are two different approaches we could take.
-
-The first would be to simply add another entry to the
-`RestoreItemAction` interface:
-```
-type RestoreItemAction interface {
-        // AppliesTo returns information about which resources this action should be invoked for.
-        // A RestoreItemAction's Execute function will only be invoked on items that match the returned
-        // selector. A zero-valued ResourceSelector matches all resources.
-        AppliesTo() (ResourceSelector, error)
-
-        // Execute allows the ItemAction to perform arbitrary logic with the item being restored,
-        // including mutating the item itself prior to restore. The item (unmodified or modified)
-        // should be returned, along with an optional slice of ResourceIdentifiers specifying additional
-        // related items that should be restored, a warning (which will be logged but will not prevent
-        // the item from being restored) or error (which will be logged and will prevent the item
-        // from being restored) if applicable.
-        Execute(input *RestoreItemActionExecuteInput) (*RestoreItemActionExecuteOutput, error)
-
-	// AreAdditionalItemsReady allows the ItemAction to communicate whether the passed-in 
-	// slice of AdditionalItems (previously returned by Execute())
-	// are ready. Returns true if all items are ready, and false otherwise
-	AreAdditionalItemsReady(restore *api.Restore, AdditionalItems []ResourceIdentifier) (bool, error)
-}
-```
-
-The downside of this approach is that it is not backwards compatible,
-and every `RestoreItemAction` plugin will have to implement the new
-func, simply to return `true` in most cases, since the plugin will
-either never return `AdditionalItems` from Execute or not have any
-special readiness requirements.
-
-The alternative to this would be to define an additional interface for
-the optional func, leaving the `RestoreItemAction` interface alone.
-```
-type RestoreItemActionReadyCheck interface {
-	// AreAdditionalItemsReady allows the ItemAction to communicate whether the passed-in 
-	// slice of AdditionalItems (previously returned by Execute())
-	// are ready. Returns true if all items are ready, and false otherwise
-	AreAdditionalItemsReady(restore *api.Restore, AdditionalItems []ResourceIdentifier) (bool, error)
+// WithItemsWait returns RestoreItemActionExecuteOutput with WaitForAdditionalItems set to true.
+func (r *RestoreItemActionExecuteOutput) WithItemsWait()
+) *RestoreItemActionExecuteOutput {
+	r.WaitForAdditionalItems = true
+	return r
 }
 
 ```
-In this case, existing plugins which do not need this functionality
-can remain as-is, while plugins which want to make use of this
-functionality will just need to implement the optional func. With the
-optional interface approach, `itemsAvailable` will only wait if the
-plugin can be type-asserted to the new interface:
+
+## New design iteration (Feb 2021)
+
+In starting the implementation based on the originally approved
+design, I've run into an unexpected snag. When adding the wait func
+pointer to the `RestoreItemActionExecuteOutput` struct, I had
+forgotten about the protocol buffer message format that's used for
+passing args to the plugin methods. Funcs are predefined RPC calls
+with autogenerated go code, so we can't just pass a regular golang
+func pointer in the struct. I've modified the above design to instead
+use an explicit `AreAdditionalItemsReady` func. Since this will break
+backwards compatibility with current `RestoreItemAction` plugins,
+implementation of this feature should wait until Velero plugin
+versioning, as described in
+https://github.com/vmware-tanzu/velero/issues/3285 is
+implemented. With plugin versioning in place, existing (non-versioned
+or 1.0-versioned) `RestoreItemAction` plugins which do not define
+`AreAdditionalItemsReady` would be able to coexist with a
+to-be-implemented `RestoreItemAction` plugin version 2.0 (or 1.1,
+etc.) which defines this new interface method. Without plugin
+versioning, implementing this feature would break all existing plugins
+until they define `AreAdditionalItemsReady`.
+
+Also note that when moving to the new plugin version, the vast
+majority of plugins will probably not need to wait for additional
+items. All they will need to do to react to this plugin interface
+change would be to define the following in the plugin:
+
 ```
-	if actionWithReadyCheck, ok := action.(RestoreItemActionReadyCheck); ok {
-		// wait for ready/timeout
-	} else {
-		return true, nil
-	}
+func AreAdditionalItemsReady (restore *api.Restore, additionalItems []ResourceIdentifier) (bool, string) {
+	return true, ""
+}
 ```
 
+As long as they never set `WaitForAdditionalItems` to true, this
+function won't be called anyway, but if it is called, there will be no
+waiting, since it will always return true.

go.mod

@@ -1,46 +1,47 @@
 module github.com/vmware-tanzu/velero
 
-go 1.15
+go 1.16
 
 require (
 	github.com/Azure/azure-sdk-for-go v42.0.0+incompatible
-	github.com/Azure/go-autorest/autorest v0.9.6
-	github.com/Azure/go-autorest/autorest/azure/auth v0.4.2
+	github.com/Azure/go-autorest/autorest v0.11.21
+	github.com/Azure/go-autorest/autorest/azure/auth v0.5.8
 	github.com/Azure/go-autorest/autorest/to v0.3.0
 	github.com/Azure/go-autorest/autorest/validation v0.2.0 // indirect
 	github.com/aws/aws-sdk-go v1.28.2
-	github.com/docker/spdystream v0.0.0-20170912183627-bc6354cbbc29 // indirect
-	github.com/evanphx/json-patch v4.9.0+incompatible
-	github.com/fatih/color v1.10.0
+	github.com/evanphx/json-patch v4.11.0+incompatible
+	github.com/fatih/color v1.13.0
 	github.com/gobwas/glob v0.2.3
 	github.com/gofrs/uuid v3.2.0+incompatible
-	github.com/golang/protobuf v1.4.2
+	github.com/golang/protobuf v1.5.2
 	github.com/google/uuid v1.1.2
-	github.com/hashicorp/go-hclog v0.0.0-20180709165350-ff2cf002a8dd
+	github.com/hashicorp/go-hclog v0.12.0
 	github.com/hashicorp/go-plugin v0.0.0-20190610192547-a1bc61569a26
 	github.com/joho/godotenv v1.3.0
 	github.com/kubernetes-csi/external-snapshotter/client/v4 v4.0.0
-	github.com/onsi/ginkgo v1.15.2
-	github.com/onsi/gomega v1.10.2
+	github.com/onsi/ginkgo v1.16.4
+	github.com/onsi/gomega v1.16.0
 	github.com/pkg/errors v0.9.1
-	github.com/prometheus/client_golang v1.7.1
+	github.com/prometheus/client_golang v1.11.0
 	github.com/robfig/cron v1.1.0
-	github.com/sirupsen/logrus v1.6.0
-	github.com/spf13/afero v1.2.2
-	github.com/spf13/cobra v1.1.1
+	github.com/sirupsen/logrus v1.8.1
+	github.com/spf13/afero v1.6.0
+	github.com/spf13/cobra v1.2.1
 	github.com/spf13/pflag v1.0.5
-	github.com/stretchr/testify v1.5.1
-	golang.org/x/mod v0.3.0
-	golang.org/x/net v0.0.0-20201110031124-69a78807bb2b
-	google.golang.org/genproto v0.0.0-20200731012542-8145dea6a485 // indirect
-	google.golang.org/grpc v1.31.0
-	google.golang.org/protobuf v1.25.0 // indirect
-	k8s.io/api v0.19.7
-	k8s.io/apiextensions-apiserver v0.19.7
-	k8s.io/apimachinery v0.19.7
-	k8s.io/cli-runtime v0.19.7
-	k8s.io/client-go v0.19.7
+	github.com/stretchr/testify v1.7.0
+	github.com/vmware-tanzu/crash-diagnostics v0.3.7
+	golang.org/x/mod v0.4.2
+	golang.org/x/net v0.0.0-20210520170846-37e1c6afe023
+	google.golang.org/grpc v1.40.0
+	k8s.io/api v0.22.2
+	k8s.io/apiextensions-apiserver v0.22.2
+	k8s.io/apimachinery v0.22.2
+	k8s.io/cli-runtime v0.22.2
+	k8s.io/client-go v0.22.2
 	k8s.io/klog v1.0.0
-	sigs.k8s.io/cluster-api v0.3.11-0.20210106212952-b6c1b5b3db3d
-	sigs.k8s.io/controller-runtime v0.7.1-0.20201215171748-096b2e07c091
+	k8s.io/kube-aggregator v0.19.12
+	sigs.k8s.io/cluster-api v1.0.0
+	sigs.k8s.io/controller-runtime v0.10.2
 )
+
+replace github.com/gogo/protobuf => github.com/gogo/protobuf v1.3.2

hack/build-image/Dockerfile

@@ -12,7 +12,7 @@
 # See the License for the specific language governing permissions and
 # limitations under the License.
 
-FROM golang:1.15
+FROM golang:1.16
 
 ARG GOPROXY
 

hack/build.sh

@@ -41,6 +41,11 @@ if [[ -z "${VERSION}" ]]; then
     exit 1
 fi
 
+if [[ -z "${REGISTRY}" ]]; then
+    echo "REGISTRY must be set"
+    exit 1
+fi
+
 if [[ -z "${GIT_SHA}" ]]; then
     echo "GIT_SHA must be set"
     exit 1
@@ -59,6 +64,7 @@ fi
 export CGO_ENABLED=0
 
 LDFLAGS="-X ${PKG}/pkg/buildinfo.Version=${VERSION}"
+LDFLAGS="${LDFLAGS} -X ${PKG}/pkg/buildinfo.ImageRegistry=${REGISTRY}"
 LDFLAGS="${LDFLAGS} -X ${PKG}/pkg/buildinfo.GitSHA=${GIT_SHA}"
 LDFLAGS="${LDFLAGS} -X ${PKG}/pkg/buildinfo.GitTreeState=${GIT_TREE_STATE}"
 

hack/crd-gen/v1/main.go

@@ -0,0 +1,136 @@
+/*
+Copyright the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// This code embeds the CRD manifests in config/crd/v1/bases in
+// config/crd/v1/crds/crds.go.
+
+package main
+
+import (
+	"bytes"
+	"compress/gzip"
+	"fmt"
+	"io"
+	"io/ioutil"
+	"log"
+	"os"
+	"text/template"
+)
+
+// This is relative to config/crd/crds
+const goHeaderFile = "../../../../hack/boilerplate.go.txt"
+
+const tpl = `{{.GoHeader}}
+// Code generated by crds_generate.go; DO NOT EDIT.
+
+package crds
+
+import (
+	"bytes"
+	"compress/gzip"
+	"io/ioutil"
+
+	apiextinstall "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/install"
+	apiextv1 "k8s.io/apiextensions-apiserver/pkg/apis/apiextensions/v1"
+	"k8s.io/client-go/kubernetes/scheme"
+)
+
+var rawCRDs = [][]byte{
+{{- range .RawCRDs }}
+	[]byte({{ . }}),
+{{- end }}
+}
+
+var CRDs = crds()
+
+func crds() []*apiextv1.CustomResourceDefinition {
+	apiextinstall.Install(scheme.Scheme)
+	decode := scheme.Codecs.UniversalDeserializer().Decode
+	var objs []*apiextv1.CustomResourceDefinition
+	for _, crd := range rawCRDs {
+		gzr, err := gzip.NewReader(bytes.NewReader(crd))
+		if err != nil {
+			panic(err)
+		}
+		bytes, err := ioutil.ReadAll(gzr)
+		if err != nil {
+			panic(err)
+		}
+		gzr.Close()
+
+		obj, _, err := decode(bytes, nil, nil)
+		if err != nil {
+			panic(err)
+		}
+		objs = append(objs, obj.(*apiextv1.CustomResourceDefinition))
+	}
+	return objs
+}
+`
+
+type templateData struct {
+	GoHeader string
+	RawCRDs  []string
+}
+
+func main() {
+	headerBytes, err := ioutil.ReadFile(goHeaderFile)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	data := templateData{
+		GoHeader: string(headerBytes),
+	}
+
+	// This is relative to config/crd/crds
+	manifests, err := ioutil.ReadDir("../bases")
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	for _, crd := range manifests {
+		file, err := os.Open("../bases/" + crd.Name())
+		if err != nil {
+			log.Fatalln(err)
+		}
+
+		// gzip compress manifest
+		var buf bytes.Buffer
+		gzw := gzip.NewWriter(&buf)
+		if _, err := io.Copy(gzw, file); err != nil {
+			log.Fatalln(err)
+		}
+		file.Close()
+		gzw.Close()
+
+		data.RawCRDs = append(data.RawCRDs, fmt.Sprintf("%q", buf.Bytes()))
+	}
+
+	t, err := template.New("crd").Parse(tpl)
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	out, err := os.Create("crds.go")
+	if err != nil {
+		log.Fatalln(err)
+	}
+
+	if err := t.Execute(out, data); err != nil {
+		log.Fatalln(err)
+	}
+}

hack/crd-gen/v1beta1/main.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2019 the Velero contributors.
+Copyright the Velero contributors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -14,8 +14,8 @@ See the License for the specific language governing permissions and
 limitations under the License.
 */
 
-// This code embeds the CRD manifests in config/crd/bases in
-// config/crd/crds/crds.go.
+// This code embeds the CRD manifests in config/crd/v1beta1/bases in
+// config/crd/v1beta1/crds/crds.go.
 
 package main
 
@@ -31,7 +31,7 @@ import (
 )
 
 // This is relative to config/crd/crds
-const goHeaderFile = "../../../hack/boilerplate.go.txt"
+const goHeaderFile = "../../../../hack/boilerplate.go.txt"
 
 const tpl = `{{.GoHeader}}
 // Code generated by crds_generate.go; DO NOT EDIT.

hack/docker-push.sh

@@ -91,6 +91,9 @@ echo "BUILDX_PLATFORMS: $BUILDX_PLATFORMS"
 
 echo "Building and pushing container images."
 
+# The use of "registry" as the buildx output type below instructs
+# Docker to push the image
+
 VERSION="$VERSION" \
 TAG_LATEST="$TAG_LATEST" \
 BUILDX_PLATFORMS="$BUILDX_PLATFORMS" \

hack/release-tools/goreleaser.sh

@@ -29,6 +29,11 @@ if [ -z "${RELEASE_NOTES_FILE}" ]; then
     exit 1
 fi
 
+if [ -z "${REGISTRY}" ]; then
+    echo "REGISTRY must be set"
+    exit 1
+fi
+
 GIT_DIRTY=$(git status --porcelain 2> /dev/null)
 if [[ -z "${GIT_DIRTY}" ]]; then
     export GIT_TREE_STATE=clean

hack/release-tools/tag-release.sh

@@ -89,18 +89,31 @@ fi
 # Since we're past the validation of the VELERO_VERSION, parse the version's individual components.
 eval $(go run $DIR/chk_version.go)
 
-
 printf "To clarify, you've provided a version string of $VELERO_VERSION.\n"
 printf "Based on this, the following assumptions have been made: \n"
 
-[[ "$VELERO_PATCH" != 0 ]] && printf "*\t This is a patch release.\n"
+# $VELERO_PATCH gets populated by the chk_version.go scrip that parses and verifies the given version format
+# If we've got a patch release, we assume the tag is on release branch.
+if [[ "$VELERO_PATCH" != 0 ]]; then
+    printf "*\t This is a patch release.\n"
+    ON_RELEASE_BRANCH=TRUE
+fi
 
-# $VELERO_PRERELEASE gets populated by the chk_version.go script that parses and verifies the given version format 
+# $VELERO_PRERELEASE gets populated by the chk_version.go script that parses and verifies the given version format
+# If we've got a GA release, we assume the tag is on release branch.
 # -n is "string is non-empty"
 [[ -n $VELERO_PRERELEASE ]] && printf "*\t This is a pre-release.\n"
 
 # -z is "string is empty"
-[[ -z $VELERO_PRERELEASE ]] && printf "*\t This is a GA release.\n"
+if [[ -z $VELERO_PRERELEASE ]]; then
+    printf "*\t This is a GA release.\n"
+    ON_RELEASE_BRANCH=TRUE
+fi
+
+if [[ "$ON_RELEASE_BRANCH" == "TRUE" ]]; then
+   release_branch_name=release-$VELERO_MAJOR.$VELERO_MINOR
+   printf "*\t The commit to tag is on branch: %s.  Please make sure this branch has been created.\n" $release_branch_name
+fi
 
 if [[ $publish == "TRUE" ]]; then
     echo "If this is all correct, press enter/return to proceed to TAG THE RELEASE and UPLOAD THE TAG TO GITHUB."
@@ -117,55 +130,29 @@ echo "Alright, let's go."
 echo "Pulling down all git tags and branches before doing any work."
 git fetch "$remote" --tags
 
-# $VELERO_PATCH gets populated by the chk_version.go scrip that parses and verifies the given version format 
-# If we've got a patch release, we'll need to create a release branch for it.
-if [[ "$VELERO_PATCH" > 0 ]]; then
-    release_branch_name=release-$VELERO_MAJOR.$VELERO_MINOR
+if [[ -n $release_branch_name ]]; then
+    # Tag on release branch
     remote_release_branch_name="$remote/$release_branch_name"
 
     # Determine whether the local and remote release branches already exist
     local_branch=$(git branch | grep "$release_branch_name")
     remote_branch=$(git branch -r | grep "$remote_release_branch_name")
-
-    if [[ -n $remote_branch ]]; then
-      if [[ -z $local_branch ]]; then
+    if [[ -z $remote_branch ]]; then
+        echo "The branch $remote_release_branch_name must be created before you tag the release."
+        exit 1
+    fi
+    if [[ -z $local_branch ]]; then
         # Remote branch exists, but does not exist locally. Checkout and track the remote branch.
         git checkout --track "$remote_release_branch_name"
-      else
+    else
         # Checkout the local release branch and ensure it is up to date with the remote
         git checkout "$release_branch_name"
         git pull --set-upstream "$remote" "$release_branch_name"
-      fi
-    else
-      if [[ -z $local_branch ]]; then
-        # Neither the remote or local release branch exists, create it
-        git checkout -b $release_branch_name
-      else
-        # The local branch exists so check it out.
-        git checkout $release_branch_name
-      fi
     fi
-
-    echo "Now you'll need to cherry-pick any relevant git commits into this release branch."
-    echo "Either pause this script with ctrl-z, or open a new terminal window and do the cherry-picking."
-    if [[ $publish == "TRUE" ]]; then
-        read -p "Press enter when you're done cherry-picking. THIS WILL MAKE A TAG PUSH THE BRANCH TO $remote"
-    else
-        read -p "Press enter when you're done cherry-picking."
-    fi
-
-    # TODO can/should we add a way to review the cherry-picked commits before the push?
-
-    if [[ $publish == "TRUE" ]]; then
-        echo "Pushing $release_branch_name to \"$remote\" remote"
-        git push --set-upstream "$remote" $release_branch_name
-    fi
-
     tag_and_push
 else
     echo "Checking out $remote/main."
     git checkout "$remote"/main
-
     tag_and_push
 fi
 

hack/restore-crd-patch-v1.json

@@ -0,0 +1,3 @@
+[
+    { "op": "replace", "path": "/spec/versions/0/schema/openAPIV3Schema/properties/spec/properties/hooks/properties/resources/items/properties/postHooks/items/properties/init/properties/initContainers/items/properties/ports/items/required", "value": [ "containerPort", "protocol"] }
+]

hack/test.sh

@@ -38,5 +38,10 @@ if [[ -n "${GOFLAGS:-}" ]]; then
   echo "GOFLAGS: ${GOFLAGS}"
 fi
 
-go test -installsuffix "static" -short -timeout 60s "${TARGETS[@]}" 
+# After bumping up "sigs.k8s.io/controller-runtime" to v0.10.2, get the error "panic: mkdir /.cache/kubebuilder-envtest: permission denied"
+# when running this script with "make test" command. This is caused by that "make test" runs inside a container with user and group specified,
+# but the user and group don't exist inside the container, when the code(https://github.com/kubernetes-sigs/controller-runtime/blob/v0.10.2/pkg/internal/testing/addr/manager.go#L44)
+# tries to get the cache directory, it gets the directory "/" and then get the permission error when trying to create directory under "/".
+# Specifying the cache directory by environment variable "XDG_CACHE_HOME" to workaround it
+XDG_CACHE_HOME=/tmp/ go test -installsuffix "static" -short -timeout 60s "${TARGETS[@]}"
 echo "Success!"

hack/update-generated-crd-code.sh

@@ -1,6 +1,6 @@
 #!/bin/bash
 #
-# Copyright 2017 the Velero contributors.
+# Copyright the Velero contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -44,20 +44,24 @@ ${GOPATH}/src/k8s.io/code-generator/generate-groups.sh \
   --output-base ../../.. \
   $@
 
-# Generate manifests e.g. CRD, RBAC etc.
-controller-gen \
-  crd:crdVersions=v1beta1,preserveUnknownFields=false,trivialVersions=true \
-  paths=./pkg/apis/velero/v1/... \
-  paths=./pkg/controller/... \
-  output:crd:artifacts:config=config/crd/bases
+# Generate both apiextensions.k8s.io/v1beta1 and apiextensions.k8s.io/v1
+for version in v1beta1 v1
+do
+  # Generate manifests e.g. CRD, RBAC etc.
+  controller-gen \
+    crd:crdVersions=$version,preserveUnknownFields=false,trivialVersions=true \
+    paths=./pkg/apis/velero/v1/... \
+    paths=./pkg/controller/... \
+    output:crd:artifacts:config=config/crd/$version/bases
 
-# this is a super hacky workaround for https://github.com/kubernetes/kubernetes/issues/91395
-# which a result of fixing the validation on CRD objects. The validation ensures the fields that are list map keys, are either marked
-# as required or have default values to ensure merging of list map items work as expected.
-# With "containerPort" and "protocol" being considered as x-kubernetes-list-map-keys in the container ports, and "protocol" was not
-# a required field, the CRD would fail validation with errors similar to the one reported in https://github.com/kubernetes/kubernetes/issues/91395.
-# once controller-gen (above) is able to generate CRDs with `protocol` as a required field, this hack can be removed.
-kubectl patch -f config/crd/bases/velero.io_restores.yaml -p "$(cat hack/restore-crd-patch.json)" --type=json --local=true  -o yaml > /tmp/velero.io_restores-yaml.patched
-mv /tmp/velero.io_restores-yaml.patched config/crd/bases/velero.io_restores.yaml
+  # this is a super hacky workaround for https://github.com/kubernetes/kubernetes/issues/91395
+  # which a result of fixing the validation on CRD objects. The validation ensures the fields that are list map keys, are either marked
+  # as required or have default values to ensure merging of list map items work as expected.
+  # With "containerPort" and "protocol" being considered as x-kubernetes-list-map-keys in the container ports, and "protocol" was not
+  # a required field, the CRD would fail validation with errors similar to the one reported in https://github.com/kubernetes/kubernetes/issues/91395.
+  # once controller-gen (above) is able to generate CRDs with `protocol` as a required field, this hack can be removed.
+  kubectl patch -f config/crd/$version/bases/velero.io_restores.yaml -p "$(cat hack/restore-crd-patch-$version.json)" --type=json --local=true -o yaml > /tmp/velero.io_restores-yaml.patched
+  mv /tmp/velero.io_restores-yaml.patched config/crd/$version/bases/velero.io_restores.yaml
 
-go generate ./config/crd/crds
+  go generate ./config/crd/$version/crds
+done

hack/verify-generated-crd-code.sh

@@ -1,6 +1,6 @@
 #!/bin/bash -e
 #
-# Copyright 2017 the Velero contributors.
+# Copyright the Velero contributors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
@@ -19,11 +19,14 @@ HACK_DIR=$(dirname "${BASH_SOURCE}")
 ${HACK_DIR}/update-generated-crd-code.sh --verify-only
 
 # ensure no changes to generated CRDs
-if ! git diff --exit-code config/crd/crds/crds.go >/dev/null; then
-  # revert changes to state before running CRD generation to stay consistent
-  # with code-generator `--verify-only` option which discards generated changes
-  git checkout config/crd
+for version in v1beta1 v1
+do
+  if ! git diff --exit-code config/crd/$version/crds/crds.go >/dev/null; then
+    # revert changes to state before running CRD generation to stay consistent
+    # with code-generator `--verify-only` option which discards generated changes
+    git checkout config/crd
 
-  echo "CRD verification - failed! Generated CRDs are out-of-date, please run 'make update' and 'git add' the generated file(s)."
-  exit 1
-fi
+    echo "CRD verification - failed! Generated CRDs are out-of-date, please run 'make update' and 'git add' the generated file(s)."
+    exit 1
+  fi
+done

internal/delete/delete_item_action_handler.go

@@ -29,6 +29,7 @@ import (
 	"github.com/vmware-tanzu/velero/pkg/archive"
 	"github.com/vmware-tanzu/velero/pkg/discovery"
 	"github.com/vmware-tanzu/velero/pkg/plugin/velero"
+	deleteactionitemv2 "github.com/vmware-tanzu/velero/pkg/plugin/velero/deleteitemaction/v2"
 	"github.com/vmware-tanzu/velero/pkg/util/collections"
 	"github.com/vmware-tanzu/velero/pkg/util/filesystem"
 )
@@ -37,7 +38,7 @@ import (
 type Context struct {
 	Backup          *velerov1api.Backup
 	BackupReader    io.Reader
-	Actions         []velero.DeleteItemAction
+	Actions         []deleteactionitemv2.DeleteItemAction
 	Filesystem      filesystem.Interface
 	Log             logrus.FieldLogger
 	DiscoveryHelper discovery.Helper
@@ -68,6 +69,10 @@ func InvokeDeleteActions(ctx *Context) error {
 	ctx.Log.Debugf("Downloaded and extracted the backup file to: %s", dir)
 
 	backupResources, err := archive.NewParser(ctx.Log, ctx.Filesystem).Parse(dir)
+	if err != nil {
+		return errors.Wrapf(err, "error parsing backup %q", dir)
+	}
+
 	processdResources := sets.NewString()
 
 	ctx.Log.Debugf("Trying to reconcile resource names with Kube API server.")
@@ -159,7 +164,7 @@ func (ctx *Context) getApplicableActions(groupResource schema.GroupResource, nam
 
 // resolvedActions are DeleteItemActions decorated with resource/namespace include/exclude collections, as well as label selectors for easy comparison.
 type resolvedAction struct {
-	velero.DeleteItemAction
+	deleteactionitemv2.DeleteItemAction
 
 	resourceIncludesExcludes  *collections.IncludesExcludes
 	namespaceIncludesExcludes *collections.IncludesExcludes
@@ -167,7 +172,7 @@ type resolvedAction struct {
 }
 
 // resolveActions resolves the AppliesTo ResourceSelectors of DeleteItemActions plugins against the Kubernetes discovery API for fully-qualified names.
-func resolveActions(actions []velero.DeleteItemAction, helper discovery.Helper) ([]resolvedAction, error) {
+func resolveActions(actions []deleteactionitemv2.DeleteItemAction, helper discovery.Helper) ([]resolvedAction, error) {
 	var resolved []resolvedAction
 
 	for _, action := range actions {

internal/storage/storagelocation.go

@@ -53,7 +53,7 @@ func IsReadyToValidate(bslValidationFrequency *metav1.Duration, lastValidationTi
 	}
 
 	if validationFrequency < 0 {
-		log.Debugf("Validation period must be non-negative, changing from %d to %d", validationFrequency, validationFrequency)
+		log.Debugf("Validation period must be non-negative, changing from %d to %d", validationFrequency, serverValidationFrequency)
 		validationFrequency = serverValidationFrequency
 	}
 

internal/velero/images.go

@@ -0,0 +1,51 @@
+/*
+Copyright the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package velero
+
+import (
+	"fmt"
+
+	"github.com/vmware-tanzu/velero/pkg/buildinfo"
+)
+
+// Use Dockerhub as the default registry if the build process didn't supply a registry
+func imageRegistry() string {
+	if buildinfo.ImageRegistry == "" {
+		return "velero"
+	}
+	return buildinfo.ImageRegistry
+}
+
+// ImageTag returns the image tag that should be used by Velero images.
+// It uses the Version from the buildinfo or "latest" if the build process didn't supply a version.
+func ImageTag() string {
+	if buildinfo.Version == "" {
+		return "latest"
+	}
+	return buildinfo.Version
+}
+
+// DefaultVeleroImage returns the default container image to use for this version of Velero.
+func DefaultVeleroImage() string {
+	return fmt.Sprintf("%s/%s:%s", imageRegistry(), "velero", ImageTag())
+}
+
+// DefaultResticRestoreHelperImage returns the default container image to use for the restic restore helper
+// for this version of Velero.
+func DefaultResticRestoreHelperImage() string {
+	return fmt.Sprintf("%s/%s:%s", imageRegistry(), "velero-restic-restore-helper", ImageTag())
+}

internal/velero/images_test.go

@@ -0,0 +1,140 @@
+/*
+Copyright the Velero contributors.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package velero
+
+import (
+	"fmt"
+	"testing"
+
+	"github.com/stretchr/testify/assert"
+
+	"github.com/vmware-tanzu/velero/pkg/buildinfo"
+)
+
+func TestImageTag(t *testing.T) {
+	testCases := []struct {
+		name             string
+		buildInfoVersion string
+		want             string
+	}{
+		{
+			name: "tag is latest when buildinfo.Version is empty",
+			want: "latest",
+		},
+		{
+			name:             "tag is buildinfo.Version when not empty",
+			buildInfoVersion: "custom-build-version",
+			want:             "custom-build-version",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			originalVersion := buildinfo.Version
+			buildinfo.Version = tc.buildInfoVersion
+			defer func() {
+				buildinfo.Version = originalVersion
+			}()
+
+			assert.Equal(t, tc.want, ImageTag())
+		})
+	}
+}
+
+func TestImageRegistry(t *testing.T) {
+	testCases := []struct {
+		name              string
+		buildInfoRegistry string
+		want              string
+	}{
+		{
+			name: "registry is velero when buildinfo.ImageRegistry is empty",
+			want: "velero",
+		},
+		{
+			name:              "registry is buildinfo.ImageRegistry when not empty",
+			buildInfoRegistry: "custom-build-image-registry",
+			want:              "custom-build-image-registry",
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			originalImageRegistry := buildinfo.ImageRegistry
+			buildinfo.ImageRegistry = tc.buildInfoRegistry
+			defer func() {
+				buildinfo.ImageRegistry = originalImageRegistry
+			}()
+
+			assert.Equal(t, tc.want, imageRegistry())
+		})
+	}
+}
+
+func testDefaultImage(t *testing.T, defaultImageFn func() string, imageName string) {
+	testCases := []struct {
+		name              string
+		buildInfoVersion  string
+		buildInfoRegistry string
+		want              string
+	}{
+		{
+			name: "image uses velero as registry and latest as tag when buildinfo.ImageRegistry and buildinfo.Version are empty",
+			want: fmt.Sprintf("velero/%s:latest", imageName),
+		},
+		{
+			name:              "image uses buildinfo.ImageRegistry as registry when not empty",
+			buildInfoRegistry: "custom-build-image-registry",
+			want:              fmt.Sprintf("custom-build-image-registry/%s:latest", imageName),
+		},
+		{
+			name:             "image uses buildinfo.Version as tag when not empty",
+			buildInfoVersion: "custom-build-version",
+			want:             fmt.Sprintf("velero/%s:custom-build-version", imageName),
+		},
+		{
+			name:              "image uses both buildinfo.ImageRegistry and buildinfo.Version when not empty",
+			buildInfoRegistry: "custom-build-image-registry",
+			buildInfoVersion:  "custom-build-version",
+			want:              fmt.Sprintf("custom-build-image-registry/%s:custom-build-version", imageName),
+		},
+	}
+
+	for _, tc := range testCases {
+		t.Run(tc.name, func(t *testing.T) {
+			originalImageRegistry := buildinfo.ImageRegistry
+			originalVersion := buildinfo.Version
+			buildinfo.ImageRegistry = tc.buildInfoRegistry
+			buildinfo.Version = tc.buildInfoVersion
+			defer func() {
+				buildinfo.ImageRegistry = originalImageRegistry
+				buildinfo.Version = originalVersion
+			}()
+
+			assert.Equal(t, tc.want, defaultImageFn())
+		})
+	}
+
+}
+
+func TestDefaultVeleroImage(t *testing.T) {
+	testDefaultImage(t, DefaultVeleroImage, "velero")
+}
+
+func TestDefaultResticRestoreHelperImage(t *testing.T) {
+	testDefaultImage(t, DefaultResticRestoreHelperImage, "velero-restic-restore-helper")
+}

pkg/apis/velero/v1/backup.go

@@ -20,8 +20,14 @@ import (
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 )
 
+type Metadata struct {
+	Labels map[string]string `json:"labels,omitempty"`
+}
+
 // BackupSpec defines the specification for a Velero backup.
 type BackupSpec struct {
+	// +optional
+	Metadata `json:"metadata,omitempty"`
 	// IncludedNamespaces is a slice of namespace names to include objects
 	// from. If empty, all namespaces are included.
 	// +optional
@@ -207,6 +213,17 @@ const (
 	// BackupPhaseInProgress means the backup is currently executing.
 	BackupPhaseInProgress BackupPhase = "InProgress"
 
+	// BackupPhaseUploading means the backups of Kubernetes resources
+	// and creation of snapshots was successful and snapshot data
+	// is currently uploading.  The backup is not usable yet.
+	BackupPhaseUploading BackupPhase = "Uploading"
+
+	// BackupPhaseUploadingPartialFailure means the backup of Kubernetes
+	// resources and creation of snapshots partially failed (final phase
+	// will be PartiallyFailed) and snapshot data is currently uploading.
+	// The backup is not usable yet.
+	BackupPhaseUploadingPartialFailure BackupPhase = "UploadingPartialFailure"
+
 	// BackupPhaseCompleted means the backup has run successfully without
 	// errors.
 	BackupPhaseCompleted BackupPhase = "Completed"

pkg/apis/velero/v1/zz_generated.deepcopy.go

@@ -205,6 +205,7 @@ func (in *BackupResourceHookSpec) DeepCopy() *BackupResourceHookSpec {
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *BackupSpec) DeepCopyInto(out *BackupSpec) {
 	*out = *in
+	in.Metadata.DeepCopyInto(&out.Metadata)
 	if in.IncludedNamespaces != nil {
 		in, out := &in.IncludedNamespaces, &out.IncludedNamespaces
 		*out = make([]string, len(*in))
@@ -715,6 +716,29 @@ func (in *InitRestoreHook) DeepCopy() *InitRestoreHook {
 	return out
 }
 
+// DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
+func (in *Metadata) DeepCopyInto(out *Metadata) {
+	*out = *in
+	if in.Labels != nil {
+		in, out := &in.Labels, &out.Labels
+		*out = make(map[string]string, len(*in))
+		for key, val := range *in {
+			(*out)[key] = val
+		}
+	}
+	return
+}
+
+// DeepCopy is an autogenerated deepcopy function, copying the receiver, creating a new Metadata.
+func (in *Metadata) DeepCopy() *Metadata {
+	if in == nil {
+		return nil
+	}
+	out := new(Metadata)
+	in.DeepCopyInto(out)
+	return out
+}
+
 // DeepCopyInto is an autogenerated deepcopy function, copying the receiver, writing into out. in must be non-nil.
 func (in *ObjectStorageLocation) DeepCopyInto(out *ObjectStorageLocation) {
 	*out = *in

pkg/backup/backup.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 the Velero contributors.
+Copyright the Velero contributors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -44,7 +44,8 @@ import (
 	"github.com/vmware-tanzu/velero/pkg/discovery"
 	velerov1client "github.com/vmware-tanzu/velero/pkg/generated/clientset/versioned/typed/velero/v1"
 	"github.com/vmware-tanzu/velero/pkg/kuberesource"
-	"github.com/vmware-tanzu/velero/pkg/plugin/velero"
+	backupitemactionv2 "github.com/vmware-tanzu/velero/pkg/plugin/velero/backupitemaction/v2"
+	volumesnapshotterv2 "github.com/vmware-tanzu/velero/pkg/plugin/velero/volumesnapshotter/v2"
 	"github.com/vmware-tanzu/velero/pkg/podexec"
 	"github.com/vmware-tanzu/velero/pkg/restic"
 	"github.com/vmware-tanzu/velero/pkg/util/collections"
@@ -61,7 +62,8 @@ const BackupFormatVersion = "1.1.0"
 type Backupper interface {
 	// Backup takes a backup using the specification in the velerov1api.Backup and writes backup and log data
 	// to the given writers.
-	Backup(logger logrus.FieldLogger, backup *Request, backupFile io.Writer, actions []velero.BackupItemAction, volumeSnapshotterGetter VolumeSnapshotterGetter) error
+	Backup(logger logrus.FieldLogger, backup *Request, backupFile io.Writer,
+		actions []backupitemactionv2.BackupItemAction, volumeSnapshotterGetter VolumeSnapshotterGetter) error
 }
 
 // kubernetesBackupper implements Backupper.
@@ -73,10 +75,11 @@ type kubernetesBackupper struct {
 	resticBackupperFactory restic.BackupperFactory
 	resticTimeout          time.Duration
 	defaultVolumesToRestic bool
+	clientPageSize         int
 }
 
 type resolvedAction struct {
-	velero.BackupItemAction
+	backupitemactionv2.BackupItemAction
 
 	resourceIncludesExcludes  *collections.IncludesExcludes
 	namespaceIncludesExcludes *collections.IncludesExcludes
@@ -106,6 +109,7 @@ func NewKubernetesBackupper(
 	resticBackupperFactory restic.BackupperFactory,
 	resticTimeout time.Duration,
 	defaultVolumesToRestic bool,
+	clientPageSize int,
 ) (Backupper, error) {
 	return &kubernetesBackupper{
 		backupClient:           backupClient,
@@ -115,10 +119,11 @@ func NewKubernetesBackupper(
 		resticBackupperFactory: resticBackupperFactory,
 		resticTimeout:          resticTimeout,
 		defaultVolumesToRestic: defaultVolumesToRestic,
+		clientPageSize:         clientPageSize,
 	}, nil
 }
 
-func resolveActions(actions []velero.BackupItemAction, helper discovery.Helper) ([]resolvedAction, error) {
+func resolveActions(actions []backupitemactionv2.BackupItemAction, helper discovery.Helper) ([]resolvedAction, error) {
 	var resolved []resolvedAction
 
 	for _, action := range actions {
@@ -194,7 +199,7 @@ func getResourceHook(hookSpec velerov1api.BackupResourceHookSpec, discoveryHelpe
 }
 
 type VolumeSnapshotterGetter interface {
-	GetVolumeSnapshotter(name string) (velero.VolumeSnapshotter, error)
+	GetVolumeSnapshotter(name string) (volumesnapshotterv2.VolumeSnapshotter, error)
 }
 
 // Backup backs up the items specified in the Backup, placing them in a gzip-compressed tar file
@@ -202,7 +207,8 @@ type VolumeSnapshotterGetter interface {
 // a complete backup failure is returned. Errors that constitute partial failures (i.e. failures to
 // back up individual resources that don't prevent the backup from continuing to be processed) are logged
 // to the backup log.
-func (kb *kubernetesBackupper) Backup(log logrus.FieldLogger, backupRequest *Request, backupFile io.Writer, actions []velero.BackupItemAction, volumeSnapshotterGetter VolumeSnapshotterGetter) error {
+func (kb *kubernetesBackupper) Backup(log logrus.FieldLogger, backupRequest *Request, backupFile io.Writer,
+	actions []backupitemactionv2.BackupItemAction, volumeSnapshotterGetter VolumeSnapshotterGetter) error {
 	gzippedData := gzip.NewWriter(backupFile)
 	defer gzippedData.Close()
 
@@ -272,6 +278,7 @@ func (kb *kubernetesBackupper) Backup(log logrus.FieldLogger, backupRequest *Req
 		dynamicFactory:        kb.dynamicFactory,
 		cohabitatingResources: cohabitatingResources(),
 		dir:                   tempDir,
+		pageSize:              kb.clientPageSize,
 	}
 
 	items := collector.getAllItems()

pkg/backup/backup_test.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 the Velero contributors.
+Copyright the Velero contributors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -47,6 +47,7 @@ import (
 	"github.com/vmware-tanzu/velero/pkg/discovery"
 	"github.com/vmware-tanzu/velero/pkg/kuberesource"
 	"github.com/vmware-tanzu/velero/pkg/plugin/velero"
+	backupitemactionv2 "github.com/vmware-tanzu/velero/pkg/plugin/velero/backupitemaction/v2"
 	"github.com/vmware-tanzu/velero/pkg/restic"
 	"github.com/vmware-tanzu/velero/pkg/test"
 	testutil "github.com/vmware-tanzu/velero/pkg/test"
@@ -767,9 +768,9 @@ func TestCRDInclusion(t *testing.T) {
 				Result(),
 			apiResources: []*test.APIResource{
 				test.CRDs(
-					builder.ForCustomResourceDefinition("backups.velero.io").Result(),
-					builder.ForCustomResourceDefinition("volumesnapshotlocations.velero.io").Result(),
-					builder.ForCustomResourceDefinition("test.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("backups.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("volumesnapshotlocations.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("test.velero.io").Result(),
 				),
 				test.VSLs(
 					builder.ForVolumeSnapshotLocation("foo", "vsl-1").Result(),
@@ -793,9 +794,9 @@ func TestCRDInclusion(t *testing.T) {
 				Result(),
 			apiResources: []*test.APIResource{
 				test.CRDs(
-					builder.ForCustomResourceDefinition("backups.velero.io").Result(),
-					builder.ForCustomResourceDefinition("volumesnapshotlocations.velero.io").Result(),
-					builder.ForCustomResourceDefinition("test.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("backups.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("volumesnapshotlocations.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("test.velero.io").Result(),
 				),
 				test.VSLs(
 					builder.ForVolumeSnapshotLocation("foo", "vsl-1").Result(),
@@ -813,9 +814,9 @@ func TestCRDInclusion(t *testing.T) {
 				Result(),
 			apiResources: []*test.APIResource{
 				test.CRDs(
-					builder.ForCustomResourceDefinition("backups.velero.io").Result(),
-					builder.ForCustomResourceDefinition("volumesnapshotlocations.velero.io").Result(),
-					builder.ForCustomResourceDefinition("test.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("backups.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("volumesnapshotlocations.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("test.velero.io").Result(),
 				),
 				test.VSLs(
 					builder.ForVolumeSnapshotLocation("foo", "vsl-1").Result(),
@@ -839,9 +840,9 @@ func TestCRDInclusion(t *testing.T) {
 				Result(),
 			apiResources: []*test.APIResource{
 				test.CRDs(
-					builder.ForCustomResourceDefinition("backups.velero.io").Result(),
-					builder.ForCustomResourceDefinition("volumesnapshotlocations.velero.io").Result(),
-					builder.ForCustomResourceDefinition("test.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("backups.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("volumesnapshotlocations.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("test.velero.io").Result(),
 				),
 				test.VSLs(
 					builder.ForVolumeSnapshotLocation("foo", "vsl-1").Result(),
@@ -862,9 +863,9 @@ func TestCRDInclusion(t *testing.T) {
 				Result(),
 			apiResources: []*test.APIResource{
 				test.CRDs(
-					builder.ForCustomResourceDefinition("backups.velero.io").Result(),
-					builder.ForCustomResourceDefinition("volumesnapshotlocations.velero.io").Result(),
-					builder.ForCustomResourceDefinition("test.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("backups.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("volumesnapshotlocations.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("test.velero.io").Result(),
 				),
 				test.VSLs(
 					builder.ForVolumeSnapshotLocation("foo", "vsl-1").Result(),
@@ -883,9 +884,9 @@ func TestCRDInclusion(t *testing.T) {
 				Result(),
 			apiResources: []*test.APIResource{
 				test.CRDs(
-					builder.ForCustomResourceDefinition("backups.velero.io").Result(),
-					builder.ForCustomResourceDefinition("volumesnapshotlocations.velero.io").Result(),
-					builder.ForCustomResourceDefinition("test.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("backups.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("volumesnapshotlocations.velero.io").Result(),
+					builder.ForCustomResourceDefinitionV1Beta1("test.velero.io").Result(),
 				),
 				test.VSLs(
 					builder.ForVolumeSnapshotLocation("foo", "vsl-1").Result(),
@@ -970,6 +971,30 @@ func TestBackupResourceCohabitation(t *testing.T) {
 				"resources/deployments.apps/v1-preferredversion/namespaces/zoo/raz.json",
 			},
 		},
+		{
+			name:   "when deployments exist that are not in the cohabitating groups those are backed up along with apps/deployments",
+			backup: defaultBackup().Result(),
+			apiResources: []*test.APIResource{
+				test.VeleroDeployments(
+					builder.ForTestCR("Deployment", "foo", "bar").Result(),
+					builder.ForTestCR("Deployment", "zoo", "raz").Result(),
+				),
+				test.Deployments(
+					builder.ForDeployment("foo", "bar").Result(),
+					builder.ForDeployment("zoo", "raz").Result(),
+				),
+			},
+			want: []string{
+				"resources/deployments.apps/namespaces/foo/bar.json",
+				"resources/deployments.apps/namespaces/zoo/raz.json",
+				"resources/deployments.apps/v1-preferredversion/namespaces/foo/bar.json",
+				"resources/deployments.apps/v1-preferredversion/namespaces/zoo/raz.json",
+				"resources/deployments.velero.io/namespaces/foo/bar.json",
+				"resources/deployments.velero.io/namespaces/zoo/raz.json",
+				"resources/deployments.velero.io/v1-preferredversion/namespaces/foo/bar.json",
+				"resources/deployments.velero.io/v1-preferredversion/namespaces/zoo/raz.json",
+			},
+		},
 	}
 
 	for _, tc := range tests {
@@ -1307,7 +1332,7 @@ func TestBackupActionsRunForCorrectItems(t *testing.T) {
 				h.addItems(t, resource)
 			}
 
-			actions := []velero.BackupItemAction{}
+			actions := []backupitemactionv2.BackupItemAction{}
 			for action := range tc.actions {
 				actions = append(actions, action)
 			}
@@ -1333,7 +1358,7 @@ func TestBackupWithInvalidActions(t *testing.T) {
 		name         string
 		backup       *velerov1.Backup
 		apiResources []*test.APIResource
-		actions      []velero.BackupItemAction
+		actions      []backupitemactionv2.BackupItemAction
 	}{
 		{
 			name: "action with invalid label selector results in an error",
@@ -1349,7 +1374,7 @@ func TestBackupWithInvalidActions(t *testing.T) {
 					builder.ForPersistentVolume("baz").Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				new(recordResourcesAction).ForLabelSelector("=invalid-selector"),
 			},
 		},
@@ -1367,7 +1392,7 @@ func TestBackupWithInvalidActions(t *testing.T) {
 					builder.ForPersistentVolume("baz").Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				&appliesToErrorAction{},
 			},
 		},
@@ -1429,7 +1454,7 @@ func TestBackupActionModifications(t *testing.T) {
 		name         string
 		backup       *velerov1.Backup
 		apiResources []*test.APIResource
-		actions      []velero.BackupItemAction
+		actions      []backupitemactionv2.BackupItemAction
 		want         map[string]unstructuredObject
 	}{
 		{
@@ -1440,7 +1465,7 @@ func TestBackupActionModifications(t *testing.T) {
 					builder.ForPod("ns-1", "pod-1").Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				modifyingActionGetter(func(item *unstructured.Unstructured) {
 					item.SetLabels(map[string]string{"updated": "true"})
 				}),
@@ -1457,7 +1482,7 @@ func TestBackupActionModifications(t *testing.T) {
 					builder.ForPod("ns-1", "pod-1").ObjectMeta(builder.WithLabels("should-be-removed", "true")).Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				modifyingActionGetter(func(item *unstructured.Unstructured) {
 					item.SetLabels(nil)
 				}),
@@ -1474,7 +1499,7 @@ func TestBackupActionModifications(t *testing.T) {
 					builder.ForPod("ns-1", "pod-1").Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				modifyingActionGetter(func(item *unstructured.Unstructured) {
 					item.Object["spec"].(map[string]interface{})["nodeName"] = "foo"
 				}),
@@ -1492,7 +1517,7 @@ func TestBackupActionModifications(t *testing.T) {
 					builder.ForPod("ns-1", "pod-1").Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				modifyingActionGetter(func(item *unstructured.Unstructured) {
 					item.SetName(item.GetName() + "-updated")
 					item.SetNamespace(item.GetNamespace() + "-updated")
@@ -1533,7 +1558,7 @@ func TestBackupActionAdditionalItems(t *testing.T) {
 		name         string
 		backup       *velerov1.Backup
 		apiResources []*test.APIResource
-		actions      []velero.BackupItemAction
+		actions      []backupitemactionv2.BackupItemAction
 		want         []string
 	}{
 		{
@@ -1546,7 +1571,7 @@ func TestBackupActionAdditionalItems(t *testing.T) {
 					builder.ForPod("ns-3", "pod-3").Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				&pluggableAction{
 					selector: velero.ResourceSelector{IncludedNamespaces: []string{"ns-1"}},
 					executeFunc: func(item runtime.Unstructured, backup *velerov1.Backup) (runtime.Unstructured, []velero.ResourceIdentifier, error) {
@@ -1578,7 +1603,7 @@ func TestBackupActionAdditionalItems(t *testing.T) {
 					builder.ForPod("ns-3", "pod-3").Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				&pluggableAction{
 					executeFunc: func(item runtime.Unstructured, backup *velerov1.Backup) (runtime.Unstructured, []velero.ResourceIdentifier, error) {
 						additionalItems := []velero.ResourceIdentifier{
@@ -1608,7 +1633,7 @@ func TestBackupActionAdditionalItems(t *testing.T) {
 					builder.ForPersistentVolume("pv-2").Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				&pluggableAction{
 					executeFunc: func(item runtime.Unstructured, backup *velerov1.Backup) (runtime.Unstructured, []velero.ResourceIdentifier, error) {
 						additionalItems := []velero.ResourceIdentifier{
@@ -1641,7 +1666,7 @@ func TestBackupActionAdditionalItems(t *testing.T) {
 					builder.ForPersistentVolume("pv-2").Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				&pluggableAction{
 					executeFunc: func(item runtime.Unstructured, backup *velerov1.Backup) (runtime.Unstructured, []velero.ResourceIdentifier, error) {
 						additionalItems := []velero.ResourceIdentifier{
@@ -1671,7 +1696,7 @@ func TestBackupActionAdditionalItems(t *testing.T) {
 					builder.ForPersistentVolume("pv-2").Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				&pluggableAction{
 					executeFunc: func(item runtime.Unstructured, backup *velerov1.Backup) (runtime.Unstructured, []velero.ResourceIdentifier, error) {
 						additionalItems := []velero.ResourceIdentifier{
@@ -1702,7 +1727,7 @@ func TestBackupActionAdditionalItems(t *testing.T) {
 					builder.ForPersistentVolume("pv-2").Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				&pluggableAction{
 					executeFunc: func(item runtime.Unstructured, backup *velerov1.Backup) (runtime.Unstructured, []velero.ResourceIdentifier, error) {
 						additionalItems := []velero.ResourceIdentifier{
@@ -1732,7 +1757,7 @@ func TestBackupActionAdditionalItems(t *testing.T) {
 					builder.ForPod("ns-3", "pod-3").Result(),
 				),
 			},
-			actions: []velero.BackupItemAction{
+			actions: []backupitemactionv2.BackupItemAction{
 				&pluggableAction{
 					selector: velero.ResourceSelector{IncludedNamespaces: []string{"ns-1"}},
 					executeFunc: func(item runtime.Unstructured, backup *velerov1.Backup) (runtime.Unstructured, []velero.ResourceIdentifier, error) {

pkg/backup/item_backupper.go

@@ -39,7 +39,7 @@ import (
 	"github.com/vmware-tanzu/velero/pkg/client"
 	"github.com/vmware-tanzu/velero/pkg/discovery"
 	"github.com/vmware-tanzu/velero/pkg/kuberesource"
-	"github.com/vmware-tanzu/velero/pkg/plugin/velero"
+	volumesnapshotterv2 "github.com/vmware-tanzu/velero/pkg/plugin/velero/volumesnapshotter/v2"
 	"github.com/vmware-tanzu/velero/pkg/restic"
 	"github.com/vmware-tanzu/velero/pkg/util/boolptr"
 	"github.com/vmware-tanzu/velero/pkg/volume"
@@ -56,7 +56,7 @@ type itemBackupper struct {
 	volumeSnapshotterGetter VolumeSnapshotterGetter
 
 	itemHookHandler                    hook.ItemHookHandler
-	snapshotLocationVolumeSnapshotters map[string]velero.VolumeSnapshotter
+	snapshotLocationVolumeSnapshotters map[string]volumesnapshotterv2.VolumeSnapshotter
 }
 
 // backupItem backs up an individual item to tarWriter. The item may be excluded based on the
@@ -367,7 +367,8 @@ func (ib *itemBackupper) executeActions(
 
 // volumeSnapshotter instantiates and initializes a VolumeSnapshotter given a VolumeSnapshotLocation,
 // or returns an existing one if one's already been initialized for the location.
-func (ib *itemBackupper) volumeSnapshotter(snapshotLocation *velerov1api.VolumeSnapshotLocation) (velero.VolumeSnapshotter, error) {
+func (ib *itemBackupper) volumeSnapshotter(snapshotLocation *velerov1api.VolumeSnapshotLocation) (
+	volumesnapshotterv2.VolumeSnapshotter, error) {
 	if bs, ok := ib.snapshotLocationVolumeSnapshotters[snapshotLocation.Name]; ok {
 		return bs, nil
 	}
@@ -382,7 +383,7 @@ func (ib *itemBackupper) volumeSnapshotter(snapshotLocation *velerov1api.VolumeS
 	}
 
 	if ib.snapshotLocationVolumeSnapshotters == nil {
-		ib.snapshotLocationVolumeSnapshotters = make(map[string]velero.VolumeSnapshotter)
+		ib.snapshotLocationVolumeSnapshotters = make(map[string]volumesnapshotterv2.VolumeSnapshotter)
 	}
 	ib.snapshotLocationVolumeSnapshotters[snapshotLocation.Name] = bs
 
@@ -438,7 +439,7 @@ func (ib *itemBackupper) takePVSnapshot(obj runtime.Unstructured, log logrus.Fie
 
 	var (
 		volumeID, location string
-		volumeSnapshotter  velero.VolumeSnapshotter
+		volumeSnapshotter  volumesnapshotterv2.VolumeSnapshotter
 	)
 
 	for _, snapshotLocation := range ib.backupRequest.SnapshotLocations {

pkg/backup/item_collector.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 the Velero contributors.
+Copyright the Velero contributors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -17,6 +17,7 @@ limitations under the License.
 package backup
 
 import (
+	"context"
 	"encoding/json"
 	"fmt"
 	"io/ioutil"
@@ -25,10 +26,13 @@ import (
 
 	"github.com/pkg/errors"
 	"github.com/sirupsen/logrus"
+	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
 	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
 	"k8s.io/apimachinery/pkg/labels"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
+	"k8s.io/client-go/tools/pager"
 
 	"github.com/vmware-tanzu/velero/pkg/client"
 	"github.com/vmware-tanzu/velero/pkg/discovery"
@@ -45,6 +49,7 @@ type itemCollector struct {
 	dynamicFactory        client.DynamicFactory
 	cohabitatingResources map[string]*cohabitatingResource
 	dir                   string
+	pageSize              int
 }
 
 type kubernetesResource struct {
@@ -204,16 +209,18 @@ func (r *itemCollector) getResourceItems(log logrus.FieldLogger, gv schema.Group
 	}
 
 	if cohabitator, found := r.cohabitatingResources[resource.Name]; found {
-		if cohabitator.seen {
-			log.WithFields(
-				logrus.Fields{
-					"cohabitatingResource1": cohabitator.groupResource1.String(),
-					"cohabitatingResource2": cohabitator.groupResource2.String(),
-				},
-			).Infof("Skipping resource because it cohabitates and we've already processed it")
-			return nil, nil
+		if gv.Group == cohabitator.groupResource1.Group || gv.Group == cohabitator.groupResource2.Group {
+			if cohabitator.seen {
+				log.WithFields(
+					logrus.Fields{
+						"cohabitatingResource1": cohabitator.groupResource1.String(),
+						"cohabitatingResource2": cohabitator.groupResource2.String(),
+					},
+				).Infof("Skipping resource because it cohabitates and we've already processed it")
+				return nil, nil
+			}
+			cohabitator.seen = true
 		}
-		cohabitator.seen = true
 	}
 
 	namespacesToList := getNamespacesToList(r.backupRequest.NamespaceIncludesExcludes)
@@ -275,6 +282,7 @@ func (r *itemCollector) getResourceItems(log logrus.FieldLogger, gv schema.Group
 	var items []*kubernetesResource
 
 	for _, namespace := range namespacesToList {
+		// List items from Kubernetes API
 		log = log.WithField("namespace", namespace)
 
 		resourceClient, err := r.dynamicFactory.ClientForGroupVersionResource(gv, resource, namespace)
@@ -287,18 +295,65 @@ func (r *itemCollector) getResourceItems(log logrus.FieldLogger, gv schema.Group
 		if selector := r.backupRequest.Spec.LabelSelector; selector != nil {
 			labelSelector = metav1.FormatLabelSelector(selector)
 		}
+		listOptions := metav1.ListOptions{LabelSelector: labelSelector}
 
 		log.Info("Listing items")
-		unstructuredList, err := resourceClient.List(metav1.ListOptions{LabelSelector: labelSelector})
-		if err != nil {
-			log.WithError(errors.WithStack(err)).Error("Error listing items")
-			continue
-		}
-		log.Infof("Retrieved %d items", len(unstructuredList.Items))
+		unstructuredItems := make([]unstructured.Unstructured, 0)
 
-		// collect the items
-		for i := range unstructuredList.Items {
-			item := &unstructuredList.Items[i]
+		if r.pageSize > 0 {
+			// If limit is positive, use a pager to split list over multiple requests
+			// Use Velero's dynamic list function instead of the default
+			listFunc := pager.SimplePageFunc(func(opts metav1.ListOptions) (runtime.Object, error) {
+				list, err := resourceClient.List(listOptions)
+				if err != nil {
+					return nil, err
+				}
+				return list, nil
+			})
+			listPager := pager.New(listFunc)
+			// Use the page size defined in the server config
+			// TODO allow configuration of page buffer size
+			listPager.PageSize = int64(r.pageSize)
+			// Add each item to temporary slice
+			var items []unstructured.Unstructured
+			err := listPager.EachListItem(context.Background(), listOptions, func(object runtime.Object) error {
+				item, isUnstructured := object.(*unstructured.Unstructured)
+				if !isUnstructured {
+					// We should never hit this
+					log.Error("Got type other than Unstructured from pager func")
+					return nil
+				}
+				items = append(items, *item)
+				return nil
+			})
+			if statusError, isStatusError := err.(*apierrors.StatusError); isStatusError && statusError.Status().Reason == metav1.StatusReasonExpired {
+				log.WithError(errors.WithStack(err)).Error("Error paging item list. Falling back on unpaginated list")
+				unstructuredList, err := resourceClient.List(listOptions)
+				if err != nil {
+					log.WithError(errors.WithStack(err)).Error("Error listing items")
+					continue
+				}
+				items = unstructuredList.Items
+			} else if err != nil {
+				log.WithError(errors.WithStack(err)).Error("Error paging item list")
+				continue
+			}
+			unstructuredItems = append(unstructuredItems, items...)
+		} else {
+			// If limit is not positive, do not use paging. Instead, request all items at once
+			unstructuredList, err := resourceClient.List(metav1.ListOptions{LabelSelector: labelSelector})
+			unstructuredItems = append(unstructuredItems, unstructuredList.Items...)
+			if err != nil {
+				log.WithError(errors.WithStack(err)).Error("Error listing items")
+				continue
+			}
+		}
+
+		log.Infof("Retrieved %d items", len(unstructuredItems))
+
+		// Collect items in included Namespaces
+		for i := range unstructuredItems {
+			item := &unstructuredItems[i]
 
 			if gr == kuberesource.Namespaces && !r.backupRequest.NamespaceIncludesExcludes.ShouldInclude(item.GetName()) {
 				log.WithField("name", item.GetName()).Info("Skipping namespace because it's excluded")

pkg/backup/remap_crd_version_action_test.go

@@ -1,5 +1,5 @@
 /*
-Copyright 2020 the Velero contributors.
+Copyright the Velero contributors.
 
 Licensed under the Apache License, Version 2.0 (the "License");
 you may not use this file except in compliance with the License.
@@ -44,7 +44,7 @@ func TestRemapCRDVersionAction(t *testing.T) {
 
 	// build a v1beta1 CRD with the same name and add it to the fake client that the plugin is going to call.
 	// keep the same one for all 3 tests, since there's little value in recreating it
-	b := builder.ForCustomResourceDefinition("test.velero.io")
+	b := builder.ForCustomResourceDefinitionV1Beta1("test.velero.io")
 	c := b.Result()
 	_, err := betaClient.Create(context.TODO(), c, metav1.CreateOptions{})
 	require.NoError(t, err)