Fix OADP-7562: handle wildcard in scoped excluded cluster resources

mpryc · claude · mpryc · commit 41e638570eff · 2026-03-26T15:24:42.000+01:00
When a user sets excludedClusterScopedResources or
excludedNamespaceScopedResources to '*', skip appending default
resources to avoid Velero FailedValidation.

add VolumeGroupSnapshotLabelKey to enforced backup spec tests
to allow tests passing.

Co-Authored-By: Claude &lt;noreply@anthropic.com&gt;
Signed-off-by: Michal Pryc &lt;mpryc@redhat.com&gt;
diff --git a/internal/controller/nonadminbackup_controller.go b/internal/controller/nonadminbackup_controller.go
@@ -21,6 +21,7 @@ import (
 	"context"
 	"errors"
 	"reflect"
+	"slices"
 
 	"github.com/go-logr/logr"
 	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
@@ -705,11 +706,18 @@ func (r *NonAdminBackupReconciler) createVeleroBackupAndSyncWithNonAdminBackup(c
 
 		if haveNewResourceFilterParameters {
 			// Use the new-style exclusion list
-			backupSpec.ExcludedNamespaceScopedResources = append(backupSpec.ExcludedNamespaceScopedResources,
-				alwaysExcludedNamespacedResources...)
-			backupSpec.ExcludedClusterScopedResources = append(backupSpec.ExcludedClusterScopedResources,
-				alwaysExcludedClusterResources...)
-		} else {
+			// Skip appending when wildcard '*' is already present, as it already
+			// excludes everything and mixing '*' with specific items causes Velero
+			// FailedValidation.
+			if !slices.Contains(backupSpec.ExcludedNamespaceScopedResources, "*") {
+				backupSpec.ExcludedNamespaceScopedResources = append(backupSpec.ExcludedNamespaceScopedResources,
+					alwaysExcludedNamespacedResources...)
+			}
+			if !slices.Contains(backupSpec.ExcludedClusterScopedResources, "*") {
+				backupSpec.ExcludedClusterScopedResources = append(backupSpec.ExcludedClusterScopedResources,
+					alwaysExcludedClusterResources...)
+			}
+		} else if !slices.Contains(backupSpec.ExcludedResources, "*") {
 			// Fallback to the old-style exclusion list
 			backupSpec.ExcludedResources = append(backupSpec.ExcludedResources,
 				alwaysExcludedNamespacedResources...)
diff --git a/internal/controller/nonadminbackup_controller_test.go b/internal/controller/nonadminbackup_controller_test.go
@@ -1546,6 +1546,44 @@ var _ = ginkgo.Describe("Test full reconcile loop of NonAdminBackup Controller",
 			},
 			addSyncLabel: true,
 		}),
+		ginkgo.Entry("Should not append default excluded resources when wildcard is used in excludedClusterScopedResources", nonAdminBackupFullReconcileScenario{
+			spec: nacv1alpha1.NonAdminBackupSpec{
+				BackupSpec: &velerov1.BackupSpec{
+					ExcludedClusterScopedResources:   []string{"*"},
+					IncludedNamespaceScopedResources: []string{"pvc"},
+				},
+			},
+			status: nacv1alpha1.NonAdminBackupStatus{
+				Phase: nacv1alpha1.NonAdminPhaseCreated,
+				VeleroBackup: &nacv1alpha1.VeleroBackup{
+					Namespace: oadpNamespace,
+					Status:    nil,
+					Spec: &velerov1.BackupSpec{
+						ExcludedClusterScopedResources:   []string{"*"},
+						IncludedNamespaceScopedResources: []string{"pvc"},
+						ExcludedNamespaceScopedResources: []string{
+							nacv1alpha1.NonAdminBackups,
+							nacv1alpha1.NonAdminRestores,
+							nacv1alpha1.NonAdminBackupStorageLocations,
+						},
+					},
+				},
+				Conditions: []metav1.Condition{
+					{
+						Type:    "Accepted",
+						Status:  metav1.ConditionTrue,
+						Reason:  "BackupAccepted",
+						Message: "backup accepted",
+					},
+					{
+						Type:    "Queued",
+						Status:  metav1.ConditionTrue,
+						Reason:  "BackupScheduled",
+						Message: "Created Velero Backup object",
+					},
+				},
+			},
+		}),
 	)
 
 	ginkgo.DescribeTable("Reconcile triggered by NonAdminBackup sync event",
diff --git a/internal/controller/nonadminrestore_controller.go b/internal/controller/nonadminrestore_controller.go
@@ -20,6 +20,7 @@ import (
 	"context"
 	"errors"
 	"reflect"
+	"slices"
 
 	"github.com/go-logr/logr"
 	velerov1 "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
@@ -348,8 +349,10 @@ func (r *NonAdminRestoreReconciler) createVeleroRestore(ctx context.Context, log
 			}
 		}
 
-		restoreSpec.ExcludedResources = append(restoreSpec.ExcludedResources,
-			"volumesnapshotclasses")
+		if !slices.Contains(restoreSpec.ExcludedResources, "*") {
+			restoreSpec.ExcludedResources = append(restoreSpec.ExcludedResources,
+				"volumesnapshotclasses")
+		}
 
 		veleroRestore = &velerov1.Restore{
 			ObjectMeta: metav1.ObjectMeta{
