BSL validation should require region when s3Url is set to a non-AWS endpoint

[kaovilai]

Summary

When a BackupStorageLocation uses provider: aws with a custom s3Url pointing to a non-AWS S3-compatible service (e.g., IBM Cloud Object Storage, MinIO, NooBaa), the BSL validation does not reliably require the region field. The DPA is accepted as valid, but Velero subsequently fails to connect.

Problem

The region validation in internal/controller/bsl.go:533-534 currently requires region only when:

1. s3ForcePathStyle is explicitly "true", OR
2. BucketRegionIsDiscoverable(bucket) returns false

if (bslSpec.Config == nil || len(bslSpec.Config[Region]) == 0) &&
    (bslSpec.Config != nil && bslSpec.Config[S3ForcePathStyle] == "true" || !aws.BucketRegionIsDiscoverable(bslSpec.ObjectStorage.Bucket)) {
    return fmt.Errorf("region for AWS backupstoragelocation not automatically discoverable...")
}

BucketRegionIsDiscoverable (pkg/storage/aws/s3.go:20-23) calls AWS's HeadBucket API against s3.us-east-1.amazonaws.com to auto-discover the bucket's region. This is incorrect when s3Url points to a non-AWS endpoint because:

• The bucket may not exist on AWS at all, so discovery fails (validation works by accident)
• A bucket with the same name may exist on AWS, so discovery succeeds with a wrong region — validation passes, but Velero fails to connect to the actual non-AWS endpoint
• The operator is querying AWS infrastructure for region information about a bucket that lives on a completely different service

Context: IBM Cloud Object Storage

Previously, IBM Cloud Object Storage users were required to set s3ForcePathStyle: true, which triggered the first validation branch (requiring region). IBM COS no longer requires s3ForcePathStyle. When users remove s3ForcePathStyle from their config, they lose the guaranteed region validation, and the operator falls through to the unreliable BucketRegionIsDiscoverable check against AWS.

Steps to Reproduce

1. Configure a DPA with provider: aws, a custom s3Url (e.g., IBM COS endpoint), a valid bucket name, but without region and without s3ForcePathStyle
2. DPA validation passes (operator reports the BSL is OK)
3. Velero fails to connect to the storage backend

Expected Behavior

When s3Url is set in BSL config, the operator should require region to be explicitly specified, since auto-discovery via AWS API is not valid for non-AWS S3 endpoints.

Suggested Fix

Add a check in validateAWSBackupStorageLocation that requires region whenever a custom s3Url is configured:

// When s3Url is set, the user is pointing to a non-AWS S3-compatible service.
// Region auto-discovery via AWS API is not valid in this case.
if bslSpec.Config != nil && len(bslSpec.Config[S3URL]) > 0 &&
    (len(bslSpec.Config[Region]) == 0) {
    return fmt.Errorf("region is required when s3Url is set for AWS backupstoragelocation. Region cannot be auto-discovered for non-AWS S3-compatible endpoints")
}

Affected Code

• internal/controller/bsl.go:509-541 — validateAWSBackupStorageLocation()
• pkg/storage/aws/s3.go:20-23 — BucketRegionIsDiscoverable() (calls AWS API regardless of configured endpoint)

Note

Responses generated with Claude