Apply ResourceModifier rules during restore finalization for dynamic PVs

Fixes velero-io#9358. For FSB/CSI restores, PVs are dynamically provisioned after
the initial restore phase. The restore finalizer patches these PVs with
labels from the backup, but ResourceModifier rules were never applied
during this phase — leaving users unable to modify PV labels for
cross-cloud migrations or zone mismatch scenarios.

Load ResourceModifier rules from the restore spec's ConfigMap reference
in the finalizer controller and apply them to PVs after setting backup
labels but before patching. On failure, log a warning and fall through
to the original behavior.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Signed-off-by: Joseph <jvaikath@redhat.com>

Author: Joeavaikath

pkg/controller/restore_finalizer_controller.go

@@ -19,6 +19,7 @@ package controller
 import (
 	"context"
 	"fmt"
+	"strings"
 	"sync"
 	"time"
 
@@ -30,13 +31,16 @@ import (
 	storagev1api "k8s.io/api/storage/v1"
 	apierrors "k8s.io/apimachinery/pkg/api/errors"
 	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+	"k8s.io/apimachinery/pkg/apis/meta/v1/unstructured"
+	"k8s.io/apimachinery/pkg/runtime"
 	"k8s.io/apimachinery/pkg/runtime/schema"
 	"k8s.io/apimachinery/pkg/util/wait"
 	"k8s.io/utils/clock"
 	ctrl "sigs.k8s.io/controller-runtime"
 	"sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/vmware-tanzu/velero/internal/hook"
+	"github.com/vmware-tanzu/velero/internal/resourcemodifiers"
 	"github.com/vmware-tanzu/velero/internal/volume"
 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	"github.com/vmware-tanzu/velero/pkg/constant"
@@ -167,14 +171,32 @@ func (r *restoreFinalizerReconciler) Reconcile(ctx context.Context, req ctrl.Req
 		return ctrl.Result{}, errors.Wrap(err, "error getting itemOperationList")
 	}
 
+	var resModifiers *resourcemodifiers.ResourceModifiers
+	if restore.Spec.ResourceModifier != nil && strings.EqualFold(restore.Spec.ResourceModifier.Kind, resourcemodifiers.ConfigmapRefType) {
+		cm := &corev1api.ConfigMap{}
+		if err := r.crClient.Get(ctx, client.ObjectKey{Namespace: restore.Namespace, Name: restore.Spec.ResourceModifier.Name}, cm); err != nil {
+			log.WithError(err).Warnf("failed to get resource modifier configmap %s/%s, proceeding without resource modifiers", restore.Namespace, restore.Spec.ResourceModifier.Name)
+		} else {
+			resModifiers, err = resourcemodifiers.GetResourceModifiersFromConfig(cm)
+			if err != nil {
+				log.WithError(err).Warn("failed to parse resource modifier rules, proceeding without resource modifiers")
+				resModifiers = nil
+			} else if err = resModifiers.Validate(); err != nil {
+				log.WithError(err).Warn("resource modifier validation failed, proceeding without resource modifiers")
+				resModifiers = nil
+			}
+		}
+	}
+
 	finalizerCtx := &finalizerContext{
-		logger:           log,
-		restore:          restore,
-		crClient:         r.crClient,
-		volumeInfo:       volumeInfo,
-		restoredPVCList:  restoredPVCList,
-		multiHookTracker: r.multiHookTracker,
-		resourceTimeout:  r.resourceTimeout,
+		logger:            log,
+		restore:           restore,
+		crClient:          r.crClient,
+		volumeInfo:        volumeInfo,
+		restoredPVCList:   restoredPVCList,
+		multiHookTracker:  r.multiHookTracker,
+		resourceTimeout:   r.resourceTimeout,
+		resourceModifiers: resModifiers,
 		restoreItemOperationList: restoreItemOperationList{
 			items: restoreItemOperations,
 		},
@@ -292,6 +314,7 @@ type finalizerContext struct {
 	restoreItemOperationList restoreItemOperationList
 	multiHookTracker         *hook.MultiHookTracker
 	resourceTimeout          time.Duration
+	resourceModifiers        *resourcemodifiers.ResourceModifiers
 }
 
 func (ctx *finalizerContext) execute() (results.Result, results.Result) {
@@ -423,6 +446,13 @@ func (ctx *finalizerContext) patchDynamicPVWithVolumeInfo() (errs results.Result
 						updatedPV := pv.DeepCopy()
 						updatedPV.Labels = volInfo.PVInfo.Labels
 						updatedPV.Spec.PersistentVolumeReclaimPolicy = corev1api.PersistentVolumeReclaimPolicy(volInfo.PVInfo.ReclaimPolicy)
+
+						if ctx.resourceModifiers != nil {
+							if err := ctx.applyResourceModifiersToPV(updatedPV, log); err != nil {
+								log.WithError(err).Warn("failed to apply resource modifier rules to PV, patching without modifications")
+							}
+						}
+
 						if err := kubeutil.PatchResource(pv, updatedPV, ctx.crClient); err != nil {
 							return false, err
 						}
@@ -565,6 +595,25 @@ func needPatch(newPV *corev1api.PersistentVolume, pvInfo *volume.PVInfo) bool {
 	return false
 }
 
+func (ctx *finalizerContext) applyResourceModifiersToPV(pv *corev1api.PersistentVolume, log logrus.FieldLogger) error {
+	pvMap, err := runtime.DefaultUnstructuredConverter.ToUnstructured(pv)
+	if err != nil {
+		return errors.Wrap(err, "failed to convert PV to unstructured")
+	}
+	obj := &unstructured.Unstructured{Object: pvMap}
+	obj.SetAPIVersion("v1")
+	obj.SetKind("PersistentVolume")
+
+	if errList := ctx.resourceModifiers.ApplyResourceModifierRules(obj, "persistentvolumes", ctx.crClient.Scheme(), log); len(errList) > 0 {
+		return fmt.Errorf("resource modifier rule errors: %v", errList)
+	}
+
+	if err := runtime.DefaultUnstructuredConverter.FromUnstructured(obj.Object, pv); err != nil {
+		return errors.Wrap(err, "failed to convert unstructured back to PV")
+	}
+	return nil
+}
+
 // WaitRestoreExecHook waits for restore exec hooks to finish then update the hook execution results
 func (ctx *finalizerContext) WaitRestoreExecHook() (errs results.Result) {
 	log := ctx.logger.WithField("restore", ctx.restore.Name)

pkg/controller/restore_finalizer_controller_test.go

@@ -37,6 +37,7 @@ import (
 	crclient "sigs.k8s.io/controller-runtime/pkg/client"
 
 	"github.com/vmware-tanzu/velero/internal/hook"
+	"github.com/vmware-tanzu/velero/internal/resourcemodifiers"
 	"github.com/vmware-tanzu/velero/internal/volume"
 	velerov1api "github.com/vmware-tanzu/velero/pkg/apis/velero/v1"
 	"github.com/vmware-tanzu/velero/pkg/builder"
@@ -221,14 +222,15 @@ func TestUpdateResult(t *testing.T) {
 
 func TestPatchDynamicPVWithVolumeInfo(t *testing.T) {
 	tests := []struct {
-		name             string
-		volumeInfo       []*volume.BackupVolumeInfo
-		restoredPVCNames map[string]struct{}
-		restore          *velerov1api.Restore
-		restoredPVC      []*corev1api.PersistentVolumeClaim
-		restoredPV       []*corev1api.PersistentVolume
-		expectedPatch    map[string]volume.PVInfo
-		expectedErrNum   int
+		name              string
+		volumeInfo        []*volume.BackupVolumeInfo
+		restoredPVCNames  map[string]struct{}
+		restore           *velerov1api.Restore
+		restoredPVC       []*corev1api.PersistentVolumeClaim
+		restoredPV        []*corev1api.PersistentVolume
+		resourceModifiers *resourcemodifiers.ResourceModifiers
+		expectedPatch     map[string]volume.PVInfo
+		expectedErrNum    int
 	}{
 		{
 			name:           "no applicable volumeInfo",
@@ -429,6 +431,89 @@ func TestPatchDynamicPVWithVolumeInfo(t *testing.T) {
 			},
 			expectedErrNum: 1,
 		},
+		{
+			name: "resource modifier removes a label",
+			volumeInfo: []*volume.BackupVolumeInfo{{
+				BackupMethod: "PodVolumeBackup",
+				PVCName:      "pvc1",
+				PVName:       "pv1",
+				PVCNamespace: "ns1",
+				PVInfo: &volume.PVInfo{
+					ReclaimPolicy: string(corev1api.PersistentVolumeReclaimDelete),
+					Labels:        map[string]string{"label1": "label1-val", "zone": "us-east-1a"},
+				},
+			}},
+			restore:          builder.ForRestore(velerov1api.DefaultNamespace, "restore").Result(),
+			restoredPVCNames: map[string]struct{}{"ns1/pvc1": {}},
+			restoredPV: []*corev1api.PersistentVolume{
+				builder.ForPersistentVolume("new-pv1").ClaimRef("ns1", "pvc1").Phase(corev1api.VolumeBound).ReclaimPolicy(corev1api.PersistentVolumeReclaimRetain).Result()},
+			restoredPVC: []*corev1api.PersistentVolumeClaim{
+				builder.ForPersistentVolumeClaim("ns1", "pvc1").VolumeName("new-pv1").Phase(corev1api.ClaimBound).Result(),
+			},
+			resourceModifiers: &resourcemodifiers.ResourceModifiers{
+				Version: "v1",
+				ResourceModifierRules: []resourcemodifiers.ResourceModifierRule{
+					{
+						Conditions: resourcemodifiers.Conditions{
+							GroupResource: "persistentvolumes",
+						},
+						Patches: []resourcemodifiers.JSONPatch{
+							{
+								Operation: "remove",
+								Path:      "/metadata/labels/zone",
+							},
+						},
+					},
+				},
+			},
+			expectedPatch: map[string]volume.PVInfo{"new-pv1": {
+				ReclaimPolicy: string(corev1api.PersistentVolumeReclaimDelete),
+				Labels:        map[string]string{"label1": "label1-val"},
+			}},
+			expectedErrNum: 0,
+		},
+		{
+			name: "resource modifier replaces a label value",
+			volumeInfo: []*volume.BackupVolumeInfo{{
+				BackupMethod: "CSISnapshot",
+				PVCName:      "pvc1",
+				PVName:       "pv1",
+				PVCNamespace: "ns1",
+				PVInfo: &volume.PVInfo{
+					ReclaimPolicy: string(corev1api.PersistentVolumeReclaimDelete),
+					Labels:        map[string]string{"zone": "us-east-1a"},
+				},
+			}},
+			restore:          builder.ForRestore(velerov1api.DefaultNamespace, "restore").Result(),
+			restoredPVCNames: map[string]struct{}{"ns1/pvc1": {}},
+			restoredPV: []*corev1api.PersistentVolume{
+				builder.ForPersistentVolume("new-pv1").ClaimRef("ns1", "pvc1").Phase(corev1api.VolumeBound).ReclaimPolicy(corev1api.PersistentVolumeReclaimRetain).Result()},
+			restoredPVC: []*corev1api.PersistentVolumeClaim{
+				builder.ForPersistentVolumeClaim("ns1", "pvc1").VolumeName("new-pv1").Phase(corev1api.ClaimBound).Result(),
+			},
+			resourceModifiers: &resourcemodifiers.ResourceModifiers{
+				Version: "v1",
+				ResourceModifierRules: []resourcemodifiers.ResourceModifierRule{
+					{
+						Conditions: resourcemodifiers.Conditions{
+							GroupResource: "persistentvolumes",
+						},
+						Patches: []resourcemodifiers.JSONPatch{
+							{
+								Operation: "replace",
+								Path:      "/metadata/labels/zone",
+								Value:     "eastus-1",
+							},
+						},
+					},
+				},
+			},
+			expectedPatch: map[string]volume.PVInfo{"new-pv1": {
+				ReclaimPolicy: string(corev1api.PersistentVolumeReclaimDelete),
+				Labels:        map[string]string{"zone": "eastus-1"},
+			}},
+			expectedErrNum: 0,
+		},
 	}
 
 	for _, tc := range tests {
@@ -437,11 +522,12 @@ func TestPatchDynamicPVWithVolumeInfo(t *testing.T) {
 			logger     = velerotest.NewLogger()
 		)
 		ctx := &finalizerContext{
-			logger:          logger,
-			crClient:        fakeClient,
-			restore:         tc.restore,
-			restoredPVCList: tc.restoredPVCNames,
-			volumeInfo:      tc.volumeInfo,
+			logger:            logger,
+			crClient:          fakeClient,
+			restore:           tc.restore,
+			restoredPVCList:   tc.restoredPVCNames,
+			volumeInfo:        tc.volumeInfo,
+			resourceModifiers: tc.resourceModifiers,
 		}
 
 		for _, pv := range tc.restoredPV {