Bug
Resolution: Unresolved
OADP 1.3.1
oadp-operator-bundle-container-1.4.1-3
Description of problem:
When installing the OADP Operator in a namespace with more than 37 characters and when creating a new DPA, labeling the "cloud-credentials" Secret fails and the DPA reports the following:
```
status:
  conditions:
  - lastTransitionTime: '2024-05-01T11:57:38Z'
    message: 'Secret "cloud-credentials" is invalid: metadata.labels: Invalid value: "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df.dataprotectionapplication": name part must be no more than 63 characters'
    reason: Error
    status: 'False'
    type: Reconciled
```
OADP wants to create the "<namespace>.dataprotectionapplication: <name>" label: https://github.com/openshift/oadp-operator/blob/master/docs/design/watches.md
The generated label name is too long:
```
$ str="bak-1b4cafe8-8cd7-40a7-ba23-250d3fac23df.dataprotectionapplication"
$ echo ${#str}
66
```
The Controller reports this as well:
```
1.7145646587150848e+09 ERROR Reconciler error {"controller": "dataprotectionapplication", "controllerGroup": "oadp.openshift.io", "controllerKind": "DataProtectionApplication", "dataProtectionApplication": {"name":"example-dpa","namespace":"backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df"}, "namespace": "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df", "name": "example-dpa", "reconcileID": "7c288371-f356-46c3-8cae-556e18f20988", "error": "Secret \"cloud-credentials\" is invalid: metadata.labels: Invalid value: \"backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df.dataprotectionapplication\": name part must be no more than 63 characters"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.2/pkg/internal/controller/controller.go:273
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.2/pkg/internal/controller/controller.go:234
```
This limitation should either be documented or the label should be named differently (for example, by hashing the namespace name). Either OADP uses a compressed version of the namespace name (e.g. hashed) or it must not use the namespace name at all as part of the key.
A workaround is to install the OADP Operator and DPA in a namespace with fewer than 34 characters.
Version-Release number of selected component (if applicable):
OADP Operator 1.3.1 (oadp-operator.v1.3.1)
How reproducible:
Always
Steps to Reproduce:
- Create a namespace with more than 37 characters (example uses "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df")
- Install the OADP Operator in this namespace
- Create the necessary "cloud-credentials" Secret: `oc create secret generic cloud-credentials -n backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df --from-file cloud=credentials-velero`
- Create the DPA:
```
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: example-dpa
  namespace: backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df
spec:
  configuration:
    velero:
      defaultPlugins:
      - openshift
      - aws
      resourceTimeout: 10m
    nodeAgent:
      enable: true
      uploaderType: kopia
  backupLocations:
  - name: default
    velero:
      provider: aws
      default: true
      objectStorage:
        bucket: skrenger-oadp-example
        prefix: skrenger-bak
      config:
        region: eu-central-1
      credential:
        key: cloud
        name: cloud-credentials
  snapshotLocations:
  - velero:
      provider: aws
      config:
        region: eu-central-1
```
Actual results:
The Operator fails to label the Secret with the above error messages. The DPA fails with:
```
status:
  conditions:
  - lastTransitionTime: '2024-05-01T11:57:38Z'
    message: 'Secret "cloud-credentials" is invalid: metadata.labels: Invalid value: "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df.dataprotectionapplication": name part must be no more than 63 characters'
    reason: Error
    status: 'False'
    type: Reconciled
```
Expected results:
Deploying a DPA does not fail in namespaces with more than 34 characters in the name.
Additional info:
- Reproduced on 4.14.15
Issue links:
- is cloned by: OADP-4211 OADP fails when its namespace name is longer than 37 characters (Closed)
- links to: RHBA-2024:132893 OpenShift API for Data Protection (OADP) 1.4.1 security and bug fix update
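The description proposes hashing the namespace name so the label key stays within the 63-character name limit. The following Go sketch is an added example, not code from the OADP operator: `shortDPALabelKey`, the 8-character hash length and the truncate-plus-hash layout are assumptions made for illustration, and `openshift-adp` is a sample short namespace.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"strings"
)

const (
	maxNameLen = 63                           // Kubernetes limit for the name part of a label key
	dpaSuffix  = ".dataprotectionapplication" // suffix from the error message on this page
	hashLen    = 8                            // hex characters of SHA-256 kept (assumption)
)

// nameTooLong reports whether the name part of a label key (the text after an
// optional "prefix/") exceeds the 63-character limit.
func nameTooLong(key string) bool {
	if i := strings.LastIndex(key, "/"); i >= 0 {
		key = key[i+1:]
	}
	return len(key) > maxNameLen
}

// shortDPALabelKey is a hypothetical helper, not OADP code. Short namespaces
// keep the readable "<namespace>.dataprotectionapplication" key; long ones are
// truncated and given a hash of the full name, so namespaces that share a
// prefix are unlikely to map to the same key.
func shortDPALabelKey(namespace string) string {
	key := namespace + dpaSuffix
	if !nameTooLong(key) {
		return key
	}
	sum := sha256.Sum256([]byte(namespace))
	keep := maxNameLen - len(dpaSuffix) - 1 - hashLen // room left for the namespace prefix
	return namespace[:keep] + "-" + hex.EncodeToString(sum[:])[:hashLen] + dpaSuffix
}

func main() {
	// Sample inputs: a short namespace and the one from the report.
	for _, ns := range []string{"openshift-adp", "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df"} {
		plain, fixed := ns+dpaSuffix, shortDPALabelKey(ns)
		fmt.Printf("%s\n  plain key: %d chars, rejected: %v\n  hashed key: %s (%d chars)\n",
			ns, len(plain), nameTooLong(plain), fixed, len(fixed))
	}
}
```

Any component that selects on this label would have to derive the key with the same function, since the key is no longer a plain concatenation of the namespace name.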