OpenShift API for Data Protection / OADP-3960

OADP fails when its namespace name is longer than 37 characters


      Description of problem:

      When installing the OADP Operator in a namespace with more than 37 characters and when creating a new DPA, labeling the "cloud-credentials" Secret fails and the DPA reports the following:

      status:
        conditions:
          - lastTransitionTime: '2024-05-01T11:57:38Z'
            message: 'Secret "cloud-credentials" is invalid: metadata.labels: Invalid value: "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df.dataprotectionapplication": name part must be no more than 63 characters'
            reason: Error
            status: 'False'
            type: Reconciled

      OADP wants to create the "<namespace>.dataprotectionapplication: <name>" label: https://github.com/openshift/oadp-operator/blob/master/docs/design/watches.md

      The generated label name is too long:

      $ str="bak-1b4cafe8-8cd7-40a7-ba23-250d3fac23df.dataprotectionapplication"
      $ echo ${#str}
      66

      The Controller reports this as well:

      1.7145646587150848e+09 ERROR Reconciler error {"controller": "dataprotectionapplication", "controllerGroup": "oadp.openshift.io", "controllerKind": "DataProtectionApplication", "dataProtectionApplication": {"name":"example-dpa","namespace":"backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df"}, "namespace": "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df", "name": "example-dpa", "reconcileID": "7c288371-f356-46c3-8cae-556e18f20988", "error": "Secret \"cloud-credentials\" is invalid: metadata.labels: Invalid value: \"backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df.dataprotectionapplication\": name part must be no more than 63 characters"}
      sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
      /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.2/pkg/internal/controller/controller.go:273
      sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
      /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.2/pkg/internal/controller/controller.go:234

      This limitation should either be documented or the label should be named differently (for example, hash the namespace name). Either OADP uses a compressed version of the namespace name (e.g. hashed) or it must not use the namespace name at all as part of the key.

      A workaround is to install the OADP Operator and DPA in a namespace with fewer than 34 characters.

      Version-Release number of selected component (if applicable):

      OADP Operator 1.3.1 (oadp-operator.v1.3.1)

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create a namespace with more than 37 characters (example uses "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df")
      2. Install the OADP Operator in this namespace
      3. Create the necessary "cloud-credentials" Secret: `oc create secret generic cloud-credentials -n backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df --from-file cloud=credentials-velero`
      4. Create the DPA:
      apiVersion: oadp.openshift.io/v1alpha1
      kind: DataProtectionApplication
      metadata:
        name: example-dpa
        namespace: backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df
      spec:
        configuration:
          velero:
            defaultPlugins:
              - openshift
              - aws
            resourceTimeout: 10m
          nodeAgent:
            enable: true
            uploaderType: kopia
        backupLocations:
          - name: default
            velero:
              provider: aws
              default: true
              objectStorage:
                bucket: skrenger-oadp-example
                prefix: skrenger-bak
              config:
                region: eu-central-1
              credential:
                key: cloud
                name: cloud-credentials
        snapshotLocations:
          - velero:
              provider: aws
              config:
                region: eu-central-1

      Actual results:

      The Operator fails to label the Secret with the above error messages. The DPA fails with:

      status:
        conditions:
          - lastTransitionTime: '2024-05-01T11:57:38Z'
            message: 'Secret "cloud-credentials" is invalid: metadata.labels: Invalid value: "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df.dataprotectionapplication": name part must be no more than 63 characters'
            reason: Error
            status: 'False'
            type: Reconciled

      Expected results:

      Deploying a DPA does not fail in namespaces with more than 34 characters in the name.

      Additional info:

      • Reproduced on 4.14.15
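
The hashing option suggested in the description, as an added example (not OADP's code and not the fix the project adopted): the literal `<namespace>.dataprotectionapplication` key is kept while it fits the 63-character name-part limit, and a hashed namespace is substituted otherwise. The `ns-` prefix, the 32-hex-character truncation and the function names are assumptions made for this sketch.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

const (
	maxLabelNamePart = 63                           // Kubernetes limit quoted in the error message
	dpaLabelSuffix   = ".dataprotectionapplication" // suffix of the label key shown in the report
	hashPrefix       = "ns-"                        // assumption: marks a hashed namespace
	hashHexLen       = 32                           // assumption: 128 bits of SHA-256, hex encoded
)

// MaxNamespaceLen is the longest namespace name whose literal label key
// still fits in the name part of a label key.
func MaxNamespaceLen() int {
	return maxLabelNamePart - len(dpaLabelSuffix)
}

// DPALabelKey returns the label key for a namespace. Short namespaces keep
// the literal form; long ones are replaced by a fixed-length digest so the
// key never exceeds the limit. The bool reports whether hashing was used.
func DPALabelKey(namespace string) (string, bool) {
	key := namespace + dpaLabelSuffix
	if len(key) <= maxLabelNamePart {
		return key, false
	}
	sum := sha256.Sum256([]byte(namespace))
	digest := hex.EncodeToString(sum[:])[:hashHexLen]
	return hashPrefix + digest + dpaLabelSuffix, true
}

func main() {
	// Sample namespaces: the second is the one from the reproduction steps.
	for _, ns := range []string{
		"openshift-adp",
		"backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df",
	} {
		key, hashed := DPALabelKey(ns)
		fmt.Printf("ns=%q (%d chars) literal=%d chars -> key=%q (%d chars, hashed=%v)\n",
			ns, len(ns), len(ns+dpaLabelSuffix), key, len(key), hashed)
	}
	fmt.Println("longest namespace usable without hashing:", MaxNamespaceLen())
}
```

Any watch or lookup that matches Secrets by this label has to derive the key through the same function, since the namespace can no longer be read back out of a hashed key.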

            wnstb Wes Hayutin
            rhn-support-skrenger Simon Krenger
            Prasad Joshi Prasad Joshi