
OADP fails when its namespace name is longer than 37 characters

    • oadp-operator-bundle-container-1.3.3-2

      Description of problem:

      When installing the OADP Operator in a namespace with more than 37 characters and when creating a new DPA, labeling the "cloud-credentials" Secret fails and the DPA reports the following:

      status:
        conditions:
          - lastTransitionTime: '2024-05-01T11:57:38Z'
            message: 'Secret "cloud-credentials" is invalid: metadata.labels: Invalid value: "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df.dataprotectionapplication": name part must be no more than 63 characters'
            reason: Error
            status: 'False'
            type: Reconciled

      OADP wants to create the "<namespace>.dataprotectionapplication: <name>" label: https://github.com/openshift/oadp-operator/blob/master/docs/design/watches.md

      The generated label name is too long:

      $ str="bak-1b4cafe8-8cd7-40a7-ba23-250d3fac23df.dataprotectionapplication"
      $ echo ${#str}
      66

      The Controller reports this as well:

      1.7145646587150848e+09 ERROR Reconciler error {"controller": "dataprotectionapplication", "controllerGroup": "oadp.openshift.io", "controllerKind": "DataProtectionApplication", "dataProtectionApplication": {"name":"example-dpa","namespace":"backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df"}, "namespace": "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df", "name": "example-dpa", "reconcileID": "7c288371-f356-46c3-8cae-556e18f20988", "error": "Secret \"cloud-credentials\" is invalid: metadata.labels: Invalid value: \"backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df.dataprotectionapplication\": name part must be no more than 63 characters"}
      sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
      /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.2/pkg/internal/controller/controller.go:273
      sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
      /remote-source/deps/gomod/pkg/mod/sigs.k8s.io/controller-runtime@v0.12.2/pkg/internal/controller/controller.go:234

      This limitation should either be documented or the label should be named differently (for example, hash the namespace name). Either OADP uses a compressed version of the namespace name (e.g. hashed) or it must not use the namespace name at all as part of the key.

      A workaround is to install the OADP Operator and DPA in a namespace with fewer than 34 characters.

      Version-Release number of selected component (if applicable):

      OADP Operator 1.3.1 (oadp-operator.v1.3.1)

      How reproducible:

      Always

      Steps to Reproduce:

      1. Create a namespace with more than 37 characters (example uses "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df")
      2. Install the OADP Operator in this namespace
      3. Create the necessary "cloud-credentials" Secret: `oc create secret generic cloud-credentials -n backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df --from-file cloud=credentials-velero`
      4. Create the DPA:
      apiVersion: oadp.openshift.io/v1alpha1
      kind: DataProtectionApplication
      metadata:
        name: example-dpa
        namespace: backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df
      spec:
        configuration:
          velero:
            defaultPlugins:
              - openshift
              - aws
            resourceTimeout: 10m
          nodeAgent:
            enable: true
            uploaderType: kopia
        backupLocations:
          - name: default
            velero:
              provider: aws
              default: true
              objectStorage:
                bucket: skrenger-oadp-example
                prefix: skrenger-bak
              config:
                region: eu-central-1
              credential:
                key: cloud
                name: cloud-credentials
        snapshotLocations:
          - velero:
              provider: aws
              config:
                region: eu-central-1

      Actual results:

      The Operator fails to label the Secret with the above error messages. The DPA fails with:

      status:
        conditions:
          - lastTransitionTime: '2024-05-01T11:57:38Z'
            message: 'Secret "cloud-credentials" is invalid: metadata.labels: Invalid value: "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df.dataprotectionapplication": name part must be no more than 63 characters'
            reason: Error
            status: 'False'
            type: Reconciled

      Expected results:

      Deploying a DPA does not fail in namespaces with more than 34 characters in the name.

      Additional info:

      • Reproduced on 4.14.15
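
A pre-flight check for the 63-character limit in the error above, as an added example (not code from the OADP operator or the reporter): it validates the `<namespace>.dataprotectionapplication` key and sketches the two alternatives the report proposes. The `ns-` prefix, the 8-byte SHA-256 truncation, the `dataprotectionapplication.namespace` key and the `openshift-adp` sample namespace are assumptions made for illustration.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"regexp"
)

// Kubernetes caps the name part of a label key, and a label value, at 63 characters.
const maxNameLen = 63

// dpaSuffix is the fixed tail of the key shown in the reported error message.
const dpaSuffix = ".dataprotectionapplication"

var nameRe = regexp.MustCompile(`^[A-Za-z0-9]([-A-Za-z0-9_.]*[A-Za-z0-9])?$`)

// validLabelName checks an unprefixed label key or a non-empty label value.
func validLabelName(s string) bool {
	return len(s) <= maxNameLen && nameRe.MatchString(s)
}

// maxNamespaceLen is the longest namespace whose raw key still fits.
func maxNamespaceLen() int { return maxNameLen - len(dpaSuffix) }

// rawKey builds the "<namespace>.dataprotectionapplication" key from the report.
func rawKey(ns string) string { return ns + dpaSuffix }

// hashedKey (hypothetical scheme) swaps the namespace for a fixed-length
// digest, so the key length no longer depends on the namespace name.
func hashedKey(ns string) string {
	sum := sha256.Sum256([]byte(ns))
	return "ns-" + hex.EncodeToString(sum[:8]) + dpaSuffix
}

// fixedKeyLabels (hypothetical key name) keeps the namespace out of the key;
// a namespace name is itself at most 63 characters, so it fits as a value.
func fixedKeyLabels(ns string) map[string]string {
	return map[string]string{"dataprotectionapplication.namespace": ns}
}

func main() {
	// Constructed samples: a short namespace and the one from the report.
	for _, ns := range []string{"openshift-adp", "backup-1b4cafe8-8cd7-40a7-ba23-250d3fac23df"} {
		k := rawKey(ns)
		fmt.Printf("%-44s raw len=%d valid=%v\n", ns, len(k), validLabelName(k))
		fmt.Printf("%-44s hashed len=%d valid=%v\n", ns, len(hashedKey(ns)), validLabelName(hashedKey(ns)))
	}
}
```

A hashed key is no longer human-readable, so anything that selects on the label has to compute the same digest.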

            [OADP-4211] OADP fails when its namespace name is longer than 37 characters

            Errata Tool added a comment -

            Since the problem described in this issue should be resolved in a recent advisory, it has been closed.

            For information on the advisory (Important: OpenShift API for Data Protection (OADP) 1.3.3 security and bug fix update), and where to find the updated files, follow the link below.

            If the solution does not work for you, open a new bug report.
            https://access.redhat.com/errata/RHSA-2024:4982


            GitLab CEE Bot added a comment -

            CPaaS Service Account mentioned this issue in merge request !551 of rhmt / OADP Midstream on branch OADP-1.3-rhel-9_upstream_ecc93c2b1eb8ba3bcc61de6faaddcdd9:

            Updated US source to: a5da0ea [oadp-1.3] Fix OADP-4211: Split labels avoiding label key exceed allowed 63 chars (#1404)

              wnstb Wes Hayutin
              rhn-support-skrenger Simon Krenger
              Prasad Joshi Prasad Joshi