During backup and restore, a tenant can be duplicated. 

Steps to Reproduce:

1. Create an API Manager using the Operator CRD
2. Create an Tenant using the Operator CRD
3. Backup 3scale using Backup-Procedures 
4. Delete 3scale API Manager + Tenant CRD
5. Restore 3scale using the restoring-operator-based-deployment
   1. Restore secrets
   2. Restore configmaps
6. Create API Manager ( oc apply -f apimanager.yaml ) . This is required since restoring the backup requires 3scale pods should be up and running . Wait until API Manager is created. Tenants are not restored from backup.
7. Restore following the rest of the steps from restoring-operator-based-deployment .  Tenants backed up are restored here.
8. Create  a tenant that was backed up  using tenant CRD  used to create the tenant ( oc apply -f tenant.yaml ) 
9. In the master under the audience, there is a duplicate tenant created. It is not reconciled.

3scale operator check the CR tenant.status to know if it created or not the tenant. The issue is after a fresh reinstall, that status is gone.

Workaround:

During the restore process, patch the status manually: 

apiserver=https://kubernetes.default.svc
serviceaccount=/var/run/secrets/kubernetes.io/serviceaccount
namespace=$(cat ${serviceaccount}/namespace)
token=$(cat ${serviceaccount}/token)
cacert=${serviceaccount}/ca.crt

for x in $(cat tenants.json.gpg | jq -c '.items[] | .'); do
    tenant_name=$(echo $x | jq -r '.metadata.name')
    tenant_status=$(echo $x | jq -c '.status')

    curl -k -s -X PATCH -H "Accept: application/json, /" \
        -H "Content-Type: application/merge-patch+json" \
        ${apiserver}/apis/capabilities.3scale.net/v1alpha1/namespaces/${namespace}/tenants/${tenant_name}/status \
        --data "{\"status\":${tenant_status}}" \
        --cacert ${cacert} \
        --header "Authorization: Bearer ${token}" \
        --fail
done