Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add secret restore item action to handle service account token secret #5843

Merged
merged 1 commit into from
Feb 13, 2023

Conversation

ywk253100
Copy link
Contributor

Add secret restore item action to handle service account token secret:

  1. Skip the restoration for the default service account token secret
  2. Remove several fields for non-default service account token secret to make sure the secret can be restored

Signed-off-by: Wenkai Yin(尹文开) [email protected]

Thank you for contributing to Velero!

Please add a summary of your change

Does your change fix a particular issue?

Fixes #(issue)

Please indicate you've done the following:

  • Accepted the DCO. Commits without the DCO will delay acceptance.
  • Created a changelog file or added /kind changelog-not-required as a comment on this pull request.
  • Updated the corresponding documentation in site/content/docs/main.

@ywk253100
Copy link
Contributor Author

ywk253100 commented Feb 8, 2023

This change is required to address the issue #5580:
In order to restore the managedFields we will patch the object after it is created, but for the service account token secrets, although the creation operation reports success, but the following patch operation reports not found error.
This is because the secret contains outdated service account uid in annotation and token in data.

apiVersion: v1
data:
  ca.crt: ...
  token: ...
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: 4efe2bad-72a0-4083-9847-46f4f8ad0795
  creationTimestamp: "2023-02-07T07:51:19Z"
  name: default-token-wswwm
  namespace: test
  resourceVersion: "172361511"
  uid: f88c4cd9-a33a-44ce-946f-43614671c16d
type: kubernetes.io/service-account-token

The secret restore item action introduced in this PR handles the service account token secrets in two ways:

  • For the auto-created service account token secrets, as the secrets will be created automatically again by the kube controller, we just skip the restoration
  • For other service account token secrets, we remove several outdated fields and let the kube controller fill them later

Add secret restore item action to handle service account token secret:
1. Skip the restoration for the auto-created service account token secret
2. Remove several fields for non-auto-created service account token secret to make sure the secret can be restored

Signed-off-by: Wenkai Yin(尹文开) <[email protected]>
@reasonerjt reasonerjt self-assigned this Feb 9, 2023
@blackpiglet blackpiglet merged commit 8f76907 into vmware-tanzu:main Feb 13, 2023
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants