Add secret restore item action to handle service account token secret #5843

Merged
merged 1 commit into from Feb 13, 2023


ywk253100
Contributor

Add secret restore item action to handle service account token secret:

  1. Skip the restoration for the default service account token secret
  2. Remove several fields for non-default service account token secret to make sure the secret can be restored

Signed-off-by: Wenkai Yin(尹文开) yinw@vmware.com

Thank you for contributing to Velero!

Please add a summary of your change

Does your change fix a particular issue?

Fixes #(issue)

Please indicate you've done the following:

  • Accepted the DCO. Commits without the DCO will delay acceptance.
  • Created a changelog file or added /kind changelog-not-required as a comment on this pull request.
  • Updated the corresponding documentation in site/content/docs/main.

@ywk253100
Contributor Author

ywk253100 commented Feb 8, 2023

This change is required to address the issue #5580:
In order to restore the managedFields we will patch the object after it is created, but for the service account token secrets, although the creation operation reports success, the following patch operation reports a not found error.
This is because the secret contains an outdated service account uid in the annotation and token in data.

apiVersion: v1
data:
  ca.crt: ...
  token: ...
kind: Secret
metadata:
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: 4efe2bad-72a0-4083-9847-46f4f8ad0795
  creationTimestamp: "2023-02-07T07:51:19Z"
  name: default-token-wswwm
  namespace: test
  resourceVersion: "172361511"
  uid: f88c4cd9-a33a-44ce-946f-43614671c16d
type: kubernetes.io/service-account-token

The secret restore item action introduced in this PR handles the service account token secrets in two ways:

  • For the auto-created service account token secrets, as the secrets will be created automatically again by the kube controller, we just skip the restoration
  • For other service account token secrets, we remove several outdated fields and let the kube controller fill them later
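The two cases described in the comment above, as an added Go example that is not code from this PR or from Velero. The `Secret` type and `prepareForRestore` are hypothetical names; recognising auto-created secrets by the `<service account>-token-` name prefix, and stripping only the uid annotation and the `token` key, are assumptions drawn from the comment and its sample secret.

```go
package main

import (
	"fmt"
	"strings"
)

const (
	saTokenType = "kubernetes.io/service-account-token"
	saNameKey   = "kubernetes.io/service-account.name"
	saUIDKey    = "kubernetes.io/service-account.uid"
)
// Secret is a minimal stand-in for a Kubernetes Secret (hypothetical type for this example).
type Secret struct {
	Name, Type  string
	Annotations map[string]string
	Data        map[string][]byte
}

// prepareForRestore (hypothetical name) returns the secret to create, or skip=true to drop it.
func prepareForRestore(s Secret) (out Secret, skip bool, err error) {
	if s.Type != saTokenType {
		return s, false, nil // other secret types are restored unchanged
	}
	sa := s.Annotations[saNameKey]
	if sa == "" {
		return s, false, fmt.Errorf("secret %q has no %s annotation", s.Name, saNameKey)
	}
	// Assumption: auto-created token secrets are named "<service account>-token-<suffix>".
	if strings.HasPrefix(s.Name, sa+"-token-") {
		return Secret{}, true, nil // the kube controller creates it again
	}
	out = Secret{Name: s.Name, Type: s.Type, Annotations: map[string]string{}, Data: map[string][]byte{}}
	for k, v := range s.Annotations {
		if k != saUIDKey { // uid of the service account as it was at backup time
			out.Annotations[k] = v
		}
	}
	for k, v := range s.Data {
		if k != "token" { // token issued for the old service account
			out.Data[k] = v
		}
	}
	return out, false, nil
}

func main() { // constructed input modelled on the secret quoted in the comment above
	_, skip, err := prepareForRestore(Secret{Name: "default-token-wswwm", Type: saTokenType, Annotations: map[string]string{saNameKey: "default"}})
	fmt.Println("skip:", skip, "err:", err)
}
```

The input secret is copied rather than edited in place, so the backed-up object stays available for comparison or logging.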

Add secret restore item action to handle service account token secret:
1. Skip the restoration for the auto-created service account token secret
2. Remove several fields for non-auto-created service account token secret to make sure the secret can be restored

Signed-off-by: Wenkai Yin(尹文开) <yinw@vmware.com>
@blackpiglet blackpiglet merged commit 8f76907 into vmware-tanzu:main Feb 13, 2023