openshift / openshift-velero-plugin

General Velero plugin for backup and restore of openshift workloads.
Apache License 2.0

"Found new dockercfg" secret false positive #179

Closed kaovilai closed 1 year ago

kaovilai commented 1 year ago

This could be false positive if this was the secret restored from the backup. https://github.com/openshift/openshift-velero-plugin/blob/c934b2dae2706b5bf8b66bc0b46ac20341287efb/velero-plugins/pod/restore.go#L172-L176

It could be the secret with the right name but for a wrong serviceAccount UID.

Example scenario:

```yaml
kind: ServiceAccount
apiVersion: v1
metadata:
  name: default
  namespace: mongo-persistent
  uid: 527ee6d5-64f1-47fb-8746-1465db437f2b
  resourceVersion: '25284909'
  creationTimestamp: '2023-03-17T22:01:06Z'
secrets:
  - name: default-dockercfg-8s22k
imagePullSecrets:
  - name: default-dockercfg-8s22k
```

This namespace has two secrets

```yaml
kind: Secret
apiVersion: v1
metadata:
  name: default-dockercfg-8s22k
  namespace: mongo-persistent
  uid: ac1efa1b-9f48-43c9-a48d-fe74fa5e049a
  resourceVersion: '25284906'
  creationTimestamp: '2023-03-17T22:01:06Z'
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: 527ee6d5-64f1-47fb-8746-1465db437f2b
  ownerReferences:
    - apiVersion: v1
      kind: Secret
      name: default-token-ssbq8
      uid: 6b78a234-9ad1-4322-b7a4-8f8f6edc6de2
      controller: true
      blockOwnerDeletion: false
```

and

```yaml
kind: Secret
apiVersion: v1
metadata:
  name: default-dockercfg-wnhzz
  namespace: mongo-persistent
  uid: 7c564686-1795-409c-b31c-cb0791c837d3
  resourceVersion: '25284956'
  creationTimestamp: '2023-03-17T22:01:06Z'
  labels:
    velero.io/backup-name: mongo-restic-e2e-e60359d6-c50e-11ed-9130-1acc26a6847f
    velero.io/restore-name: mongo-restic-e2e-e6035e7c-c50e-11ed-9130-1acc26a6847f
  annotations:
    kubernetes.io/service-account.name: default
    kubernetes.io/service-account.uid: c9219594-7956-4967-9234-4caaab2db8be
```

Only the first secret would actually work for the serviceaccount named default in the namespace mongo-persistent as it has the correct uid annotation. kubernetes.io/service-account.uid: 527ee6d5-64f1-47fb-8746-1465db437f2b

Closing this issue may close https://github.com/openshift/oadp-operator/issues/925

kaovilai commented 1 year ago

TLDR: we need to check that each secret in the secretList has a UID matching the expected service account that will use it. https://github.com/openshift/openshift-velero-plugin/blob/4d55378a6c7d9f0df9aeba1a108af86b2816d46e/velero-plugins/common/util.go#L121-L132
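The check both comments ask for, as an added example that is not code from the plugin or from the linked restore.go/util.go: a dockercfg secret counts as belonging to a ServiceAccount only when its name prefix, its `kubernetes.io/service-account.name` annotation and, decisively, its `kubernetes.io/service-account.uid` annotation all match the live ServiceAccount object. The `Secret` and `ServiceAccount` structs are minimal stand-ins for the corev1 types (an assumption, so the example runs without the Kubernetes client libraries), and the sample data reproduces the two secrets from the issue.

```go
package main

import (
	"fmt"
	"strings"
)

// Annotation keys Kubernetes sets on secrets it manages for a ServiceAccount.
const (
	saNameAnnotation = "kubernetes.io/service-account.name"
	saUIDAnnotation  = "kubernetes.io/service-account.uid"
)

// Secret and ServiceAccount are deliberately minimal stand-ins for the corev1
// types (constructed for this example; only the fields the check needs).
type Secret struct {
	Name        string
	Namespace   string
	Annotations map[string]string
}

type ServiceAccount struct {
	Name      string
	Namespace string
	UID       string
}

// looksLikeDockercfgFor reports whether s has the shape of a dockercfg secret
// generated for a ServiceAccount with this name (prefix and name annotation),
// without yet looking at the UID.
func looksLikeDockercfgFor(sa ServiceAccount, s Secret) bool {
	return s.Namespace == sa.Namespace &&
		strings.HasPrefix(s.Name, sa.Name+"-dockercfg-") &&
		s.Annotations[saNameAnnotation] == sa.Name
}

// IsDockercfgSecretFor reports whether s is bound to exactly this ServiceAccount
// object. A secret with the right name and name annotation but a different UID
// belongs to an earlier incarnation of the ServiceAccount (for example one
// restored from a backup) and is not a match.
func IsDockercfgSecretFor(sa ServiceAccount, s Secret) bool {
	return looksLikeDockercfgFor(sa, s) && s.Annotations[saUIDAnnotation] == sa.UID
}

// ClassifyDockercfgSecrets splits candidates into secrets genuinely bound to sa
// and stale ones that only look bound (same name shape, wrong UID). A caller that
// only counts len(valid) avoids the false positive described in the issue.
func ClassifyDockercfgSecrets(sa ServiceAccount, secrets []Secret) (valid, stale []Secret) {
	for _, s := range secrets {
		switch {
		case IsDockercfgSecretFor(sa, s):
			valid = append(valid, s)
		case looksLikeDockercfgFor(sa, s):
			stale = append(stale, s)
		}
	}
	return valid, stale
}

// SampleData is constructed test input reproducing the objects from the issue.
func SampleData() (ServiceAccount, []Secret) {
	sa := ServiceAccount{Name: "default", Namespace: "mongo-persistent",
		UID: "527ee6d5-64f1-47fb-8746-1465db437f2b"}
	secrets := []Secret{
		{Name: "default-dockercfg-8s22k", Namespace: "mongo-persistent",
			Annotations: map[string]string{
				saNameAnnotation: "default",
				saUIDAnnotation:  "527ee6d5-64f1-47fb-8746-1465db437f2b"}},
		{Name: "default-dockercfg-wnhzz", Namespace: "mongo-persistent",
			Annotations: map[string]string{
				saNameAnnotation: "default",
				saUIDAnnotation:  "c9219594-7956-4967-9234-4caaab2db8be"}},
	}
	return sa, secrets
}

func main() {
	sa, secrets := SampleData()
	valid, stale := ClassifyDockercfgSecrets(sa, secrets)
	for _, s := range valid {
		fmt.Printf("usable: %s\n", s.Name)
	}
	for _, s := range stale {
		fmt.Printf("stale (uid %s != %s): %s\n", s.Annotations[saUIDAnnotation], sa.UID, s.Name)
	}
}
```

Run against the issue's objects, only `default-dockercfg-8s22k` is reported as usable; `default-dockercfg-wnhzz`, the one restored with the backup's old ServiceAccount UID, lands in the stale list, which is the signal the "Found new dockercfg" check needs instead of a bare name match.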