Closed kaovilai closed 1 year ago
TL;DR: we need to check that each secret in the secretList has the same UID as the expected service accounts that will use them. https://github.com/openshift/openshift-velero-plugin/blob/4d55378a6c7d9f0df9aeba1a108af86b2816d46e/velero-plugins/common/util.go#L121-L132
This could be a false positive if this was the secret restored from the backup. https://github.com/openshift/openshift-velero-plugin/blob/c934b2dae2706b5bf8b66bc0b46ac20341287efb/velero-plugins/pod/restore.go#L172-L176
It could be the secret with the right name but for a wrong serviceAccount UID.
Example scenario:
This namespace has two secrets
and
Only the first secret would actually work for the serviceaccount named default in the namespace mongo-persistent as it has the correct uid annotation.
kubernetes.io/service-account.uid: 527ee6d5-64f1-47fb-8746-1465db437f2b
Closing this issue may close https://github.com/openshift/oadp-operator/issues/925
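The UID check described in this issue, as an added example that is not the plugin's own code. It assumes simplified `Secret` and `ServiceAccount` structs in place of the Kubernetes API types; the secret names and the second and third UIDs are constructed, and `SecretsForServiceAccount` is a hypothetical helper name.

```go
package main

import "fmt"

// Annotations Kubernetes sets on secrets that belong to a service account.
const (
	saNameAnnotation = "kubernetes.io/service-account.name"
	saUIDAnnotation  = "kubernetes.io/service-account.uid"
)

// Secret and ServiceAccount are simplified stand-ins (an assumption of this
// example), not the k8s.io/api/core/v1 types the plugin works with.
type Secret struct {
	Name        string
	Annotations map[string]string
}

type ServiceAccount struct{ Name, UID string }

// SecretsForServiceAccount splits the secrets annotated with sa's name into
// those bound to the live service account (UID matches) and stale ones that
// carry the right name but another UID, e.g. a secret restored from a backup.
// Secrets annotated for a different service account are ignored.
func SecretsForServiceAccount(secrets []Secret, sa ServiceAccount) (matched, stale []Secret) {
	for _, s := range secrets {
		if s.Annotations[saNameAnnotation] != sa.Name {
			continue
		}
		if sa.UID != "" && s.Annotations[saUIDAnnotation] == sa.UID {
			matched = append(matched, s)
		} else {
			stale = append(stale, s)
		}
	}
	return matched, stale
}

// sampleSecrets is constructed data; only the first UID comes from the issue.
func sampleSecrets() []Secret {
	return []Secret{
		{"secret-current", map[string]string{saNameAnnotation: "default", saUIDAnnotation: "527ee6d5-64f1-47fb-8746-1465db437f2b"}},
		{"secret-restored", map[string]string{saNameAnnotation: "default", saUIDAnnotation: "00000000-0000-0000-0000-000000000000"}},
		{"secret-builder", map[string]string{saNameAnnotation: "builder", saUIDAnnotation: "11111111-1111-1111-1111-111111111111"}},
	}
}

func main() {
	sa := ServiceAccount{Name: "default", UID: "527ee6d5-64f1-47fb-8746-1465db437f2b"}
	matched, stale := SecretsForServiceAccount(sampleSecrets(), sa)
	fmt.Println("usable:", len(matched), "name-only matches:", len(stale))
}
```

Matching on the name annotation alone would accept both `secret-current` and `secret-restored`; comparing the UID annotation is what separates them.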