Open chencivalue opened 3 years ago
This is probably a limitation right now and we should clarify if we can cover that in itemsnapshotter.
We should also check if CSI snapshotter can support multiple subscription ID.
The multiple subscription ID probably never worked in azure plugin.
@chencivalue Per my understanding, you are trying to do restore across subscriptions, your use case is as following:
backup-on-bbb
.backup-on-bbb
to the cluster Abackup-on-bbb
after the first round of sync.velero restore create restore-name --from-backup backup-on-bbb
and get the failureWhen doing the restoring, Velero always use the same name VSL specified during the backup.
If you don't specify the VSL during the backup on subscription BBB, Velero uses the default VSL as the target of snapshot.
So during the restore on subscription AAA, Velero still uses the VSL named default
while subscription of the default VSL on AAA is AAA rather than BBB. So you get the failure.
So when doing the restore across subscriptions, the VSL on the restore-target cluster should be the same name and configuration with the one specified during the backup.
And if Velero supports specifying VSL when doing the restore, your case will be easier, but Velero doesn't support that at this moment
What steps did you take and what happened: [A clear and concise description of what the bug is and what commands you ran.)
error executing PVAction for persistentvolumes/pvc-398a2563-60e2-4663-9ca9-8eae681569f5: rpc error: code = Unknown desc = compute.SnapshotsClient#Get: Failure responding to request: StatusCode=403 -- Original Error: autorest/azure: Service returned an error. Status=403 Code="AuthorizationFailed" Message="The client 'xxx' with object id 'xxx' does not have authorization to perform action 'Microsoft.Compute/snapshots/read' over scope '/subscriptions/AAA/resourceGroups/shared-validation/providers/Microsoft.Compute/snapshots/kubernetes-dynamic-pvc-398a2563-60e2-4663-9-8c00c66d-845b-4640-872b-c8efea0a87c8' or the scope is invalid. If access was recently granted, please refresh your credentials."
What did you expect to happen: The snapshot object ID should be created with the correct subscription ID rather than the default one.
The output of the following commands will help us better understand what's going on: (Pasting long output into a GitHub gist or other pastebin is fine.)
Anything else you would like to add: After manually editing the default snapshot-location subscription id from AAA to BBB I managed to restore from subscription BBB (then I changed it back to AAA)
I took a quick look at the plugin code, and it seems that there is only one snapshot client that is initialized with the subscription id provided in the default location. When trying to restore a snapshot from a different subscription with this snapshot client, the problem occurs.
The snapshot client init (https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/main/velero-plugin-for-microsoft-azure/volume_snapshotter.go#L159)
The failed lookup due to wrong subscription id (https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/main/velero-plugin-for-microsoft-azure/volume_snapshotter.go#L186)
Environment:
Vote on this issue!
This is an invitation to the Velero community to vote on issues, you can see the project's top voted issues listed here.
Use the "reaction smiley face" up to the right of this comment to vote.