vmware-tanzu / velero

Backup and migrate Kubernetes applications and their persistent volumes
https://velero.io
Apache License 2.0

Service accounts in restored backup get new JWTs and external apps do not work #5537

Open alkdese opened 2 years ago

alkdese commented 2 years ago

What steps did you take and what happened:

1. Create a Kubernetes service account in a namespace.
2. Get its JWT and configure an external application to use that SA to do some stuff in k8s.
3. Create a backup of the namespace.
4. Delete the namespace.
5. Restore the namespace.

The restored SA has a new secret with a new JWT.

What did you expect to happen: I expect after restore to get exactly the same state of a namespace and the objects in that namespace. I mean I expect that I will be able to use the same service account with the same JWT.

The following information will help us better understand what's going on:

velero version
Client:
  Version: v1.9.2
  Git commit: 82a100981cc66d119cf9b1d121f45c5c9dcf99e1
Server:
  Version: v1.9.2

I use Azure plugin 1.51 and velero 1.9.2. We use AKS and the k8s version is 1.23.8

To be honest I'm not sure if that's technically possible, as I have never seen that it is possible to create an SA with a concrete JWT. I hope it is possible.

alkdese commented 2 years ago

Looks like it may be possible in 1.24: https://itnext.io/big-change-in-k8s-1-24-about-serviceaccounts-and-their-secrets-4b909a4af4e0. Not clear if I can specify the value for a token, but I can request token creation.

ywk253100 commented 1 year ago

This is impossible at the moment because during the restoration Velero recreates the service accounts, and new UIDs are generated for these restored service accounts, while the JWT tokens distributed to the external applications still hold the old UIDs of the backed-up service accounts, so all these tokens are invalid.

So you need to get the new JWT tokens of the service accounts and distribute them to the applications.

I'm moving this issue out of 1.11 scope
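The explanation above (a service account token embeds the SA's UID, and a restored SA gets a fresh UID) suggests a simple post-restore check: decode the payload of each token that was handed out to an external application and compare the UID claim against the UID of the service account that now exists in the cluster. The following is an added example written for this thread, not Velero's code and not part of the original issue. It uses only the Python standard library, handles both the legacy secret-based token claims (`kubernetes.io/serviceaccount/service-account.uid`) and the bound tokens issued through the TokenRequest API (`kubernetes.io` / `serviceaccount` / `uid`), and runs on constructed, unsigned sample tokens and a constructed list of service accounts in the shape `kubectl get sa -o json` returns. It deliberately does not verify signatures: it is a stale-token inventory, and the API server remains the authority on whether a token is accepted.

```python
import base64
import json
from typing import Dict, List, Tuple

# Claim names used by legacy (secret-based) service account tokens.
LEGACY_NS = "kubernetes.io/serviceaccount/namespace"
LEGACY_NAME = "kubernetes.io/serviceaccount/service-account.name"
LEGACY_UID = "kubernetes.io/serviceaccount/service-account.uid"


def _b64url_decode(segment: str) -> bytes:
    """base64url decode a JWT segment, restoring the padding JWTs strip."""
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))


def decode_claims(token: str) -> dict:
    """Parse the payload of a compact JWT WITHOUT checking the signature.
    Diagnostic use only: this tells you what the token claims, not whether
    the API server still accepts it."""
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a compact JWT: expected 3 dot-separated segments")
    return json.loads(_b64url_decode(parts[1]))


def extract_sa_ref(claims: dict) -> Tuple[str, str, str]:
    """Return (namespace, name, uid) from either token flavour."""
    if LEGACY_UID in claims:  # legacy token stored in a Secret
        return claims[LEGACY_NS], claims[LEGACY_NAME], claims[LEGACY_UID]
    bound = claims.get("kubernetes.io")  # bound token from TokenRequest
    if isinstance(bound, dict) and "serviceaccount" in bound:
        sa = bound["serviceaccount"]
        return bound["namespace"], sa["name"], sa["uid"]
    raise ValueError("token carries no service account claims")


def audit_tokens(tokens: Dict[str, str], live_sas: List[dict]) -> Dict[str, str]:
    """Classify each token as 'current', 'stale' (SA exists but its UID changed,
    e.g. after a Velero restore) or 'no-such-sa' (SA no longer exists).
    live_sas is the 'items' list of `kubectl get sa -A -o json`."""
    live = {
        (sa["metadata"]["namespace"], sa["metadata"]["name"]): sa["metadata"]["uid"]
        for sa in live_sas
    }
    verdicts = {}
    for label, token in tokens.items():
        ns, name, uid = extract_sa_ref(decode_claims(token))
        current_uid = live.get((ns, name))
        if current_uid is None:
            verdicts[label] = "no-such-sa"
        elif current_uid != uid:
            verdicts[label] = "stale"
        else:
            verdicts[label] = "current"
    return verdicts


def make_unsigned_token(claims: dict) -> str:
    """Build a structurally valid but UNSIGNED JWT (alg=none, empty signature).
    Only for constructing offline sample input; never issue such tokens."""
    def enc(obj: dict) -> str:
        raw = json.dumps(obj, separators=(",", ":")).encode()
        return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."


# Constructed sample data: the 'deployer' SA in namespace 'app' was restored and
# now carries a new UID; the 'retired' SA was not restored at all.
SAMPLE_LIVE_SAS = [
    {"metadata": {"namespace": "app", "name": "deployer", "uid": "33333333-new-uid"}},
]
SAMPLE_TOKENS = {
    # Legacy token handed to a CI runner before the backup: old UID.
    "ci-runner": make_unsigned_token({
        "iss": "kubernetes/serviceaccount",
        "sub": "system:serviceaccount:app:deployer",
        LEGACY_NS: "app", LEGACY_NAME: "deployer", LEGACY_UID: "11111111-old-uid",
    }),
    # Bound token requested after the restore: matches the live UID.
    "post-restore": make_unsigned_token({
        "sub": "system:serviceaccount:app:deployer",
        "kubernetes.io": {"namespace": "app",
                          "serviceaccount": {"name": "deployer", "uid": "33333333-new-uid"}},
    }),
    # Token for an SA that no longer exists in the cluster.
    "orphan": make_unsigned_token({
        LEGACY_NS: "app", LEGACY_NAME: "retired", LEGACY_UID: "22222222-gone-uid",
    }),
}


def sample_audit() -> Dict[str, str]:
    """Run the audit over the constructed sample; returns the per-token verdict."""
    return audit_tokens(SAMPLE_TOKENS, SAMPLE_LIVE_SAS)


if __name__ == "__main__":
    for label, verdict in sample_audit().items():
        print(f"{label}: {verdict}")
```

In a real cluster you would feed `audit_tokens` the tokens from your external applications' secret stores and the `items` array of `kubectl get serviceaccounts -A -o json`; every `stale` entry is a token that must be re-issued and redistributed after the restore, which is exactly the manual step the reply above describes.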