This article describes a workaround for this issue so that the backup by Object Storage Extension succeeds.
Symptoms:
500 internal {"status":500,"code":"InternalError","message":"Rollback bucket tenant-tkg220-bk due to failing to enable cluster protection urn:vcloud:entity:vmware:capvcdCluster:########-####-####-####-########3997, please contact the system administrator.","resource":"/api/v1/k8s/clusters/urn:vcloud:entity:vmware:capvcdCluster:########-####-####-####-########3997/protection","requestId":"########-####-####-####-########75f2"}
"level": "error",
"timestamp": "2023-09-13T03:42:58.503-0400",
"caller": "service/cluster.go:69",
"msg": "Preparing cluster environments meet error with many times, give up.",
"times": 2,
"error": "can't find the secret name from the servie account"
> kubectl get ns | grep velero
velero-########-####-####-####-########10e7 Active 42m
> kubectl -n velero-########-####-####-####-########10e7 get sa
NAME         SECRETS   AGE
ose-k8s-br   0         60m
After cluster protection fails in Object Storage Extension, the cluster owner can create a service account secret and add it to the service account using the kubectl command-line tool.
Tip
1. Get the Velero namespace, which has the format velero-<uuid>, for instance velero-########-####-####-####-########10e7.
> kubectl get ns | grep velero
velero-########-####-####-####-########10e7 Active 42m
2. Print the service account to the console in YAML format.
> kubectl -n <your-velero-ns> get sa ose-k8s-br -o yaml
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2023-09-13T07:58:17Z"
  name: ose-k8s-br
  namespace: <your-velero-ns>
  resourceVersion: "656654"
  uid: ########-####-####-####-########365b
3. Create a file named secret.yaml with the content below. Take the ServiceAccount part from the output of step 2.
apiVersion: v1
kind: Secret
metadata:
  name: ose-k8s-br-secret
  namespace: <your-velero-ns>
  annotations:
    kubernetes.io/service-account.name: "ose-k8s-br"
type: kubernetes.io/service-account-token
---
<<insert-ServiceAccount-part-here>>
secrets:
- name: ose-k8s-br-secret
A full sample looks like this:
apiVersion: v1
kind: Secret
metadata:
  name: ose-k8s-br-secret
  namespace: <your-velero-ns>
  annotations:
    kubernetes.io/service-account.name: "ose-k8s-br"
type: kubernetes.io/service-account-token
---
apiVersion: v1
kind: ServiceAccount
metadata:
  creationTimestamp: "2023-09-13T07:58:17Z"
  name: ose-k8s-br
  namespace: <your-velero-ns>
  resourceVersion: "656654"
  uid: ########-####-####-####-########365b
secrets:
- name: ose-k8s-br-secret
4. Apply the service account secret.
> kubectl apply -f secret.yaml
5. Try to protect the Kubernetes cluster from Object Storage Extension UI again.
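Steps 1 to 4 as a script, with a check that the token was actually issued (an added example, not part of the original article or of VMware's tooling). The function names velero_ns, render_secret and main are hypothetical; the script patches the service account instead of re-applying its full YAML, and it touches the cluster only when run with --apply.

```shell
#!/bin/sh
# Added example: scripted form of the workaround steps, plus a verification.
SA=ose-k8s-br
SECRET=ose-k8s-br-secret

# Step 1: read `kubectl get ns` output on stdin, print the velero-<uuid> namespace.
# Fails unless exactly one namespace matches, so nothing lands in the wrong one.
velero_ns() {
  awk '$1 ~ /^velero-/ { n++; ns = $1 } END { if (n != 1) exit 1; print ns }'
}

# Step 3: Secret manifest for namespace $1. The token controller fills data.token;
# that token does not expire on its own, deleting the Secret revokes it.
render_secret() {
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $SECRET
  namespace: $1
  annotations:
    kubernetes.io/service-account.name: "$SA"
type: kubernetes.io/service-account-token
EOF
}

# Steps 1-4 against the current kubectl context.
main() {
  ns=$(kubectl get ns --no-headers | velero_ns) || { echo "need exactly one velero-* namespace" >&2; return 1; }
  render_secret "$ns" | kubectl apply -f - || return 1
  # Same result as the "secrets:" list added to the ServiceAccount in step 3.
  kubectl -n "$ns" patch sa "$SA" -p "{\"secrets\":[{\"name\":\"$SECRET\"}]}" || return 1
  # Check: wait briefly for the token, then confirm the account references the secret.
  i=0
  while [ "$i" -lt 5 ]; do
    token=$(kubectl -n "$ns" get secret "$SECRET" -o jsonpath='{.data.token}')
    [ -n "$token" ] && break
    i=$((i + 1)); sleep 1
  done
  refs=$(kubectl -n "$ns" get sa "$SA" -o jsonpath='{.secrets[*].name}')
  [ -n "$token" ] || return 1
  case " $refs " in *" $SECRET "*) echo "ok: $SA in $ns uses $SECRET" ;; *) return 1 ;; esac
}

if [ "${1:-}" = "--apply" ]; then main; fi
```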
Impact/Risks:
This issue affects VMware Cloud Director Object Storage Extension 2.2.2 and earlier versions.