ERROR Reconciler error, bsl not found when using default DPA bsl and default bsl is in enforcedBackupSpec

[weshayutin]

We require a validation to ensure that cluster admins do NOT set the default BSL in the enforceBackupSpec.
The default BSL is not allowed.

Recreate:

• Using install of oadp-operator master commit bb0c25a9c6af2bcd334423be1784d436d71e6869 (HEAD -> master, origin/master, origin/HEAD)
• make deploy-olm

DPA SNIP

  nonAdmin:
    enable: true
    enforceBackupSpec:
      storageLocation: dpa-sample-1
  snapshotLocations:
  - velero:
      config:
        profile: default
        region: us-west-2
      provider: aws
  unsupportedOverrides:
    tech-preview-ack: "true"
status:
  conditions:
  - lastTransitionTime: "2025-02-07T15:29:18Z"
    message: Reconcile complete
    reason: Complete
    status: "True"
    type: Reconciled

oc get bsl
NAME           PHASE       LAST VALIDATED   AGE   DEFAULT
dpa-sample-1   Available   4s               66m   true

whayutin@thinkdoe:~/OADP/SETUP/OADP_1.5$ oc get bsl -o yaml
apiVersion: v1
items:
- apiVersion: velero.io/v1
  kind: BackupStorageLocation
  metadata:
    creationTimestamp: "2025-02-07T15:29:18Z"
    generation: 135
    labels:
      app.kubernetes.io/component: bsl
      app.kubernetes.io/instance: dpa-sample-1
      app.kubernetes.io/managed-by: oadp-operator
      app.kubernetes.io/name: oadp-operator-velero
      openshift.io/oadp: "True"
      openshift.io/oadp-registry: "True"
    name: dpa-sample-1
    namespace: openshift-adp
    ownerReferences:
    - apiVersion: oadp.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: DataProtectionApplication
      name: dpa-sample
      uid: a8bbe4bb-13ee-4caa-a4b4-0f9eefbdaa0a
    resourceVersion: "14026484"
    uid: ad38dab3-425d-4a47-895f-8fed22aea893
  spec:
    config:
      checksumAlgorithm: ""
      profile: default
      region: us-west-2
    credential:
      key: cloud
      name: cloud-credentials
    default: true
    objectStorage:
      bucket: cvpbucketuswest2
      prefix: velero
    provider: aws
  status:
    lastSyncedTime: "2025-02-07T16:35:31Z"
    lastValidationTime: "2025-02-07T16:35:31Z"
    phase: Available

non-admin-controller logs / error

dbbd-c288-4849-a459-e7f6f3cf34ab"}
2025-02-07T16:32:53Z	DEBUG	NonAdminBackup already contains VeleroBackup UUID reference	{"controller": "nonadminbackup", "controllerGroup": "oadp.openshift.io", "controllerKind": "NonAdminBackup", "NonAdminBackup": {"name":"nacuser1-backup-7","namespace":"nacuser1"}, "namespace": "nacuser1", "name": "nacuser1-backup-7", "reconcileID": "5995dbbd-c288-4849-a459-e7f6f3cf34ab"}
2025-02-07T16:32:53Z	DEBUG	Finalizer exists on the NonAdminBackup object	{"controller": "nonadminbackup", "controllerGroup": "oadp.openshift.io", "controllerKind": "NonAdminBackup", "NonAdminBackup": {"name":"nacuser1-backup-7","namespace":"nacuser1"}, "namespace": "nacuser1", "name": "nacuser1-backup-7", "reconcileID": "5995dbbd-c288-4849-a459-e7f6f3cf34ab", "finalizer": "nonadminbackup.oadp.openshift.io/finalizer"}
2025-02-07T16:32:53Z	INFO	VeleroBackup with label not found, creating one	{"controller": "nonadminbackup", "controllerGroup": "oadp.openshift.io", "controllerKind": "NonAdminBackup", "NonAdminBackup": {"name":"nacuser1-backup-7","namespace":"nacuser1"}, "namespace": "nacuser1", "name": "nacuser1-backup-7", "reconcileID": "5995dbbd-c288-4849-a459-e7f6f3cf34ab", "UUID": "nacuser1-nacuser1-backup-7-6fec3878-3fbf-4c4a-b4a9-0d4170939ce2"}
2025-02-07T16:32:53Z	ERROR	Reconciler error	{"controller": "nonadminbackup", "controllerGroup": "oadp.openshift.io", "controllerKind": "NonAdminBackup", "NonAdminBackup": {"name":"nacuser1-backup-7","namespace":"nacuser1"}, "namespace": "nacuser1", "name": "nacuser1-backup-7", "reconcileID": "5995dbbd-c288-4849-a459-e7f6f3cf34ab", "error": "NonAdminBackupStorageLocation.oadp.openshift.io \"dpa-sample-1\" not found"}
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).reconcileHandler
	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.5/pkg/internal/controller/controller.go:324
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).processNextWorkItem
	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.5/pkg/internal/controller/controller.go:261
sigs.k8s.io/controller-runtime/pkg/internal/controller.(*Controller).Start.func2.2
	/go/pkg/mod/sigs.k8s.io/controller-runtime@v0.18.5/pkg/internal/controller/controller.go:222

apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackup
metadata:
  name: nacuser1-backup-2
  namespace: nacuser1
spec: 
  backupSpec:
    includedNamespaces:
    - nacuser1
    ttl: 720h0m0s

[shubham-pampattiwar]

Just to sum things up(VBSL: Velero BSL, NaBSL: Non-Admin BSL):

• User specifies a NaBSL to be used in enforcedBackupSpec via DPA
• The name specified here in DPA is a VBSL name and not a NaBSL name
• According to our design we need the users to specify NaBSL name in NAB spec or they can leave it empty to use the default VBSL
• The Reconcile error that we see in logs is because the NAB controller is trying a Get call on NaBSL (under the false impression that it is a NaBSL)

Proposed fix:

• Add a validation on DPA enforcedBackup Spec to clarify that NaBSL name cannot be enforced