From 4f06b6e1af90f835d6b05ed8ade24e46ca623cc5 Mon Sep 17 00:00:00 2001 From: Tiger Kaovilai Date: Wed, 9 Jul 2025 21:58:38 -0400 Subject: [PATCH] Clarify thirdparty label/annotations on the maintenance jobs (#8930) * Clarify thirdparty label/annotations on the maintenance jobs Signed-off-by: Tiger Kaovilai * Clarify that maintenance jobs do not inherit all labels/annotations - Address PR review feedback and issue #8974 - Make it explicit that only specific predefined third-party labels and annotations are propagated - Add Important note to prevent user confusion about label/annotation inheritance behavior - Currently only azure.workload.identity/use label and iam.amazonaws.com/role annotation are inherited Signed-off-by: Tiger Kaovilai --------- Signed-off-by: Tiger Kaovilai Co-authored-by: Xun Jiang/Bruce Jiang <59276555+blackpiglet@users.noreply.github.com> --- .../docs/main/repository-maintenance.md | 19 ++++++++++++++++++- .../docs/v1.16/repository-maintenance.md | 19 ++++++++++++++++++- 2 files changed, 36 insertions(+), 2 deletions(-) diff --git a/site/content/docs/main/repository-maintenance.md b/site/content/docs/main/repository-maintenance.md index 0841c9d22..10237de5c 100644 --- a/site/content/docs/main/repository-maintenance.md +++ b/site/content/docs/main/repository-maintenance.md 
@@ -155,9 +155,26 @@ Status: - `Recent Maintenance` keeps the status of the recent 3 maintenance jobs, including its start time, result (succeeded/failed), completion time (if the maintenance job succeeded), or error message (if the maintenance failed) ### Others -Maintenance jobs will inherit the labels, annotations, toleration, nodeSelector, service account, image, environment variables, cloud-credentials etc. from Velero deployment. +Maintenance jobs will inherit toleration, nodeSelector, service account, image, environment variables, cloud-credentials etc. from Velero deployment. + +For labels and annotations, maintenance jobs do NOT inherit all labels and annotations from the Velero deployment. Instead, they include: + +**Labels:** + +* `velero.io/repo-name: ` - automatically added to identify which repository they are maintaining +* Only specific [third-party labels][4] from the Velero server deployment that are in the predefined list, currently limited to: + * `azure.workload.identity/use` + +**Annotations:** + +* Only specific [third-party annotations][5] from the Velero server deployment that are in the predefined list, currently limited to: + * `iam.amazonaws.com/role` + +**Important:** Other labels and annotations from the Velero deployment are NOT inherited by maintenance jobs. This is by design to ensure only specific labels and annotations required for cloud provider identity systems are propagated. Maintenance jobs will not run for backup repositories whose backup storage location is set as readOnly. [1]: velero-install.md#usage [2]: node-agent-concurrency.md [3]: backup-repository-configuration.md#full-maintenance-interval-customization +[4]: https://github.com/vmware-tanzu/velero/blob/d5a2e7e6b9512e8ba52ec269ed5ce9a0fa23548c/pkg/util/third_party.go#L19-L21 +[5]: https://github.com/vmware-tanzu/velero/blob/d5a2e7e6b9512e8ba52ec269ed5ce9a0fa23548c/pkg/util/third_party.go#L23-L25 
diff --git a/site/content/docs/v1.16/repository-maintenance.md b/site/content/docs/v1.16/repository-maintenance.md index 0841c9d22..10237de5c 100644 --- a/site/content/docs/v1.16/repository-maintenance.md +++ b/site/content/docs/v1.16/repository-maintenance.md 
@@ -155,9 +155,26 @@ Status: - `Recent Maintenance` keeps the status of the recent 3 maintenance jobs, including its start time, result (succeeded/failed), completion time (if the maintenance job succeeded), or error message (if the maintenance failed) ### Others -Maintenance jobs will inherit the labels, annotations, toleration, nodeSelector, service account, image, environment variables, cloud-credentials etc. from Velero deployment. +Maintenance jobs will inherit toleration, nodeSelector, service account, image, environment variables, cloud-credentials etc. from Velero deployment. + +For labels and annotations, maintenance jobs do NOT inherit all labels and annotations from the Velero deployment. Instead, they include: + +**Labels:** + +* `velero.io/repo-name: ` - automatically added to identify which repository they are maintaining +* Only specific [third-party labels][4] from the Velero server deployment that are in the predefined list, currently limited to: + * `azure.workload.identity/use` + +**Annotations:** + +* Only specific [third-party annotations][5] from the Velero server deployment that are in the predefined list, currently limited to: + * `iam.amazonaws.com/role` + +**Important:** Other labels and annotations from the Velero deployment are NOT inherited by maintenance jobs. This is by design to ensure only specific labels and annotations required for cloud provider identity systems are propagated. Maintenance jobs will not run for backup repositories whose backup storage location is set as readOnly. [1]: velero-install.md#usage [2]: node-agent-concurrency.md [3]: backup-repository-configuration.md#full-maintenance-interval-customization +[4]: https://github.com/vmware-tanzu/velero/blob/d5a2e7e6b9512e8ba52ec269ed5ce9a0fa23548c/pkg/util/third_party.go#L19-L21 +[5]: https://github.com/vmware-tanzu/velero/blob/d5a2e7e6b9512e8ba52ec269ed5ce9a0fa23548c/pkg/util/third_party.go#L23-L25
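Review bot: In the hunk for site/content/docs/main/repository-maintenance.md, the rewritten first sentence still ends with "cloud-credentials etc.", which leaves the inherited set open-ended in the same section that now says other labels and annotations are NOT inherited. Suggest dropping "etc." or listing the inherited fields in full, so a reader auditing what reaches the maintenance job has a closed list. Two smaller points in the same hunk: the `velero.io/repo-name: ` bullet shows no value and should carry a placeholder for the repository name, and the text alternates between "Velero deployment" and "Velero server deployment" without saying whether the labels and annotations are read from the Deployment's own metadata or from its pod template. That distinction decides where an operator has to set `azure.workload.identity/use` or `iam.amazonaws.com/role` for the maintenance job to pick it up.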
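Review bot: In the hunk for site/content/docs/v1.16/repository-maintenance.md, references [4] and [5] use the same permalink as the main copy: third_party.go pinned to commit d5a2e7e6b9512e8ba52ec269ed5ce9a0fa23548c with fixed line ranges (#L19-L21 and #L23-L25). For a versioned doc, the link should point at the source as shipped in v1.16, or the text should state which version the "currently limited to" lists were taken from. Otherwise the page can claim a propagation list that does not match the release the reader is running. The same list is now duplicated across two files, so both copies need updating whenever the predefined list changes; a sentence directing readers to the linked source as the authoritative list would reduce the risk of the docs going stale.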