cert-manager resources (certificates, issuers and certificate requests) can't be backed up.

[insidepacket]

What steps did you take and what happened: I followed the [VMware official doc] and completed the installation of Velero. When I tried to back up a namespace in a TKG 1.3.1 workload cluster. The backup is partially failed. When I checked the backup log, I found the backup was failed for the following kinds of resources:

• issuers.cert-manager.io
• certificates.cert-manager.io
• certificaterequests.cert-manager.io

What did you expect to happen: All resources in a namespace will be backed up.

The output of the following commands will help us better understand what's going on:

https://gist.github.com/insidepacket/c03966999c994abcc5102dc144d42f6c

Anything else you would like to add: [Miscellaneous information that will assist in solving the issue.]

Environment:

• Velero version (use velero version): Client: Version: v1.5.4_vmware.1 Git commit: 525705bceb8895b9da2cf2a1d1a79b99d74723cb Server: Version: v1.5.4_vmware.1
• Velero features (use velero client config get features):
  [ ~ ]# velero client config get features features: <NOT SET>
• Kubernetes version (use kubectl version): Client Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.5+vmware.1", GitCommit:"f4553304874c3b89584280a5ac1b005d57c725a8", GitTreeState:"clean", BuildDate:"2021-03-22T17:00:59Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"} Server Version: version.Info{Major:"1", Minor:"20", GitVersion:"v1.20.5+vmware.1", GitCommit:"f4553304874c3b89584280a5ac1b005d57c725a8", GitTreeState:"clean", BuildDate:"2021-03-22T16:56:50Z", GoVersion:"go1.15.8", Compiler:"gc", Platform:"linux/amd64"}
• Kubernetes installer & version: TKG 1.3.1
• Cloud provider or hardware configuration: vSphere virtual machine
• OS (e.g. from /etc/os-release): Ubuntu 20.4

Vote on this issue!

This is an invitation to the Velero community to vote on issues, you can see the project's top voted issues listed here.
Use the "reaction smiley face" up to the right of this comment to vote.

• :+1: for "I would like to see this bug fixed as soon as possible"
• :-1: for "There are more important bugs to focus on right now"

[zubron]

Hi @insidepacket. It looks like this error is coming from the vSphere plugin for Velero: https://github.com/vmware-tanzu/velero-plugin-for-vsphere/blob/main/pkg/plugin/backup_pvc_action_plugin.go#L55-L57

Looking at the docs for the plugin, it seems that certain resources are restricted during backup (https://github.com/vmware-tanzu/velero-plugin-for-vsphere/blob/main/docs/supervisor-notes.md#restricted-resources) however you stated that you were trying to backup a workload cluster?

@xing-yang Is it expected that resources would be blocked when running a backup for a workload cluster?

[xing-yang]

@zubron Yes, those Supervisor Cluster CRDs are skipped as we don't know how to restore them properly. It is documented here: https://github.com/vmware-tanzu/velero-plugin-for-vsphere/blob/main/docs/supervisor-notes.md#restricted-resources

The workaround is to exclude those CRDs.

[zubron]

I am going to transfer this issue to the vSphere plugin repo as @xing-yang suggested that the documentation should be updated to move the restricted resources details to a section that is not supervisor cluster specific.