Installation Manual - 50 OADP credential and DPA blocker
Why the OADP credential and DPA gate was rolled back and what must be fixed before re-applying it.
This gate attempted to add OADP credential delivery and one
DataProtectionApplication on hub-dc-v7 and spoke-dc-v7. The manifests
were valid, but live reconciliation was blocked by Vault policy. The change
was rolled back, so both clusters are back to the healthy OADP operator-only
state.
Governance
| Field | Value |
|---|---|
| Issue | OP-GF-SPOKEDCV7-37 / #388 |
| Phase | OP-GF-SPOKEDCV7-37 |
| Attempted GitOps commit | 70cbc84a396570476817f52a38392b5cf3b6f4d1 |
| Rollback GitOps commit | ac0802fca3c0f1f0357e7c3d64f16bf28410a1ee |
| Scope | OADP credential delivery and DPA, no schedules |
| Live path | dl385-2 -> gf-ocp-bootstrap-01 -> v7 kubeconfigs |
Preflight Result
Both clusters were healthy before the attempted apply:
| Check | hub-dc-v7 | spoke-dc-v7 |
|---|---|---|
| OpenShift | 4.20.18 | 4.20.18 |
| Nodes | 3/3 Ready | 6/6 Ready |
| MCPs | updated, not degraded | updated, not degraded |
| ClusterOperators | no non-steady rows | no non-steady rows |
| OADP CSV | oadp-operator.v1.5.5 Succeeded | oadp-operator.v1.5.5 Succeeded |
| ESO store | vault-platform Ready | vault-platform Ready |
| MinIO health | HTTP 200 | HTTP 200 |
No DPA, BSL, VSL, Schedule, Backup, or Restore existed before the gate.
Intended Shape
The attempted commit added an ExternalSecret and one DPA per cluster.
Credential shape:
Vault path: secret/greenfield/object-storage/minio/users/oadp-backup
Kubernetes Secret: openshift-adp/cloud-credentials
Secret key: cloudDPA layout:
| Cluster | DPA | Bucket | Prefix | Endpoint |
|---|---|---|---|---|
hub-dc-v7 | hub-dc-v7 | ocp-oadp-backups | hub-dc-v7/general | http://30.30.200.1:9000 |
spoke-dc-v7 | spoke-dc-v7 | ocp-oadp-backups | spoke-dc-v7/general | http://30.30.200.1:9000 |
Common DPA settings:
defaultPlugins: openshift, aws, csi
featureFlags: EnableCSI
nodeAgent: enabled with Kopia
s3ForcePathStyle: "true"
region: default
Velero env: AWS_RETRY_MODE=standard, AWS_MAX_ATTEMPTS=10
Velero memory request: 512MiNo Schedule, Backup, Restore, BackupStorageLocation, or
VolumeSnapshotLocation resources were added directly.
Validation Failure
These checks passed:
oc kustomize clusters/hub-dc-v7
oc kustomize clusters/spoke-dc-v7
oc kustomize clusters/hub-dc-v7/platform/backup/oadp
oc kustomize clusters/spoke-dc-v7/platform/backup/oadp
server-side dry-run for both ExternalSecrets and both DPAsLive reconciliation then failed:
ExternalSecret/oadp-cloud-credentials: Ready=False, reason=SecretSyncedError
Secret/cloud-credentials: missing
DPA/hub-dc-v7: Reconciled=False, Secret "cloud-credentials" not foundThe blocking event was Vault HTTP 403 permission denied for:
secret/data/greenfield/object-storage/minio/users/oadp-backupThe locally available Vault administrator token custody was stale or invalid, so the Vault policy could not be fixed in this gate.
Token Custody Recheck
A follow-up recheck on 2026-05-17T19:15Z confirmed the Vault access blocker was still unresolved:
| Check | Result |
|---|---|
| Bootstrap runbook custody path | /home/ze/codex-opp-agent/secrets/greenfield-vault/ absent |
| Local shell Vault token | absent |
dl385-2 shell Vault token | absent |
| Bootstrap shell Vault token | absent |
| Bootstrap/Vault VM root or init material by filename | not found |
| Local Obsidian Vault token | v7 Vault returned HTTP 403 invalid token |
No Vault policy write, GitOps reapply, Kubernetes Secret creation, DPA creation, schedule creation, or MinIO credential read was performed during the recheck.
Vault VM Admin Token Attempt
A direct Vault VM recheck on 2026-05-17T19:31Z confirmed the VMs are reachable, but VM access alone cannot create a Vault administrator token.
| Check | Result |
|---|---|
dl385-2 DNS for v7 Vault VMs | resolves |
SSH via dl385-2 ProxyJump | works for seed and all three main VMs |
| OS sudo on Vault VMs | works |
| Main Vault | initialized, unsealed, Raft, HA active on gf-ocp-vault-02 |
| Seed Vault | initialized and unsealed |
vault operator generate-root -status | started=false, required=3 |
| Exact custody path | /home/ze/codex-opp-agent/secrets/greenfield-vault/ absent on local, dl385-2, bootstrap, and Vault VMs |
Adjacent dl385-2 custody locations | no Vault init JSON, token, recovery key, or unseal key found by filename |
No administrator token was created. Vault administrator-token creation still requires either an existing privileged Vault token or three valid main-Vault Shamir recovery key shares.
Rollback
The attempted commit was reverted:
ac0802fca3c0f1f0357e7c3d64f16bf28410a1eeFinal state after rollback:
| Application | State |
|---|---|
hub-dc-v7-bootstrap | Synced / Healthy |
hub parent spoke-dc-v7-cluster-config | Synced / Healthy |
spoke-local spoke-dc-v7-cluster-config | Synced / Healthy |
Runtime state:
DPA/BSL/VSL/Schedule/Backup/Restore: absent on both clusters
Secret/cloud-credentials: absent on both clusters
OADP operator: still installed and healthyRequired Fix
Use a valid Vault administrator token and grant ESO narrow read access to the OADP MinIO credential path.
Preferred policy:
path "secret/data/greenfield/object-storage/minio/users/oadp-backup" {
capabilities = ["read"]
}
path "secret/metadata/greenfield/object-storage/minio/users/oadp-backup" {
capabilities = ["read"]
}Attach that policy either to the existing hub/spoke Kubernetes auth roles used by ESO, or create a dedicated OADP Vault role and matching ClusterSecretStore.
After Vault access is fixed, re-apply by reverting rollback commit:
git revert ac0802fca3c0f1f0357e7c3d64f16bf28410a1eeThen validate:
oc -n openshift-adp get externalsecret,secret,dpa,bsl
oc -n openshift-adp get schedule,backup,restoreDo not print Secret/cloud-credentials data. Confirm only that the Secret has
the expected key name: cloud.