Remove last-applied-configuration annotation during restore

Add removal of kubectl.kubernetes.io/last-applied-configuration annotation
to all OADP restore operations. This annotation can become very large and
cause restore failures.

The Problem:
- kubectl.kubernetes.io/last-applied-configuration stores entire resource spec
- For large resources (OpenStackControlPlane with many services), this can exceed etcd limits
- OADP restore fails with "annotation too large" or API server errors
- Observed in production: annotation size issues during restore

The Solution:
- Use OADP resourceModifiers to remove the annotation during restore
- Applied to ALL restore orders (00, 10, 20, 30, 40, 60)
- Consistent pattern everywhere using conditions: {}

Implementation:
- Updated "OwnerReference Handling" section → "OwnerReference and Annotation Handling"
- Added explanation of last-applied-configuration size issue
- Updated all example Restore CRs to include both patches:
  1. Remove ownerReferences
  2. Remove kubectl.kubernetes.io/last-applied-configuration
- Updated Phase 3 manual restore examples (all orders)
- Updated Key Points section to mention metadata cleanup
- Created CURRENT_JQ_HANDLING.md documenting all current jq transformations

resourceModifiers pattern (used everywhere):
```yaml
resourceModifiers:
- conditions: {}  # Match all resources
  patches:
  - operation: remove
    path: "/metadata/ownerReferences"
  - operation: remove
    path: "/metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration"
```

Benefits:
- Prevents restore failures due to annotation size limits
- Removes stale client-side apply tracking
- Resource gets fresh annotation on next kubectl apply
- Consistent with current backup playbook behavior (already removes this)

Note:
- JSONPatch path escaping: kubectl.kubernetes.io/last-applied-configuration
  → /metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration
  (tilde followed by 1 escapes the forward slash)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: stuggi

docs/dev/CURRENT_JQ_HANDLING.md

@@ -0,0 +1,164 @@
+# Current jq-Based Backup/Restore Metadata Handling
+
+This document summarizes all metadata and field manipulations currently done via jq in the backup/restore playbooks.
+
+## 1. Metadata Fields Removed During Backup
+
+All resources have these fields removed during backup:
+
+```bash
+jq 'del(.items[].metadata.uid,
+        .items[].metadata.resourceVersion,
+        .items[].metadata.creationTimestamp,
+        .items[].metadata.managedFields,
+        .items[].metadata.annotations."kubectl.kubernetes.io/last-applied-configuration",
+        .metadata)'
+```
+
+**Fields:**
+- `.metadata.uid` - Cluster-unique identifier (auto-assigned by Kubernetes)
+- `.metadata.resourceVersion` - Optimistic concurrency control version
+- `.metadata.creationTimestamp` - Resource creation time
+- `.metadata.managedFields` - Server-side apply field tracking
+- `.metadata.annotations."kubectl.kubernetes.io/last-applied-configuration"` - Client-side apply annotation
+- `.metadata` (root level) - List metadata
+
+**Why:**
+- These are Kubernetes-managed fields that get new values on restore
+- Including them causes conflicts during restore
+
+## 2. ownerReferences Removal
+
+Most resources have ownerReferences removed:
+
+```bash
+jq 'del(.items[].metadata.ownerReferences, ...)'
+```
+
+**Why:**
+- UID mismatch: Backed-up ownerReferences contain OLD UIDs
+- Restored owners get NEW UIDs
+- Causes orphaned resources
+- **STATUS: ADDRESSED** in webhook design using OADP resourceModifiers
+
+**Exceptions:**
+- OpenStackControlPlane: ownerReferences NOT removed (has no owner)
+- NetworkAttachmentDefinitions: ownerReferences NOT removed (why?)
+- RabbitMQUser: ownerReferences NOT removed during backup, filtered during restore
+
+## 3. Status Field Removal
+
+GaleraBackup has status removed:
+
+```bash
+jq 'del(.items[].status, ...)'
+```
+
+**Why:**
+- Status is runtime state, not desired state
+- Velero strips status by default anyway
+
+## 4. Filtering by ownerReferences
+
+### DNSData (Backup)
+```bash
+jq '.items |= map(select(.metadata.ownerReferences == null or (.metadata.ownerReferences | length) == 0))'
+```
+**Why:** Only backup user-created DNSData (no ownerReferences)
+
+### Secrets (Restore)
+```bash
+jq '.items |= map(
+  select((.metadata.name | startswith("rabbitmq-")) | not) |
+  select(.metadata.labels."service-cert" | not) |
+  select(
+    (.metadata.ownerReferences == null) or
+    (.metadata.name | startswith("rootca-")) or
+    (.metadata.name | contains("-db-password")) or
+    (.metadata.name | contains("-dbpassword"))
+  )
+)'
+```
+
+**Includes:**
+- User-provided secrets (no ownerReferences)
+- CA certificates (rootca-*)
+- Database passwords (*-db-password, *-dbpassword)
+
+**Excludes:**
+- rabbitmq-* secrets
+- Secrets with label "service-cert"
+- Other operator-managed secrets
+
+### ConfigMaps (Restore)
+```bash
+jq '.items |= map(select(.metadata.ownerReferences == null))'
+```
+**Includes:** Only user-provided ConfigMaps (no ownerReferences)
+
+### RabbitMQUser (Restore)
+```bash
+jq '.items |= map(select(.metadata.ownerReferences == null))'
+```
+**Includes:** Only user-created RabbitMQUser (no ownerReferences)
+
+## 5. Secret Type Filtering (Backup)
+
+```bash
+jq '.items |= map(select(.type != "kubernetes.io/dockercfg" and .type != "kubernetes.io/service-account-token"))'
+```
+
+**Excludes:**
+- `kubernetes.io/dockercfg` - Image pull secrets (auto-generated)
+- `kubernetes.io/service-account-token` - Service account tokens (auto-generated)
+
+## 6. Apply Strategy (Restore)
+
+Resources are applied differently based on annotations:
+
+```bash
+if [ -n "${has_annotation}" ]; then
+  oc apply -f "${temp_file}"
+else
+  oc apply --server-side=true -f "${temp_file}"
+fi
+```
+
+**Logic:**
+- Has `kubectl.kubernetes.io/last-applied-configuration` → use `oc apply` (client-side)
+- No annotation → use `oc apply --server-side=true`
+
+**Why:**
+- Server-side apply for resources never applied with kubectl
+- Client-side apply for resources that have last-applied-configuration
+
+## 7. Staged Deployment Annotation (Restore)
+
+OpenStackControlPlane gets staged annotation added during restore:
+
+```bash
+jq '.items[0].metadata.annotations["core.openstack.org/deployment-stage"] = "infrastructure-only"'
+```
+
+**Why:** Prevents full deployment until database/RabbitMQ are restored
+
+**STATUS: ADDRESSED** in webhook design using OADP resourceModifiers
+
+---
+
+## Summary: What Needs Handling in OADP Design
+
+### ✅ Already Addressed
+1. **ownerReferences removal** - Using OADP resourceModifiers with `conditions: {}`
+2. **Staged deployment annotation** - Using OADP resourceModifiers
+3. **last-applied-configuration annotation** - Using OADP resourceModifiers to remove (can be too large and cause failures)
+
+### ⚠️ Needs Discussion
+1. **Secret type filtering** - Exclude dockercfg and service-account-token types
+2. **Apply strategy** - Can OADP handle server-side vs client-side apply?
+3. **Filtering by ownerReferences** - Handled by webhook labels, but need to verify coverage
+
+### ✅ OADP Handles Automatically
+1. **uid, resourceVersion, creationTimestamp, managedFields** - Kubernetes auto-assigns
+2. **status** - Velero strips by default
+3. **List metadata** - Velero handles

docs/dev/backup-restore-webhook-design.md

@@ -491,15 +491,19 @@ This means:
 - Operator-created ConfigMaps → Not labeled → Not restored, recreated by operator ✅
 - All CRs with annotations → Labeled by webhook → Restored ✅
 
-#### OwnerReference Handling
+#### OwnerReference and Annotation Handling
 
-**The Problem:**
+**The Problems:**
 
-When OADP restores resources, each resource gets a NEW UID (UIDs are cluster-unique identifiers). However, backed-up ownerReferences contain OLD UIDs from the original cluster. This causes:
+When OADP restores resources from backup, several metadata fields can cause issues:
 
-1. **Orphaned resources**: Restored resource has ownerReference with old UID that doesn't match the new owner's UID
-2. **Broken ownership chain**: Kubernetes doesn't recognize the ownership relationship
-3. **Potential data loss**: Operators might try to delete/recreate PVCs when they don't recognize them as owned resources
+**1. OwnerReferences with Stale UIDs:**
+
+Each resource gets a NEW UID on restore (UIDs are cluster-unique identifiers). However, backed-up ownerReferences contain OLD UIDs from the original cluster. This causes:
+
+- **Orphaned resources**: Restored resource has ownerReference with old UID that doesn't match the new owner's UID
+- **Broken ownership chain**: Kubernetes doesn't recognize the ownership relationship
+- **Potential data loss**: Operators might try to delete/recreate PVCs when they don't recognize them as owned resources
 
 **Example:**
 ```yaml
@@ -517,9 +521,29 @@ metadata:
 # - Operator might delete/recreate PVC → DATA LOSS!
 ```
 
+**2. last-applied-configuration Annotation Too Large:**
+
+The `kubectl.kubernetes.io/last-applied-configuration` annotation stores the entire resource specification from the last `kubectl apply`. This can:
+
+- **Exceed size limits**: Very large resources fail to restore due to annotation size
+- **Cause API server errors**: etcd has size limits on annotations
+- **Be unnecessary**: Resource will get new annotation on next apply
+
 **The Solution:**
 
-Use OADP `resourceModifiers` to **strip ALL ownerReferences** during restore. Operators will adopt resources during reconciliation and set correct ownerReferences with new UIDs.
+Use OADP `resourceModifiers` to **strip ownerReferences and large annotations** from ALL resources during restore:
+
+```yaml
+resourceModifiers:
+- conditions: {}  # Match all resources
+  patches:
+  # Remove ownerReferences (operators will adopt during reconciliation)
+  - operation: remove
+    path: "/metadata/ownerReferences"
+  # Remove last-applied-configuration (can be too large)
+  - operation: remove
+    path: "/metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration"
+```
 
 **Applied to ALL restore orders** for simplicity and safety - no need to think about which resources need it.
 
@@ -539,13 +563,15 @@ spec:
       openstack.org/backup-restore: "true"
       openstack.org/backup-restore-order: "10"
   restorePVs: false  # Don't restore PVCs in this order
-  # CRITICAL: Remove ownerReferences to prevent orphaned resources
+  # CRITICAL: Remove problematic metadata to prevent issues
   # Operators will adopt resources and set correct ownerReferences during reconciliation
   resourceModifiers:
   - conditions: {}  # Match all resources
     patches:
     - operation: remove
       path: "/metadata/ownerReferences"
+    - operation: remove
+      path: "/metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration"
 ---
 # Restore Order 20: TLS Issuers
 apiVersion: velero.io/v1
@@ -560,21 +586,25 @@ spec:
       openstack.org/backup-restore: "true"
       openstack.org/backup-restore-order: "20"
   restorePVs: false
-  # Remove ownerReferences from all resources
+  # Remove problematic metadata from all resources
   resourceModifiers:
   - conditions: {}  # Match all resources
     patches:
     - operation: remove
       path: "/metadata/ownerReferences"
+    - operation: remove
+      path: "/metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration"
 ---
 # And so on for each restore order...
-# NOTE: ALL restore orders use resourceModifiers to strip ownerReferences
+# NOTE: ALL restore orders use resourceModifiers to strip ownerReferences and large annotations
 ```
 
 **Key Points:**
 - **Backup**: All user resources in namespace (all Secrets, ConfigMaps, CRs) - complete snapshot
 - **Restore**: Only resources with `openstack.org/backup-restore: "true"` label - selective filtering
-- **OwnerReferences Removed**: All restore orders use `resourceModifiers` to strip ownerReferences (prevents orphaned resources, operators adopt during reconciliation)
+- **Metadata Cleanup**: All restore orders use `resourceModifiers` to remove:
+  - `ownerReferences` - Prevents orphaned resources (operators adopt during reconciliation)
+  - `kubectl.kubernetes.io/last-applied-configuration` - Can be too large and cause restore failures
 - **Webhooks**: Add restore labels to user-provided resources (no ownerReferences)
 - **Operators**: Recreate their own Secrets/ConfigMaps on reconciliation (not restored from backup)
 
@@ -1152,12 +1182,14 @@ spec:
       openstack.org/backup-restore: "true"
       openstack.org/backup-restore-order: "00"
   restorePVs: true  # CSI snapshots
-  # Remove ownerReferences to prevent orphaned resources (operators will adopt during reconciliation)
+  # Remove problematic metadata (operators will adopt during reconciliation)
   resourceModifiers:
   - conditions: {}  # Match all resources
     patches:
     - operation: remove
       path: "/metadata/ownerReferences"
+    - operation: remove
+      path: "/metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration"
 EOF
 
 # Wait for completion (CSI snapshot restore may take time)
@@ -1178,12 +1210,14 @@ spec:
       openstack.org/backup-restore: "true"
       openstack.org/backup-restore-order: "10"
   restorePVs: false
-  # Remove ownerReferences to prevent orphaned resources
+  # Remove problematic metadata
   resourceModifiers:
   - conditions: {}  # Match all resources
     patches:
     - operation: remove
       path: "/metadata/ownerReferences"
+    - operation: remove
+      path: "/metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration"
 EOF
 
 # Wait for completion
@@ -1204,6 +1238,14 @@ spec:
       openstack.org/backup-restore: "true"
       openstack.org/backup-restore-order: "20"
   restorePVs: false
+  # Remove problematic metadata
+  resourceModifiers:
+  - conditions: {}  # Match all resources
+    patches:
+    - operation: remove
+      path: "/metadata/ownerReferences"
+    - operation: remove
+      path: "/metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration"
 EOF
 
 # Wait for completion
@@ -1225,11 +1267,13 @@ spec:
       openstack.org/backup-restore-order: "30"
   restorePVs: false
   resourceModifiers:
-  # Remove ownerReferences from all resources
+  # Remove problematic metadata from all resources
   - conditions: {}  # Match all resources
     patches:
     - operation: remove
       path: "/metadata/ownerReferences"
+    - operation: remove
+      path: "/metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration"
   # Add staged deployment annotation to OpenStackControlPlane
   - conditions:
       groupResource: openstackcontrolplanes.core.openstack.org
@@ -1261,12 +1305,14 @@ spec:
       openstack.org/backup-restore: "true"
       openstack.org/backup-restore-order: "40"
   restorePVs: false
-  # Remove ownerReferences from all resources
+  # Remove problematic metadata
   resourceModifiers:
   - conditions: {}  # Match all resources
     patches:
     - operation: remove
       path: "/metadata/ownerReferences"
+    - operation: remove
+      path: "/metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration"
 EOF
 
 oc wait --for=jsonpath='{.status.phase}'=Completed \
@@ -1314,12 +1360,14 @@ spec:
       openstack.org/backup-restore: "true"
       openstack.org/backup-restore-order: "60"
   restorePVs: false
-  # Remove ownerReferences from all resources
+  # Remove problematic metadata
   resourceModifiers:
   - conditions: {}  # Match all resources
     patches:
     - operation: remove
       path: "/metadata/ownerReferences"
+    - operation: remove
+      path: "/metadata/annotations/kubectl.kubernetes.io~1last-applied-configuration"
 EOF
 
 oc wait --for=jsonpath='{.status.phase}'=Completed \