object has NAC labels, but no NAC annotations. What should we do?

This should not happen

but if for some reason it does I think it would be logged as warning or INFO not a DEBUG. Alternative if you want this to be visible in OpenShift’s Events tab, you can emit an Event from your controller. This will help cluster admins and users see what’s happening without digging into logs.

I think there is no warning level in this lib we use

what is the decision here?

Annotations are only to ensure ownership reference exists between NA* and Velero objects.
If labels are there it means that they are managed and created by the controller.
If annotations are missing it means that for some different update/patch to the Velero object the ownership reference was removed.

On a second thought I believe this is something that is going to be subject for GC removal.

Even if the Velero Syncs back objects from the S3 storage to the openshift-adp namespace, those annotations are preserved.

should also check for possible leftover secrets?

Correct, those should be cleaned up by the NABSL controller. On top of that now when I think about that we may want to add OwnerReference between Secret <-> Velero BSL object. This will cause Secret to be removed if the Velero BSL object is gone, so we don't have to implement this part in GC coontroller ?

that would be good

but secret is created prior to bsl, can be added independent of the creation order?

You are right. We can not add or patch the ownerReference on the Secret which already exists. What we could do is to add it vice-versa to the Velero BSL and make Velero BSL having ownerReference to the secret and then add blockOwnerDeletion on the Secret object. This should prevent secret to be removed independently from the BSL, but as always it's not 100% guarantee and there are edge cases where this still may happen.

TODO remove prior to merge