openshift
diff --git a/‎docs/design/CLI-design.md
Lines changed: 105 additions & 0 deletions b/‎docs/design/CLI-design.md
Lines changed: 105 additions & 0 deletions
diff --git a/‎docs/design/VM-backup-and-restore-using-kopia-service.md
Lines changed: 258 additions & 0 deletions b/‎docs/design/VM-backup-and-restore-using-kopia-service.md
Lines changed: 258 additions & 0 deletions
@@ -0,0 +1,105 @@
+# `oc backup` and `oc restore` CLI Plugin
+
+## Overview
+
+This document outlines the, [human-first](https://clig.dev/) design for two separate OpenShift CLI plugins: `oc backup` and `oc restore`.
+
+This design resolves the ambiguity of handling admin vs. non-admin objects by moving away from implicit, permission-based "magic" and towards an explicit, intent-driven interface.
+
+### Core Design Philosophy
+
+1.  **Simple by Default:** For the most common developer task, the command should be as simple as possible. It defaults to operating on the user's current namespace context.
+2.  **Explicit Overrides:** While the default is simple, users can explicitly override the scope for multi-namespace or cluster-wide operations using clear, descriptive flags. Explicit flags always take precedence over the implicit context.
+3.  **Safety First:** The plugin includes guardrails to prevent users from accidentally performing dangerous operations, such as backing up the Velero control plane namespace itself.
+4.  **No Conflicts with `oc`:** The plugin's flags do not conflict with or create ambiguity around the standard global flags of the `oc` command.
+
+---
+
+## Plugin 1: `oc backup`
+
+### Summary
+
+Manages Velero backups using a smart, context-aware interface that aligns with the OADP (OpenShift API for Data Protection) operational model. The plugin **automatically detects the OADP installation namespace** and creates the correct backup resource (`Backup` vs. `NonAdminBackup`) based on where the command is executed.
+
+### How the Backup Object Type is Determined
+
+The plugin's core logic is both intelligent and predictable, using a combination of auto-discovery and user context.
+
+1.  **OADP Namespace Discovery (Automatic):**
+    *   On execution, the plugin first attempts to discover the namespace where the OADP operator is running. It does this by searching the cluster for a `Deployment` with a standard OADP label (e.g., `app.kubernetes.io/name=oadp-operator`).
+    *   This discovered namespace is considered the **Admin Namespace**.
+    *   If the plugin does not have option to access namespaces get/list then it's considered **Developer Mode**.
+
+2.  **Execution Mode Selection:**
+    *   **Administrator Mode (`Backup` object):** If the user's current project (`oc project`) is the same as the **Discovered Admin Namespace**, the plugin operates in "Admin Mode" and creates standard `velero.io/Backup` objects.
+    *   **Developer Mode (Default - `NonAdminBackup` object):** If the command is executed in **any other namespace**, the plugin operates in "Developer Mode" and creates an `NonAdminBackup` object.
+
+### Verbs
+
+| Verb       | Description                                  |
+| ---------- | -------------------------------------------- |
+| `create`   | Create a new backup.                         |
+| `get`      | List all existing backups (both scopes).     |
+| `describe` | Show detailed information about a backup.    |
+| `delete`   | Delete a backup and its data from storage.   |
+| `logs`     | Show the logs of a specific backup operation. |
+
+### Key Command: `oc backup create <backup-name>`
+
+This command creates a new backup(s). Its behavior changes based on the context described above.
+
+| Flag                   | Valid Context(s)         | Description                                                                                                                                                                    |
+| ---------------------- | ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
+| `--include-namespaces` | Admin & Developer        | Specifies which namespace(s) to include in the backup. For Developers, this defaults to the current namespace if not provided.                                                   |
+| `--all-namespaces`     | **Admin Only**           | Performs a full, cluster-scoped backup. This flag will fail with an error if used outside of the dynamically discovered Admin Namespace.                                         |
+| `--ttl`                | Admin & Developer        | Sets the time-to-live for the backup artifact (e.g., `24h`, `14d`).                                                                                                              |
+
+### Example Workflows
+
+*This design requires no changes to a user's typical workflow. The complexity of choosing the correct backup object is handled automatically by the plugin.*
+
+#### Developer Workflow: Backing Up the Current Project
+
+A developer wants to back up their application, which lives in its own project. This is the simplest and most common use case.
+
+```bash
+# 1. The developer works within their application's project.
+$ oc project my-shopping-app
+
+# 2. They run the backup command without any special flags.
+# The plugin detects it is NOT in the Admin Namespace.
+$ oc backup create my-app-snapshot-v3
+
+# Result: A `NonAdminBackup` object is created in the `my-shopping-app` namespace,
+# as this is a non-admin context.
+```
+
+#### Administrator Workflow: Full Cluster Backup
+
+An administrator needs to perform a complete, cluster-wide backup for disaster recovery.
+
+```bash
+# 1. The admin switches their context to the OADP installation namespace.
+# The plugin detects this is the Admin Namespace.
+$ oc project oadp-operator
+
+# 2. They create a backup using the --all-namespaces flag.
+$ oc backup create cluster-dr-backup-weekly --all-namespaces --ttl=14d
+
+# Result: A standard `Velero Backup` object is created directly in the `oadp-operator` namespace,
+# triggering a privileged, cluster-wide backup.
+```
+
+#### Administrator Workflow: Specific Namespace Backup
+
+An administrator needs to create a privileged backup of specific user projects, not the entire cluster.
+
+```bash
+# 1. The admin acts from within the OADP installation namespace by using the global '-n' flag.
+# The plugin detects this is the Admin Namespace and operates in "Admin Mode".
+$ oc backup -n oadp-operator create user-projects-backup --include-namespaces=ns1,ns2 --ttl=14d
+
+---
+
+## Plugin 2: `oc restore`
+
@@ -0,0 +1,258 @@
+# Design: In-Guest File-Level Backup for the OpenShift KubeVirt VMs via OADP
+
+## 1. Abstract
+
+OADP provides robust, snapshot-based backup and restore for OpenShift KubeVirt Virtual Machines (VMs). This is ideal for full disaster recovery but does not address the common need for granular, file-level backups initiated from within the guest OS (e.g., backing up application configurations, user data, or log directories).
+
+This design proposes a Kubernetes-native, client-server architecture to enable file-level backups directly from within VMs.
+
+We will introduce a new Custom Resource Definition (CRD), `BackupStorageLocationServer`, which deploys and manages a Kopia repository server within the OpenShift cluster. This server will use an existing Velero `BackupStorageLocation` (BSL) as its storage backend. 
+
+Users inside VMs can then use a standard Kopia client to connect to this managed server and perform self-service, path-level backups and restores.
+
+This approach shifts from an external, "pull" model (like `libguestfs` or `ssh`) to an internal, "push" model, empowering VM users and integrating seamlessly with existing cloud storage infrastructure and maintaining centralized storage governance by administrators.
+
+
+## 2. Background
+
+Current VM protection with OADP focuses on block-level consistency by snapshotting Persistent Volume Claims (PVCs). While this method is effective for full VM recovery, it is inefficient and overly complex for scenarios where operators or application owners need to restore a single corrupted configuration file or recover a specific user directory.
+
+This design introduces a persistent, long-running Kopia service that decouples the file-backup lifecycle from the VM snapshot lifecycle, offering greater flexibility, efficiency, and a better user experience for application owners and users within the VM.
+
+## 3. Goals
+
+- **Declarative Deployment:** Provide a Kubernetes-native Custom Resource Definition (CRD) (`BackupStorageLocationServer`) to automate the deployment and configuration of a multi-tenant Kopia repository server.
+- **Storage Re-use:** Leverage existing Velero `BackupStorageLocation` (BSL) resources to avoid credential duplication and simplify storage management.
+- **Self-Service for VM Users:** Enable users within a KubeVirt VM to use a standard Kopia client to back up and restore their own files on their own schedule.
+- **Centralized User Management:** Manage Kopia user credentials via OpenShift `Secrets` or `ConfigMaps`, allowing for GitOps-style management and easy user rotation.
+- **Secure by Default:** Ensure all communication between the in-guest client and the in-cluster server is secured with TLS.
+
+
+## 4. Non-Goals
+
+- **Replacing Velero:** This is a *complementary* solution for file-level backup, not a replacement for Velero's full VM snapshot capabilities.
+- **Automatic Backup Client Installation:** The installation and configuration of the Kopia client *inside* the guest OS is the responsibility of the VM owner.
+- **External File Access:** This design does not use `libguestfs`, `ssh`, or any other mechanism to access the VM from the outside. All connections are initiated by the client inside the VM.
+- **Application Consistency:** It is the responsibility of the VM user to ensure that the application’s data is in a consistent state before starting a backup (e.g., by flushing caches or pausing writes).
+
+## 5. High-Level Architecture
+
+The architecture consists of a `KopiaServer` controller that manages the Kopia server `Deployment` and `Service`. VM clients connect to this service to perform backups.
+
+```mermaid
+graph TD
+    %% User action
+    A[Admin] -->|kubectl apply| B(BackupStorageLocationServer CR)
+
+    %% Controller logic
+    C[Controller] -->|Watches| B
+    C -->|Reads| D[Velero BackupStorageLocation]
+    C -->|Reads| E[Storage Secret]
+    C -->|Reads| F[Kopia User Config]
+    C -->|Manages| G[Kopia Server Deployment]
+    C -->|Manages| H[Kubernetes Service]
+    C -->|Updates| I[CR Status]
+
+    %% Kopia Server Pod
+    G --> J[Kopia Server Process]
+    J -->|Uses| K[Repo Password & Storage Credentials]
+    J -->|Uses| L[User Config]
+
+    %% VM interaction
+    M[KubeVirt VM Kopia Client] -->|Connects| H
+
+    %% Storage backend
+    J -->|Reads/Writes| N[S3 Object Storage]
+    D --> N
+
+```
+
+**Workflow:**
+1.  An **Administrator** defines a `KopiaServer` CR, specifying the Velero BSL to use, a repository password secret, and a user management source.
+2.  The **KopiaServer Controller** reconciles the CR. It reads the BSL and its associated credential secret to configure the storage backend.
+3.  The controller creates a `Deployment` to run the Kopia server process and a `Service` (`ClusterIP` by default) to provide a stable endpoint (e.g., `my-kopia-server.backup-ns.svc.cluster.local`).
+4.  The controller updates the `KopiaServer` CR's `status` field with the connectable service URL.
+5.  A **VM User** installs the Kopia client in their VM. They obtain the server URL and their credentials (e.g., `user@hostname:password`) from the administrator.
+6.  The Kopia client inside the VM connects to the Kopia server's `Service` endpoint, authenticates, and can then "push" backups of any desired path (e.g., `kopia snapshot create /etc/app/config`).
+
+
+```mermaid
+sequenceDiagram
+    actor Cluster Admin
+    participant k8s as OpenShift API
+    participant op as OADP Operator
+    participant ks as Kopia Server Pod
+    participant s3 as S3 Bucket
+
+    Cluster Admin->>k8s: 1. Apply BackupStorageLocation CRD - **BSL**
+    note over op: Operator is watching for CRDs
+
+    Cluster Admin->>k8s: 2. Apply BackupStorageLocationServer CRD - **BSLS**
+    op->>k8s: 3. Read BSL & BSLS resources
+    
+    op->>op: 4. Process reconciliation loop
+    op->>k8s: 5. Read BSL config (for S3 secret and other config data)
+    op->>k8s: 6. Create Pod(Kopia Server) resource
+    
+    activate ks
+    k8s->>ks: 7. Start Pod (Kopia Server)
+    
+    ks->>s3: 8. Connect to repository
+    s3-->>ks: Connection successful
+    op->>op: 9. Process reconciliation loop (watching for Kopia Server pod)
+    deactivate ks
+    
+    op->>k8s: 10. Update BSLS status to 'Ready'
+    k8s-->>Cluster Admin: BSLS Status is now 'Ready'
+```
+
+## 6. Detailed Design
+
+### 6.1. `KopiaServer` CRD Definition
+
+**apiVersion:** `kopia.io/v1alpha1`
+**kind:** `KopiaServer`
+
+#### `spec`
+
+| Field | Type | Description | Required |
+| :--- | :--- | :--- | :--- |
+| **`storage`** | `StorageSpec` | Defines the backend storage by referencing a Velero BSL. | Yes |
+| **`repositoryPasswordSecretRef`** | `corev1.SecretKeySelector` | Reference to the Secret key containing the master password for the Kopia repository. | Yes |
+| **`userManagement`** | `UserManagementSpec` | Configuration for Kopia user credentials. | Yes |
+| **`service`** | `ServiceSpec` | Defines the Kubernetes Service used to expose the Kopia server. Defaults to `ClusterIP`. | No |
+| **`tls`**| `TLSSpec` | TLS configuration for the server endpoint. **Strongly Recommended.** | No |
+| **`image`** | `string` | Container image for the Kopia server. Defaults to `kopia/kopia:latest`. | No |
+| **`resources`** | `corev1.ResourceRequirements` | Kubernetes resource requests and limits for the Kopia server pod. | No |
+
+#### `StorageSpec`
+
+| Field | Type | Description | Required |
+| :--- | :--- | :--- | :--- |
+| **`velero`** | `VeleroStorageSpec` | Use an existing Velero `BackupStorageLocation` as the backend. | Yes |
+| **`prefix`** | `string` | An optional prefix within the bucket for Kopia data, e.g., `kopia-file-backups/`. | No |
+
+#### `VeleroStorageSpec`
+
+| Field | Type | Description | Required |
+| :--- | :--- | :--- | :--- |
+| **`backupStorageLocationName`**| `string` | Name of the `BackupStorageLocation` CR in the Velero namespace. | Yes |
+| **`veleroNamespace`** | `string` | The namespace where Velero is installed. Defaults to `velero`. | No |
+
+#### `UserManagementSpec`
+
+| Field | Type | Description | Required |
+| :--- | :--- | :--- | :--- |
+| **`source`** | `UserSource` | Source of the user list file (`username@hostname:passwordhash`). Only one can be set. | Yes |
+
+| `UserSource` Field | Type | Description |
+| :--- | :--- | :--- |
+| **`secret`** | `corev1.SecretKeySelector` | A Secret key containing the user list. |
+| **`configMap`**| `corev1.ConfigMapKeySelector`| A ConfigMap key containing the user list. |
+
+#### `TLSSpec`
+
+| Field | Type | Description |
+| :--- | :--- | :--- |
+| **`secretName`** | `string` | Name of a `kubernetes.io/tls` type secret with `tls.crt` and `tls.key`. If not provided, the server runs without TLS (not recommended). |
+
+#### `status`
+
+| Field | Type | Description |
+| :--- | :--- | :--- |
+| **`conditions`** | `[]metav1.Condition` | Standard conditions like `Available`, `Progressing`. |
+| **`serviceURL`** | `string` | The internal DNS address and port for clients (e.g., `my-kopia.default.svc:51515`). |
+| **`repositoryStatus`** | `string` | The status of the Kopia repository (`Initialized`, `NotInitialized`, `Error`). |
+
+### 6.2. Security Considerations
+
+-   **TLS Encryption:** Communication between the in-guest client and the server must be encrypted. The `tls.secretName` field is critical for production use.
+-   **Controller RBAC:** The controller requires read access to `Secrets` in the Velero namespace and `BackupStorageLocations`. This access must be tightly scoped. The controller should create a derived, temporary secret for the Kopia pod to consume, rather than mounting Velero's credentials directly.
+-   **Network Policies:** `NetworkPolicy` resources should be deployed to restrict access to the Kopia `Service`, allowing connections only from pods within namespaces that are designated to host VMs.
+-   **User Credential Management:** Passwords in the user list file are hashed by Kopia, not stored in plaintext. This file should be managed via a `Secret` for better security.
+
+## 7. Example Usage
+
+#### 1. Create Prerequisite Secrets
+
+```bash
+# 1. Secret for the repository master password
+kubectl create secret generic kopia-main-repo-pass \
+  --from-literal=password='a-very-strong-and-secret-password-for-the-repo'
+
+# 2. Secret for the user list (generate hashes with 'kopia user add' command)
+# userfile.txt should contain lines like:
+# web-vm-user@*:$2a$10$abcdefghijklmnopqrstuv.abcdefghijklmnopqrstuv.abcde
+kubectl create secret generic kopia-vm-users \
+  --from-file=users.txt=userfile.txt
+
+# 3. (Optional but Recommended) A TLS secret for the server
+kubectl create secret tls kopia-server-tls \
+  --cert=path/to/tls.crt \
+  --key=path/to/tls.key
+```
+
+#### 2. Define the `KopiaServer` Resource
+
+```yaml
+apiVersion: kopia.io/v1alpha1
+kind: KopiaServer
+metadata:
+  name: main-kopia-server
+  namespace: oadp-operator # Or another management namespace
+spec:
+  # Use the 'default' BSL from the 'velero' namespace as the backend
+  storage:
+    velero:
+      backupStorageLocationName: default
+      veleroNamespace: velero
+    prefix: guest-file-backups/
+
+  # Reference the secret for the repository password
+  repositoryPasswordSecretRef:
+    name: kopia-main-repo-pass
+    key: password
+
+  # Reference the secret containing the Kopia user list
+  userManagement:
+    source:
+      secret:
+        name: kopia-vm-users
+        key: users.txt
+
+  # Secure the server endpoint with a TLS certificate
+  tls:
+    secretName: kopia-server-tls
+
+  # Define resource limits for the server pod
+  resources:
+    requests:
+      cpu: "200m"
+      memory: "512Mi"
+    limits:
+      cpu: "1"
+      memory: "2Gi"
+```
+
+#### 3. In-VM Client Connection
+
+A user inside a VM would then connect with:
+
+```bash
+# First-time connection inside the VM
+# Server address is discovered from the KopiaServer status
+$ kopia repository connect server \
+    --url https://main-kopia-server.oadp-operator.svc:51515 \
+    --server-cert-fingerprint <FINGERPRINT_FROM_SERVER> \
+    --username web-vm-user@my-vm-hostname \
+    --password <provided-password>
+
+# Subsequent backups
+$ kopia snapshot create /var/www/html --tags app:my-webapp
+```
+
+
+# Other considered designs
+
+A previously considered approach using `libguestfs`, while technically feasible, tightly couples file-level operations to the cluster administrator's Velero backup schedule. It also introduces significant operational overhead for each backup operation, such as taking a snapshot, creating a PVC, mounting it, and launching a helper pod.
+