Add design for the Backup Storage Location Server #1830
Conversation
Introduces the BSLS design to enable backup and restore operations through a proxy service managed by the OADP Operator. Signed-off-by: Michal Pryc <[email protected]>
|
[APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mpryc The full list of commands accepted by this bot can be found here. The pull request process is described here
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
openshift-ci
bot
added
the
approved
|
This looks great to me @mpryc |
|
@weshayutin certainly, I will actually combine the BSLR and BSLS designs into one more "usecase centric" and less implementation driven - this was a great offline comment from @kaovilai. |
@weshayutin how about "Virtual Machine Data Protection" (VMDP), The Disaster Recovery imo implies the ability to recover an entire virtual machine to a functional state which would first need a traditional block-level backup and then restore (from a CSI snapshot). This new feature won't be able to restore users actual VM on it's own. |
|
|
||
| The BSLS is a persistent server component deployed in the OpenShift cluster that proxies secure access to a shared Kopia repository. | ||
|
|
||
| The BSLS acts as a secure proxy, enabling users to connect to it via Kopia-compatible clients with per user individual credentials. These credentials are provisioned and managed as OpenShift `Secrets` and are synced to the Kopia repository by the BSLS controller to enforce user-level access control. |
There was a problem hiding this comment.
Could we use the OAuth tokens for this?
| * Verify that the spec.LocationRepository field references a valid and Ready BackupStorageLocationRepository (BSLR) in the same namespace. | ||
| * If invalid, mark the BSLS as NotReady and Requeue. | ||
| 2. **TLS Setup** | ||
| * Generate new or use a TLS certificate(s) from mounted from the OpenShift Secret for the BSLS service. |
There was a problem hiding this comment.
We will need to make sure that anything we do here is FIPS-compliant if we generate the certs. I don't see why that would be an immediate problem, but it's something to verify.
|
@mpryc: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
Introduces the BSLS design to enable backup and restore operations through a proxy service managed by the OADP Operator.
Why the changes were made
This is complementary design to the #1827
To enable backup and restore operations via a proxy service managed by the OADP Operator, improving flexibility and management of backup workflows.
How to test the changes made
Read the design.