Merge pull request #53544 from RichardHoch/oadp_rosa_sts

OADP-1007: Documentation required for OADP on ROSA w/ STS

Author: skrthomas

_attributes/_attributes

@@ -0,0 +1 @@
+../_attributes/

_topic_maps/_topic_map_rosa.yml

@@ -355,6 +355,13 @@ Topics:
 # - Name: Using the internal registry
 #   File: rosa-using-internal-registry
 ---
+Name: Backing up and restoring applications
+Dir: rosa_backing_up_and_restoring_applications
+Distros: openshift-rosa
+Topics:
+- Name: Installing OADP on ROSA with STS
+  File: backing-up-applications
+---
 Name: Logging
 Dir: logging
 Distros: openshift-rosa

applications/deployments/osd-config-custom-domains-applications.adoc

@@ -6,4 +6,4 @@ include::_attributes/attributes-openshift-dedicated.adoc[]
 
 toc::[]
 
-include::modules/osd-applications-config-custom-domains.adoc[leveloffset=+1]
+include::modules/osd-applications-config-custom-domains.adoc[leveloffset=+1]

backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc

@@ -34,4 +34,4 @@ include::modules/oadp-self-signed-certificate.adoc[leveloffset=+2]
 include::modules/oadp-installing-dpa.adoc[leveloffset=+1]
 include::modules/oadp-enabling-csi-dpa.adoc[leveloffset=+2]
 
-:installing-oadp-aws!:
+:!installing-oadp-aws:

backup_and_restore/application_backup_and_restore/installing/installing-oadp-ocs.adoc

@@ -3,7 +3,6 @@
 = Installing and configuring the OpenShift API for Data Protection with OpenShift Data Foundation
 include::_attributes/common-attributes.adoc[]
 :context: installing-oadp-ocs
-:installing-oadp-ocs:
 :credentials: cloud-credentials
 :provider: gcp
 
@@ -39,4 +38,3 @@ include::modules/oadp-installing-dpa.adoc[leveloffset=+1]
 include::modules/oadp-configuring-noobaa-for-dr.adoc[leveloffset=+2]
 include::modules/oadp-enabling-csi-dpa.adoc[leveloffset=+2]
 
-:installing-oadp-ocs!:

backup_and_restore/application_backup_and_restore/oadp-api.adoc

@@ -3,7 +3,6 @@
 = APIs used with OADP
 include::_attributes/common-attributes.adoc[]
 :context: oadp-api
-:oadp-api:
 :namespace: openshift-adp
 :local-product: OADP
 :velero-domain: velero.io
@@ -250,4 +249,3 @@ link:https://pkg.go.dev/github.com/openshift/oadp-operator/api/v1alpha1#Features
 
 The OADP API is more fully detailed in link:https://pkg.go.dev/github.com/openshift/oadp-operator[OADP Operator].
 
-:!oadp-api:

backup_and_restore/application_backup_and_restore/oadp-features-plugins.adoc

@@ -24,5 +24,4 @@ OADP 1.1.0 was tested successfully against {product-title} 4.11 for both IBM Pow
 include::modules/oadp-ibm-power-test-support.adoc[leveloffset=+2]
 include::modules/oadp-ibm-z-test-support.adoc[leveloffset=+2]
 
-:oadp-features-plugins!:
-
+:!oadp-features-plugins:

modules/modules

@@ -0,0 +1 @@
+../modules/

modules/oadp-installing-oadp-rosa-sts.adoc

@@ -0,0 +1,127 @@
+// Module included in the following assemblies:
+//
+// * rosa_backing_up_and_restoring_applications/backing-up-applications.adoc
+
+:_content-type: PROCEDURE
+[id="oadp-installing-oadp-rosa-sts_{context}"]
+= Installing OADP on {product-title} with AWS STS
+
+AWS Security Token Service (AWS STS) is a global web service that provides short-term credentials for IAM or federated users. {product-title} (ROSA) with STS is the recommended credential mode for ROSA clusters. This document describes how to install OpenShift API for Data Protection (OADP) on (ROSA) with AWS STS.
+
+[IMPORTANT]
+====
+Restic is not supported in the OADP on ROSA with AWS STS environment. Ensure the Restic service is disabled. Use native snapshots to backup volumes. See _Known Issues_ for more information.
+====
+
+.Prerequisites
+
+* A ROSA OpenShift Cluster with the required access and tokens.
+* link:https://docs.openshift.com/container-platform/4.12/backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.html#oadp-creating-default-secret_installing-oadp-aws[A default Secret], if your backup and snapshot locations use the same credentials, or if you do not require a snapshot location.
+
+.Procedure
+
+. Create an Openshift secret from your AWS token file by entering the following commands:
+
+.. Create the credentials file:
++
+[source, terminal]
+----
+$ cat <<EOF > ${SCRATCH}/credentials
+[default]
+role_arn = ${ROLE_ARN}
+web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
+EOF
+----
+
+.. Create the OpenShift secret:
++
+[source, terminal]
+----
+$ oc -n openshift-adp create secret generic cloud-credentials \
+  --from-file=${SCRATCH}/credentials
+----
+
+. Install the OADP Operator.
+.. In the {product-title} web console, navigate to Operators *->* OperatorHub.
+.. Search for the OADP Operator, then click *Install*.
+
+. Create AWS cloud storage using your AWS credentials:
++
+[source,terminal]
+----
+$ cat << EOF | oc create -f -
+apiVersion: oadp.openshift.io/v1alpha1
+kind: CloudStorage
+metadata:
+  name: ${CLUSTER_NAME}-oadp
+  namespace: openshift-adp
+spec:
+  creationSecret:
+    key: credentials
+    name: cloud-credentials
+  enableSharedConfig: true
+  name: ${CLUSTER_NAME}-oadp
+  provider: aws
+  region: $REGION
+EOF
+----
+
+. Create the `DataProtectionApplication resource`, which is used to configure the connection to the storage where the backups and volume snapshots will be stored:
++
+[source,terminal]
+----
+$ cat << EOF | oc create -f -
+apiVersion: oadp.openshift.io/v1alpha1
+kind: DataProtectionApplication
+metadata:
+  name: ${CLUSTER_NAME}-dpa
+  namespace: openshift-adp
+spec:
+  backupLocations:
+  - bucket:
+      cloudStorageRef:
+        name: ${CLUSTER_NAME}-oadp
+      credential:
+        key: credentials
+        name: cloud-credentials
+      default: true
+  configuration:
+    velero:
+      defaultPlugins:
+      - openshift
+      - aws
+      restic:
+        enable: false
+  volumeSnapshots:
+  - velero:
+      config:
+        credentialsFile: /tmp/credentials/openshift-adp/cloud-credentials-credentials
+        enableSharedConfig: "true"
+        region: ${REGION}
+      provider: aws
+EOF
+----
++
+[NOTE]
+====
+The `enable` parameter of `restic` is set to `false` in this configuration because OADP does not support Restic in ROSA environments.
+====
++
+You are now ready to backup and restore OpenShift applications, as described in the link:https://docs.openshift.com/container-platform/4.11/backup_and_restore/application_backup_and_restore/backing_up_and_restoring/backing-up-applications.html[OADP documentation].
+
+== Known Issues
+.Restic is not supported or recommended
+
+* link:https://issues.redhat.com/browse/OADP-1054[CloudStorage: openshift-adp-controller-manager crashloop seg fault with Restic enabled]
+* link:https://issues.redhat.com/browse/OADP-1057[Cloudstorage API: CSI Backup of an app with internal images partially fails with plugin panicked error]
+* (Affects OADP 1.1.x_ only): link:https://issues.redhat.com/browse/OADP-1055[CloudStorage: bucket is removed on CS CR delete, although it doesn't have "oadp.openshift.io/cloudstorage-delete": "true"]
+
+[role="_additional-resources"]
+.Additional resources
+
+* link:https://docs.openshift.com/rosa/rosa_architecture/rosa-understanding.html[Understanding ROSA with STS]
+* link:https://docs.openshift.com/rosa/rosa_getting_started/rosa-sts-getting-started-workflow.html[Getting started with ROSA STS]
+* link:https://docs.openshift.com/rosa/rosa_install_access_delete_clusters/rosa-sts-creating-a-cluster-quickly.html[Creating a ROSA cluster with STS]
+* link:https://docs.openshift.com/container-platform/4.12/backup_and_restore/application_backup_and_restore/installing/about-installing-oadp.html[About installing OADP]
+* link:https://docs.openshift.com/container-platform/4.12/storage/container_storage_interface/persistent-storage-csi.html[Configuring CSI volumes]
+* link:https://docs.openshift.com/rosa/rosa_architecture/rosa_policy_service_definition/rosa-service-definition.html#rosa-sdpolicy-storage_rosa-service-definition[ROSA storage options]

rosa_backing_up_and_restoring_applications/_attributes

@@ -0,0 +1 @@
+../_attributes/