Skip to content

Commit 45a16b6

Browse files
committed
Initial Non-Admin onboard to oadp-1.4
Signed-off-by: Michal Pryc <mpryc@redhat.com>
1 parent 04f9e2d commit 45a16b6

38 files changed

Lines changed: 5249 additions & 914 deletions

Makefile

Lines changed: 1 addition & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -441,7 +441,7 @@ endef
441441
bundle: manifests kustomize operator-sdk ## Generate bundle manifests and metadata, then validate generated files.
442442
GOFLAGS="-mod=mod" $(OPERATOR_SDK) generate kustomize manifests -q
443443
cd config/manager && GOFLAGS="-mod=mod" $(KUSTOMIZE) edit set image controller=$(IMG)
444-
GOFLAGS="-mod=mod" $(KUSTOMIZE) build config/manifests | GOFLAGS="-mod=mod" $(OPERATOR_SDK) generate bundle -q --extra-service-accounts "velero" --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
444+
GOFLAGS="-mod=mod" $(KUSTOMIZE) build config/manifests | GOFLAGS="-mod=mod" $(OPERATOR_SDK) generate bundle -q --extra-service-accounts "velero,non-admin-controller" --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
445445
@make nullables
446446
# Copy updated bundle.Dockerfile to CI's Dockerfile.bundle
447447
# TODO: update CI to use generated one

api/v1alpha1/oadp_types.go

Lines changed: 111 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -52,6 +52,12 @@ type CustomPlugin struct {
5252
Name string `json:"name"`
5353
Image string `json:"image"`
5454
}
55+
type LogFormat string
56+
57+
const (
58+
LogFormatText LogFormat = "text"
59+
LogFormatJSON LogFormat = "json"
60+
)
5561

5662
// Field does not have enum validation for development flexibility
5763
type UnsupportedImageKey string
@@ -65,6 +71,7 @@ const GCPPluginImageKey UnsupportedImageKey = "gcpPluginImageFqin"
6571
const ResticRestoreImageKey UnsupportedImageKey = "resticRestoreImageFqin"
6672
const KubeVirtPluginImageKey UnsupportedImageKey = "kubevirtPluginImageFqin"
6773
const HypershiftPluginImageKey UnsupportedImageKey = "hypershiftPluginImageFqin"
74+
const NonAdminControllerImageKey UnsupportedImageKey = "nonAdminControllerImageFqin"
6875
const OperatorTypeKey UnsupportedImageKey = "operator-type"
6976

7077
const OperatorTypeMTC = "mtc"
@@ -243,6 +250,102 @@ type SnapshotLocation struct {
243250
Velero *velero.VolumeSnapshotLocationSpec `json:"velero"`
244251
}
245252

253+
// We need to create enforcement structures for the BSL spec fields, because the Velero BSL spec
254+
// is requiring fields like bucket, provider which are allowed to be empty for the enforcement in the DPA.
255+
256+
// ObjectStorageLocation defines the enforced values for the Velero ObjectStorageLocation
257+
type ObjectStorageLocation struct {
258+
// Bucket is the bucket to use for object storage.
259+
// +optional
260+
Bucket string `json:"bucket,omitempty"`
261+
262+
// Prefix is the path inside a bucket to use for Velero storage. Optional.
263+
// +optional
264+
Prefix string `json:"prefix,omitempty"`
265+
266+
// CACert defines a CA bundle to use when verifying TLS connections to the provider.
267+
// +optional
268+
CACert []byte `json:"caCert,omitempty"`
269+
}
270+
271+
// StorageType defines the enforced values for the Velero StorageType
272+
type StorageType struct {
273+
// +optional
274+
// +nullable
275+
ObjectStorage *ObjectStorageLocation `json:"objectStorage,omitempty"`
276+
}
277+
278+
// EnforceBackupStorageLocationSpec defines the enforced values for the Velero BackupStorageLocationSpec
279+
type EnforceBackupStorageLocationSpec struct {
280+
// Provider is the provider of the backup storage.
281+
// +optional
282+
Provider string `json:"provider,omitempty"`
283+
284+
// Config is for provider-specific configuration fields.
285+
// +optional
286+
Config map[string]string `json:"config,omitempty"`
287+
288+
// Credential contains the credential information intended to be used with this location
289+
// +optional
290+
Credential *corev1.SecretKeySelector `json:"credential,omitempty"`
291+
292+
StorageType `json:",inline"`
293+
294+
// AccessMode defines the permissions for the backup storage location.
295+
// +optional
296+
AccessMode velero.BackupStorageLocationAccessMode `json:"accessMode,omitempty"`
297+
298+
// BackupSyncPeriod defines how frequently to sync backup API objects from object storage. A value of 0 disables sync.
299+
// +optional
300+
// +nullable
301+
BackupSyncPeriod *metav1.Duration `json:"backupSyncPeriod,omitempty"`
302+
303+
// ValidationFrequency defines how frequently to validate the corresponding object storage. A value of 0 disables validation.
304+
// +optional
305+
// +nullable
306+
ValidationFrequency *metav1.Duration `json:"validationFrequency,omitempty"`
307+
}
308+
309+
type NonAdmin struct {
310+
// Enables non admin feature, by default is disabled
311+
// +optional
312+
Enable *bool `json:"enable,omitempty"`
313+
314+
// which bakup spec field values to enforce
315+
// +optional
316+
EnforceBackupSpec *velero.BackupSpec `json:"enforceBackupSpec,omitempty"`
317+
318+
// which restore spec field values to enforce
319+
// +optional
320+
EnforceRestoreSpec *velero.RestoreSpec `json:"enforceRestoreSpec,omitempty"`
321+
322+
// which backupstoragelocation spec field values to enforce
323+
// +optional
324+
EnforceBSLSpec *EnforceBackupStorageLocationSpec `json:"enforceBSLSpec,omitempty"`
325+
326+
// RequireApprovalForBSL specifies whether cluster administrator approval is required
327+
// for creating Velero BackupStorageLocation (BSL) resources.
328+
// - If set to false, all NonAdminBackupStorageLocationApproval CRDs will be automatically approved,
329+
// including those that were previously pending or rejected.
330+
// - If set to true, any existing BackupStorageLocation CRDs that lack the necessary approvals may be deleted,
331+
// leaving the associated NonAdminBackup objects non-restorable until approval is granted.
332+
// Defaults to false
333+
// +optional
334+
RequireApprovalForBSL *bool `json:"requireApprovalForBSL,omitempty"`
335+
336+
// GarbageCollectionPeriod defines how frequently to look for possible leftover non admin related objects in OADP namespace.
337+
// A value of 0 disables garbage collection.
338+
// By default 24h
339+
// +optional
340+
GarbageCollectionPeriod *metav1.Duration `json:"garbageCollectionPeriod,omitempty"`
341+
342+
// BackupSyncPeriod specifies the interval at which backups from the OADP namespace are synchronized with non-admin namespaces.
343+
// A value of 0 disables sync.
344+
// By default 2m
345+
// +optional
346+
BackupSyncPeriod *metav1.Duration `json:"backupSyncPeriod,omitempty"`
347+
}
348+
246349
// DataMover defines the various config for DPA data mover
247350
type DataMover struct {
248351
// enable flag is used to specify whether you want to deploy the volume snapshot mover controller
@@ -384,6 +487,14 @@ type DataProtectionApplicationSpec struct {
384487
// +optional
385488
// +kubebuilder:validation:Enum=Always;IfNotPresent;Never
386489
ImagePullPolicy *corev1.PullPolicy `json:"imagePullPolicy,omitempty"`
490+
// nonAdmin defines the configuration for the DPA to enable backup and restore operations for non-admin users
491+
// +optional
492+
NonAdmin *NonAdmin `json:"nonAdmin,omitempty"`
493+
// The format for log output. Valid values are text, json. (default text)
494+
// +kubebuilder:validation:Enum=text;json
495+
// +kubebuilder:default=text
496+
// +optional
497+
LogFormat LogFormat `json:"logFormat,omitempty"`
387498
}
388499

389500
// DataProtectionApplicationStatus defines the observed state of DataProtectionApplication

api/v1alpha1/zz_generated.deepcopy.go

Lines changed: 133 additions & 0 deletions
Some generated files are not rendered by default. Learn more about customizing how changed files appear on GitHub.
Lines changed: 21 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,21 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRole
3+
metadata:
4+
creationTimestamp: null
5+
labels:
6+
app.kubernetes.io/managed-by: kustomize
7+
app.kubernetes.io/name: oadp-nac
8+
name: nonadmindownloadrequest-admin-role
9+
rules:
10+
- apiGroups:
11+
- oadp.openshift.io
12+
resources:
13+
- nonadmindownloadrequests
14+
verbs:
15+
- '*'
16+
- apiGroups:
17+
- oadp.openshift.io
18+
resources:
19+
- nonadmindownloadrequests/status
20+
verbs:
21+
- get
Lines changed: 27 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,27 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRole
3+
metadata:
4+
creationTimestamp: null
5+
labels:
6+
app.kubernetes.io/managed-by: kustomize
7+
app.kubernetes.io/name: oadp-nac
8+
name: nonadmindownloadrequest-editor-role
9+
rules:
10+
- apiGroups:
11+
- oadp.openshift.io
12+
resources:
13+
- nonadmindownloadrequests
14+
verbs:
15+
- create
16+
- delete
17+
- get
18+
- list
19+
- patch
20+
- update
21+
- watch
22+
- apiGroups:
23+
- oadp.openshift.io
24+
resources:
25+
- nonadmindownloadrequests/status
26+
verbs:
27+
- get
Lines changed: 23 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -0,0 +1,23 @@
1+
apiVersion: rbac.authorization.k8s.io/v1
2+
kind: ClusterRole
3+
metadata:
4+
creationTimestamp: null
5+
labels:
6+
app.kubernetes.io/managed-by: kustomize
7+
app.kubernetes.io/name: oadp-nac
8+
name: nonadmindownloadrequest-viewer-role
9+
rules:
10+
- apiGroups:
11+
- oadp.openshift.io
12+
resources:
13+
- nonadmindownloadrequests
14+
verbs:
15+
- get
16+
- list
17+
- watch
18+
- apiGroups:
19+
- oadp.openshift.io
20+
resources:
21+
- nonadmindownloadrequests/status
22+
verbs:
23+
- get

0 commit comments

Comments
 (0)