Commit 4d2c3ab

Merge pull request #19 from BeTheFlow95/add-classes-for-backup-configuration

Add classes to configure backup policies on a storage account level

swoehrl-mw authored Dec 5, 2023
2 parents 1d57953 + 1fa8038 commit 4d2c3ab
Showing 3 changed files with 30 additions and 6 deletions.
12 changes: 9 additions & 3 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -108,9 +108,15 @@ backends: # Configuration for the different backends. Required fields are only
vnets: # List of vnets the storage account should allow access from. Each vnet listed here must have Microsoft.Storage added to the ServiceEndpoints collection of the subnet, optional
- vnet: foobar-vnet # Name of the virtual network, required
subnet: default # Name of the subnet, required
backup: # Configuration for use of Azure Backup Services. vault_name and policy_id are mandatory, if you want to use Azure Backup
backup: # Configuration for use of Azure Backup Services. vault_name and either policy_name or default_class with classes are mandatory, if you want to use Azure Backup
vault_name: foobar-vault # The name of the existing backup vault, make sure the Storage Account has the Role Assignment "Storage Account Backup Contributor" for the according vault
policy_id: 123123123 # The policy within the backup vault to use
policy_name: 123123123 # The policy within the backup vault to use
default_class: 60d # The name of a class defined in classes
classes: # List of classes the user can select from
60d: # Name of the class
name: backup-policy-60d # Name of the policy in the backup vault
90d:
name: backup-policy-90d
parameters: # Fields here define defaults for parameters also in the CRD and are used if the parameter is not set in the custom object supplied by the user
network:
public_access: false # If set to true no network restrictions are placed on the storage account, if set to false access is only possible through vnet and firewall rules, optional
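Review bot: The example value `123123123` for `policy_name` reads like a numeric id, but the value is used verbatim as the policy name in the `backupPolicies/{policy_name}` resource id, so the example should show a real policy name such as `backup-policy-60d`. Also, because `_determine_backup_policy` returns `policy_name` before it looks at the classes, showing `policy_name`, `default_class` and `classes` together suggests they combine, when in fact `policy_name` wins and the classes are ignored; say so in the comment on `policy_name`, or show the two alternatives separately.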
Expand All @@ -136,7 +142,7 @@ The azure backend also support a feature called `fake deletion` (via options `de

For the azureblob backend there are several ways to protect the storage accounts from external access. One is on the network layer by disabling network access to the accounts from outside the cluster (via the `parameters.network.public_access` and `parameters.network.firewall_rules` and `network.vnets`) and the other is on the access layer by disallowing anonymous access (via `allow_anonymous_access`, this only gives the users the right to configure anonymous access, unless a user specifically does that only authenticated access is possible).

The azureblob backend supports backups using [Azure Backup Vaults](https://learn.microsoft.com/en-us/azure/backup/backup-vault-overview). To enable Azure backup, first set the two fields `backup.vault_name` (the existing backup vault to use) and `backup.policy_id` (the existing policy to use). Now you can either enable backups by default using the field `parameters.backup.enabled` or configure backup per manifest using the field `backup.enabled`. Note: the configuration in the manifest overrides the global operator configuration.
The azureblob backend supports backups using [Azure Backup Vaults](https://learn.microsoft.com/en-us/azure/backup/backup-vault-overview). To enable Azure backup, first set the field `backup.vault_name` (the existing backup vault to use) and either `backup.policy_name` (the existing policy to use) or `backup.default_class` with `backup.classes` (the existing policies to use). Now you can either enable backups by default using the field `parameters.backup.enabled` or configure backup per manifest using the field `backup.enabled`. Note: the configuration in the manifest overrides the global operator configuration.

For the operator to interact with Azure it needs credentials. For local testing it can pick up the token from the azure cli but for real deployments it needs a dedicated service principal. Supply the credentials for the service principal using the environment variables `AZURE_SUBSCRIPTION_ID`, `AZURE_TENANT_ID`, `AZURE_CLIENT_ID` and `AZURE_CLIENT_SECRET` (if you deploy via the helm chart use the use `envSecret` value). Depending on the backend the operator requires the following azure permissions within the scope of the resource group it deploys to:

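Review bot: The manifest-side half of this feature is missing from the text: the CRD now accepts `backup.class` in the bucket spec, but this paragraph only mentions `backup.enabled`. Add a sentence that a manifest may set `backup.class` to one of the keys under the operator's `backup.classes`, that an unset or unknown class falls back to `backup.default_class`, and that `backup.policy_name`, when set, overrides class selection entirely.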
Original file line number Diff line number Diff line change
Expand Up @@ -102,6 +102,8 @@ spec:
properties:
enabled:
type: boolean
class:
type: string
size:
type: object
properties:
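Review bot: The new `class` property carries no `description`; since the schema cannot enumerate the allowed values (they are keys of the operator's `backup.classes` configuration), a description stating that the value must be a configured class name, and that an unknown value falls back to the default class, is the only hint a user gets at the CRD level.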
22 changes: 19 additions & 3 deletions hybridcloud/backends/azureblob.py
Original file line number Diff line number Diff line change
Expand Up @@ -87,8 +87,9 @@ def bucket_spec_valid(self, namespace, name, spec):
if backup_enabled:
vault_name = _backend_config("backup.vault_name", default=None)
policy_name = _backend_config("backup.policy_name", default=None)
default_class = _backend_config("backup.default_class", default=None)

if vault_name is None or policy_name is None:
if vault_name is None or (policy_name is None and default_class is None):
return (False, "Backup is requested for this bucket but has not been configured for this backend in the operator configuration")
else:
backup_lock = self._get_backup_lock(bucket_name)
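Review bot: The validation is weaker than what `create_or_update_bucket` later relies on: it accepts `default_class` being set while `backup.classes` is absent, and it never looks at `spec.backup.class`, so a misspelled class name passes validation and is silently replaced by the default policy at create time through the fallback in `_determine_backup_policy`, while a `default_class` that is not in `classes` only fails later with a generic exception. Validate here that `classes` contains `default_class` and, when `backup.class` is given in the spec, that it names a configured class, returning `(False, ...)` with a message in the same style as the existing one.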
Expand Down Expand Up @@ -225,7 +226,7 @@ def create_or_update_bucket(self, namespace, name, spec):

if backup_enabled:
vault_name = _backend_config("backup.vault_name", fail_if_missing=True)
policy_name = _backend_config("backup.policy_name", fail_if_missing=True)
policy_name = _determine_backup_policy(spec.get("backup", {}))

policy_id = f"/subscriptions/{self._subscription_id}/resourceGroups/{self._resource_group}/providers/Microsoft.DataProtection/backupVaults/{vault_name}/backupPolicies/{policy_name}"

Expand Down Expand Up @@ -508,4 +509,19 @@ def _determine_sku(size_spec):
if default_class in classes:
return Sku(name=classes[default_class]["name"])

raise Exception(f"Default class '{default_class}' not found in classes.")
raise Exception(f"Default class '{default_class}' not found in classes.")

def _determine_backup_policy(backup_spec):
classes = _backend_config("backup.classes")
backup_class = backup_spec.get("class")
default_class = _backend_config("backup.default_class")
policy_name = _backend_config("backup.policy_name")

if policy_name:
return policy_name
if backup_class and backup_class in classes:
return classes[backup_class]["name"]
if default_class in classes:
return classes[default_class]["name"]

raise Exception(f"No valid backup policy provided")
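Review bot: `if backup_class and backup_class in classes:` silently falls back to the default policy when the user requests a class that does not exist, so a typo in `backup.class` yields a bucket protected by a different retention policy than the one asked for, with no error; either raise here naming the unknown class or have `bucket_spec_valid` reject it. Two smaller points: `_backend_config("backup.classes")` is read without a default, so if that call returns None for an unset key the `in classes` checks raise a TypeError before the final `raise` is reached (use `default={}`, as the other lookups in this file use `default=None`); and the last line is an f-string with no placeholders, so the `f` prefix can be dropped.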