A working draft of self-service docs for the OADP docs team #234
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: weshayutin The full list of commands accepted by this bot can be found here.
Needs approval from an approver in each of these files:
Approvers can indicate their approval by writing |
weshayutin
changed the title
mpryc
requested changes
Feb 27, 2025
| ## OADP Self Service Details | ||
|
|
||
| OADP self-service introduces a significant change to backup and restore operations in OpenShift. Previously, only cluster administrators could perform these operations. | ||
| Now, regular OpenShift users can perform backup and restore operations within their authorized namespaces. This is achieved through custom resources that securely manage these operations while maintaining proper access controls and visibility. The self-service functionality is implemented in a way that ensures users can only operate within their assigned namespaces and permissions, while cluster administrators maintain overall control through templates and policies. |
There was a problem hiding this comment.
(Namespace Admin users)
There was a problem hiding this comment.
@shubham-pampattiwar so a regular user w/ the appropriate rbac could create nabs/nars right? I'm a little hesitant to doc "namespace admin". Yes namespace admin will work, but other combinations would as well iiuc.
There was a problem hiding this comment.
@weshayutin Please refer the tables and special case notes from #151 (comment)
Thank you !
There was a problem hiding this comment.
should it be like this?
i.e. When velero backup status updates, NAC sees it and updates NAB status
the way it it can it pass wrong message that velero updates NAB?
sequenceDiagram
participant User
participant NAB as NonAdminBackup
participant NAC as NonAdminController
participant VB as Velero Backup
User->>NAB: Creates NonAdminBackup CR
NAB->>NAC: Detected by controller
NAC-->>NAB: Validates backup request
NAC->>VB: Creates Velero Backup CR
VB-->>NAC: Status updates
NAC-->>NAB: updates status
NAB-->>User: View backup status
| | `itemOperationTimeout` | ✅ Yes | | | | ||
| | `resourcePolicy` | ✅ Yes | | ⚠️ Non-admin users can specify the config-map that admins created in OADP Operator NS(Admins enforcing this value be a good alternative here), they cannot specify their own configmap as its lifecycle handling is not currently managed by NAC controller | | ||
| | `includedNamespaces` | ❌ No | ✅ Yes | ⚠️ Admins cannot enforce this because it does not make sense for a cluster wide non-admin backup setting, we have validations in place such that only the NS admins NS in included in the NAB spec. | | ||
| | `excludedNamespaces` | ✅ Yes | ✅ Yes | ⚠️ This spec is restricted for non-admin users and hence not enforceable by admins | |
There was a problem hiding this comment.
| | `csiSnapshotTimeout` | ✅ Yes | | | | ||
| | `itemOperationTimeout` | ✅ Yes | | | | ||
| | `resourcePolicy` | ✅ Yes | | ⚠️ Non-admin users can specify the config-map that admins created in OADP Operator NS(Admins enforcing this value be a good alternative here), they cannot specify their own configmap as its lifecycle handling is not currently managed by NAC controller | | ||
| | `includedNamespaces` | ❌ No | ✅ Yes | ⚠️ Admins cannot enforce this because it does not make sense for a cluster wide non-admin backup setting, we have validations in place such that only the NS admins NS in included in the NAB spec. | |
There was a problem hiding this comment.
special case column should be empty here?
| | `orLabelSelectors` | ✅ Yes | | | | ||
| | `snapshotVolumes` | ✅ Yes | | | | ||
| | `storageLocation` | | | ⚠️ Can be empty (implying default BSL usage) or needs to be an existing NABSL | | ||
| | `volumeSnapshotLocations` | | | ⚠️ Not supported for non-admin users, default will be used if needed | |
There was a problem hiding this comment.
There was a problem hiding this comment.
Should have Restricted column Yes?
| | `labelSelector` | ✅ Yes | | | | ||
| | `orLabelSelectors` | ✅ Yes | | | | ||
| | `snapshotVolumes` | ✅ Yes | | | | ||
| | `storageLocation` | | | ⚠️ Can be empty (implying default BSL usage) or needs to be an existing NABSL | |
There was a problem hiding this comment.
|
|
||
| | **NABSL Field** | **Admin Enforceable** | **Restricted** | **special case** | | ||
| |----------------------------|-----------------|----------------|-----------------| | ||
| | `backupSyncPeriod` | | | ⚠️ Must be set lower than the DPA.backupSyncPeriod and lower than the garbage collection period | |
There was a problem hiding this comment.
Must be set lower than the DPA spec.nonAdmin.backupSyncPeriod
| | `includedResources` | ✅ Yes | | | | ||
| | `excludedResources` | ✅ Yes | | | | ||
| | `orderedResources` | ✅ Yes | | | | ||
| | `includeClusterResources` | ✅ Yes | | ⚠️ Non-admin users can only set this spec to false if they want, all other values are restricted, similar rule for admin enforcement regarding this spec value. | |
There was a problem hiding this comment.
should have Restricted column Yes?
| | `orderedResources` | ✅ Yes | | | | ||
| | `includeClusterResources` | ✅ Yes | | ⚠️ Non-admin users can only set this spec to false if they want, all other values are restricted, similar rule for admin enforcement regarding this spec value. | | ||
| | `excludedClusterScopedResources` | ✅ Yes | | | | ||
| | `includedClusterScopedResources` | ✅ Yes | | ⚠️ This spec is restricted and non-enforceable, only empty list is acceptable | |
There was a problem hiding this comment.
Should have Restricted column Yes?
kaovilai
reviewed
Apr 17, 2025
There was a problem hiding this comment.
https://github.com/migtools/oadp-non-admin/blob/master/internal/controller/nonadmindownloadrequest_controller.go is missing from this branch.. although no conflict, a rebase would be appreciated
kaovilai
requested changes
Apr 17, 2025
| warnings: 0 | ||
| ``` | ||
| The complete nonAdminRestore resource definition can be found here: [NonAdminRestore CRD](https://github.com/openshift/oadp-operator/blob/master/bundle/manifests/oadp.openshift.io_nonadminrestores.yaml) | ||
|
|
There was a problem hiding this comment.
Here's doc for NADR
Suggested change
| ### Troubleshooting with NonAdminDownloadRequest (NADR) | |
| NonAdminDownloadRequest (NADR) provides non-admin users with a way to access detailed information about their backups and restores for troubleshooting purposes. This functionality is equivalent to what cluster administrators can access using the `velero backup describe --details` command. | |
| NADR allows users to securely retrieve various types of information that can help diagnose issues with backup and restore operations. The NADR controller validates the request and creates a secure download URL for users to access the requested information. | |
| #### Using NADR for Backup Troubleshooting | |
| The following example shows how to create a NADR object to retrieve detailed information about a backup: | |
| ```yaml | |
| apiVersion: oadp.openshift.io/v1alpha1 | |
| kind: NonAdminDownloadRequest | |
| metadata: | |
| name: backup-details | |
| namespace: nacuser1 | |
| spec: | |
| target: | |
| kind: BackupResourceList # See other kinds below | |
| name: mybackup-1 # The name of your NAB | |
| ``` | |
| Once processed, the NADR status will contain a secure URL where you can download the requested information: | |
| ```yaml | |
| apiVersion: oadp.openshift.io/v1alpha1 | |
| kind: NonAdminDownloadRequest | |
| metadata: | |
| name: backup-details | |
| namespace: nacuser1 | |
| spec: | |
| target: | |
| kind: BackupResourceList | |
| name: mybackup-1 | |
| status: | |
| phase: Processed | |
| velero: | |
| status: | |
| downloadURL: https://storage-url.example.com/path-to-your-download?signed-token | |
| expiration: "2025-03-23T20:57:35Z" | |
| phase: Processed | |
| ``` | |
| #### Available Information Types | |
| The NADR resource supports retrieving different kinds of information: | |
| | Target Kind | Description | Equivalent to | | |
| |-------------|-------------|--------------| | |
| | `BackupResourceList` | List of resources included in the backup | `velero backup describe --details` (resource listing) | | |
| | `BackupContents` | Contents of files backed up | Part of backup details | | |
| | `BackupLog` | Logs from the backup operation | `velero backup logs` | | |
| | `BackupVolumeSnapshots` | Information about volume snapshots | `velero backup describe --details` (snapshots section) | | |
| | `BackupItemOperations` | Information about item operations performed during backup | `velero backup describe --details` (operations section) | | |
| | `RestoreLog` | Logs from the restore operation | `velero restore logs` | | |
| | `RestoreResults` | Detailed results of the restore | `velero restore describe --details` | | |
| #### Troubleshooting Example Workflow | |
| 1. **Create a backup** | |
| ``` | |
| oc create -f nab.yaml | |
| ``` | |
| 2. **Check if the backup completed successfully** | |
| ``` | |
| oc get nonadminbackup mybackup-1 -n nacuser1 | |
| ``` | |
| 3. **If issues are detected, create a NADR to get more details** | |
| ``` | |
| oc create -f nadr-backup-details.yaml | |
| ``` | |
| 4. **Wait for the NADR to be processed and get the download URL** | |
| ``` | |
| oc get nonadmindownloadrequest backup-details -n nacuser1 -o jsonpath='{.status.velero.status.downloadURL}' | |
| ``` | |
| 5. **Download and analyze the information using the URL** | |
| This workflow provides non-admin users the ability to troubleshoot their backup operations with the same level of detail that cluster administrators can access with the `velero backup describe --details` command. | |
| > **Note:** Backup and restore logs via NonAdminDownloadRequest are not supported for default BSLs. If you need access to logs, ask your cluster administrator to create a NonAdminBackupStorageLocation for your namespace. | |
1 task
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Why the changes were made
First pass at draft documentation that may or may not exist in the oadp-non-admin git repo in the long term. The purpose of this draft to get a working draft into the hands of the docs team, qe and others ASAP.
How to test the changes made
Just read :)
https://github.com/weshayutin/oadp-non-admin/blob/draft_docs/docs/draft_production_docs/oadp-self-service.md
https://github.com/weshayutin/oadp-non-admin/blob/draft_docs/docs/draft_production_docs/sequenceDiagram.md