nabsl workflow

Signed-off-by: Shruti Deshpande <shdeshpa@redhat.com>

Author: shdeshpa07

backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-non-admin-use-cases.adoc

@@ -1,21 +1,22 @@
 :_mod-docs-content-type: ASSEMBLY
-[id="oadp-self-service-use-cases"]
+[id="oadp-self-service-non-admin-use-cases"]
 = {oadp-short} Self-Service non-admin use cases
 include::_attributes/common-attributes.adoc[]
 :context: oadp-self-service-non-admin-use-cases
 
 toc::[]
 
-Following are the non-admin uses cases for using {oadp-short} Self-Service to back up and restore applications. The use cases cover:
+Following are a few non-admin uses cases for using {oadp-short} Self-Service to back up and restore applications. The use cases cover:
 
 * Non-admin filesystem backup and restore by using Kopia.
 * Non-admin Data Mover backup and restore.
 * Non-admin Container Storage Interface (CSI) backup and restore.
+* Creating a `NonAdminBackupStorageLocation` CR.
 
 include::modules/oadp-self-service-use-case-kopia.adoc[leveloffset=+1]
 
 include::modules/oadp-self-service-use-case-datamover.adoc[leveloffset=+1]
 
 include::modules/oadp-self-service-use-case-csi.adoc[leveloffset=+1]
 
-include::modules/oadp-self-service-creating-nabsl.adoc[leveloffset=+1]
+include::modules/oadp-self-service-backup-using-nabsl.adoc[leveloffset=+1]

modules/oadp-self-service-admin-spec-enforcement.adoc

@@ -8,16 +8,6 @@
 
 As a cluster administrator, you can also enforce policies in the `DataProtectionApplication` (DPA) spec template. The spec enforcement applies to Self-Service CRs such as the `NonAdminBackup`, `NonAdminRestore`, and `NonAdminBackupStorageLocation`. 
 
-To ensure secure backup and restore, {oadp-short} Self-Service automatically excludes the following resources from being backed up or restored:
-
-* Security Context Constraints (SCCs)
-* Cluster roles
-* Cluster role bindings
-* Custom resource definitions (CRDs)
-* `PriorityClasses`
-* Virtual machine cluster instance types
-* Virtual machine cluster preferences
-
 The cluster administrator can enforce a company, or a compliance policy by using the following fields in the `DataProtectionApplication` (DPA) CR:
 
 * `enforceBSLSpec` to enforce a policy on the `NonAdminBackupStorageLocation` CR .

modules/oadp-self-service-creating-nabsl.adoc renamed to modules/oadp-self-service-backup-using-nabsl.adoc

@@ -3,22 +3,36 @@
 // backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-non-admin-use-cases.adoc
 
 :_mod-docs-content-type: PROCEDURE
-[id="oadp-self-service-creating-nabsl_{context}"]
-= Creating a `NonAdminBackupStorageLocation` CR
+[id="oadp-self-service-backup-using-nabsl_{context}"]
+= Using a `NonAdminBackupStorageLocation` CR for a non-admin Data Mover backup
 
-A non-admin user can create a `NonAdminBackupStorageLocation` CR in their authorized namespace.
+In this use case, you:
 
-If the cluster administrator has enabled the `requireApprovalForBSL` field on the DPA, then the NABSL CR remains in the `Pending` state until the administrator approves the NABSL creation request.
+* Create a `NonAdminBackupStorageLocation` (NABSL) CR in your authorized namespace.
+** The NABSL CR request goes to the cluster administrator for approval. 
+** The cluster administrator approves the request.
+* Create a `NonAdminBackup` (NAB) configuration file and set the NABSL as the backup storage location.
+* Apply the NAB configuration file to take a Data Mover backup of your application.
 
 .Prerequisites
 
 * You are logged in to the cluster as a non-admin user.
 * The cluster administrator has installed the {oadp-short} Operator.
 * The cluster administrator has configured the `DataProtectionApplication` to enable {oadp-short} Self-Service.
+* The cluster administrator has enabled the NABSL approval workflow. For more details, see "Enabling `NonAdminBackupStorageLocation` administrator approval workflow".
 * The cluster administrator has created a namespace for you and has authorized you to operate from that namespace.
+* You have installed an application in your authorized namespace. 
 
 .Procedure
 
+. Create a `Secret` CR named `cloud-credentials` by using the cloud credentials file content for your cloud provider. Run the following command:
++
+[source,terminal]
+----
+$ oc create secret generic cloud-credentials -n test-nac-ns --from-file cloud=<cloud_credentials_file> # <1>
+----
+1. Specify the cloud credentials file name. Also, note that the namespace in this example is `test-nac-ns`, which is your authorized namespace.
+
 . To create a `NonAdminBackupStorageLocation` CR, create a YAML manifest file with the following configuration:
 +
 .Example `NonAdminBackupStorageLocation`
@@ -55,13 +69,6 @@ $ oc apply -f <nabsl_cr_filename> # <1>
 ----
 1. Specify the file name containing the NABSL CR configuration.
 
-.Verification
-
-[IMPORTANT]
-====
-The NABSL is created only after the cluster administrator approves the NABSL CR request.
-====
-
 . To verify that the NABSL CR is in the `New` phase and is pending administrator approval, run the following command:
 +
 [source,terminal]
@@ -97,7 +104,7 @@ status:
 1. The `status.conditions.message` field has the message `NonAdminBackupStorageLocationRequest approval pending`.
 2. The `status.phase` is `New`.
 
-. To verify that the NABSL CR is successfully created, run the following command:
+. After the cluster administrator approves the `NonAdminBackupStorageLocationRequest` CR request, verify that the NABSL CR is successfully created by running the following command:
 +
 [source,terminal]
 ----
@@ -164,3 +171,65 @@ status:
 5. This is the name of the associated `Velero` backup storage location object.
 6. The `phase` is `Available`. This indicates that the NABSL is ready for use.
 
+. To use the NABL you created in your namespace for a Data Mover backup of your application, configure a YAML manifest file as shown in the following example:
++
+.Example `NonAdminBackup`
+[source,yaml]
+----
+apiVersion: oadp.openshift.io/v1alpha1
+kind: NonAdminBackup
+metadata:
+  name: test-nab
+spec:
+  backupSpec:
+    includedNamespaces:
+    - "test-nac" # <1>
+    snapshotMoveData: true # <2>
+    storageLocation: test-nabsl # <3>
+----
+1. Specify the name of your authorized namespace in which your application is running. In this example, the namespace is `test-nac`.
+2. Set the `snapshotMoveData` field to `true` to enable Data Mover backup.
+3. Set the `storageLocation` field to the NABSL CR. In this example, the name of the NABSL CR is `test-nabsl`.
+
+. Create the NAB CR by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f <nab_cr_filename> # <1>
+----
+1. Specify the YAML file name containing the NAB CR configuration.
+
+. Verify that the backup is successfully created by running the following command:
++
+[source,terminal]
+----
+$ oc get nab test-nab -o yaml
+----
++
+.Example output
+[source,yaml]
+----
+apiVersion: oadp.openshift.io/v1alpha1
+kind: NonAdminBackup
+....
+status:
+  ...
+  veleroBackup:
+    nacuuid: test-nac-test-nab-b00...8-67c9797295c1
+    name: test-nac-test-nab-b0...7c9797295c1
+    namespace: openshift-adp
+    status:
+      backupItemOperationsAttempted: 2
+      backupItemOperationsCompleted: 2
+      completionTimestamp: "2025-02-17T13:57:20Z"
+      expiration: "2025-03-19T13:55:30Z"
+      formatVersion: 1.1.0
+      hookStatus: {}
+      phase: Completed # <1>
+      progress:
+        itemsBackedUp: 54
+        totalItems: 54
+      startTimestamp: "2025-02-17T13:55:30Z"
+      version: 1
+----
+1. The phase is now `Completed`.

modules/oadp-self-service-enabling-nabsl-approval.adoc

@@ -8,6 +8,8 @@
 
 The `NonAdminBackupStorageLocation` (NABSL) administrator approval workflow is an opt-in feature. As a cluster administrator, you must explicitly enable the feature in the DPA by setting the `nonAdmin.requireApprovalForBSL` field to `true`.
 
+You also need to set the `noDefaultBackupLocation` field in the DPA to `true`. This setting indicates that, there is no default backup storage location configured in the DPA and the non-admin user can create a NABSL CR and send the CR request for approval.
+
 .Prerequisites
 
 * You are logged in to the cluster with administrator privileges.
@@ -17,8 +19,8 @@ The `NonAdminBackupStorageLocation` (NABSL) administrator approval workflow is a
 .Procedure
 
 * To enable the NABSL administrator approval workflow, edit the DPA and:
-.. Add the `requireApprovalForBSL` field as shown in the example.
-.. Set the `requireApprovalForBSL` field to `true`.
+.. Add the `noDefaultBackupLocation` field and set it to `true` as shown in the example.
+.. Add the `requireApprovalForBSL` field and set it to `true` as shown in the example.
 +
 .Example `DataProtectionApplication`
 [source,yaml]
@@ -38,9 +40,10 @@ spec:
         - aws
         - openshift
         - csi
-      defaultSnapshotMoveData: true
+      noDefaultBackupLocation: true # <1>
   nonAdmin:
     enable: true
-    requireApprovalForBSL: true # <1> 
+    requireApprovalForBSL: true # <2> 
 ----
-1. Add the `requireApprovalForBSL` field and set it to `true`.
+1. Add the `noDefaultBackupLocation` field and set it to `true`.
+2. Add the `requireApprovalForBSL` field and set it to `true`.

modules/oadp-self-service-unsupported-features.adoc

@@ -9,6 +9,19 @@
 The following features are not supported by {oadp-short} Self-Service:
 
 * Cross cluster backup and restore, or migrations are not supported. These {oadp-short} operations are supported for the cluster administrator.
+
 * A non-admin user cannot create a `VolumeSnapshotLocation` (VSL) CR. The cluster administrator creates and configures the VSL in the `DataProtectionApplication` (DPA) for a non-admin user.
+
 * `ResourceModifiers` and volume policies are not supported for a non-admin user.
-* A non-admin user cannot request backup and restore logs by using the `NonAdminDownloadRequest` CR for a `BackupStorageLocation` created by the cluster administrator. A non-admin user must create a `NonAdminBackupStorageLocation` in their authorized namespace to access the backup and restore logs.
+
+* A non-admin user cannot request backup and restore logs by using the `NonAdminDownloadRequest` CR for a `BackupStorageLocation` created by the cluster administrator. A non-admin user must create a `NonAdminBackupStorageLocation` in their authorized namespace to access the backup and restore logs.
+
+* To ensure secure backup and restore, Self-Service automatically excludes the following resources from being backed up or restored:
+
+** Security Context Constraints (SCCs)
+** Cluster roles
+** Cluster role bindings
+** Custom resource definitions (CRDs)
+** `PriorityClasses`
+** Virtual machine cluster instance types
+** Virtual machine cluster preferences

modules/oadp-self-service-use-case-csi.adoc

@@ -151,7 +151,7 @@ status:
 $ oc get pod -n test-nac # <1>
 ----
 1. `test-nac` is your authorized namespace.
-
++
 .Example output
 
 [source,terminal]
@@ -182,7 +182,7 @@ $ oc apply -f <nar_cr_filename> # <1>
 ----
 1. Specify the YAML file name containing the NAR CR configuration.
 
-. Verify that the NAR CR is in the `created` phase and eventually, the `completed` phase by running the following command:
+. Verify that the NAR CR is in the `created` phase, and eventually, the `completed` phase by running the following command:
 +
 [source,terminal]
 ----

modules/oadp-self-service-use-case-datamover.adoc

@@ -147,7 +147,7 @@ status:
 $ oc get pod -n test-nac # <1>
 ----
 1. `test-nac` is your authorized namespace.
-
++
 .Example output
 
 [source,terminal]
@@ -178,7 +178,7 @@ $ oc apply -f <nar_cr_filename> # <1>
 ----
 1. Specify the YAML file name containing the NAR CR configuration.
 
-. Verify that the NAR CR is in the `created` phase and eventually, the `completed` phase by running the following command:
+. Verify that the NAR CR is in the `created` phase, and eventually, the `completed` phase by running the following command:
 +
 [source,terminal]
 ----

modules/oadp-self-service-use-case-kopia.adoc

@@ -139,12 +139,11 @@ $ oc get pod -n test-nac # <1>
 1. `test-nac` is your authorized namespace.
 +
 .Example output
-
 [source,terminal]
 ----
 No resources found in test-nac namespace.
 ----
-+
+
 . To create a `NonAdminRestore` (NAR) CR, configure a YAML manifest file as shown in the following example:
 +
 .Example `NonAdminRestore`
@@ -168,7 +167,7 @@ $ oc apply -f <nar_cr_filename> # <1>
 ----
 1. Specify the YAML file name containing the NAR CR configuration.
 
-. Verify that the NAR CR is in the `created` phase and eventually, the `completed` phase by running the following command:
+. Verify that the NAR CR is in the `created` phase, and eventually, the `completed` phase by running the following command:
 +
 [source,terminal]
 ----