Add design for the Backup Storage Location Server #1830
base: oadp-dev
Conversation
Introduces the BSLS design to enable backup and restore operations through a proxy service managed by the OADP Operator. Signed-off-by: Michal Pryc <[email protected]>
| [APPROVALNOTIFIER] This PR is APPROVED This pull-request has been approved by: mpryc The full list of commands accepted by this bot can be found here. The pull request process is described here 
Needs approval from an approver in each of these files:
 
 Approvers can indicate their approval by writing  | 
| This looks great to me @mpryc | 
| @weshayutin certainly, I will actually combine the BSLR and BSLS designs into one more "usecase centric" and less implementation driven - this was a great offline comment from @kaovilai. | 
| @weshayutin how about "Virtual Machine Data Protection" (VMDP)? The Disaster Recovery, imo, implies the ability to recover an entire virtual machine to a functional state, which would first need a traditional block-level backup and then restore (from a CSI snapshot). This new feature won't be able to restore the user's actual VM on its own. | 
|  | ||
| The BSLS is a persistent server component deployed in the OpenShift cluster that proxies secure access to a shared Kopia repository. | ||
|  | ||
| The BSLS acts as a secure proxy, enabling users to connect to it via Kopia-compatible clients with per user individual credentials. These credentials are provisioned and managed as OpenShift `Secrets` and are synced to the Kopia repository by the BSLS controller to enforce user-level access control. | 
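Review bot: the credentials sentence ("provisioned and managed as OpenShift `Secrets` and are synced to the Kopia repository by the BSLS controller") covers only the sync toward the repository and does not say what the controller does when a Secret is deleted or its contents change. Suggest stating that removing or rotating a Secret revokes or updates the matching Kopia user, so a removed user does not keep a working credential. Since these Secrets are what grants access to the shared repository, the design should also say which roles are allowed to create them.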
Could we use the OAuth tokens for this?
| * Verify that the spec.LocationRepository field references a valid and Ready BackupStorageLocationRepository (BSLR) in the same namespace. | ||
| * If invalid, mark the BSLS as NotReady and Requeue. | ||
| 2. **TLS Setup** | ||
| * Generate new or use a TLS certificate(s) from mounted from the OpenShift Secret for the BSLS service. | 
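Review bot: the TLS Setup bullet, "Generate new or use a TLS certificate(s) from mounted from the OpenShift Secret", is garbled and leaves the order of precedence undefined. Suggest wording along the lines of "Use the TLS certificate from the mounted OpenShift Secret if one is provided, otherwise generate one", and stating how Kopia clients are expected to obtain trust in a generated certificate. In step 1, "mark the BSLS as NotReady and Requeue" would be clearer if it named the status condition and reason that are set, so the failing BSLR reference is visible to the user.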
We will need to make sure that anything we do here is FIPS-compliant if we generate the certs. I don't see why that would be an immediate problem, but it's something to verify.
I would love for the spec of this CRD to be added to the enhancement to get a better feel for it.
| @mpryc: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. | 
Introduces the BSLS design to enable backup and restore operations through a proxy service managed by the OADP Operator.
Why the changes were made
This is a complementary design to #1827.
To enable backup and restore operations via a proxy service managed by the OADP Operator, improving flexibility and management of backup workflows.
How to test the changes made
Read the design.