Skip to content

Conversation

@mpryc
Copy link
Contributor

@mpryc mpryc commented Jul 15, 2025

Introduces the BSLS design to enable backup and restore operations through a proxy service managed by the OADP Operator.

Why the changes were made

This is complementary design to the #1827

To enable backup and restore operations via a proxy service managed by the OADP Operator, improving flexibility and management of backup workflows.

How to test the changes made

Read the design.

Introduces the BSLS design to enable backup and restore
operations through a proxy service managed by the OADP Operator.

Signed-off-by: Michal Pryc <[email protected]>
@openshift-ci openshift-ci bot requested review from kaovilai and sseago July 15, 2025 08:46
@openshift-ci
Copy link

openshift-ci bot commented Jul 15, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: mpryc

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jul 15, 2025
@weshayutin
Copy link
Contributor

This looks great to me @mpryc
Do you think we can market this feature as OADP VMDR ( Virtual Machine Disaster Recovery? )

@mpryc
Copy link
Contributor Author

mpryc commented Jul 15, 2025

@weshayutin certainly, I will actually combine the BSLR and BSLS designs into one more "usecase centric" and less implementation driven - this was a great offline comment from @kaovilai.

@mpryc
Copy link
Contributor Author

mpryc commented Jul 15, 2025

This looks great to me @mpryc Do you think we can market this feature as OADP VMDR ( Virtual Machine Disaster Recovery? )

@weshayutin how about "Virtual Machine Data Protection" (VMDP), The Disaster Recovery imo implies the ability to recover an entire virtual machine to a functional state which would first need a traditional block-level backup and then restore (from a CSI snapshot). This new feature won't be able to restore users actual VM on it's own.


The BSLS is a persistent server component deployed in the OpenShift cluster that proxies secure access to a shared Kopia repository.

The BSLS acts as a secure proxy, enabling users to connect to it via Kopia-compatible clients with per user individual credentials. These credentials are provisioned and managed as OpenShift `Secrets` and are synced to the Kopia repository by the BSLS controller to enforce user-level access control.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Could we use the OAuth tokens for this?

* Verify that the spec.LocationRepository field references a valid and Ready BackupStorageLocationRepository (BSLR) in the same namespace.
* If invalid, mark the BSLS as NotReady and Requeue.
2. **TLS Setup**
* Generate new or use a TLS certificate(s) from mounted from the OpenShift Secret for the BSLS service.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We will need to make sure that anything we do here is FIPS-compliant if we generate the certs. I don't see why that would be an immediate problem, but it's something to verify.

Copy link
Contributor

@shawn-hurley shawn-hurley left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I would love for the spec of this CRD to be added to the enhancement to get a better feel for it.

@openshift-ci
Copy link

openshift-ci bot commented Aug 13, 2025

@mpryc: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants