diff --git a/deploy/velero-configuration/README.md b/deploy/velero-configuration/README.md
new file mode 100644
index 0000000000..ef0ff9f808
--- /dev/null
+++ b/deploy/velero-configuration/README.md
@@ -0,0 +1,75 @@
+# Velero Configuration & OADP Migration
+
+This directory contains backup and restore configurations for Red Hat managed clusters, including the migration from Managed Velero Operator (MVO) to OpenShift API for Data Protection (OADP).
+
+## Directory Structure
+
+### Main Configuration (Legacy)
+- `100-velero.Velero.yaml` - Legacy VeleroInstall resource (MVO)
+- `110-velero.Schedules.yaml` - Backup schedules for general clusters
+- `120-velero.Secret-Role.yaml` - RBAC for secret access
+- `130-velero.Secret-RoleBinding.yaml` - Role bindings for secrets
+
+### Hive-Specific Configuration
+- `hive-specific/` - **Complete OADP migration for Hive clusters**
+
+## OADP Migration Strategy
+
+### Phase 1: OADP Installation (Hive Clusters Only)
+The `hive-specific/` directory now contains the complete OADP operator installation and configuration for Hive-managed clusters:
+
+**OADP Operator Installation:**
+- `100-oadp.Subscription.yaml` - OADP operator subscription
+- `110-oadp.Namespace.yaml` - openshift-adp namespace
+- `120-oadp.OperatorGroup.yaml` - Operator group setup
+
+**OADP Configuration:**
+- `130-oadp.DataProtectionApplication.yaml` - Main DPA configuration with environment variables
+- `140-oadp.TestBackup.yaml` - Validation backup for testing
+
+**OADP RBAC & Schedules:**
+- `05-oadp-schedule-admins-cluster.ClusterRole.yaml` - Enhanced RBAC for OADP resources
+- `111-oadp.Schedules.yaml` - Backup schedules (migrated from Velero)
+
+### Target Clusters (Hive-Specific)
+- Clusters with `ext-managed.openshift.io/hive-shard: "true"` label
+- Excludes FedRAMP clusters (`api.openshift.com/fedramp != "true"`)
+
+### Environment Variables Required
+- `${OADP_BACKUP_BUCKET}` - S3 bucket name for storing backups
+- `${AWS_REGION}` - AWS region where the bucket is located
+
+## Migration Strategy & Resource Handling
+
+### Resource Apply Mode: "Upsert"
+The hive-specific configuration uses `resourceApplyMode: "Upsert"` which means:
+- ✅ **Safe Deployment**: New OADP resources will be created alongside existing Velero resources
+- ✅ **No Conflicts**: Old Velero resources will NOT be automatically deleted
+- ✅ **Coexistence**: Both MVO and OADP can run simultaneously during transition
+- ⚠️ **Manual Cleanup**: Old Velero resources require separate cleanup phase
+
+### Migration Timeline
+
+1. ✅ **Phase 1**: Deploy OADP operator and configuration to Hive clusters (this PR)
+ - OADP operator installed in `openshift-adp` namespace
+ - MVO continues running in `openshift-velero` namespace
+ - Both backup systems coexist safely
+
+2. 🔄 **Phase 2**: Validate OADP functionality and backup operations
+ - Test OADP backups and restores
+ - Verify environment variable configuration
+ - Monitor both systems for conflicts
+
+3. 🔄 **Phase 3**: Clean up old Velero resources (future PR with Sync mode)
+ - Create cleanup SyncSet with `resourceApplyMode: "Sync"`
+ - Remove old Velero ClusterRoles, Schedules, and MVO components
+ - Complete migration to OADP-only
+
+## Related Issues
+
+- SREP-1607: Setup OADP for RH Internal Clusters after MVO Removal
+
+## References
+
+- [OADP Documentation](https://docs.openshift.com/container-platform/latest/backup_and_restore/application_backup_and_restore/oadp-features-plugins.html)
+- [Migration from MVO to OADP Guide](https://access.redhat.com/articles/oadp-migration)
\ No newline at end of file
diff --git a/deploy/velero-configuration/hive-specific/05-velero-schedule-admins-cluster.ClusterRole.yaml b/deploy/velero-configuration/hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml
similarity index 55%
rename from deploy/velero-configuration/hive-specific/05-velero-schedule-admins-cluster.ClusterRole.yaml
rename to deploy/velero-configuration/hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml
index fef1281e54..eb3ec837e1 100644
--- a/deploy/velero-configuration/hive-specific/05-velero-schedule-admins-cluster.ClusterRole.yaml
+++ b/deploy/velero-configuration/hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml
@@ -3,12 +3,23 @@ kind: ClusterRole
metadata:
labels:
managed.openshift.io/aggregate-to-dedicated-admins: "cluster"
- name: velero-schedule-admins-cluster
+ name: oadp-schedule-admins-cluster
rules:
- apiGroups:
- velero.io
attributeRestrictions: null
resources:
- schedules
+ - backups
+ - restores
verbs:
- "*"
+- apiGroups:
+ - oadp.openshift.io
+ attributeRestrictions: null
+ resources:
+ - dataprotectionapplications
+ verbs:
+ - get
+ - list
+ - watch
\ No newline at end of file
diff --git a/deploy/velero-configuration/hive-specific/100-oadp.Subscription.yaml b/deploy/velero-configuration/hive-specific/100-oadp.Subscription.yaml
new file mode 100644
index 0000000000..316b8938d3
--- /dev/null
+++ b/deploy/velero-configuration/hive-specific/100-oadp.Subscription.yaml
@@ -0,0 +1,11 @@
+apiVersion: operators.coreos.com/v1alpha1
+kind: Subscription
+metadata:
+ name: openshift-adp
+ namespace: openshift-adp
+spec:
+ channel: stable-1.4
+ name: redhat-oadp-operator
+ source: redhat-operators
+ sourceNamespace: openshift-marketplace
+ installPlanApproval: Automatic
\ No newline at end of file
diff --git a/deploy/velero-configuration/hive-specific/110-oadp.Namespace.yaml b/deploy/velero-configuration/hive-specific/110-oadp.Namespace.yaml
new file mode 100644
index 0000000000..c2258803ec
--- /dev/null
+++ b/deploy/velero-configuration/hive-specific/110-oadp.Namespace.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: openshift-adp
+ labels:
+ name: openshift-adp
+ openshift.io/cluster-monitoring: "true"
\ No newline at end of file
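Review bot: The new `backups` and `restores` entries sit under the existing `verbs: ["*"]` rule of a role aggregated to dedicated-admins, so every dedicated-admin can now create and delete Restore and Backup objects cluster-wide; since Velero executes a Restore with its own elevated service account, that is a wider grant than "schedule admins" implies and should be justified in the file. If the intent is to let dedicated-admins trigger and inspect ad-hoc backups, a narrower rule such as `verbs: [get, list, watch, create]` on `backups` and read-only verbs on `restores` would match the README's description, with a comment stating why each verb is needed. The added `oadp.openshift.io` rule also carries `attributeRestrictions: null`, which is not part of the `rbac.authorization.k8s.io/v1` PolicyRule schema and may be stripped or rejected depending on the apply client's field validation; dropping it from the new rule avoids that. The same rule set is reproduced in the three `hack/*.tmpl` files.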
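Review bot: The Subscription is numbered `100-` while the `openshift-adp` Namespace it targets is `110-` and the OperatorGroup is `120-`, so in the rendered SelectorSyncSet (see the `hack/*.tmpl` sections) the Subscription precedes the namespace it lives in; if Hive applies the resource list in order, the first apply fails on the missing namespace until a later reconcile, and OLM will not resolve the Subscription until the OperatorGroup exists. Renumbering to `100-oadp.Namespace.yaml`, `110-oadp.OperatorGroup.yaml`, `120-oadp.Subscription.yaml` removes that dependence on retries. `installPlanApproval: Automatic` on `stable-1.4` means operator z-stream updates reach every matched Hive cluster without a change in this repo; a one-line comment in the file stating that this is intended would save the next reviewer the question.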
diff --git a/deploy/velero-configuration/hive-specific/111-velero.Schedules.yaml b/deploy/velero-configuration/hive-specific/111-oadp.Schedules.yaml
similarity index 94%
rename from deploy/velero-configuration/hive-specific/111-velero.Schedules.yaml
rename to deploy/velero-configuration/hive-specific/111-oadp.Schedules.yaml
index e9876414c5..4a86e9b234 100644
--- a/deploy/velero-configuration/hive-specific/111-velero.Schedules.yaml
+++ b/deploy/velero-configuration/hive-specific/111-oadp.Schedules.yaml
@@ -2,7 +2,7 @@ apiVersion: velero.io/v1
kind: Schedule
metadata:
name: 5min-object-backup
- namespace: openshift-velero
+ namespace: openshift-adp
spec:
schedule: '*/5 * * * *'
template:
@@ -26,4 +26,4 @@ spec:
- events.events.k8s.io
- events
snapshotVolumes: false
- ttl: 0h25m0s
+ ttl: 0h25m0s
\ No newline at end of file
diff --git a/deploy/velero-configuration/hive-specific/120-oadp.OperatorGroup.yaml b/deploy/velero-configuration/hive-specific/120-oadp.OperatorGroup.yaml
new file mode 100644
index 0000000000..b7edcae0c7
--- /dev/null
+++ b/deploy/velero-configuration/hive-specific/120-oadp.OperatorGroup.yaml
@@ -0,0 +1,8 @@
+apiVersion: operators.coreos.com/v1
+kind: OperatorGroup
+metadata:
+ name: oadp-operator-group
+ namespace: openshift-adp
+spec:
+ targetNamespaces:
+ - openshift-adp
\ No newline at end of file
diff --git a/deploy/velero-configuration/hive-specific/130-oadp.DataProtectionApplication.yaml b/deploy/velero-configuration/hive-specific/130-oadp.DataProtectionApplication.yaml
new file mode 100644
index 0000000000..7b834f71cf
--- /dev/null
+++ b/deploy/velero-configuration/hive-specific/130-oadp.DataProtectionApplication.yaml
@@ -0,0 +1,35 @@
+apiVersion: oadp.openshift.io/v1alpha1
+kind: DataProtectionApplication
+metadata:
+ name: dpa-sample
+ namespace: openshift-adp
+spec:
+ configuration:
+ velero:
+ defaultPlugins:
+ - openshift
+ - aws
+ resourceAllocations:
+ limits:
+ cpu: "1"
+ memory: 1Gi
+ requests:
+ cpu: 500m
+ memory: 256Mi
+ logLevel: info
+ podConfig:
+ nodeSelector:
+ kubernetes.io/os: linux
+ backupLocations:
+ - velero:
+ provider: aws
+ default: true
+ config:
+ region: ${AWS_REGION}
+ profile: "default"
+ credential:
+ name: cloud-credentials
+ key: cloud
+ objectStorage:
+ bucket: ${OADP_BACKUP_BUCKET}
+ prefix: velero
\ No newline at end of file
diff --git a/deploy/velero-configuration/hive-specific/140-oadp.TestBackup.yaml b/deploy/velero-configuration/hive-specific/140-oadp.TestBackup.yaml
new file mode 100644
index 0000000000..6cb937cef0
--- /dev/null
+++ b/deploy/velero-configuration/hive-specific/140-oadp.TestBackup.yaml
@@ -0,0 +1,15 @@
+apiVersion: velero.io/v1
+kind: Backup
+metadata:
+ name: oadp-validation-backup
+ namespace: openshift-adp
+ labels:
+ managed.openshift.io/oadp-validation: "true"
+spec:
+ includedNamespaces:
+ - openshift-adp
+ excludedResources:
+ - events
+ - events.events.k8s.io
+ snapshotVolumes: false
+ ttl: 1h0m0s
\ No newline at end of file
diff --git a/deploy/velero-configuration/hive-specific/config.yaml b/deploy/velero-configuration/hive-specific/config.yaml
index c54bbae055..24301f164b 100644
--- a/deploy/velero-configuration/hive-specific/config.yaml
+++ b/deploy/velero-configuration/hive-specific/config.yaml
@@ -7,3 +7,4 @@ selectorSyncSet:
operator: NotIn
values:
- "true"
+ resourceApplyMode: "Upsert"
diff --git a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl
index dfc59831c9..799ceba4d2 100644
--- a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl
+++ b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl
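Review bot: `region: ${AWS_REGION}` and `bucket: ${OADP_BACKUP_BUCKET}` survive verbatim into the generated `hack/*.tmpl` SelectorSyncSets, and Hive applies SyncSet resources as written, so unless a step outside this PR substitutes them the DPA is created with the literal `${...}` strings and the BackupStorageLocation never becomes available; either name the substituting step in a comment above `backupLocations:` or commit concrete per-environment values. The `credential` block references Secret `cloud-credentials` (key `cloud`) in `openshift-adp`, which nothing in this PR creates — the file should state how that Secret is provisioned and that its IAM policy is scoped to this one bucket, since the same credential is what any Backup writes with. `name: dpa-sample` reads as copied from the product docs; a descriptive name such as `hive-oadp` would make the object recognisable in cluster listings. The same values appear in the three `hack/*.tmpl` sections.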
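Review bot: The validation Backup includes the whole `openshift-adp` namespace and excludes only events, so it also copies the namespace's Secrets — including the `cloud-credentials` Secret that the DPA uses to reach the bucket — into that same bucket; adding `- secrets` under `excludedResources` (or validating against a namespace that holds no credentials) keeps the store's own credentials out of the store. With `ttl: 1h0m0s` inside a SyncSet using `resourceApplyMode: "Upsert"`, Velero's garbage collection removes the object after an hour and Hive's periodic reapply presumably recreates it, turning a one-off validation into a recurring backup; if that is not intended, run the validation backup out of band or note in the file that the recurrence is accepted.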
@@ -50298,27 +50298,56 @@ objects: operator: NotIn values: - 'true' - resourceApplyMode: Sync + resourceApplyMode: Upsert resources: - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: managed.openshift.io/aggregate-to-dedicated-admins: cluster - name: velero-schedule-admins-cluster + name: oadp-schedule-admins-cluster rules: - apiGroups: - velero.io attributeRestrictions: null resources: - schedules + - backups + - restores verbs: - '*' + - apiGroups: + - oadp.openshift.io + attributeRestrictions: null + resources: + - dataprotectionapplications + verbs: + - get + - list + - watch + - apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: openshift-adp + namespace: openshift-adp + spec: + channel: stable-1.4 + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic + - apiVersion: v1 + kind: Namespace + metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: 'true' - apiVersion: velero.io/v1 kind: Schedule metadata: name: 5min-object-backup - namespace: openshift-velero + namespace: openshift-adp spec: schedule: '*/5 * * * *' template: 
@@ -50343,3 +50372,61 @@ objects: - events snapshotVolumes: false ttl: 0h25m0s + - apiVersion: operators.coreos.com/v1 + kind: OperatorGroup + metadata: + name: oadp-operator-group + namespace: openshift-adp + spec: + targetNamespaces: + - openshift-adp + - apiVersion: oadp.openshift.io/v1alpha1 + kind: DataProtectionApplication + metadata: + name: dpa-sample + namespace: openshift-adp + spec: + configuration: + velero: + defaultPlugins: + - openshift + - aws + resourceAllocations: + limits: + cpu: '1' + memory: 1Gi + requests: + cpu: 500m + memory: 256Mi + logLevel: info + podConfig: + nodeSelector: + kubernetes.io/os: linux + backupLocations: + - velero: + provider: aws + default: true + config: + region: ${AWS_REGION} + profile: default + credential: + name: cloud-credentials + key: cloud + objectStorage: + bucket: ${OADP_BACKUP_BUCKET} + prefix: velero + - apiVersion: velero.io/v1 + kind: Backup + metadata: + name: oadp-validation-backup + namespace: openshift-adp + labels: + managed.openshift.io/oadp-validation: 'true' + spec: + includedNamespaces: + - openshift-adp + excludedResources: + - events + - events.events.k8s.io + snapshotVolumes: false + ttl: 1h0m0s diff --git a/hack/00-osd-managed-cluster-config-production.yaml.tmpl b/hack/00-osd-managed-cluster-config-production.yaml.tmpl index dfc59831c9..799ceba4d2 100644 --- a/hack/00-osd-managed-cluster-config-production.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-production.yaml.tmpl 
@@ -50298,27 +50298,56 @@ objects: operator: NotIn values: - 'true' - resourceApplyMode: Sync + resourceApplyMode: Upsert resources: - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: managed.openshift.io/aggregate-to-dedicated-admins: cluster - name: velero-schedule-admins-cluster + name: oadp-schedule-admins-cluster rules: - apiGroups: - velero.io attributeRestrictions: null resources: - schedules + - backups + - restores verbs: - '*' + - apiGroups: + - oadp.openshift.io + attributeRestrictions: null + resources: + - dataprotectionapplications + verbs: + - get + - list + - watch + - apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: openshift-adp + namespace: openshift-adp + spec: + channel: stable-1.4 + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic + - apiVersion: v1 + kind: Namespace + metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: 'true' - apiVersion: velero.io/v1 kind: Schedule metadata: name: 5min-object-backup - namespace: openshift-velero + namespace: openshift-adp spec: schedule: '*/5 * * * *' template: 
@@ -50343,3 +50372,61 @@ objects: - events snapshotVolumes: false ttl: 0h25m0s + - apiVersion: operators.coreos.com/v1 + kind: OperatorGroup + metadata: + name: oadp-operator-group + namespace: openshift-adp + spec: + targetNamespaces: + - openshift-adp + - apiVersion: oadp.openshift.io/v1alpha1 + kind: DataProtectionApplication + metadata: + name: dpa-sample + namespace: openshift-adp + spec: + configuration: + velero: + defaultPlugins: + - openshift + - aws + resourceAllocations: + limits: + cpu: '1' + memory: 1Gi + requests: + cpu: 500m + memory: 256Mi + logLevel: info + podConfig: + nodeSelector: + kubernetes.io/os: linux + backupLocations: + - velero: + provider: aws + default: true + config: + region: ${AWS_REGION} + profile: default + credential: + name: cloud-credentials + key: cloud + objectStorage: + bucket: ${OADP_BACKUP_BUCKET} + prefix: velero + - apiVersion: velero.io/v1 + kind: Backup + metadata: + name: oadp-validation-backup + namespace: openshift-adp + labels: + managed.openshift.io/oadp-validation: 'true' + spec: + includedNamespaces: + - openshift-adp + excludedResources: + - events + - events.events.k8s.io + snapshotVolumes: false + ttl: 1h0m0s diff --git a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl index dfc59831c9..799ceba4d2 100644 --- a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl 
@@ -50298,27 +50298,56 @@ objects: operator: NotIn values: - 'true' - resourceApplyMode: Sync + resourceApplyMode: Upsert resources: - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole metadata: labels: managed.openshift.io/aggregate-to-dedicated-admins: cluster - name: velero-schedule-admins-cluster + name: oadp-schedule-admins-cluster rules: - apiGroups: - velero.io attributeRestrictions: null resources: - schedules + - backups + - restores verbs: - '*' + - apiGroups: + - oadp.openshift.io + attributeRestrictions: null + resources: + - dataprotectionapplications + verbs: + - get + - list + - watch + - apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: openshift-adp + namespace: openshift-adp + spec: + channel: stable-1.4 + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic + - apiVersion: v1 + kind: Namespace + metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: 'true' - apiVersion: velero.io/v1 kind: Schedule metadata: name: 5min-object-backup - namespace: openshift-velero + namespace: openshift-adp spec: schedule: '*/5 * * * *' template: 
@@ -50343,3 +50372,61 @@ objects: - events snapshotVolumes: false ttl: 0h25m0s + - apiVersion: operators.coreos.com/v1 + kind: OperatorGroup + metadata: + name: oadp-operator-group + namespace: openshift-adp + spec: + targetNamespaces: + - openshift-adp + - apiVersion: oadp.openshift.io/v1alpha1 + kind: DataProtectionApplication + metadata: + name: dpa-sample + namespace: openshift-adp + spec: + configuration: + velero: + defaultPlugins: + - openshift + - aws + resourceAllocations: + limits: + cpu: '1' + memory: 1Gi + requests: + cpu: 500m + memory: 256Mi + logLevel: info + podConfig: + nodeSelector: + kubernetes.io/os: linux + backupLocations: + - velero: + provider: aws + default: true + config: + region: ${AWS_REGION} + profile: default + credential: + name: cloud-credentials + key: cloud + objectStorage: + bucket: ${OADP_BACKUP_BUCKET} + prefix: velero + - apiVersion: velero.io/v1 + kind: Backup + metadata: + name: oadp-validation-backup + namespace: openshift-adp + labels: + managed.openshift.io/oadp-validation: 'true' + spec: + includedNamespaces: + - openshift-adp + excludedResources: + - events + - events.events.k8s.io + snapshotVolumes: false + ttl: 1h0m0s