From f891f6307cb0d8e81bced530bcbfb9bae19ee382 Mon Sep 17 00:00:00 2001 From: cgong Date: Wed, 24 Sep 2025 10:54:58 +1200 Subject: [PATCH 01/13] Add OADP configuration to replace MVO for Red Hat managed clusters --- .../100-oadp.Subscription.yaml | 11 +++ .../110-oadp.Namespace.yaml | 7 ++ .../120-oadp.OperatorGroup.yaml | 8 +++ .../130-oadp.DataProtectionApplication.yaml | 36 ++++++++++ .../140-oadp.TestBackup.yaml | 15 ++++ deploy/oadp-configuration/OWNERS | 4 ++ deploy/oadp-configuration/README.md | 70 +++++++++++++++++++ deploy/oadp-configuration/config.yaml | 13 ++++ ...p-schedule-admins-cluster.ClusterRole.yaml | 25 +++++++ .../hive-specific/111-oadp.Schedules.yaml | 29 ++++++++ .../hive-specific/config.yaml | 9 +++ 11 files changed, 227 insertions(+) create mode 100644 deploy/oadp-configuration/100-oadp.Subscription.yaml create mode 100644 deploy/oadp-configuration/110-oadp.Namespace.yaml create mode 100644 deploy/oadp-configuration/120-oadp.OperatorGroup.yaml create mode 100644 deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml create mode 100644 deploy/oadp-configuration/140-oadp.TestBackup.yaml create mode 100644 deploy/oadp-configuration/OWNERS create mode 100644 deploy/oadp-configuration/README.md create mode 100644 deploy/oadp-configuration/config.yaml create mode 100644 deploy/oadp-configuration/hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml create mode 100644 deploy/oadp-configuration/hive-specific/111-oadp.Schedules.yaml create mode 100644 deploy/oadp-configuration/hive-specific/config.yaml diff --git a/deploy/oadp-configuration/100-oadp.Subscription.yaml b/deploy/oadp-configuration/100-oadp.Subscription.yaml new file mode 100644 index 000000000..86bd79322 --- /dev/null +++ b/deploy/oadp-configuration/100-oadp.Subscription.yaml @@ -0,0 +1,11 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: redhat-oadp-operator + namespace: openshift-adp +spec: + channel: stable-1.4 + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic \ No newline at end of file diff --git a/deploy/oadp-configuration/110-oadp.Namespace.yaml b/deploy/oadp-configuration/110-oadp.Namespace.yaml new file mode 100644 index 000000000..c2258803e --- /dev/null +++ b/deploy/oadp-configuration/110-oadp.Namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: "true" \ No newline at end of file diff --git a/deploy/oadp-configuration/120-oadp.OperatorGroup.yaml b/deploy/oadp-configuration/120-oadp.OperatorGroup.yaml new file mode 100644 index 000000000..eb00256f7 --- /dev/null +++ b/deploy/oadp-configuration/120-oadp.OperatorGroup.yaml @@ -0,0 +1,8 @@ +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: redhat-oadp-operator + namespace: openshift-adp +spec: + targetNamespaces: + - openshift-adp \ No newline at end of file diff --git a/deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml b/deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml new file mode 100644 index 000000000..5ba4b21d3 --- /dev/null +++ b/deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml @@ -0,0 +1,36 @@ +apiVersion: oadp.openshift.io/v1alpha1 +kind: DataProtectionApplication +metadata: + name: dpa-sample + namespace: openshift-adp +spec: + configuration: + velero: + defaultPlugins: + - openshift + - aws + - csi + resourceAllocations: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 500m + memory: 256Mi + logLevel: info + podConfig: + nodeSelector: + kubernetes.io/os: linux + backupLocations: + - velero: + provider: aws + default: true + config: + region: us-east-1 + profile: "default" + credential: + name: cloud-credentials + key: cloud + objectStorage: + bucket: oadp-backup-bucket + prefix: velero \ No newline at end of file diff --git a/deploy/oadp-configuration/140-oadp.TestBackup.yaml b/deploy/oadp-configuration/140-oadp.TestBackup.yaml new file mode 100644 index 000000000..6cb937cef --- /dev/null +++ b/deploy/oadp-configuration/140-oadp.TestBackup.yaml @@ -0,0 +1,15 @@ +apiVersion: velero.io/v1 +kind: Backup +metadata: + name: oadp-validation-backup + namespace: openshift-adp + labels: + managed.openshift.io/oadp-validation: "true" +spec: + includedNamespaces: + - openshift-adp + excludedResources: + - events + - events.events.k8s.io + snapshotVolumes: false + ttl: 1h0m0s \ No newline at end of file diff --git a/deploy/oadp-configuration/OWNERS b/deploy/oadp-configuration/OWNERS new file mode 100644 index 000000000..d20f8891b --- /dev/null +++ b/deploy/oadp-configuration/OWNERS @@ -0,0 +1,4 @@ +reviewers: +- app-sre +approvers: +- app-sre \ No newline at end of file diff --git a/deploy/oadp-configuration/README.md b/deploy/oadp-configuration/README.md new file mode 100644 index 000000000..a8df98ae1 --- /dev/null +++ b/deploy/oadp-configuration/README.md @@ -0,0 +1,70 @@ +# OADP Configuration for Red Hat Managed Clusters + +This directory contains OpenShift API for Data Protection (OADP) operator configurations to replace the deprecated Managed Velero Operator (MVO) on Red Hat managed clusters. + +## Overview + +OADP provides backup and restore capabilities for OpenShift clusters and is the supported data protection solution for Red Hat managed clusters going forward. + +## Components + +### Main Configuration +- `100-oadp.Subscription.yaml` - OADP operator subscription +- `110-oadp.Namespace.yaml` - openshift-adp namespace creation +- `120-oadp.OperatorGroup.yaml` - Operator group for OADP +- `130-oadp.DataProtectionApplication.yaml` - Main DPA configuration +- `140-oadp.TestBackup.yaml` - Validation backup for testing + +### Hive-Specific Configuration +- `hive-specific/config.yaml` - SelectorSyncSet configuration for Hive clusters +- `hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml` - RBAC for backup management +- `hive-specific/111-oadp.Schedules.yaml` - Backup schedule configuration + +## Migration from MVO + +This configuration replaces the Managed Velero Operator (MVO) with the following changes: + +1. **Namespace**: Changed from `openshift-velero` to `openshift-adp` +2. **Operator**: Uses OADP operator instead of MVO +3. **API**: Uses DataProtectionApplication CRD instead of VeleroInstall +4. **RBAC**: Updated cluster roles to include OADP resources + +## Deployment + +This configuration is deployed via Hive SelectorSyncSets to clusters matching the selector criteria: +- Clusters with `ext-managed.openshift.io/hive-shard: "true"` label +- Excludes FedRAMP clusters + +## Validation + +After deployment, validate the installation: + +1. Verify OADP operator is running: + ```bash + oc get pods -n openshift-adp + ``` + +2. Check DataProtectionApplication status: + ```bash + oc get dpa -n openshift-adp + ``` + +3. Verify backup schedule is created: + ```bash + oc get schedule -n openshift-adp + ``` + +4. Test backup creation: + ```bash + oc create -f 140-oadp.TestBackup.yaml + oc get backup -n openshift-adp + ``` + +## Related Issues + +- SREP-1607: Setup OADP for RH Internal Clusters after MVO Removal + +## References + +- [OADP Documentation](https://docs.openshift.com/container-platform/latest/backup_and_restore/application_backup_and_restore/oadp-features-plugins.html) +- [Original Velero Configuration](../velero-configuration/hive-specific/) \ No newline at end of file diff --git a/deploy/oadp-configuration/config.yaml b/deploy/oadp-configuration/config.yaml new file mode 100644 index 000000000..b498ea834 --- /dev/null +++ b/deploy/oadp-configuration/config.yaml @@ -0,0 +1,13 @@ +deploymentMode: "SelectorSyncSet" +selectorSyncSet: + matchExpressions: + - key: api.openshift.com/product + operator: In + values: + - osd + - rosa + - key: api.openshift.com/fedramp + operator: NotIn + values: + - "true" + resourceApplyMode: "Sync" \ No newline at end of file diff --git a/deploy/oadp-configuration/hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml b/deploy/oadp-configuration/hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml new file mode 100644 index 000000000..eb3ec837e --- /dev/null +++ b/deploy/oadp-configuration/hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml @@ -0,0 +1,25 @@ +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + labels: + managed.openshift.io/aggregate-to-dedicated-admins: "cluster" + name: oadp-schedule-admins-cluster +rules: +- apiGroups: + - velero.io + attributeRestrictions: null + resources: + - schedules + - backups + - restores + verbs: + - "*" +- apiGroups: + - oadp.openshift.io + attributeRestrictions: null + resources: + - dataprotectionapplications + verbs: + - get + - list + - watch \ No newline at end of file diff --git a/deploy/oadp-configuration/hive-specific/111-oadp.Schedules.yaml b/deploy/oadp-configuration/hive-specific/111-oadp.Schedules.yaml new file mode 100644 index 000000000..4a86e9b23 --- /dev/null +++ b/deploy/oadp-configuration/hive-specific/111-oadp.Schedules.yaml @@ -0,0 +1,29 @@ +apiVersion: velero.io/v1 +kind: Schedule +metadata: + name: 5min-object-backup + namespace: openshift-adp +spec: + schedule: '*/5 * * * *' + template: + includedNamespaces: + - '*' + excludedResources: + - imagetags.image.openshift.io + - images.image.openshift.io + - oauthaccesstokens.oauth.openshift.io + - oauthauthorizetokens.oauth.openshift.io + - templateinstances.template.openshift.io + - clusterserviceversions.operators.coreos.com + - packagemanifests.packages.operators.coreos.com + - operatorgroups.operators.coreos.com + - subscriptions.operators.coreos.com + - servicebrokers.servicecatalog.k8s.io + - servicebindings.servicecatalog.k8s.io + - serviceclasses.servicecatalog.k8s.io + - serviceinstances.servicecatalog.k8s.io + - serviceplans.servicecatalog.k8s.io + - events.events.k8s.io + - events + snapshotVolumes: false + ttl: 0h25m0s \ No newline at end of file diff --git a/deploy/oadp-configuration/hive-specific/config.yaml b/deploy/oadp-configuration/hive-specific/config.yaml new file mode 100644 index 000000000..2c44e7c25 --- /dev/null +++ b/deploy/oadp-configuration/hive-specific/config.yaml @@ -0,0 +1,9 @@ +deploymentMode: "SelectorSyncSet" +selectorSyncSet: + matchLabels: + ext-managed.openshift.io/hive-shard: "true" + matchExpressions: + - key: api.openshift.com/fedramp + operator: NotIn + values: + - "true" \ No newline at end of file From e17c1b367df1fd7597237f73ac23997218d1b125 Mon Sep 17 00:00:00 2001 From: cgong Date: Wed, 24 Sep 2025 10:57:42 +1200 Subject: [PATCH 02/13] Use environment variables for OADP bucket configuration MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Replace hardcoded bucket name with ${OADP_BACKUP_BUCKET} - Replace hardcoded AWS region with ${AWS_REGION} - Document required environment variables in README This allows for proper configuration management and avoids hardcoded values that would be inappropriate for production. 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude --- .../130-oadp.DataProtectionApplication.yaml | 4 ++-- deploy/oadp-configuration/README.md | 7 +++++++ 2 files changed, 9 insertions(+), 2 deletions(-) diff --git a/deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml b/deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml index 5ba4b21d3..d2383db83 100644 --- a/deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml +++ b/deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml @@ -26,11 +26,11 @@ spec: provider: aws default: true config: - region: us-east-1 + region: ${AWS_REGION} profile: "default" credential: name: cloud-credentials key: cloud objectStorage: - bucket: oadp-backup-bucket + bucket: ${OADP_BACKUP_BUCKET} prefix: velero \ No newline at end of file diff --git a/deploy/oadp-configuration/README.md b/deploy/oadp-configuration/README.md index a8df98ae1..51a830d6a 100644 --- a/deploy/oadp-configuration/README.md +++ b/deploy/oadp-configuration/README.md @@ -29,6 +29,13 @@ This configuration replaces the Managed Velero Operator (MVO) with the following 3. **API**: Uses DataProtectionApplication CRD instead of VeleroInstall 4. **RBAC**: Updated cluster roles to include OADP resources +## Environment Variables + +The following environment variables must be configured for the DataProtectionApplication: + +- `OADP_BACKUP_BUCKET` - S3 bucket name for storing backups +- `AWS_REGION` - AWS region where the bucket is located + ## Deployment This configuration is deployed via Hive SelectorSyncSets to clusters matching the selector criteria: From 29971923d0b3ed095aa8e2d5d33d4695b625d6ab Mon Sep 17 00:00:00 2001 From: cgong Date: Wed, 24 Sep 2025 19:30:41 +1200 Subject: [PATCH 03/13] Address reviewer feedback for OADP configuration - Remove CSI plugin from DataProtectionApplication (not needed without snapshots) - Update subscription channel from 'stable-1.4' to 'stable' for latest version - Fix OperatorGroup name from 'redhat-oadp-operator' to 'oadp-operator-group' - Fix Subscription name from 'redhat-oadp-operator' to 'openshift-adp' These changes align with testing recommendations and best practices. --- deploy/oadp-configuration/100-oadp.Subscription.yaml | 4 ++-- deploy/oadp-configuration/120-oadp.OperatorGroup.yaml | 2 +- .../130-oadp.DataProtectionApplication.yaml | 1 - 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/deploy/oadp-configuration/100-oadp.Subscription.yaml b/deploy/oadp-configuration/100-oadp.Subscription.yaml index 86bd79322..283aa68e1 100644 --- a/deploy/oadp-configuration/100-oadp.Subscription.yaml +++ b/deploy/oadp-configuration/100-oadp.Subscription.yaml @@ -1,10 +1,10 @@ apiVersion: operators.coreos.com/v1alpha1 kind: Subscription metadata: - name: redhat-oadp-operator + name: openshift-adp namespace: openshift-adp spec: - channel: stable-1.4 + channel: stable name: redhat-oadp-operator source: redhat-operators sourceNamespace: openshift-marketplace diff --git a/deploy/oadp-configuration/120-oadp.OperatorGroup.yaml b/deploy/oadp-configuration/120-oadp.OperatorGroup.yaml index eb00256f7..b7edcae0c 100644 --- a/deploy/oadp-configuration/120-oadp.OperatorGroup.yaml +++ b/deploy/oadp-configuration/120-oadp.OperatorGroup.yaml @@ -1,7 +1,7 @@ apiVersion: operators.coreos.com/v1 kind: OperatorGroup metadata: - name: redhat-oadp-operator + name: oadp-operator-group namespace: openshift-adp spec: targetNamespaces: diff --git a/deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml b/deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml index d2383db83..7b834f71c 100644 --- a/deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml +++ b/deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml @@ -9,7 +9,6 @@ spec: defaultPlugins: - openshift - aws - - csi resourceAllocations: limits: cpu: "1" From 7abe844566f243e644d0feff615015fb10348b41 Mon Sep 17 00:00:00 2001 From: cgong Date: Thu, 25 Sep 2025 10:22:24 +1200 Subject: [PATCH 04/13] Update OWNERS file with correct SREP team assignments - Set reviewers to srep-functional-leads and srep-team-leads - Set approvers to srep-team-leads - Aligns with team structure for OADP/backup related changes --- deploy/oadp-configuration/OWNERS | 5 +++-- 1 file changed, 3 insertions(+), 2 deletions(-) diff --git a/deploy/oadp-configuration/OWNERS b/deploy/oadp-configuration/OWNERS index d20f8891b..6445f57c1 100644 --- a/deploy/oadp-configuration/OWNERS +++ b/deploy/oadp-configuration/OWNERS @@ -1,4 +1,5 @@ reviewers: -- app-sre +- srep-functional-leads +- srep-team-leads approvers: -- app-sre \ No newline at end of file +- srep-team-leads \ No newline at end of file From b0bed6da54f84b7545d80128f55db41b5be3c42e Mon Sep 17 00:00:00 2001 From: cgong Date: Thu, 25 Sep 2025 13:31:31 +1200 Subject: [PATCH 05/13] Add generated template files for OADP configuration Generated by running 'make' to create SelectorSyncSet templates for integration, staging, and production environments. This resolves the CI build error requiring generated files. --- ...naged-cluster-config-integration.yaml.tmpl | 174 ++++++++++++++++++ ...anaged-cluster-config-production.yaml.tmpl | 174 ++++++++++++++++++ ...osd-managed-cluster-config-stage.yaml.tmpl | 174 ++++++++++++++++++ 3 files changed, 522 insertions(+) diff --git a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl index dfc59831c..d5ad68a2e 100644 --- a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl @@ -32452,6 +32452,180 @@ objects: applyMode: Sync patch: '{"spec":{"maxUnavailable":"10%"}}' patchType: merge +- apiVersion: hive.openshift.io/v1 + kind: SelectorSyncSet + metadata: + labels: + managed.openshift.io/gitHash: ${IMAGE_TAG} + managed.openshift.io/gitRepoName: ${REPO_NAME} + managed.openshift.io/osd: 'true' + name: oadp-configuration + spec: + clusterDeploymentSelector: + matchLabels: + api.openshift.com/managed: 'true' + matchExpressions: + - key: api.openshift.com/product + operator: In + values: + - osd + - rosa + - key: api.openshift.com/fedramp + operator: NotIn + values: + - 'true' + resourceApplyMode: Sync + resources: + - apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: openshift-adp + namespace: openshift-adp + spec: + channel: stable + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic + - apiVersion: v1 + kind: Namespace + metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: 'true' + - apiVersion: operators.coreos.com/v1 + kind: OperatorGroup + metadata: + name: oadp-operator-group + namespace: openshift-adp + spec: + targetNamespaces: + - openshift-adp + - apiVersion: oadp.openshift.io/v1alpha1 + kind: DataProtectionApplication + metadata: + name: dpa-sample + namespace: openshift-adp + spec: + configuration: + velero: + defaultPlugins: + - openshift + - aws + resourceAllocations: + limits: + cpu: '1' + memory: 1Gi + requests: + cpu: 500m + memory: 256Mi + logLevel: info + podConfig: + nodeSelector: + kubernetes.io/os: linux + backupLocations: + - velero: + provider: aws + default: true + config: + region: ${AWS_REGION} + profile: default + credential: + name: cloud-credentials + key: cloud + objectStorage: + bucket: ${OADP_BACKUP_BUCKET} + prefix: velero + - apiVersion: velero.io/v1 + kind: Backup + metadata: + name: oadp-validation-backup + namespace: openshift-adp + labels: + managed.openshift.io/oadp-validation: 'true' + spec: + includedNamespaces: + - openshift-adp + excludedResources: + - events + - events.events.k8s.io + snapshotVolumes: false + ttl: 1h0m0s +- apiVersion: hive.openshift.io/v1 + kind: SelectorSyncSet + metadata: + labels: + managed.openshift.io/gitHash: ${IMAGE_TAG} + managed.openshift.io/gitRepoName: ${REPO_NAME} + managed.openshift.io/osd: 'true' + name: oadp-configuration-hive-specific + spec: + clusterDeploymentSelector: + matchLabels: + api.openshift.com/managed: 'true' + ext-managed.openshift.io/hive-shard: 'true' + matchExpressions: + - key: api.openshift.com/fedramp + operator: NotIn + values: + - 'true' + resourceApplyMode: Sync + resources: + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + managed.openshift.io/aggregate-to-dedicated-admins: cluster + name: oadp-schedule-admins-cluster + rules: + - apiGroups: + - velero.io + attributeRestrictions: null + resources: + - schedules + - backups + - restores + verbs: + - '*' + - apiGroups: + - oadp.openshift.io + attributeRestrictions: null + resources: + - dataprotectionapplications + verbs: + - get + - list + - watch + - apiVersion: velero.io/v1 + kind: Schedule + metadata: + name: 5min-object-backup + namespace: openshift-adp + spec: + schedule: '*/5 * * * *' + template: + includedNamespaces: + - '*' + excludedResources: + - imagetags.image.openshift.io + - images.image.openshift.io + - oauthaccesstokens.oauth.openshift.io + - oauthauthorizetokens.oauth.openshift.io + - templateinstances.template.openshift.io + - clusterserviceversions.operators.coreos.com + - packagemanifests.packages.operators.coreos.com + - operatorgroups.operators.coreos.com + - subscriptions.operators.coreos.com + - servicebrokers.servicecatalog.k8s.io + - servicebindings.servicecatalog.k8s.io + - serviceclasses.servicecatalog.k8s.io + - serviceinstances.servicecatalog.k8s.io + - serviceplans.servicecatalog.k8s.io + - events.events.k8s.io + - events + snapshotVolumes: false + ttl: 0h25m0s - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: diff --git a/hack/00-osd-managed-cluster-config-production.yaml.tmpl b/hack/00-osd-managed-cluster-config-production.yaml.tmpl index dfc59831c..d5ad68a2e 100644 --- a/hack/00-osd-managed-cluster-config-production.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-production.yaml.tmpl @@ -32452,6 +32452,180 @@ objects: applyMode: Sync patch: '{"spec":{"maxUnavailable":"10%"}}' patchType: merge +- apiVersion: hive.openshift.io/v1 + kind: SelectorSyncSet + metadata: + labels: + managed.openshift.io/gitHash: ${IMAGE_TAG} + managed.openshift.io/gitRepoName: ${REPO_NAME} + managed.openshift.io/osd: 'true' + name: oadp-configuration + spec: + clusterDeploymentSelector: + matchLabels: + api.openshift.com/managed: 'true' + matchExpressions: + - key: api.openshift.com/product + operator: In + values: + - osd + - rosa + - key: api.openshift.com/fedramp + operator: NotIn + values: + - 'true' + resourceApplyMode: Sync + resources: + - apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: openshift-adp + namespace: openshift-adp + spec: + channel: stable + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic + - apiVersion: v1 + kind: Namespace + metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: 'true' + - apiVersion: operators.coreos.com/v1 + kind: OperatorGroup + metadata: + name: oadp-operator-group + namespace: openshift-adp + spec: + targetNamespaces: + - openshift-adp + - apiVersion: oadp.openshift.io/v1alpha1 + kind: DataProtectionApplication + metadata: + name: dpa-sample + namespace: openshift-adp + spec: + configuration: + velero: + defaultPlugins: + - openshift + - aws + resourceAllocations: + limits: + cpu: '1' + memory: 1Gi + requests: + cpu: 500m + memory: 256Mi + logLevel: info + podConfig: + nodeSelector: + kubernetes.io/os: linux + backupLocations: + - velero: + provider: aws + default: true + config: + region: ${AWS_REGION} + profile: default + credential: + name: cloud-credentials + key: cloud + objectStorage: + bucket: ${OADP_BACKUP_BUCKET} + prefix: velero + - apiVersion: velero.io/v1 + kind: Backup + metadata: + name: oadp-validation-backup + namespace: openshift-adp + labels: + managed.openshift.io/oadp-validation: 'true' + spec: + includedNamespaces: + - openshift-adp + excludedResources: + - events + - events.events.k8s.io + snapshotVolumes: false + ttl: 1h0m0s +- apiVersion: hive.openshift.io/v1 + kind: SelectorSyncSet + metadata: + labels: + managed.openshift.io/gitHash: ${IMAGE_TAG} + managed.openshift.io/gitRepoName: ${REPO_NAME} + managed.openshift.io/osd: 'true' + name: oadp-configuration-hive-specific + spec: + clusterDeploymentSelector: + matchLabels: + api.openshift.com/managed: 'true' + ext-managed.openshift.io/hive-shard: 'true' + matchExpressions: + - key: api.openshift.com/fedramp + operator: NotIn + values: + - 'true' + resourceApplyMode: Sync + resources: + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + managed.openshift.io/aggregate-to-dedicated-admins: cluster + name: oadp-schedule-admins-cluster + rules: + - apiGroups: + - velero.io + attributeRestrictions: null + resources: + - schedules + - backups + - restores + verbs: + - '*' + - apiGroups: + - oadp.openshift.io + attributeRestrictions: null + resources: + - dataprotectionapplications + verbs: + - get + - list + - watch + - apiVersion: velero.io/v1 + kind: Schedule + metadata: + name: 5min-object-backup + namespace: openshift-adp + spec: + schedule: '*/5 * * * *' + template: + includedNamespaces: + - '*' + excludedResources: + - imagetags.image.openshift.io + - images.image.openshift.io + - oauthaccesstokens.oauth.openshift.io + - oauthauthorizetokens.oauth.openshift.io + - templateinstances.template.openshift.io + - clusterserviceversions.operators.coreos.com + - packagemanifests.packages.operators.coreos.com + - operatorgroups.operators.coreos.com + - subscriptions.operators.coreos.com + - servicebrokers.servicecatalog.k8s.io + - servicebindings.servicecatalog.k8s.io + - serviceclasses.servicecatalog.k8s.io + - serviceinstances.servicecatalog.k8s.io + - serviceplans.servicecatalog.k8s.io + - events.events.k8s.io + - events + snapshotVolumes: false + ttl: 0h25m0s - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: diff --git a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl index dfc59831c..d5ad68a2e 100644 --- a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl @@ -32452,6 +32452,180 @@ objects: applyMode: Sync patch: '{"spec":{"maxUnavailable":"10%"}}' patchType: merge +- apiVersion: hive.openshift.io/v1 + kind: SelectorSyncSet + metadata: + labels: + managed.openshift.io/gitHash: ${IMAGE_TAG} + managed.openshift.io/gitRepoName: ${REPO_NAME} + managed.openshift.io/osd: 'true' + name: oadp-configuration + spec: + clusterDeploymentSelector: + matchLabels: + api.openshift.com/managed: 'true' + matchExpressions: + - key: api.openshift.com/product + operator: In + values: + - osd + - rosa + - key: api.openshift.com/fedramp + operator: NotIn + values: + - 'true' + resourceApplyMode: Sync + resources: + - apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: openshift-adp + namespace: openshift-adp + spec: + channel: stable + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic + - apiVersion: v1 + kind: Namespace + metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: 'true' + - apiVersion: operators.coreos.com/v1 + kind: OperatorGroup + metadata: + name: oadp-operator-group + namespace: openshift-adp + spec: + targetNamespaces: + - openshift-adp + - apiVersion: oadp.openshift.io/v1alpha1 + kind: DataProtectionApplication + metadata: + name: dpa-sample + namespace: openshift-adp + spec: + configuration: + velero: + defaultPlugins: + - openshift + - aws + resourceAllocations: + limits: + cpu: '1' + memory: 1Gi + requests: + cpu: 500m + memory: 256Mi + logLevel: info + podConfig: + nodeSelector: + kubernetes.io/os: linux + backupLocations: + - velero: + provider: aws + default: true + config: + region: ${AWS_REGION} + profile: default + credential: + name: cloud-credentials + key: cloud + objectStorage: + bucket: ${OADP_BACKUP_BUCKET} + prefix: velero + - apiVersion: velero.io/v1 + kind: Backup + metadata: + name: oadp-validation-backup + namespace: openshift-adp + labels: + managed.openshift.io/oadp-validation: 'true' + spec: + includedNamespaces: + - openshift-adp + excludedResources: + - events + - events.events.k8s.io + snapshotVolumes: false + ttl: 1h0m0s +- apiVersion: hive.openshift.io/v1 + kind: SelectorSyncSet + metadata: + labels: + managed.openshift.io/gitHash: ${IMAGE_TAG} + managed.openshift.io/gitRepoName: ${REPO_NAME} + managed.openshift.io/osd: 'true' + name: oadp-configuration-hive-specific + spec: + clusterDeploymentSelector: + matchLabels: + api.openshift.com/managed: 'true' + ext-managed.openshift.io/hive-shard: 'true' + matchExpressions: + - key: api.openshift.com/fedramp + operator: NotIn + values: + - 'true' + resourceApplyMode: Sync + resources: + - apiVersion: rbac.authorization.k8s.io/v1 + kind: ClusterRole + metadata: + labels: + managed.openshift.io/aggregate-to-dedicated-admins: cluster + name: oadp-schedule-admins-cluster + rules: + - apiGroups: + - velero.io + attributeRestrictions: null + resources: + - schedules + - backups + - restores + verbs: + - '*' + - apiGroups: + - oadp.openshift.io + attributeRestrictions: null + resources: + - dataprotectionapplications + verbs: + - get + - list + - watch + - apiVersion: velero.io/v1 + kind: Schedule + metadata: + name: 5min-object-backup + namespace: openshift-adp + spec: + schedule: '*/5 * * * *' + template: + includedNamespaces: + - '*' + excludedResources: + - imagetags.image.openshift.io + - images.image.openshift.io + - oauthaccesstokens.oauth.openshift.io + - oauthauthorizetokens.oauth.openshift.io + - templateinstances.template.openshift.io + - clusterserviceversions.operators.coreos.com + - packagemanifests.packages.operators.coreos.com + - operatorgroups.operators.coreos.com + - subscriptions.operators.coreos.com + - servicebrokers.servicecatalog.k8s.io + - servicebindings.servicecatalog.k8s.io + - serviceclasses.servicecatalog.k8s.io + - serviceinstances.servicecatalog.k8s.io + - serviceplans.servicecatalog.k8s.io + - events.events.k8s.io + - events + snapshotVolumes: false + ttl: 0h25m0s - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: From 191817a24ae1e89854677a1280fae2991862e89a Mon Sep 17 00:00:00 2001 From: cgong Date: Thu, 25 Sep 2025 17:09:09 +1200 Subject: [PATCH 06/13] Add srep-functional-team-hulk to OADP configuration OWNERS - Add srep-functional-team-hulk as reviewer and approver - Ensures team hulk can review and approve OADP/backup related changes --- deploy/oadp-configuration/OWNERS | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/deploy/oadp-configuration/OWNERS b/deploy/oadp-configuration/OWNERS index 6445f57c1..aac7ec80b 100644 --- a/deploy/oadp-configuration/OWNERS +++ b/deploy/oadp-configuration/OWNERS @@ -1,5 +1,7 @@ reviewers: - srep-functional-leads - srep-team-leads +- srep-functional-team-hulk approvers: -- srep-team-leads \ No newline at end of file +- srep-team-leads +- srep-functional-team-hulk \ No newline at end of file From 08635ecb6254454078d83bf712f33528d2b55f49 Mon Sep 17 00:00:00 2001 From: cgong Date: Mon, 29 Sep 2025 14:04:34 +1300 Subject: [PATCH 07/13] Convert OADP configuration to enable-only mode - Remove operator installation files (Subscription, Namespace, OperatorGroup) - Keep only DataProtectionApplication and related configuration files - Update README to reflect enable-only approach with prerequisites - This assumes OADP operator is pre-installed on target clusters Benefits: - Safer deployment (no operator installation conflicts) - Works with existing OADP installations - Focuses on configuration rather than installation Files removed: - 100-oadp.Subscription.yaml (operator installation) - 110-oadp.Namespace.yaml (namespace creation) - 120-oadp.OperatorGroup.yaml (operator group setup) Files kept: - 130-oadp.DataProtectionApplication.yaml (main config) - 140-oadp.TestBackup.yaml (validation) - hive-specific/ configurations (RBAC, schedules) Addresses feedback for SREP-1607 migration strategy. --- .../100-oadp.Subscription.yaml | 11 --------- .../110-oadp.Namespace.yaml | 7 ------ .../120-oadp.OperatorGroup.yaml | 8 ------- deploy/oadp-configuration/README.md | 24 +++++++++++-------- 4 files changed, 14 insertions(+), 36 deletions(-) delete mode 100644 deploy/oadp-configuration/100-oadp.Subscription.yaml delete mode 100644 deploy/oadp-configuration/110-oadp.Namespace.yaml delete mode 100644 deploy/oadp-configuration/120-oadp.OperatorGroup.yaml diff --git a/deploy/oadp-configuration/100-oadp.Subscription.yaml b/deploy/oadp-configuration/100-oadp.Subscription.yaml deleted file mode 100644 index 283aa68e1..000000000 --- a/deploy/oadp-configuration/100-oadp.Subscription.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: operators.coreos.com/v1alpha1 -kind: Subscription -metadata: - name: openshift-adp - namespace: openshift-adp -spec: - channel: stable - name: redhat-oadp-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic \ No newline at end of file diff --git a/deploy/oadp-configuration/110-oadp.Namespace.yaml b/deploy/oadp-configuration/110-oadp.Namespace.yaml deleted file mode 100644 index c2258803e..000000000 --- a/deploy/oadp-configuration/110-oadp.Namespace.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: openshift-adp - labels: - name: openshift-adp - openshift.io/cluster-monitoring: "true" \ No newline at end of file diff --git a/deploy/oadp-configuration/120-oadp.OperatorGroup.yaml b/deploy/oadp-configuration/120-oadp.OperatorGroup.yaml deleted file mode 100644 index b7edcae0c..000000000 --- a/deploy/oadp-configuration/120-oadp.OperatorGroup.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: operators.coreos.com/v1 -kind: OperatorGroup -metadata: - name: oadp-operator-group - namespace: openshift-adp -spec: - targetNamespaces: - - openshift-adp \ No newline at end of file diff --git a/deploy/oadp-configuration/README.md b/deploy/oadp-configuration/README.md index 51a830d6a..57fbf41a3 100644 --- a/deploy/oadp-configuration/README.md +++ b/deploy/oadp-configuration/README.md @@ -1,18 +1,21 @@ -# OADP Configuration for Red Hat Managed Clusters +# OADP Configuration for Red Hat Managed Clusters (Enable-Only) -This directory contains OpenShift API for Data Protection (OADP) operator configurations to replace the deprecated Managed Velero Operator (MVO) on Red Hat managed clusters. +This directory contains OpenShift API for Data Protection (OADP) configurations to enable backup and restore functionality on clusters where the OADP operator is already installed. ## Overview -OADP provides backup and restore capabilities for OpenShift clusters and is the supported data protection solution for Red Hat managed clusters going forward. +OADP provides backup and restore capabilities for OpenShift clusters and is the supported data protection solution for Red Hat managed clusters going forward. This configuration assumes the OADP operator is pre-installed and only enables/configures the backup functionality. + +## Prerequisites + +- OADP operator must be pre-installed in `openshift-adp` namespace +- Cloud credentials must be properly configured for backup storage access +- Environment variables `${OADP_BACKUP_BUCKET}` and `${AWS_REGION}` must be set ## Components ### Main Configuration -- `100-oadp.Subscription.yaml` - OADP operator subscription -- `110-oadp.Namespace.yaml` - openshift-adp namespace creation -- `120-oadp.OperatorGroup.yaml` - Operator group for OADP -- `130-oadp.DataProtectionApplication.yaml` - Main DPA configuration +- `130-oadp.DataProtectionApplication.yaml` - Main DPA configuration (enables OADP) - `140-oadp.TestBackup.yaml` - Validation backup for testing ### Hive-Specific Configuration @@ -44,16 +47,17 @@ This configuration is deployed via Hive SelectorSyncSets to clusters matching th ## Validation -After deployment, validate the installation: +After deployment, validate the OADP configuration: -1. Verify OADP operator is running: +1. Verify OADP operator is already running (prerequisite): ```bash oc get pods -n openshift-adp ``` -2. Check DataProtectionApplication status: +2. Check DataProtectionApplication was created and is ready: ```bash oc get dpa -n openshift-adp + oc describe dpa dpa-sample -n openshift-adp ``` 3. Verify backup schedule is created: From 45bd4604601e1cf312f239b3cc1b235f34975e4f Mon Sep 17 00:00:00 2001 From: cgong Date: Mon, 29 Sep 2025 14:37:44 +1300 Subject: [PATCH 08/13] Add OADP operator installation for Red Hat managed clusters - Create deploy/oadp-operator-install/ directory for Red Hat managed clusters - Add operator installation manifests (Subscription, Namespace, OperatorGroup) - Target clusters with api.openshift.com/customer=redhat selector - Exclude FedRAMP and customer production clusters - Update generated Hive templates via make Components: - 100-oadp.Subscription.yaml - OADP operator subscription - 110-oadp.Namespace.yaml - openshift-adp namespace creation - 120-oadp.OperatorGroup.yaml - Operator group setup - config.yaml - SelectorSyncSet targeting Red Hat clusters - OWNERS - Team ownership (srep-functional-leads, srep-team-leads, srep-functional-team-hulk) - README.md - Documentation for Red Hat cluster installation This complements the existing deploy/oadp-configuration/ which provides enable-only functionality for clusters with pre-installed OADP operators. Deployment Strategy: 1. Install OADP operator on Red Hat managed clusters (this config) 2. Enable OADP with DataProtectionApplication (existing config) 3. Remove MVO after successful OADP deployment Addresses SREP-1607: Setup OADP for RH Internal Clusters after MVO Removal --- .../100-oadp.Subscription.yaml | 11 +++ .../110-oadp.Namespace.yaml | 7 ++ .../120-oadp.OperatorGroup.yaml | 8 ++ deploy/oadp-operator-install/OWNERS | 7 ++ deploy/oadp-operator-install/README.md | 50 ++++++++++++ deploy/oadp-operator-install/config.yaml | 19 +++++ ...naged-cluster-config-integration.yaml.tmpl | 79 +++++++++++++------ ...anaged-cluster-config-production.yaml.tmpl | 79 +++++++++++++------ ...osd-managed-cluster-config-stage.yaml.tmpl | 79 +++++++++++++------ 9 files changed, 261 insertions(+), 78 deletions(-) create mode 100644 deploy/oadp-operator-install/100-oadp.Subscription.yaml create mode 100644 deploy/oadp-operator-install/110-oadp.Namespace.yaml create mode 100644 deploy/oadp-operator-install/120-oadp.OperatorGroup.yaml create mode 100644 deploy/oadp-operator-install/OWNERS create mode 100644 deploy/oadp-operator-install/README.md create mode 100644 deploy/oadp-operator-install/config.yaml diff --git a/deploy/oadp-operator-install/100-oadp.Subscription.yaml b/deploy/oadp-operator-install/100-oadp.Subscription.yaml new file mode 100644 index 000000000..283aa68e1 --- /dev/null +++ b/deploy/oadp-operator-install/100-oadp.Subscription.yaml @@ -0,0 +1,11 @@ +apiVersion: operators.coreos.com/v1alpha1 +kind: Subscription +metadata: + name: openshift-adp + namespace: openshift-adp +spec: + channel: stable + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic \ No newline at end of file diff --git a/deploy/oadp-operator-install/110-oadp.Namespace.yaml b/deploy/oadp-operator-install/110-oadp.Namespace.yaml new file mode 100644 index 000000000..c2258803e --- /dev/null +++ b/deploy/oadp-operator-install/110-oadp.Namespace.yaml @@ -0,0 +1,7 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: "true" \ No newline at end of file diff --git a/deploy/oadp-operator-install/120-oadp.OperatorGroup.yaml b/deploy/oadp-operator-install/120-oadp.OperatorGroup.yaml new file mode 100644 index 000000000..b7edcae0c --- /dev/null +++ b/deploy/oadp-operator-install/120-oadp.OperatorGroup.yaml @@ -0,0 +1,8 @@ +apiVersion: operators.coreos.com/v1 +kind: OperatorGroup +metadata: + name: oadp-operator-group + namespace: openshift-adp +spec: + targetNamespaces: + - openshift-adp \ No newline at end of file diff --git a/deploy/oadp-operator-install/OWNERS b/deploy/oadp-operator-install/OWNERS new file mode 100644 index 000000000..aac7ec80b --- /dev/null +++ b/deploy/oadp-operator-install/OWNERS @@ -0,0 +1,7 @@ +reviewers: +- srep-functional-leads +- srep-team-leads +- srep-functional-team-hulk +approvers: +- srep-team-leads +- srep-functional-team-hulk \ No newline at end of file diff --git a/deploy/oadp-operator-install/README.md b/deploy/oadp-operator-install/README.md new file mode 100644 index 000000000..cc0f42914 --- /dev/null +++ b/deploy/oadp-operator-install/README.md @@ -0,0 +1,50 @@ +# OADP Operator Installation for Red Hat Managed Clusters + +This directory contains OpenShift API for Data Protection (OADP) operator installation manifests specifically for Red Hat managed/internal clusters. + +## Overview + +This configuration installs the OADP operator on Red Hat managed clusters only. It is designed to work alongside the main OADP configuration in `/deploy/oadp-configuration/` which provides the DataProtectionApplication and backup schedules. + +## Target Clusters + +This installation targets **Red Hat managed clusters only**: +- Clusters with `api.openshift.com/customer = redhat` +- Excludes FedRAMP clusters +- Excludes customer production clusters + +## Components + +- `100-oadp.Subscription.yaml` - OADP operator subscription +- `110-oadp.Namespace.yaml` - openshift-adp namespace creation +- `120-oadp.OperatorGroup.yaml` - Operator group for OADP + +## Deployment Strategy + +1. **Phase 1**: This configuration installs OADP operator on Red Hat clusters +2. **Phase 2**: The `/deploy/oadp-configuration/` enables OADP with DataProtectionApplication +3. **Phase 3**: Remove MVO from clusters where OADP is successfully running + +## Validation + +After deployment, verify the operator installation: + +```bash +# Check operator is installed +oc get csv -n openshift-adp | grep oadp + +# Check operator pods are running +oc get pods -n openshift-adp + +# Verify operator group and subscription +oc get operatorgroup,subscription -n openshift-adp +``` + +## Related Issues + +- SREP-1607: Setup OADP for RH Internal Clusters after MVO Removal + +## References + +- [OADP Documentation](https://docs.openshift.com/container-platform/latest/backup_and_restore/application_backup_and_restore/oadp-features-plugins.html) +- [Main OADP Configuration](../oadp-configuration/) \ No newline at end of file diff --git a/deploy/oadp-operator-install/config.yaml b/deploy/oadp-operator-install/config.yaml new file mode 100644 index 000000000..00cd7aa94 --- /dev/null +++ b/deploy/oadp-operator-install/config.yaml @@ -0,0 +1,19 @@ +deploymentMode: "SelectorSyncSet" +selectorSyncSet: + matchExpressions: + # Target Red Hat managed/internal clusters only + - key: api.openshift.com/customer + operator: In + values: + - redhat + # Exclude FedRAMP clusters + - key: api.openshift.com/fedramp + operator: NotIn + values: + - "true" + # Exclude customer production clusters + - key: managed.openshift.io/customer-cluster + operator: NotIn + values: + - "true" + resourceApplyMode: "Sync" \ No newline at end of file diff --git a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl index d5ad68a2e..a42d03a57 100644 --- a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl @@ -32476,32 +32476,6 @@ objects: - 'true' resourceApplyMode: Sync resources: - - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-adp - namespace: openshift-adp - spec: - channel: stable - name: redhat-oadp-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic - - apiVersion: v1 - kind: Namespace - metadata: - name: openshift-adp - labels: - name: openshift-adp - openshift.io/cluster-monitoring: 'true' - - apiVersion: operators.coreos.com/v1 - kind: OperatorGroup - metadata: - name: oadp-operator-group - namespace: openshift-adp - spec: - targetNamespaces: - - openshift-adp - apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: @@ -32626,6 +32600,59 @@ objects: - events snapshotVolumes: false ttl: 0h25m0s +- apiVersion: hive.openshift.io/v1 + kind: SelectorSyncSet + metadata: + labels: + managed.openshift.io/gitHash: ${IMAGE_TAG} + managed.openshift.io/gitRepoName: ${REPO_NAME} + managed.openshift.io/osd: 'true' + name: oadp-operator-install + spec: + clusterDeploymentSelector: + matchLabels: + api.openshift.com/managed: 'true' + matchExpressions: + - key: api.openshift.com/customer + operator: In + values: + - redhat + - key: api.openshift.com/fedramp + operator: NotIn + values: + - 'true' + - key: managed.openshift.io/customer-cluster + operator: NotIn + values: + - 'true' + resourceApplyMode: Sync + resources: + - apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: openshift-adp + namespace: openshift-adp + spec: + channel: stable + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic + - apiVersion: v1 + kind: Namespace + metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: 'true' + - apiVersion: operators.coreos.com/v1 + kind: OperatorGroup + metadata: + name: oadp-operator-group + namespace: openshift-adp + spec: + targetNamespaces: + - openshift-adp - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: diff --git a/hack/00-osd-managed-cluster-config-production.yaml.tmpl b/hack/00-osd-managed-cluster-config-production.yaml.tmpl index d5ad68a2e..a42d03a57 100644 --- a/hack/00-osd-managed-cluster-config-production.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-production.yaml.tmpl @@ -32476,32 +32476,6 @@ objects: - 'true' resourceApplyMode: Sync resources: - - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-adp - namespace: openshift-adp - spec: - channel: stable - name: redhat-oadp-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic - - apiVersion: v1 - kind: Namespace - metadata: - name: openshift-adp - labels: - name: openshift-adp - openshift.io/cluster-monitoring: 'true' - - apiVersion: operators.coreos.com/v1 - kind: OperatorGroup - metadata: - name: oadp-operator-group - namespace: openshift-adp - spec: - targetNamespaces: - - openshift-adp - apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: @@ -32626,6 +32600,59 @@ objects: - events snapshotVolumes: false ttl: 0h25m0s +- apiVersion: hive.openshift.io/v1 + kind: SelectorSyncSet + metadata: + labels: + managed.openshift.io/gitHash: ${IMAGE_TAG} + managed.openshift.io/gitRepoName: ${REPO_NAME} + managed.openshift.io/osd: 'true' + name: oadp-operator-install + spec: + clusterDeploymentSelector: + matchLabels: + api.openshift.com/managed: 'true' + matchExpressions: + - key: api.openshift.com/customer + operator: In + values: + - redhat + - key: api.openshift.com/fedramp + operator: NotIn + values: + - 'true' + - key: managed.openshift.io/customer-cluster + operator: NotIn + values: + - 'true' + resourceApplyMode: Sync + resources: + - apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: openshift-adp + namespace: openshift-adp + spec: + channel: stable + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic + - apiVersion: v1 + kind: Namespace + metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: 'true' + - apiVersion: operators.coreos.com/v1 + kind: OperatorGroup + metadata: + name: oadp-operator-group + namespace: openshift-adp + spec: + targetNamespaces: + - openshift-adp - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: diff --git a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl index d5ad68a2e..a42d03a57 100644 --- a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl @@ -32476,32 +32476,6 @@ objects: - 'true' resourceApplyMode: Sync resources: - - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-adp - namespace: openshift-adp - spec: - channel: stable - name: redhat-oadp-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic - - apiVersion: v1 - kind: Namespace - metadata: - name: openshift-adp - labels: - name: openshift-adp - openshift.io/cluster-monitoring: 'true' - - apiVersion: operators.coreos.com/v1 - kind: OperatorGroup - metadata: - name: oadp-operator-group - namespace: openshift-adp - spec: - targetNamespaces: - - openshift-adp - apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: @@ -32626,6 +32600,59 @@ objects: - events snapshotVolumes: false ttl: 0h25m0s +- apiVersion: hive.openshift.io/v1 + kind: SelectorSyncSet + metadata: + labels: + managed.openshift.io/gitHash: ${IMAGE_TAG} + managed.openshift.io/gitRepoName: ${REPO_NAME} + managed.openshift.io/osd: 'true' + name: oadp-operator-install + spec: + clusterDeploymentSelector: + matchLabels: + api.openshift.com/managed: 'true' + matchExpressions: + - key: api.openshift.com/customer + operator: In + values: + - redhat + - key: api.openshift.com/fedramp + operator: NotIn + values: + - 'true' + - key: managed.openshift.io/customer-cluster + operator: NotIn + values: + - 'true' + resourceApplyMode: Sync + resources: + - apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: openshift-adp + namespace: openshift-adp + spec: + channel: stable + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic + - apiVersion: v1 + kind: Namespace + metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: 'true' + - apiVersion: operators.coreos.com/v1 + kind: OperatorGroup + metadata: + name: oadp-operator-group + namespace: openshift-adp + spec: + targetNamespaces: + - openshift-adp - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: From e4f3b07dce92927750a2d7fb4fa7feaea76acbaf Mon Sep 17 00:00:00 2001 From: cgong Date: Mon, 29 Sep 2025 14:48:36 +1300 Subject: [PATCH 09/13] Update OADP operator installation to target Hive clusters only - Change config.yaml selector to match Hive clusters specifically - Use ext-managed.openshift.io/hive-shard: "true" label selector - Exclude FedRAMP clusters only (remove custom customer filtering) - Update README to reflect Hive-only targeting - Regenerate Hive templates via make This aligns with leadership guidance to focus OADP operator installation on Hive-managed clusters specifically, following the same pattern as the existing velero-configuration. Target clusters: - ext-managed.openshift.io/hive-shard: "true" - NOT api.openshift.com/fedramp: "true" Addresses feedback on SREP-1607 implementation strategy. --- deploy/oadp-operator-install/README.md | 11 +++++------ deploy/oadp-operator-install/config.yaml | 16 +++------------- ...-managed-cluster-config-integration.yaml.tmpl | 9 +-------- ...d-managed-cluster-config-production.yaml.tmpl | 9 +-------- ...00-osd-managed-cluster-config-stage.yaml.tmpl | 9 +-------- 5 files changed, 11 insertions(+), 43 deletions(-) diff --git a/deploy/oadp-operator-install/README.md b/deploy/oadp-operator-install/README.md index cc0f42914..af6c0addc 100644 --- a/deploy/oadp-operator-install/README.md +++ b/deploy/oadp-operator-install/README.md @@ -1,17 +1,16 @@ -# OADP Operator Installation for Red Hat Managed Clusters +# OADP Operator Installation for Hive Clusters -This directory contains OpenShift API for Data Protection (OADP) operator installation manifests specifically for Red Hat managed/internal clusters. +This directory contains OpenShift API for Data Protection (OADP) operator installation manifests specifically for Hive-managed clusters. ## Overview -This configuration installs the OADP operator on Red Hat managed clusters only. It is designed to work alongside the main OADP configuration in `/deploy/oadp-configuration/` which provides the DataProtectionApplication and backup schedules. +This configuration installs the OADP operator on Hive clusters only. It is designed to work alongside the main OADP configuration in `/deploy/oadp-configuration/` which provides the DataProtectionApplication and backup schedules. ## Target Clusters -This installation targets **Red Hat managed clusters only**: -- Clusters with `api.openshift.com/customer = redhat` +This installation targets **Hive clusters only**: +- Clusters with `ext-managed.openshift.io/hive-shard: "true"` label - Excludes FedRAMP clusters -- Excludes customer production clusters ## Components diff --git a/deploy/oadp-operator-install/config.yaml b/deploy/oadp-operator-install/config.yaml index 00cd7aa94..2c44e7c25 100644 --- a/deploy/oadp-operator-install/config.yaml +++ b/deploy/oadp-operator-install/config.yaml @@ -1,19 +1,9 @@ deploymentMode: "SelectorSyncSet" selectorSyncSet: + matchLabels: + ext-managed.openshift.io/hive-shard: "true" matchExpressions: - # Target Red Hat managed/internal clusters only - - key: api.openshift.com/customer - operator: In - values: - - redhat - # Exclude FedRAMP clusters - key: api.openshift.com/fedramp operator: NotIn values: - - "true" - # Exclude customer production clusters - - key: managed.openshift.io/customer-cluster - operator: NotIn - values: - - "true" - resourceApplyMode: "Sync" \ No newline at end of file + - "true" \ No newline at end of file diff --git a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl index a42d03a57..a19b93fec 100644 --- a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl @@ -32612,19 +32612,12 @@ objects: clusterDeploymentSelector: matchLabels: api.openshift.com/managed: 'true' + ext-managed.openshift.io/hive-shard: 'true' matchExpressions: - - key: api.openshift.com/customer - operator: In - values: - - redhat - key: api.openshift.com/fedramp operator: NotIn values: - 'true' - - key: managed.openshift.io/customer-cluster - operator: NotIn - values: - - 'true' resourceApplyMode: Sync resources: - apiVersion: operators.coreos.com/v1alpha1 diff --git a/hack/00-osd-managed-cluster-config-production.yaml.tmpl b/hack/00-osd-managed-cluster-config-production.yaml.tmpl index a42d03a57..a19b93fec 100644 --- a/hack/00-osd-managed-cluster-config-production.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-production.yaml.tmpl @@ -32612,19 +32612,12 @@ objects: clusterDeploymentSelector: matchLabels: api.openshift.com/managed: 'true' + ext-managed.openshift.io/hive-shard: 'true' matchExpressions: - - key: api.openshift.com/customer - operator: In - values: - - redhat - key: api.openshift.com/fedramp operator: NotIn values: - 'true' - - key: managed.openshift.io/customer-cluster - operator: NotIn - values: - - 'true' resourceApplyMode: Sync resources: - apiVersion: operators.coreos.com/v1alpha1 diff --git a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl index a42d03a57..a19b93fec 100644 --- a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl @@ -32612,19 +32612,12 @@ objects: clusterDeploymentSelector: matchLabels: api.openshift.com/managed: 'true' + ext-managed.openshift.io/hive-shard: 'true' matchExpressions: - - key: api.openshift.com/customer - operator: In - values: - - redhat - key: api.openshift.com/fedramp operator: NotIn values: - 'true' - - key: managed.openshift.io/customer-cluster - operator: NotIn - values: - - 'true' resourceApplyMode: Sync resources: - apiVersion: operators.coreos.com/v1alpha1 From 4d07af94c70affb71b1d7b18385ee86967c4c939 Mon Sep 17 00:00:00 2001 From: cgong Date: Mon, 29 Sep 2025 15:34:16 +1300 Subject: [PATCH 10/13] Consolidate OADP configuration into velero-configuration/hive-specific MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Move all OADP operator installation and configuration files to the existing velero-configuration/hive-specific directory to make it clear that this configuration is only for Hive clusters. Changes: ✅ Moved OADP operator installation to velero-configuration/hive-specific/ - 100-oadp.Subscription.yaml (operator subscription) - 110-oadp.Namespace.yaml (openshift-adp namespace) - 120-oadp.OperatorGroup.yaml (operator group) ✅ Moved OADP configuration to velero-configuration/hive-specific/ - 130-oadp.DataProtectionApplication.yaml (main DPA config) - 140-oadp.TestBackup.yaml (validation backup) ✅ Replaced legacy Velero files with OADP equivalents: - 05-oadp-schedule-admins-cluster.ClusterRole.yaml (replaces velero version) - 111-oadp.Schedules.yaml (replaces velero schedules) ✅ Removed separate OADP directories: - deploy/oadp-configuration/ (consolidated into velero-configuration) - deploy/oadp-operator-install/ (consolidated into velero-configuration) ✅ Added comprehensive README.md documenting the OADP migration strategy ✅ Regenerated Hive templates via make Target Clusters: Hive clusters with ext-managed.openshift.io/hive-shard=true Excludes: FedRAMP clusters This consolidation makes it clear that OADP is the Hive-specific replacement for MVO and provides a single location for all backup/restore configuration targeting Hive clusters. Addresses SREP-1607: Setup OADP for RH Internal Clusters after MVO Removal --- deploy/oadp-configuration/OWNERS | 7 - deploy/oadp-configuration/README.md | 81 ----- deploy/oadp-configuration/config.yaml | 13 - .../hive-specific/config.yaml | 9 - deploy/oadp-operator-install/OWNERS | 7 - deploy/oadp-operator-install/README.md | 49 --- deploy/oadp-operator-install/config.yaml | 9 - deploy/velero-configuration/README.md | 55 ++++ ...p-schedule-admins-cluster.ClusterRole.yaml | 0 ...o-schedule-admins-cluster.ClusterRole.yaml | 14 - .../hive-specific}/100-oadp.Subscription.yaml | 0 .../hive-specific}/110-oadp.Namespace.yaml | 0 .../hive-specific/111-oadp.Schedules.yaml | 0 .../hive-specific/111-velero.Schedules.yaml | 29 -- .../120-oadp.OperatorGroup.yaml | 0 .../130-oadp.DataProtectionApplication.yaml | 0 .../hive-specific}/140-oadp.TestBackup.yaml | 0 ...naged-cluster-config-integration.yaml.tmpl | 285 ++++++------------ ...anaged-cluster-config-production.yaml.tmpl | 285 ++++++------------ ...osd-managed-cluster-config-stage.yaml.tmpl | 285 ++++++------------ 20 files changed, 322 insertions(+), 806 deletions(-) delete mode 100644 deploy/oadp-configuration/OWNERS delete mode 100644 deploy/oadp-configuration/README.md delete mode 100644 deploy/oadp-configuration/config.yaml delete mode 100644 deploy/oadp-configuration/hive-specific/config.yaml delete mode 100644 deploy/oadp-operator-install/OWNERS delete mode 100644 deploy/oadp-operator-install/README.md delete mode 100644 deploy/oadp-operator-install/config.yaml create mode 100644 deploy/velero-configuration/README.md rename deploy/{oadp-configuration => velero-configuration}/hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml (100%) delete mode 100644 deploy/velero-configuration/hive-specific/05-velero-schedule-admins-cluster.ClusterRole.yaml rename deploy/{oadp-operator-install => velero-configuration/hive-specific}/100-oadp.Subscription.yaml (100%) rename deploy/{oadp-operator-install => velero-configuration/hive-specific}/110-oadp.Namespace.yaml (100%) rename deploy/{oadp-configuration => velero-configuration}/hive-specific/111-oadp.Schedules.yaml (100%) delete mode 100644 deploy/velero-configuration/hive-specific/111-velero.Schedules.yaml rename deploy/{oadp-operator-install => velero-configuration/hive-specific}/120-oadp.OperatorGroup.yaml (100%) rename deploy/{oadp-configuration => velero-configuration/hive-specific}/130-oadp.DataProtectionApplication.yaml (100%) rename deploy/{oadp-configuration => velero-configuration/hive-specific}/140-oadp.TestBackup.yaml (100%) diff --git a/deploy/oadp-configuration/OWNERS b/deploy/oadp-configuration/OWNERS deleted file mode 100644 index aac7ec80b..000000000 --- a/deploy/oadp-configuration/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -reviewers: -- srep-functional-leads -- srep-team-leads -- srep-functional-team-hulk -approvers: -- srep-team-leads -- srep-functional-team-hulk \ No newline at end of file diff --git a/deploy/oadp-configuration/README.md b/deploy/oadp-configuration/README.md deleted file mode 100644 index 57fbf41a3..000000000 --- a/deploy/oadp-configuration/README.md +++ /dev/null @@ -1,81 +0,0 @@ -# OADP Configuration for Red Hat Managed Clusters (Enable-Only) - -This directory contains OpenShift API for Data Protection (OADP) configurations to enable backup and restore functionality on clusters where the OADP operator is already installed. - -## Overview - -OADP provides backup and restore capabilities for OpenShift clusters and is the supported data protection solution for Red Hat managed clusters going forward. This configuration assumes the OADP operator is pre-installed and only enables/configures the backup functionality. - -## Prerequisites - -- OADP operator must be pre-installed in `openshift-adp` namespace -- Cloud credentials must be properly configured for backup storage access -- Environment variables `${OADP_BACKUP_BUCKET}` and `${AWS_REGION}` must be set - -## Components - -### Main Configuration -- `130-oadp.DataProtectionApplication.yaml` - Main DPA configuration (enables OADP) -- `140-oadp.TestBackup.yaml` - Validation backup for testing - -### Hive-Specific Configuration -- `hive-specific/config.yaml` - SelectorSyncSet configuration for Hive clusters -- `hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml` - RBAC for backup management -- `hive-specific/111-oadp.Schedules.yaml` - Backup schedule configuration - -## Migration from MVO - -This configuration replaces the Managed Velero Operator (MVO) with the following changes: - -1. **Namespace**: Changed from `openshift-velero` to `openshift-adp` -2. **Operator**: Uses OADP operator instead of MVO -3. **API**: Uses DataProtectionApplication CRD instead of VeleroInstall -4. **RBAC**: Updated cluster roles to include OADP resources - -## Environment Variables - -The following environment variables must be configured for the DataProtectionApplication: - -- `OADP_BACKUP_BUCKET` - S3 bucket name for storing backups -- `AWS_REGION` - AWS region where the bucket is located - -## Deployment - -This configuration is deployed via Hive SelectorSyncSets to clusters matching the selector criteria: -- Clusters with `ext-managed.openshift.io/hive-shard: "true"` label -- Excludes FedRAMP clusters - -## Validation - -After deployment, validate the OADP configuration: - -1. Verify OADP operator is already running (prerequisite): - ```bash - oc get pods -n openshift-adp - ``` - -2. Check DataProtectionApplication was created and is ready: - ```bash - oc get dpa -n openshift-adp - oc describe dpa dpa-sample -n openshift-adp - ``` - -3. Verify backup schedule is created: - ```bash - oc get schedule -n openshift-adp - ``` - -4. Test backup creation: - ```bash - oc create -f 140-oadp.TestBackup.yaml - oc get backup -n openshift-adp - ``` - -## Related Issues - -- SREP-1607: Setup OADP for RH Internal Clusters after MVO Removal - -## References - -- [OADP Documentation](https://docs.openshift.com/container-platform/latest/backup_and_restore/application_backup_and_restore/oadp-features-plugins.html) -- [Original Velero Configuration](../velero-configuration/hive-specific/) \ No newline at end of file diff --git a/deploy/oadp-configuration/config.yaml b/deploy/oadp-configuration/config.yaml deleted file mode 100644 index b498ea834..000000000 --- a/deploy/oadp-configuration/config.yaml +++ /dev/null @@ -1,13 +0,0 @@ -deploymentMode: "SelectorSyncSet" -selectorSyncSet: - matchExpressions: - - key: api.openshift.com/product - operator: In - values: - - osd - - rosa - - key: api.openshift.com/fedramp - operator: NotIn - values: - - "true" - resourceApplyMode: "Sync" \ No newline at end of file diff --git a/deploy/oadp-configuration/hive-specific/config.yaml b/deploy/oadp-configuration/hive-specific/config.yaml deleted file mode 100644 index 2c44e7c25..000000000 --- a/deploy/oadp-configuration/hive-specific/config.yaml +++ /dev/null @@ -1,9 +0,0 @@ -deploymentMode: "SelectorSyncSet" -selectorSyncSet: - matchLabels: - ext-managed.openshift.io/hive-shard: "true" - matchExpressions: - - key: api.openshift.com/fedramp - operator: NotIn - values: - - "true" \ No newline at end of file diff --git a/deploy/oadp-operator-install/OWNERS b/deploy/oadp-operator-install/OWNERS deleted file mode 100644 index aac7ec80b..000000000 --- a/deploy/oadp-operator-install/OWNERS +++ /dev/null @@ -1,7 +0,0 @@ -reviewers: -- srep-functional-leads -- srep-team-leads -- srep-functional-team-hulk -approvers: -- srep-team-leads -- srep-functional-team-hulk \ No newline at end of file diff --git a/deploy/oadp-operator-install/README.md b/deploy/oadp-operator-install/README.md deleted file mode 100644 index af6c0addc..000000000 --- a/deploy/oadp-operator-install/README.md +++ /dev/null @@ -1,49 +0,0 @@ -# OADP Operator Installation for Hive Clusters - -This directory contains OpenShift API for Data Protection (OADP) operator installation manifests specifically for Hive-managed clusters. - -## Overview - -This configuration installs the OADP operator on Hive clusters only. It is designed to work alongside the main OADP configuration in `/deploy/oadp-configuration/` which provides the DataProtectionApplication and backup schedules. - -## Target Clusters - -This installation targets **Hive clusters only**: -- Clusters with `ext-managed.openshift.io/hive-shard: "true"` label -- Excludes FedRAMP clusters - -## Components - -- `100-oadp.Subscription.yaml` - OADP operator subscription -- `110-oadp.Namespace.yaml` - openshift-adp namespace creation -- `120-oadp.OperatorGroup.yaml` - Operator group for OADP - -## Deployment Strategy - -1. **Phase 1**: This configuration installs OADP operator on Red Hat clusters -2. **Phase 2**: The `/deploy/oadp-configuration/` enables OADP with DataProtectionApplication -3. **Phase 3**: Remove MVO from clusters where OADP is successfully running - -## Validation - -After deployment, verify the operator installation: - -```bash -# Check operator is installed -oc get csv -n openshift-adp | grep oadp - -# Check operator pods are running -oc get pods -n openshift-adp - -# Verify operator group and subscription -oc get operatorgroup,subscription -n openshift-adp -``` - -## Related Issues - -- SREP-1607: Setup OADP for RH Internal Clusters after MVO Removal - -## References - -- [OADP Documentation](https://docs.openshift.com/container-platform/latest/backup_and_restore/application_backup_and_restore/oadp-features-plugins.html) -- [Main OADP Configuration](../oadp-configuration/) \ No newline at end of file diff --git a/deploy/oadp-operator-install/config.yaml b/deploy/oadp-operator-install/config.yaml deleted file mode 100644 index 2c44e7c25..000000000 --- a/deploy/oadp-operator-install/config.yaml +++ /dev/null @@ -1,9 +0,0 @@ -deploymentMode: "SelectorSyncSet" -selectorSyncSet: - matchLabels: - ext-managed.openshift.io/hive-shard: "true" - matchExpressions: - - key: api.openshift.com/fedramp - operator: NotIn - values: - - "true" \ No newline at end of file diff --git a/deploy/velero-configuration/README.md b/deploy/velero-configuration/README.md new file mode 100644 index 000000000..f6db3ece3 --- /dev/null +++ b/deploy/velero-configuration/README.md @@ -0,0 +1,55 @@ +# Velero Configuration & OADP Migration + +This directory contains backup and restore configurations for Red Hat managed clusters, including the migration from Managed Velero Operator (MVO) to OpenShift API for Data Protection (OADP). + +## Directory Structure + +### Main Configuration (Legacy) +- `100-velero.Velero.yaml` - Legacy VeleroInstall resource (MVO) +- `110-velero.Schedules.yaml` - Backup schedules for general clusters +- `120-velero.Secret-Role.yaml` - RBAC for secret access +- `130-velero.Secret-RoleBinding.yaml` - Role bindings for secrets + +### Hive-Specific Configuration +- `hive-specific/` - **Complete OADP migration for Hive clusters** + +## OADP Migration Strategy + +### Phase 1: OADP Installation (Hive Clusters Only) +The `hive-specific/` directory now contains the complete OADP operator installation and configuration for Hive-managed clusters: + +**OADP Operator Installation:** +- `100-oadp.Subscription.yaml` - OADP operator subscription +- `110-oadp.Namespace.yaml` - openshift-adp namespace +- `120-oadp.OperatorGroup.yaml` - Operator group setup + +**OADP Configuration:** +- `130-oadp.DataProtectionApplication.yaml` - Main DPA configuration with environment variables +- `140-oadp.TestBackup.yaml` - Validation backup for testing + +**OADP RBAC & Schedules:** +- `05-oadp-schedule-admins-cluster.ClusterRole.yaml` - Enhanced RBAC for OADP resources +- `111-oadp.Schedules.yaml` - Backup schedules (migrated from Velero) + +### Target Clusters (Hive-Specific) +- Clusters with `ext-managed.openshift.io/hive-shard: "true"` label +- Excludes FedRAMP clusters (`api.openshift.com/fedramp != "true"`) + +### Environment Variables Required +- `${OADP_BACKUP_BUCKET}` - S3 bucket name for storing backups +- `${AWS_REGION}` - AWS region where the bucket is located + +## Migration Timeline + +1. ✅ **Phase 1**: Deploy OADP operator and configuration to Hive clusters +2. 🔄 **Phase 2**: Validate OADP functionality and backup operations +3. 🔄 **Phase 3**: Remove MVO from clusters with successful OADP deployment + +## Related Issues + +- SREP-1607: Setup OADP for RH Internal Clusters after MVO Removal + +## References + +- [OADP Documentation](https://docs.openshift.com/container-platform/latest/backup_and_restore/application_backup_and_restore/oadp-features-plugins.html) +- [Migration from MVO to OADP Guide](https://access.redhat.com/articles/oadp-migration) \ No newline at end of file diff --git a/deploy/oadp-configuration/hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml b/deploy/velero-configuration/hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml similarity index 100% rename from deploy/oadp-configuration/hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml rename to deploy/velero-configuration/hive-specific/05-oadp-schedule-admins-cluster.ClusterRole.yaml diff --git a/deploy/velero-configuration/hive-specific/05-velero-schedule-admins-cluster.ClusterRole.yaml b/deploy/velero-configuration/hive-specific/05-velero-schedule-admins-cluster.ClusterRole.yaml deleted file mode 100644 index fef1281e5..000000000 --- a/deploy/velero-configuration/hive-specific/05-velero-schedule-admins-cluster.ClusterRole.yaml +++ /dev/null @@ -1,14 +0,0 @@ -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - managed.openshift.io/aggregate-to-dedicated-admins: "cluster" - name: velero-schedule-admins-cluster -rules: -- apiGroups: - - velero.io - attributeRestrictions: null - resources: - - schedules - verbs: - - "*" diff --git a/deploy/oadp-operator-install/100-oadp.Subscription.yaml b/deploy/velero-configuration/hive-specific/100-oadp.Subscription.yaml similarity index 100% rename from deploy/oadp-operator-install/100-oadp.Subscription.yaml rename to deploy/velero-configuration/hive-specific/100-oadp.Subscription.yaml diff --git a/deploy/oadp-operator-install/110-oadp.Namespace.yaml b/deploy/velero-configuration/hive-specific/110-oadp.Namespace.yaml similarity index 100% rename from deploy/oadp-operator-install/110-oadp.Namespace.yaml rename to deploy/velero-configuration/hive-specific/110-oadp.Namespace.yaml diff --git a/deploy/oadp-configuration/hive-specific/111-oadp.Schedules.yaml b/deploy/velero-configuration/hive-specific/111-oadp.Schedules.yaml similarity index 100% rename from deploy/oadp-configuration/hive-specific/111-oadp.Schedules.yaml rename to deploy/velero-configuration/hive-specific/111-oadp.Schedules.yaml diff --git a/deploy/velero-configuration/hive-specific/111-velero.Schedules.yaml b/deploy/velero-configuration/hive-specific/111-velero.Schedules.yaml deleted file mode 100644 index e9876414c..000000000 --- a/deploy/velero-configuration/hive-specific/111-velero.Schedules.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: velero.io/v1 -kind: Schedule -metadata: - name: 5min-object-backup - namespace: openshift-velero -spec: - schedule: '*/5 * * * *' - template: - includedNamespaces: - - '*' - excludedResources: - - imagetags.image.openshift.io - - images.image.openshift.io - - oauthaccesstokens.oauth.openshift.io - - oauthauthorizetokens.oauth.openshift.io - - templateinstances.template.openshift.io - - clusterserviceversions.operators.coreos.com - - packagemanifests.packages.operators.coreos.com - - operatorgroups.operators.coreos.com - - subscriptions.operators.coreos.com - - servicebrokers.servicecatalog.k8s.io - - servicebindings.servicecatalog.k8s.io - - serviceclasses.servicecatalog.k8s.io - - serviceinstances.servicecatalog.k8s.io - - serviceplans.servicecatalog.k8s.io - - events.events.k8s.io - - events - snapshotVolumes: false - ttl: 0h25m0s diff --git a/deploy/oadp-operator-install/120-oadp.OperatorGroup.yaml b/deploy/velero-configuration/hive-specific/120-oadp.OperatorGroup.yaml similarity index 100% rename from deploy/oadp-operator-install/120-oadp.OperatorGroup.yaml rename to deploy/velero-configuration/hive-specific/120-oadp.OperatorGroup.yaml diff --git a/deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml b/deploy/velero-configuration/hive-specific/130-oadp.DataProtectionApplication.yaml similarity index 100% rename from deploy/oadp-configuration/130-oadp.DataProtectionApplication.yaml rename to deploy/velero-configuration/hive-specific/130-oadp.DataProtectionApplication.yaml diff --git a/deploy/oadp-configuration/140-oadp.TestBackup.yaml b/deploy/velero-configuration/hive-specific/140-oadp.TestBackup.yaml similarity index 100% rename from deploy/oadp-configuration/140-oadp.TestBackup.yaml rename to deploy/velero-configuration/hive-specific/140-oadp.TestBackup.yaml diff --git a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl index a19b93fec..648bbf779 100644 --- a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl @@ -32452,200 +32452,6 @@ objects: applyMode: Sync patch: '{"spec":{"maxUnavailable":"10%"}}' patchType: merge -- apiVersion: hive.openshift.io/v1 - kind: SelectorSyncSet - metadata: - labels: - managed.openshift.io/gitHash: ${IMAGE_TAG} - managed.openshift.io/gitRepoName: ${REPO_NAME} - managed.openshift.io/osd: 'true' - name: oadp-configuration - spec: - clusterDeploymentSelector: - matchLabels: - api.openshift.com/managed: 'true' - matchExpressions: - - key: api.openshift.com/product - operator: In - values: - - osd - - rosa - - key: api.openshift.com/fedramp - operator: NotIn - values: - - 'true' - resourceApplyMode: Sync - resources: - - apiVersion: oadp.openshift.io/v1alpha1 - kind: DataProtectionApplication - metadata: - name: dpa-sample - namespace: openshift-adp - spec: - configuration: - velero: - defaultPlugins: - - openshift - - aws - resourceAllocations: - limits: - cpu: '1' - memory: 1Gi - requests: - cpu: 500m - memory: 256Mi - logLevel: info - podConfig: - nodeSelector: - kubernetes.io/os: linux - backupLocations: - - velero: - provider: aws - default: true - config: - region: ${AWS_REGION} - profile: default - credential: - name: cloud-credentials - key: cloud - objectStorage: - bucket: ${OADP_BACKUP_BUCKET} - prefix: velero - - apiVersion: velero.io/v1 - kind: Backup - metadata: - name: oadp-validation-backup - namespace: openshift-adp - labels: - managed.openshift.io/oadp-validation: 'true' - spec: - includedNamespaces: - - openshift-adp - excludedResources: - - events - - events.events.k8s.io - snapshotVolumes: false - ttl: 1h0m0s -- apiVersion: hive.openshift.io/v1 - kind: SelectorSyncSet - metadata: - labels: - managed.openshift.io/gitHash: ${IMAGE_TAG} - managed.openshift.io/gitRepoName: ${REPO_NAME} - managed.openshift.io/osd: 'true' - name: oadp-configuration-hive-specific - spec: - clusterDeploymentSelector: - matchLabels: - api.openshift.com/managed: 'true' - ext-managed.openshift.io/hive-shard: 'true' - matchExpressions: - - key: api.openshift.com/fedramp - operator: NotIn - values: - - 'true' - resourceApplyMode: Sync - resources: - - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - managed.openshift.io/aggregate-to-dedicated-admins: cluster - name: oadp-schedule-admins-cluster - rules: - - apiGroups: - - velero.io - attributeRestrictions: null - resources: - - schedules - - backups - - restores - verbs: - - '*' - - apiGroups: - - oadp.openshift.io - attributeRestrictions: null - resources: - - dataprotectionapplications - verbs: - - get - - list - - watch - - apiVersion: velero.io/v1 - kind: Schedule - metadata: - name: 5min-object-backup - namespace: openshift-adp - spec: - schedule: '*/5 * * * *' - template: - includedNamespaces: - - '*' - excludedResources: - - imagetags.image.openshift.io - - images.image.openshift.io - - oauthaccesstokens.oauth.openshift.io - - oauthauthorizetokens.oauth.openshift.io - - templateinstances.template.openshift.io - - clusterserviceversions.operators.coreos.com - - packagemanifests.packages.operators.coreos.com - - operatorgroups.operators.coreos.com - - subscriptions.operators.coreos.com - - servicebrokers.servicecatalog.k8s.io - - servicebindings.servicecatalog.k8s.io - - serviceclasses.servicecatalog.k8s.io - - serviceinstances.servicecatalog.k8s.io - - serviceplans.servicecatalog.k8s.io - - events.events.k8s.io - - events - snapshotVolumes: false - ttl: 0h25m0s -- apiVersion: hive.openshift.io/v1 - kind: SelectorSyncSet - metadata: - labels: - managed.openshift.io/gitHash: ${IMAGE_TAG} - managed.openshift.io/gitRepoName: ${REPO_NAME} - managed.openshift.io/osd: 'true' - name: oadp-operator-install - spec: - clusterDeploymentSelector: - matchLabels: - api.openshift.com/managed: 'true' - ext-managed.openshift.io/hive-shard: 'true' - matchExpressions: - - key: api.openshift.com/fedramp - operator: NotIn - values: - - 'true' - resourceApplyMode: Sync - resources: - - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-adp - namespace: openshift-adp - spec: - channel: stable - name: redhat-oadp-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic - - apiVersion: v1 - kind: Namespace - metadata: - name: openshift-adp - labels: - name: openshift-adp - openshift.io/cluster-monitoring: 'true' - - apiVersion: operators.coreos.com/v1 - kind: OperatorGroup - metadata: - name: oadp-operator-group - namespace: openshift-adp - spec: - targetNamespaces: - - openshift-adp - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: @@ -50499,20 +50305,49 @@ objects: metadata: labels: managed.openshift.io/aggregate-to-dedicated-admins: cluster - name: velero-schedule-admins-cluster + name: oadp-schedule-admins-cluster rules: - apiGroups: - velero.io attributeRestrictions: null resources: - schedules + - backups + - restores verbs: - '*' + - apiGroups: + - oadp.openshift.io + attributeRestrictions: null + resources: + - dataprotectionapplications + verbs: + - get + - list + - watch + - apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: openshift-adp + namespace: openshift-adp + spec: + channel: stable + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic + - apiVersion: v1 + kind: Namespace + metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: 'true' - apiVersion: velero.io/v1 kind: Schedule metadata: name: 5min-object-backup - namespace: openshift-velero + namespace: openshift-adp spec: schedule: '*/5 * * * *' template: @@ -50537,3 +50372,61 @@ objects: - events snapshotVolumes: false ttl: 0h25m0s + - apiVersion: operators.coreos.com/v1 + kind: OperatorGroup + metadata: + name: oadp-operator-group + namespace: openshift-adp + spec: + targetNamespaces: + - openshift-adp + - apiVersion: oadp.openshift.io/v1alpha1 + kind: DataProtectionApplication + metadata: + name: dpa-sample + namespace: openshift-adp + spec: + configuration: + velero: + defaultPlugins: + - openshift + - aws + resourceAllocations: + limits: + cpu: '1' + memory: 1Gi + requests: + cpu: 500m + memory: 256Mi + logLevel: info + podConfig: + nodeSelector: + kubernetes.io/os: linux + backupLocations: + - velero: + provider: aws + default: true + config: + region: ${AWS_REGION} + profile: default + credential: + name: cloud-credentials + key: cloud + objectStorage: + bucket: ${OADP_BACKUP_BUCKET} + prefix: velero + - apiVersion: velero.io/v1 + kind: Backup + metadata: + name: oadp-validation-backup + namespace: openshift-adp + labels: + managed.openshift.io/oadp-validation: 'true' + spec: + includedNamespaces: + - openshift-adp + excludedResources: + - events + - events.events.k8s.io + snapshotVolumes: false + ttl: 1h0m0s diff --git a/hack/00-osd-managed-cluster-config-production.yaml.tmpl b/hack/00-osd-managed-cluster-config-production.yaml.tmpl index a19b93fec..648bbf779 100644 --- a/hack/00-osd-managed-cluster-config-production.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-production.yaml.tmpl @@ -32452,200 +32452,6 @@ objects: applyMode: Sync patch: '{"spec":{"maxUnavailable":"10%"}}' patchType: merge -- apiVersion: hive.openshift.io/v1 - kind: SelectorSyncSet - metadata: - labels: - managed.openshift.io/gitHash: ${IMAGE_TAG} - managed.openshift.io/gitRepoName: ${REPO_NAME} - managed.openshift.io/osd: 'true' - name: oadp-configuration - spec: - clusterDeploymentSelector: - matchLabels: - api.openshift.com/managed: 'true' - matchExpressions: - - key: api.openshift.com/product - operator: In - values: - - osd - - rosa - - key: api.openshift.com/fedramp - operator: NotIn - values: - - 'true' - resourceApplyMode: Sync - resources: - - apiVersion: oadp.openshift.io/v1alpha1 - kind: DataProtectionApplication - metadata: - name: dpa-sample - namespace: openshift-adp - spec: - configuration: - velero: - defaultPlugins: - - openshift - - aws - resourceAllocations: - limits: - cpu: '1' - memory: 1Gi - requests: - cpu: 500m - memory: 256Mi - logLevel: info - podConfig: - nodeSelector: - kubernetes.io/os: linux - backupLocations: - - velero: - provider: aws - default: true - config: - region: ${AWS_REGION} - profile: default - credential: - name: cloud-credentials - key: cloud - objectStorage: - bucket: ${OADP_BACKUP_BUCKET} - prefix: velero - - apiVersion: velero.io/v1 - kind: Backup - metadata: - name: oadp-validation-backup - namespace: openshift-adp - labels: - managed.openshift.io/oadp-validation: 'true' - spec: - includedNamespaces: - - openshift-adp - excludedResources: - - events - - events.events.k8s.io - snapshotVolumes: false - ttl: 1h0m0s -- apiVersion: hive.openshift.io/v1 - kind: SelectorSyncSet - metadata: - labels: - managed.openshift.io/gitHash: ${IMAGE_TAG} - managed.openshift.io/gitRepoName: ${REPO_NAME} - managed.openshift.io/osd: 'true' - name: oadp-configuration-hive-specific - spec: - clusterDeploymentSelector: - matchLabels: - api.openshift.com/managed: 'true' - ext-managed.openshift.io/hive-shard: 'true' - matchExpressions: - - key: api.openshift.com/fedramp - operator: NotIn - values: - - 'true' - resourceApplyMode: Sync - resources: - - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - managed.openshift.io/aggregate-to-dedicated-admins: cluster - name: oadp-schedule-admins-cluster - rules: - - apiGroups: - - velero.io - attributeRestrictions: null - resources: - - schedules - - backups - - restores - verbs: - - '*' - - apiGroups: - - oadp.openshift.io - attributeRestrictions: null - resources: - - dataprotectionapplications - verbs: - - get - - list - - watch - - apiVersion: velero.io/v1 - kind: Schedule - metadata: - name: 5min-object-backup - namespace: openshift-adp - spec: - schedule: '*/5 * * * *' - template: - includedNamespaces: - - '*' - excludedResources: - - imagetags.image.openshift.io - - images.image.openshift.io - - oauthaccesstokens.oauth.openshift.io - - oauthauthorizetokens.oauth.openshift.io - - templateinstances.template.openshift.io - - clusterserviceversions.operators.coreos.com - - packagemanifests.packages.operators.coreos.com - - operatorgroups.operators.coreos.com - - subscriptions.operators.coreos.com - - servicebrokers.servicecatalog.k8s.io - - servicebindings.servicecatalog.k8s.io - - serviceclasses.servicecatalog.k8s.io - - serviceinstances.servicecatalog.k8s.io - - serviceplans.servicecatalog.k8s.io - - events.events.k8s.io - - events - snapshotVolumes: false - ttl: 0h25m0s -- apiVersion: hive.openshift.io/v1 - kind: SelectorSyncSet - metadata: - labels: - managed.openshift.io/gitHash: ${IMAGE_TAG} - managed.openshift.io/gitRepoName: ${REPO_NAME} - managed.openshift.io/osd: 'true' - name: oadp-operator-install - spec: - clusterDeploymentSelector: - matchLabels: - api.openshift.com/managed: 'true' - ext-managed.openshift.io/hive-shard: 'true' - matchExpressions: - - key: api.openshift.com/fedramp - operator: NotIn - values: - - 'true' - resourceApplyMode: Sync - resources: - - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-adp - namespace: openshift-adp - spec: - channel: stable - name: redhat-oadp-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic - - apiVersion: v1 - kind: Namespace - metadata: - name: openshift-adp - labels: - name: openshift-adp - openshift.io/cluster-monitoring: 'true' - - apiVersion: operators.coreos.com/v1 - kind: OperatorGroup - metadata: - name: oadp-operator-group - namespace: openshift-adp - spec: - targetNamespaces: - - openshift-adp - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: @@ -50499,20 +50305,49 @@ objects: metadata: labels: managed.openshift.io/aggregate-to-dedicated-admins: cluster - name: velero-schedule-admins-cluster + name: oadp-schedule-admins-cluster rules: - apiGroups: - velero.io attributeRestrictions: null resources: - schedules + - backups + - restores verbs: - '*' + - apiGroups: + - oadp.openshift.io + attributeRestrictions: null + resources: + - dataprotectionapplications + verbs: + - get + - list + - watch + - apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: openshift-adp + namespace: openshift-adp + spec: + channel: stable + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic + - apiVersion: v1 + kind: Namespace + metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: 'true' - apiVersion: velero.io/v1 kind: Schedule metadata: name: 5min-object-backup - namespace: openshift-velero + namespace: openshift-adp spec: schedule: '*/5 * * * *' template: @@ -50537,3 +50372,61 @@ objects: - events snapshotVolumes: false ttl: 0h25m0s + - apiVersion: operators.coreos.com/v1 + kind: OperatorGroup + metadata: + name: oadp-operator-group + namespace: openshift-adp + spec: + targetNamespaces: + - openshift-adp + - apiVersion: oadp.openshift.io/v1alpha1 + kind: DataProtectionApplication + metadata: + name: dpa-sample + namespace: openshift-adp + spec: + configuration: + velero: + defaultPlugins: + - openshift + - aws + resourceAllocations: + limits: + cpu: '1' + memory: 1Gi + requests: + cpu: 500m + memory: 256Mi + logLevel: info + podConfig: + nodeSelector: + kubernetes.io/os: linux + backupLocations: + - velero: + provider: aws + default: true + config: + region: ${AWS_REGION} + profile: default + credential: + name: cloud-credentials + key: cloud + objectStorage: + bucket: ${OADP_BACKUP_BUCKET} + prefix: velero + - apiVersion: velero.io/v1 + kind: Backup + metadata: + name: oadp-validation-backup + namespace: openshift-adp + labels: + managed.openshift.io/oadp-validation: 'true' + spec: + includedNamespaces: + - openshift-adp + excludedResources: + - events + - events.events.k8s.io + snapshotVolumes: false + ttl: 1h0m0s diff --git a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl index a19b93fec..648bbf779 100644 --- a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl @@ -32452,200 +32452,6 @@ objects: applyMode: Sync patch: '{"spec":{"maxUnavailable":"10%"}}' patchType: merge -- apiVersion: hive.openshift.io/v1 - kind: SelectorSyncSet - metadata: - labels: - managed.openshift.io/gitHash: ${IMAGE_TAG} - managed.openshift.io/gitRepoName: ${REPO_NAME} - managed.openshift.io/osd: 'true' - name: oadp-configuration - spec: - clusterDeploymentSelector: - matchLabels: - api.openshift.com/managed: 'true' - matchExpressions: - - key: api.openshift.com/product - operator: In - values: - - osd - - rosa - - key: api.openshift.com/fedramp - operator: NotIn - values: - - 'true' - resourceApplyMode: Sync - resources: - - apiVersion: oadp.openshift.io/v1alpha1 - kind: DataProtectionApplication - metadata: - name: dpa-sample - namespace: openshift-adp - spec: - configuration: - velero: - defaultPlugins: - - openshift - - aws - resourceAllocations: - limits: - cpu: '1' - memory: 1Gi - requests: - cpu: 500m - memory: 256Mi - logLevel: info - podConfig: - nodeSelector: - kubernetes.io/os: linux - backupLocations: - - velero: - provider: aws - default: true - config: - region: ${AWS_REGION} - profile: default - credential: - name: cloud-credentials - key: cloud - objectStorage: - bucket: ${OADP_BACKUP_BUCKET} - prefix: velero - - apiVersion: velero.io/v1 - kind: Backup - metadata: - name: oadp-validation-backup - namespace: openshift-adp - labels: - managed.openshift.io/oadp-validation: 'true' - spec: - includedNamespaces: - - openshift-adp - excludedResources: - - events - - events.events.k8s.io - snapshotVolumes: false - ttl: 1h0m0s -- apiVersion: hive.openshift.io/v1 - kind: SelectorSyncSet - metadata: - labels: - managed.openshift.io/gitHash: ${IMAGE_TAG} - managed.openshift.io/gitRepoName: ${REPO_NAME} - managed.openshift.io/osd: 'true' - name: oadp-configuration-hive-specific - spec: - clusterDeploymentSelector: - matchLabels: - api.openshift.com/managed: 'true' - ext-managed.openshift.io/hive-shard: 'true' - matchExpressions: - - key: api.openshift.com/fedramp - operator: NotIn - values: - - 'true' - resourceApplyMode: Sync - resources: - - apiVersion: rbac.authorization.k8s.io/v1 - kind: ClusterRole - metadata: - labels: - managed.openshift.io/aggregate-to-dedicated-admins: cluster - name: oadp-schedule-admins-cluster - rules: - - apiGroups: - - velero.io - attributeRestrictions: null - resources: - - schedules - - backups - - restores - verbs: - - '*' - - apiGroups: - - oadp.openshift.io - attributeRestrictions: null - resources: - - dataprotectionapplications - verbs: - - get - - list - - watch - - apiVersion: velero.io/v1 - kind: Schedule - metadata: - name: 5min-object-backup - namespace: openshift-adp - spec: - schedule: '*/5 * * * *' - template: - includedNamespaces: - - '*' - excludedResources: - - imagetags.image.openshift.io - - images.image.openshift.io - - oauthaccesstokens.oauth.openshift.io - - oauthauthorizetokens.oauth.openshift.io - - templateinstances.template.openshift.io - - clusterserviceversions.operators.coreos.com - - packagemanifests.packages.operators.coreos.com - - operatorgroups.operators.coreos.com - - subscriptions.operators.coreos.com - - servicebrokers.servicecatalog.k8s.io - - servicebindings.servicecatalog.k8s.io - - serviceclasses.servicecatalog.k8s.io - - serviceinstances.servicecatalog.k8s.io - - serviceplans.servicecatalog.k8s.io - - events.events.k8s.io - - events - snapshotVolumes: false - ttl: 0h25m0s -- apiVersion: hive.openshift.io/v1 - kind: SelectorSyncSet - metadata: - labels: - managed.openshift.io/gitHash: ${IMAGE_TAG} - managed.openshift.io/gitRepoName: ${REPO_NAME} - managed.openshift.io/osd: 'true' - name: oadp-operator-install - spec: - clusterDeploymentSelector: - matchLabels: - api.openshift.com/managed: 'true' - ext-managed.openshift.io/hive-shard: 'true' - matchExpressions: - - key: api.openshift.com/fedramp - operator: NotIn - values: - - 'true' - resourceApplyMode: Sync - resources: - - apiVersion: operators.coreos.com/v1alpha1 - kind: Subscription - metadata: - name: openshift-adp - namespace: openshift-adp - spec: - channel: stable - name: redhat-oadp-operator - source: redhat-operators - sourceNamespace: openshift-marketplace - installPlanApproval: Automatic - - apiVersion: v1 - kind: Namespace - metadata: - name: openshift-adp - labels: - name: openshift-adp - openshift.io/cluster-monitoring: 'true' - - apiVersion: operators.coreos.com/v1 - kind: OperatorGroup - metadata: - name: oadp-operator-group - namespace: openshift-adp - spec: - targetNamespaces: - - openshift-adp - apiVersion: hive.openshift.io/v1 kind: SelectorSyncSet metadata: @@ -50499,20 +50305,49 @@ objects: metadata: labels: managed.openshift.io/aggregate-to-dedicated-admins: cluster - name: velero-schedule-admins-cluster + name: oadp-schedule-admins-cluster rules: - apiGroups: - velero.io attributeRestrictions: null resources: - schedules + - backups + - restores verbs: - '*' + - apiGroups: + - oadp.openshift.io + attributeRestrictions: null + resources: + - dataprotectionapplications + verbs: + - get + - list + - watch + - apiVersion: operators.coreos.com/v1alpha1 + kind: Subscription + metadata: + name: openshift-adp + namespace: openshift-adp + spec: + channel: stable + name: redhat-oadp-operator + source: redhat-operators + sourceNamespace: openshift-marketplace + installPlanApproval: Automatic + - apiVersion: v1 + kind: Namespace + metadata: + name: openshift-adp + labels: + name: openshift-adp + openshift.io/cluster-monitoring: 'true' - apiVersion: velero.io/v1 kind: Schedule metadata: name: 5min-object-backup - namespace: openshift-velero + namespace: openshift-adp spec: schedule: '*/5 * * * *' template: @@ -50537,3 +50372,61 @@ objects: - events snapshotVolumes: false ttl: 0h25m0s + - apiVersion: operators.coreos.com/v1 + kind: OperatorGroup + metadata: + name: oadp-operator-group + namespace: openshift-adp + spec: + targetNamespaces: + - openshift-adp + - apiVersion: oadp.openshift.io/v1alpha1 + kind: DataProtectionApplication + metadata: + name: dpa-sample + namespace: openshift-adp + spec: + configuration: + velero: + defaultPlugins: + - openshift + - aws + resourceAllocations: + limits: + cpu: '1' + memory: 1Gi + requests: + cpu: 500m + memory: 256Mi + logLevel: info + podConfig: + nodeSelector: + kubernetes.io/os: linux + backupLocations: + - velero: + provider: aws + default: true + config: + region: ${AWS_REGION} + profile: default + credential: + name: cloud-credentials + key: cloud + objectStorage: + bucket: ${OADP_BACKUP_BUCKET} + prefix: velero + - apiVersion: velero.io/v1 + kind: Backup + metadata: + name: oadp-validation-backup + namespace: openshift-adp + labels: + managed.openshift.io/oadp-validation: 'true' + spec: + includedNamespaces: + - openshift-adp + excludedResources: + - events + - events.events.k8s.io + snapshotVolumes: false + ttl: 1h0m0s From 7c6ca7155c456e2b7bdad796d9b906d7068ceaaf Mon Sep 17 00:00:00 2001 From: cgong Date: Mon, 29 Sep 2025 16:00:45 +1300 Subject: [PATCH 11/13] Add resourceApplyMode: Upsert for safe OADP deployment MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Critical fix for SyncSet resource management during MVO to OADP migration. Changes: ✅ Add resourceApplyMode: "Upsert" to hive-specific config.yaml ✅ Update README with detailed migration strategy documentation ✅ Regenerate Hive templates with updated configuration Why this is critical: - Without explicit resourceApplyMode, defaults to "Upsert" - Ensures old Velero resources are NOT automatically deleted - Allows safe coexistence of MVO and OADP during transition - Prevents resource conflicts during deployment Migration Strategy: Phase 1 (this PR): Deploy OADP with Upsert mode - ✅ OADP resources created alongside existing Velero resources - ✅ Both backup systems can coexist safely - ✅ No automatic deletion of existing resources Phase 2 (future): Validate OADP functionality Phase 3 (future): Clean up old resources with Sync mode References: - https://github.com/openshift/hive/blob/master/docs/syncset.md - SREP-1607: Setup OADP for RH Internal Clusters after MVO Removal This addresses the resource naming conflicts identified during migration planning and ensures a safe deployment path. --- deploy/velero-configuration/README.md | 26 ++++++++++++++++--- .../hive-specific/config.yaml | 1 + ...naged-cluster-config-integration.yaml.tmpl | 2 +- ...anaged-cluster-config-production.yaml.tmpl | 2 +- ...osd-managed-cluster-config-stage.yaml.tmpl | 2 +- 5 files changed, 27 insertions(+), 6 deletions(-) diff --git a/deploy/velero-configuration/README.md b/deploy/velero-configuration/README.md index f6db3ece3..ef0ff9f80 100644 --- a/deploy/velero-configuration/README.md +++ b/deploy/velero-configuration/README.md @@ -39,11 +39,31 @@ The `hive-specific/` directory now contains the complete OADP operator installat - `${OADP_BACKUP_BUCKET}` - S3 bucket name for storing backups - `${AWS_REGION}` - AWS region where the bucket is located -## Migration Timeline +## Migration Strategy & Resource Handling + +### Resource Apply Mode: "Upsert" +The hive-specific configuration uses `resourceApplyMode: "Upsert"` which means: +- ✅ **Safe Deployment**: New OADP resources will be created alongside existing Velero resources +- ✅ **No Conflicts**: Old Velero resources will NOT be automatically deleted +- ✅ **Coexistence**: Both MVO and OADP can run simultaneously during transition +- ⚠️ **Manual Cleanup**: Old Velero resources require separate cleanup phase + +### Migration Timeline + +1. ✅ **Phase 1**: Deploy OADP operator and configuration to Hive clusters (this PR) + - OADP operator installed in `openshift-adp` namespace + - MVO continues running in `openshift-velero` namespace + - Both backup systems coexist safely -1. ✅ **Phase 1**: Deploy OADP operator and configuration to Hive clusters 2. 🔄 **Phase 2**: Validate OADP functionality and backup operations -3. 🔄 **Phase 3**: Remove MVO from clusters with successful OADP deployment + - Test OADP backups and restores + - Verify environment variable configuration + - Monitor both systems for conflicts + +3. 🔄 **Phase 3**: Clean up old Velero resources (future PR with Sync mode) + - Create cleanup SyncSet with `resourceApplyMode: "Sync"` + - Remove old Velero ClusterRoles, Schedules, and MVO components + - Complete migration to OADP-only ## Related Issues diff --git a/deploy/velero-configuration/hive-specific/config.yaml b/deploy/velero-configuration/hive-specific/config.yaml index c54bbae05..24301f164 100644 --- a/deploy/velero-configuration/hive-specific/config.yaml +++ b/deploy/velero-configuration/hive-specific/config.yaml @@ -7,3 +7,4 @@ selectorSyncSet: operator: NotIn values: - "true" + resourceApplyMode: "Upsert" diff --git a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl index 648bbf779..f00d481f6 100644 --- a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl @@ -50298,7 +50298,7 @@ objects: operator: NotIn values: - 'true' - resourceApplyMode: Sync + resourceApplyMode: Upsert resources: - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/hack/00-osd-managed-cluster-config-production.yaml.tmpl b/hack/00-osd-managed-cluster-config-production.yaml.tmpl index 648bbf779..f00d481f6 100644 --- a/hack/00-osd-managed-cluster-config-production.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-production.yaml.tmpl @@ -50298,7 +50298,7 @@ objects: operator: NotIn values: - 'true' - resourceApplyMode: Sync + resourceApplyMode: Upsert resources: - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole diff --git a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl index 648bbf779..f00d481f6 100644 --- a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl @@ -50298,7 +50298,7 @@ objects: operator: NotIn values: - 'true' - resourceApplyMode: Sync + resourceApplyMode: Upsert resources: - apiVersion: rbac.authorization.k8s.io/v1 kind: ClusterRole From 2bab8d01db39d89ad947e26af22cc00c30a8a754 Mon Sep 17 00:00:00 2001 From: cgong Date: Mon, 29 Sep 2025 19:14:10 +1300 Subject: [PATCH 12/13] Fix OADP subscription channel from 'stable' to 'stable-1.4' MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Changed channel from 'stable' to 'stable-1.4' in OADP Subscription - The generic 'stable' channel does not exist for redhat-oadp-operator - 'stable-1.4' is the default channel and provides OADP v1.4.5 - Tested and validated on oadp-test-cluster (OpenShift 4.18.24) - Resolves subscription installation failures Related: SREP-1607 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- .../hive-specific/100-oadp.Subscription.yaml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/deploy/velero-configuration/hive-specific/100-oadp.Subscription.yaml b/deploy/velero-configuration/hive-specific/100-oadp.Subscription.yaml index 283aa68e1..316b8938d 100644 --- a/deploy/velero-configuration/hive-specific/100-oadp.Subscription.yaml +++ b/deploy/velero-configuration/hive-specific/100-oadp.Subscription.yaml @@ -4,7 +4,7 @@ metadata: name: openshift-adp namespace: openshift-adp spec: - channel: stable + channel: stable-1.4 name: redhat-oadp-operator source: redhat-operators sourceNamespace: openshift-marketplace From 1be082cc8a099afe9282edea47a34a3d05e4bdcb Mon Sep 17 00:00:00 2001 From: cgong Date: Mon, 29 Sep 2025 19:26:37 +1300 Subject: [PATCH 13/13] Generate Hive templates after OADP channel fix MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit - Updated all environment templates (integration/stage/production) - Propagated channel change from 'stable' to 'stable-1.4' to templates - Generated via 'make' command as required before push Related: SREP-1607 🤖 Generated with [Claude Code](https://claude.com/claude-code) Co-Authored-By: Claude --- hack/00-osd-managed-cluster-config-integration.yaml.tmpl | 2 +- hack/00-osd-managed-cluster-config-production.yaml.tmpl | 2 +- hack/00-osd-managed-cluster-config-stage.yaml.tmpl | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl index f00d481f6..799ceba4d 100644 --- a/hack/00-osd-managed-cluster-config-integration.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-integration.yaml.tmpl @@ -50331,7 +50331,7 @@ objects: name: openshift-adp namespace: openshift-adp spec: - channel: stable + channel: stable-1.4 name: redhat-oadp-operator source: redhat-operators sourceNamespace: openshift-marketplace diff --git a/hack/00-osd-managed-cluster-config-production.yaml.tmpl b/hack/00-osd-managed-cluster-config-production.yaml.tmpl index f00d481f6..799ceba4d 100644 --- a/hack/00-osd-managed-cluster-config-production.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-production.yaml.tmpl @@ -50331,7 +50331,7 @@ objects: name: openshift-adp namespace: openshift-adp spec: - channel: stable + channel: stable-1.4 name: redhat-oadp-operator source: redhat-operators sourceNamespace: openshift-marketplace diff --git a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl index f00d481f6..799ceba4d 100644 --- a/hack/00-osd-managed-cluster-config-stage.yaml.tmpl +++ b/hack/00-osd-managed-cluster-config-stage.yaml.tmpl @@ -50331,7 +50331,7 @@ objects: name: openshift-adp namespace: openshift-adp spec: - channel: stable + channel: stable-1.4 name: redhat-oadp-operator source: redhat-operators sourceNamespace: openshift-marketplace