openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity

OADP-4001 Self-Service

Browse Source 
Signed-off-by: Shruti Deshpande <shdeshpa@redhat.com>
This commit is contained in:
Shruti Deshpande
2025-02-24 09:13:43 +05:30
committed by openshift-cherrypick-robot
parent fd1eaf191b
commit 941d1310d4
34 changed files with 2017 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

11
_topic_maps/_topic_map.yml
View File

@@ -3712,6 +3712,17 @@ Topics:
Topics:
- Name: Restoring applications
File: restoring-applications
#- Name: OADP Self-Service Note:Commenting out this block because the PR is huge and I would like to get the files merged. I will open a separate PR to un-comment this block on the date of GA.
# Dir: oadp-self-service
# Topics:
# - Name: OADP Self-Service
# File: oadp-self-service
# - Name: OADP Self-Service cluster admin use cases
# File: oadp-self-service-cluster-admin-use-cases
# - Name: OADP Self-Service namespace admin use cases
# File: oadp-self-service-namespace-admin-use-cases
# - Name: OADP Self-Service troubleshooting
# File: oadp-self-service-troubleshooting
- Name: OADP and ROSA
Dir: oadp-rosa
Topics:

1
backup_and_restore/application_backup_and_restore/oadp-self-service/_attributes Symbolic link
View File

@@ -0,0 +1 @@
../../../_attributes/

1
backup_and_restore/application_backup_and_restore/oadp-self-service/images Symbolic link
View File

@@ -0,0 +1 @@
../../../images/

1
backup_and_restore/application_backup_and_restore/oadp-self-service/modules Symbolic link
View File

@@ -0,0 +1 @@
../../modules/

29
backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-cluster-admin-use-cases.adoc Normal file
View File

@@ -0,0 +1,29 @@
:_mod-docs-content-type: ASSEMBLY
[id="oadp-self-service-cluster-admin-use-cases"]
= {oadp-short} Self-Service cluster admin use cases
include::_attributes/common-attributes.adoc[]
:context: oadp-self-service-cluster-admin-use-cases
toc::[]
As a cluster administrator, you can use the Self-Service feature in the following scenarios:
* Enable or disable {oadp-short} Self-Service.
* Approve or reject the NABSL custom resource (CR).
* Enforce template policies in the `DataProtectionApplication` (DPA) CR.
include::modules/oadp-self-service-admin-enable-disable.adoc[leveloffset=+1]
include::modules/oadp-self-service-enabling-nabsl-approval.adoc[leveloffset=+1]
include::modules/oadp-self-service-approving-nabsl.adoc[leveloffset=+1]
include::modules/oadp-self-service-rejecting-nabsl.adoc[leveloffset=+1]
include::modules/oadp-self-service-admin-spec-enforcement.adoc[leveloffset=+1]
include::modules/oadp-self-service-admin-spec-enforce-nabsl.adoc[leveloffset=+1]
include::modules/oadp-self-service-admin-spec-enforce-nab.adoc[leveloffset=+1]
include::modules/oadp-self-service-admin-spec-enforce-nar.adoc[leveloffset=+1]

24
backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-namespace-admin-use-cases.adoc Normal file
View File

@@ -0,0 +1,24 @@
:_mod-docs-content-type: ASSEMBLY
[id="oadp-self-service-namespace-admin-use-cases"]
= {oadp-short} Self-Service namespace admin use cases
include::_attributes/common-attributes.adoc[]
:context: oadp-self-service-namespace-admin-use-cases
toc::[]
As a namespace admin user, you can use the Self-Service feature in the following scenarios:
* Create a backup storage location in your authorized namespace.
* Create a `NonAdminBackup` (NAB) custom resource (CR).
* Create a `NonAdminRestore` (NAR) CR.
* Review NAB and NAR logs.
include::modules/oadp-self-service-creating-nabsl.adoc[leveloffset=+1]
include::modules/oadp-self-service-creating-nab.adoc[leveloffset=+1]
include::modules/oadp-self-service-creating-nar.adoc[leveloffset=+1]
include::modules/oadp-self-service-about-nadr.adoc[leveloffset=+1]
include::modules/oadp-self-service-nab-nar-logs.adoc[leveloffset=+1]

13
backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-troubleshooting.adoc Normal file
View File

@@ -0,0 +1,13 @@
:_mod-docs-content-type: ASSEMBLY
[id="oadp-self-service-troubleshooting"]
= {oadp-short} Self-Service troubleshooting
include::_attributes/common-attributes.adoc[]
:context: oadp-self-service-troubleshooting
toc::[]
You can use the following sections to troubleshoot common errors when using {oadp-short} Self-Service.
include::modules/oadp-self-service-troubleshoot-nabsl-same-ns.adoc[leveloffset=+1]
include::modules/oadp-self-service-troubleshoot-nabsl-default.adoc[leveloffset=+1]

30
backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service.adoc Normal file
View File

@@ -0,0 +1,30 @@
:_mod-docs-content-type: ASSEMBLY
[id="oadp-self-service"]
= {oadp-short} Self-Service
include::_attributes/common-attributes.adoc[]
:context: oadp-self-service
toc::[]
{oadp-full} ({oadp-short}) 1.5.0 introduces a new feature named {oadp-short} Self-Service, enabling namespace admin users to back up and restore applications on {product-title}.
include::modules/oadp-self-service-overview.adoc[leveloffset=+1]
[role="_additional-resources"]
.Additional resources
* xref:../../../authentication/identity_providers/configuring-htpasswd-identity-provider.adoc#configuring-htpasswd-identity-provider[Configuring an htpasswd identity provider]
include::modules/oadp-self-service-components.adoc[leveloffset=+1]
include::modules/oadp-self-service-how-it-works.adoc[leveloffset=+1]
include::modules/oadp-self-service-prerequisites.adoc[leveloffset=+1]
include::modules/oadp-self-service-namespace-permissions.adoc[leveloffset=+1]
include::modules/oadp-self-service-unsupported-features.adoc[leveloffset=+1]
include::modules/oadp-self-service-phases.adoc[leveloffset=+1]
include::modules/oadp-self-service-about-nabsl.adoc[leveloffset=+1]

1
backup_and_restore/application_backup_and_restore/oadp-self-service/snippets Symbolic link
View File

@@ -0,0 +1 @@
../../../snippets/

576
images/oadp-self-service.svg Normal file
View File

@@ -0,0 +1,576 @@
<?xml version="1.0" encoding="UTF-8" standalone="no"?>
<!-- Created with Inkscape (http://www.inkscape.org/) -->
<svg
width="760"
height="400"
viewBox="0 0 201.08333 105.83333"
version="1.1"
id="svg1"
inkscape:version="1.4 (e7c3feb100, 2024-10-09)"
sodipodi:docname="oadp-self-service.svg"
xmlns:inkscape="http://www.inkscape.org/namespaces/inkscape"
xmlns:sodipodi="http://sodipodi.sourceforge.net/DTD/sodipodi-0.dtd"
xmlns:xlink="http://www.w3.org/1999/xlink"
xmlns="http://www.w3.org/2000/svg"
xmlns:svg="http://www.w3.org/2000/svg">
<sodipodi:namedview
id="namedview1"
pagecolor="#ffffff"
bordercolor="#000000"
borderopacity="0.25"
inkscape:showpageshadow="2"
inkscape:pageopacity="0.0"
inkscape:pagecheckerboard="0"
inkscape:deskcolor="#d1d1d1"
inkscape:document-units="px"
showgrid="true"
inkscape:zoom="3.5200001"
inkscape:cx="29.403408"
inkscape:cy="296.87499"
inkscape:window-width="2560"
inkscape:window-height="1461"
inkscape:window-x="0"
inkscape:window-y="0"
inkscape:window-maximized="1"
inkscape:current-layer="layer1">
<inkscape:grid
id="grid1"
units="px"
originx="0"
originy="0"
spacingx="1.3229166"
spacingy="1.3229166"
empcolor="#0099e5"
empopacity="0.30196078"
color="#0099e5"
opacity="0.14901961"
empspacing="2"
enabled="true"
visible="true" />
</sodipodi:namedview>
<defs
id="defs1">
<symbol
id="red-hat-diagram-icons.svg:user">
<title
id="title8">User</title>
<g
id="user_transform"
transform="matrix(0.26458333,0,0,0.26458333,-156.42166,-19.83052)">
<path
class="cls-10"
d="m 628.85,112.21 c 0,-10.06 -8.26,-18.22 -18.45,-18.22 -10.19,0 -18.45,8.16 -18.45,18.22 z"
id="path117"
style="fill:#ffffff;stroke:#4d4d4d;stroke-width:1.5px;stroke-linecap:round;stroke-linejoin:round" />
<ellipse
class="cls-10"
cx="610.40002"
cy="84.849998"
rx="9.2600002"
ry="9.1499996"
id="ellipse117"
style="fill:#ffffff;stroke:#4d4d4d;stroke-width:1.5px;stroke-linecap:round;stroke-linejoin:round" />
</g>
</symbol>
<marker
style="overflow:visible"
id="Triangle"
refX="0"
refY="0"
orient="auto-start-reverse"
inkscape:stockid="Triangle arrow"
markerWidth="1.6"
markerHeight="1.6"
viewBox="0 0 1 1"
inkscape:isstock="true"
inkscape:collect="always"
preserveAspectRatio="xMidYMid">
<path
transform="scale(0.5)"
style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
d="M 5.77,0 -2.88,5 V -5 Z"
id="path135" />
</marker>
<marker
style="overflow:visible"
id="Triangle-4-8"
refX="0"
refY="0"
orient="auto-start-reverse"
inkscape:stockid="Triangle arrow"
markerWidth="1.6"
markerHeight="1.6"
viewBox="0 0 1 1"
inkscape:isstock="true"
inkscape:collect="always"
preserveAspectRatio="xMidYMid">
<path
transform="scale(0.5)"
style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
d="M 5.77,0 -2.88,5 V -5 Z"
id="path135-9-0" />
</marker>
<symbol
id="red-hat-diagram-icons.svg:storage_stack">
<title
id="title3">Storage stack, repo, database</title>
<g
id="storage_stack_transform"
transform="matrix(0.26458333,0,0,0.26458333,-33.438041,-47.429208)">
<path
class="cls-10"
d="m 145.58,180.01 c -10.19,0 -18.45,4.06 -18.45,9.69 v 16.94 c 0,5.63 8.26,10.19 18.45,10.19 10.19,0 18.45,-4.56 18.45,-10.19 V 189.7 c 0,-5.63 -8.26,-9.69 -18.45,-9.69 z"
id="path131"
style="fill:#ffffff;stroke:#4d4d4d;stroke-width:1.5px;stroke-linecap:round;stroke-linejoin:round" />
<path
class="cls-10"
d="m 164.03,200.95 c 0,5.63 -8.26,10.19 -18.45,10.19 -10.19,0 -18.45,-4.56 -18.45,-10.19"
id="path132"
style="fill:#ffffff;stroke:#4d4d4d;stroke-width:1.5px;stroke-linecap:round;stroke-linejoin:round" />
<path
class="cls-10"
d="m 164.03,195.2 c 0,5.63 -8.26,10.19 -18.45,10.19 -10.19,0 -18.45,-4.56 -18.45,-10.19"
id="path133"
style="fill:#ffffff;stroke:#4d4d4d;stroke-width:1.5px;stroke-linecap:round;stroke-linejoin:round" />
<path
class="cls-10"
d="m 164.03,189.7 c 0,5.63 -8.26,10.19 -18.45,10.19 -10.19,0 -18.45,-4.56 -18.45,-10.19 0,-5.63 8.26,-9.69 18.45,-9.69 10.19,0 18.45,4.06 18.45,9.69 z"
id="path134"
style="fill:#ffffff;stroke:#4d4d4d;stroke-width:1.5px;stroke-linecap:round;stroke-linejoin:round" />
</g>
</symbol>
<marker
style="overflow:visible"
id="Triangle-4-8-2"
refX="0"
refY="0"
orient="auto-start-reverse"
inkscape:stockid="Triangle arrow"
markerWidth="1.6"
markerHeight="1.6"
viewBox="0 0 1 1"
inkscape:isstock="true"
inkscape:collect="always"
preserveAspectRatio="xMidYMid">
<path
transform="scale(0.5)"
style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
d="M 5.77,0 -2.88,5 V -5 Z"
id="path135-9-0-3" />
</marker>
<marker
style="overflow:visible"
id="Triangle-4-8-02"
refX="0"
refY="0"
orient="auto-start-reverse"
inkscape:stockid="Triangle arrow"
markerWidth="1.6"
markerHeight="1.6"
viewBox="0 0 1 1"
inkscape:isstock="true"
inkscape:collect="always"
preserveAspectRatio="xMidYMid">
<path
transform="scale(0.5)"
style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
d="M 5.77,0 -2.88,5 V -5 Z"
id="path135-9-0-9" />
</marker>
<marker
style="overflow:visible"
id="Triangle-4-8-2-7"
refX="0"
refY="0"
orient="auto-start-reverse"
inkscape:stockid="Triangle arrow"
markerWidth="1.6"
markerHeight="1.6"
viewBox="0 0 1 1"
inkscape:isstock="true"
inkscape:collect="always"
preserveAspectRatio="xMidYMid">
<path
transform="scale(0.5)"
style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
d="M 5.77,0 -2.88,5 V -5 Z"
id="path135-9-0-3-8" />
</marker>
<marker
style="overflow:visible"
id="Triangle-4-8-02-2"
refX="0"
refY="0"
orient="auto-start-reverse"
inkscape:stockid="Triangle arrow"
markerWidth="1.6"
markerHeight="1.6"
viewBox="0 0 1 1"
inkscape:isstock="true"
inkscape:collect="always"
preserveAspectRatio="xMidYMid">
<path
transform="scale(0.5)"
style="fill:context-stroke;fill-rule:evenodd;stroke:context-stroke;stroke-width:1pt"
d="M 5.77,0 -2.88,5 V -5 Z"
id="path135-9-0-9-0" />
</marker>
</defs>
<g
inkscape:label="Layer 1"
inkscape:groupmode="layer"
id="layer1">
<g
id="g18">
<rect
style="fill:#e0e0e0;stroke:none;stroke-width:0.529167;stroke-dasharray:2.11668, 0.529167;stroke-dashoffset:0.529167"
id="rect17"
width="83.478485"
height="72.760422"
x="3.8340125"
y="22.489582" />
<text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-size:3.70417px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#151515;stroke:none;stroke-width:0.529167;stroke-dasharray:2.11667, 0.529167;stroke-dashoffset:0.529167"
x="43.65625"
y="93.927078"
id="text14"><tspan
sodipodi:role="line"
id="tspan14"
style="font-size:3.70417px;fill:#151515;stroke-width:0.529167"
x="43.65625"
y="93.927078">User namespace</tspan></text>
</g>
<use
xlink:href="#red-hat-diagram-icons.svg:user"
id="use1"
transform="matrix(1.5840108,0,0,1.5965489,5.1052473,53.085869)"
style="stroke-width:0.628825" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264584;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Triangle)"
d="m 21.221832,62.435868 c 23.757333,0 23.757333,0 23.757333,0"
id="path3" />
<rect
style="fill:#e0e0e0;stroke:none;stroke-width:0.529167;stroke-dasharray:2.11667, 0.529167;stroke-dashoffset:0.529167"
id="rect18"
width="103.18749"
height="72.760414"
x="92.604164"
y="22.489582" />
<rect
style="fill:#e0f0ff;stroke-width:0.264583;stroke-dasharray:none"
id="rect2"
width="52.993793"
height="24.091309"
x="95.172867"
y="50.270832" />
<rect
style="fill:#e0f0ff;stroke-width:0.264583;stroke-dasharray:none"
id="rect3"
width="37.041668"
height="15.875"
x="156.02704"
y="53.195477" />
<rect
style="fill:#e0f0ff;stroke-width:0.264583;stroke-dasharray:none"
id="rect3-1"
width="37.041668"
height="15.875"
x="46.302082"
y="52.916664" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264586;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 124.38188,29.724419 c 0,-9.692697 0,-9.692697 0,-9.692697"
id="path7-9" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264584;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 66.200999,52.773785 c 0,-15.57501 0,-15.57501 0,-15.57501"
id="path7" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264584;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 108.61146,87.196235 c 0,-12.704716 0,-12.704716 0,-12.704716"
id="path7-3" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264584;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 66.200995,37.188183 c 42.201045,0 42.201045,0 42.201045,0"
id="path11" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264584;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 134.8052,50.138541 c 0,-13.096875 0,-13.096875 0,-13.096875"
id="path7-93" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264585;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 174.54787,87.442515 c 0,-18.320129 0,-18.320129 0,-18.320129"
id="path7-93-5" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264584;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 134.93705,37.041666 c 39.55609,0 39.55609,0 39.55609,0"
id="path11-1" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264584;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 134.8052,87.44479 c 39.6875,0 39.6875,0 39.6875,0"
id="path11-1-0" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264584;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Triangle-4-8)"
d="m 108.40204,37.188183 c 0.0611,11.447086 0.0611,11.447086 0.0611,11.447086"
id="path3-0-2" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264584;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Triangle-4-8-2)"
d="m 124.29306,33.130498 c 0.0611,15.776749 0.0611,15.776749 0.0611,15.776749"
id="path3-0-2-5" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264585;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Triangle-4-8-2-7)"
d="m 174.56389,37.02463 c 0.0611,14.569118 0.0611,14.569118 0.0611,14.569118"
id="path3-0-2-5-5" />
<use
xlink:href="#red-hat-diagram-icons.svg:storage_stack"
id="use1-6"
transform="matrix(1.2926828,0,0,1.3343291,117.78733,2.3810527)"
style="stroke-width:0.761417" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264584;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Triangle-4-8-02)"
d="m 66.094401,87.114868 c 0.05143,-16.964065 0.05143,-16.964065 0.05143,-16.964065"
id="path3-0-2-35" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264584;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1;marker-end:url(#Triangle-4-8-02-2)"
d="m 134.88609,87.443584 c 0.0514,-11.602096 0.0514,-11.602096 0.0514,-11.602096"
id="path3-0-2-35-1" />
<path
style="fill:#151515;stroke:#151515;stroke-width:0.264584;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
d="m 66.295477,87.312498 c 42.183683,0 42.183683,0 42.183683,0"
id="path11-2" />
<text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-size:3.175px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#151515;stroke-width:0.264583;stroke-dasharray:none"
x="64.69857"
y="60.564182"
id="text3"><tspan
sodipodi:role="line"
id="tspan3"
style="font-size:3.175px;stroke-width:0.264583"
x="64.69857"
y="60.564182">NonAdminBackup</tspan><tspan
sodipodi:role="line"
style="font-size:3.175px;stroke-width:0.264583"
x="64.69857"
y="64.532928"
id="tspan4">(NAB)</tspan></text>
<text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-size:3.175px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#151515;stroke-width:0.264583;stroke-dasharray:none"
x="120.38541"
y="61.383331"
id="text5"><tspan
sodipodi:role="line"
id="tspan5"
style="font-size:3.175px;stroke-width:0.264583"
x="120.38541"
y="61.383331">NonAdminController</tspan><tspan
sodipodi:role="line"
style="font-size:3.175px;stroke-width:0.264583"
x="120.38541"
y="65.352081"
id="tspan6">(NAC)</tspan></text>
<text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-size:3.175px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#151515;stroke-width:0.264583;stroke-dasharray:none"
x="175.15416"
y="60.060417"
id="text7"><tspan
sodipodi:role="line"
id="tspan7"
style="font-size:3.175px;stroke-width:0.264583"
x="175.15416"
y="60.060417">Velero backup </tspan><tspan
sodipodi:role="line"
style="font-size:3.175px;stroke-width:0.264583"
x="175.15416"
y="64.029167"
id="tspan8">object</tspan></text>
<g
id="g21"
transform="matrix(1.4484747,0,0,1.4482824,-13.484509,-72.500855)"
style="stroke-width:0.690428">
<ellipse
style="fill:#151515;stroke:#151515;stroke-width:0.182675;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
id="path20"
cx="31.022398"
cy="95.845322"
rx="1.9182298"
ry="1.9182267" />
<text
xml:space="preserve"
style="font-weight:500;font-size:2.82223px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#ffffff;stroke:#ffffff;stroke-width:0.182675;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
x="31.071789"
y="96.833099"
id="text21"><tspan
sodipodi:role="line"
id="tspan21"
style="fill:#ffffff;stroke:#ffffff;stroke-width:0.182675"
x="31.071789"
y="96.833099">1</tspan></text>
</g>
<g
id="g24"
transform="matrix(1.4462178,0,0,1.450275,27.880607,-95.5371)"
style="stroke-width:0.690491">
<ellipse
style="fill:#151515;stroke:#151515;stroke-width:0.182693;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
id="path20-3"
cx="38.350475"
cy="94.246704"
rx="1.9182298"
ry="1.9182267" />
<text
xml:space="preserve"
style="font-weight:500;font-size:2.82223px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#ffffff;stroke:#ffffff;stroke-width:0.182693;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
x="38.364586"
y="95.250008"
id="text21-8"><tspan
sodipodi:role="line"
id="tspan21-3"
style="fill:#ffffff;stroke:#ffffff;stroke-width:0.182693"
x="38.364586"
y="95.250008">2</tspan></text>
</g>
<g
id="g25"
transform="matrix(1.4450764,0,0,1.4513352,19.470794,-54.115463)"
style="stroke-width:0.690512">
<ellipse
style="fill:#151515;stroke:#151515;stroke-width:0.182697;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
id="path20-4"
cx="44.113098"
cy="94.712242"
rx="1.9182298"
ry="1.9182267" />
<text
xml:space="preserve"
style="font-weight:500;font-size:2.82223px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#ffffff;stroke:#ffffff;stroke-width:0.182697;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
x="44.137089"
y="95.70002"
id="text23"><tspan
sodipodi:role="line"
id="tspan23"
style="stroke-width:0.182697"
x="44.137089"
y="95.70002">3</tspan></text>
</g>
<g
id="g23"
transform="matrix(1.4450761,0,0,1.4502751,105.69452,-92.758835)"
style="stroke-width:0.690763">
<ellipse
style="fill:#151515;stroke:#151515;stroke-width:0.182765;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
id="path20-4-7"
cx="34.883724"
cy="92.331017"
rx="1.9182298"
ry="1.9182267" />
<text
xml:space="preserve"
style="font-weight:500;font-size:2.82223px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#ffffff;stroke:#ffffff;stroke-width:0.182765;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
x="34.876671"
y="93.318794"
id="text23-9"><tspan
sodipodi:role="line"
id="tspan23-0"
style="stroke-width:0.182765"
x="34.876671"
y="93.318794">4</tspan></text>
</g>
<g
id="g1-7"
transform="matrix(1.4450761,0,0,1.4502751,105.6202,-50.603204)"
style="stroke-width:0.690763">
<g
id="g21-0-3"
transform="translate(1.0968644e-6,0.13228412)"
style="stroke-width:0.690763">
<ellipse
style="fill:#151515;stroke:#151515;stroke-width:0.182765;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
id="path20-4-2"
cx="34.991146"
cy="92.27346"
rx="1.9182298"
ry="1.9182267" />
<text
xml:space="preserve"
style="font-weight:500;font-size:2.82223px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#ffffff;stroke:#ffffff;stroke-width:0.182765;stroke-linecap:round;stroke-linejoin:round;stroke-dasharray:none;stroke-opacity:1"
x="35.006668"
y="93.24572"
id="text23-6"><tspan
sodipodi:role="line"
id="tspan23-5"
style="stroke-width:0.182765"
x="35.006668"
y="93.24572">5</tspan></text>
</g>
</g>
<text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-size:3.175px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#151515;stroke-width:0.264583;stroke-dasharray:none"
x="12.939186"
y="74.036766"
id="text9"><tspan
sodipodi:role="line"
style="font-size:3.175px;stroke-width:0.264583"
x="12.939185"
y="74.036766"
id="tspan16">Namespace</tspan><tspan
sodipodi:role="line"
style="font-size:3.175px;stroke-width:0.264583"
x="12.939186"
y="78.005516"
id="tspan2">admin user</tspan></text>
<text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-size:3.175px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#151515;stroke-width:0.264583;stroke-dasharray:none"
x="124.97224"
y="32.753296"
id="text10"><tspan
sodipodi:role="line"
id="tspan10"
style="font-size:3.175px;stroke-width:0.264583"
x="124.97224"
y="32.753296">Installs</tspan></text>
<text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-size:3.175px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#151515;stroke-width:0.264583;stroke-dasharray:none"
x="125.94167"
y="18.520832"
id="text11"><tspan
sodipodi:role="line"
id="tspan11"
style="font-size:3.175px;stroke-width:0.264583"
x="125.94167"
y="18.520832">OADP Operator deployment</tspan></text>
<path
style="fill:#151515;stroke-width:0.264583;stroke-dasharray:none"
d="m 92.604166,7.9374999 c 0,95.2500001 0,95.2500001 0,95.2500001"
id="path12" />
<text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-size:4.23333px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#151515;stroke:none;stroke-width:0.529167;stroke-dasharray:2.11667, 0.529167;stroke-dashoffset:0.529167"
x="18.520834"
y="97.895836"
id="text13"><tspan
sodipodi:role="line"
id="tspan13"
style="stroke-width:0.529167;stroke:none"
x="18.520834"
y="97.895836" /></text>
<text
xml:space="preserve"
style="font-style:normal;font-variant:normal;font-weight:500;font-stretch:normal;font-size:3.70416658px;font-family:'Red Hat Text';-inkscape-font-specification:'Red Hat Text Medium';text-align:center;writing-mode:lr-tb;direction:ltr;text-anchor:middle;fill:#151515;stroke:none;stroke-width:0.529167;stroke-dasharray:2.11667, 0.529167;stroke-dashoffset:0.529167"
x="137.58333"
y="93.927078"
id="text15"><tspan
sodipodi:role="line"
id="tspan15"
style="stroke-width:0.529167;font-size:3.70416658px"
x="137.58333"
y="93.927078">OADP Operator namespace</tspan></text>
</g>
</svg>
Side by Side

After

Width:  |  Height:  |  Size: 24 KiB

27
modules/oadp-self-service-about-nabsl.adoc Normal file
View File

@@ -0,0 +1,27 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service.adoc
:_mod-docs-content-type: CONCEPT
[id="oadp-self-service-about-nabsl_{context}"]
= About NonAdminBackupStorageLocation CR
A namespace administrator can create a `NonAdminBackupStorageLocation` (NABSL) custom resource (CR) to store the backup data.
To ensure that the NABSL CR is created and used securely, use cluster administrator controls. The cluster administrator manages the NABSL CR to comply with company policies, and compliance requirements.
You can create a NABSL CR by using one of the following workflows:
* *Administrator creation workflow*: In this workflow, the cluster administrator creates the NABSL CR for the namespace admin user. The namespace admin user then references the NABSL in the `NonAdminBackup` CR.
* *Administrator approval workflow*: The cluster administrator must explicitly enable this opt-in feature in the DPA by setting the `nonAdmin.requireApprovalForBSL` field to `true`. The cluster administrator approval process works as follows:
.. A namespace admin user creates a NABSL CR. Because the administrator has enforced an approval process in the DPA, it triggers the creation of a `NonAdminBackupStorageLocationRequest` CR in the `openshift-adp` namespace.
.. The cluster administrator reviews the request and either approves or rejects the request.
** If approved, a `Velero` `BackupStorageLocation` (BSL) is created in the `openshift-adp` namespace, and the NABSL CR status is updated to reflect the approval.
** If rejected, the status of the NABSL CR is updated to reflect the rejection.
.. The cluster administrator can also revoke a previously approved NABSL CR. The `approve` field is set back to `pending` or `reject`. This results in the deletion of the `Velero` BSL, and the namespace admin user is notified of the rejection.
* *Automatic approval workflow*: In this workflow, the cluster administrator has not enforced an approval process for the NABSL CR by setting the `nonAdmin.requireApprovalForBSL` field in the DPA to `false`. The default value of this field is `false`. Not setting the field results in an automatic approval of the NABSL. Therefore, the namespace admin user can create the NABSL CR from their authorized namespace.
[IMPORTANT]
====
For security purposes, use either the administrator creation or the administrator approval workflow. The automatic approval workflow is less secure as it does not require administrator review.
====

27
modules/oadp-self-service-about-nadr.adoc Normal file
View File

@@ -0,0 +1,27 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-namespace-admin-use-cases.adoc
:_mod-docs-content-type: REFERENCE
[id="oadp-self-service-about-nadr_{context}"]
= About NonAdminDownloadRequest CR
As a namespace admin user, you can use the `NonAdminDownloadRequest` (NADR) custom resource (CR) to access detailed information about your backups and restores for troubleshooting.
This CR provides information that is equivalent to what a cluster administrator can access by using the `velero backup describe --details` command.
After the NADR CR request is validated, a secure download URL is generated to access the requested information.
You can download the following NADR resources:
.NADR resources
|===
| *Resource type* | *Description* | *Equivalent to*
| `BackupResourceList` | List of resources included in the backup | `velero backup describe --details` (resource listing)
| `BackupContents` | Contents of files backed up | Part of backup details
| `BackupLog` | Logs from the backup operation | `velero backup logs`
| `BackupVolumeSnapshots` | Information about volume snapshots | `velero backup describe --details` (snapshots section)
| `BackupItemOperations` | Information about item operations performed during backup | `velero backup describe --details` (operations section)
| `RestoreLog` | Logs from the restore operation | `velero restore logs`
| `RestoreResults` | Detailed results of the restore | `velero restore describe --details`
|===

90
modules/oadp-self-service-admin-enable-disable.adoc Normal file
View File

@@ -0,0 +1,90 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-cluster-admin-use-cases.adoc
:_mod-docs-content-type: PROCEDURE
[id="oadp-self-service-admin-enable-disable_{context}"]
= Enabling and disabling {oadp-short} Self-Service
You must be a cluster administrator to enable the {oadp-short} Self-Service feature. You can use the `spec.nonAdmin.enable` section of the `DataProtectionApplication` (DPA) custom resource (CR) to enable and disable the Self-Service feature.
Enabling the Self-Service feature installs the `NonAdminController` (NAC) CR in the {oadp-short} Operator namespace.
[NOTE]
====
You can install only one instance of the `NonAdminController` (NAC) CR in the cluster. If you install multiple instances of the NAC CR, you get the following error:
.Example error
[source,terminal]
----
message: only a single instance of Non-Admin Controller can be installed across the entire cluster. Non-Admin controller is already configured and installed in openshift-adp namespace.
----
====
.Prerequisites
* You are logged in to the cluster with the `cluster-admin` role.
* You have installed the {oadp-short} Operator.
* You have configured the DPA.
.Procedure
* To enable {oadp-short} Self-Service, edit the DPA CR to configure the `nonAdmin.enable` section. See the following example configuration:
+
.Example `DataProtectionApplication` CR
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
name: oadp-backup
namespace: openshift-adp
spec:
configuration:
nodeAgent:
enable: true
uploaderType: kopia
velero:
defaultPlugins:
- aws
- openshift
- csi
defaultSnapshotMoveData: true
nonAdmin: # <1>
enable: true # <2>
backupLocations:
- velero:
config:
profile: "default"
region: noobaa
s3Url: https://s3.openshift-storage.svc
s3ForcePathStyle: "true"
insecureSkipTLSVerify: "true"
provider: aws
default: true
credential:
key: cloud
name: <cloud_credentials>
objectStorage:
bucket: <bucket_name>
prefix: oadp
----
<1> Add the `nonAdmin.enable` section in the `spec` section of the DPA.
<2> Set the `enable` field to `true`. To disable the Self-Service feature, set the `enable` field to `false`.
.Verification
* To verify that the `NonAdminController` (NAC) pod is running in the {oadp-short} namespace, run the following command:
+
[source,terminal]
----
$ oc get pod -n openshift-adp -l control-plane=non-admin-controller
----
+
.Example output
+
[source,terminal]
----
NAME READY STATUS RESTARTS AGE
non-admin-controller-5d....f5-p..9p 1/1 Running 0 99m
----

47
modules/oadp-self-service-admin-spec-enforce-nab.adoc Normal file
View File

@@ -0,0 +1,47 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-cluster-admin-use-cases.adoc
:_mod-docs-content-type: REFERENCE
[id="oadp-self-service-admin-spec-enforce-nab_{context}"]
= Self-Service administrator spec enforcement for NAB
As a cluster administrator, you can enforce the following fields for a `NonAdminBackup` (NAB) CR:
* `csiSnapshotTimeout`
* `itemOperationTimeout`
* `resourcePolicy`
* `includedResources`
* `excludedResources`
* `orderedResources`
* `includeClusterResources`
* `excludedClusterScopedResources`
* `excludedNamespaceScopedResources`
* `includedNamespaceScopedResources`
* `labelSelector`
* `orLabelSelectors`
* `snapshotVolumes`
* `ttl`
* `snapshotMoveData`
* `uploaderConfig.parallelFilesUpload`
If you want to enforce a `ttl` value and a Data Mover backup for a namespace admin user, you can set up the `DataProtectionApplication` (DPA) CR as shown in the following example:
.Example `DataProtectionApplication` CR
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
...
spec:
nonAdmin:
enable: true
enforceBackupSpec: # <1>
snapshotMoveData: true # <2>
ttl: 158h0m0s # <3>
----
<1> Add the `enforceBackupSpec` section.
<2> Enforce Data Mover by setting the `snapshotMoveData` field to `true`.
<3> Enforce the `ttl` value by setting the field to `158h0m0s`.
When a namespace admin user creates a NAB CR, they must follow the template set up in the DPA. Otherwise, the `status.phase` field on the NAB CR is set to `BackingOff` and the NAB CR fails to create.

42
modules/oadp-self-service-admin-spec-enforce-nabsl.adoc Normal file
View File

@@ -0,0 +1,42 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-cluster-admin-use-cases.adoc
:_mod-docs-content-type: REFERENCE
[id="oadp-self-service-admin-spec-enforce-nabsl_{context}"]
= Self-Service administrator spec enforcement for NABSL
As a cluster administrator, you can enforce the following fields for a `NonAdminBackupStorageLocation` (NABSL) custom resource (CR):
* `objectStorage`
* `credential`
* `config`
* `accessMode`
* `validationFrequency`
For example, if you want to enforce a namespace admin user to use a specific storage bucket, you can set up the `DataProtectionApplication` (DPA) CR as following:
.Example `DataProtectionApplication` CR
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
...
spec:
nonAdmin:
enable: true
enforceBSLSpec: # <1>
config: # <2>
checksumAlgorithm: ""
profile: default
region: us-west-2
objectStorage: # <3>
bucket: my-company-bucket
prefix: velero
provider: aws
----
<1> Add the `enforceBSLSpec` section.
<2> Enforce the `config` section of a NABSL to use an {aws-short} S3 bucket in the `us-west-2` region.
<3> Enforce the `objectStorage` section of a NABSL to use a company bucket named `my-company-bucket`.
When a namespace admin user creates a NABSL, they must follow the template set up in the DPA. Otherwise, the `status.phase` field on the NABSL CR is set to `BackingOff` and the NABSL fails to create.

20
modules/oadp-self-service-admin-spec-enforce-nar.adoc Normal file
View File

@@ -0,0 +1,20 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-cluster-admin-use-cases.adoc
:_mod-docs-content-type: REFERENCE
[id="oadp-self-service-admin-spec-enforce-nar_{context}"]
= Self-Service administrator spec enforcement for NAR
As a cluster administrator, you can enforce the following fields for a `NonAdminRestore` (NAR) custom resource (CR):
* `itemOperationTimeout`
* `uploaderConfig`
* `includedResources`
* `excludedResources`
* `restoreStatus`
* `includeClusterResources`
* `labelSelector`
* `orLabelSelectors`
* `restorePVs`
* `preserveNodePorts`

17
modules/oadp-self-service-admin-spec-enforcement.adoc Normal file
View File

@@ -0,0 +1,17 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-cluster-admin-use-cases.adoc
:_mod-docs-content-type: CONCEPT
[id="oadp-self-service-admin-spec-enforcement_{context}"]
= {oadp-short} Self-Service administrator DPA spec enforcement
As a cluster administrator, you can enforce policies in the `DataProtectionApplication` (DPA) spec template. The spec enforcement applies to Self-Service custom resources (CRs) such as `NonAdminBackup`, `NonAdminRestore`, and `NonAdminBackupStorageLocation`.
The cluster administrator can enforce a company, or a compliance policy by using the following fields in the `DataProtectionApplication` (DPA) CR:
`enforceBSLSpec`:: To enforce a policy on the `NonAdminBackupStorageLocation` CR.
`enforceBackupSpec`:: To enforce a policy on the `NonAdminBackup` CR.
`enforceRestoreSpec`:: To enforce a policy on the `NonAdminRestore` CR.
By using the enforceable fields, administrators can ensure that the NABSL, NAB, and NAR CRs created by a namespace admin user, comply with the administrator defined policy.

61
modules/oadp-self-service-approving-nabsl.adoc Normal file
View File

@@ -0,0 +1,61 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-cluster-admin-use-cases.adoc
:_mod-docs-content-type: PROCEDURE
[id="oadp-self-service-approving-nabsl_{context}"]
= Approving a NonAdminBackupStorageLocation request
As a cluster administrator, to approve a `NonAdminBackupStorageLocation` (NABSL) CR request, you can edit the `NonAdminBackupStorageLocationRequest` CR and set the `approvalDecision` field to `approve`.
.Prerequisites
* You are logged in to the cluster with the `cluster-admin` role.
* You have installed the {oadp-short} Operator.
* You have enabled {oadp-short} Self-Service in the `DataProtectionApplication` (DPA) CR.
* You have enabled the NABSL CR approval workflow in the DPA.
.Procedure
. To see the NABSL CR requests that are in queue for administrator approval, run the following command:
+
[source,terminal]
----
$ oc -n openshift-adp get NonAdminBackupStorageLocationRequests
----
+
.Example output
[source,terminal]
----
NAME REQUEST-PHASE REQUEST-NAMESPACE REQUEST-NAME AGE
non-admin-bsl-test-.....175 Approved non-admin-bsl-test incorrect-bucket-nabsl 4m57s
non-admin-bsl-test-.....196 Approved non-admin-bsl-test perfect-nabsl 5m26s
non-admin-bsl-test-s....e1a Rejected non-admin-bsl-test suspicious-sample 2m56s
non-admin-bsl-test-.....5e0 Pending non-admin-bsl-test waitingapproval-nabsl 4m20s
----
. To approve the NABSL CR request, set the `approvalDecision` field to `approve` by running the following command:
+
[source,terminal]
----
$ oc patch nabslrequest <nabsl_name> -n openshift-adp --type=merge -p '{"spec": {"approvalDecision": "approve"}}' # <1>
----
<1> Specify the name of the `NonAdminBackupStorageLocationRequest` CR.
.Verification
* Verify that the Velero backup storage location is created and the phase is `Available` by running the following command:
+
[source,terminal]
----
$ oc get velero.io.backupstoragelocation
----
+
.Example output
[source,terminal]
----
NAME PHASE LAST VALIDATED AGE DEFAULT
test-nac-test-bsl-cd...930 Available 62s 62s
----

19
modules/oadp-self-service-components.adoc Normal file
View File

@@ -0,0 +1,19 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service.adoc
:_mod-docs-content-type: REFERENCE
[id="oadp-self-service-custom-resources_{context}"]
= {oadp-short} Self-Service custom resources
The {oadp-short} Self-Service feature has the following new custom resources (CRs) to perform the backup and restore operations for a namespace admin user:
.Custom resources
|===
|*CR* |*Description*
|`NonAdminController` (NAC)| Controls and orchestrates the Self-Service operations.
|`NonAdminBackup` (NAB)| Manages namespace-scoped backup operations.
|`NonAdminRestore` (NAR)| Manages namespace-scoped restore operations.
|`NonAdminBackupStorageLocation` (NABSL)| Defines user-specific backup storage location.
|`NonAdminDownloadRequest` (NADR)| Manages namespace-scoped download request operations.
|===

160
modules/oadp-self-service-creating-nab.adoc Normal file
View File

@@ -0,0 +1,160 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-namespace-admin-use-cases.adoc
:_mod-docs-content-type: PROCEDURE
[id="oadp-self-service-creating-nab_{context}"]
= Creating a NonAdminBackup CR
As a namespace admin user, you can create a `NonAdminBackup` (NAB) custom resource (CR) to back up your application from your authorized namespace. NAB is an {product-title} CR that securely facilitates the creation of a `Velero` backup object. The `Velero` backup object reports the status back to the NAB CR that ultimately updates the `status.phase` field.
After you create a NAB CR, the CR undergoes the following phases:
* The initial phase for the CR is `New`.
* The CR creation request goes to the `NonAdminController` (NAC) for reconciliation and validation.
* Upon successful validation and creation of the `Velero` backup object, the `status.phase` field of the NAB CR is updated to the next phase, which is, `Created`.
Review the following important points when creating a NAB CR:
* The `NonAdminBackup` CR creates the `Velero` backup object securely so that other namespace admin users cannot access the CR.
* As a namespace admin user, you can only specify your authorized namespace in the NAB CR. You get an error when you specify a namespace you are not authorized to use.
.Prerequisites
* You are logged in to the cluster as a namespace admin user.
* The cluster administrator has installed the {oadp-short} Operator.
* The cluster administrator has configured the `DataProtectionApplication` (DPA) CR to enable {oadp-short} Self-Service.
* The cluster administrator has created a namespace for you and has authorized you to operate from that namespace.
* Optional: You can create and use a `NonAdminBackupStorageLocation` (NABSL) CR to store the backup data. If you do not use a NABSL CR, then the backup is stored in the default backup storage location configured in the DPA.
.Procedure
. To create a `NonAdminBackup` CR, create a YAML manifest file with the following configuration:
+
.Example `NonAdminBackup` CR
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackup
metadata:
name: test-nab # <1>
spec:
backupSpec:
defaultVolumesToFsBackup: true # <2>
snapshotMoveData: false # <3>
storageLocation: test-bsl # <4>
----
<1> Specify a name for the NAB CR, for example, `test-nab`.
<2> To use File System Backup (FSB), set `defaultVolumesToFsBackup` to `true`.
<3> If you want to backup your data volumes by using the Data Mover, set the `snapshotMoveData` to `true`. This example uses the FSB for backup.
<4> Optionally, set a NABSL CR as a storage location. If you do not set a `storageLocation`, then the default backup storage location configured in the DPA is used.
. To apply the NAB CR configuration, run the following command:
+
[source,terminal]
----
$ oc apply -f <nab_cr_filename> # <1>
----
<1> Specify the file name containing the NAB CR configuration.
.Verification
* To verify that the NAB CR is successfully created, run the following command:
+
[source,terminal]
----
$ oc get nab test-nab -o yaml
----
+
.Example output
+
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackup
metadata:
creationTimestamp: "2025-03-06T10:02:56Z"
finalizers:
- nonadminbackup.oadp.openshift.io/finalizer
generation: 2
name: test-nab
namespace: test-nac-ns # <1>
resourceVersion: "134316"
uid: c5...4c8a8
spec:
backupSpec:
csiSnapshotTimeout: 0s
defaultVolumesToFsBackup: true
hooks: {}
itemOperationTimeout: 0s
metadata: {}
storageLocation: test-bsl
ttl: 0s
status:
conditions:
- lastTransitionTime: "202...56Z"
message: backup accepted # <2>
reason: BackupAccepted
status: "True"
type: Accepted
- lastTransitionTime: "202..T10:02:56Z"
message: Created Velero Backup object
reason: BackupScheduled
status: "True"
type: Queued
dataMoverDataUploads: {}
fileSystemPodVolumeBackups: # <3>
completed: 2
total: 2
phase: Created # <4>
queueInfo:
estimatedQueuePosition: 0 # <5>
veleroBackup:
nacuuid: test-nac-test-nab-d2...a9b14 # <6>
name: test-nac-test-nab-d2...b14 # <7>
namespace: openshift-adp
spec:
csiSnapshotTimeout: 10m0s
defaultVolumesToFsBackup: true
excludedResources:
- nonadminbackups
- nonadminrestores
- nonadminbackupstoragelocations
- securitycontextconstraints
- clusterroles
- clusterrolebindings
- priorityclasses
- customresourcedefinitions
- virtualmachineclusterinstancetypes
- virtualmachineclusterpreferences
hooks: {}
includedNamespaces:
- test-nac-ns
itemOperationTimeout: 4h0m0s
metadata: {}
snapshotMoveData: false
storageLocation: test-nac-test-bsl-bf..02b70a
ttl: 720h0m0s
status: # <8>
completionTimestamp: "2025-0..3:13Z"
expiration: "2025..2:56Z"
formatVersion: 1.1.0
hookStatus: {}
phase: Completed # <9>
progress:
itemsBackedUp: 46
totalItems: 46
startTimestamp: "2025-..56Z"
version: 1
warnings: 1
----
<1> The namespace name that the `NonAdminController` CR sets on the `Velero` backup object to back up.
<2> The NAC has reconciled and validated the NAB CR and has created the `Velero` backup object.
<3> The `fileSystemPodVolumeBackups` field indicates the number of volumes that are backed up by using FSB.
<4> The NAB CR is in the `Created` phase.
<5> This field indicates the queue position of the backup object. There can be multiple backups in process, and each backup object is assigned a queue position. When the backup is complete, the queue position is set to `0`.
<6> The NAC creates the `Velero` backup object and sets the value for the `nacuuid` field.
<7> The name of the associated `Velero` backup object.
<8> The status of the `Velero` backup object.
<9> The `Velero` backup object is in the `Completed` phase and the backup is successful.

165
modules/oadp-self-service-creating-nabsl.adoc Normal file
View File

@@ -0,0 +1,165 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-namespace-admin-use-cases.adoc
:_mod-docs-content-type: PROCEDURE
[id="oadp-self-service-creating-nabsl_{context}"]
= Creating a NonAdminBackupStorageLocation CR
You can create a `NonAdminBackupStorageLocation` (NABSL) custom resource (CR) in your authorized namespace. After the cluster administrator approves the NABSL CR request, you can use the NABSL CR in the `NonAdminBackup` CR spec.
.Prerequisites
* You are logged in to the cluster as a namespace admin user.
* The cluster administrator has installed the {oadp-short} Operator.
* The cluster administrator has configured the `DataProtectionApplication` (DPA) CR to enable {oadp-short} Self-Service.
* The cluster administrator has created a namespace for you and has authorized you to operate from that namespace.
.Procedure
. Create a `Secret` CR by using the cloud credentials file content for your cloud provider. Run the following command:
+
[source,terminal]
----
$ oc create secret generic cloud-credentials -n test-nac-ns --from-file <cloud_key_name>=<cloud_credentials_file> # <1>
----
<1> In this example, the `Secret` name is `cloud-credentials` and the authorized namespace name is `test-nac-ns`. Replace `<cloud_key_name>` and `<cloud_credentials_file>` with your cloud key name and the cloud credentials file name, respectively.
. To create a `NonAdminBackupStorageLocation` CR, create a YAML manifest file with the following configuration:
+
.Example `NonAdminBackupStorageLocation` CR
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackupStorageLocation
metadata:
name: test-nabsl
namespace: test-nac-ns # <1>
spec:
backupStorageLocationSpec:
config:
profile: default
region: <region_name> # <2>
credential:
key: cloud
name: cloud-credentials
objectStorage:
bucket: <bucket_name> # <3>
prefix: velero
provider: aws
----
<1> Specify the namespace you are authorized to operate from. For example, `test-nac-ns`.
<2> Replace `<region_name>` with a region name.
<3> Replace `<bucket_name>` with a bucket name.
. To apply the NABSL CR configuration, run the following command:
+
[source,terminal]
----
$ oc apply -f <nabsl_cr_filename> # <1>
----
<1> Replace `<nabsl_cr_filename>` with the file name containing the NABSL CR configuration.
.Verification
. To verify that the NABSL CR is in the `New` phase and is pending administrator approval, run the following command:
+
[source,terminal]
----
$ oc get nabsl test-nabsl -o yaml
----
+
.Example output
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackupStorageLocation
...
status:
conditions:
- lastTransitionTime: "2025-02-26T09:07:15Z"
message: NonAdminBackupStorageLocation spec validation successful
reason: BslSpecValidation
status: "True"
type: Accepted
- lastTransitionTime: "2025-02-26T09:07:15Z"
message: NonAdminBackupStorageLocationRequest approval pending # <1>
reason: BslSpecApprovalPending
status: "False"
type: ClusterAdminApproved
phase: New # <2>
veleroBackupStorageLocation:
nacuuid: test-nac-test-bsl-c...d4389a1930
name: test-nac-test-bsl-cd....1930
namespace: openshift-adp
----
<1> Defines that the `status.conditions.message` field contains the `NonAdminBackupStorageLocationRequest approval pending` message .
<2> Defines that the status of a phase is `New`.
. After the cluster administrator approves the `NonAdminBackupStorageLocationRequest` CR request, verify that the NABSL CR is successfully created by running the following command:
+
[source,terminal]
----
$ oc get nabsl test-nabsl -o yaml
----
+
.Example output
+
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackupStorageLocation
metadata:
creationTimestamp: "2025-02-19T09:30:34Z"
finalizers:
- nonadminbackupstoragelocation.oadp.openshift.io/finalizer
generation: 1
name: test-nabsl
namespace: test-nac-ns
resourceVersion: "159973"
uid: 4a..80-3260-4ef9-a3..5a-00...d1922
spec:
backupStorageLocationSpec:
credential:
key: cloud
name: cloud-credentials
objectStorage:
bucket: oadp...51rrdqj
prefix: velero
provider: aws
status:
conditions:
- lastTransitionTime: "2025-02-19T09:30:34Z"
message: NonAdminBackupStorageLocation spec validation successful # <1>
reason: BslSpecValidation
status: "True"
type: Accepted
- lastTransitionTime: "2025-02-19T09:30:34Z"
message: Secret successfully created in the OADP namespace # <2>
reason: SecretCreated
status: "True"
type: SecretSynced
- lastTransitionTime: "2025-02-19T09:30:34Z"
message: BackupStorageLocation successfully created in the OADP namespace # <3>
reason: BackupStorageLocationCreated
status: "True"
type: BackupStorageLocationSynced
phase: Created
veleroBackupStorageLocation:
nacuuid: test-nac-..f933a-4ec1-4f6a-8099-ee...b8b26 # <4>
name: test-nac-test-nabsl-36...11ab8b26 # <5>
namespace: openshift-adp
status:
lastSyncedTime: "2025-02-19T11:47:10Z"
lastValidationTime: "2025-02-19T11:47:31Z"
phase: Available # <6>
----
<1> The NABSL `spec` is validated and approved by the cluster administrator.
<2> The `secret` object is successfully created in the `openshift-adp` namespace.
<3> The associated `Velero` `BackupStorageLocation` is successfully created in the `openshift-adp` namespace.
<4> The `nacuuid` NAC is orchestrating the NABSL CR.
<5> The name of the associated `Velero` backup storage location object.
<6> The `Available` phase indicates that the NABSL is ready for use.

114
modules/oadp-self-service-creating-nar.adoc Normal file
View File

@@ -0,0 +1,114 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-namespace-admin-use-cases.adoc
:_mod-docs-content-type: PROCEDURE
[id="oadp-self-service-creating-nar_{context}"]
= Creating a NonAdminRestore CR
As a namespace admin user, to restore a backup, you can create a `NonAdminRestore` (NAR) custom resource (CR). The backup is restored to your authorized namespace.
.Prerequisites
* You are logged in to the cluster as a namespace admin user.
* The cluster administrator has installed the {oadp-short} Operator.
* The cluster administrator has configured the `DataProtectionApplication` (DPA) CR to enable {oadp-short} Self-Service.
* The cluster administrator has created a namespace for you and has authorized you to operate from that namespace.
* You have a backup of your application by creating a `NonAdminBackup` (NAB) CR.
.Procedure
. To create a `NonAdminRestore` CR, create a YAML manifest file with the following configuration:
+
.Example `NonAdminRestore` CR
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminRestore
metadata:
name: test-nar # <1>
spec:
restoreSpec:
backupName: test-nab # <2>
----
<1> Defines a name for the NAR CR, for example, `test-nar`.
<2> Defines the name of the NAB CR you want to restore from. For example, `test-nab`.
. To apply the NAR CR configuration, run the following command:
+
[source,terminal]
----
$ oc apply -f <nar_cr_filename> # <1>
----
<1> Replace `<nar_cr_filename>` with the file name containing the NAR CR configuration.
.Verification
. To verify that the NAR CR is successfully created, run the following command:
+
[source,terminal]
----
$ oc get nar test-nar -o yaml
----
+
.Example output
+
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminRestore
metadata:
creationTimestamp: "2025-..:15Z"
finalizers:
- nonadminrestore.oadp.openshift.io/finalizer
generation: 2
name: test-nar
namespace: test-nac-ns
resourceVersion: "156517"
uid: f9f5...63ef34
spec:
restoreSpec:
backupName: test-nab
hooks: {}
itemOperationTimeout: 0s
status:
conditions:
- lastTransitionTime: "2025..15Z"
message: restore accepted # <1>
reason: RestoreAccepted
status: "True"
type: Accepted
- lastTransitionTime: "2025-03-06T11:22:15Z"
message: Created Velero Restore object
reason: RestoreScheduled
status: "True"
type: Queued
dataMoverDataDownloads: {}
fileSystemPodVolumeRestores: # <2>
completed: 2
total: 2
phase: Created # <3>
queueInfo:
estimatedQueuePosition: 0 # <4>
veleroRestore:
nacuuid: test-nac-test-nar-c...1ba # <5>
name: test-nac-test-nar-c7...1ba # <6>
namespace: openshift-adp
status:
completionTimestamp: "2025...22:44Z"
hookStatus: {}
phase: Completed # <7>
progress:
itemsRestored: 28
totalItems: 28
startTimestamp: "2025..15Z"
warnings: 7
----
<1> The `NonAdminController` (NAC) CR has reconciled and validated the NAR CR.
<2> The `fileSystemPodVolumeRestores` field indicates the number of volumes that are restored.
<3> The NAR CR is in the `Created` phase.
<4> This field indicates the queue position of the restore object. There can be multiple restores in process, and each restore is assigned a queue position. When the restore is complete, the queue position is set to `0`.
<5> The NAC creates the `Velero` restore object and sets the value as `nacuuid`.
<6> The name of the associated `Velero` restore object.
<7> The `Velero` restore object is in the `Completed` phase and the restore is successful.

47
modules/oadp-self-service-enabling-nabsl-approval.adoc Normal file
View File

@@ -0,0 +1,47 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-cluster-admin-use-cases.adoc
:_mod-docs-content-type: PROCEDURE
[id="oadp-self-service-enabling-nabsl-approval_{context}"]
= Enabling NonAdminBackupStorageLocation administrator approval workflow
The `NonAdminBackupStorageLocation` (NABSL) custom resource (CR) administrator approval workflow is an opt-in feature. As a cluster administrator, you must explicitly enable the feature in the `DataProtectionApplication` (DPA) CR by setting the `nonAdmin.requireApprovalForBSL` field to `true`.
You also need to set the `noDefaultBackupLocation` field in the DPA CR to `true`. This setting indicates that, there is no default backup storage location configured in the DPA CR and the namespace admin user can create a NABSL CR and send the CR request for approval.
.Prerequisites
* You are logged in to the cluster with the `cluster-admin` role.
* You have installed the {oadp-short} Operator.
* You have enabled {oadp-short} Self-Service in the `DataProtectionApplication` CR.
.Procedure
* To enable the NABSL administrator approval workflow, edit the DPA CR by using the following example configuration:
+
.Example `DataProtectionApplication` CR
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
name: oadp-backup
namespace: openshift-adp
spec:
configuration:
nodeAgent:
enable: true
uploaderType: kopia
velero:
defaultPlugins:
- aws
- openshift
- csi
noDefaultBackupLocation: true # <1>
nonAdmin:
enable: true
requireApprovalForBSL: true # <2>
----
<1> Add the `noDefaultBackupLocation` field and set it to `true`.
<2> Add the `requireApprovalForBSL` field and set it to `true`.

18
modules/oadp-self-service-how-it-works.adoc Normal file
View File

@@ -0,0 +1,18 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service.adoc
:_mod-docs-content-type: CONCEPT
[id="oadp-self-service-how-it-works_{context}"]
= How {oadp-short} Self-Service works
The following diagram describes how {oadp-short} Self-Service works at a high level. The diagram describes the following workflow:
. A namespace admin user creates a `NonAdminBackup` (NAB) custom resource (CR) request.
. The `NonAdminController` (NAC) CR receives the NAB CR request.
. The NAC validates the request and updates the NAB CR about the request.
. The NAC creates the `Velero` backup object.
. The NAC monitors the `Velero` backup object and cascades the status back to the NAB CR.
.How {oadp-short} Self-Service works
image::oadp-self-service.svg[{oadp-short} Self-Service]

146
modules/oadp-self-service-nab-nar-logs.adoc Normal file
View File

@@ -0,0 +1,146 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-namespace-admin-use-cases.adoc
:_mod-docs-content-type: PROCEDURE
[id="oadp-self-service-nab-nar-logs_{context}"]
= Reviewing NAB and NAR logs
As a namespace admin user, you can review the logs for the NAB and NAR custom resources (CRs) by creating a `NonAdminDownloadRequest` (NADR) CR.
[NOTE]
====
You can review the NAB logs only if you are using a `NonAdminBackupStorageLocation` (NABSL) CR as a backup storage location for the backup.
====
.Prerequisites
* You are logged in to the cluster as a namespace admin user.
* The cluster administrator has installed the {oadp-short} Operator.
* The cluster administrator has configured the `DataProtectionApplication` (DPA) CR to enable {oadp-short} Self-Service.
* The cluster administrator has created a namespace for you and has authorized you to operate from that namespace.
* You have a backup of your application by creating a `NonAdminBackup` (NAB) CR.
* You have restored the application by creating a `NonAdminRestore` (NAR) CR.
.Procedure
. To review NAB CR logs, create a `NonAdminDownloadRequest` CR and specify the NAB CR name as shown in the following example:
+
.Example `NonAdminDownloadRequest` CR
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminDownloadRequest
metadata:
name: test-nadr-backup
spec:
target:
kind: BackupLog # <1>
name: test-nab # <2>
----
<1> Specify `BackupLog` as the value for the `kind` field of the NADR CR.
<2> Specify the name of the NAB CR.
. Verify that the NADR CR is processed by running the following command.
+
[source,terminal]
----
$ oc get nadr test-nadr-backup -o yaml
----
+
.Example output
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminDownloadRequest
metadata:
creationTimestamp: "2025-03-06T10:05:22Z"
generation: 1
name: test-nadr-backup
namespace: test-nac-ns
resourceVersion: "134866"
uid: 520...8d9
spec:
target:
kind: BackupLog
name: test-nab
status:
conditions:
- lastTransitionTime: "202...5:22Z"
message: ""
reason: Success
status: "True"
type: Processed
phase: Created
velero:
status:
downloadURL: https://... # <1>
expiration: "202...22Z"
phase: Processed # <2>
----
<1> The `status.downloadURL` field contains the download URL of the NAB logs. You can use the `downloadURL` to download and review the NAB logs.
<2> The `status.phase` is `Processed`.
. Download and analyze the backup information by using the `status.downloadURL` URL.
. To review NAR CR logs, create a `NonAdminDownloadRequest` CR and specify the NAR CR name as shown in the following example:
+
.Example `NonAdminDownloadRequest` CR
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminDownloadRequest
metadata:
name: test-nadr-restore
spec:
target:
kind: RestoreLog # <1>
name: test-nar # <2>
----
<1> Specify `RestoreLog` as the value for the `kind` field of the NADR CR.
<2> Defines the name of the NAR CR.
. Verify that the NADR CR is processed by running the following command.
+
[source,terminal]
----
$ oc get nadr test-nadr-restore -o yaml
----
+
.Example output
[source,yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminDownloadRequest
metadata:
creationTimestamp: "2025-03-06T11:26:01Z"
generation: 1
name: test-nadr-restore
namespace: test-nac-ns
resourceVersion: "157842"
uid: f3e...7862f
spec:
target:
kind: RestoreLog
name: test-nar
status:
conditions:
- lastTransitionTime: "202..:01Z"
message: ""
reason: Success
status: "True"
type: Processed
phase: Created
velero:
status:
downloadURL: https://... # <1>
expiration: "202..:01Z"
phase: Processed # <2>
----
<1> The `status.downloadURL` field contains the download URL of the NAR logs. You can use the `downloadURL` to download and review the NAR logs.
<2> The `status.phase` is `Processed`.
. Download and analyze the restore information by using the `status.downloadURL` URL.

51
modules/oadp-self-service-namespace-permissions.adoc Normal file
View File

@@ -0,0 +1,51 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service.adoc
:_mod-docs-content-type: REFERENCE
[id="oadp-self-service-namespace-permissions_{context}"]
= {oadp-short} Self-Service namespace permissions
As a cluster administrator, ensure that a namespace admin user has editor roles assigned for the following list of objects in their namespace. These objects ensure that a namespace admin user can perform the backup and restore operations in their namespace.
* `nonadminbackups.oadp.openshift.io`
* `nonadminbackupstoragelocations.oadp.openshift.io`
* `nonadminrestores.oadp.openshift.io`
* `nonadmindownloadrequests.oadp.openshift.io`
For more details on the namespace `admin` role, see link:https://docs.redhat.com/en/documentation/openshift_container_platform/{product-version}/html/authentication_and_authorization/using-rbac#default-roles_using-rbac[Default cluster roles].
A cluster administrator can also define their own specifications so that users can have rights similar to `project` or namespace `admin` roles.
[id="oadp-self-service-yaml-backup-operation_{context}"]
== Example RBAC YAML for backup operation
See the following RBAC YAML file example with namespace permissions for a namespace `admin` user to perform a backup operation.
.Example RBAC
[source,yaml]
----
...
- apiGroups:
- oadp.openshift.io
resources:
- nonadminbackups
- nonadminrestores
- nonadminbackupstoragelocations
- nonadmindownloadrequests
verbs:
- create
- delete
- get
- list
- patch
- update
- watch
- apiGroups:
- oadp.openshift.io
resources:
- nonadminbackups/status
- nonadminrestores/status
verbs:
- get
----

47
modules/oadp-self-service-overview.adoc Normal file
View File

@@ -0,0 +1,47 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service.adoc
:_mod-docs-content-type: CONCEPT
[id="oadp-self-service-overview_{context}"]
= About {oadp-short} Self-Service
From {oadp-short} 1.5.0 onward, you do not need the `cluster-admin` role to perform the backup and restore operations. You can use {oadp-short} with the namespace `admin` role. The namespace `admin` role has administrator access only to the namespace the user is assigned to.
You can use the Self-Service feature only after the cluster administrator installs the {oadp-short} Operator and provides the necessary permissions.
The {oadp-short} Self-Service feature provides secure self-service data protection capabilities for users without `cluster-admin` privileges while maintaining proper access controls.
The {oadp-short} cluster administrator creates a user with the namespace `admin` role and provides the necessary Role Based Access Controls (RBAC) to the user to perform {oadp-short} Self-Service actions. As this user has limited access compared to the `cluster-admin` role, this user is referred to as a namespace admin user.
As a namespace admin user, you can back up and restore applications deployed in your authorized namespace on the cluster.
{oadp-short} Self-Service offers the following benefits:
* As a cluster administrator:
** You allow namespace-scoped backup and restore operations to a namespace admin user. This means, a namespace admin user cannot access a namespace that they are not authorized to.
** You keep administrator control over non-administrator operations through `DataProtectionApplication` configuration and policies.
* As a namespace admin user:
** You can create backup and restore custom resources for your authorized namespace.
** You can create dedicated backup storage locations in your authorized namespace.
** You have secure access to backup logs and status information.
[id="oadp-self-service-overview-namespace-scope_{context}"]
= What namespace-scoped backup and restore means
{oadp-short} Self-Service ensures that namespace admin users can only operate within their authorized namespace. For example, if you do not have access to a namespace, as a namespace admin user, you cannot back up that namespace.
A namespace admin user cannot access backup and restore data of other users.
The cluster administrator enforces the access control through custom resources (CRs) that securely manage the backup and restore operations.
Additionally, the cluster administrator can control the allowed options within the CRs, restricting certain operations for added security by using `spec` enforcements in the `DataProtectionApplication` (DPA) CR.
Namespace `admin` users can perform the following Self-Service operations:
* Create and manage backups of their authorized namespaces.
* Restore data to their authorized namespaces.
* Configure their own backup storage locations.
* Check backup and restore status.
* Request retrieval of relevant logs.

22
modules/oadp-self-service-phases.adoc Normal file
View File

@@ -0,0 +1,22 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service.adoc
:_mod-docs-content-type: CONCEPT
[id="oadp-self-service-phases_{context}"]
= {oadp-short} Self-Service backup and restore phases
The `status.phase` field of a `NonAdminBackup` (NAB) CR and a `NonAdminRestore` (NAR) CR provide an overview of the current state of the CRs. Review the values for the NAB and NAR phases in the following table.
The phase of the CRs only progress forward. Once a phase transitions to the next phase, it cannot revert to a previous phase.
.Phases
|===
|*Value* |*Description*
|New|A creation request of the NAB or NAR CR is accepted by the NAC, but it has not yet been validated by the NAC.
|BackingOff|NAB or NAR CR is invalidated by the NAC CR because of an invalid `spec` of the NAB or NAR CR.
The namespace admin user can update the NAB or NAR `spec` to comply with the policies set by the administrator. After the namespace admin user edits the CRs, the NAC reconciles the CR again.
|Created|NAB or NAR CR is validated by the NAC, and the `Velero` backup or restore object is created.
|Deletion|NAB or NAR CR is marked for deletion. The NAC deletes the corresponding `Velero` backup or restore object. When the `Velero` object is deleted, the NAB or NAR CR is also deleted.
|===

16
modules/oadp-self-service-prerequisites.adoc Normal file
View File

@@ -0,0 +1,16 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service.adoc
:_mod-docs-content-type: CONCEPT
[id="oadp-self-service-prerequisites_{context}"]
= {oadp-short} Self-Service prerequisites
Before you start using {oadp-short} Self-Service as a namespace `admin` user, ensure you meet the following prerequisites:
* The cluster administrator has configured the {oadp-short} `DataProtectionApplication` (DPA) CR to enable Self-Service.
* The cluster administrator has completed the following tasks:
** Created a namespace `admin` user account.
** Created a namespace for the namespace `admin` user.
** Assigned appropriate privileges for the namespace admin user's namespace. This ensures that the namespace admin user is authorized to access and perform backup and restore operations in their assigned namespace.
* Optionally, the cluster administrator can create a `NonAdminBackupStorageLocation` (NABSL) CR for the namespace `admin` user.

45
modules/oadp-self-service-rejecting-nabsl.adoc Normal file
View File

@@ -0,0 +1,45 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-cluster-admin-use-cases.adoc
:_mod-docs-content-type: PROCEDURE
[id="oadp-self-service-rejecting-nabsl_{context}"]
= Rejecting a NonAdminBackupStorageLocation request
As a cluster administrator, to reject a `NonAdminBackupStorageLocation` (NABSL) custom resource (CR) request, you can edit the `NonAdminBackupStorageLocationRequest` CR and set the `approvalDecision` field to `reject`.
.Prerequisites
* You are logged in to the cluster with the `cluster-admin` role.
* You have installed the {oadp-short} Operator.
* You have enabled {oadp-short} Self-Service in the `DataProtectionApplication` (DPA) CR.
* You have enabled the NABSL CR approval workflow in the DPA.
.Procedure
. To see the NABSL CR requests that are in queue for administrator approval, run the following command:
+
[source,terminal]
----
$ oc -n openshift-adp get NonAdminBackupStorageLocationRequests
----
+
.Example output
[source,terminal]
----
$ oc get nabslrequest
NAME REQUEST-PHASE REQUEST-NAMESPACE REQUEST-NAME AGE
non-admin-bsl-test-.....175 Approved non-admin-bsl-test incorrect-bucket-nabsl 4m57s
non-admin-bsl-test-.....196 Approved non-admin-bsl-test perfect-nabsl 5m26s
non-admin-bsl-test-s....e1a Rejected non-admin-bsl-test suspicious-sample 2m56s
non-admin-bsl-test-.....5e0 Pending non-admin-bsl-test waitingapproval-nabsl 4m20s
----
. To reject the NABSL CR request, set the `approvalDecision` field to `reject` by running the following command:
+
[source,terminal]
----
$ oc patch nabslrequest <nabsl_name> -n openshift-adp --type=merge -p '{"spec": {"approvalDecision": "reject"}}' # <1>
----
<1> Specify the name of the `NonAdminBackupStorageLocationRequest` CR.

50
modules/oadp-self-service-troubleshoot-nabsl-default.adoc Normal file
View File

@@ -0,0 +1,50 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-troubleshooting.adoc
:_mod-docs-content-type: CONCEPT
[id="oadp-self-service-troubleshoot-nabsl-default_{context}"]
= NonAdminBackupStorageLocation cannot be set as default
As a non-admin user, if you have created a `NonAdminBackupStorageLocation` (NABSL) custom resource (CR) in your authorized namespace, you cannot set the NABSL CR as the default backup storage location.
In such a scenario, the NABSL CR fails to validate and the `NonAdminController` (NAC) gives an error message.
.Example NABSL error
[source, yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackupStorageLocation
metadata:
creationTimestamp: "20...:03Z"
generation: 1
name: nabsl1
namespace: test-nac-1
resourceVersion: "11...9"
uid: 8d2fc....c9b6c4401
spec:
backupStorageLocationSpec:
credential:
key: cloud
name: cloud-credentials-gcp
default: true # <1>
objectStorage:
bucket: oad..7l8
prefix: velero
provider: gcp
status:
conditions:
- lastTransitionTime: "20...:27:03Z"
message: NonAdminBackupStorageLocation cannot be used as a default BSL # <2>
reason: BslSpecValidation
status: "False"
type: Accepted
phase: BackingOff
----
<1> The value of the `default` field is set to `true`.
<2> The error message reported by NAC.
.Solution
To successfully validate and reconcile the NABSL CR, ensure that the `default` field is set to `false` in the NABSL CR.

46
modules/oadp-self-service-troubleshoot-nabsl-same-ns.adoc Normal file
View File

@@ -0,0 +1,46 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service-troubleshooting.adoc
:_mod-docs-content-type: CONCEPT
[id="oadp-self-service-troubleshoot-nabsl-same-ns_{context}"]
= Error NonAdminBackupStorageLocation not found in the namespace
Consider the following scenario of a namespace `admin` backup:
* You have created two `NonAdminBackupStorageLocations` (NABLs) custom resources (CRs) in two different namespaces, for example, `nabsl-1` in `namespace-1` and `nabsl-2` in `namespace-2`.
* You are taking a backup of `namespace-1` and use `nabsl-2` in the `NonAdminBackup` (NAB) CR.
In this scenario, after creating the NAB CR, you get the following error:
[source,text]
----
NonAdminBackupStorageLocation not found in the namespace: NonAdminBackupStorageLocation.oadp.openshift.io
----
The cause of the error is that the NABSL CR does not belong to the namespace that you are trying to back up.
.Error
[source, yaml]
----
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackup
...
status:
conditions:
- lastTransitionTime: "2025-02-20T10:13:00Z"
message: 'NonAdminBackupStorageLocation not found in the namespace: NonAdminBackupStorageLocation.oadp.openshift.io
"nabsl2" not found'
reason: InvalidBackupSpec
status: "False"
type: Accepted
phase: BackingOff
----
.Solution
Use the NABSL that belongs to the same namespace that you are trying to back up.
In this scenario, you must use `nabsl-1` in the NAB CR to back up `namespace-1`.

23
modules/oadp-self-service-troubleshooting.adoc Normal file
View File

@@ -0,0 +1,23 @@
// Module included in the following assemblies:
//
//
:_mod-docs-content-type: PROCEDURE
[id="oadp-self-service-troubleshooting_{context}"]
= Troubleshooting {oadp-short} Self-Service
.Error `pods is forbidden`
If you are a non-admin user trying to access a namespace that you do not have access to, you get the following error:
[source, terminal]
----
Error from server (Forbidden): pods is forbidden: User "nac-user" cannot list resource "pods" in API group "" in the namespace "openshift-adp"
----
The cluster administrator has not authorized the non-admin user to access the namespace.
.Solution
The cluster administrator must authorize the non-admin user to access the namespace.

30
modules/oadp-self-service-unsupported-features.adoc Normal file
View File

@@ -0,0 +1,30 @@
// Module included in the following assemblies:
//
// backup_and_restore/application_backup_and_restore/oadp-self-service/oadp-self-service.adoc
:_mod-docs-content-type: CONCEPT
[id="oadp-self-service-unsupported-features_{context}"]
= {oadp-short} Self-Service unsupported features
The following features are not supported by {oadp-short} Self-Service:
* Cross cluster backup and restore, or migrations are not supported. These {oadp-short} operations are supported for the cluster administrator.
* A namespace `admin` user cannot create a `VolumeSnapshotLocation` (VSL) CR. The cluster administrator creates and configures the VSL in the `DataProtectionApplication` (DPA) CR for a namespace `admin` user.
* The `ResourceModifiers` CR and volume policies are not supported for a namespace `admin` user.
* A namespace `admin` user can request backup or restore logs by using the `NonAdminDownloadRequest` CR, only if the backup or restore is created by a user through the `NonAdminBackupStorageLocation` CR and not the cluster-wide default backup storage location.
* To ensure secure backup and restore, {oadp-short} Self-Service automatically excludes the following CRs from being backed up or restored:
** `NonAdminBackup`
** `NonAdminRestore`
** `NonAdminBackupStorageLocation`
** `SecurityContextConstraints`
** `ClusterRole`
** `ClusterRoleBinding`
** `CustomResourceDefinition`
** `PriorityClasses`
** `VirtualMachineClusterInstanceTypes`
** `VirtualMachineClusterPreferences`