# Intro to OADP self-service

## Glossary of terms

* NAB - Non Admin Backup
* NAR - Non Admin Restore
* NAC - Non Admin Controller
* Puppies are kicked and killed when you refer to the feature as anything other than `self-service`
* TC - New TestCase required

## Engineering testing overview (master branch)

* install works
* backup and restore works
* queue works
* cluster-admin backup spec [customizations](https://github.com/migtools/oadp-non-admin/blob/master/docs/design/admin_control_over_spec.md)
* BSL - in progress

## Admin Install

### OADP - NAC integration/Deployment tests:

Installing Self-Service will work off oadp-operator master branch w/ `make deploy-olm`

1. Installation via OADP Operator, check if NAC controller is running and CRDs are installed successfully
    - DPA spec must have these 2 things:
      ```
      nonAdmin:
        enable: true
      unsupportedOverrides:
        tech-preview-ack: "true"
      ```
    - check whether the NAC controller pod is running in the OADP install namespace

**NOTE**

* DO NOT immediately try to create a NAB (non-admin-backup) after installing, it will fail as cluster-admin. Create a [non-cluster-admin first](https://github.com/migtools/oadp-non-admin/blob/master/docs/non_admin_user.md)
* Once you have a non-cluster-admin user that has admin rights on a namespace, then you can create a NAB / NAR

## Deploy application as NON-ADMIN

* You will need a simple app deployed in the non-admin namespace, deployed BY the NON-ADMIN user.

## First look at NAB

Essentially we have a few new CRDs for this feature, NAB being one. When a non-admin creates a NAB, the controller runs some checks and then creates a Velero Backup CR on behalf of the non-admin user. As a cluster admin you should see a 1-1 mapping from a NAB -> Velero Backup. Easy right?

* meh [pictures are worth a thousand words](https://github.com/migtools/oadp-non-admin/blob/master/docs/images/Backup-Workflow-Details.jpg) && [words](https://github.com/migtools/oadp-non-admin/blob/master/docs/images/nab-backup-workflow.jpg) && [words](https://youtu.be/KNfney5cT2A)

### what a FULL NAB w/ status looks like:

Very much like a Velero backup but with some extras

```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackup
metadata:
  creationTimestamp: "2024-12-04T17:44:58Z"
  finalizers:
  - nonadminbackup.oadp.openshift.io/finalizer
  generation: 2
  labels:
    app.kubernetes.io/created-by: oadp-operator
    app.kubernetes.io/instance: nonadminbackup-sample
    app.kubernetes.io/managed-by: kustomize
    app.kubernetes.io/name: nonadminbackup
    app.kubernetes.io/part-of: oadp-operator
  name: wes-bak1
  namespace: wes-ns
  resourceVersion: "875102"
  uid: 14a22385-ed08-4781-af06-5bcd1d462e6a
spec:
  backupSpec:
    csiSnapshotTimeout: 0s
    hooks: {}
    itemOperationTimeout: 0s
    metadata: {}
    ttl: 720h0m0s
status:
  conditions:
  - lastTransitionTime: "2024-12-04T17:44:58Z"
    message: backup accepted
    reason: BackupAccepted
    status: "True"
    type: Accepted
  - lastTransitionTime: "2024-12-04T17:44:58Z"
    message: Created Velero Backup object
    reason: BackupScheduled
    status: "True"
    type: Queued
  phase: Created
  queueInfo:
    estimatedQueuePosition: 0
  veleroBackup:
    nacuuid: wes-ns-wes-bak1-49575abd-e4a8-4f3d-a45f-996bd97aad67
    name: wes-ns-wes-bak1-49575abd-e4a8-4f3d-a45f-996bd97aad67
    namespace: openshift-adp
    status:
      completionTimestamp: "2024-12-04T17:45:00Z"
      expiration: "2025-01-03T17:44:58Z"
      formatVersion: 1.1.0
      hookStatus: {}
      phase: Completed
      progress:
        itemsBackedUp: 52
        totalItems: 52
      startTimestamp: "2024-12-04T17:44:58Z"
      version: 1
```

### NAB minimal spec

* NAB that creates a simple velero backup CR that does a simple namespace backup.

```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: NonAdminBackup
metadata:
  name: mysql-nonadmin-1
  namespace: mysql-persistent
spec:
  backupSpec:
    includedNamespaces:
    - mysql-persistent
    storageLocation: dpa-sample-1
    ttl: 720h0m0s
```

* Because a NAB is its own CR we have to track the [status](https://github.com/migtools/oadp-non-admin/blob/master/docs/design/nab_and_nar_status_update.md) of both the NAB and the related Velero backup. **TC** Need test cases to ensure the correct status is communicated to the user.
* Because non-admins can't see the velero queue w/ `velero backup get` or `oc get backup` && velero is single threaded w/ backups (imagine a very busy cluster w/ lots of backups running), we added `queueInfo`. **TC**
  ```
  queueInfo:
    estimatedQueuePosition: 0
  ```
* Full [NAB CRD](https://github.com/openshift/oadp-operator/blob/master/bundle/manifests/oadp.openshift.io_nonadminbackups.yaml)
* Full [NAR CRD](https://github.com/openshift/oadp-operator/blob/master/bundle/manifests/oadp.openshift.io_nonadminrestores.yaml)

## UI

atm a non-admin can use the default openshift UI to create and view NABs and NARs via:

* Administrator -> Home -> API Explorer -> search `oadp`

![Screenshot from 2024-12-09 14-13-54](https://hackmd.io/_uploads/SyJ6pA4Ekg.png)

## NAR

* to-do
* sorry all the NARs were deleted, the spec would only require the NAB backup name.

**Notes:**

- Ensure you go through mandatory cleanup steps before performing any kind of tests
- Check for cosmetic and UX improvements along the way. Do we need more data in object status? Does short name of NAB and NAR objects work? and so on.
- Always check the context of your shell/terminal/login session. PLEASE DO NOT PERFORM NON-ADMIN TESTS UNDER ADMIN SESSION. THIS TEST DAY WON'T BE BENEFICIAL FOR US IN SUCH CASES.
- Install OADP Operator from master using `make deploy-olm` command

## Mandatory cleanup:

- Delete OADP Operator install NS if any
- Remove OADP/NAC/Velero CRDs from the cluster if any;
    - `oc delete crd $(oc get crds | grep oadp | awk -F ' ' '{print $1}')`
    - `oc delete crd $(oc get crds | grep velero.io | awk -F ' ' '{print $1}')`

## Test Scenarios:

#### install test cases

1. Creating NAC objects when NAC controller is not deployed
1. Try another install of OADP operator with NAC enabled in the same cluster

   Hint: `make deploy-olm OADP_TEST_NAMESPACE=openshift-adp-2`

* Example test cases once you have a good feel for self-service https://docs.google.com/spreadsheets/d/1tqxcX6fXDFaWhkWifO08a4qXnUBxL0x4tWtoc3zxUdg/edit?usp=sharing

## For Non-Admin

### Non-Admin Backup tests

1. Create a NAB object with valid backup spec, VB should be successfully created and NAB status should be updated successfully
2. Invalid NAB spec scenarios, check if NAB is updated with correct status
3. Valid NAB spec with wrong Velero Backup config, VB will fail and check if status is cascaded back to NAB.
4. Create Backup of namespace the user has no access to
5. Check the status of the backup queue, when there are multiple NABs in the cluster
6. Create multiple NAB of the same NS, multiple times even if earlier NAB object exists, each NAB should be mapped to one VB

### Non-Admin Restore tests

1. Create a NAR object with valid restore spec, VR should be successfully created and NAR status should be updated successfully
2. Invalid NAR spec scenarios, check if NAR is updated with correct status
3. Valid NAR spec with wrong Velero Restore config, VR will fail and check if status is cascaded back to NAR.
4. Create Restore of namespace the user has no access to
5. Check the status of the backup queue, when there are multiple NARs in the cluster
6. Create multiple NAR of the same NS, multiple times even if earlier NAR object exists, each NAR should be mapped to one VR

### Enforce NAB and NAR spec tests

1. NAC Backup Spec Enforce via DPA
    - Refer example workflows from here: https://github.com/migtools/oadp-non-admin/blob/master/docs/design/admin_control_over_spec.md#example-workflows
2. Similarly, NAC Restore Spec Enforce via DPA

### Destructive tests (Assuming a completed VB exists for the NAB object)

1. Delete NAB object using oc cli
2. Delete NAB object via NAB spec (`spec.deleteBackup` to true)
3. ForceDelete via NAB spec (`spec.forceDeleteBackup` to true)

(More wild scenarios)

4. Delete specific NAR object using oc cli
5. Delete app NS when only NAB exists
6. Delete app NS when both NAR and NAB exist

## Status and Bugs

* current devel status: https://github.com/orgs/migtools/projects/7/views/4
* Where do I open a bug?
    * We are still under development so, https://github.com/migtools/oadp-non-admin/issues

HAPPY HOLIDAYS!
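
The NAB status test cases above (conditions, status cascaded back from the Velero Backup, `queueInfo`, one VB per NAB) can be checked mechanically against the JSON a non-admin gets for their own NAB. This is an added example, not part of OADP or of this test plan; `check_nab_status`, the sample dict (constructed from the full NAB shown earlier) and the `<namespace>-<name>-<uuid>` naming rule read off that sample are assumptions.

```python
# Constructed sample: status fields of the page's "FULL NAB" example, shaped like
# the output of `oc get nonadminbackup wes-bak1 -n wes-ns -o json`.
SAMPLE_NAB = {
    "metadata": {"name": "wes-bak1", "namespace": "wes-ns"},
    "status": {
        "conditions": [
            {"type": "Accepted", "status": "True", "reason": "BackupAccepted"},
            {"type": "Queued", "status": "True", "reason": "BackupScheduled"},
        ],
        "phase": "Created",
        "queueInfo": {"estimatedQueuePosition": 0},
        "veleroBackup": {
            "nacuuid": "wes-ns-wes-bak1-49575abd-e4a8-4f3d-a45f-996bd97aad67",
            "name": "wes-ns-wes-bak1-49575abd-e4a8-4f3d-a45f-996bd97aad67",
            "namespace": "openshift-adp",
            "status": {"phase": "Completed"},
        },
    },
}


def check_nab_status(nab, oadp_namespace="openshift-adp"):
    """Return a list of findings; an empty list means the NAB status is consistent."""
    findings = []
    meta, status = nab.get("metadata", {}), nab.get("status", {})
    conds = {c.get("type"): c.get("status") for c in status.get("conditions", [])}
    for cond in ("Accepted", "Queued"):
        if conds.get(cond) != "True":
            findings.append(f"condition {cond} is {conds.get(cond)!r}, expected 'True'")
    vb = status.get("veleroBackup")
    if not vb:
        return findings + ["no veleroBackup reference: 1-1 NAB -> Velero Backup mapping missing"]
    if vb.get("namespace") != oadp_namespace:
        findings.append(f"Velero Backup is in {vb.get('namespace')!r}, not the OADP namespace")
    # Assumption read off the sample: name == nacuuid == "<nab-ns>-<nab-name>-<uuid>".
    prefix = f"{meta.get('namespace')}-{meta.get('name')}-"
    if vb.get("name") != vb.get("nacuuid") or not str(vb.get("name", "")).startswith(prefix):
        findings.append(f"Velero Backup name {vb.get('name')!r} does not match this NAB")
    vphase = vb.get("status", {}).get("phase")
    if vphase is None:
        findings.append("Velero Backup phase not cascaded into the NAB status")
    elif vphase in ("Failed", "PartiallyFailed", "FailedValidation"):
        findings.append(f"Velero Backup phase is {vphase}")
    pos = status.get("queueInfo", {}).get("estimatedQueuePosition")
    if not isinstance(pos, int) or pos < 0:
        findings.append(f"queueInfo.estimatedQueuePosition is {pos!r}")
    return findings
```

Run it under the non-admin session only: the point of the test is that everything needed to judge the backup is visible from the NAB itself, without read access to the OADP namespace.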