Add new resource filters can separate cluster and namespace scope res…

…ources.

Signed-off-by: Xun Jiang <blackpiglet@gmail.com>

changelogs/unreleased/5838-blackpiglet

@@ -0,0 +1 @@
+Add new resource filters can separate cluster and namespace scope resources.

config/crd/v1/bases/velero.io_backups.yaml

@@ -54,6 +54,22 @@ spec:
                   Use DefaultVolumesToFsBackup instead."
                 nullable: true
                 type: boolean
+              excludedClusterScopeResources:
+                description: ExcludedClusterScopeResources is a slice of cluster scope
+                  resource type names to exclude from the backup. If set to "*", all
+                  cluster scope resource types are excluded.
+                items:
+                  type: string
+                nullable: true
+                type: array
+              excludedNamespacedResources:
+                description: ExcludedNamespacedResources is a slice of namespace scope
+                  resource type names to exclude from the backup. If set to "*", all
+                  namespace scope resource types are excluded.
+                items:
+                  type: string
+                nullable: true
+                type: array
               excludedNamespaces:
                 description: ExcludedNamespaces contains a list of namespaces that
                   are not included in the backup.
@@ -259,6 +275,23 @@ spec:
                   resources should be included for consideration in the backup.
                 nullable: true
                 type: boolean
+              includedClusterScopeResources:
+                description: IncludedClusterScopeResources is a slice of cluster scope
+                  resource type names to include in the backup. If set to "*", all
+                  cluster scope resource types are included. The default value is
+                  empty, which means only related cluster scope resources are included.
+                items:
+                  type: string
+                nullable: true
+                type: array
+              includedNamespacedResources:
+                description: IncludedNamespacedResources is a slice of namespace scope
+                  resource type names to include in the backup. The default value
+                  is "*".
+                items:
+                  type: string
+                nullable: true
+                type: array
               includedNamespaces:
                 description: IncludedNamespaces is a slice of namespace names to include
                   objects from. If empty, all namespaces are included.

config/crd/v1/bases/velero.io_schedules.yaml

@@ -84,6 +84,22 @@ spec:
                       entirely in future. Use DefaultVolumesToFsBackup instead."
                     nullable: true
                     type: boolean
+                  excludedClusterScopeResources:
+                    description: ExcludedClusterScopeResources is a slice of cluster
+                      scope resource type names to exclude from the backup. If set
+                      to "*", all cluster scope resource types are excluded.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                  excludedNamespacedResources:
+                    description: ExcludedNamespacedResources is a slice of namespace
+                      scope resource type names to exclude from the backup. If set
+                      to "*", all namespace scope resource types are excluded.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                   excludedNamespaces:
                     description: ExcludedNamespaces contains a list of namespaces
                       that are not included in the backup.
@@ -294,6 +310,24 @@ spec:
                       resources should be included for consideration in the backup.
                     nullable: true
                     type: boolean
+                  includedClusterScopeResources:
+                    description: IncludedClusterScopeResources is a slice of cluster
+                      scope resource type names to include in the backup. If set to
+                      "*", all cluster scope resource types are included. The default
+                      value is empty, which means only related cluster scope resources
+                      are included.
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
+                  includedNamespacedResources:
+                    description: IncludedNamespacedResources is a slice of namespace
+                      scope resource type names to include in the backup. The default
+                      value is "*".
+                    items:
+                      type: string
+                    nullable: true
+                    type: array
                   includedNamespaces:
                     description: IncludedNamespaces is a slice of namespace names
                       to include objects from. If empty, all namespaces are included.

design/cluster-scope-resource-filter.md

@@ -8,7 +8,6 @@
 	- [High-Level Design](#high-level-design)
 		- [Parameters Rules](#parameters-rules)
 		- [Using scenarios:](#using-scenarios)
-			- [no namespaced resources + no cluster resources](#no-namespaced-resources--no-cluster-resources)
 			- [no namespaced resources + some cluster resources](#no-namespaced-resources--some-cluster-resources)
 			- [no namespaced resources + all cluster resources](#no-namespaced-resources--all-cluster-resources)
 			- [some namespaced resources + no cluster resources](#some-namespaced-resources--no-cluster-resources)
@@ -67,14 +66,9 @@ Restore and other code pieces also use resource filtering will be handled in fut
 
 * If both `--include-cluster-scope-resources` and `--exclude-cluster-scope-resources` are not present, it means no additional cluster resource is included per resource type, just as the existing `--include-cluster-resources` parameter not setting value. Cluster resources are related to the namespace scope resources, which means those are returned in the namespace resources' BackupItemAction's result AdditionalItems array, are still included in backup by default. Taking backing up PVC scenario as an example, PVC is namespaced, PV is in cluster scope. PVC's BIA will include PVC related PV into backup too.
 
-* If the backup contains no resource, validation failure should be returned.
-
 ### Using scenarios:
 Please notice, if the scenario give the example of using old filtering parameters (`--include-cluster-resources`, `--include-resources` and `--exclude-resources`), that means the old parameters also work for this case. If old parameters example is not given, that means they don't work for this scenario, only new parameters (`--include-cluster-scope-resources`, `--include-namespaced-resources`, `--exclude-cluster-scope-resources` and `--exclude-namespaced-resources`) work.
 
-#### no namespaced resources + no cluster resources
-This is not allowed. Backup or restore cannot contain no resource.
-
 #### no namespaced resources + some cluster resources
 The following command means backup no namespaced resources and some cluster resources.
 

pkg/apis/velero/v1/backup.go

@@ -52,6 +52,36 @@ type BackupSpec struct {
 	// +nullable
 	ExcludedResources []string `json:"excludedResources,omitempty"`
 
+	// IncludedClusterScopeResources is a slice of cluster scope
+	// resource type names to include in the backup.
+	// If set to "*", all cluster scope resource types are included.
+	// The default value is empty, which means only related cluster
+	// scope resources are included.
+	// +optional
+	// +nullable
+	IncludedClusterScopeResources []string `json:"includedClusterScopeResources,omitempty"`
+
+	// ExcludedClusterScopeResources is a slice of cluster scope
+	// resource type names to exclude from the backup.
+	// If set to "*", all cluster scope resource types are excluded.
+	// +optional
+	// +nullable
+	ExcludedClusterScopeResources []string `json:"excludedClusterScopeResources,omitempty"`
+
+	// IncludedNamespacedResources is a slice of namespace scope
+	// resource type names to include in the backup.
+	// The default value is "*".
+	// +optional
+	// +nullable
+	IncludedNamespacedResources []string `json:"includedNamespacedResources,omitempty"`
+
+	// ExcludedNamespacedResources is a slice of namespace scope
+	// resource type names to exclude from the backup.
+	// If set to "*", all namespace scope resource types are excluded.
+	// +optional
+	// +nullable
+	ExcludedNamespacedResources []string `json:"excludedNamespacedResources,omitempty"`
+
 	// LabelSelector is a metav1.LabelSelector to filter with
 	// when adding individual objects to the backup. If empty
 	// or nil, all objects are included. Optional.

pkg/backup/backup.go

@@ -205,6 +205,15 @@ func (kb *kubernetesBackupper) BackupWithResolvers(log logrus.FieldLogger,
 	backupRequest.ResourceIncludesExcludes = collections.GetResourceIncludesExcludes(kb.discoveryHelper, backupRequest.Spec.IncludedResources, backupRequest.Spec.ExcludedResources)
 	log.Infof("Including resources: %s", backupRequest.ResourceIncludesExcludes.IncludesString())
 	log.Infof("Excluding resources: %s", backupRequest.ResourceIncludesExcludes.ExcludesString())
+
+	backupRequest.NamespaceResourceIncludesExcludes = collections.GetScopedResourceIncludesExcludes(kb.discoveryHelper, backupRequest.Spec.IncludedNamespacedResources, backupRequest.Spec.ExcludedNamespacedResources, true)
+	log.Infof("Including namespaced resources: %s", backupRequest.NamespaceResourceIncludesExcludes.IncludesString())
+	log.Infof("Excluding namespaced resources: %s", backupRequest.NamespaceResourceIncludesExcludes.ExcludesString())
+
+	backupRequest.ClusterResourceIncludesExcludes = collections.GetScopedResourceIncludesExcludes(kb.discoveryHelper, backupRequest.Spec.IncludedClusterScopeResources, backupRequest.Spec.ExcludedClusterScopeResources, false)
+	log.Infof("Including cluster-scoped resources: %s", backupRequest.ClusterResourceIncludesExcludes.ClusterIncludesString())
+	log.Infof("Excluding cluster-scoped resources: %s", backupRequest.ClusterResourceIncludesExcludes.ExcludesString())
+
 	log.Infof("Backing up all volumes using pod volume backup: %t", boolptr.IsSetToTrue(backupRequest.Backup.Spec.DefaultVolumesToFsBackup))
 
 	var err error
@@ -391,12 +400,24 @@ func (kb *kubernetesBackupper) BackupWithResolvers(log logrus.FieldLogger,
 	// no more progress updates will be sent on the 'update' channel
 	quit <- struct{}{}
 
-	// back up CRD for resource if found. We should only need to do this if we've backed up at least
-	// one item for the resource and IncludeClusterResources is nil. If IncludeClusterResources is false
-	// we don't want to back it up, and if it's true it will already be included.
-	if backupRequest.Spec.IncludeClusterResources == nil {
-		for gr := range backedUpGroupResources {
-			kb.backupCRD(log, gr, itemBackupper)
+	if useOldResourceFilters(backupRequest.Spec) {
+		// back up CRD for resource if found. We should only need to do this if we've backed up at least
+		// one item for the resource when IncludeClusterResources is nil. If IncludeClusterResources is false
+		// we don't want to back it up, and if it's true it will already be included.
+		if backupRequest.Spec.IncludeClusterResources == nil {
+			for gr := range backedUpGroupResources {
+				kb.backupCRD(log, gr, itemBackupper)
+			}
+		}
+	} else {
+		// back up CRD for resource if found. We should only need to do this if we've backed up at least
+		// one item for the resource when cluster-scoped resource filters are not specified.
+		// If cluster-scoped resource filters are set, whether or not to backup up the resource,
+		// depending on whether CRD is included by the filters setting.
+		if len(backupRequest.Spec.IncludedClusterScopeResources) == 0 && len(backupRequest.Spec.ExcludedClusterScopeResources) == 0 {
+			for gr := range backedUpGroupResources {
+				kb.backupCRD(log, gr, itemBackupper)
+			}
 		}
 	}