Design: Velero client download APIServer

[kaovilai]

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Thank you for contributing to Velero!

Please add a summary of your change

Does your change fix a particular issue?

Fixes #7432

Please indicate you've done the following:

• Accepted the DCO. Commits without the DCO will delay acceptance.
• Created a changelog file or added /kind changelog-not-required as a comment on this pull request.
• Updated the corresponding documentation in site/content/docs/main.

Slack threads:

• examples of immutable resources https://kubernetes.slack.com/archives/C021GPR1L3S/p1709329227490779

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 58.83%. Comparing base (bc29471) to head (119ac46).
Report is 142 commits behind head on main.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #7344      +/-   ##
==========================================
+ Coverage   58.49%   58.83%   +0.34%     
==========================================
  Files         343      345       +2     
  Lines       28457    28798     +341     
==========================================
+ Hits        16646    16944     +298     
- Misses      10392    10425      +33     
- Partials     1419     1429      +10     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

[kaovilai]

/kind changelog-not-required

[ywk253100]

The alternative approach is that the DownloadRequest Reconciler decides the correct way to download the data and return the URL, the Velero CLI doesn't need to care about the details, it just gets the URL from the DownloadURL field.
The benefit of this approach is that there are some other downstream products/projects rely on the DownloadRequest directly to download the data, they don't need to change to work with the download server.

[shawn-hurley]

IIUC @ywk253100, you are advocating that for some object stores, we would want to use the signed URL that is returned and not the download request when it is not needed?

If that is the case I agree, I wonder how we will determine that though?

[ywk253100]

IIUC @ywk253100, you are advocating that for some object stores, we would want to use the signed URL that is returned and not the download request when it is not needed?

No, What I'm saying is that we always read the URL from the downloadURL field of the download request rather than adding a new veleroServerURL.

If that is the case I agree, I wonder how we will determine that though?

We can add a new field in the BSL spec to determine how to get the URL.

[kaovilai]

I like this idea.

[kaovilai]

decides the correct way to download the data

Not sure if there's an easy way to determine from DR reconciler what cli has access to.. CLI can perhaps create another CR saying prior attempt was unsuccessful so the next DR url returned would be download server url.

[ywk253100]

If we add a new field (e.g. downloadViaVeleroServer bool) to the BSL spec, the DR reconciler can determine which URL (the URL of direct access or via the Velero server) should be returned.
And the CLI doesn't need to care about this, it downloads the data from the downloadURL of DR.

[ywk253100]

What is the command used here for?

[kaovilai]

This is for the case where user shell only has kubectl, and not velero CLI. They can access velero CLI via kubectl exec command.

If executing velero CLI from velero pod, it would be possible to use cluster.local address and/or localhost address.

[shawn-hurley]

I am a little confused about when this is used. Is this just for documentation for a user to be able to access things if they don't have a velero CLI installed?

[kaovilai]

A little technique, that could have code dedicated to it. Since download api server is a fallback, we can move this out of scope or remove entirely.

[kaovilai]

An example of where we told folks they could alias velero command so they don't need to actually install anything to their machine to use velero CLI functions.

https://access.redhat.com/articles/5456281#:~:text=alias%20velero%3D%27oc%20%2Dn%20openshift%2Dadp%20exec%20deployment/velero%20%2Dc%20velero%20%2Dit%20%2D%2D%20./velero%27

[ywk253100]

Velero CLI isn't the only client talks to the server, so it's possible there is no kubeconfig file.

How about we follow the similar way the object storage uses that generate a signed URL with a secret? Only the requests with the signed URL are valid.

[kaovilai]

Velero CLI isn't the only client talks to the server

I was not aware. Can you clarify what else talks to the server in this way?

[ywk253100]

In our downstream product, the client runs inside the pod and uses CRs directly to talk to the server.

Currently, if users have permission to create the DownloadReqeust then they have permission to download data from the object storage, and a signed URL is returned. The permission checking happens actually against the DownloadRequest. The object storage only checks the request is signed and valid. So we can follow the same pattern that in the download server side we only check the request is signed and valid.

[kaovilai]

Ok so just as long as DownloadRequests is able to get created, and the velero CLI have permission to read its status, then the signedUrl there should be usable without the kubeconfig mechanism proposed.

[ywk253100]

Yes.

[shawn-hurley]

This is scary to have URLs that contain the entire backup that could be world accessible.

If we go down this path I think you have to have the link expire at some reasonable time

[ywk253100]

If we go down this path I think you have to have the link expire at some reasonable time

Yes, we can follow the way how object storage does

[ywk253100]

This should be configurable

[shawn-hurley]

I would also explore when an ingress/router can use a CA cert and doesn't want to re-encrypt to talk to the service.

[ywk253100]

Could you add a section about what the endpoint looks like?

[kaovilai]

Yes. Will do. I think we can simply use the same path pattern as to how the files are stored today.. so something like /backups/<backupName>/<contents>/...

[shawn-hurley]

I think this is looking really good! I am glad that we are making progress on this!

[shawn-hurley]

IIUC @ywk253100, you are advocating that for some object stores, we would want to use the signed URL that is returned and not the download request when it is not needed?

If that is the case I agree, I wonder how we will determine that though?

[shawn-hurley]

I am a little confused about when this is used. Is this just for documentation for a user to be able to access things if they don't have a velero CLI installed?

[shawn-hurley]

I would also explore when an ingress/router can use a CA cert and doesn't want to re-encrypt to talk to the service.

[kaovilai]

Will be researching more info around cacerts for this design.

[ywk253100]

@kaovilai Do you think we should put the download server in a separate pod or in the same pod with Velero server? Could you also clarify this in the design?

[kaovilai]

I think a separate pod would be overkill in terms of resource requirements. Most of the time there's no download request to serve.