feat(23570): Add controller for workspace backup (#1530)

A new backup controller orchestrates a backup process for workspace PVC.
A new configuration option is added to DevWorkspaceOperatorConfig that
enables running regular cronjob that is responsible for backup
mechanism. The job executes following steps:
- Find a workspaces
- Finds out that workspace has been recently stopped
- Detect a workspace PVC
- Execute a job in the same namespace that does the backup

Signed-off-by: Ales Raszka <araszka@redhat.com>

Author: Allda

.github/workflows/next-build.yml

@@ -73,6 +73,17 @@ jobs:
           quay.io/devfile/project-clone:sha-${{ steps.git-sha.outputs.sha }}
         file: ./project-clone/Dockerfile
 
+    - name: Build and push
+      uses: docker/build-push-action@0a97817b6ade9f46837855d676c4cca3a2471fc9 #v4.2.1
+      with:
+        context: ./project-backup
+        push: true
+        platforms: linux/amd64, linux/arm64, linux/ppc64le, linux/s390x
+        tags: |
+          quay.io/devfile/project-backup:next
+          quay.io/devfile/project-backup:sha-${{ steps.git-sha.outputs.sha }}
+        file: ./project-backup/Dockerfile
+
   build-next-olm-imgs:
     runs-on: ubuntu-latest
     needs: build-next-imgs
@@ -147,6 +158,7 @@ jobs:
           export TAG="sha-${{ needs.build-next-imgs.outputs.git-sha }}"
           export DEFAULT_DWO_IMG="quay.io/devfile/devworkspace-controller:$TAG"
           export PROJECT_CLONE_IMG="quay.io/devfile/project-clone:$TAG"
+          export PROJECT_BACKUP_IMG="quay.io/devfile/project-backup:$TAG"
 
           # Next builds are not rolled out unless the version is incremented. We want to use semver
           # prerelease tags to make sure each new build increments on the previous one, e.g.

.github/workflows/pr.yml

@@ -130,3 +130,6 @@ jobs:
     -
       name: Check if project-clone dockerimage build is working
       run: docker build -f ./project-clone/Dockerfile .
+    -
+      name: Check if project-backup containerimage build is working
+      run: docker build -f ./project-backup/Containerfile project-backup/

Makefile

@@ -26,6 +26,7 @@ export DWO_IMG ?= quay.io/devfile/devworkspace-controller:next
 export DWO_BUNDLE_IMG ?= quay.io/devfile/devworkspace-operator-bundle:next
 export DWO_INDEX_IMG ?= quay.io/devfile/devworkspace-operator-index:next
 export PROJECT_CLONE_IMG ?= quay.io/devfile/project-clone:next
+export PROJECT_BACKUP_IMG ?= quay.io/devfile/project-backup:next
 export PULL_POLICY ?= Always
 export DEFAULT_ROUTING ?= basic
 export KUBECONFIG ?= ${HOME}/.kube/config
@@ -128,6 +129,7 @@ _print_vars:
 	@echo "    DWO_BUNDLE_IMG=$(DWO_BUNDLE_IMG)"
 	@echo "    DWO_INDEX_IMG=$(DWO_INDEX_IMG)"
 	@echo "    PROJECT_CLONE_IMG=$(PROJECT_CLONE_IMG)"
+	@echo "    PROJECT_BACKUP_IMG=$(PROJECT_BACKUP_IMG)"
 	@echo "    PULL_POLICY=$(PULL_POLICY)"
 	@echo "    ROUTING_SUFFIX=$(ROUTING_SUFFIX)"
 	@echo "    DEFAULT_ROUTING=$(DEFAULT_ROUTING)"
@@ -369,6 +371,7 @@ help: Makefile
 	@echo 'Supported environment variables:'
 	@echo '    DWO_IMG                    - Image used for controller'
 	@echo '    PROJECT_CLONE_IMG          - Image used for project-clone init container'
+	@echo '    PROJECT_BACKUP_IMG         - Image used for project-backup workspace backup container'
 	@echo '    NAMESPACE                  - Namespace to use for deploying controller'
 	@echo '    KUBECONFIG                 - Kubeconfig which should be used for accessing to the cluster. Currently is: $(KUBECONFIG)'
 	@echo '    ROUTING_SUFFIX             - Cluster routing suffix (e.g. $$(minikube ip).nip.io, apps-crc.testing)'

apis/controller/v1alpha1/devworkspaceoperatorconfig_types.go

@@ -72,6 +72,47 @@ type CleanupCronJobConfig struct {
 	Schedule string `json:"schedule,omitempty"`
 }
 
+type RegistryConfig struct {
+	// A registry where backup images are stored. Images are stored
+	// in {path}/${DEVWORKSPACE_NAMESPACE}/${DEVWORKSPACE_NAME}:latest
+	// +kubebuilder:validation:Required
+	Path string `json:"path,omitempty"`
+	// AuthSecret is the name of a Kubernetes secret of
+	// type kubernetes.io/dockerconfigjson.
+	// The secret is expected to be in the same namespace the workspace is running in.
+	// If secret is not found in the workspace namespace, the operator will look for the secret
+	// in the namespace where the operator is running in.
+	// as the DevWorkspaceOperatorCongfig.
+	// The secret must contain "controller.devfile.io/watch-secret=true" label so that it can be
+	// recognized by the operator.
+	// +kubebuilder:validation:Optional
+	AuthSecret string `json:"authSecret,omitempty"`
+}
+
+type OrasConfig struct {
+	// ExtraArgs are additional arguments passed to the oras CLI
+	// +kubebuilder:validation:Optional
+	ExtraArgs string `json:"extraArgs,omitempty"`
+}
+
+type BackupCronJobConfig struct {
+	// Enable determines whether backup CronJobs should be created for workspace PVCs.
+	// Defaults to false if not specified.
+	// +kubebuilder:validation:Optional
+	Enable *bool `json:"enable,omitempty"`
+	// RegistryConfig defines the registry configuration where backup images are stored.
+	// +kubebuilder:validation:Required
+	Registry *RegistryConfig `json:"registry,omitempty"`
+	// OrasConfig defines additional configuration options for the oras CLI used to
+	// push and pull backup images.
+	OrasConfig *OrasConfig `json:"oras,omitempty"`
+	// Schedule specifies the cron schedule for the backup cron job.
+	// For example, "0 1 * * *" runs daily at 1 AM.
+	// +kubebuilder:default:="0 1 * * *"
+	// +kubebuilder:validation:Optional
+	Schedule string `json:"schedule,omitempty"`
+}
+
 type RoutingConfig struct {
 	// DefaultRoutingClass specifies the routingClass to be used when a DevWorkspace
 	// specifies an empty `.spec.routingClass`. Supported routingClasses can be defined
@@ -189,6 +230,8 @@ type WorkspaceConfig struct {
 	RuntimeClassName *string `json:"runtimeClassName,omitempty"`
 	// CleanupCronJobConfig defines configuration options for a cron job that automatically cleans up stale DevWorkspaces.
 	CleanupCronJob *CleanupCronJobConfig `json:"cleanupCronJob,omitempty"`
+	// BackupCronJobConfig defines configuration options for a cron job that automatically backs up workspace PVCs.
+	BackupCronJob *BackupCronJobConfig `json:"backupCronJob,omitempty"`
 	// PostStartTimeout defines the maximum duration the PostStart hook can run
 	// before it is automatically failed. This timeout is used for the postStart lifecycle hook
 	// that is used to run commands in the workspace container. The timeout is specified in seconds.
@@ -331,14 +374,26 @@ type ConfigmapReference struct {
 	Namespace string `json:"namespace"`
 }
 
+type OperatorConfigurationStatus struct {
+	// Conditions represent the latest available observations of the OperatorConfiguration's state
+	Conditions []metav1.Condition `json:"conditions,omitempty"`
+	// LastBackupTime is the timestamp of the last successful backup. Nil if
+	// no backup is configured or no backup has yet succeeded.
+	LastBackupTime *metav1.Time `json:"lastBackupTime,omitempty"`
+}
+
 // DevWorkspaceOperatorConfig is the Schema for the devworkspaceoperatorconfigs API
 // +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
 // +kubebuilder:resource:path=devworkspaceoperatorconfigs,scope=Namespaced,shortName=dwoc
 type DevWorkspaceOperatorConfig struct {
 	metav1.TypeMeta   `json:",inline"`
 	metav1.ObjectMeta `json:"metadata,omitempty"`
 
 	Config *OperatorConfiguration `json:"config,omitempty"`
+	// Status represents the current status of the DevWorkspaceOperatorConfig
+	// automatically managed by the DevWorkspace Operator.
+	Status *OperatorConfigurationStatus `json:"status,omitempty"`
 }
 
 // DevWorkspaceOperatorConfigList contains a list of DevWorkspaceOperatorConfig

apis/controller/v1alpha1/zz_generated.deepcopy.go

@@ -31,7 +31,7 @@
 set -e
 
 # List of environment variables that will be replaced by envsubst
-SUBST_VARS='$NAMESPACE $DWO_IMG $PROJECT_CLONE_IMG $ROUTING_SUFFIX $DEFAULT_ROUTING $PULL_POLICY'
+SUBST_VARS='$NAMESPACE $DWO_IMG $PROJECT_CLONE_IMG $PROJECT_BACKUP_IMG $ROUTING_SUFFIX $DEFAULT_ROUTING $PULL_POLICY'
 
 SCRIPT_DIR=$(cd "$(dirname "$0")"; pwd)
 DEPLOY_DIR="$SCRIPT_DIR/../../deploy/"
@@ -58,6 +58,11 @@ Arguments:
       '--use-defaults' is passed; otherwise, the value of the PROJECT_CLONE_IMG
       environment variable is used. If unspecifed, the default value of
       'quay.io/devfile/project-clone:next' is used.
+  --project-backup-image
+      Image to use for the project backup workspace. Used only when
+      '--use-defaults' is passed; otherwise, the value of the PROJECT_BACKUP_IMG
+      environment variable is used. If unspecifed, the default value of
+      'quay.io/devfile/project-backup:next' is used.
   --split-yaml
       Parse output file combined.yaml into a yaml file for each record
       in combined yaml. Files are output to the 'objects' subdirectory
@@ -96,6 +101,10 @@ while [[ "$#" -gt 0 ]]; do
       PROJECT_CLONE_IMG=$2
       shift
       ;;
+      --project-backup-image)
+      PROJECT_BACKUP_IMG=$2
+      shift
+      ;;
       --split-yamls)
       SPLIT_YAMLS=true
       ;;
@@ -118,6 +127,7 @@ if $USE_DEFAULT_ENV; then
   export NAMESPACE=devworkspace-controller
   export DWO_IMG=${DEFAULT_DWO_IMG:-"quay.io/devfile/devworkspace-controller:next"}
   export PROJECT_CLONE_IMG=${PROJECT_CLONE_IMG:-"quay.io/devfile/project-clone:next"}
+  export PROJECT_BACKUP_IMG=${PROJECT_BACKUP_IMG:-"quay.io/devfile/project-backup:next"}
   export PULL_POLICY=Always
   export DEFAULT_ROUTING=basic
   export DEVWORKSPACE_API_VERSION=a6ec0a38307b63a29fad2eea945cc69bee97a683