Add support for container-level immutability to Azure Blob Storage Containers #1098
Conversation
gardener-robot
added
needs/review
gardener-robot-ci-2
added
the
reviewed/ok-to-test
gardener-robot
added
the
size/xl
gardener-robot-ci-2
added
needs/ok-to-test
renormalize
force-pushed
the
immutable-backups
branch
from
4a2552a to
8f67e1f
Compare
gardener-robot-ci-3
added
reviewed/ok-to-test
|
Rebasing since there seems to be merge conflicts with master after #1101. |
* The immutability configuration required to make Azure Blob Storage containers immutable gets deserialized into the `BackupBucketConfig` `struct`. This `struct` now contains the additional field `ImmutableConfig`. * Generated code, mocks, and the api-reference.
* The new `BlobContainers` interface (with `BlobContainersClient` struct) is introduced, which extends the factory pattern used for all other resources in the repository. * The new `BlobContainersClient` uses the `github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage` package, instead of `github.com/Azure/azure-sdk-for-go/sdk/storage/azblob` which is used by `BlobStorageClient`. * `BlobContainersClient` is necessary since `BlobStorageClient` does not expose APIs which can be used to change ABS Container level immutability policies. * Generate the mock client for `BlobContainers`.
…ation. * The reconciler now uses the newly introduced `BlobContainers` client for creation and deletion of the ABS containers. * The reconciler now introduces logic to handle immutability configuration passed to the `BackupBucket` resource.
…he first reconciliation
…rateStorageAccountName`.
… type * `RetentionType` holds the immutability type that is to be used with the bucket. * Ran `make generate`
* Add the webhook which validates the backup configuration of the seed. * Add corresponding unit tests.
renormalize
force-pushed
the
immutable-backups
branch
from
8f67e1f to
c176986
Compare
gardener-robot-ci-2
added
reviewed/ok-to-test
…ilityPolicy`. * Rename `updateBackupBucketIfNeeded` to `ensureBackupBucketImmutabilityPolicy`. * Move all bucket immutability handling into `ensureBackupBucketImmutabilityPolicy`. * Enhance `CreateOrUpdateImmutabilityPolicy` to return the etag of the immutability policy that is created, which will then be used for locking the policy if configured. An unnecessary cal to `GetImmutabilityPolicy` is now avoided.
* Move all `BackupBucket` validation code to `pkg/apis/validation`. * Add unit tests for `ValidateBackupBucketConfigUpdate`
gardener-robot-ci-3
added
the
reviewed/ok-to-test
gardener-robot-ci-1
removed
the
reviewed/ok-to-test
|
It was noticed that control plane migrations of shoots scheduled on seeds with immutable buckets would fail since the However, after more deliberation and research, it was concluded that the proposed changes in the gardener/gardener PR are not the optimal way to solve this problem, as hinted at by the review comments in the gardener/gardener PR. The workaround solution that I propose is to use data lifecycle management policies provided by Azure. This solution is a delayed-delete, which is performed by the infrastructure provider completely by itself. With this approach, we satisfy the immutability properties of objects in the bucket, and avoid making changes to gardener/gardener to make it work with buckets with certain configurations. |
|
This solution was fully agreed upon by the etcd-druid maintainers yesterday, therefore I was not able to include these changes in the initial commits with which I raised this PR. However, the changes will be quite simple. I estimate that I will be able to push them sometime tomorrow. |
| @@ -701,3 +701,48 @@ Some key facts about VMSS Flex based clusters: | |||
| - In case the configuration of the VMSS will change (e.g. amount of fault domains in a region change; configured in the CloudProfile) all machines of the worker pool need to be rolled | |||
| - It is not possible to migrate an existing primary AvailabilitySet based Shoot cluster to VMSS Flex based Shoot cluster and vice versa | |||
| - VMSS Flex based clusters are using `Standard` SKU LoadBalancers instead of `Basic` SKU LoadBalancers for AvailabilitySet based Shoot clusters | |||
|
|
|||
| ## `BackupBucketConfig` | |||
There was a problem hiding this comment.
| ## `BackupBucketConfig` | |
| ## BackupBucketConfig |
|
|
||
| `BackupBucketConfig` describes the configuration that needs to be passed over for creation of the backup bucket infrastructure. Configuration like immutability (WORM, i.e. write-once-read-many) that can be set on the bucket are specified here. Objects in the bucket will inherit the immutability duration which is set on the bucket, and they can not be modified or deleted for that duration. | ||
|
|
||
| This extension supports creating (and migrating already existing buckets) to use [container-level WORM policies](https://learn.microsoft.com/en-us/azure/storage/blobs/immutable-container-level-worm-policies). |
There was a problem hiding this comment.
| This extension supports creating (and migrating already existing buckets) to use [container-level WORM policies](https://learn.microsoft.com/en-us/azure/storage/blobs/immutable-container-level-worm-policies). | |
| This extension supports creating (and migrating already existing buckets if enabled) to use [container-level WORM policies](https://learn.microsoft.com/en-us/azure/storage/blobs/immutable-container-level-worm-policies). |
| ```yaml | ||
| apiVersion: azure.provider.extensions.gardener.cloud/v1alpha1 | ||
| kind: BackupBucketConfig | ||
| immutability: | ||
| retentionType: "bucket" | ||
| retentionPeriod: 24h | ||
| locked: false | ||
| ``` |
There was a problem hiding this comment.
| ```yaml | |
| apiVersion: azure.provider.extensions.gardener.cloud/v1alpha1 | |
| kind: BackupBucketConfig | |
| immutability: | |
| retentionType: "bucket" | |
| retentionPeriod: 24h | |
| locked: false | |
| ``` | |
| apiVersion: azure.provider.extensions.gardener.cloud/v1alpha1 | |
| kind: BackupBucketConfig | |
| immutability: | |
| retentionType: "bucket" | |
| retentionPeriod: 24h | |
| lockedPolicy: false |
Can we use lockedPolicy instead of just locked as to me lockedPolicy name makes more sense ?
There was a problem hiding this comment.
I don't have a strong opinion here. For a boolean value locked is okay.
It will diverge from the GCP spec but let's decide on the correct name and it can be retrofitted if needed.
| ```yaml | ||
| apiVersion: extensions.gardener.cloud/v1alpha1 | ||
| kind: BackupBucket | ||
| metadata: | ||
| name: my-backup-bucket | ||
| spec: | ||
| provider: | ||
| region: westeurope | ||
| secretRef: | ||
| name: my-azure-secret | ||
| namespace: my-namespace | ||
| providerConfig: | ||
| apiVersion: azure.provider.extensions.gardener.cloud/v1alpha1 | ||
| kind: BackupBucketConfig | ||
| immutability: | ||
| retentionType: "bucket" | ||
| retentionPeriod: 24h | ||
| locked: true | ||
| ``` |
There was a problem hiding this comment.
I checked the BackupBucket resource on dev landscape, I didn't find .spec.provider.region. I find this .spec.region, can you please check this again and update this doc accordingly ?
apiVersion: extensions.gardener.cloud/v1alpha1
kind: BackupBucket
metadata:
...
spec:
region: westeurope
secretRef:
name: ..
namespace: garden
type: azure| DescribeTable("Invalid update scenarios", | ||
| func(oldSeed, newSeed *core.Seed, expectedError string) { | ||
| err := seedValidator.Validate(context.Background(), newSeed, oldSeed) | ||
| fmt.Printf("%#v\n", err) |
There was a problem hiding this comment.
may be you forgot to remove this ?
There was a problem hiding this comment.
Will remove in a future commit where newer changes will be introduced. Thanks for noticing.
How to categorize this PR?
/area backup security
/kind enhancement
/platform azure
What this PR does / why we need it:
Mirror of gardener/gardener-extension-provider-gcp#906
Which issue(s) this PR fixes:
Part of gardener/gardener#10866
Tests performed:
immutabilitytonullTests policy deletion while unlocked
immutabilitysectionTests policy deletion while unlocked
providerConfigsectionTests policy deletion while unlocked
Special notes for your reviewer:
This PR introduces a new client
BlobContainersClientwhich is a client for ABS containers.The reason this new client is introduced is because the storage client that was previously used did not expose methods for making the necessary API calls to Azure to modify buckets to become container-level immutable.
These changes also make the container client more uniform with the rest of the codebase.
Release note: