Restore workspace from backup #1572
Conversation
Allda
requested review from
akurinnoy,
dkwon17,
ibuziuk and
rohanKanojia
as code owners
|
[APPROVALNOTIFIER] This PR is NOT APPROVED This pull-request has been approved by: Allda The full list of commands accepted by this bot can be found here. DetailsNeeds approval from an approver in each of these files:Approvers can indicate their approval by writing |
pkg/library/restore/restore.go
Outdated
| ) (*corev1.Container, error) { | ||
| wokrspaceTempplate := &workspace.Spec.Template | ||
| // Check if restore is requested via workspace attribute | ||
| if !wokrspaceTempplate.Attributes.Exists(constants.WorkspaceRestoreAttribute) { |
There was a problem hiding this comment.
IMHO I think it would be more readable if this check was done by the caller in devworkspace_controller.go
There was a problem hiding this comment.
In the example presented in the Is it tested? How? section of this PR, the example has:
controller.devfile.io/restore-workspace: 'true'
which made me assume that:
controller.devfile.io/restore-workspace: 'false'
would disable the restore functionality for the devworkspace.
Could we also check for "false" string here?
There was a problem hiding this comment.
I extracted the condition and moved it to the controller itself to make the code path easier to read. I also enhanced the logic to recognize the attribute value. The new test verifies that setting a value to false skips the restore container.
A new init container is added to the workspace deployment in case user choose to restore the workspace from backup. By setting workspace attribute "controller.devfile.io/restore-workspace" the controller sets a new init container instead of cloning data from git repository. By default an automated path to restore image is used based on cluster settings. However user is capable overwrite that value using another attribute "controller.devfile.io/restore-source-image". The restore container runs a wokspace-recovery.sh script that pull an image using oras an extract files to a /project directory. Signed-off-by: Ales Raszka <araszka@redhat.com>
A new tests that verifies the workspace is created from a backup. It checks if a deployment is ready and if it contains a new restore init container with proper configuration. There are 2 tests - one focused on common pvc and other that have per-workspace storage. Signed-off-by: Ales Raszka <araszka@redhat.com>
The condition whether an workspace should be restored from workspace was in the restore module itself. This make a reading a code more difficult. Now the condition is checked in the controller itself and restore container is only added when enabled. This commit also fixes few minor changes based on the code review comments: - Licence header - Attribute validation - Add a test for disabled workspace recovery - Typos Signed-off-by: Ales Raszka <araszka@redhat.com>
A new config is added to control the restore container. Default values are set for the new init container. It can be changed by user in the config. The config uses same logic as the project clone container config. Signed-off-by: Ales Raszka <araszka@redhat.com>
Allda
force-pushed
the
23570-restore-workspace
branch
from
1b95d94 to
5480c1c
Compare
| BackupCronJob: &controllerv1alpha1.BackupCronJobConfig{ | ||
| Enable: ptr.To[bool](true), | ||
| Registry: &controllerv1alpha1.RegistryConfig{ | ||
| Path: "localhost:5000", |
There was a problem hiding this comment.
@dkwon17 For the purposes of the integration tests, I need a valid backup container somewhere in a registry (the container could be empty with vely low size) to be able start and successfully execute the restore container. What would be the best place to upload it?
To verify the tests works I used my local registry, but that's not an option for running it outside of the localhost.
There was a problem hiding this comment.
have just created https://quay.io/repository/devfile/project-backup-test?tab=info
There was a problem hiding this comment.
@ibuziuk, could you please give me a push permission to the repo so I can push the image there? My Quay account is araszka
|
@Allda : I'm facing a strange issue while testing this functionality on CRC cluster . I've tried on both amd64 and arm64 variants but face same issue. I used samples/plain-workspace.yaml for testing. Everything goes fine till step 4, but when I create the restore backup manifest I can see devworkspace resource is created but there is no corresponding pod for it: oc create -f restore-dw.yaml
devworkspace.workspace.devfile.io/plain-devworkspace created
oc get dw
NAME DEVWORKSPACE ID PHASE INFO
plain-devworkspace workspace612b8ddca9ff45d5 Running Workspace is running
oc get pods
No resources found in rokumar-dev namespace.I had just modified the name from the restore manifest you shared: kind: DevWorkspace
apiVersion: workspace.devfile.io/v1alpha2
metadata:
labels:
controller.devfile.io/creator: ""
name: plain-devworkspace
spec:
started: true
routingClass: 'basic'
template:
attributes:
controller.devfile.io/storage-type: common
controller.devfile.io/restore-workspace: 'true'Could you please check if I'm missing something? |
I am not sure why it doesn't work on your system. I tried the workspace you mentioned and the backup and other pods were created successfully. Are there any logs you can share or see if the workspace has any pods at the very start? |
|
@Allda : Okay, I'll try it again and report back |
Signed-off-by: Ales Raszka <araszka@redhat.com>
Allda
force-pushed
the
23570-restore-workspace
branch
from
368a98f to
9db9b7c
Compare
|
I was able to successfully restore a real Dev Spaces project: |
| mkdir /tmp/extracted-backup | ||
| tar -xzvf /tmp/devworkspace-backup.tar.gz -C /tmp/extracted-backup | ||
|
|
||
| cp -r /tmp/extracted-backup/* "$PROJECTS_ROOT" |
There was a problem hiding this comment.
Maybe we should restore only if $PROJECTS_ROOT is empty so that restoration happens only once?
Because, if not, we can run into this case:
1. Workspace starts, restores from image
2. User makes changes to project
3. User stops workspace
4. User starts workspace
5. Restore init conatiner restores $PROJECTS_ROOT
6. Changes from 2. are gone since files were overwritten
There was a problem hiding this comment.
Sure, I can change that. Or is there any other mechanism or indicator that worskspace was stopped and it resumed? If so I could skip adding the restore container.
There was a problem hiding this comment.
One clarifying question... How is the scenario you described handled for the clone container? Does it clone a repo again or does it skip the cloning?
There was a problem hiding this comment.
is there any other mechanism or indicator that workspace was stopped and it resumed?
Unfortunately we don't have a robust way to detect that today
Currently for the project clone container, the cloning is skipped when the project has already been cloned and is available under /projects:
devworkspace-operator/project-clone/internal/utils.go
Lines 30 to 41 in b79d90d
There was a problem hiding this comment.
Sure, I added a logic to skip the restore function in case a project dir is not empty.
The function handleRegistryAuthSecret is also needed for restore action. The backup controller is not a right place for it as it can't be reused. Moving it to separate module to be reusable. Signed-off-by: Ales Raszka <araszka@redhat.com>
pkg/library/restore/restore.go
Outdated
|
|
||
| if !hasContainerComponents(workspaceTemplate) { | ||
| // Avoid adding restore init container when DevWorkspace does not define any containers | ||
| return nil, nil |
There was a problem hiding this comment.
@rohanKanojia for your comment: #1572 (comment)
I believe you're running into this case?
There was a problem hiding this comment.
Yeah I'm trying to literally create the same DevWorkspace manifest as provided in the description.
It started working when I provided full DevWorkspace manifest with restore attribute
The workspace restore process now support access to registries that require authentication. The default operator config is used to detect a right secret name and the secret is injected to the container as a volume. The second part of the commit adds support for OCP build-in registry. With this registry a user doesn't have to provide any secrets because a workspace service account have image puller role associated using role bindings. Signed-off-by: Ales Raszka <araszka@redhat.com>
The image stream created by the backup mechanism can't be owned by the workspace otherwise a deletion of the workspace also deletes the image stream. Removing the reference keep these 2 objects unrelated. Signed-off-by: Ales Raszka <araszka@redhat.com>
In case a workspace directory is not empty the restore process should just log the event and skip the restoration. This logic is added to not override data in case a workspace is resumed. Usual flow: - create a workspace and enable restoration - a restore container restores data from backup - a user updates files in workspace - a user stops a workspace - a user resumes a workspace - a restore container skips the restore process due to not empty dir Signed-off-by: Ales Raszka <araszka@redhat.com>
|
@dkwon17 I extended the controller to support an authenticated registry and also natively support the default built-in OCP registry. I tested it with multiple scenarios:
|
|
@Allda: The following test failed, say
Full PR test history. Your PR dashboard. DetailsInstructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here. |
| defaultRoleName := common.WorkspaceRoleName() | ||
| defaultRolebindingName := common.WorkspaceRolebindingName() | ||
| if err := addServiceAccountToRolebinding(saName, workspace.Namespace, defaultRoleName, defaultRolebindingName, api); err != nil { | ||
| if err := addServiceAccountToRolebinding(saName, workspace.Namespace, defaultRoleName, defaultRolebindingName, "Role", api); err != nil { |
There was a problem hiding this comment.
Could we define "Role" and "ClusterRole" as a constant in https://github.com/devfile/devworkspace-operator/blob/23570-restore-workspace/pkg/constants/constants.go ?
| if registryAuthSecret != nil { | ||
| // Add the registry auth secret volume | ||
| devfilePodAdditions.Volumes = append(devfilePodAdditions.Volumes, corev1.Volume{ | ||
| Name: "registry-auth-secret", |
There was a problem hiding this comment.
Could we define registry-auth-secret as a constant in https://github.com/devfile/devworkspace-operator/blob/23570-restore-workspace/pkg/constants/constants.go ?
|
@Allda thank you for the updates,
I ran into some issues with this in my lab cluster where the auth secret isn't mounting properly onto the restore initcontainer, I will investigate more on Monday and provide more feedback |
What does this PR do?
Add init container for workspace restoration
A new init container is added to the workspace deployment in case user choose to restore the workspace from backup.
By setting the workspace attribute "controller.devfile.io/restore-workspace" the controller sets a new init container instead of cloning data from git repository.
By default an automated path to restore image is used based on cluster settings. However user is capable overwrite that value using another attribute "controller.devfile.io/restore-source-image".
The restore container runs a wokspace-recovery.sh script that pull an image using oras an extract files to a /project directory.
What issues does this PR fix or reference?
#1525
Is it tested? How?
No automated tests are available in the first phase. I will add tests once I get the first approval that the concept is ok.
How to test:
kubectl delete devworkspace restore-workspace-2controller.devfile.io/restore-workspace)PR Checklist
/test v8-devworkspace-operator-e2e, v8-che-happy-pathto trigger)v8-devworkspace-operator-e2e: DevWorkspace e2e testv8-che-happy-path: Happy path for verification integration with CheWhat's missing: