Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

[doc] OBJ resource usage #213

Merged
merged 4 commits into from
Mar 27, 2024
Merged
Show file tree
Hide file tree
Changes from all commits
Commits
File filter

Filter by extension

Filter by extension

Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
8 changes: 4 additions & 4 deletions controller/linodeobjectstoragebucket_controller_test.go
Original file line number Diff line number Diff line change
Expand Up @@ -53,7 +53,7 @@ func mockLinodeClientBuilder(m *mock.MockLinodeObjectStorageClient) scope.Linode
}
}

var _ = Describe("lifecycle", Label("lifecycle"), func() {
var _ = Describe("lifecycle", Ordered, Label("bucket", "lifecycle"), func() {
var mockCtrl *gomock.Controller
var reconciler *LinodeObjectStorageBucketReconciler
var testLogs *bytes.Buffer
Expand Down Expand Up @@ -306,7 +306,7 @@ var _ = Describe("lifecycle", Label("lifecycle"), func() {
})
})

var _ = Describe("pre-reconcile", Label("pre-reconcile"), func() {
var _ = Describe("pre-reconcile", Label("bucket", "pre-reconcile"), func() {
var obj infrav1.LinodeObjectStorageBucket
var mockCtrl *gomock.Controller
var reconciler *LinodeObjectStorageBucketReconciler
Expand Down Expand Up @@ -378,7 +378,7 @@ var _ = Describe("pre-reconcile", Label("pre-reconcile"), func() {
})
})

var _ = Describe("apply", Label("apply"), func() {
var _ = Describe("apply", Label("bucket", "apply"), func() {
var obj infrav1.LinodeObjectStorageBucket
var mockCtrl *gomock.Controller
var testLogs *bytes.Buffer
Expand Down Expand Up @@ -421,7 +421,7 @@ var _ = Describe("apply", Label("apply"), func() {
}
})

It("fails when a finalizer cannot be added", Label("current"), func(ctx SpecContext) {
It("fails when a finalizer cannot be added", func(ctx SpecContext) {
mockK8sClient := mock.NewMockk8sClient(mockCtrl)
prev := mockK8sClient.EXPECT().
Scheme().
Expand Down
1 change: 1 addition & 0 deletions docs/src/SUMMARY.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@
- [k3s](./topics/flavors/k3s.md)
- [rke2](./topics/flavors/rke2.md)
- [Etcd](./topics/etcd.md)
- [Backups](./topics/backups.md)
- [Multi-Tenancy](./topics/multi-tenancy.md)
- [Development](./developers/development.md)
- [Releasing](./developers/releasing.md)
Expand Down
116 changes: 116 additions & 0 deletions docs/src/topics/backups.md
Original file line number Diff line number Diff line change
@@ -0,0 +1,116 @@
# Backups

CAPL supports performing etcd backups by provisioning an Object Storage bucket and access keys. This feature is not enabled by default and can be configured as an addon.

```admonish warning
Enabling this addon requires enabling Object Storage in the account where the resources will be provisioned. Please refer to the [Pricing](https://www.linode.com/docs/products/storage/object-storage/#pricing) information in Linode's [Object Storage documentation](https://www.linode.com/docs/products/storage/object-storage/).
```

## Enabling Backups

TODO

## Object Storage

Additionally, CAPL can be used to provision Object Storage buckets and access keys for general purposes by configuring a `LinodeObjectStorageBucket` resource.

```admonish warning
Using this feature requires enabling Object Storage in the account where the resources will be provisioned. Please refer to the [Pricing](https://www.linode.com/docs/products/storage/object-storage/#pricing) information in Linode's [Object Storage documentation](https://www.linode.com/docs/products/storage/object-storage/).
```

### Bucket Creation

The following is the minimal required configuration needed to provision an Object Storage bucket and set of access keys.

```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
kind: LinodeObjectStorageBucket
metadata:
name: <unique-bucket-label>
namespace: <namespace>
spec:
cluster: <object-storage-region>
secretType: Opaque
```

Upon creation of the resource, CAPL will provision a bucket in the region specified using the `.metadata.name` as the bucket's label.

```admonish warning
The bucket label must be unique within the region across all accounts. Otherwise, CAPL will populate the resource status fields with errors to show that the operation failed.
```

### Access Keys Creation

CAPL will also create `read_write` and `read_only` access keys for the bucket and store credentials in a secret in the same namespace where the `LinodeObjectStorageBucket` was created:

```yaml
apiVersion: v1
kind: Secret
metadata:
name: <unique-bucket-label>-access-keys
namespace: <same-namespace-as-object-storage-bucket>
ownerReferences:
- apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
kind: LinodeObjectStorageBucket
name: <unique-bucket-label>
controller: true
data:
bucket_name: <unique-bucket-label>
access_key_rw: <base64-encoded-access-key>
secret_key_rw: <base64-encoded-secret-key>
access_key_ro: <base64-encoded-access-key>
secret_key_ro: <base64-encoded-secret-key>
```

The access key secret is owned and managed by CAPL during the life of the `LinodeObjectStorageBucket`.

### Access Keys Rotation

The following configuration with `keyGeneration` set to a new value (different from `.status.lastKeyGeneration`) will instruct CAPL to rotate the access keys.

```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
kind: LinodeObjectStorageBucket
metadata:
name: <unique-bucket-label>
namespace: <namespace>
spec:
cluster: <object-storage-region>
secretType: Opaque
keyGeneration: 1
# status:
# lastKeyGeneration: 0
```

### Bucket Status

Upon successful provisioning of a bucket and keys, the `LinodeObjectStorageBucket` resource's status will resemble the following:

```yaml
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
kind: LinodeObjectStorageBucket
metadata:
name: <unique-bucket-label>
namespace: <namespace>
spec:
cluster: <object-storage-region>
secretType: Opaque
keyGeneration: 0
status:
ready: true
conditions:
- type: Ready
status: "True"
lastTransitionTime: <timestamp>
hostname: <hostname-for-bucket>
creationTime: <bucket-creation-timestamp>
lastKeyGeneration: 0
keySecretName: <unique-bucket-label>-access-keys
accessKeyRefs:
- <access-key-rw-id>
- <access-key-ro-id>
```

### Resource Deletion

When deleting a `LinodeObjectStorageBucket` resource, CAPL will deprovision the access keys and managed secret but retain the underlying bucket to avoid unintended data loss.
1 change: 1 addition & 0 deletions docs/src/topics/getting-started.md
Original file line number Diff line number Diff line change
Expand Up @@ -11,6 +11,7 @@ Make sure to create the token with at least the following read/write permissions
- Volumes
- VPCs
- IPs
- Object Storage

```admonish question title=""
For more information please see the
Expand Down
10 changes: 10 additions & 0 deletions docs/src/topics/multi-tenancy.md
Original file line number Diff line number Diff line change
Expand Up @@ -51,6 +51,16 @@ spec:
credentialsRef:
name: linode-credentials
...
---
# Example: LinodeObjectStorageBucket
apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
kind: LinodeObjectStorageBucket
metadata:
name: test-bucket
spec:
credentialsRef:
name: linode-credentials
...
```

Secrets from other namespaces by additionally specifying an optional
Expand Down