Ability for non-admin users to create BackupStorageLocations(BSL)

[shubham-pampattiwar]

Add the the functionality of providing the non-admin users the ability to create their own BackupStorageLocations. In other words BYOB (Bring your own Bucket/BSL). The task would entail:

• Introduction of a Non-Admin NackupStorageLocation CRD (NABSL)
• NABSL controller
  • The NABSL controller would cascade the BSL request to Velero controller
  • Validation that the NABSL CR is appropriate and relevant secrets from non-admin user are also obtained (note that authenticating the access keys will not be the NABSL controller's responsiblity)
  • The NABSL request can be create/update/view/delete BSL type requests
  • NABSL controller would be responsible of gathering the status Velero BSL and updating the status of NABSL CR, keeping them in sync
  • Every BSL needs user access keys and storage credentials, NABSL controller will be responsible for provisioning them in Velero NS, once they are provided by the non-admin user
• Addition of Validating Webhooks to ensure that only give Velero CLI/OC access is available to the non-admin user's relevant BSL CRs
• Control over general Velero BSL Spec that gets exposed or allow listed via NABSL CRD spec.

[shubham-pampattiwar]

Lets target for this phase 1 with an optional cluster-wide BSL usage flag.

[shubham-pampattiwar]

Additional responsibilities of the controller:

• Ensure non-sharing of Non-Admin BSL
• Non-BSL Sync could be another responsibility
• Types of Authentication supported

[mateusoliveira43]

Velero Backup spec has the field storageLocation (and current NonAdminBackup also has it). Should we put some validation or even remove that field from NonAdminBackup :question: My fear is that non admin user can use a admin BSL for backups.

I think this is not https://github.com/migtools/oadp-non-admin/issues/37 responsibility, because this should be a always active check, and not only admin user turns it on.

Maybe add to OADP DPA which BSL NAC will use (bad UX if NAC is used by many non admin users :question:) or with this feature, only allow NonAdminBackups if a NonAdminBackupStorageLocation exists and add a field in NonAdminBackup spec and remove storageLocation from backupSpec.