api: add protectedNamespaces field to DRPC and VRG

This new field will be used by DRPC and VRG in the multi namespace mode. When this field is set, it is expected that the PlacementRef and DRPC are created in the RamenOpsNamespace. When set, ramen will treat the resources listed in these namespaces as unmanaged and not controlled by any gitops. It is upto the admins to ensure that only cluster admins of the hub are allowed to create DRPC and Placement Objects in the RamenOpsNamespace. Signed-off-by: Raghavendra Talur <[email protected]>
RamenDR · Mar 30, 2024 · 6269b17 · 6269b17
1 parent fc41b0d
commit 6269b17
Show file tree

Hide file tree

Showing 6 changed files with 64 additions and 0 deletions.
diff --git a/api/v1alpha1/drplacementcontrol_types.go b/api/v1alpha1/drplacementcontrol_types.go
@@ -108,6 +108,14 @@ type DRPlacementControlSpec struct {
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="placementRef is immutable"
 	PlacementRef v1.ObjectReference `json:"placementRef"`
 
+	// ProtectedNamespaces is a list of namespaces that are protected by the DRPC.
+	// Omitting this field means resources are only protected in the namespace controlled by the PlacementRef.
+	// If this field is set, the PlacementRef and the DRPC must be in the RamenOpsNamespace as set in the Ramen Config.
+	// If this field is set, the protected namespace resources are treated as unmanaged.
+	// You can use a recipe to filter and coordinate the order of the resources that are protected.
+	// +kubebuilder:validation:Optional
+	ProtectedNamespaces *[]string `json:"protectedNamespace,omitempty"`
+
 	// DRPolicyRef is the reference to the DRPolicy participating in the DR replication for this DRPC
 	// +kubebuilder:validation:Required
 	// +kubebuilder:validation:XValidation:rule="self == oldSelf", message="drPolicyRef is immutable"

diff --git a/api/v1alpha1/volumereplicationgroup_types.go b/api/v1alpha1/volumereplicationgroup_types.go
@@ -185,6 +185,14 @@ type VolumeReplicationGroupSpec struct {
 	Action VRGAction `json:"action,omitempty"`
 	//+optional
 	KubeObjectProtection *KubeObjectProtectionSpec `json:"kubeObjectProtection,omitempty"`
+
+	// ProtectedNamespaces is a list of namespaces that are considered for protection by the VRG.
+	// Omitting this field means resources are only protected in the namespace where VRG is.
+	// If this field is set, the VRG must be in the Ramen Ops Namespace as configured in the Ramen Config.
+	// If this field is set, the protected namespace resources are treated as unmanaged.
+	// You can use a recipe to filter and coordinate the order of the resources that are protected.
+	//+optional
+	ProtectedNamespaces *[]string `json:"protectedNamespace,omitempty"`
 }
 
 type Identifier struct {

diff --git a/api/v1alpha1/zz_generated.deepcopy.go b/api/v1alpha1/zz_generated.deepcopy.go
diff --git a/config/crd/bases/ramendr.openshift.io_drplacementcontrols.yaml b/config/crd/bases/ramendr.openshift.io_drplacementcontrols.yaml
@@ -210,6 +210,16 @@ spec:
                 description: PreferredCluster is the cluster name that the user preferred
                   to run the application on
                 type: string
+              protectedNamespace:
+                description: |-
+                  ProtectedNamespaces is a list of namespaces that are protected by the DRPC.
+                  Omitting this field means resources are only protected in the namespace controlled by the PlacementRef.
+                  If this field is set, the PlacementRef and the DRPC must be in the RamenOpsNamespace as set in the Ramen Config.
+                  If this field is set, the protected namespace resources are treated as unmanaged.
+                  You can use a recipe to filter and coordinate the order of the resources that are protected.
+                items:
+                  type: string
+                type: array
               pvcSelector:
                 description: |-
                   Label selector to identify all the PVCs that need DR protection.

diff --git a/config/crd/bases/ramendr.openshift.io_protectedvolumereplicationgrouplists.yaml b/config/crd/bases/ramendr.openshift.io_protectedvolumereplicationgrouplists.yaml
@@ -255,6 +255,16 @@ spec:
                             PrepareForFinalSync when set, it tells VRG to prepare for the final sync from source to destination
                             cluster. Final sync is needed for relocation only, and for VolSync only
                           type: boolean
+                        protectedNamespace:
+                          description: |-
+                            ProtectedNamespaces is a list of namespaces that are considered for protection by the VRG.
+                            Omitting this field means resources are only protected in the namespace where VRG is.
+                            If this field is set, the VRG must be in the Ramen Ops Namespace as configured in the Ramen Config.
+                            If this field is set, the protected namespace resources are treated as unmanaged.
+                            You can use a recipe to filter and coordinate the order of the resources that are protected.
+                          items:
+                            type: string
+                          type: array
                         pvcSelector:
                           description: |-
                             Label selector to identify all the PVCs that are in this group

diff --git a/config/crd/bases/ramendr.openshift.io_volumereplicationgroups.yaml b/config/crd/bases/ramendr.openshift.io_volumereplicationgroups.yaml
@@ -205,6 +205,16 @@ spec:
                   PrepareForFinalSync when set, it tells VRG to prepare for the final sync from source to destination
                   cluster. Final sync is needed for relocation only, and for VolSync only
                 type: boolean
+              protectedNamespace:
+                description: |-
+                  ProtectedNamespaces is a list of namespaces that are considered for protection by the VRG.
+                  Omitting this field means resources are only protected in the namespace where VRG is.
+                  If this field is set, the VRG must be in the Ramen Ops Namespace as configured in the Ramen Config.
+                  If this field is set, the protected namespace resources are treated as unmanaged.
+                  You can use a recipe to filter and coordinate the order of the resources that are protected.
+                items:
+                  type: string
+                type: array
               pvcSelector:
                 description: |-
                   Label selector to identify all the PVCs that are in this group