Expose download command/url to debug information perhaps for non-admin backup/restore ops #132

Open
shubham-pampattiwar opened this issue Dec 11, 2024 · 5 comments · May be fixed by #154

@shubham-pampattiwar
Member

This would help debug the B/R as the non-admin user will be able to fetch logs and describe the relevant Backup/Restore objects.

  • Velero CLI should work only on the non-admin user relevant objects
  • Check how to do this via DownloadBackupRequest, mimic Velero CLI behavior for commands like describe and logs using a new CRD
@mateusoliveira43
Contributor

related to #7 ?

@mpryc
Collaborator

mpryc commented Dec 11, 2024

> related to #7 ?

I think so.

@kaovilai
Member

kaovilai commented Jan 28, 2025

From Scrum, we decided on the NAC CLI/controller providing the user an object store URL / path / command that the user can execute to retrieve relevant logs, given they have bucket credentials to the path.

The con is that the non-admin is assumed to have access to the entire bucket, and there are no restrictions enforceable on retrievable paths from the NAC side.

An alternative approach of using a signed URL would enable the possibility of NAC enforcing a short-lived signed URL, so the NAC CLI can download a limited set of items users are granted access to (controlled by NAC) without requiring the user to have bucket credentials.
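
The signed-URL alternative described in the comment above, as an added example that is not part of the thread and not NAC or Velero code: a controller signs a link only for objects under one backup's prefix and only for a short TTL, and the download side rejects expired or altered links. It uses a simplified HMAC scheme rather than an object store's own presigned-URL algorithm; the names `Issue`, `Verify`, `mac`, the key and the sample paths are assumptions.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/url"
	"strconv"
	"strings"
	"time"
)

// mac binds the object path and the expiry together under the controller's key.
func mac(key []byte, path string, exp int64) string {
	h := hmac.New(sha256.New, key)
	fmt.Fprintf(h, "%s\n%d", path, exp)
	return hex.EncodeToString(h.Sum(nil))
}

// Issue (controller side, hypothetical) signs only objects under the requesting user's
// backup prefix. prefix must end in "/" so "backups/a/" does not match "backups/ab/".
func Issue(key []byte, prefix, path string, now time.Time, ttl time.Duration) (string, error) {
	if !strings.HasPrefix(path, prefix) || strings.Contains(path, "..") {
		return "", fmt.Errorf("object is outside the user's backup prefix")
	}
	exp := now.Add(ttl).Unix()
	return fmt.Sprintf("%s?exp=%d&sig=%s", path, exp, mac(key, path, exp)), nil
}

// Verify (download side, hypothetical) recomputes the MAC, then checks expiry.
func Verify(key []byte, link string, now time.Time) bool {
	u, err := url.Parse(link)
	if err != nil {
		return false
	}
	exp, err := strconv.ParseInt(u.Query().Get("exp"), 10, 64)
	if err != nil {
		return false
	}
	ok := hmac.Equal([]byte(u.Query().Get("sig")), []byte(mac(key, u.Path, exp)))
	return ok && now.Unix() <= exp
}

func main() {
	// Constructed key, timestamp and object paths, for illustration only.
	key, now := []byte("constructed-demo-key"), time.Unix(1700000000, 0)
	link, _ := Issue(key, "backups/nab-demo/", "backups/nab-demo/nab-demo-logs.gz", now, 10*time.Minute)
	fmt.Println(link, Verify(key, link, now), Verify(key, link, now.Add(time.Hour)))
}
```

Because the path and expiry are both inside the MAC, changing either one in the link invalidates it, which is the restriction on retrievable paths that bare bucket credentials cannot provide.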

@shubham-pampattiwar
Member Author

Adding on to this:

  • The object storage URL would be part of the NAC object status (NAB/NAR).
  • The NAC object status would be patched with the URL at the end of Backup/Restore operation.
  • The motivation is to add more transparency for debugging via Logs, ResourceList and Errors.
  • Clear documentation would be needed to specify the steps on how to extract the information from the object storage URL.
  • This work would act as a building block for a NAC CLI (if we want to pursue it in the future with expanded scope).

@shubham-pampattiwar shubham-pampattiwar moved this from Todo to In Progress in OADP Jan 28, 2025
@kaovilai
Member

kaovilai commented Jan 28, 2025

> This work would act as a building block for a NAC CLI (if we want to pursue it in the future with expanded scope).

So this issue should be renamed to expose download command/url to debug information perhaps and not exactly CLI building.

@shubham-pampattiwar shubham-pampattiwar changed the title Explore Velero CLI usage for non-admin users Expose download command/url to debug information perhaps for non-admin backup/restore ops Jan 28, 2025
@kaovilai kaovilai linked a pull request Jan 28, 2025 that will close this issue
@kaovilai kaovilai moved this from In Progress to Ready for Review in OADP Feb 7, 2025