  1. OpenShift API for Data Protection
  2. OADP-6583

OADP Virtual Machine Data Protection (VMDP) Implementation

    • Epic
    • Resolution: Unresolved
    • OADP 1.6.0
    • OADP Virtual Machine Data Protection (VMDP)
    • Product / Portfolio Work

      OADP Virtual Machine Data Protection (VMDP) Design Implementation

      Based on OADP Operator PR: #1845

      Replaces Previous Designs: #1827, #1830

      Overview

      The Virtual Machine Data Protection (VMDP) feature introduces an OpenShift-native, client-server architecture that enables file-level backup and restore operations initiated from within OpenShift Virtual Machines. The system integrates with OpenShift APIs and the existing OADP infrastructure, while preserving a clear separation of responsibilities between cluster administrators and VM users.

      Architecture Overview

      VMDP implements a client-server model where:
      • Backup Server: Deployed and managed by the OADP Operator using Kopia server technology
      • VM Clients: File-level backup operations initiated from within VMs
      • Repository Management: Integrated with existing OADP backup storage locations
      • Authentication: User-based access control with repository-level security

      Key Features

      File-Level Backup and Restore

      • User-initiated backup operations from within VMs
      • Selective file and directory backup capabilities
      • Point-in-time restore functionality
      • Integration with Kopia backup technology

      OpenShift Native Integration

      • Seamless integration with OADP infrastructure
      • BackupStorageLocationServer (BSLS) CRD for configuration
      • OpenShift API compatibility
      • Service-based architecture within OADP namespace

      Security and Access Control

      • User-based authentication (username/password)
      • Repository-level access control
      • TLS encryption for client-server communication
      • Secure credential management

      Technical Implementation

      BackupStorageLocationServer CRD

      • New custom resource for backup server configuration
      • Integration with existing DataProtectionApplication (DPA)
      • Automated deployment and lifecycle management
      • TLS certificate and fingerprint management

      Client-Server Communication

      • Kopia server deployed as part of OADP operator
      • Network connectivity requirements for VM-to-backup-server communication
      • Authentication flow: VM User -> [username/password] -> Backup Server -> [repo password] -> Repository

      Repository Management

      • Integration with existing OADP backup storage locations
      • Multi-user repository access
      • Backup retention and lifecycle policies
      • Storage backend compatibility (S3, etc.)

      Design Considerations

      Prerequisites

      • Internal OpenShift networking must allow VMs to connect to Backup Service in OADP namespace
      • Compatible container image for backup server (official Kopia or custom OADP extended image)
      • Image override capabilities via DPA configuration

      User Experience

      • Command-line interface for VM users
      • Preflight connectivity checks for troubleshooting
      • Network connectivity validation
      • Service availability verification
      • Performance and bandwidth checks
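
A preflight check of the kind listed above, combined with the TLS fingerprint item under the BackupStorageLocationServer CRD, could look like the following. This is an added example, not code from OADP or Kopia: the names `PinnedConfig` and `Preflight` are hypothetical, and it assumes the published fingerprint is the hex SHA-256 of the server certificate's DER bytes and that the backup server uses a self-signed certificate.

```go
package main

import (
	"crypto/sha256"
	"crypto/tls"
	"encoding/hex"
	"fmt"
	"log"
	"net"
	"os"
	"strings"
	"time"
)

// PinnedConfig trusts exactly one server certificate: the one whose SHA-256
// fingerprint (hex over the DER bytes) equals pin. Colons and case are ignored.
func PinnedConfig(pin string) *tls.Config {
	want := strings.ToLower(strings.ReplaceAll(pin, ":", ""))
	return &tls.Config{
		MinVersion:         tls.VersionTLS12,
		InsecureSkipVerify: true, // CA chain check is replaced by the pin check below
		VerifyConnection: func(cs tls.ConnectionState) error {
			if len(cs.PeerCertificates) == 0 {
				return fmt.Errorf("server presented no certificate")
			}
			sum := sha256.Sum256(cs.PeerCertificates[0].Raw)
			if got := hex.EncodeToString(sum[:]); got != want {
				return fmt.Errorf("fingerprint mismatch: server presented %s", got)
			}
			return nil
		},
	}
}

// Preflight proves reachability and server identity before any credential is sent.
func Preflight(addr, pin string, timeout time.Duration) error {
	conn, err := tls.DialWithDialer(&net.Dialer{Timeout: timeout}, "tcp", addr, PinnedConfig(pin))
	if err != nil {
		return fmt.Errorf("preflight %s: %w", addr, err)
	}
	return conn.Close()
}

func main() { // usage: preflight <host:port> <sha256-fingerprint>
	if len(os.Args) != 3 {
		log.Fatal("usage: preflight <host:port> <sha256-fingerprint>")
	} else if err := Preflight(os.Args[1], os.Args[2], 5*time.Second); err != nil {
		log.Fatal(err)
	}
}
```

An empty or malformed pin never matches, so the check fails closed; a mismatch reports the fingerprint the server actually presented so it can be compared against the one the administrator published.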

      Administrator Controls

      • Integration with DPA configuration or standalone CRD management
      • Repository quota and storage cap considerations
      • Monitoring and observability features

      Scope and Limitations

      In Scope

      • File-level backup and restore from within VMs
      • User-initiated backup operations
      • Integration with OADP infrastructure
      • Kopia server deployment and management
      • OpenShift-native API integration

      Out of Scope

      • Full VM Protection: Does not modify or replace OADP's snapshot-based backup for entire VMs
      • Application Quiescing: No application-level consistency mechanisms (user responsibility)
      • Block-Level Operations: No support for raw block devices or unmounted partitions
      • Graphical User Interface: No OpenShift Console integration (security and complexity considerations)
      • Storage Quotas: No native mechanisms for enforcing storage quotas at repository level (future enhancement)

      Security Considerations

      Attack Surface Reduction

      • No web UI to minimize CVE impact
      • Limited network exposure
      • Secure authentication mechanisms
      • TLS encryption for all communications

      Multi-User Repository Management

      • Repository-level access control
      • Prevention of cross-user interference
      • Secure credential isolation
      • Configuration protection mechanisms

      Testing Strategy

      • Unit tests for VMDP components
      • Integration tests with OpenShift VMs
      • End-to-end backup and restore validation
      • Network connectivity and security testing
      • Performance benchmarking
      • Multi-user scenario validation

      Target Release

      • Implementation target: OADP 1.6.0
      • Technology Preview phase initially
      • Future enhancements for storage quotas and UI integration

      Benefits

      • Enhanced backup capabilities for VM workloads
      • User-driven backup operations without cluster admin involvement
      • Seamless integration with existing OADP infrastructure
      • Improved data protection for virtualized applications
      • Flexible file-level restore capabilities

              rhn-engineering-mpryc Michal Pryc
              wnstb Wes Hayutin