OpenShift API for Data Protection / OADP-6137

Kopia repository options settings


      Kopia Repository Configuration Options

      What is the nature and description of the request?

      Upstream Velero makes use of kopia repositories but does little to expose the various options such as compression, encryption, and splitter algorithms. Depending on the environment, these can have a significant impact on storage and compute resources.

       

      The existing implementation forces everyone into a single set of options. OADP has slightly mitigated this by adding splitter options through the DPA via environment variables in nodeAgent.podConfig.

      In addition, the existing credential design locks the password to be the same across all BackupRepositories.

       

        1. Additional

      Kopia supports AWS StorageClass options. This is currently not used. https://kopia.io/docs/advanced/storage-tiers/ Admittedly, this is often missing from "compatibles".

       

      Why does the customer need this? (List the business requirements here)

       

        1. Kopia data movement settings

      Different customers and cloud providers put different resources at a premium.

      Setting the Kopia compression, encryption, and splitter algorithm allows for optimization of the required values. Backup and Restore operations can see significant performance improvement.

       

        1. BackupRepository password

      The Secret repo-credentials acts as a process lock on cross-cluster restore and is unacceptable in multi-tenant scenarios where tenants cannot install Velero in their individual namespaces due to Velero's broad RBAC requirements.

      Optional: List affected component/s.

      BSL: <--- if decided to put these options in BSL as "defaults" potentially for BackupRepository objects descended from BSL

      BackupRepository: no existing component

      kopia: configures kopia repository in Velero

      DPA: Settings in backupLocations potentially for BSL kopia settings

      Velero: handles and sets the kopia repository settings

      velero-cli: No command currently exists to manually create or modify a BackupRepository with desired options. Command "velero repo get" is affected for displaying options.

      documentation: documentation of the new options for kopia repositories

      CR Proposal:

      Modification of BackupRepository.spec

      New fields:

      Arrangement under BackupRepository.spec to be determined.

      encryption (str): Encryption option for the repository. TODO: check if immutable after creation. CRs don't have immutability options, so immutability has to be implemented via a controller. https://kubernetes.io/blog/2022/09/29/enforce-immutability-using-cel/

      splitter (str): Splitter algorithm https://kopia.io/docs/features/#end-to-end-zero-knowledge-encryption

       

      compression (str): Compression options. Immutable after BackupRepository creation. https://kopia.io/docs/features/#compression 

       

      credentials (str): Secret to use for the repo credentials. Should reuse the existing velero-repo-credentials Secret format. Expected to have key repository-password. Known to not be immutable. https://kopia.io/docs/reference/command-line/common/repository-change-password/
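
An added example, not part of the original issue and not Velero or OADP code: one way the immutability notes above could be expressed with the CEL transition rules from the linked Kubernetes post. Placing the four fields directly under spec and treating encryption as immutable are assumptions; the issue leaves both open.

```yaml
# Hypothetical fragment of the BackupRepository CRD schema
# (sits under versions[].schema.openAPIV3Schema.properties in a real CRD).
spec:
  type: object
  x-kubernetes-validations:
    # A field-level "self == oldSelf" rule only runs when the field exists in
    # both the old and the new object, so an optional field could still be
    # added or dropped after creation. These parent-level rules close that gap.
    - rule: "has(self.compression) == has(oldSelf.compression)"
      message: "compression cannot be added or removed after creation"
    - rule: "has(self.encryption) == has(oldSelf.encryption)"
      message: "encryption cannot be added or removed after creation"
  properties:
    encryption:
      type: string
      x-kubernetes-validations:
        # Assumption: the issue only has a TODO to confirm this.
        - rule: "self == oldSelf"
          message: "encryption is immutable after creation"
    compression:
      type: string
      x-kubernetes-validations:
        # Stated in the proposal: immutable after BackupRepository creation.
        - rule: "self == oldSelf"
          message: "compression is immutable after creation"
    splitter:
      # The proposal does not state whether this is immutable, so no rule here.
      type: string
    credentials:
      # Name of a Secret holding the key repository-password.
      # Deliberately no transition rule: the proposal notes this is not
      # immutable, and password rotation must stay possible.
      type: string
```

Rules that reference oldSelf are skipped on create, so these constraints apply only to updates of an existing BackupRepository.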

      DPA CR:

      Whether the DPA would have to change depends on whether these fields can be set on the BackupStorageLocation. If yes, they would have to be added to spec.backupLocations[] to be supported through OADP. To be decided.

              wnstb Wes Hayutin
              msfrucht_rh Michael Fruchtman