[b/r] Add OpenStackBackupConfig controller

Add the BackupConfig CRD, API types, controller, RBAC, samples, and
envtests for the backup/restore labeling feature. The controller watches
CRD instances across operators and labels resources (secrets, configmaps,
NADs) with backup.openstack.org labels for backup/restore integration.
Supports annotation overrides on individual resources to customize
restore ordering or exclude from backup.

Custom Issuer labeling is handled by the ControlPlane controller in
ca.go, not by the BackupConfig controller.

Jira: OSPRH-22912
Jira: OSPRH-22913

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Martin Schuppert <mschuppert@redhat.com>

Author: stuggi

PROJECT

@@ -99,4 +99,13 @@ resources:
   kind: OpenStack
   path: github.com/openstack-k8s-operators/openstack-operator/api/operator/v1beta1
   version: v1beta1
+- api:
+    crdVersion: v1
+    namespaced: true
+  controller: true
+  domain: openstack.org
+  group: backup
+  kind: OpenStackBackupConfig
+  path: github.com/openstack-k8s-operators/openstack-operator/api/backup/v1beta1
+  version: v1beta1
 version: "3"

api/backup/v1beta1/conditions.go

@@ -0,0 +1,20 @@
+package v1beta1
+
+import (
+	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+)
+
+// Condition types for OpenStackBackupConfig
+const (
+	// OpenStackBackupConfigSecretsReadyCondition - Secrets labeling status
+	OpenStackBackupConfigSecretsReadyCondition condition.Type = "SecretsReady"
+
+	// OpenStackBackupConfigConfigMapsReadyCondition - ConfigMaps labeling status
+	OpenStackBackupConfigConfigMapsReadyCondition condition.Type = "ConfigMapsReady"
+
+	// OpenStackBackupConfigNADsReadyCondition - NetworkAttachmentDefinitions labeling status
+	OpenStackBackupConfigNADsReadyCondition condition.Type = "NADsReady"
+
+	// OpenStackBackupConfigCRsReadyCondition - CR instances labeling status
+	OpenStackBackupConfigCRsReadyCondition condition.Type = "CRsReady"
+)

api/backup/v1beta1/groupversion_info.go

@@ -0,0 +1,36 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+// Package v1beta1 contains API Schema definitions for the backup v1beta1 API group.
+// +kubebuilder:object:generate=true
+// +groupName=backup.openstack.org
+package v1beta1
+
+import (
+	"k8s.io/apimachinery/pkg/runtime/schema"
+	"sigs.k8s.io/controller-runtime/pkg/scheme"
+)
+
+var (
+	// GroupVersion is group version used to register these objects.
+	GroupVersion = schema.GroupVersion{Group: "backup.openstack.org", Version: "v1beta1"}
+
+	// SchemeBuilder is used to add go types to the GroupVersionKind scheme.
+	SchemeBuilder = &scheme.Builder{GroupVersion: GroupVersion}
+
+	// AddToScheme adds the types in this group-version to the given scheme.
+	AddToScheme = SchemeBuilder.AddToScheme
+)

api/backup/v1beta1/openstackbackupconfig_types.go

@@ -0,0 +1,149 @@
+/*
+Copyright 2022.
+
+Licensed under the Apache License, Version 2.0 (the "License");
+you may not use this file except in compliance with the License.
+You may obtain a copy of the License at
+
+    http://www.apache.org/licenses/LICENSE-2.0
+
+Unless required by applicable law or agreed to in writing, software
+distributed under the License is distributed on an "AS IS" BASIS,
+WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+See the License for the specific language governing permissions and
+limitations under the License.
+*/
+
+package v1beta1
+
+import (
+	condition "github.com/openstack-k8s-operators/lib-common/modules/common/condition"
+	metav1 "k8s.io/apimachinery/pkg/apis/meta/v1"
+)
+
+// BackupLabelingPolicy controls whether backup labeling is active for a resource type
+// +kubebuilder:validation:Enum=enabled;disabled
+type BackupLabelingPolicy string
+
+const (
+	// BackupLabelingEnabled enables backup labeling for the resource type
+	BackupLabelingEnabled BackupLabelingPolicy = "enabled"
+	// BackupLabelingDisabled disables backup labeling for the resource type
+	BackupLabelingDisabled BackupLabelingPolicy = "disabled"
+)
+
+// OpenStackBackupConfigSpec defines the desired state of OpenStackBackupConfig.
+type OpenStackBackupConfigSpec struct {
+	// DefaultRestoreOrder is the restore order assigned to user-provided resources
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default="10"
+	DefaultRestoreOrder string `json:"defaultRestoreOrder"`
+
+	// Secrets configuration for backup labeling
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default={labeling:enabled}
+	Secrets ResourceBackupConfig `json:"secrets"`
+
+	// ConfigMaps configuration for backup labeling
+	// Defaults: Excludes kube-root-ca.crt and openshift-service-ca.crt
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default={labeling:enabled,excludeNames:{"kube-root-ca.crt","openshift-service-ca.crt"}}
+	ConfigMaps ResourceBackupConfig `json:"configMaps"`
+
+	// NetworkAttachmentDefinitions configuration for backup labeling
+	// +kubebuilder:validation:Optional
+	// +kubebuilder:default={labeling:enabled}
+	NetworkAttachmentDefinitions ResourceBackupConfig `json:"networkAttachmentDefinitions"`
+
+}
+
+// ResourceBackupConfig defines backup labeling rules for a resource type
+type ResourceBackupConfig struct {
+	// Labeling controls whether to label this resource type for backup
+	// +kubebuilder:validation:Optional
+	Labeling *BackupLabelingPolicy `json:"labeling,omitempty"`
+
+	// RestoreOrder overrides the default restore order for this resource type.
+	// If empty, the global DefaultRestoreOrder is used.
+	// +kubebuilder:validation:Optional
+	RestoreOrder string `json:"restoreOrder,omitempty"`
+
+	// ExcludeLabelKeys is a list of label keys - resources with any of these labels are excluded
+	// Example: ["service-cert", "osdp-service"] excludes service-cert and dataplane service secrets
+	// +kubebuilder:validation:Optional
+	ExcludeLabelKeys []string `json:"excludeLabelKeys,omitempty"`
+
+	// ExcludeNames is a list of resource names to exclude from backup labeling
+	// Example: ["kube-root-ca.crt", "openshift-service-ca.crt"] for system ConfigMaps
+	// +kubebuilder:validation:Optional
+	ExcludeNames []string `json:"excludeNames,omitempty"`
+
+	// IncludeLabelSelector allows filtering resources by label selector
+	// Only resources matching this selector will be labeled (in addition to ownerRef check)
+	// +kubebuilder:validation:Optional
+	IncludeLabelSelector map[string]string `json:"includeLabelSelector,omitempty"`
+}
+
+// OpenStackBackupConfigStatus defines the observed state of OpenStackBackupConfig.
+type OpenStackBackupConfigStatus struct {
+	// LabeledResources tracks how many resources of each type were labeled
+	// +kubebuilder:validation:Optional
+	LabeledResources ResourceCounts `json:"labeledResources,omitempty"`
+
+	// Conditions represents the latest available observations of the resource's current state
+	// +operator-sdk:csv:customresourcedefinitions:type=status
+	Conditions condition.Conditions `json:"conditions,omitempty"`
+}
+
+// ResourceCounts tracks labeled resource counts by type
+type ResourceCounts struct {
+	// Secrets is the number of secrets labeled for backup
+	// +kubebuilder:validation:Optional
+	Secrets int `json:"secrets"`
+
+	// ConfigMaps is the number of configmaps labeled for backup
+	// +kubebuilder:validation:Optional
+	ConfigMaps int `json:"configMaps"`
+
+	// NetworkAttachmentDefinitions is the number of NADs labeled for backup
+	// +kubebuilder:validation:Optional
+	NetworkAttachmentDefinitions int `json:"networkAttachmentDefinitions"`
+
+	// CRs is the number of CR instances labeled for backup
+	// +kubebuilder:validation:Optional
+	CRs int `json:"crs"`
+}
+
+// +kubebuilder:object:root=true
+// +kubebuilder:subresource:status
+// +kubebuilder:resource:shortName=osbkpcfg;osbackupcfg;osbackupconfig
+// +kubebuilder:printcolumn:name="Secrets",type="integer",JSONPath=".status.labeledResources.secrets",description="Labeled Secrets"
+// +kubebuilder:printcolumn:name="ConfigMaps",type="integer",JSONPath=".status.labeledResources.configMaps",description="Labeled ConfigMaps"
+// +kubebuilder:printcolumn:name="NADs",type="integer",JSONPath=".status.labeledResources.networkAttachmentDefinitions",description="Labeled NADs"
+// +kubebuilder:printcolumn:name="CRs",type="integer",JSONPath=".status.labeledResources.crs",description="Labeled CR instances"
+// +kubebuilder:metadata:labels=backup.openstack.org/restore=true
+// +kubebuilder:metadata:labels=backup.openstack.org/category=controlplane
+// +kubebuilder:metadata:labels=backup.openstack.org/restore-order=20
+
+// OpenStackBackupConfig is the Schema for the openstackbackupconfigs API.
+// It configures automatic backup labeling for user-provided resources (without ownerReferences).
+type OpenStackBackupConfig struct {
+	metav1.TypeMeta   `json:",inline"`
+	metav1.ObjectMeta `json:"metadata,omitempty"`
+
+	Spec   OpenStackBackupConfigSpec   `json:"spec,omitempty"`
+	Status OpenStackBackupConfigStatus `json:"status,omitempty"`
+}
+
+// +kubebuilder:object:root=true
+
+// OpenStackBackupConfigList contains a list of OpenStackBackupConfig.
+type OpenStackBackupConfigList struct {
+	metav1.TypeMeta `json:",inline"`
+	metav1.ListMeta `json:"metadata,omitempty"`
+	Items           []OpenStackBackupConfig `json:"items"`
+}
+
+func init() {
+	SchemeBuilder.Register(&OpenStackBackupConfig{}, &OpenStackBackupConfigList{})
+}