Add VM file restore feature integration (#2003)

* Add VM file restore feature integration

This commit integrates the VM file restore feature into OADP operator,
following the same pattern as the non-admin controller integration.

Features:
- Enable/disable VM file restore via DPA.Spec.VMFileRestore.Enable
- Automatic deployment of oadp-vm-file-restore-controller when enabled
- Support for custom resource limits via DPA configuration
- Image override support for all 4 required images:
  * VM file restore controller
  * File access container
  * SSH sidecar
  * FileBrowser sidecar

Changes:
- API: Added VMFileRestore struct to DataProtectionApplication spec
- API: Added 4 image key constants for unsupportedOverrides
- Controller: Created vmfilerestore_controller.go with reconciliation logic
- Validation: Added VM file restore validation requiring kubevirt and openshift plugins
- CRDs: Added VirtualMachineBackupsDiscovery and VirtualMachineFileRestore
- RBAC: Added ClusterRole, binding, and ServiceAccount for controller
- Bundle: Updated CSV with new CRDs, environment variables, and related images
- Documentation: Created comprehensive user guide at docs/config/vm_file_restore.md
- Tests: Added 33 unit test scenarios with full coverage

Prerequisites:
- KubeVirt must be installed in the cluster
- kubevirt-velero-plugin must be configured in defaultPlugins (required)
- openshift-velero-plugin must be configured in defaultPlugins (required)

Implements: migtools/oadp-vm-file-restore#10

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Fix VM file restore controller deployment and permissions

This commit fixes issues found during live cluster testing:

1. Add missing RBAC permissions:
   - events permission for controller to create events
   - coordination.k8s.io/leases for leader election

2. Fix reconciliation loop in OADP operator:
   - Only update dynamic container fields (Image, ImagePullPolicy, Env, Resources)
   - Make PodSecurityContext conditional (set only if nil)
   - Prevents continuous reconciliation by leaving static fields unchanged

3. Bundle generation fixes:
   - Add vm-file-restore RBAC kustomization.yaml
   - Add oadp-vm-file-restore-controller-manager to Makefile BUNDLE_GEN_FLAGS
   - Reference vm-file-restore RBAC in config/manifests/kustomization.yaml
   - Clean unwanted RBAC from CSV (buckets, velero-privileged SCC, wildcards)

Tested on live cluster - controller now deploys successfully, performs
leader election, and no longer causes reconciliation loops.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* Fix code formatting and clean unwanted RBAC permissions

- Fix import grouping (gci) in validator_test.go, vmfilerestore_controller.go, and vmfilerestore_controller_test.go
- Replace custom contains helper with strings.Contains from stdlib
- Remove unwanted RBAC from config/rbac/role.yaml:
  - Full wildcard permissions (apiGroups: *, resources: *, verbs: *)
  - buckets resources (3 locations)
  - velero-privileged SCC reference
  - Duplicate privileged SCC entry
  - Extra velero.io resource listings
- Remove unwanted RBAC from bundle CSV:
  - Full wildcard from velero ServiceAccount

All tests pass.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* lint fix

* make bundle

* `make bundle` after `gh pr checkout 2003 --recurse-submodules`

❯ gh pr checkout 2003 --recurse-submodules
remote: Enumerating objects: 77, done.
remote: Counting objects: 100% (29/29), done.
remote: Compressing objects: 100% (14/14), done.
remote: Total 77 (delta 15), reused 18 (delta 14), pack-reused 48 (from 1)
Unpacking objects: 100% (77/77), 118.21 KiB | 1.01 MiB/s, done.
From https://github.com/shubham-pampattiwar/oadp-operator
 * [new branch]        vm-file-restore-integration -> shub/vm-file-restore-integration
Previous HEAD position was 24e3758 update prow notes, operator-config (#2029)
branch 'vm-file-restore-integration' set up to track 'shub/vm-file-restore-integration'.
Switched to a new branch 'vm-file-restore-integration'

~/oadp-operator vm-file-restore-integration
❯ make bundle
Using Container Tool: docker
[ -f /Users/tkaovila/oadp-operator/bin/oadp-dev/controller-gen ] || { set -e ; mkdir -p /Users/tkaovila/oadp-operator/bin/oadp-dev/ ; TMP_DIR=$(mktemp -d) ; cd $TMP_DIR ; go mod init tmp ; echo "Downloading sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.5 to branch directory" ; GOBIN=/Users/tkaovila/oadp-operator/bin/oadp-dev/ go install -mod=mod sigs.k8s.io/controller-tools/cmd/controller-gen@v0.16.5 ; rm -rf $TMP_DIR ; }
GOFLAGS="-mod=mod" /Users/tkaovila/oadp-operator/bin/oadp-dev/controller-gen rbac:roleName=manager-role crd webhook paths="./..." output:crd:artifacts:config=config/crd/bases
[ -f /Users/tkaovila/oadp-operator/bin/oadp-dev/kustomize ] || { set -e ; mkdir -p /Users/tkaovila/oadp-operator/bin/oadp-dev/ ; TMP_DIR=$(mktemp -d) ; cd $TMP_DIR ; go mod init tmp ; echo "Downloading sigs.k8s.io/kustomize/kustomize/v5@v5.2.1 to branch directory" ; GOBIN=/Users/tkaovila/oadp-operator/bin/oadp-dev/ go install -mod=mod sigs.k8s.io/kustomize/kustomize/v5@v5.2.1 ; rm -rf $TMP_DIR ; }
GOFLAGS="-mod=mod" /Users/tkaovila/oadp-operator/bin/oadp-dev/operator-sdk generate kustomize manifests -q
cd config/manager && GOFLAGS="-mod=mod" /Users/tkaovila/oadp-operator/bin/oadp-dev/kustomize edit set image controller=quay.io/konveyor/oadp-operator:latest
GOFLAGS="-mod=mod" /Users/tkaovila/oadp-operator/bin/oadp-dev/kustomize build config/manifests | GOFLAGS="-mod=mod" /Users/tkaovila/oadp-operator/bin/oadp-dev/operator-sdk generate bundle -q --extra-service-accounts "velero,non-admin-controller,oadp-vm-file-restore-controller-manager" --overwrite --version 99.0.0  --channels="dev" --default-channel="dev"
WARN[0000] ClusterServiceVersion validation: [OperationFailed] provided API should have an example annotation
WARN[0000] ClusterServiceVersion validation: [OperationFailed] provided API should have an example annotation
WARN[0000] ClusterServiceVersion validation: [OperationFailed] provided API should have an example annotation
WARN[0000] ClusterServiceVersion validation: [OperationFailed] provided API should have an example annotation
WARN[0000] ClusterServiceVersion validation: [OperationFailed] provided API should have an example annotation
WARN[0000] ClusterServiceVersion validation: [OperationFailed] provided API should have an example annotation
WARN[0000] ClusterServiceVersion validation: [CSVFileNotValid] (oadp-operator.v99.0.0) csv.Spec.minKubeVersion is not informed. It is recommended you provide this information. Otherwise, it would mean that your operator project can be distributed and installed in any cluster version available, which is not necessarily the case for all projects.
INFO[0000] Creating bundle.Dockerfile
INFO[0000] Creating bundle/metadata/annotations.yaml
INFO[0000] Bundle metadata generated successfully
Using Container Tool: docker
Using Container Tool: docker
[ -f /Users/tkaovila/oadp-operator/bin/yq ] || { set -e ; TMP_DIR=$(mktemp -d) ; cd $TMP_DIR ; go mod init tmp ; echo "Downloading github.com/mikefarah/yq/v4@v4.28.1" ; GOBIN=/Users/tkaovila/oadp-operator/bin go install -mod=mod github.com/mikefarah/yq/v4@v4.28.1 ; rm -rf $TMP_DIR ; }
go: creating new go.mod: module tmp
Downloading github.com/mikefarah/yq/v4@v4.28.1
Using Container Tool: docker
[ -f /Users/tkaovila/oadp-operator/bin/yq ] || { set -e ; TMP_DIR=$(mktemp -d) ; cd $TMP_DIR ; go mod init tmp ; echo "Downloading github.com/mikefarah/yq/v4@v4.28.1" ; GOBIN=/Users/tkaovila/oadp-operator/bin go install -mod=mod github.com/mikefarah/yq/v4@v4.28.1 ; rm -rf $TMP_DIR ; }
cp bundle.Dockerfile build/Dockerfile.bundle
GOFLAGS="-mod=mod" /Users/tkaovila/oadp-operator/bin/oadp-dev/operator-sdk bundle validate ./bundle
WARN[0000] Warning: Value velero.io/v1, Kind=BackupRepository: provided API should have an example annotation
WARN[0000] Warning: Value oadp.openshift.io/v1alpha1, Kind=VirtualMachineBackupsDiscovery: provided API should have an example annotation
WARN[0000] Warning: Value oadp.openshift.io/v1alpha1, Kind=CloudStorage: provided API should have an example annotation
WARN[0000] Warning: Value velero.io/v2alpha1, Kind=DataUpload: provided API should have an example annotation
WARN[0000] Warning: Value velero.io/v2alpha1, Kind=DataDownload: provided API should have an example annotation
WARN[0000] Warning: Value oadp.openshift.io/v1alpha1, Kind=VirtualMachineFileRestore: provided API should have an example annotation
WARN[0000] Warning: Value : (oadp-operator.v99.0.0) csv.Spec.minKubeVersion is not informed. It is recommended you provide this information. Otherwise, it would mean that your operator project can be distributed and installed in any cluster version available, which is not necessarily the case for all projects.
INFO[0000] All validation tests have completed successfully
gsed -e 's/    createdAt: .*/    createdAt: "2025-02-28T20:03:54Z"/' bundle/manifests/oadp-operator.clusterserviceversion.yaml > bundle/manifests/oadp-operator.clusterserviceversion.yaml.tmp
mv bundle/manifests/oadp-operator.clusterserviceversion.yaml.tmp bundle/manifests/oadp-operator.clusterserviceversion.yaml

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

---------

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
Co-authored-by: Claude <noreply@anthropic.com>
Co-authored-by: Tiger Kaovilai <tkaovila@redhat.com>

Author: 3 people

Makefile

@@ -4,7 +4,7 @@ DEFAULT_VERSION := 99.0.0
 VERSION ?= $(DEFAULT_VERSION) # the version of the operator
 OPERATOR_SDK_VERSION ?= v1.35.0
 ENVTEST_K8S_VERSION = 1.32 #refers to the version of kubebuilder assets to be downloaded by envtest binary # Kubernetes version from OpenShift 4.19.x
-GOLANGCI_LINT_VERSION ?= v2.1.2
+GOLANGCI_LINT_VERSION ?= v2.6.1
 KUSTOMIZE_VERSION ?= v5.2.1
 CONTROLLER_TOOLS_VERSION ?= v0.16.5
 OPM_VERSION ?= v1.23.0
@@ -47,7 +47,7 @@ IMAGE_TAG_BASE ?= openshift.io/oadp-operator
 BUNDLE_IMG ?= $(IMAGE_TAG_BASE)-bundle:v$(VERSION)
 
 # BUNDLE_GEN_FLAGS are the flags passed to the operator-sdk generate bundle command
-BUNDLE_GEN_FLAGS ?= -q --extra-service-accounts "velero,non-admin-controller" --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
+BUNDLE_GEN_FLAGS ?= -q --extra-service-accounts "velero,non-admin-controller,oadp-vm-file-restore-controller-manager" --overwrite --version $(VERSION) $(BUNDLE_METADATA_OPTS)
 
 # USE_IMAGE_DIGESTS defines if images are resolved via tags or digests
 # You can enable this value if you would like to use SHA Based Digests

README.md

@@ -103,6 +103,7 @@ Documentation in this repository are considered unofficial and for development p
     5. [Use NooBaa as a Backup Storage Location](docs/config/noobaa/install_oadp_noobaa.md)
     6. [Use Velero --features flag](docs/config/features_flag.md)
     7. [Use Custom Plugin Images for Velero ](docs/config/custom_plugin_images.md)
+    8. [Enable VM File Restore](docs/config/vm_file_restore.md)
 5. Examples
     1. [Sample Apps used in OADP CI](https://github.com/openshift/oadp-operator/tree/oadp-dev/tests/e2e/sample-applications)
     2. [Stateless App Backup/Restore](docs/examples/stateless.md)

api/v1alpha1/dataprotectionapplication_types.go

@@ -73,6 +73,10 @@ const GCPPluginImageKey UnsupportedImageKey = "gcpPluginImageFqin"
 const KubeVirtPluginImageKey UnsupportedImageKey = "kubevirtPluginImageFqin"
 const HypershiftPluginImageKey UnsupportedImageKey = "hypershiftPluginImageFqin"
 const NonAdminControllerImageKey UnsupportedImageKey = "nonAdminControllerImageFqin"
+const VMFileRestoreControllerImageKey UnsupportedImageKey = "vmFileRestoreControllerImageFqin"
+const VMFileRestoreAccessImageKey UnsupportedImageKey = "vmFileRestoreAccessImageFqin"
+const VMFileRestoreSSHImageKey UnsupportedImageKey = "vmFileRestoreSSHImageFqin"
+const VMFileRestoreBrowserImageKey UnsupportedImageKey = "vmFileRestoreBrowserImageFqin"
 const OperatorTypeKey UnsupportedImageKey = "operator-type"
 
 const OperatorTypeMTC = "mtc"
@@ -728,6 +732,18 @@ type NonAdmin struct {
 	BackupSyncPeriod *metav1.Duration `json:"backupSyncPeriod,omitempty"`
 }
 
+// VMFileRestore defines VM file restore feature configuration
+type VMFileRestore struct {
+	// Enable flag to deploy VM file restore controller
+	// By default is disabled
+	// +optional
+	Enable *bool `json:"enable,omitempty"`
+
+	// Resource requirements for the VM file restore controller
+	// +optional
+	Resources *corev1.ResourceRequirements `json:"resources,omitempty"`
+}
+
 // DataMover defines the various config for DPA data mover
 type DataMover struct {
 	// enable flag is used to specify whether you want to deploy the volume snapshot mover controller
@@ -840,6 +856,10 @@ type DataProtectionApplicationSpec struct {
 	//   - kubevirtPluginImageFqin
 	//   - hypershiftPluginImageFqin
 	//   - nonAdminControllerImageFqin
+	//   - vmFileRestoreControllerImageFqin
+	//   - vmFileRestoreAccessImageFqin
+	//   - vmFileRestoreSSHImageFqin
+	//   - vmFileRestoreBrowserImageFqin
 	//   - operator-type
 	//   - tech-preview-ack
 	// +optional
@@ -873,6 +893,9 @@ type DataProtectionApplicationSpec struct {
 	// nonAdmin defines the configuration for the DPA to enable backup and restore operations for non-admin users
 	// +optional
 	NonAdmin *NonAdmin `json:"nonAdmin,omitempty"`
+	// vmFileRestore defines the configuration for the DPA to enable VM file restore feature
+	// +optional
+	VMFileRestore *VMFileRestore `json:"vmFileRestore,omitempty"`
 	// The format for log output. Valid values are text, json. (default text)
 	// +kubebuilder:validation:Enum=text;json
 	// +kubebuilder:default=text

api/v1alpha1/zz_generated.deepcopy.go

@@ -688,6 +688,12 @@ spec:
         displayName: Plugins
         path: plugins
       version: v1
+    - kind: VirtualMachineBackupsDiscovery
+      name: virtualmachinebackupsdiscoveries.oadp.openshift.io
+      version: v1alpha1
+    - kind: VirtualMachineFileRestore
+      name: virtualmachinefilerestores.oadp.openshift.io
+      version: v1alpha1
     - description: VolumeSnapshotLocation is a location where Velero stores volume
         snapshots.
       displayName: VolumeSnapshotLocation
@@ -835,6 +841,149 @@ spec:
           verbs:
           - get
         serviceAccountName: non-admin-controller
+      - rules:
+        - apiGroups:
+          - ""
+          resources:
+          - events
+          - namespaces
+          - pods
+          - secrets
+          - serviceaccounts
+          - services
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - ""
+          resources:
+          - persistentvolumeclaims
+          verbs:
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - apps
+          resources:
+          - deployments
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - coordination.k8s.io
+          resources:
+          - leases
+          verbs:
+          - get
+          - list
+          - watch
+          - create
+          - update
+          - patch
+          - delete
+        - apiGroups:
+          - oadp.openshift.io
+          resources:
+          - virtualmachinebackupsdiscoveries
+          - virtualmachinefilerestores
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - oadp.openshift.io
+          resources:
+          - virtualmachinebackupsdiscoveries/finalizers
+          - virtualmachinefilerestores/finalizers
+          verbs:
+          - update
+        - apiGroups:
+          - oadp.openshift.io
+          resources:
+          - virtualmachinebackupsdiscoveries/status
+          - virtualmachinefilerestores/status
+          verbs:
+          - get
+          - patch
+          - update
+        - apiGroups:
+          - rbac.authorization.k8s.io
+          resources:
+          - rolebindings
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - route.openshift.io
+          resources:
+          - routes
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        - apiGroups:
+          - velero.io
+          resources:
+          - backups
+          verbs:
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - velero.io
+          resources:
+          - datadownloads
+          verbs:
+          - get
+          - list
+          - patch
+          - watch
+        - apiGroups:
+          - velero.io
+          resources:
+          - downloadrequests
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - watch
+        - apiGroups:
+          - velero.io
+          resources:
+          - restores
+          verbs:
+          - create
+          - delete
+          - get
+          - list
+          - patch
+          - update
+          - watch
+        serviceAccountName: oadp-vm-file-restore-controller-manager
       - rules:
         - apiGroups:
           - ""
@@ -1135,6 +1284,14 @@ spec:
                   value: registry.redhat.io/oadp/oadp-mustgather-rhel8:v1.2
                 - name: RELATED_IMAGE_NON_ADMIN_CONTROLLER
                   value: quay.io/konveyor/oadp-non-admin:latest
+                - name: RELATED_IMAGE_VM_FILE_RESTORE_CONTROLLER
+                  value: quay.io/konveyor/oadp-vm-file-restore:latest
+                - name: RELATED_IMAGE_VM_FILE_RESTORE_ACCESS
+                  value: quay.io/konveyor/oadp-vmfr-access:latest
+                - name: RELATED_IMAGE_VM_FILE_RESTORE_SSH
+                  value: quay.io/konveyor/oadp-vmfr-access-sshd:latest
+                - name: RELATED_IMAGE_VM_FILE_RESTORE_BROWSER
+                  value: quay.io/konveyor/oadp-vmfr-access-filebrowser:latest
                 image: quay.io/konveyor/oadp-operator:latest
                 imagePullPolicy: Always
                 livenessProbe:
@@ -1297,4 +1454,12 @@ spec:
     name: mustgather
   - image: quay.io/konveyor/oadp-non-admin:latest
     name: non-admin-controller
+  - image: quay.io/konveyor/oadp-vm-file-restore:latest
+    name: vm-file-restore-controller
+  - image: quay.io/konveyor/oadp-vmfr-access:latest
+    name: vm-file-restore-access
+  - image: quay.io/konveyor/oadp-vmfr-access-sshd:latest
+    name: vm-file-restore-ssh
+  - image: quay.io/konveyor/oadp-vmfr-access-filebrowser:latest
+    name: vm-file-restore-browser
   version: 99.0.0

bundle/manifests/oadp-operator.clusterserviceversion.yaml

@@ -2669,9 +2669,81 @@ spec:
                       - kubevirtPluginImageFqin
                       - hypershiftPluginImageFqin
                       - nonAdminControllerImageFqin
+                      - vmFileRestoreControllerImageFqin
+                      - vmFileRestoreAccessImageFqin
+                      - vmFileRestoreSSHImageFqin
+                      - vmFileRestoreBrowserImageFqin
                       - operator-type
                       - tech-preview-ack
                   type: object
+                vmFileRestore:
+                  description: vmFileRestore defines the configuration for the DPA to enable VM file restore feature
+                  properties:
+                    enable:
+                      description: |-
+                        Enable flag to deploy VM file restore controller
+                        By default is disabled
+                      type: boolean
+                    resources:
+                      description: Resource requirements for the VM file restore controller
+                      properties:
+                        claims:
+                          description: |-
+                            Claims lists the names of resources, defined in spec.resourceClaims,
+                            that are used by this container.
+
+                            This is an alpha field and requires enabling the
+                            DynamicResourceAllocation feature gate.
+
+                            This field is immutable. It can only be set for containers.
+                          items:
+                            description: ResourceClaim references one entry in PodSpec.ResourceClaims.
+                            properties:
+                              name:
+                                description: |-
+                                  Name must match the name of one entry in pod.spec.resourceClaims of
+                                  the Pod where this field is used. It makes that resource available
+                                  inside a container.
+                                type: string
+                              request:
+                                description: |-
+                                  Request is the name chosen for a request in the referenced claim.
+                                  If empty, everything from the claim is made available, otherwise
+                                  only the result of this request.
+                                type: string
+                            required:
+                              - name
+                            type: object
+                          type: array
+                          x-kubernetes-list-map-keys:
+                            - name
+                          x-kubernetes-list-type: map
+                        limits:
+                          additionalProperties:
+                            anyOf:
+                              - type: integer
+                              - type: string
+                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                            x-kubernetes-int-or-string: true
+                          description: |-
+                            Limits describes the maximum amount of compute resources allowed.
+                            More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                          type: object
+                        requests:
+                          additionalProperties:
+                            anyOf:
+                              - type: integer
+                              - type: string
+                            pattern: ^(\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))(([KMGTPE]i)|[numkMGTPE]|([eE](\+|-)?(([0-9]+(\.[0-9]*)?)|(\.[0-9]+))))?$
+                            x-kubernetes-int-or-string: true
+                          description: |-
+                            Requests describes the minimum amount of compute resources required.
+                            If Requests is omitted for a container, it defaults to Limits if that is explicitly specified,
+                            otherwise to an implementation-defined value. Requests cannot exceed Limits.
+                            More info: https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/
+                          type: object
+                      type: object
+                  type: object
               required:
                 - configuration
               type: object