Add DEP-06: Immutable ETCD Backups

[seshachalam-yv]

How to categorize this PR?

/area backup
/area disaster-recovery
/area security
/area compliance
/area storage
/kind enhancement

What this PR does / why we need it:
This PR adds DEP-06: Immutable ETCD Backups. The proposal aims to enhance the reliability and integrity of ETCD backups in ETCD Druid by introducing immutable backups. By leveraging cloud provider features that support a write-once-read-many (WORM) model, this approach prevents unauthorized modifications to backup data, ensuring that backups remain available and intact for restoration.

Which issue(s) this PR fixes:
Fixes #

Special notes for your reviewer:

Release note:

Add DEP-06: Immutable ETCD Backups

[ashwani2k]

Thanks @seshachalam-yv @ishan16696 @renormalize for the proposal.
It captures thing well, but I've put some open points esp. on the structure as well some details esp. as it addresses design considerations.

[ashwani2k]

This can happen even outside of immutable backups scenarios as well, so how is this handled there? I'm guessing currently by deleting manually the affected snapshots.
But with this new approach it should be same mechanism there as well.

[renormalize]

If snapshots are mutable, this is achieved through deletion of snapshots.
The same functionality will be achieved through custom metadata tags. Will enhance the doc for this.

[ashwani2k]

Its not clear from the doc who takes care of attaching the custom metadata flag and how its consumed? Can we describe here to avoid any unintended interpretation of the flow.

[renormalize]

Human operators add these tags; will include this.

[ashwani2k]

I think we should create a new name for the job for Hibernated Full Snapshots and ensure that we have flags and even flow which can leverage the existing compaction feature and enhance it with additional change required for Immuatable backup snapshotting and garbage collection.

Also we cannot have a compaction job for hibernated cluster in practical terms, so it will be even more confusing to see a compaction job running for a hibernated cluster.

[ashwani2k]

What is the retry threshold for this job?
What happens if it fails to run for a period of 24hrs.
What happens if druid is down?
What happens when druid comes back up esp. for failed jobs which have breached the retry threshold?
What happens if we breach the bucket retention period? Is no data to restore possible on wake-up of hibernated clusters.
Does garbage collection runs independent or in sequence only after the job takes a full snapshot on its run.

[renormalize]

Thanks a ton for this PR @seshachalam-yv! It was no small feat to bring the DEP to this stage.

[renormalize]

Suggested change

	- "@renormalize"
	- "@ishan16696"

Since the DEP has changed significantly since the original draft, and the both of us have only acted as reviewers after the first draft, it is not right to have our names in the author section.

[ashwani2k]

This is such a neat proposal now to from where it has started.
No nitpics, it was sufficiently detailed without getting into implementation semantics and was able to convey the intent aptly.

Thanks a lot for taking all the inputs @seshachalam-yv and to the reviewers for the detailed review.

[unmarshall]

By leveraging cloud provider immutability features, backups can neither be modified nor deleted once created - to be precise this statement tells the reader that once the immutability feature is enabled then it will ensure immutability for backups for eternity. This is not true. Therefore you must mention that this is true for a configured retention duration or immutability duration.

[unmarshall]

Thinking about it again - irrespective of whether its a large-scale or small-scale consumer, the choice to automate or do it manually applies equally to both consumers. Therefore this section can only mention the following:

Creating and configuring immutable buckets on providers is not handled by etcd-druid and must be done by the consumers. For a large-scale consumer like Gardener provider extensions are leveraged to automate both the creation and configuration of buckets. For more details see BackupBucket and refer issue.

This simplifies the section further.

[unmarshall]

If you are providing hints for 2 out of the 3 supported providers then i would say just complete the list and provide it as bullet points - one for each provider. Alternatively, you can completely remove this point since you have already provided link to a detailed documentation in etcd-backup-restore repo.

[unmarshall]

Just add a line saying that we have defined a new type to allow us future enhancements to the immutability specification.

[unmarshall]

you should also mention that if a bucket is shared across several etcd clusters then this enhancement would increase the storage cost and perhaps some numbers would be nice.

[unmarshall]

what you have missed is that this task should only be active as long as the cluster is hibernated. Once the etcd cluster comes out of hibernation then this task should no longer exist. So have a section on lifecycle of this task.

[unmarshall]

So one task is extending the snapshot's immutability and also doing garbage collection? If that is the case then the name does not reflect that.

[unmarshall]

i did not quite understand this type in context of ExtendFullSnapshotImmutabilityTaskConfig - why is it that complicated? If GC needs to be done via this task as well then it should only be done for copied last full snapshot (taken prior to hibernation). I am confused why is delta snapshot retention coming here and what is exponential GC policy and how is relevant w.r.t this task.

[gardener-prow]

@seshachalam-yv: The following test failed, say /retest to rerun all failed tests or /retest-required to rerun all mandatory failed tests:

Test name	Commit	Details	Required	Rerun command
pull-etcd-druid-e2e-kind	b8655fb	link	true	/test pull-etcd-druid-e2e-kind

Full PR test history. Your PR dashboard. Command help for this repository.
Please help us cut down on flakes by linking this test failure to an open flake report or filing a new flake report if you can't find an existing one. Also see our testing guideline for how to avoid and hunt flakes.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

[shreyas-s-rao]

@seshachalam-yv the flow is neat and understandable from a new-reader's perspective too. Thanks a lot for taking the time and making all the changes! I have a few nits. Please address them, thanks.

Please also update https://github.com/gardener/etcd-druid/blob/master/docs/README.md to include link to this proposal.

[shreyas-s-rao]

Is the proposed feature just immutable backups, or does it also include handling hibernated clusters? I'm a but confused, since the non-goals section mentions that the proposal doesn't focus on handling immutable backups for hibernated clusters, but the Handling of Hibernated Clusters section talks about how druid can handle hibernated clusters. I'm a bit confused about this.

Because if the proposal is just about immutable backups, then the proposal is already in implemented status, correct?

[shreyas-s-rao]

Suggested change

	- **Garbage Collection:** The process of deleting old snapshot data that is no longer needed to free up storage space.
	- **Garbage Collection:** The process of deleting old snapshot data that is no longer needed, in order to free up storage space.

[shreyas-s-rao]

Suggested change

Periodic backups of an etcd cluster state ensure the ability to recover from a complete quorum loss, enhancing reliability and fault tolerance. It is crucial that these backups, which are vital for restoring the etcd cluster, remain protected from any form of tampering, whether intentional or accidental. To safeguard the integrity of these backups, the authors recommend utilizing `WORM` protection, a feature offered by various cloud providers, to ensure the backups remain immutable and secure.

Periodic backups of an etcd cluster state ensure the ability to recover from a data loss or a quorum loss, enhancing reliability and fault tolerance. It is crucial that these backups, which are vital for restoring the etcd cluster, remain protected from any form of tampering, whether intentional or accidental. To safeguard the integrity of these backups, the authors recommend utilizing `WORM` protection, a feature offered by various cloud providers, to ensure the backups remain immutable and secure.

[shreyas-s-rao]

This point seems out-of-context here. A better wording for this would be:
Ensuring immutability of snapshots when the etcd cluster is hibernated for a period longer than the configured immutability period.

This is more in-line with this proposal's theme, ie immutable backups. Whereas, the issue you mentioned here simply talks about providing certain features upon hibernation of the etcd cluster, which is a general feature and not necessarily related to immutable backups.

[shreyas-s-rao]

Can you please also add line items for Support for enabling bucket-level immutability in existing buckets and Support for enabling bucket-level immutability in new buckets?

[shreyas-s-rao]

Suggested change

	Given the nuances across providers:
	At the time of writing this proposal, these are the current limitations seen across providers:

[shreyas-s-rao]

Wouldn't it be more optimal to utilise provider APIs to perform a server-side copy of the object with a new name? That we we save on download+upload time as well as network costs.

If so, can we rename this to renew-snapshot rather than reupload-snapshot? Because the task is to renew or refresh the snapshot's timestamp, rather than download+upload.

If not, then the term reupload is incorrect, since it technically needs to be re-upload. So it'll be re-upload-snapshot.

[shreyas-s-rao]

What about reverting from immutable backups to mutable backups? Is that possible? If so, can you please elaborate on the nuances of this? If not, then can you add that as a limitation here?

[shreyas-s-rao]

Please add a limitation note for AWS, since we currently don't support this for S3 buckets, atleast at the time of writing this proposal.

[ishan16696]

few nits

[ishan16696]

Suggested change

	This proposal introduces immutable backups for etcd clusters managed by `etcd-druid`. By leveraging cloud provider immutability features, backups can neither be modified nor deleted once created. This approach strengthens the reliability and fault tolerance of the etcd restoration process.
	This proposal introduces immutable backups for etcd clusters managed by `etcd-druid`. By leveraging cloud provider immutability features, backups taken by `etcd-backup-restore` can neither be modified nor deleted once created for a configured retention period. This approach strengthens the reliability and fault tolerance of the etcd restoration process.

[ishan16696]

can you mention this link for more information on GC, https://github.com/gardener/etcd-backup-restore/blob/master/docs/usage/garbage_collection.md

[ishan16696]

can you mention about the openstack here.

Note

Currently, Openstack object storage (swift) doesn't support immutability for objects: https://blueprints.launchpad.net/swift/+spec/immutability-middleware.

[ishan16696]

Suggested change

	> In AWS S3, it is possible to decrease the bucket-level immutability period; however, this action may be blocked by specific bucket policy settings.
	> In AWS S3, it is possible to increase and decrease the bucket-level immutability period; however, this action can be blocked by configuring specific bucket policy settings.

[ishan16696]

For AWS S3, for example, you enable Object Lock at bucket creation

can you explain what do you mean by this ?
IMO, this line can be removed

[ishan16696]

Suggested change

	- Introduce new CLI commands:
	- Introduce new CLI sub-commands:

[ishan16696]

Why we want to GC the old snapshots ? why can't we leave them as we currently leave them already.

[ishan16696]

same as above