Rbac

docs/administer/manage_users.md

@@ -94,8 +94,10 @@ You will be prompted to enter the password for this user.
     ```
 
 !!! info "Important"
+
     For Percona Everest versions 1.0.0 and later, new users have full access to the system. However, once RBAC support is in place, an admin user will be able to manage permissions for users, granting them fine-grained control over database resources.
 
+For detailed information on granting permissions to new users, see [assign permissions to a new user](rbac.md#assign-users-to-a-group-and-grant-them-permissions) section.
 
 ### List the users
 

docs/api_rbac.md

@@ -0,0 +1,48 @@
+# Navigating the breaking API changes for RBAC
+
+Starting with Percona Everest v1.2.0, breaking changes are being made to the API for `monitoring-instances` and `backup-storage` resources. These changes are:
+
+- Before the release of Percona Everest 1.2.0, these resources were globally scoped, but now they will be specific to namespaces. 
+
+- The database clusters can only use `monitoring-instances` and `backup-storages` located within the same namespace as the cluster. The system used a `.spec.allowedNamespaces` field to control access to these global resources. This field determined the namespaces where the resource could be accessed, providing a certain degree of access control.
+
+- With the update to Percona Everest v1.2.0, the shift from global scope to designated namespaces for these resources marks a significant change in the way access control is managed. This change enhances security by ensuring these resources are only accessible within their designated namespaces.
+
+## Challenges with globally scoped namespaces
+
+In Percona Everest v1.2.0, we’ve rolled out Role Based Access Control (RBAC) to enhance security and provide more granular control over the access privileges for specific resources within the system. This implementation provides fine-grained control over which users and user groups can access particular resources within the system. 
+
+The RBAC model functions on the principle that all resources are organized into namespaces. This enables a well-structured and hierarchical arrangement of resources, simplifying access rights management according to the namespace to which a resource is associated.
+
+Prior to Percona Everest version 1.2.0, certain resources such as `backup-storages` and `monitoring-instances` were not organized into namespaces but were accessible globally. To enforce access restrictions on these globally scoped resources, the system utilized a `.spec.allowedNamespaces` field. The `.spec.allowedNamespaces` field specifies the namespaces within which the resource can be accessed, giving you certain level of control.
+
+Using the `.spec.allowedNamespaces` field for globally scoped resources presented challenges when integrating with the core RBAC model. To fix this and align with the RBAC framework, `backup-storages` and `monitoring-instances` are now namespaced resources. This ensures that all resources conform to the same RBAC model, which results in a consistent and manageable access control structure across the system.
+
+##  Changes in the Percona Everest APIs
+
+The APIs have been updated with the following modifications:
+
+- The existing APIs for backup storage and monitoring instances are deprecated. Now, you should use the API path prefixed with `/namespaces/{namespace}`.
+
+    ??? example "Example"
+
+        ```/v1/backup-storages``` is now
+
+        ```/v1/namespaces/{namespace}/backup-storages```
+
+        Check out the [API](https://percona-everest.readme.io/reference/getkubernetesclusterresources) documentation for more details.
+
+- The `.spec.allowedNamespaces` field has been deprecated. Access control for these resources is now managed through the RBAC policy.
+
+- `database-clusters` can now only reference `backup-storages` and `monitoring-instances` created within the same namespace as the `database-cluster`.
+
+### Migrating to Percona Everest 1.2.0
+
+When upgrading to 1.2.0, all your existing backup-storages and monitoring-instances will be automatically migrated to the namespaces specified in their `.spec.allowedNamespaces `fields. After the upgrade, these resources will be accessible exclusively through the new API endpoints.
+
+Need more details? Check out the [upgrade](../upgrade_with_cli.md#upgrading-to-percona-everest-120) section.
+
+
+
+
+

docs/install/SetupPrereqs.md

@@ -7,25 +7,25 @@ Percona Everest has two primary components:
 
 ## Supported operators
 
-* Percona Operator for MySQL Based on Percona XtraDB Cluster (PXC) 1.13.0, 1.14.0
+* Percona Operator for MySQL Based on Percona XtraDB Cluster (PXC) 1.14.0, 1.15.0
 * Percona Operator for MongoDB (PSMDB) 1.15.0
-* Percona Operator for PostgreSQL (PG) 2.3.1
+* Percona Operator for PostgreSQL (PG) 2.3.1, 2.4.1
 
 ## Supported k8s clusters
 
 Percona Everest works on most of the cloud K8s and on most of the on-prem vanilla K8s.
 
 However, not all the many combinations of K8s distributions and K8s versions might be fully tested and certified. Refer to the matrix below and [reach out to us](SetupPrereqs.md#get-expert-help) should you have any questions.
 
-| Platform              | Kubernetes Version | Percona Everest Version | State                                   |
-|:----------------------|:-------------------|:------------------------|:----------------------------------------|
-| Google GKE            | 1.24 - 1.28        | >= 1.0.0                | Fully tested and certified                |
-| Amazon EKS            | 1.24 - 1.28        | >= 1.0.0                | Fully tested and certified                |
-| Vanilla K8s (kubeadm) | 1.24 - 1.28        | >= 1.0.0                | Fully tested and certified                |
-| Azure AKS             | -                  | >= 1.0.0                | Works but not fully certified yet       |
-| DigitalOcean          | -                  | >= 1.0.0                | Works but not fully certified yet       |
-| OpenShift             | -                  |                         | Coming soon                             |
-| Other cloud K8s       | -                  |                         | Should work but not fully certified yet |
+| Platform              | Kubernetes Version | State                                   |
+|:----------------------|:-------------------|:----------------------------------------|
+| Google GKE            | 1.27 - 1.29        | Fully tested and certified                |
+| Amazon EKS            | 1.28 - 1.30        | Fully tested and certified                |
+| Azure AKS             | -                  | Works but not fully certified yet       |
+| DigitalOcean          | -                  | Works but not fully certified yet       |
+| Vanilla K8s (kubeadm) | -                  | Works but not fully certified yet       |
+| OpenShift             | -                  | Coming soon                             |
+| Other cloud K8s       | -                  | Should work but not fully certified yet |
 
 !!! note
     Air-gapped environments (i.e. environments physically isolated from unsecured networks such as the public Internet) are not currently supported. Their support is coming soon.

docs/release-notes/Percona-Everest-1.1.0-(2024-08-12).md

@@ -138,7 +138,7 @@ curl -sS "https://raw.githubusercontent.com/percona/everest-doc/main/tools/bin/c
 
 What to do if you have schedules or backups that are using duplicated storages in different database technologies.
 
-=== ":simple-mongodb: MongoDB :simple-mysql: MySQL"
+=== ":simple-mongodb: MongoDB or :simple-mysql: MySQL"
 
     Create a new backup using a different backup storage. Then, delete the old schedules and backups that use the duplicated storage.
 

docs/release-notes/release_notes_index.md

@@ -2,6 +2,7 @@
 
 
 - [Percona Everest 1.1.1 (2024-08-22)](Percona-Everest-1.1.1-(2024-08-22).md)
+- [Percona Everest 1.2.0 (2024-09-12)](Percona-Everest-1.2.0-(2024-09-12).md)
 - [Percona Everest 1.1.0 (2024-08-12)](Percona-Everest-1.1.0-(2024-08-12).md)
 - [Percona Everest 1.0.1 (2024-07-08)](Percona-Everest-1.0.1-(2024-07-08).md)
 - [Percona Everest 1.0.0 (2024-06-28)](Percona-Everest-1.0.0-(2024-06-28).md)

docs/upgrade_with_cli.md

@@ -44,17 +44,112 @@ During the upgrade of Percona Everest, only Everest and Everest operator are upg
         2024-05-03T12:07:28Z    info    upgrade/upgrade.go:148  Everest has been upgraded to version 0.10.0 {"component": "upgrade"}
         ```
 
+3. After upgrading, refresh the Percona Everest UI to access the new version.
 
 
+### Upgrading to Percona Everest 1.2.0
 
-3. After upgrading, refresh the Percona Everest UI to access the new version.
+When upgrading to 1.2.0 using the CLI command `everestctl upgrade`, all your existing backup storages and monitoring instances will be automatically migrated to the namespaces specified in their `.spec.allowedNamespaces` fields.
+
+Following the upgrade, your databases should not experience any downtime. Your backup, restore, and monitoring functionalities should continue to operate normally. 
 
+In the unlikely event that your upgrade fails, and you need to manually migrate these resources, follow the steps in [how to resolve upgrade failures in Percona Everest 1.2.0](#how-to-resolve-upgrade-failures-in-percona-everest-120) section.
 
 
 ## How to address a failed upgrade
 
 If the upgrade fails, you can attempt it again. If the issue persists, [create a GitHub issue](https://docs.github.com/en/issues/tracking-your-work-with-issues/creating-an-issue#creating-an-issue-from-a-repository).
 
+### Resolving upgrade failures due to the breaking API changes in Percona Everest 1.2.0
+
+Percona Everest 1.2.0 includes some [breaking API changes](administer/api_rbac.md#navigating-the-breaking-api-changes-for-rbac). While all your resources will be migrated automatically, in the unlikely event that your upgrade fails and you need to manually migrate these resources, follow the steps below:
+{.power-number}
+
+1. List the existing backup-storages:
+
+    ```
+    kubectl get backupstorages -n everest-system -oyaml > new-backupstorages.yaml
+    ```
+
+2. Check whether the backup storage has been retrieved.
+
+    ```sh
+    cat new-backupstorages.yaml
+
+    apiVersion: everest.percona.com/v1alpha1
+    kind: BackupStorage
+    metadata:
+    name: s3
+    namespace: everest-system
+    spec:
+    allowedNamespaces:
+    - my-cool-namespace
+    - another-cool-namespace
+    bucket: my-cool-bucket
+    credentialsSecretName: s3
+    description: s3
+    endpointURL: https://s3.us-west-2.amazonaws.com
+    forcePathStyle: false
+    region: us-west-2
+    type: s3
+    verifyTLS: true
+    ```
+
+    !!! note
+        You may see more than one object, depending on the number of objects created.
+
+
+3. Edit `new-backupstorages.yaml` as follows:
+
+    1. For each `BackupStorage` retrieved, create a copy in each namespace specified under `.spec.allowedNamespaces`.
+
+    2. Remove (or unset) `.spec.allowedNamespaces` in each copy of the `BackupStorages` object.
+
+    3. Ensure that `.metadata` contains only `name` and `namespace`.
+
+    ??? example "Example"
+        ```sh
+        apiVersion: everest.percona.com/v1alpha1
+        kind: BackupStorage
+        metadata:
+        name: s3
+        namespace: my-cool-namespace
+        spec:
+        allowedNamespaces: []
+        bucket: my-cool-bucket
+        credentialsSecretName: s3
+        description: s3
+        endpointURL: https://s3.us-west-2.amazonaws.com
+        forcePathStyle: false
+        region: us-west-2
+        type: s3
+        verifyTLS: true
+        ---
+        apiVersion: everest.percona.com/v1alpha1
+        kind: BackupStorage
+        metadata:
+        name: s3
+        namespace: another-cool-namespace
+        spec:
+        allowedNamespaces: []
+        bucket: my-cool-bucket
+        credentialsSecretName: s3
+        description: s3
+        endpointURL: https://s3.us-west-2.amazonaws.com
+        forcePathStyle: false
+        region: us-west-2
+        type: s3
+        verifyTLS: true
+        ```
+
+4. Create your new backup storages:
+
+        kubectl apply -f new-backupstorages.yaml
+
+    A similar set of steps can also be followed for monitoring configs as well:
+
+        kubectl get monitoringconfigs -n everest-monitoring > new-monitoringconfigs.yaml
+
 
 ## After your upgrade is complete
 

mkdocs-base.yml

@@ -178,6 +178,9 @@ nav:
   - Administer:
       - User management: administer/manage_users.md
       - Single sign-on (SSO): administer/Idp_integration.md
+      - Access Control: 
+        - RBAC: administer/rbac.md
+
 
   - Use:
       - Database view: use/database_view.md
@@ -197,6 +200,7 @@ nav:
       - API rate limiting: use/API_rate_limit.md
   - API: API.md
   - Reference:
+      - Breaking API changes: api_rbac.md
       - Limitations: reference/known_limitations.md
       - Telemetry on Percona Everest: reference/telemetry.md
       - Migrate to Percona Everest: reference/migration_guide.md