[b/r] Update restore README with ci-framework and manual procedure

Update automated Quick Start to use ci-framework playbooks. Rewrite
manual restore procedure with fully rendered Restore CRs and resource
modifier ConfigMap instead of Jinja2 template references. Update Velero
version notes for OCP 4.20.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: stuggi

docs/dev/backup-restore/README.md

@@ -36,7 +36,7 @@ ansible-playbook playbooks/backup_restore.yaml \
   -e cifmw_backup_restore_run_backup=false \
   -e cifmw_backup_restore_run_cleanup=true \
   -e cifmw_backup_restore_run_restore=true \
-  -e cifmw_backup_restore_backup_timestamp=20260311-081234
+  -e cifmw_backup_restore_backup_name_suffix=20260311-081234
 ```
 
 The restore triggers an EDPM deployment to resync credentials but does

docs/dev/backup-restore/backup-restore-controller-design.md

@@ -1117,21 +1117,19 @@ Use cases:
 ### Phase 2: OADP Backup (Done)
 
 - Split backup: two OADP Backup CRs (PVCs with CSI snapshots + everything else)
-- Backup templates in `docs/dev/backup-restore/backup/templates/`
-- Ansible playbook orchestrates Galera DB dumps + OADP backups
+- ci-framework `cifmw_backup_restore` role orchestrates Galera DB dumps + OADP backups
 - Data Mover support (`snapshotMoveData: true`, default)
+- Manual procedure documented in `docs/dev/backup-restore/backup/README.md`
 
 ### Phase 3: OADP Restore with Ansible Automation (Done)
 
-- Restore templates in `docs/dev/backup-restore/restore/templates/`
-- Ansible playbook orchestrates the full restore flow:
+- ci-framework `cifmw_backup_restore` role orchestrates the full restore flow:
   - Ordered OADP restores (00 → 10 → 20 → 30 → 40 → 60)
   - Automated database restore (GaleraRestore CRs + restore script)
   - RabbitMQ credential restore (secrets from backup + RabbitMQUser CRs)
   - Staged deployment (infrastructure-only → full)
   - EDPM deployment to resync credentials
-- Interactive pauses between steps (skippable with `auto_ack=true`)
-- See `docs/dev/backup-restore/restore/README.md` for usage
+- Manual procedure documented in `docs/dev/backup-restore/restore/README.md`
 
 ### Phase 4: Golang Backup/Restore Controllers (Future)
 

docs/dev/backup-restore/backup-restore-controller-implementation.md

@@ -366,7 +366,7 @@ We use two separate OADP backups:
 
 ### Restore CRs
 
-Restore CRs are in `docs/dev/backup-restore/restore/`. Each uses a shared resource modifier ConfigMap (`00-resource-modifiers-configmap.yaml`) that:
+Restore CRs are documented in `docs/dev/backup-restore/restore/README.md`. Each uses a shared resource modifier ConfigMap that:
 - Strips `kubectl.kubernetes.io/last-applied-configuration` annotations
 - Adds `deployment-stage: infrastructure-only` annotation to OpenStackControlPlane
 
@@ -401,17 +401,12 @@ RabbitMQ clusters generate new random credentials on creation, but EDPM nodes st
 4. Create RabbitMQUser CRs to import the old credentials
 5. Clean up the temporary namespace
 
-See `docs/dev/backup-restore/restore/06b-restore-rabbitmq-secrets.yaml` for the manual procedure or the restore playbook (`docs/dev/backup-restore/restore/restore-openstack.yaml`) for automation.
+See `docs/dev/backup-restore/restore/06c-manual-rabbitmq-restore.md` for the manual procedure or the ci-framework `cifmw_backup_restore` role for automation.
 
-### Automated Restore Playbook
+### Automated Restore
 
-The Ansible playbook at `docs/dev/backup-restore/restore/restore-openstack.yaml` orchestrates the full restore flow:
-
-```bash
-ansible-playbook docs/dev/backup-restore/restore/restore-openstack.yaml \
-  -e pvc_backup_name=openstack-backup-pvcs \
-  -e resources_backup_name=openstack-backup-resources
-```
+The ci-framework `cifmw_backup_restore` role orchestrates the full restore flow.
+See `docs/dev/backup-restore/restore/README.md` for usage.
 
 ## Testing Checklist
 
@@ -462,12 +457,8 @@ oc get volumesnapshot -n openstack
 ### Restore Testing
 
 ```bash
-# Apply restore CRs in order and wait for each
-oc apply -f docs/dev/backup-restore/restore/01-restore-order-00-pvcs.yaml
-oc wait --for=jsonpath='{.status.phase}'=Completed restore/openstack-restore-00-pvcs -n openshift-adp --timeout=15m
-
-# Continue with each order...
-# See docs/dev/backup-restore/restore/README.md for full procedure
+# Follow the manual restore procedure in docs/dev/backup-restore/restore/README.md
+# or use the ci-framework cifmw_backup_restore role
 ```
 
 ## Troubleshooting
@@ -509,7 +500,6 @@ oc wait --for=jsonpath='{.status.phase}'=Completed restore/openstack-restore-00-
 ## See Also
 
 - Design document: `docs/dev/backup-restore/backup-restore-controller-design.md`
-- Backup CRs: `docs/dev/backup-restore/backup/`
-- Restore CRs: `docs/dev/backup-restore/restore/`
-- Restore playbook: `docs/dev/backup-restore/restore/restore-openstack.yaml`
-- Restore scripts: `docs/dev/backup-restore/scripts/restore-galera.sh`
+- Backup: `docs/dev/backup-restore/backup/README.md`
+- Restore: `docs/dev/backup-restore/restore/README.md`
+- ci-framework playbooks: [ci-framework](https://github.com/openstack-k8s-operators/ci-framework)

docs/dev/backup-restore/restore/06-manual-database-restore.md

@@ -127,27 +127,8 @@ oc delete galerarestore openstackrestore -n openstack
 oc delete galerarestore openstackrestorecell1 -n openstack
 ```
 
-### 8. Remove deployment-stage annotation
-
-Resume full OpenStack deployment by removing the annotation:
-
-```bash
-oc annotate openstackcontrolplane <name> -n openstack core.openstack.org/deployment-stage-
-```
-
-Replace `<name>` with your OpenStackControlPlane CR name.
-
-### 9. Wait for OpenStack services to start
-
-```bash
-oc get pods -n openstack
-oc get openstackcontrolplane -n openstack
-```
-
 ## Next Steps
 
-After database restore and annotation removal, proceed to:
-1. **Order 55**: Restore RabbitMQ credentials (see `06c-manual-rabbitmq-restore.md`)
-2. **Order 60**: Restore DataPlane resources (if applicable)
-3. See [Post-Restore](../README.md#post-restore-credential-rotation-and-edpm-nodes)
-   for EDPM deployment and InstanceHa re-enablement
+After database restore, return to the main restore procedure in
+[README.md](README.md#step-6b-rabbitmq-credential-restore) for
+RabbitMQ credential restore and removing the deployment-stage annotation.

docs/dev/backup-restore/restore/06c-manual-rabbitmq-restore.md

@@ -14,15 +14,59 @@ and creates RabbitMQUser CRs to re-establish the old credentials.
 
 ### 1. Restore secrets to a temporary namespace
 
+First, create a resource modifier ConfigMap that strips finalizers so
+the temp namespace can be deleted cleanly:
+
 ```bash
-# Create temp namespace
 oc create namespace openstack-restore-tmp
 
-# Restore all secrets from backup to temp namespace
-# Edit backupName in 06b-restore-rabbitmq-secrets.yaml first, then:
-oc apply -f 06b-restore-rabbitmq-secrets.yaml
+cat <<'EOF' | oc apply -f -
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: openstack-restore-tmp-resource-modifiers
+  namespace: openshift-adp
+data:
+  resource-modifiers.yaml: |
+    version: v1
+    resourceModifierRules:
+    - conditions:
+        groupResource: "*"
+        namespaces:
+        - openstack-restore-tmp
+      mergePatches:
+      - patchData: |
+          metadata:
+            finalizers: null
+EOF
+```
+
+Then restore all secrets from the backup to the temp namespace. Replace
+`RESOURCES_BACKUP` with your backup name (e.g.,
+`openstack-backup-resources-20260311-081234`):
+
+```bash
+cat <<EOF | oc apply -f -
+apiVersion: velero.io/v1
+kind: Restore
+metadata:
+  name: openstack-restore-rabbitmq-secrets-${RESTORE_SUFFIX}
+  namespace: openshift-adp
+spec:
+  backupName: ${RESOURCES_BACKUP}
+  includedNamespaces:
+  - openstack
+  namespaceMapping:
+    openstack: openstack-restore-tmp
+  includedResources:
+  - secrets
+  resourceModifier:
+    kind: ConfigMap
+    name: openstack-restore-tmp-resource-modifiers
+EOF
+
 oc wait --for=jsonpath='{.status.phase}'=Completed \
-  restore/openstack-restore-rabbitmq-secrets -n openshift-adp --timeout=5m
+  restore/openstack-restore-rabbitmq-secrets-${RESTORE_SUFFIX} -n openshift-adp --timeout=5m
 ```
 
 ### 2. Copy old credentials to target namespace
@@ -85,7 +129,6 @@ oc delete namespace openstack-restore-tmp
 
 ## Next Steps
 
-After RabbitMQ credential restore, proceed to:
-1. **Order 60**: Restore DataPlane resources (if applicable)
-2. See [Post-Restore](../README.md#post-restore-credential-rotation-and-edpm-nodes)
-   for EDPM deployment and InstanceHa re-enablement
+After RabbitMQ credential restore, return to the main restore procedure in
+[README.md](README.md#step-6c-remove-deployment-stage-annotation) to
+remove the deployment-stage annotation and resume full deployment.