OADP-6675: Add Azure workload identity support for image registry #1952
Conversation
- Add AzureIsWorkloadIdentity() helper function to check for Azure workload identity
- Replace deprecated SPN environment variables with new CREDENTIALS_* format
- Support workload identity authentication with default_credentials type
- Refactor repeated workload identity detection pattern into reusable function
- Remove legacy SPN environment variable constants

This enables Azure AD authentication for the image registry when using workload identity, aligning with the standardized STS authentication flow.

Note: Requires corresponding changes in openshift-velero-plugin repository to consume the new secret format with CREDENTIALS_* environment variables.

🤖 Generated with [Claude Code](https://claude.ai/code)
Co-Authored-By: Claude
[APPROVALNOTIFIER] This PR is APPROVED. This pull-request has been approved by: kaovilai
Additional Testing: Service Principal Credentials (Backward Compatibility)

To ensure backward compatibility with existing Service Principal authentication, please also test with traditional Azure credentials:

Test with Service Principal

```shell
# Create service principal
az ad sp create-for-rbac \
  --name "velero-sp-${CLUSTER_NAME}" \
  --role "Storage Blob Data Contributor" \
  --scopes "/subscriptions/${AZURE_SUBSCRIPTION_ID}/resourceGroups/${CLUSTER_RESOURCE_GROUP}/providers/Microsoft.Storage/storageAccounts/${STORAGE_ACCOUNT_NAME}"

# Save the output values:
# - appId (client_id)
# - password (client_secret)
# - tenant (tenant_id)
cat <<EOF > /tmp/credentials-velero
AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}
AZURE_TENANT_ID=<tenant-from-sp-output>
AZURE_CLIENT_ID=<appId-from-sp-output>
AZURE_CLIENT_SECRET=<password-from-sp-output>
AZURE_RESOURCE_GROUP=${CLUSTER_RESOURCE_GROUP}
AZURE_STORAGE_ACCOUNT_ID=${STORAGE_ACCOUNT_NAME}
AZURE_CLOUD_NAME=AzurePublicCloud
EOF

oc create secret generic cloud-credentials-azure \
  -n openshift-adp \
  --from-file=cloud=/tmp/credentials-velero

# Deploy using standard OLM without STS flow
make deploy-olm
```

```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: dpa-sp
  namespace: openshift-adp
spec:
  backupLocations:
    - velero:
        provider: azure
        config:
          storageAccount: ${STORAGE_ACCOUNT_NAME}
          resourceGroup: ${CLUSTER_RESOURCE_GROUP}
        credential:
          name: cloud-credentials-azure
          key: cloud
        objectStorage:
          bucket: ${CONTAINER_NAME}
```

Verification for Backward Compatibility

```shell
# Check registry secret has client_secret credentials_type
oc get secret -n openshift-adp oadp-dpa-sp-azure-registry-secret -o yaml | grep credentials_type
# Should show: credentials_type: Y2xpZW50X3NlY3JldA== (base64 for "client_secret")

# Verify NO azure-workload-identity-env secret is created
oc get secret -n openshift-adp azure-workload-identity-env 2>&1 | grep "NotFound"

# Test backup/restore with SP credentials
velero backup create sp-test-backup --include-namespaces test-images
```
/test unit-test images

@kaovilai: all tests passed!

@kaovilai: This pull request references OADP-6675 which is a valid jira issue.

@kaovilai let's keep pushing and get this out of draft :)
Why the changes were made
This PR adds Azure workload identity support for the image registry component, enabling Azure AD authentication when using workload identity federation. This is required to support image backup/restore operations in Azure environments using workload identity instead of service principal credentials.
Related to standardized STS authentication workflow for Azure.
How to test the changes made
Prerequisites
Setup Azure Workload Identity
Follow Azure workload identity setup from oadp-azure-sts-cloud-authentication.adoc
Install OADP operator with Azure workload identity:
Verification Points

- `AzureIsWorkloadIdentity()` returns true when env vars are set
- `credentials_type: default_credentials`
- `envFrom` reference to `azure-workload-identity-env` secret

Technical Details

Azure Workload Identity Authentication Flow

When Azure workload identity is detected (via the `AzureIsWorkloadIdentity()` function), the operator:

- Creates a secret (`azure-workload-identity-env`) containing:
  - `AZURE_CLIENT_ID`: The managed identity client ID
  - `AZURE_TENANT_ID`: The Azure tenant ID
  - `AZURE_FEDERATED_TOKEN_FILE`: Set to `/var/run/secrets/openshift/serviceaccount/token`
- Injects the secret into Velero (see `internal/controller/velero.go:642-655`):
- Azure SDK authentication: The Azure SDK's `DefaultAzureCredential` automatically:
  - `AZURE_FEDERATED_TOKEN_FILE`

This design ensures that both Velero and the registry components have the necessary environment variables for workload identity authentication, while the Azure SDK handles the actual token exchange and authentication flow.

Changes Summary

- `AzureIsWorkloadIdentity()` helper function to detect Azure workload identity configuration
- `ReconcileAzureWorkloadIdentitySecret()` to manage the workload identity secret
- `envFrom`
- `CREDENTIALS_*` format matching docker-distribution expectations
- `default_credentials` authentication type when workload identity is detected

Dependencies

This PR requires corresponding changes in the openshift-velero-plugin repository to consume the new secret format.

🤖 Generated with Claude Code
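The selection between the two registry credential modes discussed on this page (the `default_credentials` path when the workload identity variables are present, and the `client_secret` path driven by the `cloud` key of `cloud-credentials-azure` in the backward-compatibility test earlier in the thread), as an added Go example. This is illustrative code written for this page, not OADP operator code: the function names `AzureIsWorkloadIdentity`, `ParseCloudCredentials`, `RegistrySecretData` and `DecodeSecretField`, the registry field names (`credentials_type`, `client_id`, `client_secret`, `tenant_id`, `federated_token_file`) and every identifier in `SampleCloudCredentials` are assumptions. Two checks a practitioner wants are built in: workload identity is detected only when all three `AZURE_*` variables are set, so a half-configured pod does not produce a `default_credentials` secret that can never obtain a token, and workload identity takes precedence over a client secret left behind in the credentials file, so the registry cannot be silently downgraded to SPN auth.

```go
package main

import (
	"bufio"
	"encoding/base64"
	"fmt"
	"strings"
)

// Added example, not OADP operator code; registry field names are assumptions.
// Variables the azure-workload-identity-env secret is described as carrying.
const (
	envClientID           = "AZURE_CLIENT_ID"
	envTenantID           = "AZURE_TENANT_ID"
	envFederatedTokenFile = "AZURE_FEDERATED_TOKEN_FILE"
)

// SampleCloudCredentials is a constructed credentials-velero file (placeholders only).
const SampleCloudCredentials = `AZURE_TENANT_ID=00000000-0000-0000-0000-000000000002
AZURE_CLIENT_ID=00000000-0000-0000-0000-000000000003
AZURE_CLIENT_SECRET=example-sp-password
AZURE_CLOUD_NAME=AzurePublicCloud
`

// AzureIsWorkloadIdentity is true only when all three variables are set and
// non-empty, so a pod with a client ID but no projected token file is not
// mistaken for workload identity.
func AzureIsWorkloadIdentity(env map[string]string) bool {
	for _, k := range []string{envClientID, envTenantID, envFederatedTokenFile} {
		if strings.TrimSpace(env[k]) == "" {
			return false
		}
	}
	return true
}

// ParseCloudCredentials parses the KEY=VALUE "cloud" file of the
// cloud-credentials-azure secret, skipping blank lines and # comments.
func ParseCloudCredentials(contents string) (map[string]string, error) {
	creds := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(contents))
	for sc.Scan() {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(line, "=")
		if !ok {
			return nil, fmt.Errorf("malformed credentials line %q", line)
		}
		creds[strings.TrimSpace(k)] = strings.TrimSpace(v)
	}
	return creds, sc.Err()
}

// RegistrySecretData selects the registry credential fields. Workload identity
// wins over a lingering client secret; otherwise all three SPN values are required.
func RegistrySecretData(env, cloudCreds map[string]string) (map[string]string, error) {
	if AzureIsWorkloadIdentity(env) {
		return map[string]string{
			"credentials_type":     "default_credentials",
			"client_id":            env[envClientID],
			"tenant_id":            env[envTenantID],
			"federated_token_file": env[envFederatedTokenFile],
		}, nil
	}
	for _, k := range []string{"AZURE_CLIENT_ID", "AZURE_CLIENT_SECRET", "AZURE_TENANT_ID"} {
		if cloudCreds[k] == "" {
			return nil, fmt.Errorf("no workload identity and cloud credentials lack %s", k)
		}
	}
	return map[string]string{
		"credentials_type": "client_secret",
		"client_id":        cloudCreds["AZURE_CLIENT_ID"],
		"client_secret":    cloudCreds["AZURE_CLIENT_SECRET"],
		"tenant_id":        cloudCreds["AZURE_TENANT_ID"],
	}, nil
}

// DecodeSecretField decodes a value as printed by `oc get secret -o yaml`.
func DecodeSecretField(b64 string) (string, error) {
	b, err := base64.StdEncoding.DecodeString(strings.TrimSpace(b64))
	if err != nil {
		return "", err
	}
	return string(b), nil
}

func main() {
	creds, _ := ParseCloudCredentials(SampleCloudCredentials)
	spData, _ := RegistrySecretData(nil, creds) // SPN path: nothing projected into the pod
	wiData, _ := RegistrySecretData(map[string]string{
		envClientID: "00000000-0000-0000-0000-000000000004", envTenantID: "00000000-0000-0000-0000-000000000002",
		envFederatedTokenFile: "/var/run/secrets/openshift/serviceaccount/token",
	}, creds)
	fmt.Println(spData["credentials_type"], wiData["credentials_type"])
}
```

`DecodeSecretField` exists because the `grep credentials_type` check in the test plan only ever shows the base64 form; decoding it is what makes "Y2xpZW50X3NlY3JldA==" unambiguously `client_secret` rather than something a reviewer has to recognise by eye.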