Merge pull request #99533 from shdeshpa07/azure-auth-bug-fix

[enterprise-4.18] azure auth bug fix

Author: shdeshpa07

backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc

@@ -17,24 +17,21 @@ You configure Azure for Velero, create a default `Secret`, and then install the
 
 To install the OADP Operator in a restricted network environment, you must first disable the default OperatorHub sources and mirror the Operator catalog. See xref:../../../disconnected/using-olm.adoc#olm-restricted-networks[Using Operator Lifecycle Manager in disconnected environments] for details.
 
-// include::modules/oadp-installing-operator.adoc[leveloffset=+1]
+
 include::modules/migration-configuring-azure.adoc[leveloffset=+1]
 include::modules/oadp-about-backup-snapshot-locations-secrets.adoc[leveloffset=+1]
-include::modules/oadp-creating-default-secret.adoc[leveloffset=+2]
-include::modules/oadp-secrets-for-different-credentials.adoc[leveloffset=+2]
-
-[id="configuring-dpa-azure"]
-== Configuring the Data Protection Application
+include::modules/oadp-auth-azure-methods.adoc[leveloffset=+1]
+include::modules/oadp-auth-azure-secret-based.adoc[leveloffset=+1]
 
 You can configure the Data Protection Application by setting Velero resource allocations or enabling self-signed CA certificates.
 
-include::modules/oadp-setting-resource-limits-and-requests.adoc[leveloffset=+2]
+include::modules/oadp-setting-resource-limits-and-requests.adoc[leveloffset=+1]
 
 include::snippets/oadp-nodeselector-snippet.adoc[]
 
 For more details, see xref:../../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc#oadp-configuring-node-agents_installing-oadp-azure[Configuring node agents and node labels].
 
-include::modules/oadp-self-signed-certificate.adoc[leveloffset=+2]
+include::modules/oadp-self-signed-certificate.adoc[leveloffset=+1]
 
 // include::modules/oadp-installing-dpa-1-2-and-earlier.adoc[leveloffset=+1]
 include::modules/oadp-installing-dpa-1-3.adoc[leveloffset=+1]

modules/oadp-auth-azure-methods.adoc

@@ -0,0 +1,12 @@
+// Module included in the following assemblies:
+
+// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc
+
+:_mod-docs-content-type: CONCEPT
+[id="oadp-auth-azure-methods_{context}"]
+= About authenticating OADP with Azure
+
+You can authenticate {oadp-short} with Azure by using the following methods:
+
+* A Velero-specific service principal with secret-based authentication.
+* A Velero-specific storage account access key with secret-based authentication.

modules/oadp-auth-azure-secret-based.adoc

@@ -0,0 +1,97 @@
+// Module included in the following assemblies:
+
+// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc
+
+:_mod-docs-content-type: PROCEDURE
+[id="oadp-auth-azure-secret-based_{context}"]
+= Using a service principal or a storage account access key
+
+[role="_abstract"]
+You create a default `Secret` object and reference it in the backup storage location custom resource. The credentials file for the `Secret` object can contain information about the Azure service principal or a storage account access key.
+
+The default name of the `Secret` is `{credentials}`.
+
+[NOTE]
+====
+The `DataProtectionApplication` custom resource (CR) requires a default `Secret`.  Otherwise, the installation will fail. If the name of the backup location `Secret` is not specified, the default name is used.
+
+If you do not want to use the backup location credentials during the installation, you can create a `Secret` with the default name by using an empty `credentials-velero` file.
+====
+
+
+.Prerequisites
+
+* You have access to the OpenShift cluster as a user with `cluster-admin` privileges.
+* You have an Azure subscription with appropriate permissions.
+* You have installed {oadp-short}.
+* You have configured an object storage for storing the backups.
+
+.Procedure
+
+. Create a `credentials-velero` file for the backup storage location in the appropriate format for your cloud provider.
++
+You can use one of the following two methods to authenticate {oadp-short} with Azure.
+
+* Use the service principal with secret-based authentication. See the following example:
++
+[source,terminal]
+----
+AZURE_SUBSCRIPTION_ID=<azure_subscription_id>
+AZURE_TENANT_ID=<azure_tenant_id>
+AZURE_CLIENT_ID=<azure_client_id>
+AZURE_CLIENT_SECRET=<azure_client_secret>
+AZURE_RESOURCE_GROUP=<azure_resource_group>
+AZURE_CLOUD_NAME=<azure_cloud_name>
+----
+
+* Use a storage account access key. See the following example:
++
+[source,terminal]
+----
+AZURE_STORAGE_ACCOUNT_ACCESS_KEY=<azure_storage_account_access_key>
+AZURE_SUBSCRIPTION_ID=<azure_subscription_id> 
+AZURE_RESOURCE_GROUP=<azure_resource_group>
+AZURE_CLOUD_NAME=<azure_cloud_name> 
+----
+
+. Create a `Secret` custom resource (CR) with the default name:
++
+[source,terminal,subs="attributes+"]
+----
+$ oc create secret generic {credentials} -n openshift-adp --from-file cloud=credentials-velero
+----
+
+. Reference the `Secret` in the `spec.backupLocations.velero.credential` block of the `DataProtectionApplication` CR when you install the Data Protection Application as shown in the following example:
++
+[source,yaml,subs="attributes+"]
+----
+apiVersion: oadp.openshift.io/v1alpha1
+kind: DataProtectionApplication
+metadata:
+  name: <dpa_sample>
+  namespace: openshift-adp
+spec:
+...
+  backupLocations:
+    - velero:
+        config:
+          resourceGroup: <azure_resource_group>
+          storageAccount: <azure_storage_account_id>
+          subscriptionId: <azure_subscription_id>          
+        credential:
+          key: cloud
+          name: <custom_secret> # <1>
+        provider: azure
+        default: true
+        objectStorage:
+          bucket: <bucket_name>
+          prefix: <prefix>
+  snapshotLocations:
+    - velero:
+        config:
+          resourceGroup: <azure_resource_group>
+          subscriptionId: <azure_subscription_id>
+          incremental: "true"
+        provider: {provider}
+----
+<1> Backup location `Secret` with custom name.

modules/oadp-creating-default-secret.adoc

@@ -48,18 +48,29 @@ aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
 endif::[]
 ifdef::installing-oadp-azure[]
 +
-See the following example:
+You can use one of the following two methods to authenticate {oadp-short} with Azure.
+
+* Use the service principal with secret-based authentication. See the following example:
 +
 [source,terminal]
 ----
-AZURE_SUBSCRIPTION_ID= <azure_subscription_id>
+AZURE_SUBSCRIPTION_ID=<azure_subscription_id>
 AZURE_TENANT_ID=<azure_tenant_id>
 AZURE_CLIENT_ID=<azure_client_id>
 AZURE_CLIENT_SECRET=<azure_client_secret>
-AZURE_STORAGE_ACCOUNT_ACCESS_KEY=<azure_storage_account_access_key>
 AZURE_RESOURCE_GROUP=<azure_resource_group>
 AZURE_CLOUD_NAME=<azure_cloud_name>
 ----
+
+* Use a storage account access key. See the following example:
++
+[source,terminal]
+----
+AZURE_STORAGE_ACCOUNT_ACCESS_KEY=<azure_storage_account_access_key>
+AZURE_SUBSCRIPTION_ID=<azure_subscription_id> 
+AZURE_RESOURCE_GROUP=<azure_resource_group>
+AZURE_CLOUD_NAME=<azure_cloud_name> 
+----
 endif::[]
 
 . Create a `Secret` custom resource (CR) with the default name:

modules/oadp-installing-dpa-1-3.adoc

@@ -174,8 +174,7 @@ spec:
         config:
           resourceGroup: <azure_resource_group> # <8>
           storageAccount: <azure_storage_account_id> # <9>
-          subscriptionId: <azure_subscription_id> # <10>
-          storageAccountKeyEnvVar: AZURE_STORAGE_ACCOUNT_ACCESS_KEY
+          subscriptionId: <azure_subscription_id> # <10>          
         credential:
           key: cloud
           name: {credentials}  # <11>