diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc index b4c430480ab3..08a59b63f8ff 100644 --- a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc +++ b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc 
@@ -17,24 +17,21 @@ You configure Azure for Velero, create a default `Secret`, and then install the To install the OADP Operator in a restricted network environment, you must first disable the default OperatorHub sources and mirror the Operator catalog. See xref:../../../operators/admin/olm-restricted-networks.adoc#olm-restricted-networks[Using Operator Lifecycle Manager on restricted networks] for details. -// include::modules/oadp-installing-operator.adoc[leveloffset=+1] + include::modules/migration-configuring-azure.adoc[leveloffset=+1] include::modules/oadp-about-backup-snapshot-locations-secrets.adoc[leveloffset=+1] -include::modules/oadp-creating-default-secret.adoc[leveloffset=+2] -include::modules/oadp-secrets-for-different-credentials.adoc[leveloffset=+2] - -[id="configuring-dpa-azure"] -== Configuring the Data Protection Application +include::modules/oadp-auth-azure-methods.adoc[leveloffset=+1] +include::modules/oadp-auth-azure-secret-based.adoc[leveloffset=+1] You can configure the Data Protection Application by setting Velero resource allocations or enabling self-signed CA certificates. -include::modules/oadp-setting-resource-limits-and-requests.adoc[leveloffset=+2] +include::modules/oadp-setting-resource-limits-and-requests.adoc[leveloffset=+1] include::snippets/oadp-nodeselector-snippet.adoc[] For more details, see xref:../../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc#oadp-configuring-node-agents_installing-oadp-azure[Configuring node agents and node labels]. -include::modules/oadp-self-signed-certificate.adoc[leveloffset=+2] +include::modules/oadp-self-signed-certificate.adoc[leveloffset=+1] // include::modules/oadp-installing-dpa-1-2-and-earlier.adoc[leveloffset=+1] include::modules/oadp-installing-dpa-1-3.adoc[leveloffset=+1] diff --git a/modules/oadp-auth-azure-methods.adoc b/modules/oadp-auth-azure-methods.adoc new file mode 100644 index 000000000000..44d0e7472393 --- /dev/null 
+++ b/modules/oadp-auth-azure-methods.adoc @@ -0,0 +1,12 @@ +// Module included in the following assemblies: + +// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc + +:_mod-docs-content-type: CONCEPT +[id="oadp-auth-azure-methods_{context}"] += About authenticating OADP with Azure + +You can authenticate {oadp-short} with Azure by using the following methods: + +* A Velero-specific service principal with secret-based authentication. +* A Velero-specific storage account access key with secret-based authentication. diff --git a/modules/oadp-auth-azure-secret-based.adoc b/modules/oadp-auth-azure-secret-based.adoc new file mode 100644 index 000000000000..954010777be2 --- /dev/null +++ b/modules/oadp-auth-azure-secret-based.adoc 
@@ -0,0 +1,97 @@ +// Module included in the following assemblies: + +// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc + +:_mod-docs-content-type: PROCEDURE +[id="oadp-auth-azure-secret-based_{context}"] += Using a service principal or a storage account access key + +[role="_abstract"] +You create a default `Secret` object and reference it in the backup storage location custom resource. The credentials file for the `Secret` object can contain information about the Azure service principal or a storage account access key. + +The default name of the `Secret` is `{credentials}`. + +[NOTE] +==== +The `DataProtectionApplication` custom resource (CR) requires a default `Secret`. Otherwise, the installation will fail. If the name of the backup location `Secret` is not specified, the default name is used. + +If you do not want to use the backup location credentials during the installation, you can create a `Secret` with the default name by using an empty `credentials-velero` file. +==== + + +.Prerequisites + +* You have access to the OpenShift cluster as a user with `cluster-admin` privileges. +* You have an Azure subscription with appropriate permissions. +* You have installed {oadp-short}. +* You have configured an object storage for storing the backups. + +.Procedure + +. Create a `credentials-velero` file for the backup storage location in the appropriate format for your cloud provider. ++ +You can use one of the following two methods to authenticate {oadp-short} with Azure. + +* Use the service principal with secret-based authentication. See the following example: ++ +[source,terminal] +---- +AZURE_SUBSCRIPTION_ID= +AZURE_TENANT_ID= +AZURE_CLIENT_ID= +AZURE_CLIENT_SECRET= +AZURE_RESOURCE_GROUP= +AZURE_CLOUD_NAME= +---- + +* Use a storage account access key. See the following example: ++ +[source,terminal] +---- +AZURE_STORAGE_ACCOUNT_ACCESS_KEY= +AZURE_SUBSCRIPTION_ID= +AZURE_RESOURCE_GROUP= +AZURE_CLOUD_NAME= +---- + +. 
Create a `Secret` custom resource (CR) with the default name: ++ +[source,terminal,subs="attributes+"] +---- +$ oc create secret generic {credentials} -n openshift-adp --from-file cloud=credentials-velero +---- + +. Reference the `Secret` in the `spec.backupLocations.velero.credential` block of the `DataProtectionApplication` CR when you install the Data Protection Application as shown in the following example: ++ +[source,yaml,subs="attributes+"] +---- +apiVersion: oadp.openshift.io/v1alpha1 +kind: DataProtectionApplication +metadata: + name: + namespace: openshift-adp +spec: +... + backupLocations: + - velero: + config: + resourceGroup: + storageAccount: + subscriptionId: + credential: + key: cloud + name: # <1> + provider: azure + default: true + objectStorage: + bucket: + prefix: + snapshotLocations: + - velero: + config: + resourceGroup: + subscriptionId: + incremental: "true" + provider: {provider} +---- +<1> Backup location `Secret` with custom name. \ No newline at end of file diff --git a/modules/oadp-creating-default-secret.adoc b/modules/oadp-creating-default-secret.adoc index 0cd78f9d18b4..83c70d65fba6 100644 --- a/modules/oadp-creating-default-secret.adoc +++ b/modules/oadp-creating-default-secret.adoc 
@@ -48,18 +48,29 @@ aws_secret_access_key= endif::[] ifdef::installing-oadp-azure[] + -See the following example: +You can use one of the following two methods to authenticate {oadp-short} with Azure. + +* Use the service principal with secret-based authentication. See the following example: + [source,terminal] ---- -AZURE_SUBSCRIPTION_ID= +AZURE_SUBSCRIPTION_ID= AZURE_TENANT_ID= AZURE_CLIENT_ID= AZURE_CLIENT_SECRET= -AZURE_STORAGE_ACCOUNT_ACCESS_KEY= AZURE_RESOURCE_GROUP= AZURE_CLOUD_NAME= ---- + +* Use a storage account access key. See the following example: ++ +[source,terminal] +---- +AZURE_STORAGE_ACCOUNT_ACCESS_KEY= +AZURE_SUBSCRIPTION_ID= +AZURE_RESOURCE_GROUP= +AZURE_CLOUD_NAME= +---- endif::[] . Create a `Secret` custom resource (CR) with the default name: diff --git a/modules/oadp-installing-dpa-1-3.adoc b/modules/oadp-installing-dpa-1-3.adoc index 9ea9850affd3..5653570297cf 100644 --- a/modules/oadp-installing-dpa-1-3.adoc +++ b/modules/oadp-installing-dpa-1-3.adoc @@ -174,8 +174,7 @@ spec: config: resourceGroup: # <8> storageAccount: # <9> - subscriptionId: # <10> - storageAccountKeyEnvVar: AZURE_STORAGE_ACCOUNT_ACCESS_KEY + subscriptionId: # <10> credential: key: cloud name: {credentials} # <11>
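Review bot: In the installing-oadp-azure.adoc hunk, removing the `[id="configuring-dpa-azure"] == Configuring the Data Protection Application` heading leaves the sentence "You can configure the Data Protection Application by setting Velero resource allocations or enabling self-signed CA certificates." dangling at the end of the preceding section, and the `leveloffset=+1` changes on the resource-limits and self-signed-certificate includes now make those modules siblings of the authentication modules rather than children of a configuration section. Either keep a heading (the `configuring-dpa-azure` anchor may also be referenced elsewhere) or move the sentence into the first of those modules. Separately, this hunk drops `include::modules/oadp-creating-default-secret.adoc` and `include::modules/oadp-secrets-for-different-credentials.adoc` from the Azure assembly, yet the same patch still edits the `ifdef::installing-oadp-azure[]` block in oadp-creating-default-secret.adoc; unless another assembly sets that attribute, that edited block becomes unreachable, so one of the two changes is redundant.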
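Review bot: The new oadp-auth-azure-methods.adoc concept module lists the two methods but gives the reader nothing to choose between them; a one-line trade-off would help, since a storage account access key is account-wide and cannot be scoped by role, whereas a service principal can be limited to the resource group and storage account the backups need. Stating that here (and pointing to the prerequisite "appropriate permissions" in the procedure module, which is vague as written) would let administrators pick the least-privilege option deliberately.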
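Review bot: In the new oadp-auth-azure-secret-based.adoc module the `DataProtectionApplication` example and its callout contradict the procedure: step 2 creates the `Secret` with the default name `{credentials}`, but the example leaves `name: # <1>` empty and callout `<1>` reads "Backup location `Secret` with custom name", while the NOTE above says the default name is used when none is specified. Either fill in `name: {credentials}` with a callout saying it is the default, or describe the custom-name case consistently. Two more points in the same example: `backupLocations` uses the literal `provider: azure` but `snapshotLocations` uses `provider: {provider}`, an attribute this module does not define, so the two should agree; and for the storage account access key method the `backupLocations.velero.config` block carries no `storageAccountKeyEnvVar` entry, so readers following that method have no indication of how Velero locates `AZURE_STORAGE_ACCOUNT_ACCESS_KEY` in the credentials file. Minor: the prerequisite "You have configured an object storage" should read "object storage" without the article, and the file lacks a trailing newline.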
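Review bot: In the oadp-creating-default-secret.adoc hunk the two new bullets are attached to their listing blocks differently: the second bullet, "Use a storage account access key.", is followed by an added `+` continuation line before `[source,terminal]`, while the first bullet, "Use the service principal with secret-based authentication.", appears to be followed by a blank line and then the existing `[source,terminal]` context line. Without the `+` continuation the first listing block is not part of that list item and the list ends early; add the `+` line before the first `[source,terminal]` so both bullets render the same way. Also note that `-AZURE_SUBSCRIPTION_ID=` / `+AZURE_SUBSCRIPTION_ID=` is a whitespace-only change that could be dropped to keep the hunk focused.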
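Review bot: In the oadp-installing-dpa-1-3.adoc hunk, removing `storageAccountKeyEnvVar: AZURE_STORAGE_ACCOUNT_ACCESS_KEY` from the Azure `backupLocations.velero.config` example works against the rest of this patch, which adds the storage account access key as a supported method: that key is how the Velero Azure plugin is told which environment variable in the credentials file holds the access key, so without it the access-key credentials file added in the other modules is not picked up. Suggest keeping the line with a callout stating that it is required only for the access key method and can be omitted when a service principal is used. The `-subscriptionId: # <10>` / `+subscriptionId: # <10>` pair is a whitespace-only change and can be dropped.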