Skip to content

OADP-6675: Update Azure registry configuration for workload identity support #350

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Draft
kaovilai wants to merge 1 commit into
base: oadp-dev
Choose a base branch
from
Draft

OADP-6675: Update Azure registry configuration for workload identity support #350

kaovilai wants to merge 1 commit into from
+174 −42

Conversation

@kaovilai
Copy link
Member

@kaovilai kaovilai commented Sep 9, 2025
edited
Loading

Why the changes were made

This PR updates the Azure registry configuration to support workload identity authentication. These changes are required to work with the updated OADP operator that now supports Azure workload identity for the image registry component.

Without these changes, the openshift-velero-plugin cannot consume the new secret format created by the OADP operator when using Azure workload identity.

How to test the changes made

Prerequisites

  • OADP operator with Azure workload identity support (PR #1952)
  • OpenShift cluster with Azure workload identity configured
  • Test instructions follow those in the OADP operator PR

Testing Steps

  1. Deploy OADP operator with Azure workload identity support from PR #1952

  2. Build and deploy this version of openshift-velero-plugin:

# Build the plugin
make build

# Update the velero deployment to use the new plugin version
oc set image deployment/velero -n openshift-adp \
  velero=<your-registry>/openshift-velero-plugin:latest
  1. Verify secret consumption:
# Check that the registry secret is created with new format
oc get secret -n openshift-adp oadp-<bsl-name>-azure-registry-secret -o yaml

# Verify the secret contains the new credential keys:
# - credentials_type (should be "default_credentials" for workload identity)
# - client_id_key  
# - client_secret_key (empty for workload identity)
# - tenant_id_key

# Verify Velero has Azure workload identity env vars
oc exec -n openshift-adp deployment/velero -- env | grep AZURE
# Should show: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE
  1. Test image backup/restore following the test plan in OADP operator PR #1952

Verification Points

  • Plugin correctly reads Azure credentials from new secret format
  • Environment variables are properly mapped (CREDENTIALS_* instead of SPN_*)
  • Registry authentication succeeds with workload identity
  • Image backup and restore operations complete successfully
  • No errors related to missing SPN environment variables

Technical Details

Azure Workload Identity Environment Setup

The OADP operator injects Azure workload identity environment variables into the Velero container through a secret (azure-workload-identity-env). This secret contains:

  • AZURE_CLIENT_ID: The managed identity client ID
  • AZURE_TENANT_ID: The Azure tenant ID
  • AZURE_FEDERATED_TOKEN_FILE: Path to the federated token (/var/run/secrets/openshift/serviceaccount/token)

These environment variables are injected into the Velero deployment using envFrom (see oadp-operator internal/controller/velero.go:642-655), ensuring they're available to both Velero and its plugins.

Registry Authentication with Workload Identity

The registry component (docker-distribution) supports Azure AD authentication through the default_credentials type. When this type is set in the registry secret, the Azure storage driver:

  1. Uses the Azure SDK's DefaultAzureCredential
  2. Automatically detects the workload identity environment variables (inherited from Velero container)
  3. Reads the federated token from the mounted service account token path
  4. Exchanges it for Azure AD tokens
  5. Authenticates to Azure Blob Storage

The plugin doesn't need to explicitly handle AZURE_FEDERATED_TOKEN_FILE because:

  • It's already set in the Velero container environment
  • The registry process inherits the environment from its parent container
  • The Azure SDK automatically uses these variables for authentication

Changes Summary

  • Replaced deprecated SPN_* environment variable constants with CREDENTIALS_* format
  • Updated getAzureRegistryEnvVars() to reference new secret keys matching OADP operator
  • Added support for credentials_type field from secret
  • Fixed BSL spec references (using ObjectStorage instead of StorageType.ObjectStorage)

Dependencies

This PR depends on: openshift/oadp-operator#1952

Both PRs must be merged together for Azure workload identity support to function properly. The OADP operator PR handles creating and injecting the workload identity environment variables, while this PR ensures the plugin correctly consumes the new secret format.

🤖 Generated with Claude Code

@kaovilai @claude
feat: Update Azure registry configuration for workload identity support
095cbdb 
- Replace deprecated SPN_* environment variables with CREDENTIALS_* format
- Add support for Azure credentials type from secret
- Update secret key references to match OADP operator changes

This change is required to work with the updated OADP operator that now
supports Azure workload identity authentication for the image registry.

Depends on: OADP operator changes for Azure workload identity support

🤖 Generated with [Claude Code](https://claude.ai/code)

Co-Authored-By: Claude <[email protected]>
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Sep 9, 2025
@openshift-ci
Copy link

openshift-ci bot commented Sep 9, 2025

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci
Copy link

openshift-ci bot commented Sep 9, 2025

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Sep 9, 2025
@kaovilai kaovilai mentioned this pull request Sep 9, 2025
Draft
9 tasks
@kaovilai kaovilai changed the title OADP-XXXX: Update Azure registry configuration for workload identity support OADP-6675: Update Azure registry configuration for workload identity support Sep 10, 2025
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Sep 10, 2025
@openshift-ci-robot
Copy link

openshift-ci-robot commented Sep 10, 2025
edited by openshift-ci bot
Loading

@kaovilai: This pull request references OADP-6675 which is a valid jira issue.

In response to this:

Why the changes were made

This PR updates the Azure registry configuration to support workload identity authentication. These changes are required to work with the updated OADP operator that now supports Azure workload identity for the image registry component.

Without these changes, the openshift-velero-plugin cannot consume the new secret format created by the OADP operator when using Azure workload identity.

How to test the changes made

Prerequisites

  • OADP operator with Azure workload identity support (PR #1952)
  • OpenShift cluster with Azure workload identity configured
  • Test instructions follow those in the OADP operator PR

Testing Steps

  1. Deploy OADP operator with Azure workload identity support from PR #1952

  2. Build and deploy this version of openshift-velero-plugin:

# Build the plugin
make build

# Update the velero deployment to use the new plugin version
oc set image deployment/velero -n openshift-adp \
 velero=<your-registry>/openshift-velero-plugin:latest
  1. Verify secret consumption:
# Check that the registry secret is created with new format
oc get secret -n openshift-adp oadp-<bsl-name>-azure-registry-secret -o yaml

# Verify the secret contains the new credential keys:
# - credentials_type (should be "default_credentials" for workload identity)
# - client_id_key  
# - client_secret_key (empty for workload identity)
# - tenant_id_key

# Verify Velero has Azure workload identity env vars
oc exec -n openshift-adp deployment/velero -- env | grep AZURE
# Should show: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE
  1. Test image backup/restore following the test plan in OADP operator PR #1952

Verification Points

  • Plugin correctly reads Azure credentials from new secret format
  • Environment variables are properly mapped (CREDENTIALS_* instead of SPN_*)
  • Registry authentication succeeds with workload identity
  • Image backup and restore operations complete successfully
  • No errors related to missing SPN environment variables

Technical Details

Azure Workload Identity Environment Setup

The OADP operator injects Azure workload identity environment variables into the Velero container through a secret (azure-workload-identity-env). This secret contains:

  • AZURE_CLIENT_ID: The managed identity client ID
  • AZURE_TENANT_ID: The Azure tenant ID
  • AZURE_FEDERATED_TOKEN_FILE: Path to the federated token (/var/run/secrets/openshift/serviceaccount/token)

These environment variables are injected into the Velero deployment using envFrom (see oadp-operator internal/controller/velero.go:642-655), ensuring they're available to both Velero and its plugins.

Registry Authentication with Workload Identity

The registry component (docker-distribution) supports Azure AD authentication through the default_credentials type. When this type is set in the registry secret, the Azure storage driver:

  1. Uses the Azure SDK's DefaultAzureCredential
  2. Automatically detects the workload identity environment variables (inherited from Velero container)
  3. Reads the federated token from the mounted service account token path
  4. Exchanges it for Azure AD tokens
  5. Authenticates to Azure Blob Storage

The plugin doesn't need to explicitly handle AZURE_FEDERATED_TOKEN_FILE because:

  • It's already set in the Velero container environment
  • The registry process inherits the environment from its parent container
  • The Azure SDK automatically uses these variables for authentication

Changes Summary

  • Replaced deprecated SPN_* environment variable constants with CREDENTIALS_* format
  • Updated getAzureRegistryEnvVars() to reference new secret keys matching OADP operator
  • Added support for credentials_type field from secret
  • Fixed BSL spec references (using ObjectStorage instead of StorageType.ObjectStorage)

Dependencies

This PR depends on: openshift/oadp-operator#1952

Both PRs must be merged together for Azure workload identity support to function properly. The OADP operator PR handles creating and injecting the workload identity environment variables, while this PR ensures the plugin correctly consumes the new secret format.

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@openshift-bot
Copy link

openshift-bot commented Dec 10, 2025

Issues go stale after 90d of inactivity.

Mark the issue as fresh by commenting /remove-lifecycle stale.
Stale issues rot after an additional 30d of inactivity and eventually close.
Exclude this issue from closing by commenting /lifecycle frozen.

If this issue is safe to close now please do so with /close.

/lifecycle stale

@openshift-ci openshift-ci bot added the lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale. label Dec 10, 2025
@coderabbitai
Copy link

coderabbitai bot commented Dec 10, 2025

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Review skipped — only excluded labels are configured. (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.

You can disable this status message by setting the reviews.review_status to false in the CodeRabbit configuration file.

✨ Finishing touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests
  • Post copyable unit tests in a comment

Comment @coderabbitai help to get the list of available commands and usage tips.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Awaiting requested review from Copilot Copilot will automatically review once the pull request is marked ready for review

At least 2 approving reviews are required to merge this pull request.

Assignees

No one assigned

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. lifecycle/stale Denotes an issue or PR has remained open with no activity and has become stale.

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@kaovilai @openshift-ci-robot @openshift-bot