mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
Merge pull request #105530 from openshift-cherrypick-robot/cherry-pick-104680-to-enterprise-4.21
[enterprise-4.21] callouts and dita fixes for Azure
@@ -10,7 +10,9 @@ include::_attributes/common-attributes.adoc[]
|
||||
toc::[]
|
||||
|
||||
[role="_abstract"]
|
||||
You install the OpenShift API for Data Protection (OADP) with Microsoft Azure by installing the OADP Operator. The Operator installs link:https://{velero-domain}/docs/v{velero-version}/[Velero {velero-version}].
|
||||
Configure the {oadp-first} with Microsoft Azure to back up and restore cluster resources by using Azure storage. This provides data protection capabilities for your {product-title} clusters.
|
||||
|
||||
The {oadp-short} Operator installs link:https://{velero-domain}/docs/v{velero-version}/[Velero {velero-version}].
|
||||
|
||||
include::snippets/oadp-mtc-operator.adoc[]
|
||||
|
||||
@@ -33,8 +35,6 @@ include::modules/oadp-setting-resource-limits-and-requests.adoc[leveloffset=+1]
|
||||
|
||||
include::snippets/oadp-nodeselector-snippet.adoc[]
|
||||
|
||||
For more details, see xref:../../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc#oadp-configuring-node-agents_installing-oadp-azure[Configuring node agents and node labels].
|
||||
|
||||
include::modules/oadp-self-signed-certificate.adoc[leveloffset=+1]
|
||||
|
||||
include::modules/oadp-using-ca-certificates-with-velero-command.adoc[leveloffset=+1]
|
||||
@@ -67,7 +67,8 @@ include::modules/oadp-about-disable-node-agent-dpa.adoc[leveloffset=+2]
|
||||
.Additional resources
|
||||
|
||||
* xref:../../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc#oadp-installing-dpa_installing-oadp-kubevirt[Installing the Data Protection Application with the `kubevirt` and `openshift` plugins]
|
||||
* xref:../../../nodes/jobs/nodes-nodes-jobs.adoc#nodes-nodes-jobs[Running tasks in pods using jobs].
|
||||
|
||||
* xref:../../../nodes/jobs/nodes-nodes-jobs.adoc#nodes-nodes-jobs[Running tasks in pods using jobs]
|
||||
|
||||
* xref:../../../backup_and_restore/application_backup_and_restore/installing/configuring-oadp-multiple-bsl.adoc#configuring-oadp-multiple-bsl[Configuring the {oadp-first} with multiple backup storage locations]
|
||||
|
||||
|
||||
@@ -8,16 +8,18 @@
|
||||
[id="migration-configuring-azure_{context}"]
|
||||
= Configuring {azure-full}
|
||||
|
||||
[role="_abstract"]
|
||||
ifdef::installing-3-4,installing-mtc[]
|
||||
You configure a {azure-full} Blob storage container as a replication repository for the {mtc-first}.
|
||||
Configure Microsoft Azure storage and service principal credentials for backup storage with {mtc-first}. This provides the necessary authentication and storage infrastructure for data protection operations.
|
||||
endif::[]
|
||||
ifdef::installing-oadp-azure[]
|
||||
You configure {azure-full} for {oadp-first}.
|
||||
Configure Microsoft Azure storage and service principal credentials for backup storage with {oadp-short}. This provides the necessary authentication and storage infrastructure for data protection operations.
|
||||
endif::[]
|
||||
|
||||
.Prerequisites
|
||||
|
||||
* You must have the link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli[{azure-short} CLI] installed.
|
||||
|
||||
ifdef::installing-3-4,installing-mtc[]
|
||||
* The Azure Blob storage container must be accessible to the source and target clusters.
|
||||
* If you are using the snapshot copy method:
|
||||
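Review bot: The new abstract inside `ifdef::installing-3-4,installing-mtc[]` describes Azure as "backup storage" for "data protection operations", but the line it replaces called the Blob storage container a replication repository for {mtc-first}, and the MTC prerequisites right below still talk about source and target clusters. Keep the replication-repository wording in the MTC branch and reserve the backup wording for the `installing-oadp-azure` branch. Both new abstracts also spell out "Microsoft Azure" where the replaced lines used `{azure-full}`; keep the attribute so the product name stays consistent across the module.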
@@ -25,6 +27,7 @@ ifdef::installing-3-4,installing-mtc[]
|
||||
** The source and target clusters must have the same storage class.
|
||||
** The storage class must be compatible with snapshots.
|
||||
endif::[]
|
||||
|
||||
ifdef::installing-oadp-azure[]
|
||||
|
||||
Tools that use {azure-short} services should always have restricted permissions to make sure that {azure-short} resources are safe. Therefore, instead of having applications sign in as a fully privileged user, {azure-short} offers service principals. An {azure-short} service principal is a name that can be used with applications, hosted services, or automated tools.
|
||||
@@ -39,8 +42,11 @@ This identity is used for access to resources.
|
||||
* Reset service principal credentials
|
||||
|
||||
For more details, see link:https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-1?tabs=bash[Create an {azure-short} service principal with Azure CLI].
|
||||
|
||||
endif::[]
|
||||
ifndef::installing-oadp-azure[]
|
||||
|
||||
ifdef::installing-oadp-azure[]
|
||||
|
||||
.Procedure
|
||||
|
||||
. Log in to {azure-short}:
|
||||
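Review bot: Swapping `ifndef::installing-oadp-azure[]` for `ifdef::installing-oadp-azure[]` directly above `.Procedure` inverts which builds receive the procedure: it now renders only in the OADP assembly, while this module still carries an `ifdef::installing-3-4,installing-mtc[]` abstract and prerequisites. If the MTC assemblies still include this module, they would get prerequisites with no steps; either add the MTC contexts to the condition or confirm that those assemblies no longer include it. The new `ifdef` also opens right after the `endif::[]` that closes the same condition, so the two conditional blocks can be merged into one.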
@@ -61,9 +67,12 @@ $ AZURE_RESOURCE_GROUP=Velero_Backups
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ az group create -n $AZURE_RESOURCE_GROUP --location CentralUS <1>
|
||||
$ az group create -n $AZURE_RESOURCE_GROUP --location CentralUS
|
||||
----
|
||||
<1> Specify your location.
|
||||
+
|
||||
where:
|
||||
+
|
||||
`CentralUS`:: Specifies your location.
|
||||
|
||||
. Set the `AZURE_STORAGE_ACCOUNT_ID` variable:
|
||||
+
|
||||
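Review bot: The new `where:` entry documents `CentralUS` as if it were a parameter, but in the `az group create` line it is a literal value that readers will copy unchanged. Use a placeholder such as `<azure_region>` in the command and define that term instead, so the region that ends up holding the backup data is a deliberate choice. The old callout had the same weakness, but the definition-list form makes the literal read like a keyword.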
@@ -135,7 +144,9 @@ $ AZURE_CLIENT_ID=`az ad app credential list --id <your_app_id>`
|
||||
For this to be successful, you must know your {azure-short} application ID.
|
||||
====
|
||||
endif::[]
|
||||
ifndef::installing-oadp-azure[]
|
||||
|
||||
ifdef::installing-oadp-azure[]
|
||||
|
||||
. Save the service principal credentials in the `credentials-velero` file:
|
||||
+
|
||||
[source,terminal]
|
||||
@@ -151,57 +162,6 @@ EOF
|
||||
----
|
||||
+
|
||||
You use the `credentials-velero` file to add {azure-short} as a replication repository.
|
||||
endif::[]
|
||||
////
|
||||
ifdef::installing-oadp-azure[]
|
||||
. Obtain the storage account access key:
|
||||
+
|
||||
[source,terminal]
|
||||
----
|
||||
$ AZURE_STORAGE_ACCOUNT_ACCESS_KEY=`az storage account keys list \
|
||||
--account-name $AZURE_STORAGE_ACCOUNT_ID \
|
||||
--query "[?keyName == 'key1'].value" -o tsv`
|
||||
----
|
||||
|
||||
. Create a custom role that has the minimum required permissions:
|
||||
+
|
||||
[source,terminal,subs="attributes+"]
|
||||
----
|
||||
AZURE_ROLE=Velero
|
||||
az role definition create --role-definition '{
|
||||
"Name": "'$AZURE_ROLE'",
|
||||
"Description": "Velero related permissions to perform backups, restores and deletions",
|
||||
"Actions": [
|
||||
"Microsoft.Compute/disks/read",
|
||||
"Microsoft.Compute/disks/write",
|
||||
"Microsoft.Compute/disks/endGetAccess/action",
|
||||
"Microsoft.Compute/disks/beginGetAccess/action",
|
||||
"Microsoft.Compute/snapshots/read",
|
||||
"Microsoft.Compute/snapshots/write",
|
||||
"Microsoft.Compute/snapshots/delete",
|
||||
"Microsoft.Storage/storageAccounts/listkeys/action",
|
||||
"Microsoft.Storage/storageAccounts/regeneratekey/action"
|
||||
],
|
||||
"AssignableScopes": ["/subscriptions/'$AZURE_SUBSCRIPTION_ID'"]
|
||||
}'
|
||||
----
|
||||
|
||||
. Create a `credentials-velero` file:
|
||||
+
|
||||
[source,terminal,subs="attributes+"]
|
||||
----
|
||||
$ cat << EOF > ./credentials-velero
|
||||
AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}
|
||||
AZURE_TENANT_ID=${AZURE_TENANT_ID}
|
||||
AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
|
||||
AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
|
||||
AZURE_RESOURCE_GROUP=${AZURE_RESOURCE_GROUP}
|
||||
AZURE_STORAGE_ACCOUNT_ACCESS_KEY=${AZURE_STORAGE_ACCOUNT_ACCESS_KEY} <1>
|
||||
AZURE_CLOUD_NAME=AzurePublicCloud
|
||||
EOF
|
||||
----
|
||||
<1> Mandatory. You cannot back up internal images if the `credentials-velero` file contains only the service principal credentials.
|
||||
+
|
||||
You use the `credentials-velero` file to create a `Secret` object for {azure-short} before you install the Data Protection Application.
|
||||
endif::[]
|
||||
////
|
||||
|
||||
|
||||
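Review bot: With the commented-out OADP block deleted, the only closing sentence left for the `credentials-velero` step is "You use the `credentials-velero` file to add {azure-short} as a replication repository", which is MTC wording; the deleted block had the OADP form (create a `Secret` object for {azure-short} before you install the Data Protection Application). Since the steps around it are now gated on `installing-oadp-azure`, carry the OADP sentence over into the live text. The deleted block also held the custom role limited to disk, snapshot and storage-key actions, and the note that `AZURE_STORAGE_ACCOUNT_ACCESS_KEY` is mandatory for backing up internal images; confirm that the remaining steps still cover role scoping and that requirement, given the module's own statement that tools should have restricted permissions.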
@@ -6,6 +6,9 @@
|
||||
[id="oadp-auth-azure-methods_{context}"]
|
||||
= About authenticating OADP with Azure
|
||||
|
||||
[role="_abstract"]
|
||||
Review authentication methods for {oadp-short} with Azure to select the appropriate authentication approach for your security requirements.
|
||||
|
||||
You can authenticate {oadp-short} with Azure by using the following methods:
|
||||
|
||||
* A Velero-specific service principal with secret-based authentication.
|
||||
|
||||
@@ -77,10 +77,10 @@ spec:
|
||||
config:
|
||||
resourceGroup: <azure_resource_group>
|
||||
storageAccount: <azure_storage_account_id>
|
||||
subscriptionId: <azure_subscription_id>
|
||||
subscriptionId: <azure_subscription_id>
|
||||
credential:
|
||||
key: cloud
|
||||
name: <custom_secret> # <1>
|
||||
name: <custom_secret>
|
||||
provider: azure
|
||||
default: true
|
||||
objectStorage:
|
||||
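Review bot: The `subscriptionId: <azure_subscription_id>` line is removed and re-added with no visible difference, so this is a whitespace-only change. Indentation is significant in this YAML: check that the new line sits at the same level as `resourceGroup` and `storageAccount` under `config`, and that removing `# <1>` from `name: <custom_secret>` left no trailing spaces.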
@@ -94,4 +94,7 @@ spec:
|
||||
incremental: "true"
|
||||
provider: {provider}
|
||||
----
|
||||
<1> Backup location `Secret` with custom name.
|
||||
+
|
||||
where:
|
||||
+
|
||||
`<custom_secret>`:: Specifies the backup location `Secret` with custom name.
|
||||
@@ -210,10 +210,10 @@ EOF
|
||||
+
|
||||
where:
|
||||
|
||||
<cloud_storage_cr>:: Specify the `CloudStorage` CR name.
|
||||
<storage_account_name>:: Specify the Azure storage account name.
|
||||
<resource_group>:: Specify the resource group.
|
||||
<subscription_ID>:: Specify the subscription ID.
|
||||
`<cloud_storage_cr>`:: Specifies the `CloudStorage` CR name.
|
||||
`<storage_account_name>`:: Specifies the Azure storage account name.
|
||||
`<resource_group>`:: Specifies the resource group.
|
||||
`<subscription_ID>`:: Specifies the subscription ID.
|
||||
|
||||
.Verification
|
||||
|
||||
|
||||
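Review bot: This `where:` block keeps a blank line between `where:` and the first term, while the other two `where:` blocks in this patch join them with a `+` continuation. Pick one form so the definition lists attach to their steps the same way everywhere. The change from "Specify" to "Specifies" and the backticks added around the placeholders are consistent with the other converted callouts.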