From d0f2cfc2f2b9b45680fb8f933a40cdb685c12ebc Mon Sep 17 00:00:00 2001 From: Shruti Deshpande Date: Tue, 13 Jan 2026 10:39:30 +0530 Subject: [PATCH] callouts and dita fixes for Azure Signed-off-by: Shruti Deshpande --- .../installing/installing-oadp-azure.adoc | 9 ++- modules/migration-configuring-azure.adoc | 76 +++++-------------- modules/oadp-auth-azure-methods.adoc | 3 + modules/oadp-auth-azure-secret-based.adoc | 9 ++- modules/oadp-auth-azure-sts.adoc | 8 +- 5 files changed, 36 insertions(+), 69 deletions(-) diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc index 58582e2cb2..ecca44d2fe 100644 --- a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc +++ b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc @@ -10,7 +10,9 @@ include::_attributes/common-attributes.adoc[] toc::[] [role="_abstract"] -You install the OpenShift API for Data Protection (OADP) with Microsoft Azure by installing the OADP Operator. The Operator installs link:https://{velero-domain}/docs/v{velero-version}/[Velero {velero-version}]. +Configure the {oadp-first} with Microsoft Azure to back up and restore cluster resources by using Azure storage. This provides data protection capabilities for your {product-title} clusters. + +The {oadp-short} Operator installs link:https://{velero-domain}/docs/v{velero-version}/[Velero {velero-version}]. include::snippets/oadp-mtc-operator.adoc[] 
@@ -33,8 +35,6 @@ include::modules/oadp-setting-resource-limits-and-requests.adoc[leveloffset=+1] include::snippets/oadp-nodeselector-snippet.adoc[] -For more details, see xref:../../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc#oadp-configuring-node-agents_installing-oadp-azure[Configuring node agents and node labels]. - include::modules/oadp-self-signed-certificate.adoc[leveloffset=+1] include::modules/oadp-using-ca-certificates-with-velero-command.adoc[leveloffset=+1] @@ -67,7 +67,8 @@ include::modules/oadp-about-disable-node-agent-dpa.adoc[leveloffset=+2] .Additional resources * xref:../../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc#oadp-installing-dpa_installing-oadp-kubevirt[Installing the Data Protection Application with the `kubevirt` and `openshift` plugins] -* xref:../../../nodes/jobs/nodes-nodes-jobs.adoc#nodes-nodes-jobs[Running tasks in pods using jobs]. + +* xref:../../../nodes/jobs/nodes-nodes-jobs.adoc#nodes-nodes-jobs[Running tasks in pods using jobs] * xref:../../../backup_and_restore/application_backup_and_restore/installing/configuring-oadp-multiple-bsl.adoc#configuring-oadp-multiple-bsl[Configuring the {oadp-first} with multiple backup storage locations] diff --git a/modules/migration-configuring-azure.adoc b/modules/migration-configuring-azure.adoc index 5ed3c754d7..d5e9d2564b 100644 --- a/modules/migration-configuring-azure.adoc +++ b/modules/migration-configuring-azure.adoc 
@@ -8,16 +8,18 @@ [id="migration-configuring-azure_{context}"] = Configuring {azure-full} +[role="_abstract"] ifdef::installing-3-4,installing-mtc[] -You configure a {azure-full} Blob storage container as a replication repository for the {mtc-first}. +Configure Microsoft Azure storage and service principal credentials for backup storage with {mtc-first}. This provides the necessary authentication and storage infrastructure for data protection operations. endif::[] ifdef::installing-oadp-azure[] -You configure {azure-full} for {oadp-first}. +Configure Microsoft Azure storage and service principal credentials for backup storage with {oadp-short}. This provides the necessary authentication and storage infrastructure for data protection operations. endif::[] .Prerequisites * You must have the link:https://docs.microsoft.com/en-us/cli/azure/install-azure-cli[{azure-short} CLI] installed. + ifdef::installing-3-4,installing-mtc[] * The Azure Blob storage container must be accessible to the source and target clusters. * If you are using the snapshot copy method: @@ -25,6 +27,7 @@ ifdef::installing-3-4,installing-mtc[] ** The source and target clusters must have the same storage class. ** The storage class must be compatible with snapshots. endif::[] + ifdef::installing-oadp-azure[] Tools that use {azure-short} services should always have restricted permissions to make sure that {azure-short} resources are safe. Therefore, instead of having applications sign in as a fully privileged user, {azure-short} offers service principals. An {azure-short} service principal is a name that can be used with applications, hosted services, or automated tools. 
@@ -39,8 +42,11 @@ This identity is used for access to resources. * Reset service principal credentials For more details, see link:https://learn.microsoft.com/en-us/cli/azure/azure-cli-sp-tutorial-1?tabs=bash[Create an {azure-short} service principal with Azure CLI]. + endif::[] -ifndef::installing-oadp-azure[] + +ifdef::installing-oadp-azure[] + .Procedure . Log in to {azure-short}: @@ -61,9 +67,12 @@ $ AZURE_RESOURCE_GROUP=Velero_Backups + [source,terminal] ---- -$ az group create -n $AZURE_RESOURCE_GROUP --location CentralUS <1> +$ az group create -n $AZURE_RESOURCE_GROUP --location CentralUS ---- -<1> Specify your location. ++ +where: ++ +`CentralUS`:: Specifies your location. . Set the `AZURE_STORAGE_ACCOUNT_ID` variable: + @@ -135,7 +144,9 @@ $ AZURE_CLIENT_ID=`az ad app credential list --id ` For this to be successful, you must know your {azure-short} application ID. ==== endif::[] -ifndef::installing-oadp-azure[] + +ifdef::installing-oadp-azure[] + . Save the service principal credentials in the `credentials-velero` file: + [source,terminal] 
@@ -151,57 +162,6 @@ EOF ---- + You use the `credentials-velero` file to add {azure-short} as a replication repository. -endif::[] -//// -ifdef::installing-oadp-azure[] -. Obtain the storage account access key: -+ -[source,terminal] ----- -$ AZURE_STORAGE_ACCOUNT_ACCESS_KEY=`az storage account keys list \ - --account-name $AZURE_STORAGE_ACCOUNT_ID \ - --query "[?keyName == 'key1'].value" -o tsv` ----- -. Create a custom role that has the minimum required permissions: -+ -[source,terminal,subs="attributes+"] ----- -AZURE_ROLE=Velero -az role definition create --role-definition '{ - "Name": "'$AZURE_ROLE'", - "Description": "Velero related permissions to perform backups, restores and deletions", - "Actions": [ - "Microsoft.Compute/disks/read", - "Microsoft.Compute/disks/write", - "Microsoft.Compute/disks/endGetAccess/action", - "Microsoft.Compute/disks/beginGetAccess/action", - "Microsoft.Compute/snapshots/read", - "Microsoft.Compute/snapshots/write", - "Microsoft.Compute/snapshots/delete", - "Microsoft.Storage/storageAccounts/listkeys/action", - "Microsoft.Storage/storageAccounts/regeneratekey/action" - ], - "AssignableScopes": ["/subscriptions/'$AZURE_SUBSCRIPTION_ID'"] - }' ----- - -. Create a `credentials-velero` file: -+ -[source,terminal,subs="attributes+"] ----- -$ cat << EOF > ./credentials-velero -AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID} -AZURE_TENANT_ID=${AZURE_TENANT_ID} -AZURE_CLIENT_ID=${AZURE_CLIENT_ID} -AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} -AZURE_RESOURCE_GROUP=${AZURE_RESOURCE_GROUP} -AZURE_STORAGE_ACCOUNT_ACCESS_KEY=${AZURE_STORAGE_ACCOUNT_ACCESS_KEY} <1> -AZURE_CLOUD_NAME=AzurePublicCloud -EOF ----- -<1> Mandatory. You cannot back up internal images if the `credentials-velero` file contains only the service principal credentials. -+ -You use the `credentials-velero` file to create a `Secret` object for {azure-short} before you install the Data Protection Application. endif::[] -//// + 
diff --git a/modules/oadp-auth-azure-methods.adoc b/modules/oadp-auth-azure-methods.adoc index e3157c1869..a5862ef29c 100644 --- a/modules/oadp-auth-azure-methods.adoc +++ b/modules/oadp-auth-azure-methods.adoc @@ -6,6 +6,9 @@ [id="oadp-auth-azure-methods_{context}"] = About authenticating OADP with Azure +[role="_abstract"] +Review authentication methods for {oadp-short} with Azure to select the appropriate authentication approach for your security requirements. + You can authenticate {oadp-short} with Azure by using the following methods: * A Velero-specific service principal with secret-based authentication. diff --git a/modules/oadp-auth-azure-secret-based.adoc b/modules/oadp-auth-azure-secret-based.adoc index 954010777b..f2b326a292 100644 --- a/modules/oadp-auth-azure-secret-based.adoc +++ b/modules/oadp-auth-azure-secret-based.adoc @@ -77,10 +77,10 @@ spec: config: resourceGroup: storageAccount: - subscriptionId: + subscriptionId: credential: key: cloud - name: # <1> + name: provider: azure default: true objectStorage: @@ -94,4 +94,7 @@ spec: incremental: "true" provider: {provider} ---- -<1> Backup location `Secret` with custom name. \ No newline at end of file ++ +where: ++ +``:: Specifies the backup location `Secret` with custom name. \ No newline at end of file diff --git a/modules/oadp-auth-azure-sts.adoc b/modules/oadp-auth-azure-sts.adoc index 30cbc98479..7bcd58675a 100644 --- a/modules/oadp-auth-azure-sts.adoc +++ b/modules/oadp-auth-azure-sts.adoc @@ -210,10 +210,10 @@ EOF + where: -:: Specify the `CloudStorage` CR name. -:: Specify the Azure storage account name. -:: Specify the resource group. -:: Specify the subscription ID. +``:: Specifies the `CloudStorage` CR name. +``:: Specifies the Azure storage account name. +``:: Specifies the resource group. +``:: Specifies the subscription ID. .Verification
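Review bot: In installing-oadp-azure.adoc, hunk @@ -10,7 +10,9 @@, the new abstract opens with "Configure the {oadp-first} with Microsoft Azure" and drops the statement that you install OADP by installing the OADP Operator, although this is the installing assembly. Keep the install action in the abstract, for example by leading with installing the Operator and then stating the backup and restore purpose. "This provides data protection capabilities" has no clear antecedent and can be folded into the first sentence. The Velero sentence now sits in a second paragraph, so it is no longer covered by `[role="_abstract"]`; confirm that is intended.
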
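Review bot: In modules/migration-configuring-azure.adoc, hunk @@ -8,16 +8,18 @@, the abstract added under `ifdef::installing-3-4,installing-mtc[]` talks about "backup storage" and "data protection operations", but the line it replaces described a Blob storage container used as a replication repository for {mtc-first}, and the last step of the procedure still says "replication repository". Keep the migration wording in the MTC branch and reserve the backup wording for the `installing-oadp-azure` branch. Both new abstracts also hardcode "Microsoft Azure" where the title and the removed lines use `{azure-full}`. Because `[role="_abstract"]` is placed above the `ifdef`, it attaches to `.Prerequisites` when neither condition is set; moving it inside each conditional branch avoids that.
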
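Review bot: In modules/migration-configuring-azure.adoc, hunk @@ -39,8 +42,11 @@, the guard in front of `.Procedure` changes from `ifndef::installing-oadp-azure[]` to `ifdef::installing-oadp-azure[]`, which inverts who sees the procedure: it was rendered in every context except OADP and is now rendered only in OADP. The module still has `ifdef::installing-3-4,installing-mtc[]` branches for the abstract and the prerequisites, so the MTC assemblies would keep the prerequisites and lose the steps. The same flip is repeated in hunk @@ -135,7 +144,9 @@. The subject line mentions only callouts and DITA fixes, so if the change is intentional it should be stated in the commit message; otherwise keep the original guard or list all contexts that need the procedure.
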
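Review bot: In modules/migration-configuring-azure.adoc, hunk @@ -61,9 +67,12 @@, the new definition list keys on the literal value `CentralUS` and describes it only as "Specifies your location", which reads as if `CentralUS` were a parameter name. Say that it is the Azure region passed to `--location` for the resource group, and consider a replaceable placeholder in the command so the term in the `where:` list names something the reader is expected to substitute.
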
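Review bot: In modules/migration-configuring-azure.adoc, hunk @@ -151,57 +162,6 @@, the deleted commented-out OADP variant carried the caveat "Mandatory. You cannot back up internal images if the `credentials-velero` file contains only the service principal credentials", while the step that survives saves only the service principal credentials and is now the one rendered for `installing-oadp-azure`. Confirm that the caveat no longer applies to OADP, or carry it into the retained step. The deleted block was also the only place in this module that defined a custom role with minimum permissions, which the OADP prerequisite text about restricted permissions points toward. The retained closing sentence still says the file is used "to add {azure-short} as a replication repository", which is MTC wording under an OADP-only guard.
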
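Review bot: In modules/oadp-auth-azure-secret-based.adoc, hunk @@ -94,4 +94,7 @@, the term of the new definition-list entry appears here as empty backticks, and the matching `name:` line in hunk @@ -77,10 +77,10 @@ has no value after the callout was removed, so nothing ties the description "Specifies the backup location `Secret` with custom name" to a field in the YAML. Make sure the term repeats the exact placeholder used as the value of `credential.name`. The added last line is still followed by "\ No newline at end of file"; end the file with a newline while touching it.
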
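Review bot: In modules/oadp-auth-azure-sts.adoc, hunk @@ -210,10 +210,10 @@, all four definition-list terms appear as identical empty backticks, so as shown the entries for the `CloudStorage` CR name, storage account name, resource group and subscription ID cannot be told apart. Each term should repeat, character for character, the placeholder used in the CR above the `where:` line. The switch from "Specify" to "Specifies" is consistent with the other modules in this patch.
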