Skip to content

Commit

Permalink
Merge pull request #235 from ywk253100/240318_cert
Browse files Browse the repository at this point in the history
Add instructions to enable the certificate-based authentication
  • Loading branch information
ywk253100 authored Apr 10, 2024
2 parents e093db3 + dff21ae commit 728a043
Show file tree
Hide file tree
Showing 3 changed files with 146 additions and 79 deletions.
67 changes: 61 additions & 6 deletions README.md
Original file line number Diff line number Diff line change
Expand Up @@ -150,14 +150,14 @@ of your cluster's resources before continuing._
## Set permissions for Velero
There are several ways Velero can authenticate to Azure: (1) by using a Velero-specific [service principal][20]; (2) by using [Azure AD Workload Identity][23]; or (3) by using a storage account access key.
There are several ways Velero can authenticate to Azure: (1) by using a Velero-specific [service principal][20] with secret-based authentication; (2) by using a Velero-specific [service principal][20] with certificate-based authentication; (3) by using [Azure AD Workload Identity][23]; or (4) by using a storage account access key.
If you plan to use Velero to take Azure snapshots of your persistent volume managed disks, you **must** use the service principal or Azure AD Workload Identity method.
If you don't plan to take Azure disk snapshots, any method is valid.

### Specify Role
_**Note**: This is only required for (1) by using a Velero-specific service principal and (2) by using Azure AD Workload Identity._
_**Note**: This is only required for (1) by using a Velero-specific service principal with secret-based authentication, (2) by using a Velero-specific service principal with certificate-based authentication and (3) by using Azure AD Workload Identity._

1. Obtain your Azure Account Subscription ID:
```
Expand Down Expand Up @@ -241,15 +241,15 @@ There are two ways to specify the role: use the built-in role or create a custom
_(Optional) If you are using a different Subscription for backups and cluster resources, make sure to specify both subscriptions
inside `AssignableScopes`._

### Option 1: Create service principal
### Option 1: Create service principal with secret-based authentication

1. Obtain your Azure Account Tenant ID:

```bash
AZURE_TENANT_ID=`az account list --query '[?isDefault].tenantId' -o tsv`
```

2. Create a service principal.
2. Create a service principal with secet-based authentication.

If you'll be using Velero to backup multiple clusters with multiple blob containers, it may be desirable to create a unique username per cluster rather than the default `velero`.
Expand Down Expand Up @@ -296,7 +296,62 @@ There are two ways to specify the role: use the built-in role or create a custom
> Available values for `AZURE_CLOUD_NAME`: `AzurePublicCloud`, `AzureUSGovernmentCloud`, `AzureChinaCloud`
### Option 2: Use Azure AD Workload Identity
### Option 2: Create service principal with certificate-based authentication
1. Obtain your Azure Account Tenant ID:
```bash
AZURE_TENANT_ID=`az account list --query '[?isDefault].tenantId' -o tsv`
```
2. Create a service principal with certificate-based authentication.
If you'll be using Velero to backup multiple clusters with multiple blob containers, it may be desirable to create a unique username per cluster rather than the default `velero`.

Create service principal and let the CLI creates a self-signed certificate for you. Make sure to capture the certificate.

_(Optional) If you are using a different Subscription for backups and cluster resources, make sure to specify both subscriptions
in the `az` command using `--scopes`._

```bash
AZURE_CLIENT_CERTIFICATE_PATH=`az ad sp create-for-rbac --name "velero" --role $AZURE_ROLE --query 'fileWithCertAndPrivateKey' -o tsv \
--scopes /subscriptions/$AZURE_SUBSCRIPTION_ID[ /subscriptions/$AZURE_BACKUP_SUBSCRIPTION_ID] --create-cert`
```

NOTE: Ensure that value for `--name` does not conflict with other service principals/app registrations.

After creating the service principal, obtain the client id.

```bash
AZURE_CLIENT_ID=`az ad sp list --display-name "velero" --query '[0].appId' -o tsv`
```
3. (Optional)Assign additional permissions to the service principal (For useAAD=true with built-in role)

If you use the custom role which has the blob data permissions, skip this step.

If you chose the AAD route, this is an additional permissions required for the service principal to be able to access the storage account.
```bash
az role assignment create --assignee $AZURE_CLIENT_ID --role "Storage Blob Data Contributor" --scope /subscriptions/$AZURE_SUBSCRIPTION_ID
```

Refer: [useAAD parameter in BackupStorageLocation.md](./backupstoragelocation.md#backup-storage-location)

6. Now you need to create a file that contains all the relevant environment variables. The command looks like the following:

```bash
cat << EOF > ./credentials-velero
AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}
AZURE_TENANT_ID=${AZURE_TENANT_ID}
AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
AZURE_CLIENT_CERTIFICATE=$(awk 'BEGIN {printf "\""} {sub(/\r/, ""); printf "%s\\n",$0;} END {printf "\""}' $AZURE_CLIENT_CERTIFICATE_PATH)
AZURE_RESOURCE_GROUP=${AZURE_RESOURCE_GROUP}
AZURE_CLOUD_NAME=AzurePublicCloud
EOF
```
> Available values for `AZURE_CLOUD_NAME`: `AzurePublicCloud`, `AzureUSGovernmentCloud`, `AzureChinaCloud`
### Option 3: Use Azure AD Workload Identity
These instructions have been adapted from the [Azure AD Workload Identity Quick Start][24] documentation.
Expand Down Expand Up @@ -404,7 +459,7 @@ Before proceeding, ensure that you have installed [workload identity mutating ad
> Available values for `AZURE_CLOUD_NAME`: `AzurePublicCloud`, `AzureUSGovernmentCloud`, `AzureChinaCloud`
### Option 3: Use storage account access key
### Option 4: Use storage account access key
_Note: this option is **not valid** if you are planning to take Azure snapshots of your managed disks with Velero._
Expand Down
48 changes: 24 additions & 24 deletions go.mod
Original file line number Diff line number Diff line change
Expand Up @@ -5,44 +5,44 @@ go 1.21
toolchain go1.21.6

require (
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.8.0
github.com/Azure/azure-sdk-for-go/sdk/azcore v1.10.0
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/compute/armcompute/v4 v4.2.1
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.1.0
github.com/Azure/azure-sdk-for-go/sdk/storage/azblob v1.3.1
github.com/gofrs/uuid v4.3.1+incompatible
github.com/pkg/errors v0.9.1
github.com/sirupsen/logrus v1.9.3
github.com/spf13/pflag v1.0.5
github.com/stretchr/testify v1.8.4
github.com/vmware-tanzu/velero v0.0.0-20240312081256-79e9e31d8ddd
github.com/stretchr/testify v1.9.0
github.com/vmware-tanzu/velero v0.0.0-20240327101532-cd0632c5dbfa
k8s.io/api v0.29.0
k8s.io/apimachinery v0.29.0
sigs.k8s.io/azuredisk-csi-driver v1.26.0
)

require (
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.3.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.3.0 // indirect
github.com/Azure/azure-sdk-for-go/sdk/azidentity v1.5.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/resourcemanager/storage/armstorage v1.5.0 // indirect
github.com/joho/godotenv v1.4.0 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20230920204549-e6e6cdab5c13 // indirect
google.golang.org/genproto/googleapis/rpc v0.0.0-20240311132316-a219d84964c2 // indirect
)

require (
github.com/Azure/azure-sdk-for-go/sdk/internal v1.3.0 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.1.1 // indirect
github.com/Azure/azure-sdk-for-go/sdk/internal v1.5.2 // indirect
github.com/AzureAD/microsoft-authentication-library-for-go v1.2.1 // indirect
github.com/davecgh/go-spew v1.1.1 // indirect
github.com/emicklei/go-restful/v3 v3.11.0 // indirect
github.com/fatih/color v1.15.0 // indirect
github.com/fatih/color v1.16.0 // indirect
github.com/go-logr/logr v1.4.1 // indirect
github.com/go-openapi/jsonpointer v0.19.6 // indirect
github.com/go-openapi/jsonreference v0.20.2 // indirect
github.com/go-openapi/swag v0.22.3 // indirect
github.com/gobwas/glob v0.2.3 // indirect
github.com/gogo/protobuf v1.3.2 // indirect
github.com/golang-jwt/jwt/v5 v5.0.0 // indirect
github.com/golang/protobuf v1.5.3 // indirect
github.com/golang-jwt/jwt/v5 v5.2.0 // indirect
github.com/golang/protobuf v1.5.4 // indirect
github.com/google/gnostic-models v0.6.8 // indirect
github.com/google/gofuzz v1.2.0 // indirect
github.com/google/uuid v1.3.1 // indirect
github.com/google/uuid v1.6.0 // indirect
github.com/hashicorp/go-hclog v1.4.0 // indirect
github.com/hashicorp/go-plugin v1.6.0 // indirect
github.com/hashicorp/yamux v0.1.1 // indirect
Expand All @@ -52,26 +52,26 @@ require (
github.com/kylelemons/godebug v1.1.0 // indirect
github.com/mailru/easyjson v0.7.7 // indirect
github.com/mattn/go-colorable v0.1.13 // indirect
github.com/mattn/go-isatty v0.0.19 // indirect
github.com/mattn/go-isatty v0.0.20 // indirect
github.com/mitchellh/go-testing-interface v1.14.1 // indirect
github.com/modern-go/concurrent v0.0.0-20180306012644-bacd9c7ef1dd // indirect
github.com/modern-go/reflect2 v1.0.2 // indirect
github.com/munnerz/goautoneg v0.0.0-20191010083416-a7dc8b61c822 // indirect
github.com/oklog/run v1.1.0 // indirect
github.com/pkg/browser v0.0.0-20210911075715-681adbf594b8 // indirect
github.com/pkg/browser v0.0.0-20240102092130-5ac0b6a4141c // indirect
github.com/pmezard/go-difflib v1.0.0 // indirect
github.com/spf13/afero v1.9.2 // indirect
github.com/spf13/cobra v1.7.0 // indirect
github.com/stretchr/objx v0.5.0 // indirect
golang.org/x/crypto v0.17.0 // indirect
golang.org/x/net v0.19.0 // indirect
golang.org/x/oauth2 v0.13.0 // indirect
golang.org/x/sys v0.16.0 // indirect
golang.org/x/term v0.15.0 // indirect
github.com/stretchr/objx v0.5.2 // indirect
golang.org/x/crypto v0.21.0 // indirect
golang.org/x/net v0.22.0 // indirect
golang.org/x/oauth2 v0.18.0 // indirect
golang.org/x/sys v0.18.0 // indirect
golang.org/x/term v0.18.0 // indirect
golang.org/x/text v0.14.0 // indirect
golang.org/x/time v0.3.0 // indirect
google.golang.org/appengine v1.6.7 // indirect
google.golang.org/grpc v1.58.3 // indirect
golang.org/x/time v0.5.0 // indirect
google.golang.org/appengine v1.6.8 // indirect
google.golang.org/grpc v1.62.1 // indirect
google.golang.org/protobuf v1.33.0 // indirect
gopkg.in/inf.v0 v0.9.1 // indirect
gopkg.in/yaml.v2 v2.4.0 // indirect
Expand Down
Loading

0 comments on commit 728a043

Please sign in to comment.