Add MSI Support for Azure plugin. #212
Conversation
Awaiting MSI support so much. As far as I understood, there is no other way to do a backup in an AKS cluster with Azure AD authentication and Azure RBAC, right? I followed these steps and oidcIssuerProfile.issuerUrl was null.
@mykolaichuk Hi, this PR is just for test validation. In the future it will be updated and go into the release version of Velero, when the upstream is merged.
Hi @mykolaichuk, I'll need to go through the workload identity setup before I comment further on its setup. This PR is particularly for using MSI without workload identity. This support was already there in the Velero Azure plugin for a very long time but got inadvertently removed due to some recent refactoring.
Ref issue: vmware-tanzu/velero#6931
Force-pushed from f51ea89 to 363d96d.
@anshulahuja98
@yanggangtony please also rename the PR title to be more relevant to the change.
Also @yanggangtony, the CI is failing, please check.
Force-pushed from 363d96d to 800a4dd.
wait.
Signed-off-by: yanggang <[email protected]>
@anshulahuja98
Ran it.
Codecov Report
Coverage diff, main vs #212 (no change):
Coverage   19.80%   19.80%
Files      3        3
Lines      500      500
Hits       99       99
Misses     398      398
Partials   3        3
You've mentioned that MSI support was in place previously. Is it there now? Is there usage documentation for this? Thanks in advance!
@mykolaichuk For end users to consume MSI, I would recommend using Workload Identity. There are no public docs for using MSI without workload identity in AKS. I can point you further but would still recommend using Workload Identity.
Could you be so kind as to give me snippets or a short guide for MSI without workload identity, please? I have two AAD-enabled clusters in different subscriptions and struggle with the workload identity setup.
Sure.

AZURE_CLIENT_ID=

You'll notice that, compared to ServicePrincipal, we don't need the SECRET field here. The Client_ID field here will be the client ID of the user MSI.

Create a user MSI and mount it on the node pools of the AKS cluster. From the portal you can navigate to NodePool > Identity > User Assigned, then add the MSI there. I don't know a programmatic way to mount it automatically on all node pools of the cluster; you can search for that. But at a high level you at least need that identity mounted on the node pool where the Velero pod will run.

You can try the above steps out and let me know if you face issues.
Basically, by virtue of being mounted on the node pool, the IMDS endpoint of the VM will return the auth for the MSI client ID.
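The IMDS exchange described in the comment above, as an added example in Go; it is not code from this thread or from the Velero Azure plugin. IMDS is the link-local http://169.254.169.254 endpoint on the node. A pod on a node whose node pool carries the user MSI asks it for a token, naming the MSI by the client_id query parameter (the value that goes into AZURE_CLIENT_ID) and sending the mandatory Metadata: true header. The client ID, the token string and FakeIMDS are constructed placeholders so the example runs off-cluster; FakeIMDS models the failure mode a practitioner should expect, which is that a node carrying several user-assigned identities rejects a request that names none instead of answering with whichever identity it likes.

```go
package main

import (
	"context"
	"encoding/json"
	"errors"
	"fmt"
	"io"
	"net/http"
	"net/http/httptest"
	"net/url"
)

// MSIToken holds the fields IMDS returns for a managed-identity token.
type MSIToken struct {
	AccessToken string `json:"access_token"`
	ExpiresOn   string `json:"expires_on"`
	TokenType   string `json:"token_type"`
	ClientID    string `json:"client_id"`
}

// NewIMDSTokenRequest builds the token request. clientID names the user MSI
// mounted on the node pool; an empty clientID lets IMDS choose a default.
func NewIMDSTokenRequest(ctx context.Context, base, resource, clientID string) (*http.Request, error) {
	if resource == "" {
		return nil, errors.New("resource is required")
	}
	q := url.Values{}
	q.Set("api-version", "2018-02-01")
	q.Set("resource", resource)
	if clientID != "" {
		q.Set("client_id", clientID)
	}
	req, err := http.NewRequestWithContext(ctx, http.MethodGet, base+"/metadata/identity/oauth2/token?"+q.Encode(), nil)
	if err != nil {
		return nil, err
	}
	req.Header.Set("Metadata", "true") // mandatory; IMDS rejects requests without it
	return req, nil
}

// FetchMSIToken calls IMDS and refuses a token issued for a different identity.
func FetchMSIToken(ctx context.Context, client *http.Client, base, resource, clientID string) (*MSIToken, error) {
	req, err := NewIMDSTokenRequest(ctx, base, resource, clientID)
	if err != nil {
		return nil, err
	}
	resp, err := client.Do(req)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	body, err := io.ReadAll(io.LimitReader(resp.Body, 1<<20))
	if err != nil {
		return nil, err
	}
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("imds returned %d: %s", resp.StatusCode, body)
	}
	var tok MSIToken
	if err := json.Unmarshal(body, &tok); err != nil {
		return nil, err
	}
	if clientID != "" && tok.ClientID != clientID {
		return nil, fmt.Errorf("imds answered for identity %q, wanted %q", tok.ClientID, clientID)
	}
	return &tok, nil
}

// FakeIMDS is a constructed stand-in for the real endpoint so the example runs
// off-cluster. It models two behaviours: the Metadata header is mandatory, and a
// node carrying several user-assigned identities rejects a request with no client_id.
func FakeIMDS() http.Handler {
	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		if r.Header.Get("Metadata") != "true" {
			http.Error(w, `{"error":"invalid_request","error_description":"Required metadata header not specified"}`, http.StatusBadRequest)
			return
		}
		cid := r.URL.Query().Get("client_id")
		if cid == "" {
			http.Error(w, `{"error":"invalid_request","error_description":"Multiple user assigned identities exist, please specify the clientId/resourceId"}`, http.StatusBadRequest)
			return
		}
		w.Header().Set("Content-Type", "application/json")
		fmt.Fprintf(w, `{"access_token":"eyJhbGciOi.constructed.token","expires_on":"1700000000","token_type":"Bearer","client_id":%q}`, cid)
	})
}

func main() {
	srv := httptest.NewServer(FakeIMDS())
	defer srv.Close()
	// On a real node use "http://169.254.169.254", http.DefaultClient and the user MSI's client ID.
	tok, err := FetchMSIToken(context.Background(), srv.Client(), srv.URL, "https://management.azure.com/", "00000000-0000-0000-0000-000000000000")
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("token for", tok.ClientID, "expires_on", tok.ExpiresOn)
}
```

FetchMSIToken also rejects a token whose client_id differs from the one requested, so a node pool with the wrong identity attached fails loudly rather than silently backing up with whatever identity the node happens to carry. The resource here is ARM; a token for another service (storage, for instance) is the same request with a different resource value.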
@anshulahuja98 thank you so much! It worked! I had some issues with a storage account, but I was able to deal with them on my own!
Glad I could help you out :) |
We had a discussion in the Velero repo about adding MSI support: vmware-tanzu/velero#6938.
Can the Azure plugin use this PR to validate the functions?
@anshulahuja98
Please help to test it in an Azure cluster.