Don't use storage account key for object storage if SP or MI is provided #111
Just a question around the golang version for now -- I'll look at this in more detail a bit later.
.github/workflows/push.yml (outdated)
@@ -13,10 +13,10 @@ jobs: | |||
runs-on: ubuntu-latest | |||
steps: | |||
|
|||
- name: Set up Go 1.14 | |||
- name: Set up Go 1.17 |
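Review bot: the Go version bumped here (1.14 to 1.17) is set independently of the builder image in the Dockerfile (golang:1.13-buster to golang:1.17-buster in the same PR), so before this change CI tested with a different toolchain than the one that built the shipped binary. Consider driving both from one place (for example the go directive in go.mod, or a single pinned version used by the workflow and the Dockerfile) so the next bump cannot leave them out of step again.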
velero still uses go 1.16 on the main branch. We should probably do the same here unless there is a specific need for 1.17 for this plugin.
Dockerfile (outdated)
@@ -12,12 +12,12 @@ | |||
# See the License for the specific language governing permissions and | |||
# limitations under the License. | |||
|
|||
FROM golang:1.13-buster AS build | |||
FROM golang:1.17-buster AS build |
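Review bot: `golang:1.17-buster` is a floating tag, so the builder image changes underneath the build whenever the tag is re-pointed and two builds of the same commit are not guaranteed to be identical. For a reproducible, auditable build pin the base image to a digest (`golang:1.17-buster@sha256:<digest>`, filled in with the real digest) or at least to a full patch version, and keep it in step with the Go version used in .github/workflows/push.yml.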
As above, velero still uses go 1.16 on the main branch. We should probably do the same here unless there is a specific need for 1.17 for this plugin.
Force-pushed 0838c8a to b0c47ff.
I downgraded it to 1.16 and also added a go setup step to
Hi! Does anyone have time to review this? Thanks,
Force-pushed c8a7d4f to eda23c5.
Force-pushed 34066b0 to b43a9b8.
Rebased to master.
This is exactly what we need as well and makes a lot more sense than dealing with access keys when they aren't necessary.
Codecov Report
@@ Coverage Diff @@
## main #111 +/- ##
==========================================
+ Coverage 12.77% 14.07% +1.29%
==========================================
Files 4 4
Lines 626 668 +42
==========================================
+ Hits 80 94 +14
- Misses 542 571 +29
+ Partials 4 3 -1
Does the PR also address this issue? vmware-tanzu/velero#4930
Yes, ListKeys will be removed with this PR.
Awesome! Thank you for your contribution.
Reliance on Azure storage account shared keys is preventing my org from using Velero, would be great to see this merged ❤️ @ywk253100 @eleanor-millman
Hi @yvespp, when I created a backup, the following error came in the Backup Status. The BSL was still showing as available:

    completionTimestamp: "2022-09-08T05:12:03Z"
    expiration: "2022-10-08T05:12:03Z"
    failureReason: |
      error checking if backup already exists in object storage: rpc error: code = Unknown desc = ===== RESPONSE ERROR (ErrorCode=AuthorizationPermissionMismatch) =====
      Description=, Details: (none)
    formatVersion: 1.1.0
    phase: Failed
    startTimestamp: "2022-09-08T05:12:03Z"
    version: 1

@yvespp Sorry for the late review. I have added some comments but haven't reviewed delegationsas.go yet, and I will continue to add comments.
Hi! Would be really great if this could be merged sometime soon :) @sseago @ywk253100 @dsu-igeek
I second that. This PR will allow me to start using Velero.
Force-pushed 5a45768 to 96b6d31.
Hi @anshulahuja98, do you know how the backup location is verified? I was looking through the code but couldn't find it.
@yvespp I added a few comments about the document, please take a look.
Switches to the newer blob client
Add integration test
Signed-off-by: Yves Peter <[email protected]>
Signed-off-by: Yves Peter <[email protected]>
@ywk253100 I addressed your comments, rebased and squashed.
Hi all, could the PR be released? It looks like this PR is not part of the 1.6.1 version. Current workaround: Add
I think the plan is to release this with the next minor version 1.7.0 and Velero 1.11: #111 (comment). If you want to try it out you can use my image which includes this pull request: https://hub.docker.com/r/yvespp/velero-plugin-for-microsoft-azure
Revert the changes made to doc in #111

We introduced changes in vmware-tanzu#111 to remove the logic of listing the storage account access key, and the Velero Azure plugin supports auth via Azure AD directly after the changes. But that isn't enough, as Restic/Kopia still don't support auth via Azure AD at this moment, and this will cause filesystem backup failure on Azure. So we revert the doc change in this commit, and Velero still needs the permission to list storage access keys to work as expected. But as we keep the code changes, users can work around the permission issue by referring to vmware-tanzu/velero#5984

Signed-off-by: Wenkai Yin(尹文开) <[email protected]>
If this PR is already merged, may I know the plugin version in which this PR is available?
Hello everyone, is there any release date planned for this feature yet? This feature is essential for Azure and I would like to use it :)
@vikrantoct7 @mkemmerz This change isn't available in Velero 1.11, please see vmware-tanzu/velero#5984 for details. But if you take backups without Restic/Kopia, the Velero Azure plugin can be configured to work without listing storage account access keys.
Implements vmware-tanzu/velero#4267

The plugin no longer uses the storage access key to access the blobs by default. The key is only used if it's configured via AZURE_STORAGE_ACCOUNT_ACCESS_KEY. Therefore "Allow storage account key access" can be disabled on the storage account if using MI or SP.

Changes:
- delegationsas.go. This code can be deleted once it's implemented in azblob.
- Integration test, run only when the integration build tag is specified, e.g. go test ./... -tags=integration -v
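The credential-selection rule the description states (account key only when AZURE_STORAGE_ACCOUNT_ACCESS_KEY is set explicitly, otherwise an Azure AD identity, so that "Allow storage account key access" can be turned off), as an added stand-alone example in Go; this is not the plugin's own code. It assumes the conventional Azure SDK variable names AZURE_CLIENT_ID, AZURE_CLIENT_SECRET and AZURE_TENANT_ID for a service principal, and the `mapEnv` helper and the test values are constructed for the example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
)

// AuthMode is the credential the plugin would use to reach blob storage.
type AuthMode int

const (
	AuthManagedIdentity  AuthMode = iota // Azure AD token from a managed identity (default)
	AuthServicePrincipal                 // Azure AD token from client-secret credentials
	AuthSharedKey                        // storage account access key, explicit opt-in only
)

func (m AuthMode) String() string {
	switch m {
	case AuthManagedIdentity:
		return "managed-identity"
	case AuthServicePrincipal:
		return "service-principal"
	case AuthSharedKey:
		return "shared-key"
	}
	return "unknown"
}

// Env abstracts os.Getenv so the selection logic can be exercised on a
// constructed environment instead of the real process environment.
type Env func(name string) string

// SelectAuthMode applies the rule from the PR description: the account key is
// used only when AZURE_STORAGE_ACCOUNT_ACCESS_KEY is set; otherwise an Azure AD
// identity is used. Which AD identity is chosen follows the conventional Azure
// SDK variable names (AZURE_CLIENT_ID, AZURE_CLIENT_SECRET, AZURE_TENANT_ID);
// that mapping is an assumption of this example, not something the PR spells out.
func SelectAuthMode(get Env) (AuthMode, error) {
	if get("AZURE_STORAGE_ACCOUNT_ACCESS_KEY") != "" {
		return AuthSharedKey, nil
	}
	clientID := get("AZURE_CLIENT_ID")
	secret := get("AZURE_CLIENT_SECRET")
	tenant := get("AZURE_TENANT_ID")
	if secret != "" {
		// A client secret only makes sense as a complete service-principal
		// triple; failing loudly is better than silently falling back to MI.
		if clientID == "" || tenant == "" {
			return AuthManagedIdentity, errors.New("AZURE_CLIENT_SECRET is set but AZURE_CLIENT_ID or AZURE_TENANT_ID is missing")
		}
		return AuthServicePrincipal, nil
	}
	// No key and no secret: rely on a managed identity. AZURE_CLIENT_ID on its
	// own is accepted because it selects a user-assigned identity.
	return AuthManagedIdentity, nil
}

// KeyAccessRequired reports whether the storage account's
// "Allow storage account key access" setting must stay enabled for this mode.
// For both Azure AD modes it can be disabled, which is the hardening the PR enables.
func KeyAccessRequired(m AuthMode) bool {
	return m == AuthSharedKey
}

// mapEnv wraps a constructed map as an Env for tests and demos.
func mapEnv(vars map[string]string) Env {
	return func(name string) string { return vars[name] }
}

func main() {
	mode, err := SelectAuthMode(os.Getenv)
	if err != nil {
		fmt.Println("configuration error:", err)
		os.Exit(1)
	}
	fmt.Printf("auth mode: %s; key access required on the storage account: %v\n",
		mode, KeyAccessRequired(mode))
}
```

Run it with only AZURE_CLIENT_ID (or nothing) set and it reports managed identity with no key access needed; set AZURE_STORAGE_ACCOUNT_ACCESS_KEY and the shared-key path is chosen, which is the one case where the account-level key setting has to remain enabled.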