Listing storage account access key is still needed for Restic/Kopia to work as expected on Azure #5984

Closed
ywk253100 opened this issue Mar 15, 2023 · 3 comments
@ywk253100
Contributor

We introduced several changes for the Velero Azure plugin to resolve #4267 in the v1.11.0 timeframe, but besides the Azure plugin, support for Azure AD auth is also needed on the Restic/Kopia side.

However, Restic/Kopia only supports authentication/authorization by access key and SAS token but not Azure AD at this moment, so in order to work with filesystem backup/restore with Restic/Kopia, listing the storage account access key is still needed on Azure.

Users who don't use filesystem backup/restore and cannot list the storage account access key can refer to the doc to work around it.

An issue has been opened for Kopia.

We'll remove the listing of the storage account access key completely once Kopia supports auth via Azure AD.

ywk253100 added a commit to ywk253100/velero-plugin-for-microsoft-azure that referenced this issue Mar 15, 2023
We introduced changes in vmware-tanzu#111 to remove the logic of listing the storage account access key. The Velero Azure plugin supports auth via Azure AD directly after the changes, but that isn't enough, as Restic/Kopia still doesn't support auth via Azure AD at this moment; this will cause filesystem backup failure on Azure.

So we revert the doc change in this commit, and Velero still needs the permission to list the storage access key to work as expected. But as we keep the code changes, users can work around the permission issue by referring to vmware-tanzu/velero#5984

Signed-off-by: Wenkai Yin(尹文开) <[email protected]>
@reasonerjt
Contributor

@ywk253100
IMO we should consider it as a higher priority as it's an enhancement to security.
Let's see if we can fix it on the Kopia side.
But given this has an external dependency, let's leave it as a candidate for now and triage later.

reasonerjt added the "Needs triage" label (We need discussion to understand problem and decide the priority) Apr 18, 2023
@ywk253100
Contributor Author

We can start the work to fix it on the Kopia side in the 1.12 timeframe, but it is very likely that we cannot make it in v1.12 as this has an external dependency.

Lyndon-Li added this to the v1.12 milestone May 24, 2023
reasonerjt removed this from the v1.12 milestone Jul 19, 2023
pradeepkchaturvedi added the "1.13-candidate" label (issue/pr that should be considered to target v1.13 minor release) Aug 4, 2023
reasonerjt removed the "Needs triage", "limitation" and "1.13-candidate" labels Aug 18, 2023
reasonerjt added this to the v1.13 milestone Aug 18, 2023
@ywk253100
Contributor Author

Fixed by #6686
