Couchbase Server / MB-45620

[Backup Service] Add Azure support


Details

    • Improvement
    • Status: Closed
    • Major
    • Resolution: Fixed
    • Cheshire-Cat
    • 7.1.2
    • tools

    Description

      With the introduction of Azure to CBM the backup service has to match the functionality

          Activity

            pvarley Patrick Varley added a comment - Has been moved out of Neo as QE cannot contain it.

            build-team Couchbase Build Team added a comment - Build couchbase-server-7.2.0-1018 contains cbbs commit 72fd594 with commit message: MB-45620 Add Azure client with static credentials

            build-team Couchbase Build Team added a comment - Build couchbase-server-7.2.0-1019 contains cbbs commit 404dd47 with commit message: MB-45620 Change repo panels to only list valid auth methods for provider

            build-team Couchbase Build Team added a comment - Build couchbase-server-7.1.1-3074 contains cbbs commit 7c8a507 with commit message: MB-45620 [BP] Add Azure client with static credentials

            build-team Couchbase Build Team added a comment - Build couchbase-server-7.1.1-3075 contains cbbs commit 9a9e6f0 with commit message: MB-45620 [BP] Change repo panels to only list valid auth methods for provider
            lynn.straus Lynn Straus added a comment -

            With 7.1.1 split into "early" 7.1.1 and "new" 7.1.2, all related Enhancements and features move to 7.1.2. Changing fixversion of 7.1.1 to 7.1.2.

            build-team Couchbase Build Team added a comment - Build couchbase-server-7.2.0-1445 contains cbbs commit 9a9e6f0 with commit message: MB-45620 [BP] Change repo panels to only list valid auth methods for provider

            build-team Couchbase Build Team added a comment - Build couchbase-server-7.2.0-1445 contains cbbs commit 7c8a507 with commit message: MB-45620 [BP] Add Azure client with static credentials

            build-team Couchbase Build Team added a comment - Build couchbase-server-8.0.0-1034 contains cbbs commit 9a9e6f0 with commit message: MB-45620 [BP] Change repo panels to only list valid auth methods for provider

            build-team Couchbase Build Team added a comment - Build couchbase-server-8.0.0-1034 contains cbbs commit 7c8a507 with commit message: MB-45620 [BP] Add Azure client with static credentials
            sciornei_amdocs Seb added a comment -

            Please confirm if azure blob auth. will work with workload identity and/or AAD pod identity. If so, we will require the option to set the labels (and annotations) used by the backup pod: https://issues.couchbase.com/browse/K8S-2838?focusedCommentId=636403&page=com.atlassian.jira.plugin.system.issuetabpanels%3Acomment-tabpanel#comment-636403

            maks.januska Maksimiljans Januska added a comment -

            Hi Seb,

            I don't believe we've tested authentication using Azure Managed Identity with Kubernetes pods but I don't think there is a reason why it wouldn't work since we are relying on the Azure Go SDK and it should work fine with workload identities according to the Microsoft documentation:

            Azure AD workload identity works especially well with the Azure Identity client library using the Azure SDK...

            In our implementation we are relying on authentication with ManagedIdentityCredential and let the SDK handle the rest:

            ManagedIdentityCredential authenticates an Azure managed identity in any hosting environment supporting managed identities. This credential authenticates a system-assigned identity by default.

            I've tried looking into how this works with workload identity and/or AAD pod identity and I don't really understand what you mean by "we will require the option to set the labels (and annotations) used by the backup pod", do you mean this is supposed to be something you can do using cbbackupmgr/in the backup service WebUI? To me it seems like an environment configuration step, which a user is supposed to do themselves, correct me if I'm wrong.
            sciornei_amdocs Seb added a comment -

            Hi Maksimiljans Januska,
            Thanks for quick reply.

            As cbbackupmgr runs inside a pod, as per their docs, depending on which of the 2 options we use, we require to have either specific labels (https://learn.microsoft.com/en-us/azure/aks/use-azure-ad-pod-identity#run-a-sample-application) on the backup pod, or specific annotations (https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview#pod-annotations).
            Currently we are not able to control those, as the CronJob is generated by CAO, and we cannot add any additional labels & annotations to the backup pods.
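
            The pod metadata that each of the two options named above expects, as an added example that is not part of the original comments and not Couchbase or CAO configuration. Every resource name, namespace, image and ID below is a hypothetical placeholder; only the `azure.workload.identity/*` and `aadpodidbinding` keys are the ones Azure defines.

```yaml
# Option 1: Azure AD workload identity.
# The identity is bound to a ServiceAccount; the pod opts in with a label.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: cb-backup-sa                       # hypothetical name
  namespace: couchbase                     # hypothetical namespace
  annotations:
    # Client ID of the Azure AD application or user-assigned managed identity
    azure.workload.identity/client-id: "<client-id-placeholder>"
---
apiVersion: v1
kind: Pod
metadata:
  name: cb-backup-workload-identity        # hypothetical name
  namespace: couchbase
  labels:
    # Without this label the mutating webhook does not project the
    # federated token or the AZURE_* environment variables into the pod.
    azure.workload.identity/use: "true"
  annotations:
    # Optional pod annotation: lifetime of the projected token, in seconds
    azure.workload.identity/service-account-token-expiration: "3600"
spec:
  serviceAccountName: cb-backup-sa
  containers:
    - name: backup
      image: "<backup-image-placeholder>"
---
# Option 2: AAD pod identity.
# The pod is matched to an identity purely by label.
apiVersion: v1
kind: Pod
metadata:
  name: cb-backup-pod-identity             # hypothetical name
  namespace: couchbase
  labels:
    # Must equal spec.selector of an existing AzureIdentityBinding
    aadpodidbinding: cb-backup-identity    # hypothetical selector value
spec:
  containers:
    - name: backup
      image: "<backup-image-placeholder>"
```

            In both cases the credential is granted through pod-level metadata, so whoever can set these labels on a pod in the namespace can obtain the identity's access to the storage account; scope the identity's role assignment to the backup container only.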

             


            People

              gilad.kalchheim Gilad Kalchheim
              carlos.gonzalez Carlos Gonzalez Betancort (Inactive)