OADP-6675: Update Azure registry configuration for workload identity support

[kaovilai]

Why the changes were made

This PR updates the Azure registry configuration to support workload identity authentication. These changes are required to work with the updated OADP operator that now supports Azure workload identity for the image registry component.

Without these changes, the openshift-velero-plugin cannot consume the new secret format created by the OADP operator when using Azure workload identity.

How to test the changes made

Prerequisites

• OADP operator with Azure workload identity support (PR #1952)
• OpenShift cluster with Azure workload identity configured
• Test instructions follow those in the OADP operator PR

Testing Steps

1. Deploy OADP operator with Azure workload identity support from PR #1952

2. Build and deploy this version of openshift-velero-plugin:

# Build the plugin
make build

# Update the velero deployment to use the new plugin version
oc set image deployment/velero -n openshift-adp \
  velero=<your-registry>/openshift-velero-plugin:latest

3. Verify secret consumption:

# Check that the registry secret is created with new format
oc get secret -n openshift-adp oadp-<bsl-name>-azure-registry-secret -o yaml

# Verify the secret contains the new credential keys:
# - credentials_type (should be "default_credentials" for workload identity)
# - client_id_key  
# - client_secret_key (empty for workload identity)
# - tenant_id_key

# Verify Velero has Azure workload identity env vars
oc exec -n openshift-adp deployment/velero -- env | grep AZURE
# Should show: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE

4. Test image backup/restore following the test plan in OADP operator PR #1952

Verification Points

• [ ] Plugin correctly reads Azure credentials from new secret format
• [ ] Environment variables are properly mapped (CREDENTIALS_* instead of SPN_*)
• [ ] Registry authentication succeeds with workload identity
• [ ] Image backup and restore operations complete successfully
• [ ] No errors related to missing SPN environment variables

Technical Details

Azure Workload Identity Environment Setup

The OADP operator injects Azure workload identity environment variables into the Velero container through a secret (azure-workload-identity-env). This secret contains:

• AZURE_CLIENT_ID: The managed identity client ID
• AZURE_TENANT_ID: The Azure tenant ID
• AZURE_FEDERATED_TOKEN_FILE: Path to the federated token (/var/run/secrets/openshift/serviceaccount/token)

These environment variables are injected into the Velero deployment using envFrom (see oadp-operator internal/controller/velero.go:642-655), ensuring they're available to both Velero and its plugins.

Registry Authentication with Workload Identity

The registry component (docker-distribution) supports Azure AD authentication through the default_credentials type. When this type is set in the registry secret, the Azure storage driver:

1. Uses the Azure SDK's DefaultAzureCredential
2. Automatically detects the workload identity environment variables (inherited from Velero container)
3. Reads the federated token from the mounted service account token path
4. Exchanges it for Azure AD tokens
5. Authenticates to Azure Blob Storage

The plugin doesn't need to explicitly handle AZURE_FEDERATED_TOKEN_FILE because:

• It's already set in the Velero container environment
• The registry process inherits the environment from its parent container
• The Azure SDK automatically uses these variables for authentication

Changes Summary

• Replaced deprecated SPN_* environment variable constants with CREDENTIALS_* format
• Updated getAzureRegistryEnvVars() to reference new secret keys matching OADP operator
• Added support for credentials_type field from secret
• Fixed BSL spec references (using ObjectStorage instead of StorageType.ObjectStorage)

Dependencies

This PR depends on: openshift/oadp-operator#1952

Both PRs must be merged together for Azure workload identity support to function properly. The OADP operator PR handles creating and injecting the workload identity environment variables, while this PR ensures the plugin correctly consumes the new secret format.

🤖 Generated with Claude Code

[openshift-ci[bot]]

Skipping CI for Draft Pull Request. If you want CI signal for your change, please convert it to an actual PR. You can still manually trigger a test run with /test all

[openshift-ci[bot]]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

• ~~OWNERS~~ [kaovilai]

Approvers can indicate their approval by writing /approve in a comment Approvers can cancel approval by writing /approve cancel in a comment

[openshift-ci-robot]

@kaovilai: This pull request references OADP-6675 which is a valid jira issue.

In response to this:

Why the changes were made

This PR updates the Azure registry configuration to support workload identity authentication. These changes are required to work with the updated OADP operator that now supports Azure workload identity for the image registry component.

Without these changes, the openshift-velero-plugin cannot consume the new secret format created by the OADP operator when using Azure workload identity.

How to test the changes made

Prerequisites

• OADP operator with Azure workload identity support (PR #1952)
• OpenShift cluster with Azure workload identity configured
• Test instructions follow those in the OADP operator PR

Testing Steps

1. Deploy OADP operator with Azure workload identity support from PR #1952

2. Build and deploy this version of openshift-velero-plugin:

# Build the plugin
make build

# Update the velero deployment to use the new plugin version
oc set image deployment/velero -n openshift-adp \
 velero=<your-registry>/openshift-velero-plugin:latest

3. Verify secret consumption:

# Check that the registry secret is created with new format
oc get secret -n openshift-adp oadp-<bsl-name>-azure-registry-secret -o yaml

# Verify the secret contains the new credential keys:
# - credentials_type (should be "default_credentials" for workload identity)
# - client_id_key  
# - client_secret_key (empty for workload identity)
# - tenant_id_key

# Verify Velero has Azure workload identity env vars
oc exec -n openshift-adp deployment/velero -- env | grep AZURE
# Should show: AZURE_CLIENT_ID, AZURE_TENANT_ID, AZURE_FEDERATED_TOKEN_FILE

4. Test image backup/restore following the test plan in OADP operator PR #1952

Verification Points

• [ ] Plugin correctly reads Azure credentials from new secret format
• [ ] Environment variables are properly mapped (CREDENTIALS_* instead of SPN_*)
• [ ] Registry authentication succeeds with workload identity
• [ ] Image backup and restore operations complete successfully
• [ ] No errors related to missing SPN environment variables

Technical Details

Azure Workload Identity Environment Setup

The OADP operator injects Azure workload identity environment variables into the Velero container through a secret (azure-workload-identity-env). This secret contains:

• AZURE_CLIENT_ID: The managed identity client ID
• AZURE_TENANT_ID: The Azure tenant ID
• AZURE_FEDERATED_TOKEN_FILE: Path to the federated token (/var/run/secrets/openshift/serviceaccount/token)

These environment variables are injected into the Velero deployment using envFrom (see oadp-operator internal/controller/velero.go:642-655), ensuring they're available to both Velero and its plugins.

Registry Authentication with Workload Identity

The registry component (docker-distribution) supports Azure AD authentication through the default_credentials type. When this type is set in the registry secret, the Azure storage driver:

1. Uses the Azure SDK's DefaultAzureCredential
2. Automatically detects the workload identity environment variables (inherited from Velero container)
3. Reads the federated token from the mounted service account token path
4. Exchanges it for Azure AD tokens
5. Authenticates to Azure Blob Storage

The plugin doesn't need to explicitly handle AZURE_FEDERATED_TOKEN_FILE because:

• It's already set in the Velero container environment
• The registry process inherits the environment from its parent container
• The Azure SDK automatically uses these variables for authentication

Changes Summary

• Replaced deprecated SPN_* environment variable constants with CREDENTIALS_* format
• Updated getAzureRegistryEnvVars() to reference new secret keys matching OADP operator
• Added support for credentials_type field from secret
• Fixed BSL spec references (using ObjectStorage instead of StorageType.ObjectStorage)

Dependencies

This PR depends on: openshift/oadp-operator#1952

Both PRs must be merged together for Azure workload identity support to function properly. The OADP operator PR handles creating and injecting the workload identity environment variables, while this PR ensures the plugin correctly consumes the new secret format.

🤖 Generated with Claude Code

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.