OADP-3307: Add Azure and GCP CloudStorage API provider implementations

Signed-off-by: Tiger Kaovilai <[email protected]>
Co-Authored-By: Claude <[email protected]>

Author: kaovilai

api/v1alpha1/cloudstorage_types.go

@@ -42,8 +42,11 @@ type CloudStorageSpec struct {
 	// region for the bucket to be in, will be us-east-1 if not set.
 	Region string `json:"region,omitempty"`
 	// provider is the provider of the cloud storage
-	// +kubebuilder:validation:Enum=aws
+	// +kubebuilder:validation:Enum=aws;azure;gcp
 	Provider CloudStorageProvider `json:"provider"`
+	// config is provider-specific configuration options
+	// +kubebuilder:validation:Optional
+	Config map[string]string `json:"config,omitempty"`
 
 	// https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/[email protected]#section-readme
 	// azure blob primary endpoint

api/v1alpha1/zz_generated.deepcopy.go

@@ -39,6 +39,11 @@ spec:
             type: object
           spec:
             properties:
+              config:
+                additionalProperties:
+                  type: string
+                description: config is provider-specific configuration options
+                type: object
               creationSecret:
                 description: creationSecret is the secret that is needed to be used
                   while creating the bucket.
@@ -75,6 +80,8 @@ spec:
                 description: provider is the provider of the cloud storage
                 enum:
                 - aws
+                - azure
+                - gcp
                 type: string
               region:
                 description: region for the bucket to be in, will be us-east-1 if

bundle/manifests/oadp.openshift.io_cloudstorages.yaml

@@ -39,6 +39,11 @@ spec:
             type: object
           spec:
             properties:
+              config:
+                additionalProperties:
+                  type: string
+                description: config is provider-specific configuration options
+                type: object
               creationSecret:
                 description: creationSecret is the secret that is needed to be used
                   while creating the bucket.
@@ -75,6 +80,8 @@ spec:
                 description: provider is the provider of the cloud storage
                 enum:
                 - aws
+                - azure
+                - gcp
                 type: string
               region:
                 description: region for the bucket to be in, will be us-east-1 if

config/crd/bases/oadp.openshift.io_cloudstorages.yaml

@@ -19,6 +19,15 @@ import (
 // - AZURE_CLIENT_ID
 // - AZURE_TENANT_ID
 // - AZURE_FEDERATED_TOKEN_FILE
+//
+// Unlike AWS and GCP which use credential files, Azure uses environment variables for
+// workload identity authentication. This design choice is driven by compatibility with
+// the Velero project's Azure credential handling, avoiding the need for upstream changes.
+// The Velero project expects these specific environment variables for Azure authentication,
+// and by providing them directly, we maintain seamless integration.
+//
+// The secret created here is injected into both Velero and NodeAgent pods via envFrom,
+// eliminating the need for temporary credential files as used by AWS/GCP providers.
 func (r *DataProtectionApplicationReconciler) ReconcileAzureWorkloadIdentitySecret(log logr.Logger) (bool, error) {
 	dpa := r.dpa
 	azureClientID := os.Getenv(stsflow.ClientIDEnvKey)

internal/controller/stsflow.go

@@ -2559,6 +2559,22 @@ func TestDPAReconciler_buildVeleroDeploymentWithAzureWorkloadIdentity(t *testing
 				if !foundAzureSecretRef {
 					t.Errorf("Expected %s secret reference in envFrom", stsflow.AzureWorkloadIdentitySecretName)
 				}
+
+				// Check that Azure environment variables are NOT set directly
+				// They should come from the secret referenced in envFrom
+				for _, container := range tt.veleroDeployment.Spec.Template.Spec.Containers {
+					if container.Name == common.Velero {
+						for _, env := range container.Env {
+							if env.Name == "AZURE_CLIENT_ID" {
+								t.Errorf("AZURE_CLIENT_ID should not be set directly, it should come from the secret")
+							}
+							if env.Name == "AZURE_FEDERATED_TOKEN_FILE" {
+								t.Errorf("AZURE_FEDERATED_TOKEN_FILE should not be set directly, it should come from the secret")
+							}
+						}
+						break
+					}
+				}
 			} else {
 			}
 		})

internal/controller/velero_test.go

@@ -147,10 +147,6 @@ func (a awsBucketClient) getS3Client() (s3iface.S3API, error) {
 	return s3.New(s), nil
 }
 
-func (a awsBucketClient) ForceCredentialRefresh() error {
-	return fmt.Errorf("force credential refresh is not yet implemented")
-}
-
 func (a awsBucketClient) Delete() (bool, error) {
 	s3Client, err := a.getS3Client()
 	if err != nil {