Add check for AZURE_FEDERATED_TOKEN_FILE environment variable in Velero deployment test

Signed-off-by: Tiger Kaovilai <[email protected]>

Author: kaovilai

api/v1alpha1/cloudstorage_types.go

@@ -42,8 +42,11 @@ type CloudStorageSpec struct {
 	// region for the bucket to be in, will be us-east-1 if not set.
 	Region string `json:"region,omitempty"`
 	// provider is the provider of the cloud storage
-	// +kubebuilder:validation:Enum=aws
+	// +kubebuilder:validation:Enum=aws;azure;gcp
 	Provider CloudStorageProvider `json:"provider"`
+	// config is provider-specific configuration options
+	// +kubebuilder:validation:Optional
+	Config map[string]string `json:"config,omitempty"`
 
 	// https://pkg.go.dev/github.com/Azure/azure-sdk-for-go/sdk/storage/[email protected]#section-readme
 	// azure blob primary endpoint

api/v1alpha1/zz_generated.deepcopy.go

@@ -39,6 +39,11 @@ spec:
             type: object
           spec:
             properties:
+              config:
+                additionalProperties:
+                  type: string
+                description: config is provider-specific configuration options
+                type: object
               creationSecret:
                 description: creationSecret is the secret that is needed to be used
                   while creating the bucket.
@@ -75,6 +80,8 @@ spec:
                 description: provider is the provider of the cloud storage
                 enum:
                 - aws
+                - azure
+                - gcp
                 type: string
               region:
                 description: region for the bucket to be in, will be us-east-1 if

bundle/manifests/oadp.openshift.io_cloudstorages.yaml

@@ -39,6 +39,11 @@ spec:
             type: object
           spec:
             properties:
+              config:
+                additionalProperties:
+                  type: string
+                description: config is provider-specific configuration options
+                type: object
               creationSecret:
                 description: creationSecret is the secret that is needed to be used
                   while creating the bucket.
@@ -75,6 +80,8 @@ spec:
                 description: provider is the provider of the cloud storage
                 enum:
                 - aws
+                - azure
+                - gcp
                 type: string
               region:
                 description: region for the bucket to be in, will be us-east-1 if

config/crd/bases/oadp.openshift.io_cloudstorages.yaml

@@ -539,13 +539,15 @@ This enhancement eliminates the need to manually configure the region in the sec
 ### Azure Workload Identity Implementation
 
 #### Azure Environment Variables
+
 ```go
 ClientIDEnvKey      = "AZURE_CLIENT_ID"       // Azure managed identity client ID
 TenantIDEnvKey      = "AZURE_TENANT_ID"       // Azure tenant ID
 SubscriptionIDEnvKey = "AZURE_SUBSCRIPTION_ID" // Azure subscription ID
 ```
 
 #### Azure Prerequisites
+
 1. **OpenShift cluster with Azure Workload Identity enabled**
    - Cluster must be installed with manual credentials mode
    - Reference: [Installing a cluster on Azure with short-term credentials](https://docs.redhat.com/en/documentation/openshift_container_platform/latest/html-single/installing_on_azure/#installing-azure-with-short-term-creds_installing-azure-customizations)
@@ -585,6 +587,7 @@ The OADP operator automatically patches the Azure credentials secret with the `A
 **Important**: The standardized flow only supports the first BSL configuration. Additional BSLs with different resource groups require separate credentials and should not use the standardized flow secret.
 
 #### Azure DPA Configuration
+
 ```yaml
 apiVersion: oadp.openshift.io/v1alpha1
 kind: DataProtectionApplication
@@ -615,6 +618,7 @@ spec:
 ### GCP Workload Identity Federation Implementation
 
 #### GCP Environment Variables
+
 ```go
 ProjectNumberEnvKey       = "PROJECT_NUMBER"        // GCP project number
 PoolIDEnvKey              = "POOL_ID"               // Workload identity pool ID
@@ -623,6 +627,7 @@ ServiceAccountEmailEnvKey = "SERVICE_ACCOUNT_EMAIL" // Service account email to
 ```
 
 #### GCP Prerequisites
+
 1. **OpenShift cluster with GCP Workload Identity Federation enabled**
    - Cluster must be installed with manual credentials mode
    - Workload Identity Pool and Provider must be configured
@@ -674,6 +679,7 @@ ServiceAccountEmailEnvKey = "SERVICE_ACCOUNT_EMAIL" // Service account email to
    ```
 
 #### GCP Secret Creation
+
 The `CreateOrUpdateSTSGCPSecret` function creates a Secret with the required GCP WIF configuration:
 
 ```go
@@ -701,11 +707,13 @@ func CreateOrUpdateSTSGCPSecret(setupLog logr.Logger, serviceAccountEmail, proje
 ```
 
 #### GCP Secret Format
+
 - **Secret Name**: `cloud-credentials-gcp`
 - **Secret Key**: `service_account.json`
 - **Content**: GCP external account JSON following Google's external account format
 
 #### GCP DPA Configuration
+
 ```yaml
 apiVersion: oadp.openshift.io/v1alpha1
 kind: DataProtectionApplication

docs/standardized-flow-implementation.md

@@ -2579,6 +2579,9 @@ func TestDPAReconciler_buildVeleroDeploymentWithAzureWorkloadIdentity(t *testing
 				if !foundClientIDEnvVar {
 					t.Errorf("Expected AZURE_CLIENT_ID environment variable to be set")
 				}
+				if !foundTokenFileEnvVar {
+					t.Errorf("Expected AZURE_FEDERATED_TOKEN_FILE environment variable to be set")
+				}
 			} else {
 			}
 		})

internal/controller/velero_test.go

@@ -147,10 +147,6 @@ func (a awsBucketClient) getS3Client() (s3iface.S3API, error) {
 	return s3.New(s), nil
 }
 
-func (a awsBucketClient) ForceCredentialRefresh() error {
-	return fmt.Errorf("force credential refresh is not yet implemented")
-}
-
 func (a awsBucketClient) Delete() (bool, error) {
 	s3Client, err := a.getS3Client()
 	if err != nil {