Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

conductor: Add support for Azure Backup and Restore #980

Merged
merged 47 commits into from
Oct 21, 2024
Merged

conductor: Add support for Azure Backup and Restore #980

merged 47 commits into from
Oct 21, 2024

Conversation

ianstanton
Copy link
Member

@ianstanton ianstanton commented Sep 26, 2024
edited
Loading

This PR adds steps for creating the Azure 'IAM' resources necessary for instances to perform backup / restore with Azure Blob Storage.

When an instance using Azure is created:

  • Creates User Assigned Managed Identity
  • Creates Role Assignment
  • Creates Federated Credentials
  • Passes relevant info as part of the CoreDB spec

When an instance using Azure is deleted:

  • Deletes the User Assigned Managed Identity

Note: This only supports the backup archive bucket at the moment. We'll add support for the storage archive bucket as a follow-up

@ianstanton
Add init_azure_storage_workload_identity
e26ec86 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Add scratch uami_builder
e54ea75 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Updatescratch uami_builder
ed3c480 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Add UAMI create example
357654d 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Merge branch 'slf-113' into slf-113-conductor
f13731b
@ianstanton
Create role assignment
8c7e9b8 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Refactor uami and role assignment functions
6b1666b 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Update parameters for create_uami
7f7ff0d 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Add get_credentials
1dd3e2e 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Use workload identity credentials
58c5540 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Add create_federated_identity_credentials
37272f2 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Set federated identity properties
9c897c9 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Add todo
13e88f3 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Delete UAMI
76ee7e1 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Generate random UUID for Role Assignment
11b2ca5 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Get role definition id
56588b7 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Add Azure environment variables
fd3b335 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Set scope for get_role_definition_id
5c50c29 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Add get_storage_account_id
d2109d0 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Return AzureError in relevant functions
569b4db 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Add get_cluster_issuer
a4b9107 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Use REST API in get_cluster_issuer
1402002 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Drop azure_mgmt_hybridkubernetes
6968daf 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Call from main
89815e0 
Signed-off-by: Ian Stanton <ian@tembo.io>
@nhudson nhudson marked this pull request as ready for review October 16, 2024 21:13
@ianstanton ianstanton marked this pull request as draft October 16, 2024 21:19
@ianstanton ianstanton marked this pull request as ready for review October 17, 2024 19:45
@ianstanton ianstanton requested review from shahadarsh and removed request for ChuckHend October 17, 2024 19:48
@ianstanton
Remove extra arg
442b014 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Fix parameter order
e81f4e1 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Temp hardcode storage rg
d859b46 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Pass azure_storage_account
a70da0e 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Temp hardcode cluster name
fd1e304 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Check if role assignment exists
54fdef7 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Print role assignment details
a92fb61 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Update scope for role assignment list
82c9412 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
List role assignments for subscription
c9759cb 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Pass uami principal id
8e75193 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Clean up role assignment info
c5a11d8 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Set ServiceAccountTemplate
2060555 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Add CloudProvider Azure
4c064bb 
Signed-off-by: Ian Stanton <ian@tembo.io>
nhudson
nhudson requested changes Oct 18, 2024
View reviewed changes
Copy link
Collaborator

@nhudson nhudson left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Might be good to add a check like these to make sure you can't set aws or gcp also at the same time. Other than that LGTM! Great work!

    // Error and exit if both IS_CLOUD_FORMATION and IS_GCP are set to true
    if is_cloud_formation && is_gcp {
        panic!("Cannot have both IS_CLOUD_FORMATION and IS_GCP set to true");
    }

    // Error and exit if IS_GCP is true and GCP_PROJECT_ID or GCP_PROJECT_NUMBER are not set
    if is_gcp && (gcp_project_id.is_empty() || gcp_project_number.is_empty()) {
        panic!("GCP_PROJECT_ID and GCP_PROJECT_NUMBER must be set if IS_GCP is true");
    }

@ianstanton
Check only one cloud provider is true
a4b9cd5 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Copy link
Member Author

Might be good to add a check like these to make sure you can't set aws or gcp also at the same time. Other than that LGTM! Great work!

    // Error and exit if both IS_CLOUD_FORMATION and IS_GCP are set to true
    if is_cloud_formation && is_gcp {
        panic!("Cannot have both IS_CLOUD_FORMATION and IS_GCP set to true");
    }

    // Error and exit if IS_GCP is true and GCP_PROJECT_ID or GCP_PROJECT_NUMBER are not set
    if is_gcp && (gcp_project_id.is_empty() || gcp_project_number.is_empty()) {
        panic!("GCP_PROJECT_ID and GCP_PROJECT_NUMBER must be set if IS_GCP is true");
    }

Thanks, good suggestion! Addressed here a4b9cd5

@ianstanton
Use prefix for working with multiple resource groups
81a4c71 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Format cluster name
75160e6 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Clean up returns and info
bb32a04 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Check for required azure env vars
0b93513 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton
Cleanup
1895bdf 
Signed-off-by: Ian Stanton <ian@tembo.io>
@ianstanton ianstanton merged commit 34a3442 into slf-113 Oct 21, 2024
9 checks passed
@ianstanton ianstanton deleted the slf-113-conductor branch October 21, 2024 20:42
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@nhudson nhudson nhudson approved these changes

@vrmiguel vrmiguel vrmiguel approved these changes

@shahadarsh shahadarsh Awaiting requested review from shahadarsh

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
3 participants
@ianstanton @nhudson @vrmiguel