OADP-5973, OADP-3340, OADP-6212: AWS, GCP, Azure Standardized Flow Implementation #1712

kaovilai · 2025-04-14T21:42:39Z

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

openshift/enhancements#1800 is allowing us to pursue direct secret creation using fields from Standardized Flow Operator Install.

This PR implements direct secret creation from Standardized Flow user inputs for GCP, Azure, and refactored AWS to do the same for convenience.

The dev testing in this PR however covers only GCP for OADP-5973.

AWS will have further enhancements around adding region to secret from BSL in the future.
Azure STS (OADP-3340) will be tested separately and may not need another code PR if all goes well.

Further, this PR is not intended to cover CloudStorage API enablement for GCP and Azure which will also by proxy test the functionality here.

How to test the changes made

Create GCP WIF cluster
Prepare following information from cluster
GCP Project Number
workload-identity-pool
workload-identity-provider

Create a service account (SA) with following roles

compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Note SA email for next steps.

Grant velero k8s SA system:serviceaccount:openshift-adp:velero roles/iam.serviceAccountTokenCreator role to the GCP SA email above like so.

gcloud iam service-accounts add-iam-policy-binding <SA email> \
    --project=gc-acm-demo \
    --role=roles/iam.serviceAccountTokenCreator \
    --member="principal://iam.googleapis.com/projects/<GCP Project Number>/locations/global/workloadIdentityPools/<workload-identity-pool>/subject/system:serviceaccount:openshift-adp:velero

make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0

$(BROWSER) $(oc whoami --show-console)/operatorhub/subscribe?pkg=oadp-operator&catalog=oadp-operator-catalog&catalogNamespace=openshift-adp&targetNamespace=openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0&tokenizedAuth=GCP

Tip

The url contains &tokenizedAuth=GCP and so you can actually test the secret creation functionality on a non GCP WIF cluster.
You can input dummy data and see secret created.

Enter requested info

create dpa

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: gcp-standardized-flow
  namespace: openshift-adp
spec:
  backupLocations:
    - velero:
        provider: gcp
        default: true
        credential:
          key: service_account.json
          name: cloud-credentials-gcp 
        objectStorage:
          bucket: tkaovila-bucket
          prefix: gcp-standardized-flow
  configuration:
    velero:
      defaultPlugins:
          - gcp
          - openshift

bsl is available

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
  resourceVersion: '16976596'
  name: gcp-standardized-flow-1
  uid: febdb8be-7912-4ea7-beb2-894093e3f5d9
  creationTimestamp: '2025-05-23T17:39:15Z'
  generation: 4
  namespace: openshift-adp
  ownerReferences:
    - apiVersion: oadp.openshift.io/v1alpha1
      blockOwnerDeletion: true
      controller: true
      kind: DataProtectionApplication
      name: gcp-standardized-flow
      uid: 04613474-736e-4dec-81c7-bee8716c7413
  labels:
    app.kubernetes.io/component: bsl
    app.kubernetes.io/instance: gcp-standardized-flow-1
    app.kubernetes.io/managed-by: oadp-operator
    app.kubernetes.io/name: oadp-operator-velero
    openshift.io/oadp: 'True'
    openshift.io/oadp-registry: 'True'
spec:
  credential:
    key: service_account.json
    name: cloud-credentials-gcp
  default: true
  objectStorage:
    bucket: tkaovila-bucket
    prefix: gcp-standardized-flow2
  provider: gcp
status:
  lastSyncedTime: '2025-05-23T17:40:02Z'
  lastValidationTime: '2025-05-23T17:40:22Z'
  phase: Available

run backup, successful.

apiVersion: velero.io/v1
kind: Backup
metadata:
  annotations:
    velero.io/resource-timeout: 10m0s
    velero.io/source-cluster-k8s-gitversion: v1.32.3
    velero.io/source-cluster-k8s-major-version: '1'
    velero.io/source-cluster-k8s-minor-version: '32'
  resourceVersion: '16977187'
  name: backup
  uid: 05607af6-73d7-462d-b296-65d1417ac649
  creationTimestamp: '2025-05-23T17:41:46Z'
  generation: 6
  namespace: openshift-adp
  labels:
    velero.io/storage-location: gcp-standardized-flow-1
spec:
  csiSnapshotTimeout: 10m0s
  defaultVolumesToFsBackup: false
  includedNamespaces:
    - default
  itemOperationTimeout: 4h0m0s
  snapshotMoveData: false
  storageLocation: gcp-standardized-flow-1
  ttl: 720h0m0s
status:
  completionTimestamp: '2025-05-23T17:41:50Z'
  expiration: '2025-06-22T17:41:46Z'
  formatVersion: 1.1.0
  hookStatus: {}
  phase: Completed
  progress:
    itemsBackedUp: 33
    totalItems: 33
  startTimestamp: '2025-05-23T17:41:46Z'
  version: 1

openshift-ci · 2025-04-14T21:42:43Z

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

openshift-ci · 2025-04-14T21:42:53Z

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Needs approval from an approver in each of these files:

~~OWNERS~~ [kaovilai]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

kaovilai · 2025-04-14T21:58:38Z

/test ci/prow/unit-test

openshift-ci · 2025-04-14T21:58:42Z

@kaovilai: The specified target(s) for /test were not found.
The following commands are available to trigger required jobs:

/test 4.19-ci-index

/test 4.19-e2e-test-aws

/test 4.19-e2e-test-kubevirt-aws

/test 4.19-images

/test images

/test unit-test

The following commands are available to trigger optional jobs:

/test 4.19-e2e-test-hcp-aws

/test 4.19-e2e-test-hcp-aws-periodic

Use /test all to run all jobs.

In response to this:

/test ci/prow/unit-test

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository.

kaovilai · 2025-04-14T21:58:48Z

/test unit-test

docs/gcp-wif-support-implementation.md

pkg/common/common.go

cmd/main.go

weshayutin · 2025-04-29T00:43:06Z

let's keep pushing on this please

openshift-ci-robot · 2025-04-29T21:47:32Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

How to test the changes made

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-04-29T23:10:01Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

How to test the changes made
make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-04-29T23:12:27Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

How to test the changes made
make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0
go to $(oc whoami --show-console)/operatorhub/ns/openshift-adp?keyword=oadp&details-item=oadp-operator-oadp-operator-catalog-openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-04-29T23:54:45Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.19.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

How to test the changes made

Create GCP WIF cluster
Prepare following information from cluster
GCP Project Number
workload-identity-pool
workload-identity-provider

Create a service account with following roles
compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
Note its email for next steps.
make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0
$(BROWSER) $(oc whoami --show-console)/operatorhub/subscribe?pkg=oadp-operator&catalog=oadp-operator-catalog&catalogNamespace=openshift-adp&targetNamespace=openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0&tokenizedAuth=GCP
Enter requested info

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

kaovilai · 2025-05-20T15:19:15Z

/hold for further testing
but code structure overall had been refactored and ready for first pass 👀

Now aligns with openshift/enhancements#1800 and not using credentialsRequest CR

kaovilai · 2025-05-23T17:55:33Z

Got a valid backup and available bsl..

/unhold

TODO: validate azure and aws also works

openshift-ci-robot · 2025-05-23T17:58:45Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

How to test the changes made

Create GCP WIF cluster
Prepare following information from cluster
GCP Project Number
workload-identity-pool
workload-identity-provider

Create a service account (SA) with following roles

compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Note SA email for next steps.

Grant velero k8s SA system:serviceaccount:openshift-adp:velero roles/iam.serviceAccountTokenCreator role to the GCP SA email above like so.

gcloud iam service-accounts add-iam-policy-binding <SA email> \
   --project=gc-acm-demo \
   --role=roles/iam.serviceAccountTokenCreator \
   --member="principal://iam.googleapis.com/projects/<GCP Project Number>/locations/global/workloadIdentityPools/<workload-identity-pool>/subject/system:serviceaccount:openshift-adp:velero

make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0

$(BROWSER) $(oc whoami --show-console)/operatorhub/subscribe?pkg=oadp-operator&catalog=oadp-operator-catalog&catalogNamespace=openshift-adp&targetNamespace=openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0&tokenizedAuth=GCP

Enter requested info

create dpa

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
 name: gcp-standardized-flow
 namespace: openshift-adp
spec:
 backupLocations:
   - velero:
       provider: gcp
       default: true
       credential:
         key: service_account.json
         name: cloud-credentials-gcp 
       objectStorage:
         bucket: tkaovila-bucket
         prefix: gcp-standardized-flow
 configuration:
   velero:
     defaultPlugins:
         - gcp
         - openshift

bsl is available

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
 resourceVersion: '16976596'
 name: gcp-standardized-flow-1
 uid: febdb8be-7912-4ea7-beb2-894093e3f5d9
 creationTimestamp: '2025-05-23T17:39:15Z'
 generation: 4
 namespace: openshift-adp
 ownerReferences:
   - apiVersion: oadp.openshift.io/v1alpha1
     blockOwnerDeletion: true
     controller: true
     kind: DataProtectionApplication
     name: gcp-standardized-flow
     uid: 04613474-736e-4dec-81c7-bee8716c7413
 labels:
   app.kubernetes.io/component: bsl
   app.kubernetes.io/instance: gcp-standardized-flow-1
   app.kubernetes.io/managed-by: oadp-operator
   app.kubernetes.io/name: oadp-operator-velero
   openshift.io/oadp: 'True'
   openshift.io/oadp-registry: 'True'
spec:
 credential:
   key: service_account.json
   name: cloud-credentials-gcp
 default: true
 objectStorage:
   bucket: tkaovila-bucket
   prefix: gcp-standardized-flow2
 provider: gcp
status:
 lastSyncedTime: '2025-05-23T17:40:02Z'
 lastValidationTime: '2025-05-23T17:40:22Z'
 phase: Available

run backup, successful.

apiVersion: velero.io/v1
kind: Backup
metadata:
 annotations:
   velero.io/resource-timeout: 10m0s
   velero.io/source-cluster-k8s-gitversion: v1.32.3
   velero.io/source-cluster-k8s-major-version: '1'
   velero.io/source-cluster-k8s-minor-version: '32'
 resourceVersion: '16977187'
 name: backup
 uid: 05607af6-73d7-462d-b296-65d1417ac649
 creationTimestamp: '2025-05-23T17:41:46Z'
 generation: 6
 namespace: openshift-adp
 labels:
   velero.io/storage-location: gcp-standardized-flow-1
spec:
 csiSnapshotTimeout: 10m0s
 defaultVolumesToFsBackup: false
 includedNamespaces:
   - default
 itemOperationTimeout: 4h0m0s
 snapshotMoveData: false
 storageLocation: gcp-standardized-flow-1
 ttl: 720h0m0s
status:
 completionTimestamp: '2025-05-23T17:41:50Z'
 expiration: '2025-06-22T17:41:46Z'
 formatVersion: 1.1.0
 hookStatus: {}
 phase: Completed
 progress:
   itemsBackedUp: 33
   totalItems: 33
 startTimestamp: '2025-05-23T17:41:46Z'
 version: 1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-05-23T18:11:50Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

openshift/enhancements#1800 allowed us to pursue direct secret creation using fields from Standardized Flow Operator Install.

This PR implements direct secret creation from Standardized Flow user inputs for GCP, Azure, and refactored AWS to do the same for convenience.

The dev testing in this PR however covers only GCP for OADP-5973.

AWS will have further enhancements around region from BSL in the future.
Azure STS will be tested separately and may not need another code PR if all goes well.

Further, this PR is not intended to cover CloudStorage API enablement for GCP and Azure which will also by proxy test the functionality here.

How to test the changes made

Create GCP WIF cluster
Prepare following information from cluster
GCP Project Number
workload-identity-pool
workload-identity-provider

Create a service account (SA) with following roles

compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Note SA email for next steps.

Grant velero k8s SA system:serviceaccount:openshift-adp:velero roles/iam.serviceAccountTokenCreator role to the GCP SA email above like so.

gcloud iam service-accounts add-iam-policy-binding <SA email> \
   --project=gc-acm-demo \
   --role=roles/iam.serviceAccountTokenCreator \
   --member="principal://iam.googleapis.com/projects/<GCP Project Number>/locations/global/workloadIdentityPools/<workload-identity-pool>/subject/system:serviceaccount:openshift-adp:velero

make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0

$(BROWSER) $(oc whoami --show-console)/operatorhub/subscribe?pkg=oadp-operator&catalog=oadp-operator-catalog&catalogNamespace=openshift-adp&targetNamespace=openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0&tokenizedAuth=GCP

Enter requested info

create dpa

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
 name: gcp-standardized-flow
 namespace: openshift-adp
spec:
 backupLocations:
   - velero:
       provider: gcp
       default: true
       credential:
         key: service_account.json
         name: cloud-credentials-gcp 
       objectStorage:
         bucket: tkaovila-bucket
         prefix: gcp-standardized-flow
 configuration:
   velero:
     defaultPlugins:
         - gcp
         - openshift

bsl is available

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
 resourceVersion: '16976596'
 name: gcp-standardized-flow-1
 uid: febdb8be-7912-4ea7-beb2-894093e3f5d9
 creationTimestamp: '2025-05-23T17:39:15Z'
 generation: 4
 namespace: openshift-adp
 ownerReferences:
   - apiVersion: oadp.openshift.io/v1alpha1
     blockOwnerDeletion: true
     controller: true
     kind: DataProtectionApplication
     name: gcp-standardized-flow
     uid: 04613474-736e-4dec-81c7-bee8716c7413
 labels:
   app.kubernetes.io/component: bsl
   app.kubernetes.io/instance: gcp-standardized-flow-1
   app.kubernetes.io/managed-by: oadp-operator
   app.kubernetes.io/name: oadp-operator-velero
   openshift.io/oadp: 'True'
   openshift.io/oadp-registry: 'True'
spec:
 credential:
   key: service_account.json
   name: cloud-credentials-gcp
 default: true
 objectStorage:
   bucket: tkaovila-bucket
   prefix: gcp-standardized-flow2
 provider: gcp
status:
 lastSyncedTime: '2025-05-23T17:40:02Z'
 lastValidationTime: '2025-05-23T17:40:22Z'
 phase: Available

run backup, successful.

apiVersion: velero.io/v1
kind: Backup
metadata:
 annotations:
   velero.io/resource-timeout: 10m0s
   velero.io/source-cluster-k8s-gitversion: v1.32.3
   velero.io/source-cluster-k8s-major-version: '1'
   velero.io/source-cluster-k8s-minor-version: '32'
 resourceVersion: '16977187'
 name: backup
 uid: 05607af6-73d7-462d-b296-65d1417ac649
 creationTimestamp: '2025-05-23T17:41:46Z'
 generation: 6
 namespace: openshift-adp
 labels:
   velero.io/storage-location: gcp-standardized-flow-1
spec:
 csiSnapshotTimeout: 10m0s
 defaultVolumesToFsBackup: false
 includedNamespaces:
   - default
 itemOperationTimeout: 4h0m0s
 snapshotMoveData: false
 storageLocation: gcp-standardized-flow-1
 ttl: 720h0m0s
status:
 completionTimestamp: '2025-05-23T17:41:50Z'
 expiration: '2025-06-22T17:41:46Z'
 formatVersion: 1.1.0
 hookStatus: {}
 phase: Completed
 progress:
   itemsBackedUp: 33
   totalItems: 33
 startTimestamp: '2025-05-23T17:41:46Z'
 version: 1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-05-23T18:11:54Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

openshift/enhancements#1800 allowed us to pursue direct secret creation using fields from Standardized Flow Operator Install.

This PR implements direct secret creation from Standardized Flow user inputs for GCP, Azure, and refactored AWS to do the same for convenience.

The dev testing in this PR however covers only GCP for OADP-5973.

AWS will have further enhancements around region from BSL in the future.
Azure STS will be tested separately and may not need another code PR if all goes well.

Further, this PR is not intended to cover CloudStorage API enablement for GCP and Azure which will also by proxy test the functionality here.

How to test the changes made

Create GCP WIF cluster
Prepare following information from cluster
GCP Project Number
workload-identity-pool
workload-identity-provider

Create a service account (SA) with following roles

compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Note SA email for next steps.

Grant velero k8s SA system:serviceaccount:openshift-adp:velero roles/iam.serviceAccountTokenCreator role to the GCP SA email above like so.

gcloud iam service-accounts add-iam-policy-binding <SA email> \
   --project=gc-acm-demo \
   --role=roles/iam.serviceAccountTokenCreator \
   --member="principal://iam.googleapis.com/projects/<GCP Project Number>/locations/global/workloadIdentityPools/<workload-identity-pool>/subject/system:serviceaccount:openshift-adp:velero

make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0

$(BROWSER) $(oc whoami --show-console)/operatorhub/subscribe?pkg=oadp-operator&catalog=oadp-operator-catalog&catalogNamespace=openshift-adp&targetNamespace=openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0&tokenizedAuth=GCP

Enter requested info

create dpa

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
 name: gcp-standardized-flow
 namespace: openshift-adp
spec:
 backupLocations:
   - velero:
       provider: gcp
       default: true
       credential:
         key: service_account.json
         name: cloud-credentials-gcp 
       objectStorage:
         bucket: tkaovila-bucket
         prefix: gcp-standardized-flow
 configuration:
   velero:
     defaultPlugins:
         - gcp
         - openshift

bsl is available

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
 resourceVersion: '16976596'
 name: gcp-standardized-flow-1
 uid: febdb8be-7912-4ea7-beb2-894093e3f5d9
 creationTimestamp: '2025-05-23T17:39:15Z'
 generation: 4
 namespace: openshift-adp
 ownerReferences:
   - apiVersion: oadp.openshift.io/v1alpha1
     blockOwnerDeletion: true
     controller: true
     kind: DataProtectionApplication
     name: gcp-standardized-flow
     uid: 04613474-736e-4dec-81c7-bee8716c7413
 labels:
   app.kubernetes.io/component: bsl
   app.kubernetes.io/instance: gcp-standardized-flow-1
   app.kubernetes.io/managed-by: oadp-operator
   app.kubernetes.io/name: oadp-operator-velero
   openshift.io/oadp: 'True'
   openshift.io/oadp-registry: 'True'
spec:
 credential:
   key: service_account.json
   name: cloud-credentials-gcp
 default: true
 objectStorage:
   bucket: tkaovila-bucket
   prefix: gcp-standardized-flow2
 provider: gcp
status:
 lastSyncedTime: '2025-05-23T17:40:02Z'
 lastValidationTime: '2025-05-23T17:40:22Z'
 phase: Available

run backup, successful.

apiVersion: velero.io/v1
kind: Backup
metadata:
 annotations:
   velero.io/resource-timeout: 10m0s
   velero.io/source-cluster-k8s-gitversion: v1.32.3
   velero.io/source-cluster-k8s-major-version: '1'
   velero.io/source-cluster-k8s-minor-version: '32'
 resourceVersion: '16977187'
 name: backup
 uid: 05607af6-73d7-462d-b296-65d1417ac649
 creationTimestamp: '2025-05-23T17:41:46Z'
 generation: 6
 namespace: openshift-adp
 labels:
   velero.io/storage-location: gcp-standardized-flow-1
spec:
 csiSnapshotTimeout: 10m0s
 defaultVolumesToFsBackup: false
 includedNamespaces:
   - default
 itemOperationTimeout: 4h0m0s
 snapshotMoveData: false
 storageLocation: gcp-standardized-flow-1
 ttl: 720h0m0s
status:
 completionTimestamp: '2025-05-23T17:41:50Z'
 expiration: '2025-06-22T17:41:46Z'
 formatVersion: 1.1.0
 hookStatus: {}
 phase: Completed
 progress:
   itemsBackedUp: 33
   totalItems: 33
 startTimestamp: '2025-05-23T17:41:46Z'
 version: 1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-05-23T18:14:24Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

openshift/enhancements#1800 allowed us to pursue direct secret creation using fields from Standardized Flow Operator Install.

This PR implements direct secret creation from Standardized Flow user inputs for GCP, Azure, and refactored AWS to do the same for convenience.

The dev testing in this PR however covers only GCP for OADP-5973.

AWS will have further enhancements around region from BSL in the future.
Azure STS will be tested separately and may not need another code PR if all goes well.

Further, this PR is not intended to cover CloudStorage API enablement for GCP and Azure which will also by proxy test the functionality here.

How to test the changes made

Create GCP WIF cluster
Prepare following information from cluster
GCP Project Number
workload-identity-pool
workload-identity-provider

Create a service account (SA) with following roles

compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Note SA email for next steps.

Grant velero k8s SA system:serviceaccount:openshift-adp:velero roles/iam.serviceAccountTokenCreator role to the GCP SA email above like so.

gcloud iam service-accounts add-iam-policy-binding <SA email> \
   --project=gc-acm-demo \
   --role=roles/iam.serviceAccountTokenCreator \
   --member="principal://iam.googleapis.com/projects/<GCP Project Number>/locations/global/workloadIdentityPools/<workload-identity-pool>/subject/system:serviceaccount:openshift-adp:velero

make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0

$(BROWSER) $(oc whoami --show-console)/operatorhub/subscribe?pkg=oadp-operator&catalog=oadp-operator-catalog&catalogNamespace=openshift-adp&targetNamespace=openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0&tokenizedAuth=GCP

[!TIP]
The url contains &tokenizedAuth=GCP and so you can actually test the functionality on a non GCP WIF cluster.
You can input dummy data and see secret created.

Enter requested info

create dpa

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
 name: gcp-standardized-flow
 namespace: openshift-adp
spec:
 backupLocations:
   - velero:
       provider: gcp
       default: true
       credential:
         key: service_account.json
         name: cloud-credentials-gcp 
       objectStorage:
         bucket: tkaovila-bucket
         prefix: gcp-standardized-flow
 configuration:
   velero:
     defaultPlugins:
         - gcp
         - openshift

bsl is available

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
 resourceVersion: '16976596'
 name: gcp-standardized-flow-1
 uid: febdb8be-7912-4ea7-beb2-894093e3f5d9
 creationTimestamp: '2025-05-23T17:39:15Z'
 generation: 4
 namespace: openshift-adp
 ownerReferences:
   - apiVersion: oadp.openshift.io/v1alpha1
     blockOwnerDeletion: true
     controller: true
     kind: DataProtectionApplication
     name: gcp-standardized-flow
     uid: 04613474-736e-4dec-81c7-bee8716c7413
 labels:
   app.kubernetes.io/component: bsl
   app.kubernetes.io/instance: gcp-standardized-flow-1
   app.kubernetes.io/managed-by: oadp-operator
   app.kubernetes.io/name: oadp-operator-velero
   openshift.io/oadp: 'True'
   openshift.io/oadp-registry: 'True'
spec:
 credential:
   key: service_account.json
   name: cloud-credentials-gcp
 default: true
 objectStorage:
   bucket: tkaovila-bucket
   prefix: gcp-standardized-flow2
 provider: gcp
status:
 lastSyncedTime: '2025-05-23T17:40:02Z'
 lastValidationTime: '2025-05-23T17:40:22Z'
 phase: Available

run backup, successful.

apiVersion: velero.io/v1
kind: Backup
metadata:
 annotations:
   velero.io/resource-timeout: 10m0s
   velero.io/source-cluster-k8s-gitversion: v1.32.3
   velero.io/source-cluster-k8s-major-version: '1'
   velero.io/source-cluster-k8s-minor-version: '32'
 resourceVersion: '16977187'
 name: backup
 uid: 05607af6-73d7-462d-b296-65d1417ac649
 creationTimestamp: '2025-05-23T17:41:46Z'
 generation: 6
 namespace: openshift-adp
 labels:
   velero.io/storage-location: gcp-standardized-flow-1
spec:
 csiSnapshotTimeout: 10m0s
 defaultVolumesToFsBackup: false
 includedNamespaces:
   - default
 itemOperationTimeout: 4h0m0s
 snapshotMoveData: false
 storageLocation: gcp-standardized-flow-1
 ttl: 720h0m0s
status:
 completionTimestamp: '2025-05-23T17:41:50Z'
 expiration: '2025-06-22T17:41:46Z'
 formatVersion: 1.1.0
 hookStatus: {}
 phase: Completed
 progress:
   itemsBackedUp: 33
   totalItems: 33
 startTimestamp: '2025-05-23T17:41:46Z'
 version: 1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-05-23T18:14:55Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

openshift/enhancements#1800 allowed us to pursue direct secret creation using fields from Standardized Flow Operator Install.

This PR implements direct secret creation from Standardized Flow user inputs for GCP, Azure, and refactored AWS to do the same for convenience.

The dev testing in this PR however covers only GCP for OADP-5973.

AWS will have further enhancements around region from BSL in the future.
Azure STS will be tested separately and may not need another code PR if all goes well.

Further, this PR is not intended to cover CloudStorage API enablement for GCP and Azure which will also by proxy test the functionality here.

How to test the changes made

Create GCP WIF cluster
Prepare following information from cluster
GCP Project Number
workload-identity-pool
workload-identity-provider

Create a service account (SA) with following roles

compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Note SA email for next steps.

Grant velero k8s SA system:serviceaccount:openshift-adp:velero roles/iam.serviceAccountTokenCreator role to the GCP SA email above like so.

gcloud iam service-accounts add-iam-policy-binding <SA email> \
   --project=gc-acm-demo \
   --role=roles/iam.serviceAccountTokenCreator \
   --member="principal://iam.googleapis.com/projects/<GCP Project Number>/locations/global/workloadIdentityPools/<workload-identity-pool>/subject/system:serviceaccount:openshift-adp:velero

make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0

$(BROWSER) $(oc whoami --show-console)/operatorhub/subscribe?pkg=oadp-operator&catalog=oadp-operator-catalog&catalogNamespace=openshift-adp&targetNamespace=openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0&tokenizedAuth=GCP

[!TIP]
The url contains &tokenizedAuth=GCP and so you can actually test the secret creation functionality on a non GCP WIF cluster.
You can input dummy data and see secret created.

Enter requested info

create dpa

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
 name: gcp-standardized-flow
 namespace: openshift-adp
spec:
 backupLocations:
   - velero:
       provider: gcp
       default: true
       credential:
         key: service_account.json
         name: cloud-credentials-gcp 
       objectStorage:
         bucket: tkaovila-bucket
         prefix: gcp-standardized-flow
 configuration:
   velero:
     defaultPlugins:
         - gcp
         - openshift

bsl is available

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
 resourceVersion: '16976596'
 name: gcp-standardized-flow-1
 uid: febdb8be-7912-4ea7-beb2-894093e3f5d9
 creationTimestamp: '2025-05-23T17:39:15Z'
 generation: 4
 namespace: openshift-adp
 ownerReferences:
   - apiVersion: oadp.openshift.io/v1alpha1
     blockOwnerDeletion: true
     controller: true
     kind: DataProtectionApplication
     name: gcp-standardized-flow
     uid: 04613474-736e-4dec-81c7-bee8716c7413
 labels:
   app.kubernetes.io/component: bsl
   app.kubernetes.io/instance: gcp-standardized-flow-1
   app.kubernetes.io/managed-by: oadp-operator
   app.kubernetes.io/name: oadp-operator-velero
   openshift.io/oadp: 'True'
   openshift.io/oadp-registry: 'True'
spec:
 credential:
   key: service_account.json
   name: cloud-credentials-gcp
 default: true
 objectStorage:
   bucket: tkaovila-bucket
   prefix: gcp-standardized-flow2
 provider: gcp
status:
 lastSyncedTime: '2025-05-23T17:40:02Z'
 lastValidationTime: '2025-05-23T17:40:22Z'
 phase: Available

run backup, successful.

apiVersion: velero.io/v1
kind: Backup
metadata:
 annotations:
   velero.io/resource-timeout: 10m0s
   velero.io/source-cluster-k8s-gitversion: v1.32.3
   velero.io/source-cluster-k8s-major-version: '1'
   velero.io/source-cluster-k8s-minor-version: '32'
 resourceVersion: '16977187'
 name: backup
 uid: 05607af6-73d7-462d-b296-65d1417ac649
 creationTimestamp: '2025-05-23T17:41:46Z'
 generation: 6
 namespace: openshift-adp
 labels:
   velero.io/storage-location: gcp-standardized-flow-1
spec:
 csiSnapshotTimeout: 10m0s
 defaultVolumesToFsBackup: false
 includedNamespaces:
   - default
 itemOperationTimeout: 4h0m0s
 snapshotMoveData: false
 storageLocation: gcp-standardized-flow-1
 ttl: 720h0m0s
status:
 completionTimestamp: '2025-05-23T17:41:50Z'
 expiration: '2025-06-22T17:41:46Z'
 formatVersion: 1.1.0
 hookStatus: {}
 phase: Completed
 progress:
   itemsBackedUp: 33
   totalItems: 33
 startTimestamp: '2025-05-23T17:41:46Z'
 version: 1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-05-23T18:18:08Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

openshift/enhancements#1800 is allowing us to pursue direct secret creation using fields from Standardized Flow Operator Install.

This PR implements direct secret creation from Standardized Flow user inputs for GCP, Azure, and refactored AWS to do the same for convenience.

The dev testing in this PR however covers only GCP for OADP-5973.

AWS will have further enhancements around region from BSL in the future.
Azure STS will be tested separately and may not need another code PR if all goes well.

Further, this PR is not intended to cover CloudStorage API enablement for GCP and Azure which will also by proxy test the functionality here.

How to test the changes made

Create GCP WIF cluster
Prepare following information from cluster
GCP Project Number
workload-identity-pool
workload-identity-provider

Create a service account (SA) with following roles

compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Note SA email for next steps.

Grant velero k8s SA system:serviceaccount:openshift-adp:velero roles/iam.serviceAccountTokenCreator role to the GCP SA email above like so.

gcloud iam service-accounts add-iam-policy-binding <SA email> \
   --project=gc-acm-demo \
   --role=roles/iam.serviceAccountTokenCreator \
   --member="principal://iam.googleapis.com/projects/<GCP Project Number>/locations/global/workloadIdentityPools/<workload-identity-pool>/subject/system:serviceaccount:openshift-adp:velero

make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0

$(BROWSER) $(oc whoami --show-console)/operatorhub/subscribe?pkg=oadp-operator&catalog=oadp-operator-catalog&catalogNamespace=openshift-adp&targetNamespace=openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0&tokenizedAuth=GCP

[!TIP]
The url contains &tokenizedAuth=GCP and so you can actually test the secret creation functionality on a non GCP WIF cluster.
You can input dummy data and see secret created.

Enter requested info

create dpa

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
 name: gcp-standardized-flow
 namespace: openshift-adp
spec:
 backupLocations:
   - velero:
       provider: gcp
       default: true
       credential:
         key: service_account.json
         name: cloud-credentials-gcp 
       objectStorage:
         bucket: tkaovila-bucket
         prefix: gcp-standardized-flow
 configuration:
   velero:
     defaultPlugins:
         - gcp
         - openshift

bsl is available

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
 resourceVersion: '16976596'
 name: gcp-standardized-flow-1
 uid: febdb8be-7912-4ea7-beb2-894093e3f5d9
 creationTimestamp: '2025-05-23T17:39:15Z'
 generation: 4
 namespace: openshift-adp
 ownerReferences:
   - apiVersion: oadp.openshift.io/v1alpha1
     blockOwnerDeletion: true
     controller: true
     kind: DataProtectionApplication
     name: gcp-standardized-flow
     uid: 04613474-736e-4dec-81c7-bee8716c7413
 labels:
   app.kubernetes.io/component: bsl
   app.kubernetes.io/instance: gcp-standardized-flow-1
   app.kubernetes.io/managed-by: oadp-operator
   app.kubernetes.io/name: oadp-operator-velero
   openshift.io/oadp: 'True'
   openshift.io/oadp-registry: 'True'
spec:
 credential:
   key: service_account.json
   name: cloud-credentials-gcp
 default: true
 objectStorage:
   bucket: tkaovila-bucket
   prefix: gcp-standardized-flow2
 provider: gcp
status:
 lastSyncedTime: '2025-05-23T17:40:02Z'
 lastValidationTime: '2025-05-23T17:40:22Z'
 phase: Available

run backup, successful.

apiVersion: velero.io/v1
kind: Backup
metadata:
 annotations:
   velero.io/resource-timeout: 10m0s
   velero.io/source-cluster-k8s-gitversion: v1.32.3
   velero.io/source-cluster-k8s-major-version: '1'
   velero.io/source-cluster-k8s-minor-version: '32'
 resourceVersion: '16977187'
 name: backup
 uid: 05607af6-73d7-462d-b296-65d1417ac649
 creationTimestamp: '2025-05-23T17:41:46Z'
 generation: 6
 namespace: openshift-adp
 labels:
   velero.io/storage-location: gcp-standardized-flow-1
spec:
 csiSnapshotTimeout: 10m0s
 defaultVolumesToFsBackup: false
 includedNamespaces:
   - default
 itemOperationTimeout: 4h0m0s
 snapshotMoveData: false
 storageLocation: gcp-standardized-flow-1
 ttl: 720h0m0s
status:
 completionTimestamp: '2025-05-23T17:41:50Z'
 expiration: '2025-06-22T17:41:46Z'
 formatVersion: 1.1.0
 hookStatus: {}
 phase: Completed
 progress:
   itemsBackedUp: 33
   totalItems: 33
 startTimestamp: '2025-05-23T17:41:46Z'
 version: 1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-05-23T18:18:38Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

openshift/enhancements#1800 is allowing us to pursue direct secret creation using fields from Standardized Flow Operator Install.

This PR implements direct secret creation from Standardized Flow user inputs for GCP, Azure, and refactored AWS to do the same for convenience.

The dev testing in this PR however covers only GCP for OADP-5973.

AWS will have further enhancements around adding region to secret from BSL in the future.
Azure STS will be tested separately and may not need another code PR if all goes well.

Further, this PR is not intended to cover CloudStorage API enablement for GCP and Azure which will also by proxy test the functionality here.

How to test the changes made

Create GCP WIF cluster
Prepare following information from cluster
GCP Project Number
workload-identity-pool
workload-identity-provider

Create a service account (SA) with following roles

compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Note SA email for next steps.

Grant velero k8s SA system:serviceaccount:openshift-adp:velero roles/iam.serviceAccountTokenCreator role to the GCP SA email above like so.

gcloud iam service-accounts add-iam-policy-binding <SA email> \
   --project=gc-acm-demo \
   --role=roles/iam.serviceAccountTokenCreator \
   --member="principal://iam.googleapis.com/projects/<GCP Project Number>/locations/global/workloadIdentityPools/<workload-identity-pool>/subject/system:serviceaccount:openshift-adp:velero

make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0

$(BROWSER) $(oc whoami --show-console)/operatorhub/subscribe?pkg=oadp-operator&catalog=oadp-operator-catalog&catalogNamespace=openshift-adp&targetNamespace=openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0&tokenizedAuth=GCP

[!TIP]
The url contains &tokenizedAuth=GCP and so you can actually test the secret creation functionality on a non GCP WIF cluster.
You can input dummy data and see secret created.

Enter requested info

create dpa

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
 name: gcp-standardized-flow
 namespace: openshift-adp
spec:
 backupLocations:
   - velero:
       provider: gcp
       default: true
       credential:
         key: service_account.json
         name: cloud-credentials-gcp 
       objectStorage:
         bucket: tkaovila-bucket
         prefix: gcp-standardized-flow
 configuration:
   velero:
     defaultPlugins:
         - gcp
         - openshift

bsl is available

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
 resourceVersion: '16976596'
 name: gcp-standardized-flow-1
 uid: febdb8be-7912-4ea7-beb2-894093e3f5d9
 creationTimestamp: '2025-05-23T17:39:15Z'
 generation: 4
 namespace: openshift-adp
 ownerReferences:
   - apiVersion: oadp.openshift.io/v1alpha1
     blockOwnerDeletion: true
     controller: true
     kind: DataProtectionApplication
     name: gcp-standardized-flow
     uid: 04613474-736e-4dec-81c7-bee8716c7413
 labels:
   app.kubernetes.io/component: bsl
   app.kubernetes.io/instance: gcp-standardized-flow-1
   app.kubernetes.io/managed-by: oadp-operator
   app.kubernetes.io/name: oadp-operator-velero
   openshift.io/oadp: 'True'
   openshift.io/oadp-registry: 'True'
spec:
 credential:
   key: service_account.json
   name: cloud-credentials-gcp
 default: true
 objectStorage:
   bucket: tkaovila-bucket
   prefix: gcp-standardized-flow2
 provider: gcp
status:
 lastSyncedTime: '2025-05-23T17:40:02Z'
 lastValidationTime: '2025-05-23T17:40:22Z'
 phase: Available

run backup, successful.

apiVersion: velero.io/v1
kind: Backup
metadata:
 annotations:
   velero.io/resource-timeout: 10m0s
   velero.io/source-cluster-k8s-gitversion: v1.32.3
   velero.io/source-cluster-k8s-major-version: '1'
   velero.io/source-cluster-k8s-minor-version: '32'
 resourceVersion: '16977187'
 name: backup
 uid: 05607af6-73d7-462d-b296-65d1417ac649
 creationTimestamp: '2025-05-23T17:41:46Z'
 generation: 6
 namespace: openshift-adp
 labels:
   velero.io/storage-location: gcp-standardized-flow-1
spec:
 csiSnapshotTimeout: 10m0s
 defaultVolumesToFsBackup: false
 includedNamespaces:
   - default
 itemOperationTimeout: 4h0m0s
 snapshotMoveData: false
 storageLocation: gcp-standardized-flow-1
 ttl: 720h0m0s
status:
 completionTimestamp: '2025-05-23T17:41:50Z'
 expiration: '2025-06-22T17:41:46Z'
 formatVersion: 1.1.0
 hookStatus: {}
 phase: Completed
 progress:
   itemsBackedUp: 33
   totalItems: 33
 startTimestamp: '2025-05-23T17:41:46Z'
 version: 1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-05-23T18:20:00Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

openshift/enhancements#1800 is allowing us to pursue direct secret creation using fields from Standardized Flow Operator Install.

This PR implements direct secret creation from Standardized Flow user inputs for GCP, Azure, and refactored AWS to do the same for convenience.

The dev testing in this PR however covers only GCP for OADP-5973.

AWS will have further enhancements around adding region to secret from BSL in the future.
Azure STS (OADP-3340) will be tested separately and may not need another code PR if all goes well.

Further, this PR is not intended to cover CloudStorage API enablement for GCP and Azure which will also by proxy test the functionality here.

How to test the changes made

Create GCP WIF cluster
Prepare following information from cluster
GCP Project Number
workload-identity-pool
workload-identity-provider

Create a service account (SA) with following roles

compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Note SA email for next steps.

Grant velero k8s SA system:serviceaccount:openshift-adp:velero roles/iam.serviceAccountTokenCreator role to the GCP SA email above like so.

gcloud iam service-accounts add-iam-policy-binding <SA email> \
   --project=gc-acm-demo \
   --role=roles/iam.serviceAccountTokenCreator \
   --member="principal://iam.googleapis.com/projects/<GCP Project Number>/locations/global/workloadIdentityPools/<workload-identity-pool>/subject/system:serviceaccount:openshift-adp:velero

make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0

$(BROWSER) $(oc whoami --show-console)/operatorhub/subscribe?pkg=oadp-operator&catalog=oadp-operator-catalog&catalogNamespace=openshift-adp&targetNamespace=openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0&tokenizedAuth=GCP

[!TIP]
The url contains &tokenizedAuth=GCP and so you can actually test the secret creation functionality on a non GCP WIF cluster.
You can input dummy data and see secret created.

Enter requested info

create dpa

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
 name: gcp-standardized-flow
 namespace: openshift-adp
spec:
 backupLocations:
   - velero:
       provider: gcp
       default: true
       credential:
         key: service_account.json
         name: cloud-credentials-gcp 
       objectStorage:
         bucket: tkaovila-bucket
         prefix: gcp-standardized-flow
 configuration:
   velero:
     defaultPlugins:
         - gcp
         - openshift

bsl is available

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
 resourceVersion: '16976596'
 name: gcp-standardized-flow-1
 uid: febdb8be-7912-4ea7-beb2-894093e3f5d9
 creationTimestamp: '2025-05-23T17:39:15Z'
 generation: 4
 namespace: openshift-adp
 ownerReferences:
   - apiVersion: oadp.openshift.io/v1alpha1
     blockOwnerDeletion: true
     controller: true
     kind: DataProtectionApplication
     name: gcp-standardized-flow
     uid: 04613474-736e-4dec-81c7-bee8716c7413
 labels:
   app.kubernetes.io/component: bsl
   app.kubernetes.io/instance: gcp-standardized-flow-1
   app.kubernetes.io/managed-by: oadp-operator
   app.kubernetes.io/name: oadp-operator-velero
   openshift.io/oadp: 'True'
   openshift.io/oadp-registry: 'True'
spec:
 credential:
   key: service_account.json
   name: cloud-credentials-gcp
 default: true
 objectStorage:
   bucket: tkaovila-bucket
   prefix: gcp-standardized-flow2
 provider: gcp
status:
 lastSyncedTime: '2025-05-23T17:40:02Z'
 lastValidationTime: '2025-05-23T17:40:22Z'
 phase: Available

run backup, successful.

apiVersion: velero.io/v1
kind: Backup
metadata:
 annotations:
   velero.io/resource-timeout: 10m0s
   velero.io/source-cluster-k8s-gitversion: v1.32.3
   velero.io/source-cluster-k8s-major-version: '1'
   velero.io/source-cluster-k8s-minor-version: '32'
 resourceVersion: '16977187'
 name: backup
 uid: 05607af6-73d7-462d-b296-65d1417ac649
 creationTimestamp: '2025-05-23T17:41:46Z'
 generation: 6
 namespace: openshift-adp
 labels:
   velero.io/storage-location: gcp-standardized-flow-1
spec:
 csiSnapshotTimeout: 10m0s
 defaultVolumesToFsBackup: false
 includedNamespaces:
   - default
 itemOperationTimeout: 4h0m0s
 snapshotMoveData: false
 storageLocation: gcp-standardized-flow-1
 ttl: 720h0m0s
status:
 completionTimestamp: '2025-05-23T17:41:50Z'
 expiration: '2025-06-22T17:41:46Z'
 formatVersion: 1.1.0
 hookStatus: {}
 phase: Completed
 progress:
   itemsBackedUp: 33
   totalItems: 33
 startTimestamp: '2025-05-23T17:41:46Z'
 version: 1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

openshift-ci-robot · 2025-05-23T18:20:04Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

openshift/enhancements#1800 is allowing us to pursue direct secret creation using fields from Standardized Flow Operator Install.

This PR implements direct secret creation from Standardized Flow user inputs for GCP, Azure, and refactored AWS to do the same for convenience.

The dev testing in this PR however covers only GCP for OADP-5973.

AWS will have further enhancements around adding region to secret from BSL in the future.
Azure STS (OADP-3340) will be tested separately and may not need another code PR if all goes well.

Further, this PR is not intended to cover CloudStorage API enablement for GCP and Azure which will also by proxy test the functionality here.

How to test the changes made

Create GCP WIF cluster
Prepare following information from cluster
GCP Project Number
workload-identity-pool
workload-identity-provider

Create a service account (SA) with following roles

compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Note SA email for next steps.

Grant velero k8s SA system:serviceaccount:openshift-adp:velero roles/iam.serviceAccountTokenCreator role to the GCP SA email above like so.

gcloud iam service-accounts add-iam-policy-binding <SA email> \
   --project=gc-acm-demo \
   --role=roles/iam.serviceAccountTokenCreator \
   --member="principal://iam.googleapis.com/projects/<GCP Project Number>/locations/global/workloadIdentityPools/<workload-identity-pool>/subject/system:serviceaccount:openshift-adp:velero

make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0

$(BROWSER) $(oc whoami --show-console)/operatorhub/subscribe?pkg=oadp-operator&catalog=oadp-operator-catalog&catalogNamespace=openshift-adp&targetNamespace=openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0&tokenizedAuth=GCP

[!TIP]
The url contains &tokenizedAuth=GCP and so you can actually test the secret creation functionality on a non GCP WIF cluster.
You can input dummy data and see secret created.

Enter requested info

create dpa

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
 name: gcp-standardized-flow
 namespace: openshift-adp
spec:
 backupLocations:
   - velero:
       provider: gcp
       default: true
       credential:
         key: service_account.json
         name: cloud-credentials-gcp 
       objectStorage:
         bucket: tkaovila-bucket
         prefix: gcp-standardized-flow
 configuration:
   velero:
     defaultPlugins:
         - gcp
         - openshift

bsl is available

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
 resourceVersion: '16976596'
 name: gcp-standardized-flow-1
 uid: febdb8be-7912-4ea7-beb2-894093e3f5d9
 creationTimestamp: '2025-05-23T17:39:15Z'
 generation: 4
 namespace: openshift-adp
 ownerReferences:
   - apiVersion: oadp.openshift.io/v1alpha1
     blockOwnerDeletion: true
     controller: true
     kind: DataProtectionApplication
     name: gcp-standardized-flow
     uid: 04613474-736e-4dec-81c7-bee8716c7413
 labels:
   app.kubernetes.io/component: bsl
   app.kubernetes.io/instance: gcp-standardized-flow-1
   app.kubernetes.io/managed-by: oadp-operator
   app.kubernetes.io/name: oadp-operator-velero
   openshift.io/oadp: 'True'
   openshift.io/oadp-registry: 'True'
spec:
 credential:
   key: service_account.json
   name: cloud-credentials-gcp
 default: true
 objectStorage:
   bucket: tkaovila-bucket
   prefix: gcp-standardized-flow2
 provider: gcp
status:
 lastSyncedTime: '2025-05-23T17:40:02Z'
 lastValidationTime: '2025-05-23T17:40:22Z'
 phase: Available

run backup, successful.

apiVersion: velero.io/v1
kind: Backup
metadata:
 annotations:
   velero.io/resource-timeout: 10m0s
   velero.io/source-cluster-k8s-gitversion: v1.32.3
   velero.io/source-cluster-k8s-major-version: '1'
   velero.io/source-cluster-k8s-minor-version: '32'
 resourceVersion: '16977187'
 name: backup
 uid: 05607af6-73d7-462d-b296-65d1417ac649
 creationTimestamp: '2025-05-23T17:41:46Z'
 generation: 6
 namespace: openshift-adp
 labels:
   velero.io/storage-location: gcp-standardized-flow-1
spec:
 csiSnapshotTimeout: 10m0s
 defaultVolumesToFsBackup: false
 includedNamespaces:
   - default
 itemOperationTimeout: 4h0m0s
 snapshotMoveData: false
 storageLocation: gcp-standardized-flow-1
 ttl: 720h0m0s
status:
 completionTimestamp: '2025-05-23T17:41:50Z'
 expiration: '2025-06-22T17:41:46Z'
 formatVersion: 1.1.0
 hookStatus: {}
 phase: Completed
 progress:
   itemsBackedUp: 33
   totalItems: 33
 startTimestamp: '2025-05-23T17:41:46Z'
 version: 1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com> Add make targets sts-flow testing Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

kaovilai · 2025-05-28T21:12:36Z

/hold

While the work on GCP seem successful, this PR will be further enhanced with

region for AWS
- from dpa cloudstorage or backupstoragelocation
resource group for Azure
- from dpa cloudstorage or backupstoragelocation

openshift-ci-robot · 2025-05-28T21:39:56Z

@kaovilai: This pull request references OADP-5973 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

This pull request references OADP-3340 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

This pull request references OADP-6212 which is a valid jira issue.

Warning: The referenced jira issue has an invalid target version for the target branch this PR targets: expected the story to target the "4.20.0" version, but no target version was set.

In response to this:

Signed-off-by: Tiger Kaovilai tkaovila@redhat.com

Why the changes were made

openshift/enhancements#1800 is allowing us to pursue direct secret creation using fields from Standardized Flow Operator Install.

This PR implements direct secret creation from Standardized Flow user inputs for GCP, Azure, and refactored AWS to do the same for convenience.

The dev testing in this PR however covers only GCP for OADP-5973.

AWS will have further enhancements around adding region to secret from BSL in the future.
Azure STS (OADP-3340) will be tested separately and may not need another code PR if all goes well.

Further, this PR is not intended to cover CloudStorage API enablement for GCP and Azure which will also by proxy test the functionality here.

How to test the changes made

Create GCP WIF cluster
Prepare following information from cluster
GCP Project Number
workload-identity-pool
workload-identity-provider

Create a service account (SA) with following roles

compute.disks.create
compute.disks.createSnapshot
compute.disks.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list

Note SA email for next steps.

Grant velero k8s SA system:serviceaccount:openshift-adp:velero roles/iam.serviceAccountTokenCreator role to the GCP SA email above like so.

gcloud iam service-accounts add-iam-policy-binding <SA email> \
   --project=gc-acm-demo \
   --role=roles/iam.serviceAccountTokenCreator \
   --member="principal://iam.googleapis.com/projects/<GCP Project Number>/locations/global/workloadIdentityPools/<workload-identity-pool>/subject/system:serviceaccount:openshift-adp:velero

make deploy-olm && oc delete csv -n openshift-adp oadp-operator.v99.0.0

$(BROWSER) $(oc whoami --show-console)/operatorhub/subscribe?pkg=oadp-operator&catalog=oadp-operator-catalog&catalogNamespace=openshift-adp&targetNamespace=openshift-adp&channel=operator-sdk-run-bundle&version=99.0.0&tokenizedAuth=GCP

[!TIP]
The url contains &tokenizedAuth=GCP and so you can actually test the secret creation functionality on a non GCP WIF cluster.
You can input dummy data and see secret created.

Enter requested info

create dpa

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
 name: gcp-standardized-flow
 namespace: openshift-adp
spec:
 backupLocations:
   - velero:
       provider: gcp
       default: true
       credential:
         key: service_account.json
         name: cloud-credentials-gcp 
       objectStorage:
         bucket: tkaovila-bucket
         prefix: gcp-standardized-flow
 configuration:
   velero:
     defaultPlugins:
         - gcp
         - openshift

bsl is available

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
 resourceVersion: '16976596'
 name: gcp-standardized-flow-1
 uid: febdb8be-7912-4ea7-beb2-894093e3f5d9
 creationTimestamp: '2025-05-23T17:39:15Z'
 generation: 4
 namespace: openshift-adp
 ownerReferences:
   - apiVersion: oadp.openshift.io/v1alpha1
     blockOwnerDeletion: true
     controller: true
     kind: DataProtectionApplication
     name: gcp-standardized-flow
     uid: 04613474-736e-4dec-81c7-bee8716c7413
 labels:
   app.kubernetes.io/component: bsl
   app.kubernetes.io/instance: gcp-standardized-flow-1
   app.kubernetes.io/managed-by: oadp-operator
   app.kubernetes.io/name: oadp-operator-velero
   openshift.io/oadp: 'True'
   openshift.io/oadp-registry: 'True'
spec:
 credential:
   key: service_account.json
   name: cloud-credentials-gcp
 default: true
 objectStorage:
   bucket: tkaovila-bucket
   prefix: gcp-standardized-flow2
 provider: gcp
status:
 lastSyncedTime: '2025-05-23T17:40:02Z'
 lastValidationTime: '2025-05-23T17:40:22Z'
 phase: Available

run backup, successful.

apiVersion: velero.io/v1
kind: Backup
metadata:
 annotations:
   velero.io/resource-timeout: 10m0s
   velero.io/source-cluster-k8s-gitversion: v1.32.3
   velero.io/source-cluster-k8s-major-version: '1'
   velero.io/source-cluster-k8s-minor-version: '32'
 resourceVersion: '16977187'
 name: backup
 uid: 05607af6-73d7-462d-b296-65d1417ac649
 creationTimestamp: '2025-05-23T17:41:46Z'
 generation: 6
 namespace: openshift-adp
 labels:
   velero.io/storage-location: gcp-standardized-flow-1
spec:
 csiSnapshotTimeout: 10m0s
 defaultVolumesToFsBackup: false
 includedNamespaces:
   - default
 itemOperationTimeout: 4h0m0s
 snapshotMoveData: false
 storageLocation: gcp-standardized-flow-1
 ttl: 720h0m0s
status:
 completionTimestamp: '2025-05-23T17:41:50Z'
 expiration: '2025-06-22T17:41:46Z'
 formatVersion: 1.1.0
 hookStatus: {}
 phase: Completed
 progress:
   itemsBackedUp: 33
   totalItems: 33
 startTimestamp: '2025-05-23T17:41:46Z'
 version: 1

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

- Label STS-created secrets with "oadp.openshift.io/secret-type": "sts-credentials" - Implement automatic region patching for AWS STS secrets from BSL configuration - Implement automatic resource group patching for Azure STS secrets from BSL configuration - Ensure only STS-created secrets are patched by checking for specific keys: - AWS: "credentials" key with role_arn and web_identity_token_file content - Azure: "azurekey" key with AZURE_CLIENT_ID but no AZURE_CLIENT_SECRET - Add comprehensive test coverage for all patching scenarios - Update documentation to reflect dynamic configuration capabilities This enhancement allows the first BSL to automatically configure region (AWS) or resource group (Azure) in STS secrets, eliminating manual configuration needs.

kaovilai · 2025-06-06T20:31:28Z

Makefile

+deploy-olm-stsflow-aws: deploy-olm-stsflow ## Deploy via OLM with AWS STS standardized flow and create subscription with AWS env vars
+	@if [ -n "$(AWS_ROLE_ARN)" ]; then \
+		echo "Creating subscription with AWS STS environment variables..."; \
+		$(call create-sts-subscription,/tmp/oadp-aws-subscription.yaml); \
+		echo "    - name: ROLEARN" >> /tmp/oadp-aws-subscription.yaml; \
+		echo "      value: \"$(AWS_ROLE_ARN)\"" >> /tmp/oadp-aws-subscription.yaml; \
+		$(call apply-sts-subscription,/tmp/oadp-aws-subscription.yaml,AWS STS); \
+	else \
+		echo ""; \
+		echo "AWS STS environment variable not set. Please set:"; \
+		echo "  AWS_ROLE_ARN"; \
+		echo ""; \
+		echo "Example:"; \
+		echo "  make deploy-olm-stsflow-aws AWS_ROLE_ARN=arn:aws:iam::123456789012:role/my-oadp-role"; \
+	fi


AWS secret creation works

Creating subscription with AWS STS environment variables... subscription.operators.coreos.com/oadp-operator created Subscription created with AWS STS environment variables. Waiting for operator to be ready... Waiting for InstallPlan to be created... ....InstallPlan install-kmnzr found Waiting for CSV to exist... CSV oadp-operator.v99.0.0 found Waiting for CSV to be ready... clusterserviceversion.operators.coreos.com/oadp-operator.v99.0.0 condition met Operator is ready! NAME PACKAGE SOURCE CHANNEL oadp-operator oadp-operator oadp-operator-catalog operator-sdk-run-bundle NAME DISPLAY VERSION REPLACES PHASE oadp-operator.v99.0.0 OADP Operator 99.0.0 Succeeded ~/oadp-operator-cco-flow-gcp cco-flow-gcp 2m 2s ❯ oc get secrets -n openshift-adp NAME TYPE DATA AGE builder-dockercfg-4fhws kubernetes.io/dockercfg 1 9m12s cloud-credentials Opaque 1 30s default-dockercfg-46hxm kubernetes.io/dockercfg 1 9m12s deployer-dockercfg-pqs7b kubernetes.io/dockercfg 1 9m12s non-admin-controller-dockercfg-z8sdp kubernetes.io/dockercfg 1 32s openshift-adp-controller-manager-dockercfg-2tv74 kubernetes.io/dockercfg 1 33s velero-dockercfg-kz5vt kubernetes.io/dockercfg 1 32s

dev verified that this PR secret allows for CloudStorage API for aws sts to create bucket and bsl is available.

enhancing with secret region patching to close https://issues.redhat.com/browse/CCO-625
and remove https://issues.redhat.com/browse/OADP-5354 workaround.

secret region from bsl is now working

The BSL controller patches AWS secrets with region information by modifying the Data field directly, but the STS flow was completely replacing StringData which caused region patches to be overridden. This change preserves existing Data when updating STS secrets by only updating specific StringData fields rather than clearing all existing data.

openshift-ci · 2025-06-07T00:40:10Z

@kaovilai: all tests passed!

Full PR test history. Your PR dashboard.

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes-sigs/prow repository. I understand the commands that are listed here.

kaovilai · 2025-06-08T05:47:08Z

Makefile

+	fi
+
+.PHONY: deploy-olm-stsflow-azure
+deploy-olm-stsflow-azure: deploy-olm-stsflow ## Deploy via OLM with Azure Workload Identity standardized flow and create subscription with Azure env vars


Currently blocked from verifying azure.

openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Apr 14, 2025

openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Apr 14, 2025

mateusoliveira43 reviewed Apr 15, 2025

View reviewed changes

docs/gcp-wif-support-implementation.md Outdated Show resolved Hide resolved

mateusoliveira43 reviewed Apr 15, 2025

View reviewed changes

pkg/common/common.go Outdated Show resolved Hide resolved

mateusoliveira43 reviewed Apr 15, 2025

View reviewed changes

pkg/common/common.go Outdated Show resolved Hide resolved

mateusoliveira43 reviewed Apr 15, 2025

View reviewed changes

cmd/main.go Outdated Show resolved Hide resolved

kaovilai changed the title ~~GCP CCO Implementation~~ OADP-5973: GCP CCO Implementation Apr 29, 2025

openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Apr 29, 2025

kaovilai force-pushed the cco-flow-gcp branch from b013731 to 65e229c Compare April 30, 2025 00:20

kaovilai changed the title ~~OADP-5973: GCP CCO Implementation~~ OADP-5973: GCP Standardized Flow Implementation May 15, 2025

kaovilai force-pushed the cco-flow-gcp branch 7 times, most recently from 1f8aa7e to 381a1dc Compare May 20, 2025 05:31

kaovilai marked this pull request as ready for review May 20, 2025 15:19

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 20, 2025

kaovilai force-pushed the cco-flow-gcp branch from 3efa83b to 3ef2a5d Compare May 23, 2025 17:54

openshift-ci bot removed the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 23, 2025

kaovilai force-pushed the cco-flow-gcp branch from 3ef2a5d to 5584674 Compare May 23, 2025 18:04

kaovilai changed the title ~~OADP-5973: GCP Standardized Flow Implementation~~ OADP-5973: GCP Standardized Flow Implementation, unCCO AWS. May 23, 2025

kaovilai force-pushed the cco-flow-gcp branch 5 times, most recently from a10818c to 3cf7182 Compare May 27, 2025 22:03

AWS, GCP, Azure Standardized Flow Secret Creation

d256883

Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com> Add make targets sts-flow testing Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>

kaovilai force-pushed the cco-flow-gcp branch from 3cf7182 to d256883 Compare May 28, 2025 02:37

openshift-ci bot added the do-not-merge/hold Indicates that a PR should not merge because someone has issued a /hold command. label May 28, 2025

kaovilai changed the title ~~OADP-5973: GCP Standardized Flow Implementation, unCCO AWS.~~ OADP-5973, OADP-3340, OADP-6212: AWS, GCP, Azure Standardized Flow Implementation May 28, 2025

kaovilai commented Jun 6, 2025

View reviewed changes

kaovilai commented Jun 8, 2025

View reviewed changes

OADP-5973, OADP-3340, OADP-6212: AWS, GCP, Azure Standardized Flow Implementation #1712

Are you sure you want to change the base?

OADP-5973, OADP-3340, OADP-6212: AWS, GCP, Azure Standardized Flow Implementation #1712

Conversation

kaovilai commented Apr 14, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why the changes were made

How to test the changes made

Uh oh!

openshift-ci bot commented Apr 14, 2025

Uh oh!

openshift-ci bot commented Apr 14, 2025

Uh oh!

kaovilai commented Apr 14, 2025

Uh oh!

openshift-ci bot commented Apr 14, 2025

Uh oh!

kaovilai commented Apr 14, 2025

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

weshayutin commented Apr 29, 2025

Uh oh!

openshift-ci-robot commented Apr 29, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why the changes were made

How to test the changes made

Uh oh!

openshift-ci-robot commented Apr 29, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why the changes were made

How to test the changes made

Uh oh!

openshift-ci-robot commented Apr 29, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why the changes were made

How to test the changes made

Uh oh!

openshift-ci-robot commented Apr 29, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why the changes were made

How to test the changes made

Uh oh!

kaovilai commented May 20, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

kaovilai commented May 23, 2025 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

openshift-ci-robot commented May 23, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why the changes were made

How to test the changes made

Uh oh!

openshift-ci-robot commented May 23, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why the changes were made

How to test the changes made

Uh oh!

openshift-ci-robot commented May 23, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why the changes were made

How to test the changes made

Uh oh!

openshift-ci-robot commented May 23, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why the changes were made

How to test the changes made

Uh oh!

openshift-ci-robot commented May 23, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why the changes were made

How to test the changes made

Uh oh!

openshift-ci-robot commented May 23, 2025 • edited by openshift-ci bot Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Why the changes were made

How to test the changes made

kaovilai commented Apr 14, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Apr 29, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Apr 29, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Apr 29, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented Apr 29, 2025 •

edited by openshift-ci bot

Loading

kaovilai commented May 20, 2025 •

edited

Loading

kaovilai commented May 23, 2025 •

edited

Loading

openshift-ci-robot commented May 23, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented May 23, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented May 23, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented May 23, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented May 23, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented May 23, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented May 23, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented May 23, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented May 23, 2025 •

edited by openshift-ci bot

Loading

openshift-ci-robot commented May 28, 2025 •

edited by openshift-ci bot

Loading