
Design for NonAdmin short-lived cloud credentials#2143

Draft
kaovilai wants to merge 7 commits into openshift:oadp-dev from kaovilai:OADP-7660-nonadmin-short-lived-credentials-design

Conversation

@kaovilai
Member

@kaovilai kaovilai commented Mar 27, 2026

Summary

  • Design document for enabling NonAdminBSL to use short-lived, cloud-native credentials (AWS STS, GCP WIF, Azure Workload Identity) with per-namespace isolation
  • Comprehensive security analysis with impersonation risk assessment for all three cloud providers

Upstream Prerequisite

Key Design Points

  • Strategy: Per-BSL credential files with shared Velero SA token, cloud-scoped roles
  • Admin provisions per-namespace cloud identities scoped to specific bucket/prefix
  • Non-admin users create NonAdminBSL without touching credentials — controller injects the right credential by namespace mapping
  • Isolation: Credential selection by namespace (not user input) + prefix enforcement + cloud-side IAM scoping
  • AWS STS: Works today with per-BSL INI profiles
  • GCP WIF: Works today with per-BSL external_account JSON
  • Azure WI: Requires upstream Velero fix (see above)

Test plan

  • Review design document for completeness
  • Review security analysis for all three cloud providers
  • Validate credential flow diagrams against Velero code paths

Note

Responses generated with Claude

Generated with Claude Code
via Happy
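The following Go sketch is an added illustration of the isolation rule in the Key Design Points above (credential chosen by the NonAdminBSL's namespace rather than user input, prefix enforcement, and an AWS STS per-BSL INI profile backed by the shared SA token); it is not code from this PR or from OADP, and the NamespaceCredential type, the sample mapping, the token path and the function names are assumptions.

```go
package main

import (
	"fmt"
	"strings"
)

// NamespaceCredential is the admin-provisioned identity for one tenant namespace:
// the role it may assume and the bucket/prefix it is confined to (hypothetical type).
type NamespaceCredential struct {
	RoleARN, Bucket, Prefix string
}

const tokenFile = "/var/run/secrets/openshift/serviceaccount/token" // shared kubelet-refreshed SA token (assumed path)

var sampleMapping = map[string]NamespaceCredential{ // constructed sample of what the admin provisions out of band
	"team-a": {"arn:aws:iam::123456789012:role/oadp-team-a", "velero-backups", "team-a"},
}

// ResolveCredential selects the credential by the NonAdminBSL's namespace, never by
// a user-supplied field, and rejects a bucket or prefix outside the admin-scoped
// location. Object keys are literal strings, so a "/"-bounded prefix check suffices.
func ResolveCredential(namespace, bucket, prefix string) (NamespaceCredential, error) {
	cred, ok := sampleMapping[namespace]
	if !ok {
		return NamespaceCredential{}, fmt.Errorf("no credential provisioned for namespace %q", namespace)
	}
	if bucket != cred.Bucket {
		return NamespaceCredential{}, fmt.Errorf("bucket %q is not the admin-scoped bucket %q", bucket, cred.Bucket)
	}
	p := strings.Trim(prefix, "/")
	if p != cred.Prefix && !strings.HasPrefix(p, cred.Prefix+"/") {
		return NamespaceCredential{}, fmt.Errorf("prefix %q escapes admin-scoped prefix %q", prefix, cred.Prefix)
	}
	return cred, nil
}

// AWSProfile renders the per-BSL INI profile: STS assumes the namespace's role with
// the shared web identity token, so the file itself holds no long-lived secret.
func AWSProfile(namespace string, cred NamespaceCredential) string {
	return fmt.Sprintf("[%s]\nrole_arn = %s\nweb_identity_token_file = %s\n", namespace, cred.RoleARN, tokenFile)
}

func main() {
	cred, err := ResolveCredential("team-a", "velero-backups", "team-a/cluster-1")
	if err != nil {
		panic(err)
	}
	fmt.Print(AWSProfile("team-a", cred))
}
```

The sibling-prefix case ("team-ab" against a scope of "team-a") is the one a plain HasPrefix check would wrongly accept, which is why the boundary "/" is appended before comparing.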

Add design documents for enabling NonAdminBSL to use short-lived,
cloud-native credentials (AWS STS, GCP WIF, Azure Workload Identity)
with per-namespace isolation.

Includes:
- Main design doc with admin/non-admin workflows, per-provider
  credential formats, API changes, security analysis with
  impersonation risk assessment for all three cloud providers
- Upstream Velero Azure fix proposal for per-BSL Workload Identity
  credential support (pkg/util/azure/credential.go)

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
@openshift-ci-robot openshift-ci-robot added the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 27, 2026
@openshift-ci openshift-ci bot added the do-not-merge/work-in-progress Indicates that a PR should not merge because it is a work in progress. label Mar 27, 2026
@openshift-ci

openshift-ci bot commented Mar 27, 2026

Skipping CI for Draft Pull Request.
If you want CI signal for your change, please convert it to an actual PR.
You can still manually trigger a test run with /test all

@openshift-ci-robot

openshift-ci-robot commented Mar 27, 2026

@kaovilai: This pull request references OADP-7660 which is a valid jira issue.

Details

In response to this:

Summary

  • Design document for enabling NonAdminBSL to use short-lived, cloud-native credentials (AWS STS, GCP WIF, Azure Workload Identity) with per-namespace isolation
  • Upstream Velero Azure fix proposal for per-BSL Workload Identity credential support (pkg/util/azure/credential.go)
  • Comprehensive security analysis with impersonation risk assessment for all three cloud providers

Key Design Points

  • Strategy: Per-BSL credential files with shared Velero SA token, cloud-scoped roles
  • Admin provisions per-namespace cloud identities scoped to specific bucket/prefix
  • Non-admin users create NonAdminBSL without touching credentials — controller injects the right credential by namespace mapping
  • Isolation: Credential selection by namespace (not user input) + prefix enforcement + cloud-side IAM scoping
  • AWS STS: Works today with per-BSL INI profiles
  • GCP WIF: Works today with per-BSL external_account JSON
  • Azure WI: Requires upstream Velero fix (included as separate design doc)

Documents

File: docs/design/nonadmin-short-lived-credentials_design.md (Main design document)
File: docs/design/upstream-velero-azure-per-bsl-workload-identity_design.md (Upstream Velero Azure fix proposal)

Test plan

  • Review design document for completeness
  • Review security analysis for all three cloud providers
  • Review upstream Azure fix proposal for correctness
  • Validate credential flow diagrams against Velero code paths

Note
Responses generated with Claude

Generated with Claude Code
via Happy

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

@coderabbitai
Contributor

coderabbitai bot commented Mar 27, 2026

Important

Review skipped

Auto reviews are limited based on label configuration.

🚫 Excluded labels (none allowed) (1)
  • do-not-merge/work-in-progress

Please check the settings in the CodeRabbit UI or the .coderabbit.yaml file in this repository. To trigger a single review, invoke the @coderabbitai review command.


@openshift-ci

openshift-ci bot commented Mar 27, 2026

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: kaovilai

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Mar 27, 2026
kaovilai and others added 4 commits March 27, 2026 15:53
Show the BSL and Secret YAML for per-BSL Azure Workload Identity
credential usage, including required useAAD config.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
Link all code path references to GitHub permalinks using commit SHAs
for both the OADP operator and upstream Velero repositories.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
Add section explaining the per-BSL credential pipeline and why
reading from the creds map (per-BSL) instead of env vars (per-process)
is required for multi-tenant Azure Workload Identity support.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
Moved to upstream Velero issue:
vmware-tanzu/velero#9657

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
@openshift-ci-robot

openshift-ci-robot commented Mar 27, 2026

@kaovilai: This pull request references OADP-7660 which is a valid jira issue.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.

kaovilai and others added 2 commits March 27, 2026 16:02
Link vmware-tanzu/velero#9657 in the upstream prerequisites section.

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
Move per-namespace SA token approach to Alternatives Considered section
with rejection rationale: operator-managed token refresh adds too much
complexity. Add token refresh responsibility comparison table showing
kubelet (automatic) vs OADP operator (manual lifecycle management).

Generated with [Claude Code](https://claude.ai/code)
via [Happy](https://happy.engineering)

Co-Authored-By: Claude <noreply@anthropic.com>
Co-Authored-By: Happy <yesreply@happy.engineering>
Signed-off-by: Tiger Kaovilai <tkaovila@redhat.com>
@kaovilai kaovilai changed the title from "OADP-7660: design for NonAdmin short-lived cloud credentials" to "Design for NonAdmin short-lived cloud credentials" Mar 28, 2026
@openshift-ci-robot openshift-ci-robot removed the jira/valid-reference Indicates that this PR references a valid Jira ticket of any type. label Mar 28, 2026
@openshift-ci-robot

@kaovilai: No Jira issue is referenced in the title of this pull request.
To reference a jira issue, add 'XYZ-NNN:' to the title of this pull request and request another refresh with /jira refresh.


Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the openshift-eng/jira-lifecycle-plugin repository.


Development

Successfully merging this pull request may close these issues.

Azure: Enable per-BSL Workload Identity credentials by reading from creds map
