What steps did you take and what happened:
On AKS, we back up persistent volumes backed by Azure Disk via CSI snapshot data movement.
Authentication against the object storage (Azure blob) used to upload backup metadata and CSI snapshot data is performed via Workload Identity.
Starting with Helm chart version 8.0.0 (i.e. Velero 1.15), the data upload jobs, to my understanding, were moved outside of the node agent into dedicated pods. These pods, however, do not inherit the podLabels set via this Helm chart's values.yml file.
Azure Workload Identity requires the label azure.workload.identity/use: "true" to be set such that the pod can source the client id from the service account.
As a consequence, authentication against Azure blob fails and the data upload cannot be completed.
What did you expect to happen:
The CSI snapshot is restored into a temporary PVC and uploaded towards Azure Blob.
The output of the following commands will help us better understand what's going on:
(Pasting long output into a GitHub gist or other pastebin is fine.)
Anything else you would like to add:
Environment:
helm version (use helm version):
helm chart version and app version (use helm list -n <YOUR NAMESPACE>):
Kubernetes version (use kubectl version): 1.29.x
Kubernetes installer & version:
Cloud provider or hardware configuration:
OS (e.g. from /etc/os-release):
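The check below is an added example, not part of the original report or of the Velero code: it flags pods that run under a Workload Identity service account but lack the azure.workload.identity/use: "true" label, which is the condition the report describes. The namespace, service account name, pod names and client id are constructed sample values shaped like the items of `kubectl get sa,pods -o json`.

```python
"""Flag pods that use a Workload Identity service account but lack the pod label."""

WI_LABEL = "azure.workload.identity/use"                # pod label the webhook selects on
WI_SA_ANNOTATION = "azure.workload.identity/client-id"  # service account annotation
WI_TOKEN_ENV = "AZURE_FEDERATED_TOKEN_FILE"             # env var injected by the webhook


def _pod(name, labels, env_names):
    """Build a minimal Pod object (constructed sample data)."""
    return {"kind": "Pod",
            "metadata": {"namespace": "velero", "name": name, "labels": labels},
            "spec": {"serviceAccountName": "velero-server",
                     "containers": [{"name": "main",
                                     "env": [{"name": n} for n in env_names]}]}}


# Constructed sample: one annotated service account, one labelled pod, one unlabelled pod.
SAMPLE_ITEMS = [
    {"kind": "ServiceAccount",
     "metadata": {"namespace": "velero", "name": "velero-server",
                  "annotations": {WI_SA_ANNOTATION: "00000000-0000-0000-0000-000000000000"}}},
    _pod("node-agent-example", {WI_LABEL: "true"}, ["AZURE_CLIENT_ID", WI_TOKEN_ENV]),
    _pod("data-upload-example", {"app": "example"}, []),
]


def find_unlabelled_pods(items):
    """Return pods bound to a Workload Identity service account that are missing
    the label or the injected token env var, so they cannot obtain a token."""
    wi_accounts = {(i["metadata"].get("namespace"), i["metadata"]["name"])
                   for i in items
                   if i["kind"] == "ServiceAccount"
                   and WI_SA_ANNOTATION in i["metadata"].get("annotations", {})}
    findings = []
    for item in items:
        if item["kind"] != "Pod":
            continue
        meta, spec = item["metadata"], item["spec"]
        if (meta.get("namespace"), spec.get("serviceAccountName", "default")) not in wi_accounts:
            continue
        labelled = meta.get("labels", {}).get(WI_LABEL) == "true"
        injected = any(e.get("name") == WI_TOKEN_ENV
                       for c in spec.get("containers", []) for e in c.get("env", []))
        if not (labelled and injected):
            findings.append({"pod": meta["name"], "labelled": labelled, "token_env": injected})
    return findings


if __name__ == "__main__":
    for finding in find_unlabelled_pods(SAMPLE_ITEMS):
        print(finding)
```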