Merge pull request #102330 from shdeshpa07/OADP-6704-azure-not-supported

shdeshpa07 · web-flow · commit 6a872eed92a6 · 2025-12-12T15:52:24.000+05:30
Add note about restic not supported with Azure STS
diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc
@@ -20,12 +20,14 @@ To install the OADP Operator in a restricted network environment, you must first
 
 
 include::modules/migration-configuring-azure.adoc[leveloffset=+1]
+
 include::modules/oadp-about-backup-snapshot-locations-secrets.adoc[leveloffset=+1]
+
 include::modules/oadp-auth-azure-methods.adoc[leveloffset=+1]
+
 include::modules/oadp-auth-azure-secret-based.adoc[leveloffset=+1]
-include::modules/oadp-auth-azure-sts.adoc[leveloffset=+1]
 
-You can configure the Data Protection Application by setting Velero resource allocations or enabling self-signed CA certificates.
+include::modules/oadp-auth-azure-sts.adoc[leveloffset=+1]
 
 include::modules/oadp-setting-resource-limits-and-requests.adoc[leveloffset=+1]
 
@@ -34,20 +36,31 @@ include::snippets/oadp-nodeselector-snippet.adoc[]
 For more details, see xref:../../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-azure.adoc#oadp-configuring-node-agents_installing-oadp-azure[Configuring node agents and node labels].
 
 include::modules/oadp-self-signed-certificate.adoc[leveloffset=+1]
+
 include::modules/oadp-using-ca-certificates-with-velero-command.adoc[leveloffset=+1]
 
-// include::modules/oadp-installing-dpa-1-2-and-earlier.adoc[leveloffset=+1]
 include::modules/oadp-installing-dpa-1-3.adoc[leveloffset=+1]
+
 include::modules/oadp-configuring-client-burst-qps.adoc[leveloffset=+1]
+
 include::modules/oadp-configuring-node-agents.adoc[leveloffset=+1]
+
 include::modules/oadp-configuring-node-agent-load-affinity.adoc[leveloffset=+1]
+
 include::modules/oadp-node-agent-load-affinity-guidelines.adoc[leveloffset=+1]
+
 include::modules/oadp-configuring-node-agent-load-concurrency.adoc[leveloffset=+1]
+
 include::modules/oadp-configuring-node-agent-non-root.adoc[leveloffset=+1]
+
 include::modules/oadp-configuring-repository-maintenance.adoc[leveloffset=+1]
+
 include::modules/oadp-configuring-velero-load-affinity.adoc[leveloffset=+1]
+
 include::modules/oadp-configuring-imagepullpolicy.adoc[leveloffset=+1]
+
 include::modules/oadp-enabling-csi-dpa.adoc[leveloffset=+2]
+
 include::modules/oadp-about-disable-node-agent-dpa.adoc[leveloffset=+2]
 
 [role="_additional-resources"]
diff --git a/modules/oadp-auth-azure-sts.adoc b/modules/oadp-auth-azure-sts.adoc
@@ -11,6 +11,10 @@ You can use Microsoft Entra Workload ID to access Azure storage for {oadp-short}
 
 To use the Azure Security Token Service (STS) configuration, you need the `credentialsMode` field set to `Manual` during cluster installation. This approach uses the Cloud Credential Operator (`ccoctl`) to set up the workload identity infrastructure, including the OpenID Connect (OIDC) provider, issuer configuration, and user-assigned managed identities.
 
+[NOTE]
+====
+{oadp-short} with Azure STS configuration does not support `restic` File System Backups (FSB) and restores. 
+====
 
 .Prerequisites
 
@@ -173,9 +177,9 @@ spec:
   backupLocations:
   - bucket:
       cloudStorageRef:
-        name: <cloud_storage_cr> # <1>
+        name: <cloud_storage_cr>
       config:
-        storageAccount: <storage_account_name> # <2>
+        storageAccount: <storage_account_name>
         useAAD: "true"
       credential:
         key: azurekey
@@ -195,18 +199,21 @@ spec:
   - name: default
     velero:
       config:
-        resourceGroup: <resource_group> # <3>
-        subscriptionId: <subscription_ID> # <4>
+        resourceGroup: <resource_group>
+        subscriptionId: <subscription_ID>
       credential:
         key: azurekey
         name: cloud-credentials-azure
       provider: azure
 EOF
 ----
-<1> Specify the `CloudStorage` CR name.
-<2> Specify the Azure storage account name.
-<3> Specify the resource group.
-<4> Specify the subscription ID.
++
+where:
+
+<cloud_storage_cr>:: Specify the `CloudStorage` CR name.
+<storage_account_name>:: Specify the Azure storage account name.
+<resource_group>:: Specify the resource group.
+<subscription_ID>:: Specify the subscription ID.
 
 .Verification
 
