Enhance documentation for OADP CloudStorage API, including installation instructions via OpenShift web console and provider-specific configurations for AWS, Azure, and GCP.

Signed-off-by: Tiger Kaovilai <[email protected]>

Author: kaovilai

docs/config/aws/oadp-aws-sts-cloud-authentication.adoc

@@ -205,20 +205,43 @@ oc annotate serviceaccount openshift-adp-controller-manager -n openshift-adp \
     eks.amazonaws.com/role-arn="${ROLE_ARN}" --overwrite
 ----
 
+[id="oadp-aws-console-installation_{context}"]
+== Installing OADP Operator via OpenShift Web Console
+
+When installing the OADP operator through the OpenShift web console with tokenized authentication support, you will be presented with cloud provider-specific configuration fields.
+
+[NOTE]
+====
+For OpenShift 4.15 and later, the web console supports tokenized authentication during operator installation, allowing you to provide cloud credentials directly through the installation form.
+====
+
+.Console Installation Fields for AWS
+
+During operator installation, the web console will display the following field:
+
+*role ARN*::
+**Field Label:** "role ARN"
++
+**Help Text:** "The role ARN required for the operator to access the cloud API."
++
+**Value to Enter:** Use the `ROLE_ARN` value from the prerequisite setup steps above (e.g., `arn:aws:iam::123456789012:role/openshift-adp-controller-manager`).
+
+This field corresponds to the IAM role you created in the prerequisite steps. The role ARN format is `arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLE_NAME}`.
+
 [id="oadp-aws-cloud-storage-api_{context}"]
 == Alternative: Using Cloud Storage API for Automated Bucket Management
 
-Instead of manually creating S3 buckets, you can use the OADP Cloud Storage API to automatically manage bucket creation and configuration. This approach requires OADP operator version with Cloud Storage API support.
+Instead of manually creating S3 buckets, you can use the OADP CloudStorage API to automatically manage bucket creation and configuration.
 
-.Prerequisites for Cloud Storage API
+[NOTE]
+====
+For comprehensive documentation on the CloudStorage API, including detailed configuration options, troubleshooting, and advanced usage, see link:../oadp-cloudstorage-api.html[OADP CloudStorage API].
+====
 
-* OADP operator with Cloud Storage API functionality enabled
-* The same AWS STS configuration as above
+.AWS-Specific CloudStorage Configuration
 
-.Procedure for Cloud Storage API
+For AWS, create a CloudStorage resource with the following configuration:
 
-. Create a CloudStorage resource instead of manually creating buckets:
-+
 [source,yaml]
 ----
 cat <<EOF | oc apply -f -
@@ -238,8 +261,8 @@ spec:
 EOF
 ----
 
-. Create the DataProtectionApplication with Cloud Storage API reference:
-+
+Then configure your DataProtectionApplication to use the CloudStorage resource:
+
 [source,yaml]
 ----
 cat <<EOF | oc apply -f -
@@ -258,7 +281,6 @@ spec:
   backupLocations:
     - name: default
       bucket:
-        # Reference the CloudStorage resource instead of direct bucket
         cloudStorageRef:
           name: aws-backup-storage
         prefix: velero
@@ -280,16 +302,10 @@ spec:
 EOF
 ----
 
-. Verify the CloudStorage resource status:
-+
-[source,bash]
-----
-oc get cloudstorage aws-backup-storage -n openshift-adp -o yaml
-oc describe cloudstorage aws-backup-storage -n openshift-adp
-----
+.AWS-Specific Verification
+
+Verify the S3 bucket was created:
 
-. Wait for bucket creation and verify:
-+
 [source,bash]
 ----
 # Check if bucket was created in S3
@@ -299,51 +315,6 @@ aws s3 ls s3://${VELERO_BUCKET_NAME}/
 aws s3api get-bucket-policy --bucket ${VELERO_BUCKET_NAME}
 ----
 
-. Monitor the CloudStorage controller logs:
-+
-[source,bash]
-----
-# Check operator logs for CloudStorage operations
-oc logs -n openshift-adp deployment/oadp-operator-controller-manager | grep -i cloudstorage
-
-# Check for AWS-specific operations
-oc logs -n openshift-adp deployment/oadp-operator-controller-manager | grep -i aws
-----
-
-[WARNING]
-====
-CloudStorage resources are protected by a finalizer (`oadp.openshift.io/bucket-protection`) to prevent accidental deletion of buckets containing backup data. To delete a CloudStorage resource, you must first add the deletion annotation:
-
-[source,bash]
-----
-# Add deletion annotation before attempting to delete
-oc annotate cloudstorage aws-backup-storage -n openshift-adp \
-    oadp.openshift.io/cloudstorage-delete=true --overwrite
-
-# Then delete the CloudStorage resource
-oc delete cloudstorage aws-backup-storage -n openshift-adp
-----
-
-Without this annotation, the deletion will hang indefinitely as the finalizer prevents removal.
-
-Alternatively, if you want to remove the CloudStorage resource from OpenShift without deleting the S3 bucket in AWS, you can manually remove the finalizer:
-
-[source,bash]
-----
-# Remove finalizer to delete CloudStorage CR without deleting the S3 bucket
-oc patch cloudstorage aws-backup-storage -n openshift-adp --type json \
-    -p='[{"op": "remove", "path": "/metadata/finalizers"}]'
-----
-====
-
-The CloudStorage API will automatically:
-
-* Create the S3 bucket if it doesn't exist (with `creationPolicy: CreateIfNotExists`)
-* Configure appropriate bucket policies for the IAM role
-* Set up regional configuration based on the specified region
-* Handle authentication through the referenced credential secret
-* Protect bucket resources with finalizers to prevent accidental deletion
-
 == Standard Configuration (Manual Bucket Creation)
 
 . Create the DataProtectionApplication configuration for manual bucket setup:

docs/config/aws/oadp-rosa-sts-cloud-authentication.adoc

@@ -260,17 +260,17 @@ echo "Created and configured S3 bucket: ${VELERO_BUCKET_NAME}"
 [id="oadp-rosa-cloud-storage-api_{context}"]
 == Alternative: Using Cloud Storage API for Automated Bucket Management
 
-The OADP Cloud Storage API can automatically manage S3 bucket creation and configuration for ROSA STS clusters.
+The OADP CloudStorage API can automatically manage S3 bucket creation and configuration for ROSA STS clusters.
 
-.Prerequisites for Cloud Storage API
+[NOTE]
+====
+For comprehensive documentation on the CloudStorage API, including detailed configuration options, troubleshooting, and advanced usage, see link:../oadp-cloudstorage-api.html[OADP CloudStorage API].
+====
 
-* OADP operator with Cloud Storage API functionality enabled
-* The same ROSA STS configuration as above
+.ROSA-Specific CloudStorage Configuration
 
-.Procedure for Cloud Storage API
+For ROSA, create a CloudStorage resource with the following configuration:
 
-. Create a CloudStorage resource for ROSA:
-+
 [source,yaml]
 ----
 cat <<EOF | oc apply -f -
@@ -290,8 +290,8 @@ spec:
 EOF
 ----
 
-. Create the DataProtectionApplication with Cloud Storage API reference:
-+
+Then configure your DataProtectionApplication with ROSA-specific settings:
+
 [source,yaml]
 ----
 cat <<EOF | oc apply -f -
@@ -332,21 +332,12 @@ spec:
 EOF
 ----
 
-. Verify the CloudStorage resource status:
-+
-[source,bash]
-----
-oc get cloudstorage rosa-backup-storage -n openshift-adp -o yaml
-oc describe cloudstorage rosa-backup-storage -n openshift-adp
-----
+.ROSA-Specific Verification
+
+Verify the S3 bucket was created:
 
-. Monitor CloudStorage operations:
-+
 [source,bash]
 ----
-# Check CloudStorage controller logs
-oc logs -n openshift-adp deployment/oadp-operator-controller-manager | grep -i cloudstorage
-
 # Verify S3 bucket creation
 aws s3 ls s3://${VELERO_BUCKET_NAME}/
 ----
@@ -358,6 +349,15 @@ aws s3 ls s3://${VELERO_BUCKET_NAME}/
 [NOTE]
 ====
 For OpenShift 4.15 and later, you can provide the role ARN directly during operator installation through the web console, which will automatically create the necessary credentials secret.
+
+When installing through the web console with tokenized authentication support, you will see the following field:
+
+**role ARN**
+- **Field Label:** "role ARN"
+- **Help Text:** "The role ARN required for the operator to access the cloud API."
+- **Value to Enter:** Use the `ROLE_ARN` value from the prerequisite setup steps above (e.g., `arn:aws:iam::123456789012:role/your-cluster-openshift-oadp-aws-cloud-credentials`).
+
+This corresponds to the IAM role created in the prerequisite steps with the format `arn:aws:iam::${AWS_ACCOUNT_ID}:role/${ROLE_NAME}`.
 ====
 
 . Create the DataProtectionApplication for standard ROSA STS setup:

docs/config/azure/oadp-azure-sts-cloud-authentication.adoc

@@ -184,20 +184,57 @@ oc annotate serviceaccount openshift-adp-controller-manager -n openshift-adp \
     azure.workload.identity/client-id="$IDENTITY_CLIENT_ID" --overwrite
 ----
 
+[id="oadp-azure-console-installation_{context}"]
+== Installing OADP Operator via OpenShift Web Console
+
+When installing the OADP operator through the OpenShift web console with tokenized authentication support, you will be presented with cloud provider-specific configuration fields.
+
+[NOTE]
+====
+For OpenShift 4.15 and later, the web console supports tokenized authentication during operator installation, allowing you to provide cloud credentials directly through the installation form.
+====
+
+.Console Installation Fields for Azure
+
+During operator installation, the web console will display the following fields:
+
+*Azure Client ID*::
+**Field Label:** "Azure Client ID"
++
+**Help Text:** "The Azure Client ID required for the operator to access the cloud API."
++
+**Value to Enter:** Use the `IDENTITY_CLIENT_ID` value from the prerequisite setup steps above.
+
+*Azure Tenant ID*::
+**Field Label:** "Azure Tenant ID"
++
+**Help Text:** "The Azure Tenant ID required for the operator to access the cloud API."
++
+**Value to Enter:** Use the `AZURE_TENANT_ID` value from the prerequisite setup steps above.
+
+*Azure Subscription ID*::
+**Field Label:** "Azure Subscription ID"
++
+**Help Text:** "The Azure Subscription ID required for the operator to access the cloud API."
++
+**Value to Enter:** Use the `AZURE_SUBSCRIPTION_ID` value from the prerequisite setup steps above.
+
+These fields correspond to the managed identity and Azure subscription information you configured in the prerequisite steps for Microsoft Entra Workload ID authentication.
+
 [id="oadp-azure-cloud-storage-api_{context}"]
 == Alternative: Using Cloud Storage API for Automated Container Management
 
-Instead of manually creating storage containers, you can use the OADP Cloud Storage API to automatically manage container creation and configuration. This approach requires OADP operator version with Cloud Storage API support.
+Instead of manually creating storage containers, you can use the OADP CloudStorage API to automatically manage container creation and configuration.
 
-.Prerequisites for Cloud Storage API
+[NOTE]
+====
+For comprehensive documentation on the CloudStorage API, including detailed configuration options, troubleshooting, and advanced usage, see link:../oadp-cloudstorage-api.html[OADP CloudStorage API].
+====
 
-* OADP operator with Cloud Storage API functionality enabled
-* The same Microsoft Entra Workload ID configuration as above
+.Azure-Specific CloudStorage Configuration
 
-.Procedure for Cloud Storage API
+For Azure, create a CloudStorage resource with the following configuration:
 
-. Create a CloudStorage resource instead of manually creating containers:
-+
 [source,yaml]
 ----
 cat <<EOF | oc apply -f -
@@ -218,8 +255,8 @@ spec:
 EOF
 ----
 
-. Create the DataProtectionApplication with Cloud Storage API reference:
-+
+Then configure your DataProtectionApplication to use the CloudStorage resource:
+
 [source,yaml]
 ----
 cat <<EOF | oc apply -f -
@@ -237,15 +274,19 @@ spec:
         - csi
   backupLocations:
     - name: default
-      bucket:
-        # Reference the CloudStorage resource instead of direct container
-        cloudStorageRef:
-          name: azure-backup-storage
-        prefix: velero
+      velero:
+        provider: azure
+        default: true
         credential:
           name: cloud-credentials-azure
           key: azurekey
-        default: true
+        objectStorage:
+          cloudStorageRef:
+            name: azure-backup-storage
+          prefix: velero
+        config:
+          resourceGroup: ${CLUSTER_RESOURCE_GROUP}
+          subscriptionId: ${AZURE_SUBSCRIPTION_ID}
   snapshotLocations:
     - name: default
       velero:
@@ -259,16 +300,10 @@ spec:
 EOF
 ----
 
-. Verify the CloudStorage resource status:
-+
-[source,bash]
-----
-oc get cloudstorage azure-backup-storage -n openshift-adp -o yaml
-oc describe cloudstorage azure-backup-storage -n openshift-adp
-----
+.Azure-Specific Verification
+
+Verify the storage container was created:
 
-. Wait for container creation and verify:
-+
 [source,bash]
 ----
 # Check if container was created in Azure Storage
@@ -278,51 +313,6 @@ az storage container list --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode log
 az storage container show --name ${CONTAINER_NAME} --account-name ${STORAGE_ACCOUNT_NAME} --auth-mode login
 ----
 
-. Monitor the CloudStorage controller logs:
-+
-[source,bash]
-----
-# Check operator logs for CloudStorage operations
-oc logs -n openshift-adp deployment/oadp-operator-controller-manager | grep -i cloudstorage
-
-# Check for Azure-specific operations
-oc logs -n openshift-adp deployment/oadp-operator-controller-manager | grep -i azure
-----
-
-[WARNING]
-====
-CloudStorage resources are protected by a finalizer (`oadp.openshift.io/bucket-protection`) to prevent accidental deletion of containers containing backup data. To delete a CloudStorage resource, you must first add the deletion annotation:
-
-[source,bash]
-----
-# Add deletion annotation before attempting to delete
-oc annotate cloudstorage azure-backup-storage -n openshift-adp \
-    oadp.openshift.io/cloudstorage-delete=true --overwrite
-
-# Then delete the CloudStorage resource
-oc delete cloudstorage azure-backup-storage -n openshift-adp
-----
-
-Without this annotation, the deletion will hang indefinitely as the finalizer prevents removal.
-
-Alternatively, if you want to remove the CloudStorage resource from OpenShift without deleting the Azure storage container, you can manually remove the finalizer:
-
-[source,bash]
-----
-# Remove finalizer to delete CloudStorage CR without deleting the Azure container
-oc patch cloudstorage azure-backup-storage -n openshift-adp --type json \
-    -p='[{"op": "remove", "path": "/metadata/finalizers"}]'
-----
-====
-
-The CloudStorage API will automatically:
-
-* Create the storage container if it doesn't exist (with `creationPolicy: CreateIfNotExists`)
-* Configure appropriate access permissions for the managed identity
-* Handle authentication through the referenced credential secret
-* Manage container lifecycle and cleanup operations
-* Protect container resources with finalizers to prevent accidental deletion
-
 == Standard Configuration (Manual Container Creation)
 
 . Create the DataProtectionApplication configuration for manual container setup: