PBM-1727 Oracle Cloud Storage #377
Conversation
Pull request overview
Adds a new documentation page describing how to configure Percona Backup for MongoDB (PBM) to use Oracle Cloud Infrastructure (OCI) Object Storage as a remote backup destination, including both user principal and instance principal authentication flows.
Changes:
- Introduces a new OCI Object Storage guide with CLI setup, IAM policy guidance, and example PBM configurations.
- Documents both `userPrincipal` (API signing keys) and `instancePrincipal` (keyless, on-OCI) authentication options.
Co-authored-by: Copilot Autofix powered by AI <175728472+Copilot@users.noreply.github.com>
…rcona/pbm-docs into PBM-1727-Oracle-Cloud-Storage
jcechace
left a comment
Mostly looking good. We ought to reconsider what content goes under oci-storage.md and what goes under oci-wif.md.
Currently there is overlap (`userPrincipal` and `instancePrincipal` are in both; `userPrincipal` is technically not WIF).
Missing documentation for Server Side Encryption.
| Before configuring PBM, ensure that you have: | ||
|
|
||
| - An active OCI tenancy with at least one subscribed region | ||
| - The OCI CLI installed and configured (`oci setup config`). |
This is not strictly required; all required steps can equally be performed via the OCI web console.
| for installation instructions | ||
| - An OCI user with permission to create compartments, buckets, | ||
| dynamic groups, and IAM policies in your tenancy | ||
| - An OCI API signing key pair: private key on the host running |
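Review bot: the prerequisite list mixes setup-time and runtime permissions: the two lines ending "in your tenancy" (create compartments, buckets, dynamic groups and IAM policies) are tenancy-administrator rights needed once while following this guide, whereas PBM at runtime only needs object access to the target bucket. Suggest splitting the list into "to run the setup steps" and "for PBM at runtime", so readers do not configure the backup service with an identity that can create IAM policies.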
Strictly speaking, for PBM runtime, the private key does not have to be present "on the host running PBM". The key is stored within the PBM configuration (same as for other storages).
| ```sh | ||
| export HOME_REGION=<your-home-region> # e.g. us-ashburn-1 | ||
| export BUCKET_REGION=<your-bucket-region> # e.g. eu-frankfurt-1 | ||
| export COMPARTMENT_NAME=pbm-backup |
|
|
||
| ## Create a compartment | ||
|
|
||
| Create a compartment for PBM backup resources: |
While OCI resources always require a compartment, creating one is optional and using the root compartment is perfectly valid. It is, however, good practice to use them.
| to manage objects in the PBM compartment. Replace | ||
| `<OCI_GROUP_NAME>` with the name of the group containing | ||
| your PBM user: | ||
|
|
||
| ```sh | ||
| oci iam policy create \ | ||
| --region "$HOME_REGION" \ | ||
| --compartment-id "$TENANCY_OCID" \ | ||
| --name pbm-user-access \ | ||
| --description "Allow PBM user group to manage backup objects" \ | ||
| --statements "[\"Allow group <OCI_GROUP_NAME> to manage object-family in compartment $COMPARTMENT_NAME\"]" |
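Review bot: `$TENANCY_OCID` in `--compartment-id "$TENANCY_OCID"` is not defined in the export block shown earlier (only `HOME_REGION`, `BUCKET_REGION` and `COMPARTMENT_NAME` are exported), so the command fails, or attaches the policy somewhere unintended, unless the reader has set it elsewhere; add it to the export block. Separately, `manage object-family in compartment $COMPARTMENT_NAME` lets the group create and delete buckets across the whole compartment; a backup principal only needs objects in one bucket, so the least-privilege form is `Allow group <OCI_GROUP_NAME> to manage objects in compartment $COMPARTMENT_NAME where target.bucket.name='<bucket_name>'` (verify against the verbs PBM actually uses), and the group must be created and the user added to it before this step.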
Where does this come from? Technically, if the user owns the bucket, this is not required.
Not against it, but it might be slightly confusing since we haven't assigned the user to a group in any of the previous steps.
| You need: | ||
|
|
||
| - An OCI user account with access to the target bucket | ||
| - An [API signing key pair :octicons-link-external-16:](https://docs.oracle.com/en-us/iaas/Content/API/Concepts/apisigningkey.htm){:target="_blank"} (private key file and its fingerprint) |
Again, this is required only for the setup using the CLI, not for PBM runtime when using `instancePrincipal` or `okeWorkloadIdentity`.
| 2. **Configure PBM authentication** | ||
|
|
||
| In your PBM configuration, set the storage type to `oci` and the credentials type to `userPrincipal`. Provide the API signing key private key in PEM format. | ||
|
|
||
| ```yaml | ||
| storage: | ||
| type: oci | ||
| oci: | ||
| region: <bucket_region> | ||
| namespace: <namespace> | ||
| bucket: <bucket_name> | ||
| prefix: <path_prefix> | ||
| credentials: | ||
| type: userPrincipal | ||
| userPrincipal: | ||
| tenancy: <tenancy_ocid> | ||
| user: <user_ocid> | ||
| fingerprint: <key_fingerprint> | ||
| privateKey: | | ||
| -----BEGIN PRIVATE KEY----- | ||
| ... | ||
| -----END PRIVATE KEY----- | ||
| ``` |
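Review bot: the `privateKey: |` block embeds the API signing key in the PBM configuration, which PBM stores inside the MongoDB cluster once applied, so both the YAML file and the cluster become secret-bearing; the page should tell readers to restrict permissions on the YAML file, delete it after loading it into PBM, and prefer `instancePrincipal` whenever PBM runs on OCI so no long-lived key exists at all. It should also note that rotating the signing key means updating `fingerprint` and `privateKey` together.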
I'm a bit confused as to why this is here, since userPrincipal is not classified as workload identity (an actual user identity is used, not the workload -- cluster / instance identity).
This PR contains documentation for the following:
For details, see the following tickets:
https://perconadev.atlassian.net/browse/PBM-1727
https://perconadev.atlassian.net/browse/PBM-1728