GCP WIF Authentication on OpenShift

Tiger Kaovilai edited this page Oct 18, 2024 · 15 revisions

Using GCP Workload Identity Federation (WIF) to authenticate OADP-Operator

Known Issues

  • File System Backup
  • Velero Built-in Data Mover
  • VolumeSnapshotLocation

CSI is working for volume backup.

Prerequisites

  • Cluster installed in manual mode with GCP Workload Identity configured.
    • This means you should already have the ccoctl CLI from that installation procedure and access to the associated workload identity pool.

Create Credential Request for OADP Operator

  • Create the oadp-credrequest directory
    mkdir -p oadp-credrequest
  • Create credrequest.yaml
    echo 'apiVersion: cloudcredential.openshift.io/v1
    kind: CredentialsRequest
    metadata:
      name: oadp-operator-credentials
      namespace: openshift-cloud-credential-operator
    spec:
      providerSpec:
        apiVersion: cloudcredential.openshift.io/v1
        kind: GCPProviderSpec
        permissions:
        - compute.disks.get
        - compute.disks.create
        - compute.disks.createSnapshot
        - compute.snapshots.get
        - compute.snapshots.create
        - compute.snapshots.useReadOnly
        - compute.snapshots.delete
        - compute.zones.get
        - storage.objects.create
        - storage.objects.delete
        - storage.objects.get
        - storage.objects.list
        - iam.serviceAccounts.signBlob
        skipServiceCheck: true
      secretRef:
        name: cloud-credentials-gcp
        namespace: openshift-adp
      serviceAccountNames:
      - velero
    ' > oadp-credrequest/credrequest.yaml
  • Use ccoctl to create the GCP service account from the credentials request, pointing it at the oadp-credrequest directory
    ccoctl gcp create-service-accounts --name=<name> \
        --project=<gcp-project-id> \
        --credentials-requests-dir=oadp-credrequest \
        --workload-identity-pool=<pool-id> \
        --workload-identity-provider=<provider-id>
    See the ccoctl reference for the full option list. This command should generate manifests/openshift-adp-cloud-credentials-gcp-credentials.yaml, which is used in the next step.

Apply credentials secret to openshift-adp namespace

oc create namespace openshift-adp
oc apply -f manifests/openshift-adp-cloud-credentials-gcp-credentials.yaml
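As an added verification step (example code, not part of the original page), the script below audits the credentials JSON that the applied secret is assumed to carry under the key service_account.json, confirming it is a WIF external_account configuration rather than a long-lived service-account key. The key name, the projected token path, the project number and all sample values are assumptions.

```python
import json
import re

# Constructed sample of the service_account.json a ccoctl-generated WIF secret is
# assumed to carry (assumed key name, paths and values; not from a real cluster).
# Fetch the real one with:
#   oc -n openshift-adp get secret cloud-credentials-gcp \
#      -o jsonpath='{.data.service_account\.json}' | base64 -d
WIF_CREDENTIALS = json.dumps({
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/123456789012/locations/global/"
                "workloadIdentityPools/example-pool/providers/example-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": "https://iamcredentials.googleapis.com/v1/"
        "projects/-/serviceAccounts/velero@example-project.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {
        "file": "/var/run/secrets/openshift/serviceaccount/token",
        "format": {"type": "text"},
    },
})

# Constructed sample of a long-lived service-account key, which WIF is meant to avoid.
STATIC_KEY_CREDENTIALS = json.dumps({
    "type": "service_account",
    "project_id": "example-project",
    "private_key_id": "PLACEHOLDER_KEY_ID",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
    "client_email": "velero@example-project.iam.gserviceaccount.com",
})

AUDIENCE_RE = re.compile(r"//iam\.googleapis\.com/projects/\d+/locations/global/"
                         r"workloadIdentityPools/[^/]+/providers/[^/]+")

def audit_gcp_credentials(raw: str) -> list[str]:
    """Return findings; an empty list means the file is a WIF external_account config."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    findings = []
    if doc.get("type") != "external_account":
        findings.append(f"type is {doc.get('type')!r}, expected 'external_account'")
    if "private_key" in doc:
        findings.append("contains a long-lived private_key; WIF credentials carry none")
    if doc.get("token_url") != "https://sts.googleapis.com/v1/token":
        findings.append("token_url is not the Google STS endpoint")
    if not AUDIENCE_RE.fullmatch(doc.get("audience", "")):
        findings.append("audience is not a workload identity pool provider")
    if not doc.get("credential_source", {}).get("file"):
        findings.append("credential_source.file (projected SA token path) is missing")
    return findings
```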

We expect imagestream backup to work with GCP WIF. However, if you get errors when backing up ImageStreamTags, you can disable this functionality by setting backupImages: false in the DataProtectionApplication:

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: example
spec:
  backupImages: false