GCP WIF Authentication on OpenShift
Tiger Kaovilai edited this page Apr 10, 2023
- Cluster installed in manual mode with GCP Workload Identity configured. This means you should now have access to the `ccoctl` CLI from this step and access to the associated workload-identity-pool.
- Create the `oadp-credrequest` dir:

```shell
mkdir -p oadp-credrequest
```

- Create `credrequest.yaml`:

```shell
cat > oadp-credrequest/credrequest.yaml <<'EOF'
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: oadp-operator-credentials
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    predefinedRoles:
    - roles/compute.disks.get
    - roles/compute.disks.create
    - roles/compute.disks.createSnapshot
    - roles/compute.snapshots.get
    - roles/compute.snapshots.create
    - roles/compute.snapshots.useReadOnly
    - roles/compute.snapshots.delete
    - roles/compute.zones.get
    - roles/storage.objects.create
    - roles/storage.objects.delete
    - roles/storage.objects.get
    - roles/storage.objects.list
    - roles/iam.serviceAccounts.signBlob
    skipServiceCheck: true
  secretRef:
    name: cloud-credentials-gcp
    namespace: openshift-adp
  serviceAccountNames:
  - velero
EOF
```
- Use `ccoctl` to create the service accounts from the credrequest, pointing it at the `oadp-credrequest` dir (see the ccoctl reference):

```shell
ccoctl gcp create-service-accounts --name=<name> \
  --project=<gcp-project-id> \
  --credentials-requests-dir=oadp-credrequest \
  --workload-identity-pool=<pool-id> \
  --workload-identity-provider=<provider-id>
```

- Create the `openshift-adp` namespace and apply the generated credentials secret manifest:

```shell
oc create namespace openshift-adp
oc apply -f manifests/openshift-adp-cloud-credentials-gcp-credentials.yaml
```
- Skip to 4.3.4.5. Installing the Data Protection Application to create the Data Protection Application. Note that the credentials key should be `service_account.json` instead of the `cloud` shown in the official documentation example:

```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
  namespace: openshift-adp
spec:
  backupLocations:
  - velero:
      provider: gcp
      default: true
      credential:
        key: service_account.json
        name: cloud-credentials-gcp
      objectStorage:
        bucket: <bucket_name>
        prefix: <prefix>
```
- (Optional) If you hit issues with self-signed certs or CPU issues, you can go back to 4.3.4.4. Configuring the Data Protection Application. If you get errors when backing up ImageStreamTags, you can disable this functionality with `backupImages: false`:

```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: example
spec:
  backupImages: false
```
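To catch the `cloud` vs `service_account.json` key mismatch above before Velero fails on it, here is an added Python check (not part of this page or the OADP project) that models the ccoctl-generated Secret and the DPA as plain dicts and also confirms the credential is a WIF `external_account` config rather than a long-lived service account key. The sample WIF config, the Secret and the DPA are constructed for the example; the projected token path and the `external_account` layout are assumptions about what ccoctl writes.

```python
import base64
import json

# Constructed sample WIF config in the shape ccoctl writes into the Secret in
# manifests/openshift-adp-cloud-credentials-gcp-credentials.yaml (assumed layout; placeholders only).
WIF_CONFIG = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/<project-number>/locations/global/"
                "workloadIdentityPools/<pool-id>/providers/<provider-id>",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "credential_source": {"file": "/var/run/secrets/openshift/serviceaccount/token"},
}

def secret_with(config, key="service_account.json"):
    """Build a constructed cloud-credentials-gcp Secret (as a dict) holding config under key."""
    encoded = base64.b64encode(json.dumps(config).encode()).decode()
    return {"metadata": {"name": "cloud-credentials-gcp", "namespace": "openshift-adp"},
            "data": {key: encoded}}

def dpa_with_key(key):
    """Constructed DataProtectionApplication whose credential block uses the given key."""
    return {"metadata": {"name": "dpa-sample", "namespace": "openshift-adp"},
            "spec": {"backupLocations": [{"velero": {"provider": "gcp", "default": True,
                     "credential": {"key": key, "name": "cloud-credentials-gcp"}}}]}}

def check_wif_credential(secret, dpa):
    """Return problems that would stop Velero from using the Secret as a WIF credential."""
    problems = []
    cred = dpa["spec"]["backupLocations"][0]["velero"]["credential"]
    if secret["metadata"] != {"name": cred["name"], "namespace": dpa["metadata"]["namespace"]}:
        problems.append("DPA points at a Secret name or namespace that does not match")
    data = secret.get("data", {})
    if cred["key"] not in data:
        # The mismatch this page warns about: the docs show 'cloud', ccoctl writes 'service_account.json'
        problems.append(f"Secret has no key {cred['key']!r}; available keys: {sorted(data)}")
        return problems
    try:
        config = json.loads(base64.b64decode(data[cred["key"]]))
    except ValueError:
        return problems + ["credential value is not base64-encoded JSON"]
    if config.get("type") != "external_account":
        problems.append(f"expected a WIF external_account config, got {config.get('type')!r}")
    if "private_key" in config:
        problems.append("credential embeds a long-lived service account key; WIF does not need one")
    token_file = config.get("credential_source", {}).get("file", "")
    if not token_file.startswith("/var/run/secrets/openshift/serviceaccount/"):
        problems.append("credential_source.file is not the projected OpenShift service account token")
    return problems
```

Run it against the real objects with `oc get secret cloud-credentials-gcp -n openshift-adp -o json` and `oc get dpa -n openshift-adp -o json` piped through `json.load`; an empty list means the DPA and the Secret line up.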