
GCP WIF Authentication on OpenShift

Tiger Kaovilai edited this page Jun 15, 2023 · 15 revisions

Using GCP Workload Identity Federation (WIF) to authenticate OADP-Operator

Prerequisites

  • Cluster installed in manual mode with GCP Workload Identity configured.
    • This means you should already have access to the ccoctl CLI from that step and to the associated workload identity pool.

Create Credential Request for OADP Operator

  • Create oadp-credrequest dir
    mkdir -p oadp-credrequest
  • Create credrequest.yaml
    echo 'apiVersion: cloudcredential.openshift.io/v1
    kind: CredentialsRequest
    metadata:
      name: oadp-operator-credentials
      namespace: openshift-cloud-credential-operator
    spec:
      providerSpec:
        apiVersion: cloudcredential.openshift.io/v1
        kind: GCPProviderSpec
        predefinedRoles:
        - roles/compute.disks.get
        - roles/compute.disks.create
        - roles/compute.disks.createSnapshot
        - roles/compute.snapshots.get
        - roles/compute.snapshots.create
        - roles/compute.snapshots.useReadOnly
        - roles/compute.snapshots.delete
        - roles/compute.zones.get
        - roles/storage.objects.create
        - roles/storage.objects.delete
        - roles/storage.objects.get
        - roles/storage.objects.list
        - roles/iam.serviceAccounts.signBlob
        skipServiceCheck: true
      secretRef:
        name: cloud-credentials-gcp
        namespace: openshift-adp
      serviceAccountNames:
      - velero
    ' > oadp-credrequest/credrequest.yaml
  • Use ccoctl to create the service accounts from the credrequest, pointing at dir oadp-credrequest
    ccoctl gcp create-service-accounts --name=<name> \
        --project=<gcp-project-id> \
        --credentials-requests-dir=oadp-credrequest \
        --workload-identity-pool=<pool-id> \
        --workload-identity-provider=<provider-id>
    (See the ccoctl reference.) This should generate manifests/openshift-adp-cloud-credentials-gcp-credentials.yaml to use in the next step.

Apply credentials secret to openshift-adp namespace

oc create namespace openshift-adp
oc apply -f manifests/openshift-adp-cloud-credentials-gcp-credentials.yaml
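As an added check that is not part of this page or of the OADP project, the following Python inspects the Secret just applied to openshift-adp (as returned by `oc get secret cloud-credentials-gcp -n openshift-adp -o json`) and confirms it carries a Workload Identity Federation credential config under the service_account.json key rather than a long-lived service account key. The expected field layout (type external_account, STS token_url, impersonation URL, projected token under /var/run/secrets/openshift/serviceaccount/) and every sample value are assumptions, not copied from ccoctl output.

```python
import base64
import json
from urllib.parse import urlparse

# Expected shape of a ccoctl-generated GCP WIF credential config (assumption; compare
# with your own manifests/openshift-adp-cloud-credentials-gcp-credentials.yaml).
STS_HOST = "sts.googleapis.com"
IMPERSONATION_PREFIX = "https://iamcredentials.googleapis.com/"
PROJECTED_TOKEN_DIR = "/var/run/secrets/openshift/serviceaccount/"
# Constructed sample; project number, pool, provider and service account are placeholders.
SAMPLE_CREDENTIAL = {
    "type": "external_account",
    "audience": "//iam.googleapis.com/projects/000000000000/locations/global/"
                "workloadIdentityPools/example-pool/providers/example-provider",
    "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
    "token_url": "https://sts.googleapis.com/v1/token",
    "service_account_impersonation_url": IMPERSONATION_PREFIX + "v1/projects/-/serviceAccounts/"
        "example-velero@example-project.iam.gserviceaccount.com:generateAccessToken",
    "credential_source": {"file": PROJECTED_TOKEN_DIR + "token", "format": {"type": "text"}},
}

def make_secret(cred: dict, key: str = "service_account.json") -> dict:
    """Wrap a credential config in a Secret shaped like the applied manifest (constructed helper)."""
    return {"apiVersion": "v1", "kind": "Secret",
            "metadata": {"name": "cloud-credentials-gcp", "namespace": "openshift-adp"},
            "data": {key: base64.b64encode(json.dumps(cred).encode()).decode()}}

def check_wif_secret(secret: dict, key: str = "service_account.json") -> list:
    """Return the problems found; an empty list means a WIF config with no static key."""
    data = secret.get("data") or {}
    if key not in data:
        return ["secret has no '%s' key; the DPA credential.key must match this name" % key]
    try:
        cred = json.loads(base64.b64decode(data[key]))
    except ValueError:  # binascii.Error and JSONDecodeError are both ValueErrors
        return ["'%s' is not base64-encoded JSON" % key]
    problems = []
    if cred.get("type") != "external_account":
        problems.append("type is %r, expected 'external_account'" % cred.get("type"))
    if "private_key" in cred:
        problems.append("private_key present: this is a long-lived service account key, not WIF")
    token_url = urlparse(cred.get("token_url", ""))
    if token_url.scheme != "https" or token_url.netloc != STS_HOST:
        problems.append("token_url is not https://%s" % STS_HOST)
    if not cred.get("service_account_impersonation_url", "").startswith(IMPERSONATION_PREFIX):
        problems.append("service_account_impersonation_url does not target iamcredentials.googleapis.com")
    if not (cred.get("credential_source") or {}).get("file", "").startswith(PROJECTED_TOKEN_DIR):
        problems.append("credential_source.file is not the projected OpenShift service account token")
    return problems
```

Feed it `json.load` of the `oc get secret ... -o json` output and treat a non-empty list as a reason not to proceed to the DataProtectionApplication step.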
  • Follow 4.3.4.1. Installing the OADP Operator

  • Skip to 4.3.4.5. Installing the Data Protection Application to create the Data Protection Application

    Note that the credential key should be service_account.json instead of cloud, which is what the official documentation example uses.

    apiVersion: oadp.openshift.io/v1alpha1
    kind: DataProtectionApplication
    metadata:
      name: <dpa_sample>
      namespace: openshift-adp
    spec:
      backupLocations:
        - velero:
            provider: gcp
            default: true
            credential:
              key: service_account.json
              name: cloud-credentials-gcp
            objectStorage:
              bucket: <bucket_name>
              prefix: <prefix>
      # Temporary image override while https://github.com/vmware-tanzu/velero-plugin-for-gcp/pull/142 is in draft.
      unsupportedOverrides:
        gcpPluginImageFqin: ghcr.io/kaovilai/velero-plugin-for-gcp:file-wif
  • (Optional) If you hit issues with self-signed certs or CPU issues, you can go back to 4.3.4.4. Configuring the Data Protection Application

If you get errors when backing up ImageStreamTags, you can disable this functionality with backupImages: false

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: example
spec:
  backupImages: false