
GCP WIF Authentication on OpenShift

Tiger Kaovilai edited this page Apr 10, 2023 · 15 revisions

Using GCP Workload Identity Federation (WIF) to authenticate OADP-Operator

Prerequisites

  • Cluster installed in manual credentials mode with GCP Workload Identity configured.
    • This means you already have the ccoctl CLI from that install step, plus the workload identity pool and provider created for the cluster; ccoctl reuses them below.

Create CredentialsRequest for the velero service account

  • Create oadp-credrequest dir

    mkdir -p oadp-credrequest
  • Create credrequest.yaml

    echo 'apiVersion: cloudcredential.openshift.io/v1
    kind: CredentialsRequest
    metadata:
      name: obs-gcs
      namespace: openshift-cloud-credential-operator
    spec:
      providerSpec:
        apiVersion: cloudcredential.openshift.io/v1
        kind: GCPProviderSpec
        # These are IAM permissions, not predefined roles; ccoctl grants them
        # through a custom role. Listing them under predefinedRoles fails.
        permissions:
        - compute.disks.get
        - compute.disks.create
        - compute.disks.createSnapshot
        - compute.snapshots.get
        - compute.snapshots.create
        - compute.snapshots.useReadOnly
        - compute.snapshots.delete
        - compute.zones.get
        - storage.objects.create
        - storage.objects.delete
        - storage.objects.get
        - storage.objects.list
        - iam.serviceAccounts.signBlob
        skipServiceCheck: true
      secretRef:
        name: cloud-credentials-gcp
        namespace: openshift-adp
      serviceAccountNames:
      - velero
    ' > oadp-credrequest/credrequest.yaml
  • Use ccoctl to create the GCP service account, grant it the requested permissions and generate the secret manifest, pointing it at the oadp-credrequest dir

    ccoctl gcp create-service-accounts --name=<name> --project=<gcp-project-id> --credentials-requests-dir=oadp-credrequest --workload-identity-pool=<pool-id> --workload-identity-provider=<provider-id>

    ccoctl writes the Secret manifest for cloud-credentials-gcp under manifests/ in its output directory (the current directory unless --output-dir is given). Apply it with oc apply -f manifests/ once the openshift-adp namespace exists, i.e. after the operator install in the next step. The secret holds a Workload Identity Federation configuration, not a downloaded service account key.

    ccoctl reference

  • 4.3.4.1. Installing the OADP Operator

  • Skip to 4.3.4.5. Installing the Data Protection Application to create the Data Protection Application

  • (Optional) If you hit issues with self-signed certificates or CPU limits, go back to 4.3.4.4. Configuring the Data Protection Application
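The CredentialsRequest and ccoctl steps above as one script, with a check that what ccoctl produced is really a Workload Identity Federation configuration (an external_account config exchanging the pod's projected OpenShift token) and not a long-lived service account key. This is an added example, not code from the OADP project or this wiki. The --name, project, pool, provider and output directory values are placeholders, and the manifest check assumes ccoctl emits the JSON as readable stringData.

```shell
#!/bin/sh
# Added example (not the OADP project's own code). Writes the CredentialsRequest,
# runs ccoctl, and verifies the generated credential is a WIF config.
set -eu

NAME="${NAME:-oadp}"                     # assumed value for ccoctl --name
PROJECT="${PROJECT:-my-gcp-project}"     # assumed GCP project id
POOL="${POOL:-my-wif-pool}"              # assumed workload identity pool id
PROVIDER="${PROVIDER:-my-wif-provider}"  # assumed workload identity provider id
REQ_DIR="${REQ_DIR:-oadp-credrequest}"
OUT_DIR="${OUT_DIR:-oadp-ccoctl-out}"    # assumed ccoctl --output-dir

# Permissions Velero needs for GCS object storage and PD snapshots
# (the same list as the CredentialsRequest on this page).
OADP_PERMISSIONS="compute.disks.get compute.disks.create compute.disks.createSnapshot \
compute.snapshots.get compute.snapshots.create compute.snapshots.useReadOnly \
compute.snapshots.delete compute.zones.get storage.objects.create \
storage.objects.delete storage.objects.get storage.objects.list \
iam.serviceAccounts.signBlob"

# Write the CredentialsRequest for the velero service account to $1/credrequest.yaml
# and print the path.
write_credrequest() {
  dir="$1"
  mkdir -p "$dir"
  {
    cat <<EOF
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: obs-gcs
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    permissions:
EOF
    for p in $OADP_PERMISSIONS; do printf '    - %s\n' "$p"; done
    cat <<EOF
    skipServiceCheck: true
  secretRef:
    name: cloud-credentials-gcp
    namespace: openshift-adp
  serviceAccountNames:
  - velero
EOF
  } > "$dir/credrequest.yaml"
  echo "$dir/credrequest.yaml"
}

# Return 0 only if the file is an external_account config that exchanges the
# pod's projected OpenShift token at STS, and carries no private key material.
check_wif_credentials() {
  f="$1"
  grep -Eq '"type" *: *"external_account"' "$f" || return 1
  grep -Eq '"token_url" *: *"https://sts\.googleapis\.com/' "$f" || return 1
  grep -q '/var/run/secrets/openshift/serviceaccount/token' "$f" || return 1
  if grep -q '"private_key' "$f"; then return 1; fi   # a downloaded SA key, not WIF
  return 0
}

# Run ccoctl and check every manifest it wrote. Needs ccoctl and GCP access,
# so this is only invoked when the script is run with the argument "run".
run_ccoctl_and_verify() {
  write_credrequest "$REQ_DIR" >/dev/null
  ccoctl gcp create-service-accounts --name="$NAME" --project="$PROJECT" \
    --credentials-requests-dir="$REQ_DIR" \
    --workload-identity-pool="$POOL" --workload-identity-provider="$PROVIDER" \
    --output-dir="$OUT_DIR"
  # Assumption: the Secret manifests under manifests/ carry the JSON as stringData,
  # so the text can be checked directly. If they used base64 data:, decode first.
  for m in "$OUT_DIR"/manifests/*.yaml; do
    check_wif_credentials "$m" || { echo "not a WIF credential: $m" >&2; return 1; }
  done
  echo "ok: apply with: oc apply -f $OUT_DIR/manifests/"
}

if [ "${1:-}" = "run" ]; then run_ccoctl_and_verify; fi
```

Run it as `sh wif-check.sh run` after installing the operator; the private_key check is the one that matters for security, since a service account key pasted into the secret would work for Velero but defeats the purpose of WIF.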

If you get errors when backing up ImageStreamTags, you can disable image backup with backupImages: false in the DataProtectionApplication:

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: example
spec:
  backupImages: false