
GCP WIF Authentication on OpenShift

Tiger Kaovilai edited this page Apr 10, 2023 · 15 revisions

Using WIF to authenticate OADP-Operator

Prerequisites

  • Cluster installed in manual mode with GCP Workload Identity configured.
    • This means you should already have the ccoctl CLI from that step, plus access to the associated workload identity pool.

Create Credential Request for

  • Create oadp-credrequest dir

    mkdir -p oadp-credrequest
  • Create credrequest.yaml

    echo 'apiVersion: cloudcredential.openshift.io/v1
    kind: CredentialsRequest
    metadata:
      name: obs-gcs
      namespace: openshift-cloud-credential-operator
    spec:
      providerSpec:
        apiVersion: cloudcredential.openshift.io/v1
        kind: GCPProviderSpec
        predefinedRoles:
        - roles/compute.disks.get
        - roles/compute.disks.create
        - roles/compute.disks.createSnapshot
        - roles/compute.snapshots.get
        - roles/compute.snapshots.create
        - roles/compute.snapshots.useReadOnly
        - roles/compute.snapshots.delete
        - roles/compute.zones.get
        - roles/storage.objects.create
        - roles/storage.objects.delete
        - roles/storage.objects.get
        - roles/storage.objects.list
        - roles/iam.serviceAccounts.signBlob
        skipServiceCheck: true
      secretRef:
        name: cloud-credentials-gcp
        namespace: openshift-adp
      serviceAccountNames:
      - velero
    ' > oadp-credrequest/credrequest.yaml
  • Use ccoctl to create the service accounts for the credentials request, pointing it at the oadp-credrequest dir

    ccoctl gcp create-service-accounts --name=<name> --project=<gcp-project-id> --credentials-requests-dir=<path-to-directory-with-list-of-credentials-requests> --workload-identity-pool=<pool-id> --workload-identity-provider=<provider-id>

    ccoctl reference
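A pre-flight lint for credrequest.yaml before it is handed to ccoctl, added here as an example and not part of the OADP wiki or ccoctl. It checks that the request stays within the narrow roles the page lists (no GCP basic roles), that the secret lands in openshift-adp, and that the velero service account is named; the sample manifests are constructed and the basic-role list is an assumption.

```shell
#!/bin/sh
# Added example (not from the OADP wiki): lint a CredentialsRequest before ccoctl.

# Constructed sample: the page's CredentialsRequest with the intended YAML nesting.
GOOD_CR=$(cat <<'EOF'
apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: obs-gcs
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    predefinedRoles:
    - roles/compute.disks.get
    - roles/storage.objects.get
    - roles/iam.serviceAccounts.signBlob
    skipServiceCheck: true
  secretRef:
    name: cloud-credentials-gcp
    namespace: openshift-adp
  serviceAccountNames:
  - velero
EOF
)
# Constructed bad sample: same request with a project-wide basic role slipped in.
BAD_CR=$(printf '%s\n' "$GOOD_CR" | sed 's#- roles/compute.disks.get#- roles/owner#')

# lint_credrequest FILE: returns 0 when every check passes, 1 otherwise.
lint_credrequest() {
  f=$1; rc=0
  grep -q '^ *kind: GCPProviderSpec$' "$f" || { echo "not a GCPProviderSpec"; rc=1; }
  # Basic roles (assumed list) grant far more than the Velero service account needs.
  if grep -Eq '^ *- roles/(owner|editor|viewer)$' "$f"; then
    echo "basic role present; keep to the narrow roles from the page"; rc=1
  fi
  # The secret must be created in openshift-adp, where Velero reads it.
  awk '/^  secretRef:/{s=1;next} s&&/^    namespace:/{print $2;exit}' "$f" \
    | grep -qx openshift-adp || { echo "secretRef namespace is not openshift-adp"; rc=1; }
  # The velero service account must be the one bound to the workload identity pool.
  awk '/^  serviceAccountNames:/{s=1;next} s&&/^  - /{print $2}' "$f" \
    | grep -qx velero || { echo "velero missing from serviceAccountNames"; rc=1; }
  return $rc
}

tmp=$(mktemp); printf '%s\n' "$GOOD_CR" > "$tmp"
lint_credrequest "$tmp" && echo "credrequest.yaml passes lint"
rm -f "$tmp"
```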

  • 4.3.4.1. Installing the OADP Operator

  • Skip to 4.3.4.5. Installing the Data Protection Application to create Data Protection Application

  • (Optional) If you hit issues with self signed certs or cpu issues you can go back to 4.3.4.4. Configuring the Data Protection Application
