Merge pull request #66071 from CarmiWisemon/OADP1309GCPWIF

kcarmichael08 · web-flow · commit da01de95652b · 2023-11-21T08:47:39.000-05:00
diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-gcp.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-gcp.adoc
@@ -31,6 +31,8 @@ You can configure the Data Protection Application by setting Velero resource all
 include::modules/oadp-setting-resource-limits-and-requests.adoc[leveloffset=+2]
 include::modules/oadp-self-signed-certificate.adoc[leveloffset=+2]
 
+include::modules/oadp-gcp-wif-cloud-authentication.adoc[leveloffset=+1]
+
 include::modules/oadp-installing-dpa.adoc[leveloffset=+1]
 include::modules/oadp-enabling-csi-dpa.adoc[leveloffset=+2]
 
diff --git a/modules/oadp-gcp-wif-cloud-authentication.adoc b/modules/oadp-gcp-wif-cloud-authentication.adoc
@@ -0,0 +1,95 @@
+// Module included in the following assemblies:
+//
+// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-gcp.adoc
+
+:_content-type: PROCEDURE
+[id="oadp-gcp-wif-cloud-authentication_{context}"]
+= Google workload identity federation cloud authentication
+
+Applications running outside Google Cloud use service account keys, such as usernames and passwords, to gain access to Google Cloud resources. These service account keys might become a security risk if they are not properly managed.
+
+With Google's workload identity federation you can use Identity and Access Management (IAM) to offer external identities IAM roles, including the ability to impersonate service accounts. This eliminates the maintenance and security risks associated with service account keys.
+
+Workload identity federation handles encrypting and decrypting certificates, extracting user attributes, and validation. Identity federation externalizes authentication, passing it over to Security Token Services (STS), and reduces the demands on individual developers. Authorization and controlling access to resources remain the responsibility of the application.
+
+[NOTE]
+====
+Google workload identity federation is available for OADP 1.3.x and later.
+====
+
+If you do not use Google workload identity federation cloud authentication, continue to _Installing the Data Protection Application_.
+
+.Prerequisites
+
+* You have installed a cluster in manual mode with link:https://docs.openshift.com/container-platform/4.14/installing/installing_gcp/installing-gcp-customizations.html#installing-gcp-with-short-term-creds_installing-gcp-customizations[GCP Workload Identity configured].
+* You have access to the Cloud Credential Operator utility (`ccoctl`) and to the associated workload identity pool.
+
+.Procedure
+
+. Create an `oadp-credrequest` directory by running the following command:
++
+[source,terminal]
+----
+$ mkdir -p oadp-credrequest
+----
+. Create a `CredentialsRequest.yaml` file as following:
++
+[source,yaml]
+----
+echo 'apiVersion: cloudcredential.openshift.io/v1
+kind: CredentialsRequest
+metadata:
+  name: oadp-operator-credentials
+  namespace: openshift-cloud-credential-operator
+spec:
+  providerSpec:
+    apiVersion: cloudcredential.openshift.io/v1
+    kind: GCPProviderSpec
+    permissions:
+    - compute.disks.get
+    - compute.disks.create
+    - compute.disks.createSnapshot
+    - compute.snapshots.get
+    - compute.snapshots.create
+    - compute.snapshots.useReadOnly
+    - compute.snapshots.delete
+    - compute.zones.get
+    - storage.objects.create
+    - storage.objects.delete
+    - storage.objects.get
+    - storage.objects.list
+    - iam.serviceAccounts.signBlob
+    skipServiceCheck: true
+  secretRef:
+    name: cloud-credentials-gcp
+    namespace: <OPERATOR_INSTALL_NS>
+  serviceAccountNames:
+  - velero
+' > oadp-credrequest/credrequest.yaml
+----
+. Use the `ccoctl` utility to process the `CredentialsRequest` objects in the `oadp-credrequest` directory by running the following command:
++
+[source,terminal]
+----
+$ ccoctl gcp create-service-accounts \
+    --name=<name> \
+    --project=<gcp_project_id> \
+    --credentials-requests-dir=oadp-credrequest \
+    --workload-identity-pool=<pool_id> \
+    --workload-identity-provider=<provider_id>
+----
+The `manifests/openshift-adp-cloud-credentials-gcp-credentials.yaml` file is now available to use in the following steps.
+. Create a namespace by running the following command:
++
+[source,terminal]
+----
+$ oc create namespace <OPERATOR_INSTALL_NS>
+----
+. Apply the credentials to the namespace by running the following command:
++
+[source,terminal]
+----
+$ oc apply -f manifests/openshift-adp-cloud-credentials-gcp-credentials.yaml
+----
+
+
diff --git a/modules/oadp-installing-dpa.adoc b/modules/oadp-installing-dpa.adoc
@@ -181,28 +181,29 @@ spec:
         provider: {provider}
         default: true
         credential:
-          key: cloud
-          name: {credentials} <5>
+          key: cloud <5>
+          name: {credentials} <6>
         objectStorage:
-          bucket: <bucket_name> <6>
-          prefix: <prefix> <7>
-  snapshotLocations: <8>
+          bucket: <bucket_name> <7>
+          prefix: <prefix> <8>
+  snapshotLocations: <9>
     - velero:
         provider: {provider}
         default: true
         config:
           project: <project>
-          snapshotLocation: us-west1 <9>
+          snapshotLocation: us-west1 <10>
 ----
 <1> The `openshift` plugin is mandatory.
 <2> Specify how many minutes to wait for several Velero resources before timeout occurs, such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability. The default is 10m.
 <3> Set this value to `false` if you want to disable the Restic installation. Restic deploys a daemon set, which means that Restic pods run on each working node. In OADP version 1.2 and later, you can configure Restic for backups by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. In OADP version 1.1, add `spec.defaultVolumesToRestic: true` to the `Backup` CR.
 <4> Specify on which nodes Restic is available. By default, Restic runs on all nodes.
-<5> If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the backup location.
-<6> Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix.
-<7> Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes.
-<8> Specify a snapshot location, unless you use CSI snapshots or Restic to back up PVs.
-<9> The snapshot location must be in the same region as the PVs.
+<5> Secret key that contain credentials. For Google workload identity federation cloud authentication use `service_account.json`.
+<6> Secret name that contains credentials. If you do not specify this value, the default name, `{credentials}`, is used.
+<7> Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix.
+<8> Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes.
+<9> Specify a snapshot location, unless you use CSI snapshots or Restic to back up PVs.
+<10> The snapshot location must be in the same region as the PVs.
 endif::[]
 ifdef::installing-oadp-mcg[]
 +
