New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
OADP-1225 Add configs to support Google WIF Authentication in OADP Operator #904
Conversation
730827f
to
80a950d
Compare
/retest |
0edb424
to
0747309
Compare
pluginSpecificMap no secret check minor fix, it was not using the short plugin name ie. `gcp` to match but the full long plugin name. NoSecret test updates
0fcf5ce
to
28d151e
Compare
providerNeedsDefaultCreds[psf.PluginName] = needDefaultCred | ||
providerNeedsDefaultCreds[string(provider)] = needDefaultCred |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This fixes the provider name used from velero-plugin-for-gcp
to gcp
which is what functions using value returned by this function expected.
/retest |
Looks like service account is not managed by OADP Operator. User can annotate them outside DPA. Velero SA is installed via OLM via the operator bundle. |
ReconcileVeleroServiceAccount ReconcileVeleroCRDs InstallVeleroCRDs ReconcileVeleroClusterRoleBinding
bdccd37
to
d122b19
Compare
@kaovilai: all tests passed! Full PR test history. Your PR dashboard. Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository. I understand the commands that are listed here. |
Ways to use WIF in clusters
|
@kaovilai so perhaps we don't need these changes iiuc? Pending feedback from customer should we hold this PR? |
yes. |
OADP-1225
We want to enable keyless cloud providers credentials like Google WIF.
SAAnnotations for Google WIF support can be added to velero SA using
oc annotate
Verification steps
make deploy-olm
against this branchopenshift-adp
as the namespace to create resources in.# TODO:
Notes:
We are using ConfigConnector to create, acquire, and/or delete bucket resources which after configconnector is installed can be done via creating
storagebuckets.storage.cnrm.cloud.google.com
CustomResourceWe create the following
If everything goes well, the configconnector updates this object to something like
This confirms configconnector is able to acquire this resource.
Acronyms:
Configure applications to use Workload identity, step 4. where we will use existing serviceaccounts by creating following resource with intended service accounts to use to access our buckets
https://cloud.google.com/kubernetes-engine/docs/how-to/workload-identity#config-connector
Perhaps this step means we can use a different GSA (team specific) to access buckets than the one used to install configconnector (admin GSA that can impersonate other lower level GSAs).
We need a cluster admin to install ConfigConnector anyways since its a clusterwide operator.
Follow their step 5.: Double check that this serviceaccount [GSA_NAME] has the roles necessary to access the bucket (and to take native snapshots?) resource.
Follow their step 6. Allow the Kubernetes service account to impersonate the IAM service account using ConfigConnector to use existing GSA with our KSA
Follow their step 7. Annotate the Kubernetes service account with the email address of the IAM service account.
Follow their step 8. Update your Pod spec to schedule the workloads on nodes that use Workload Identity and to use the annotated Kubernetes service account.
Note that the nodeSelector may not apply to us, since we are not a gke cluster, and installed configconnector
Follow their step 9. Apply the updated configuration to your cluster:
verify setup
🤞 Use Workload Identity from your code
TODO: