Velero Operator: integrate with a Google Kubernetes cluster

Integrate with a GCP Kubernetes cluster

This guide describes how to back up and restore with Charmed Velero on a GCP cluster. Charmed Velero uses the credentials provided by gcs-integrator to reach the GCS bucket, and Compute Engine persistent-disk (PD) snapshots for backing up volumes.

Requirements

  • A GCP Juju controller.
  • A GCS bucket unique to the cluster.
  • gcloud and gsutil CLI installed and configured.

Set permissions with a GCP service account

Create a dedicated GCP service account and grant it only the minimum GCS and Compute Engine permissions, following these steps.

  1. Set environment variables:

    export PROJECT_ID=$(gcloud config get-value project)
    export BUCKET=velero
    export SA_NAME=velero
    
  2. Create the service account:

    gcloud iam service-accounts create $SA_NAME \
      --display-name "Velero service account"
    
  3. Create and assign the required roles:

    SA_EMAIL=$(gcloud iam service-accounts list \
      --filter="displayName:Velero service account" \
      --format="value(email)")
    
    ROLE_PERMISSIONS=(
      compute.disks.createSnapshot
      compute.disks.get
      compute.disks.setLabels
      compute.projects.get
      compute.snapshots.create
      compute.snapshots.delete
      compute.snapshots.get
      compute.snapshots.setLabels
      compute.snapshots.useReadOnly
      compute.zones.get
      iam.serviceAccounts.signBlob
      storage.objects.create
      storage.objects.delete
      storage.objects.get
      storage.objects.list
    )
    
    gcloud iam roles create velero.server \
        --project $PROJECT_ID \
        --title "Velero Server" \
        --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"
    
    gcloud projects add-iam-policy-binding $PROJECT_ID \
        --member serviceAccount:$SA_EMAIL \
        --role projects/$PROJECT_ID/roles/velero.server
    
  4. Create and download a JSON key file:

    gcloud iam service-accounts keys create credentials.json \
      --iam-account $SA_EMAIL
    

    Save the path to credentials.json for the next steps.
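As an added check that is not part of this guide, the following shell script compares the permissions actually present on the velero.server custom role with the list in step 3, so that any drift from the least-privilege set (an extra permission added later, or one that was dropped) is caught. It assumes the role is read with the default YAML output of `gcloud iam roles describe`; the sample YAML embedded below is constructed, and the names check_role_permissions and sample_role_yaml are the script's own.

```shell
# Added check (not from the guide): compare the permissions actually present on
# the velero.server custom role with the least-privilege list from step 3.
# Prints "EXTRA <perm>" / "MISSING <perm>" lines and returns 1 on any drift.
EXPECTED_PERMISSIONS="compute.disks.createSnapshot
compute.disks.get
compute.disks.setLabels
compute.projects.get
compute.snapshots.create
compute.snapshots.delete
compute.snapshots.get
compute.snapshots.setLabels
compute.snapshots.useReadOnly
compute.zones.get
iam.serviceAccounts.signBlob
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list"

# Pull the "- <perm>" entries under includedPermissions: out of the YAML on stdin.
role_permissions() {
  awk '/^includedPermissions:/ { f = 1; next }
       /^[^ -]/ { f = 0 }
       f && /^- / { print $2 }' | sort -u
}

# Diff the YAML on stdin against EXPECTED_PERMISSIONS; exit status 1 if they differ.
check_role_permissions() {
  role_permissions | awk -v expected="$EXPECTED_PERMISSIONS" '
    BEGIN { n = split(expected, e, "\n"); for (i = 1; i <= n; i++) want[e[i]] = 1 }
    { if ($1 in want) seen[$1] = 1; else { print "EXTRA " $1; drift = 1 } }
    END { for (p in want) if (!(p in seen)) { print "MISSING " p; drift = 1 }; exit drift }'
}

# Constructed sample in the shape of `gcloud iam roles describe` output: it carries one
# permission beyond the list (storage.buckets.delete) and lacks most of the list.
sample_role_yaml() {
  cat <<'EOF'
includedPermissions:
- compute.disks.createSnapshot
- compute.disks.get
- compute.snapshots.create
- storage.buckets.delete
name: projects/example-project/roles/velero.server
title: Velero Server
EOF
}
# Real use: gcloud iam roles describe velero.server --project "$PROJECT_ID" | check_role_permissions
sample_role_yaml | check_role_permissions || echo "sample role drifts from the expected list"
```

Run it again after any later change to the role, or from a scheduled job, to confirm the service account still carries exactly the permissions listed above.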

Create the GCS bucket

gsutil mb -p $PROJECT_ID gs://$BUCKET

Grant the service account access to the bucket:

gsutil iam ch serviceAccount:$SA_EMAIL:objectAdmin gs://$BUCKET

Deploy and configure the GCS-Integrator charm

Use the service account key retrieved above to configure gcs-integrator. This allows Charmed Velero to access the GCS bucket and leverage Compute Engine persistent-disk snapshots.

  1. Deploy the integrator:

    juju deploy gcs-integrator --channel 1/edge
    
  2. Store the service account key as a Juju secret and grant it to the integrator:

    SECRET_URI=$(juju add-secret gcs-sa-secret secret-key="$(cat credentials.json)" | tr -d '\n')
    
    juju grant-secret gcs-sa-secret gcs-integrator
    
  3. Configure the bucket and credentials:

    juju config gcs-integrator \
      bucket="$BUCKET" \
      credentials="$SECRET_URI"
    

Both the bucket and credentials options are mandatory; the integrator should reach active status once they are set correctly.

Deploy Velero and relate to the GCS-Integrator

Deploy Charmed Velero and integrate it with gcs-integrator as follows:

juju deploy velero-operator --trust
juju integrate gcs-integrator velero-operator

The relation supplies the bucket name and service account credentials to Velero, and Charmed Velero configures the GCP plugin accordingly. Once both charms are ready, the cluster is ready for backup and restore.

See the gcs-integrator charm and the Velero plugin for GCP documentation for more details.