Setting up the Velero plugin for Google Cloud Platform
Prerequisites
Create a GKE cluster
Install the gcloud and gsutil CLIs locally on your machine
Setup
Perform the following operations to connect to the GCP project:
gcloud auth login
Ensure the current project is set to your specific project:
gcloud config set project <PROJECT_ID>
Store the following values in environment variables (no space after the equals sign, otherwise the variable is left empty):
export BUCKET=<Bucket Name>
export PROJECT_ID=<Project ID>
Create a GCS bucket
Velero requires an object storage bucket in which to store backups, preferably unique to a single Kubernetes cluster.
Create Google Service Account (GSA):
GSA_NAME=velero
gcloud iam service-accounts create $GSA_NAME \
--display-name "Velero service account"
List all service accounts:
gcloud iam service-accounts list
export SERVICE_ACCOUNT_EMAIL=<email of the GSA created above>
Create Custom Role with Permissions for the Velero GSA:
ROLE_PERMISSIONS=(
compute.disks.get
compute.disks.create
compute.disks.createSnapshot
compute.snapshots.get
compute.snapshots.create
compute.snapshots.useReadOnly
compute.snapshots.delete
compute.zones.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
)
gcloud iam roles create velero.server \
--project $PROJECT_ID \
--title "<Velero.server>" \
--permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:$SERVICE_ACCOUNT_EMAIL \
--role projects/$PROJECT_ID/roles/velero.server
gsutil iam ch \
serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://${BUCKET}
Create a service account key, specifying an output file (credentials-velero) in your local directory:
gcloud iam service-accounts keys create credentials-velero \
--iam-account $SERVICE_ACCOUNT_EMAIL
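The steps above depend on three exported variables and on the downloaded key file, and a mistake in any of them (an empty BUCKET, a GSA from the wrong project, a world-readable key) only surfaces later in Velero logs. The following preflight script is an added example, not part of the CloudCasa or Velero documentation; it checks those inputs with plain POSIX sh before any gcloud or gsutil command is run, using the variable and file names the page uses (BUCKET, PROJECT_ID, SERVICE_ACCOUNT_EMAIL, credentials-velero).

```shell
#!/bin/sh
# Added preflight check, not part of the CloudCasa or Velero documentation. It
# validates what the procedure above relies on before any gcloud/gsutil call:
# the exported variables and the key file. Names follow the page.

# GCS bucket names: 3-63 chars, lowercase letters, digits, '-', '_' and '.',
# starting and ending with a letter or digit.
validate_bucket_name() {
  b="$1"
  [ -n "$b" ] || { echo "BUCKET is empty (a space after '=' leaves it unset)" >&2; return 1; }
  [ "${#b}" -ge 3 ] && [ "${#b}" -le 63 ] || { echo "BUCKET length out of range: $b" >&2; return 1; }
  case "$b" in
    *[!a-z0-9._-]*) echo "BUCKET contains invalid characters: $b" >&2; return 1 ;;
    [a-z0-9]*[a-z0-9]) return 0 ;;
    *) echo "BUCKET must start and end with a letter or digit: $b" >&2; return 1 ;;
  esac
}

# Sanity-check that the GSA e-mail is an account of the project the custom
# role and the IAM binding above target (velero@<PROJECT_ID>.iam.gserviceaccount.com).
validate_sa_email() {
  email="$1"; project="$2"
  [ -n "$project" ] || { echo "PROJECT_ID is empty" >&2; return 1; }
  case "$email" in
    *@"$project".iam.gserviceaccount.com) return 0 ;;
    *) echo "SERVICE_ACCOUNT_EMAIL '$email' is not a GSA of project '$project'" >&2; return 1 ;;
  esac
}

# The key file is a long-lived credential: it must exist, be a service account
# key, and be readable by its owner only.
check_key_file() {
  f="$1"
  [ -f "$f" ] || { echo "key file '$f' not found" >&2; return 1; }
  grep -q '"type": *"service_account"' "$f" || { echo "'$f' is not a service account key" >&2; return 1; }
  case "$(ls -ld "$f" | cut -c5-10)" in
    ------) return 0 ;;
    *) echo "'$f' is group/world accessible; run: chmod 600 '$f'" >&2; return 1 ;;
  esac
}

# Run every check; stops at the first failure and returns non-zero.
preflight() {
  validate_bucket_name "${BUCKET:-}" &&
  validate_sa_email "${SERVICE_ACCOUNT_EMAIL:-}" "${PROJECT_ID:-}" &&
  check_key_file "${1:-credentials-velero}"
}

# Invoke directly as:  sh preflight.sh credentials-velero
[ $# -gt 0 ] && { preflight "$1" || exit 1; }
```

Run it from the directory holding credentials-velero after the export lines; a non-zero exit means one of the later gcloud, gsutil or kubectl steps would have used a wrong or unsafe input.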
Create the Credentials
kubectl create secret generic -n cloudcasa-io vsl-credentials \
--from-file=gcp=<path to the credentials-velero file>
kubectl -n cloudcasa-io label secrets vsl-credentials