openshift/openshift-docs
1
0
Fork 0
mirror of https://github.com/openshift/openshift-docs.git synced 2026-02-05 12:46:18 +01:00
Code Issues Releases Activity
Files
cef577401311e24b1b88fcc46f31e8fbbd99a894
openshift-docs/modules/migration-configuring-gcp.adoc
Ben Scott 0ca20e31a1 gcp-first replacement
2025-10-28 14:54:43 -04:00

148 lines
3.6 KiB
Plaintext
Raw Blame History

// Module included in the following assemblies:
//
// * migrating_from_ocp_3_to_4/installing-3-4.adoc
// * migration_toolkit_for_containers/installing-mtc.adoc
// * backup_and_restore/application_backup_and_restore/installing/installing-oadp-gcp.adoc
:_mod-docs-content-type: PROCEDURE
[id="migration-configuring-gcp_{context}"]
= Configuring {gcp-full}
[role="_abstract"]
ifdef::installing-3-4,installing-mtc[]
You configure a {gcp-first} storage bucket as a replication repository for the {mtc-first}.
endif::[]
ifdef::installing-oadp-gcp[]
You configure {gcp-first} for the OpenShift API for Data Protection (OADP).
endif::[]
.Prerequisites
* You must have the `gcloud` and `gsutil` CLI tools installed. See the link:https://cloud.google.com/sdk/docs/[Google cloud documentation] for details.
ifdef::installing-3-4,installing-mtc[]
* The {gcp-short} storage bucket must be accessible to the source and target clusters.
* If you are using the snapshot copy method:
** The source and target clusters must be in the same region.
** The source and target clusters must have the same storage class.
** The storage class must be compatible with snapshots.
endif::[]
.Procedure
. Log in to {gcp-short}:
+
[source,terminal]
----
$ gcloud auth login
----
. Set the `BUCKET` variable:
+
[source,terminal]
----
$ BUCKET=<bucket> <1>
----
<1> Specify your bucket name.
. Create the storage bucket:
+
[source,terminal]
----
$ gsutil mb gs://$BUCKET/
----
. Set the `PROJECT_ID` variable to your active project:
+
[source,terminal]
----
$ PROJECT_ID=$(gcloud config get-value project)
----
. Create a service account:
+
[source,terminal]
----
$ gcloud iam service-accounts create velero \
--display-name "Velero service account"
----
. List your service accounts:
+
[source,terminal]
----
$ gcloud iam service-accounts list
----
. Set the `SERVICE_ACCOUNT_EMAIL` variable to match its `email` value:
+
[source,terminal]
----
$ SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \
--filter="displayName:Velero service account" \
--format 'value(email)')
----
. Attach the policies to give the `velero` user the minimum necessary permissions:
+
[source,terminal]
----
$ ROLE_PERMISSIONS=(
compute.disks.get
compute.disks.create
compute.disks.createSnapshot
compute.snapshots.get
compute.snapshots.create
compute.snapshots.useReadOnly
compute.snapshots.delete
compute.zones.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
iam.serviceAccounts.signBlob
)
----
. Create the `velero.server` custom role:
+
[source,terminal]
----
$ gcloud iam roles create velero.server \
--project $PROJECT_ID \
--title "Velero Server" \
--permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"
----
. Add IAM policy binding to the project:
+
[source,terminal]
----
$ gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:$SERVICE_ACCOUNT_EMAIL \
--role projects/$PROJECT_ID/roles/velero.server
----
. Update the IAM service account:
+
[source,terminal]
----
$ gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://${BUCKET}
----
. Save the IAM service account keys to the `credentials-velero` file in the current directory:
+
[source,terminal]
----
$ gcloud iam service-accounts keys create credentials-velero \
--iam-account $SERVICE_ACCOUNT_EMAIL
----
ifdef::installing-3-4,installing-mtc[]
+
You use the `credentials-velero` file to add {gcp-short} as a replication repository.
endif::[]
ifdef::installing-oadp-gcp[]
+
You use the `credentials-velero` file to create a `Secret` object for {gcp-short} before you install the Data Protection Application.
endif::[]
View Git Blame Copy Permalink