The following instructions are based on the Velero Plugin for Google Cloud Platform (GCP) instructions.
These steps assume the user has installed the gcloud Command-Line Interface (CLI) and gsutil tool and has the necessary permissions to perform the steps below.
The following items are required to create the Velero bucket via a GCP Bucket:
If these items are already complete, jump to the step Install Velero In the Wallaroo GCP Kubernetes Cluster.
Create the GCS bucket for storing the Wallaroo backups and restores with the following command. Replace the value of the $BUCKET_NAME variable based on your organization’s requirements.
BUCKET_NAME=<YOUR_BUCKET>
gsutil mb gs://$BUCKET_NAME/
Create the Google Service Account for the Velero service using the following commands:
Retrieve your organization’s GCP Project ID and store it in the PROJECT_ID variable. Note that this retrieves the default project ID for the gcloud configuration. Replace it with the actual GCP Project ID as required.
PROJECT_ID=$(gcloud config get-value project)
Create the service account. Update the $GSA_NAME variable based on the organization’s requirements.
GSA_NAME=velero
gcloud iam service-accounts create $GSA_NAME \
--display-name "Velero service account"
Use gcloud iam service-accounts list to list the service accounts.
gcloud iam service-accounts list
DISPLAY NAME EMAIL DISABLED
Velero service account veleroexample.iam.gserviceaccount.com False
Select the email address for the new Velero service account and set the variable SERVICE_ACCOUNT_EMAIL equal to the account’s email address:
SERVICE_ACCOUNT_EMAIL=veleroexample.iam.gserviceaccount.com
Create a Custom Role with the following minimum permissions, and bind it to the new Velero service account. The ROLE needs to be unique and DNS compliant.
ROLE="velero.server"
TITLE="Velero Server"
ROLE_PERMISSIONS=(
compute.disks.get
compute.disks.create
compute.disks.createSnapshot
compute.snapshots.get
compute.snapshots.create
compute.snapshots.useReadOnly
compute.snapshots.delete
compute.zones.get
storage.objects.create
storage.objects.delete
storage.objects.get
storage.objects.list
iam.serviceAccounts.signBlob
)
gcloud iam roles create $ROLE \
--project $PROJECT_ID \
--title "$TITLE" \
--permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"
gcloud projects add-iam-policy-binding $PROJECT_ID \
--member serviceAccount:$SERVICE_ACCOUNT_EMAIL \
--role projects/$PROJECT_ID/roles/$ROLE
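To confirm later that the custom role still carries only the minimum permissions listed above, the following added example (not part of the original instructions or of Velero) compares the output of gcloud iam roles describe with that list. The function names, the sample YAML and the example-project ID are constructed for illustration, and the script assumes gcloud's default YAML output.

```shell
# Added example, not from the original page: drift check for the Velero role.
# Minimum permission set listed on this page.
EXPECTED_PERMISSIONS="compute.disks.get compute.disks.create \
compute.disks.createSnapshot compute.snapshots.get compute.snapshots.create \
compute.snapshots.useReadOnly compute.snapshots.delete compute.zones.get \
storage.objects.create storage.objects.delete storage.objects.get \
storage.objects.list iam.serviceAccounts.signBlob"

# Read role YAML on stdin; print its includedPermissions entries, one per line.
role_permissions() {
  awk '/^includedPermissions:/ { in_list = 1; next }
       in_list && /^ *- /      { print $2; next }
       in_list                 { in_list = 0 }'
}

# Print "EXTRA <perm>" for grants beyond the list and "MISSING <perm>" for
# listed permissions the role lacks. Exit status 1 means the role has drifted.
audit_role() {
  role_permissions | awk -v expected="$EXPECTED_PERMISSIONS" '
    BEGIN { n = split(expected, e, " "); for (i = 1; i <= n; i++) want[e[i]] = 1 }
    { have[$0] = 1; if (!($0 in want)) { print "EXTRA " $0; drift = 1 } }
    END { for (i = 1; i <= n; i++) if (!(e[i] in have)) { print "MISSING " e[i]; drift = 1 }
          exit drift + 0 }'
}

# Constructed sample output (hypothetical project): storage.buckets.delete was
# added to the role after creation and compute.snapshots.delete was removed.
sample_role_yaml() {
  cat <<'EOF'
includedPermissions:
- compute.disks.create
- compute.disks.createSnapshot
- compute.disks.get
- compute.snapshots.create
- compute.snapshots.get
- compute.snapshots.useReadOnly
- compute.zones.get
- iam.serviceAccounts.signBlob
- storage.buckets.delete
- storage.objects.create
- storage.objects.delete
- storage.objects.get
- storage.objects.list
name: projects/example-project/roles/velero.server
EOF
}

sample_role_yaml | audit_role || echo "role differs from the documented minimum"
```

Against a live project, pipe the real role description in instead of the sample: gcloud iam roles describe $ROLE --project $PROJECT_ID | audit_role.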
Bind the bucket to the new Service Account:
gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://${BUCKET_NAME}
There are multiple methods of granting the Velero service GCP access as detailed in the Plugins for Google Cloud Platform (GCP) Grant access to Velero steps. The following examples will use the Service Account Key method.
Create the Google Service Account Key, and store it in a secure location. In this example, it is stored in ~/.credentials-velero-gcp:
gcloud iam service-accounts keys create ~/.credentials-velero-gcp \
--iam-account $SERVICE_ACCOUNT_EMAIL
The following steps assume that the Google Service Account Key method was used in the Grant Velero Service GCP Access step. See the Plugins for Google Cloud Platform (GCP) Grant access to Velero for other methods.
To install the Velero service into the Kubernetes cluster hosting the Wallaroo service:
Verify the connection to the GCP Kubernetes cluster hosting the Wallaroo instance.
kubectl get nodes
NAME STATUS ROLES AGE VERSION
gke-wallaroodocs-ce-default-pool-5dd3c344-fxs3 Ready <none> 31s v1.23.14-gke.1800
gke-wallaroodocs-ce-default-pool-5dd3c344-q95a Ready <none> 25d v1.23.14-gke.1800
gke-wallaroodocs-ce-default-pool-5dd3c344-scmc Ready <none> 31s v1.23.14-gke.1800
gke-wallaroodocs-ce-default-pool-5dd3c344-wnkn Ready <none> 31s v1.23.14-gke.1800
Install Velero into the GCP Kubernetes cluster. This assumes the $BUCKET_NAME variable from earlier is still set and that the Google Service Account Key is stored in ~/.credentials-velero-gcp:
velero install \
--provider gcp \
--plugins velero/velero-plugin-for-gcp:v1.6.0 \
--bucket $BUCKET_NAME \
--secret-file ~/.credentials-velero-gcp \
--use-volume-snapshots=false \
--use-node-agent --wait
Once the install finishes, verify the installation by checking for the velero namespace in the Kubernetes cluster:
kubectl get namespaces
NAME STATUS AGE
default Active 222d
kube-node-lease Active 222d
kube-public Active 222d
kube-system Active 222d
velero Active 5m32s
wallaroo Active 7d23h
If using Kubernetes taints and tolerations for the Wallaroo installation, patch the node-agent DaemonSet in the velero namespace so that its pods tolerate all taints:
kubectl -n velero patch ds node-agent -p='{"spec": {"template": {"spec": {"tolerations":[{"operator": "Exists"}]}}}}'