@tioxy
Last active December 19, 2019 16:28
Configuring Velero for a Kubernetes cluster hosted in GCP
# Configuring Velero for a Kubernetes cluster hosted in GCP
# For in-depth details, check https://heptio.github.io/velero/master/gcp-config.html
export VELERO_FOLDER=/opt/velero
export BUCKET_NAME=k8s-cluster-velero # Use a different name
export PROJECT_ID=$(gcloud config get-value project)
# Create a GS bucket to store Object backups
gsutil mb gs://$BUCKET_NAME/
# Create GCP Service Account
gcloud iam service-accounts create velero \
    --display-name "Velero service account"
SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \
    --filter="displayName:Velero service account" \
    --format 'value(email)')
# Create IAM Role (a custom role limited to the disk/snapshot permissions Velero needs)
ROLE_PERMISSIONS=(
    compute.disks.get
    compute.disks.create
    compute.disks.createSnapshot
    compute.snapshots.get
    compute.snapshots.create
    compute.snapshots.useReadOnly
    compute.snapshots.delete
    compute.zones.get
)
gcloud iam roles create velero.server \
    --project $PROJECT_ID \
    --title "Velero Server" \
    --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"
# Bind IAM policy
gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \
    --role projects/$PROJECT_ID/roles/velero.server
# Change IAM permissions (objectAdmin on this bucket only, not project-wide storage access)
gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://$BUCKET_NAME
# Create "credentials-velero" file (a long-lived service account key: keep it out of
# version control and restrict its file permissions)
gcloud iam service-accounts keys create $VELERO_FOLDER/credentials-velero \
    --iam-account $SERVICE_ACCOUNT_EMAIL
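The script above grants the Velero service account a custom role with eight compute permissions. The following is an added example (it is not part of tioxy's gist and not Velero's own tooling) that shows two things a practitioner will want when maintaining that setup: the IFS join that turns a permission list into the comma-separated `--permissions` value, and an audit of an existing role description against the expected list, so that permissions later added to the role by hand show up as drift. The role descriptions below are constructed sample data in the YAML layout that `gcloud iam roles describe` prints; the etag and project are placeholders and no gcloud command is executed.

```shell
#!/bin/sh
# Added example, not part of the original gist: reproduce the --permissions join
# and audit a role description against the expected permission set.
# No gcloud command runs; the role descriptions are constructed samples in the
# YAML layout printed by `gcloud iam roles describe <role> --project <id>`.

# The least-privilege permission list from the gist's ROLE_PERMISSIONS array,
# kept as a whitespace-separated string so this stays POSIX sh.
VELERO_PERMISSIONS="compute.disks.get compute.disks.create compute.disks.createSnapshot
compute.snapshots.get compute.snapshots.create compute.snapshots.useReadOnly
compute.snapshots.delete compute.zones.get"

# Join the arguments with commas, the form `gcloud iam roles create --permissions`
# expects. The IFS change happens in a subshell so it never leaks into the caller;
# this is what the gist's "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")" does with a bash array.
join_permissions() {
  (IFS=","; echo "$*")
}

# Read a role description (YAML) on stdin and compare its includedPermissions with
# the expected list given as arguments. Prints "missing: <perm>" / "extra: <perm>"
# lines and returns 0 only on an exact match. Extra permissions are the finding that
# matters: a role widened by hand keeps working for Velero while quietly granting the
# service account (and its exported key file) more than the backup job needs.
check_role_permissions() {
  local actual p rc
  rc=0
  actual=$(awk '
    /^includedPermissions:/ { inlist = 1; next }
    inlist && /^[^- ]/      { inlist = 0 }
    inlist && /^ *- /       { sub(/^ *- */, ""); print }
  ' | sort)
  for p in "$@"; do
    printf '%s\n' "$actual" | grep -qx -- "$p" || { echo "missing: $p"; rc=1; }
  done
  for p in $actual; do
    printf '%s\n' "$@" | grep -qx -- "$p" || { echo "extra: $p"; rc=1; }
  done
  return $rc
}

# Constructed sample: exactly the permissions the gist grants.
SAMPLE_ROLE_OK='description: Velero Server
etag: PLACEHOLDER_ETAG
includedPermissions:
- compute.disks.create
- compute.disks.createSnapshot
- compute.disks.get
- compute.snapshots.create
- compute.snapshots.delete
- compute.snapshots.get
- compute.snapshots.useReadOnly
- compute.zones.get
name: projects/PLACEHOLDER_PROJECT/roles/velero.server
stage: ALPHA
title: Velero Server'

# Constructed sample of a drifted role: compute.zones.get was dropped and
# compute.instances.delete was added, which the snapshot workflow does not need.
SAMPLE_ROLE_DRIFT='description: Velero Server
etag: PLACEHOLDER_ETAG
includedPermissions:
- compute.disks.create
- compute.disks.createSnapshot
- compute.disks.get
- compute.instances.delete
- compute.snapshots.create
- compute.snapshots.delete
- compute.snapshots.get
- compute.snapshots.useReadOnly
name: projects/PLACEHOLDER_PROJECT/roles/velero.server
stage: ALPHA
title: Velero Server'

# Usage when run directly. Against a real project, pipe the output of
# `gcloud iam roles describe velero.server --project "$PROJECT_ID"` in instead.
echo "--permissions value: $(join_permissions $VELERO_PERMISSIONS)"
if printf '%s\n' "$SAMPLE_ROLE_OK" | check_role_permissions $VELERO_PERMISSIONS; then
  echo "sample role matches the expected permission set"
fi
if ! printf '%s\n' "$SAMPLE_ROLE_DRIFT" | check_role_permissions $VELERO_PERMISSIONS; then
  echo "drifted sample role does not match the expected permission set"
fi
```

The audit is deliberately strict in both directions: a missing permission breaks backups, an extra one widens what the exported `credentials-velero` key can do if it leaks, and both are worth a non-zero exit in a scheduled check.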
iborba commented Dec 16, 2019

Hello, I've made some changes in your file, because when I was trying to use it, I faced some problems.
The changes are in double asterisks.

Hope this helps

# Configuring Velero for a Kubernetes cluster hosted in GCP
# For in depth details, check https://heptio.github.io/velero/master/gcp-config.html

export VELERO_FOLDER=/opt/velero
export BUCKET_NAME=k8s-cluster-velero # Use a different name
export PROJECT_ID=$(gcloud config get-value project)

# Create a GS bucket to store Object backups
gsutil mb gs://$BUCKET_NAME/

# Create GCP Service Account
gcloud iam service-accounts create velero --display-name "Velero service account"

SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \
   --filter="displayName:Velero service account" \
   --format 'value(email)')

# Create IAM Role
gcloud **beta** iam roles create velero.server \
     --project $PROJECT_ID \
     --title "Velero Server" \
     --permissions compute.disks.get,compute.disks.create,compute.disks.createSnapshot,compute.snapshots.get,compute.snapshots.create,compute.snapshots.useReadOnly,compute.snapshots.delete,compute.zones.get

# Bind IAM policy
gcloud projects add-iam-policy-binding $PROJECT_ID --member serviceAccount:$SERVICE_ACCOUNT_EMAIL --role projects/$PROJECT_ID/roles/velero.server


# Change IAM permissions
gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin **gs://$BUCKET_NAME**

# Create "credentials-velero" file
gcloud iam service-accounts keys create $VELERO_FOLDER/credentials-velero --iam-account $SERVICE_ACCOUNT_EMAIL

tioxy commented Dec 19, 2019

Thank you @iborba

Pushed your "Change IAM permissions" change, but it seems kind of weird that beta was required to create the following role.

$ gcloud iam roles create velero.server \
>      --project $PROJECT_ID \
>      --title "Velero Server" \
>      --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"
Created role [velero.server].
...
stage: ALPHA
title: Velero Server

$ gcloud version
Google Cloud SDK 274.0.0
alpha 2019.12.17
beta 2019.12.17
bq 2.0.51
core 2019.12.17
gsutil 4.46
kubectl 2019.12.17
