Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Add Volume Project setting to support the scenario described in issue #92
Signed-off-by: Xun Jiang <[email protected]>
Xun Jiang committed Sep 20, 2023
1 parent b24ffe1, commit 5b8e5e8
Showing 5 changed files with 137 additions and 11 deletions.
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -1,3 +1,4 @@ | ||
# Examples | ||
|
||
- [Restore snapshots from GCP across projects](./gcp-projects.md) | ||
- [Backup at project B, and restore at project A](./backup_at_b_restore_at_a.md) | ||
- [Velero at project A, backup and restore at other projects](./velero_at_a_br_at_other.md) |
Original file line number | Diff line number | Diff line change |
---|---|---|
@@ -0,0 +1,51 @@ | ||
# Velero at project A, backup and restore at other projects | ||
|
||
This scenario is introduced in [issue 4806](https://github.com/vmware-tanzu/velero/issues/4806). | ||
|
||
Assume the following... | ||
|
||
- Project A [project-a]: The project where the Velero's service account is located, and the Velero service account is granted to have enough permission to do backup and restore in the other projects. | ||
- Project B [project-b]: The GCP project we want to restore TO. | ||
- Project C [project-c]: The GCP project we want to restore FROM. | ||
|
||
## Set up Velero with permission in projects | ||
* In **project-a** | ||
* Create "Velero Server" IAM role **role-a** with required role permissions. | ||
* Create ServiceAccount **sa-a**. | ||
* Assign **sa-a** with **role-a**. | ||
* Assign **sa-a** with **role-b**(need to run after role-b created in project-b). | ||
* Assign **sa-a** with **role-c**(need to run after role-c created in project-c). | ||
* Create a bucket **bucket-a**. | ||
* Assign [sa-a] "Storage Object Admin" permissions to [bucket-a] | ||
* Assign [sa-b] "Storage Object Admin" permissions to [bucket-a](need to run after sa-b created in project-b) | ||
* Assign [sa-c] "Storage Object Admin" permissions to [bucket-a](need to run after sa-c created in project-c) | ||
|
||
|
||
* In **project-b** | ||
* Add the ServiceAccount **sa-a** into project **project-b** according to [Granting service accounts access to your projects](https://cloud.google.com/marketplace/docs/grant-service-account-access). | ||
* Create ServiceAccount **sa-b**. | ||
* Create "Velero Server" IAM role **role-b** with required role permissions. | ||
* Assign **sa-b** with **role-b**. | ||
|
||
* In **project-c** | ||
* Add the ServiceAccount **sa-a** into project **project-c** according to [Granting service accounts access to your projects](https://cloud.google.com/marketplace/docs/grant-service-account-access). | ||
* Create ServiceAccount **sa-c**. | ||
* Create "Velero Server" IAM role **role-c** with required role permissions. | ||
* Assign **sa-c** with **role-c**. | ||
|
||
## Backup at project C | ||
* In **project-c** | ||
* Install Velero on the k8s cluster in this project with configurations: | ||
* SecretFile: **sa-a** | ||
* SnapshotLocation: project=**project-a** and volumeProject=**project-c** | ||
* Bucket: **bucket-a** | ||
* Create Velero backup **backup-c** with the PVC snapshots desired. | ||
|
||
## Restore at project B | ||
* In **project-b** | ||
* NOTE: Make sure to disable any scheduled backups. | ||
* Install Velero on the k8s cluster in this project with configurations | ||
* SecretFile: **sa-a** | ||
* SnapshotLocation: project=**project-a** and volumeProject=**project-b** | ||
* Bucket: **bucket-a** | ||
* Create Velero restore **restore-b** from backup **backup-c** |
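Review bot: In the project-a setup list, sa-b and sa-c are each granted "Storage Object Admin" on bucket-a, yet both the "Backup at project C" and "Restore at project B" installs use SecretFile: sa-a, so nothing in this walkthrough authenticates as sa-b or sa-c. Either drop those two service accounts and their bucket grants, or state which component uses them; as written the document asks readers to grant object-admin access on the backup bucket to identities the scenario never uses. Also, "Assign sa-a with role-b" and "Assign sa-a with role-c" sit under project-a although the roles are created in project-b and project-c; moving each step into the list of the project that owns the role would remove the "need to run after" ordering notes. Finally, the intro links velero issue 4806 while the commit message cites issue #92; the document should say which one it tracks.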
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -18,6 +18,7 @@ package main | |
|
||
import ( | ||
"encoding/json" | ||
"os" | ||
"strings" | ||
"testing" | ||
|
||
|
@@ -354,3 +355,69 @@ func TestRegionHelpers(t *testing.T) { | |
}) | ||
} | ||
} | ||
|
||
func TestInit(t *testing.T) { | ||
credential_file_name := "./credential_file" | ||
default_credential_file_name := "./default_credential" | ||
os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", default_credential_file_name) | ||
credential_content := `{"type": "service_account","project_id": "project-a","private_key_id":"id","private_key":"key","client_email":"[email protected]","client_id":"id","auth_uri":"uri","token_uri":"uri","auth_provider_x509_cert_url":"url","client_x509_cert_url":"url"}` | ||
f, err := os.Create(credential_file_name) | ||
require.NoError(t, err) | ||
_, err = f.Write([]byte(credential_content)) | ||
require.NoError(t, err) | ||
|
||
f, err = os.Create(default_credential_file_name) | ||
require.NoError(t, err) | ||
_, err = f.Write([]byte(credential_content)) | ||
require.NoError(t, err) | ||
|
||
tests := []struct { | ||
name string | ||
config map[string]string | ||
expectedVolumeSnapshotter VolumeSnapshotter | ||
}{ | ||
{ | ||
name: "Init with Credential files.", | ||
config: map[string]string{ | ||
"project": "project-a", | ||
"credentialsFile": credential_file_name, | ||
"snapshotLocation": "default", | ||
"volumeProject": "project-b", | ||
}, | ||
expectedVolumeSnapshotter: VolumeSnapshotter{ | ||
snapshotLocation: "default", | ||
volumeProject: "project-b", | ||
snapshotProject: "project-a", | ||
}, | ||
}, | ||
{ | ||
name: "Init without Credential files.", | ||
config: map[string]string{ | ||
"project": "project-a", | ||
"snapshotLocation": "default", | ||
"volumeProject": "project-b", | ||
}, | ||
expectedVolumeSnapshotter: VolumeSnapshotter{ | ||
snapshotLocation: "default", | ||
volumeProject: "project-b", | ||
snapshotProject: "project-a", | ||
}, | ||
}, | ||
} | ||
|
||
for _, test := range tests { | ||
t.Run(test.name, func(t *testing.T) { | ||
volumeSnapshotter := newVolumeSnapshotter(logrus.StandardLogger()) | ||
err := volumeSnapshotter.Init(test.config) | ||
require.NoError(t, err) | ||
require.Equal(t, test.expectedVolumeSnapshotter.snapshotLocation, volumeSnapshotter.snapshotLocation) | ||
require.Equal(t, test.expectedVolumeSnapshotter.volumeProject, volumeSnapshotter.volumeProject) | ||
require.Equal(t, test.expectedVolumeSnapshotter.snapshotProject, volumeSnapshotter.snapshotProject) | ||
}) | ||
} | ||
|
||
err = os.Remove(credential_file_name) | ||
require.NoError(t, err) | ||
err = os.Remove(default_credential_file_name) | ||
require.NoError(t, err) | ||
} |
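Review bot: TestInit leaks state when it fails: os.Setenv("GOOGLE_APPLICATION_CREDENTIALS", ...) is never restored, the handles returned by os.Create are never closed (f is simply reassigned), and the os.Remove calls at the bottom are skipped as soon as any earlier require.NoError aborts the test, leaving ./credential_file and ./default_credential in the package directory. Suggest t.Setenv for the variable and files created under t.TempDir() and closed after writing, which makes the trailing os.Remove block unnecessary. Separately, the credential JSON sets project_id to "project-a" and both cases set "project": "project-a", so the snapshotProject assertion passes whether the value came from the config or from the credentials; a different project_id in the file would pin down which source wins. The snake_case locals (credential_file_name, default_credential_file_name, credential_content) should be camelCase to match volumeSnapshotter and the other identifiers in this test.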