| 1 | +# Multi Cloud Test Suite Updates for Backup / Restore cases |
| 2 | + |
| 3 | +### Overview |
| 4 | +Running backup/restore test cases with cloud-provider specific snapshots enabled. |
| 5 | + |
| 6 | +The Test Suite now takes different env variables related to the cloud as flags and create the VSLs based on that cloud provider. Validating the backup / restore test cases on the same. |
| 7 | + |
| 8 | +### How multiple profiles are enabled to support Backup / Restore. |
| 9 | +In ideal cases, both the credentials / profile for BSL and VSL would be the same and usually we dont mention the separate credentials for them, but this is different in OpenShift CI environments. In a OpenShift / Prow CI environment, the cluster is provisioned in either AWS / GCP / Azure Cloud. Although we have access to the OpenShfit CI Cluster, we do not have access to the cloud, hence supporting volume backup using our credentials which is mounted in OpenShift CI Cluster is not a valid option. Hence we are using different methods to support these. |
| 10 | + |
| 11 | +#### AWS Multi Profile Support |
| 12 | + |
| 13 | +The CI Cloud credential is present at this location in OpenShift CI Cluster: |
| 14 | +`/var/run/secrets/ci.openshift.io/cluster-profile/.awscred` |
| 15 | + |
| 16 | +Our Cloud credential used for BSL is present at this location: |
| 17 | +`/var/run/oadp-credentials/new-aws-credentials` |
| 18 | + |
| 19 | +Here since they are two profiles, we are using the concept of credentialsFile in BSL config [ref] (https://github.com/vmware-tanzu/velero/issues/3428) |
| 20 | + |
| 21 | +We are also mounting credentials [here](https://github.com/openshift/oadp-operator/blob/master/pkg/credentials/credentials.go#L37) |
| 22 | + |
| 23 | +#### GCP |
| 24 | + |
| 25 | +The CI Cloud credential is present at this location in OpenShift CI Cluster: |
| 26 | +`/var/run/secrets/ci.openshift.io/cluster-profile/gce.json` |
| 27 | + |
| 28 | +Our Cloud credential used for BSL is present at this location: |
| 29 | +`/var/run/oadp-credentials/gcp-credentials` |
| 30 | + |
| 31 | +Here since they are two different credentials and not profiles, we are using the concept of credentialsFile in BSL config [ref](https://github.com/vmware-tanzu/velero/issues/3430) |
| 32 | + |
| 33 | +We are also mounting credentials [here](https://github.com/openshift/oadp-operator/blob/master/pkg/credentials/credentials.go#L47) |
| 34 | + |
| 35 | +#### [Azure](https://github.com/vmware-tanzu/velero/issues/3429) |
| 36 | + |
| 37 | +The CI Cloud credential is present at this location in OpenShift CI Cluster: |
| 38 | +`/var/run/secrets/ci.openshift.io/cluster-profile/osServicePrincipal.json` |
| 39 | + |
| 40 | +Our Cloud credential used for BSL is present at this location: |
| 41 | +`/var/run/oadp-credentials/azure-credentials` |
| 42 | + |
| 43 | +The required variables for e2e tests are |
| 44 | + |
| 45 | +For object storage with backup of registy support, We need the below credentials |
| 46 | +``` |
| 47 | +{ |
| 48 | + "subscriptionId": "xxxxx", |
| 49 | + "clientId": "xxxxx", |
| 50 | + "clientSecret": “xxxxxx”, |
| 51 | + "tenantId": "xxxx", |
| 52 | + "resourceGroup": "Deepak_Velero_Backups", |
| 53 | + "storageAccountAccessKey": "xxxxxx", |
| 54 | + "storageAccount": "velerodpk68c64591c324" |
| 55 | +} |
| 56 | +``` |
| 57 | + |
| 58 | +The below is given to the volume backup credentials in CI Environment |
| 59 | + |
| 60 | +``` |
| 61 | +{ |
| 62 | + "subscriptionId": "xxxx", |
| 63 | + "clientId": "xxxx", |
| 64 | + "clientSecret": “xxxxxx”, |
| 65 | + "tenantId": "xxxx" |
| 66 | +} |
| 67 | +``` |
| 68 | + |
| 69 | +The resource group is different in OpenShift CI environment. After some research, it was found that the resource group is same as the "<cluster_name>-rg" where the cluster group can be derived from |
| 70 | + |
| 71 | +``` |
| 72 | +sh-4.4$ cat metadata.json |
| 73 | +{"clusterName":"ci-op-w718n0np-32d40","clusterID":"6de2d426-68af-43d3-9d1a-d72666edc550","infraID":"ci-op-w718n0np-32d40-4fdtv","azure":{"cloudName":"AzurePublicCloud","region":"eastus","resourceGroupName":""}} |
| 74 | +``` |
| 75 | + |
| 76 | +In the end, for VSL all we needed was the subscriptionId and resourceGroup from the OpenShift CI environment and by default the VSL uses 'cloud-credential-\<platform>' secret for VSL. |
| 77 | + |
| 78 | +### Pre-requisites for setting up envs in various cloud from local env. |
| 79 | + |
| 80 | +``` |
| 81 | +drajds@drajds-mac oadp-operator % cat ~/.oadp-aws |
| 82 | +export CLUSTER_TYPE=aws |
| 83 | +export OADP_TEST_NAMESPACE=openshift-adp |
| 84 | +export BSL_REGION=us-east-1 |
| 85 | +export VSL_REGION=us-west-2 |
| 86 | +export CREDS_SECRET_REF=cloud-credentials |
| 87 | +export OADP_CRED_FILE=/Users/drajds/.aws/credentials |
| 88 | +export OADP_BUCKET_FILE=/Users/drajds/.aws/bucket |
| 89 | +export VELERO_INSTANCE_NAME=example-velero |
| 90 | +export BSL_AWS_PROFILE=migration-engineering |
| 91 | +export CLUSTER_PROFILE_DIR=/Users/drajds/.aws |
| 92 | +export OADP_CRED_DIR=/Users/drajds/.aws |
| 93 | +export CI_CRED_FILE=/Users/drajds/.aws/ci-credentials |
| 94 | +``` |
| 95 | + |
| 96 | +* VSL_REGION - the region the cluster is spawned on |
| 97 | +* CREDS_SECRET_REF - reference for VSL (& BSL if not using different profile) |
| 98 | +* OADP_CRED_FILE - credentials file for BSL |
| 99 | +* OADP_BUCKET_FILE - bucket file for BSL - has only the bucket name - no json |
| 100 | +* CLUSTER_PROFILE_DIR - directory containing credentials for VSL |
| 101 | +* OADP_CRED_DIR - directory containing credentials and bucket file for BSL |
| 102 | + |
| 103 | +For GCE & Azure, put your credentials file with name `${OADP_CRED_DIR}/<provider>-credentials` and bucket with name `${OADP_CRED_DIR}/azure-velero-bucket-name` |
| 104 | + |
| 105 | +#### GCP |
| 106 | + |
| 107 | +``` |
| 108 | +drajds@drajds-mac oadp-operator % cat ~/.oadp-gcp |
| 109 | +export CLUSTER_TYPE=gcp |
| 110 | +export OADP_TEST_NAMESPACE=openshift-adp |
| 111 | +export VSL_REGION=us-central1 |
| 112 | +export CREDS_SECRET_REF=cloud-credentials-gcp |
| 113 | +export OADP_CRED_FILE=aos-serviceaccount.json |
| 114 | +export OADP_BUCKET_FILE=/Users/drajds/.gcp/bucket |
| 115 | +export VELERO_INSTANCE_NAME=gcp-example-velero |
| 116 | +export CLUSTER_PROFILE_DIR=/Users/drajds/.gcp |
| 117 | +export OADP_CRED_DIR=/Users/drajds/.gcp |
| 118 | +export CI_CRED_FILE=gcp_sa.json |
| 119 | +``` |
| 120 | + |
| 121 | +#### Azure |
| 122 | + |
| 123 | +``` |
| 124 | +drajds@drajds-mac oadp-operator % cat ~/.oadp-azure |
| 125 | +export CLUSTER_TYPE=azure4 |
| 126 | +export OADP_TEST_NAMESPACE=openshift-adp |
| 127 | +export CREDS_SECRET_REF=cloud-credentials-azure |
| 128 | +export VELERO_INSTANCE_NAME=azure-example-velero |
| 129 | +export CLUSTER_PROFILE_DIR=/Users/drajds/.azure |
| 130 | +export AZURE_RESOURCE_FILE=/Users/drajds/.azure/resource.yaml |
| 131 | +export OADP_BUCKET_FILE=/Users/drajds/.azure/bucket |
| 132 | +export OADP_CRED_DIR=/Users/drajds/.azure |
| 133 | +``` |
| 134 | + |
| 135 | +* `OADP_CRED_DIR` - is a directory that contains |
| 136 | + * bsl-\<cloud>-credentials |
| 137 | + * new-velero-bucket-name |
| 138 | +* `CLUSTER_PROFILE_DIR` - is a directory that contains |
| 139 | + * vsl/ci-\<cloud>-credentials |
| 140 | +* `OADP_BUCKET_FILE` - this file contains name of the bucket in plain text. |
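Review bot: The two Azure credential samples in this file are not valid JSON as written: `"clientSecret": “xxxxxx”,` in both the object-storage block and the volume-backup block uses curly typographic quotes instead of straight `"` quotes, so anyone who copies the snippet into a credentials file will get a parse error from whatever reads it; please replace them with straight quotes. Two smaller points on the same file: the AWS reference link `[ref] (https://github.com/vmware-tanzu/velero/issues/3428)` has a space between the bracket and the parenthesis, so it will not render as a markdown link (the GCP one on the same pattern is correct), and the Azure sample fills `resourceGroup` and `storageAccount` with what look like real environment values (`"Deepak_Velero_Backups"`, `"velerodpk68c64591c324"`) and the `metadata.json` excerpt carries a real `clusterID` and `infraID`, while every other field is masked as `xxxxx`; since this document describes how credentials and identifiers are wired into CI, it would be consistent to mask those too or mark them as example values. Minor typos to fix while touching it: "registy", "dont", "OpenShfit", and the heading "How multiple profiles are enabled to support Backup / Restore." ends in a period unlike the other headings.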