Run Ark on GCP
You can run Kubernetes on Google Cloud Platform in either:
- Kubernetes on Google Compute Engine virtual machines
- Google Kubernetes Engine
If you do not have the `gcloud` and `gsutil` CLIs locally installed, follow the user guide to set them up.
Create GCS bucket
Heptio Ark requires an object storage bucket in which to store backups, preferably unique to a single Kubernetes cluster (see the FAQ for more details). Create a GCS bucket, replacing the <YOUR_BUCKET> placeholder with the name of your bucket:
```bash
BUCKET=<YOUR_BUCKET>

gsutil mb gs://$BUCKET/
```
Create service account
To integrate Heptio Ark with GCP, create an Ark-specific Service Account:

1. View your current config settings:

   ```bash
   gcloud config list
   ```

   Store the `project` value from the results in the environment variable `$PROJECT_ID`:

   ```bash
   PROJECT_ID=$(gcloud config get-value project)
   ```

2. Create a service account:

   ```bash
   gcloud iam service-accounts create heptio-ark \
       --display-name "Heptio Ark service account"
   ```

   If you'll be using Ark to back up multiple clusters with multiple GCS buckets, it may be desirable to create a unique username per cluster rather than the default `heptio-ark`.

   Then list all accounts and find the `heptio-ark` account you just created:

   ```bash
   gcloud iam service-accounts list
   ```

   Set the `$SERVICE_ACCOUNT_EMAIL` variable to match its `email` value:

   ```bash
   SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \
     --filter="displayName:Heptio Ark service account" \
     --format 'value(email)')
   ```

3. Attach policies to give `heptio-ark` the necessary permissions to function:

   ```bash
   ROLE_PERMISSIONS=(
       compute.disks.get
       compute.disks.create
       compute.disks.createSnapshot
       compute.snapshots.get
       compute.snapshots.create
       compute.snapshots.useReadOnly
       compute.snapshots.delete
   )

   gcloud iam roles create heptio_ark.server \
       --project $PROJECT_ID \
       --title "Heptio Ark Server" \
       --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"

   gcloud projects add-iam-policy-binding $PROJECT_ID \
       --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \
       --role projects/$PROJECT_ID/roles/heptio_ark.server

   gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://${BUCKET}
   ```

4. Create a service account key, specifying an output file (`credentials-ark`) in your local directory:

   ```bash
   gcloud iam service-accounts keys create credentials-ark \
       --iam-account $SERVICE_ACCOUNT_EMAIL
   ```
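The custom role and the two IAM bindings above are what keep the Ark service account at least privilege. The following script is an added example (not part of the Ark project) that audits the resulting state for drift: it consumes the JSON printed by `gcloud iam roles describe heptio_ark.server --project $PROJECT_ID --format json`, `gcloud projects get-iam-policy $PROJECT_ID --format json` and `gsutil iam get gs://$BUCKET`, and reports extra or missing permissions on the custom role, extra project roles bound to the service account, and bucket roles beyond objectAdmin. The project id `my-project`, the service account email and the three JSON documents embedded at the bottom are constructed samples so the script runs offline.

```python
"""Least-privilege audit for the Ark GCP service account (added example)."""
import json
from typing import List, Set

# The ROLE_PERMISSIONS array from the setup step: everything the custom
# role heptio_ark.server is meant to grant, and nothing more.
EXPECTED_PERMISSIONS = frozenset({
    "compute.disks.get",
    "compute.disks.create",
    "compute.disks.createSnapshot",
    "compute.snapshots.get",
    "compute.snapshots.create",
    "compute.snapshots.useReadOnly",
    "compute.snapshots.delete",
})
# `gsutil iam ch ...:objectAdmin` binds roles/storage.objectAdmin on the bucket.
EXPECTED_BUCKET_ROLES = frozenset({"roles/storage.objectAdmin"})


def check_role(role_json: str) -> List[str]:
    """Compare the custom role's includedPermissions with the intended set."""
    role = json.loads(role_json)
    actual = set(role.get("includedPermissions", []))
    name = role.get("name", "<role>")
    findings = [f"role {name} grants unexpected permission {p}"
                for p in sorted(actual - EXPECTED_PERMISSIONS)]
    findings += [f"role {name} is missing permission {p}"
                 for p in sorted(EXPECTED_PERMISSIONS - actual)]
    return findings


def roles_bound_to(policy_json: str, member: str) -> Set[str]:
    """All roles in an IAM policy whose bindings list `member`."""
    policy = json.loads(policy_json)
    return {b["role"] for b in policy.get("bindings", [])
            if member in b.get("members", [])}


def check_project_bindings(policy_json: str, sa_email: str, project_id: str) -> List[str]:
    """The SA should hold exactly one project-level role: the custom one."""
    member = f"serviceAccount:{sa_email}"
    expected = f"projects/{project_id}/roles/heptio_ark.server"
    bound = roles_bound_to(policy_json, member)
    findings = [f"{member} holds extra project role {r}" for r in sorted(bound - {expected})]
    if expected not in bound:
        findings.append(f"{member} is not bound to {expected}")
    return findings


def check_bucket_bindings(bucket_iam_json: str, sa_email: str) -> List[str]:
    """The SA should have objectAdmin on the backup bucket and nothing broader."""
    member = f"serviceAccount:{sa_email}"
    bound = roles_bound_to(bucket_iam_json, member)
    findings = [f"{member} holds extra bucket role {r}" for r in sorted(bound - EXPECTED_BUCKET_ROLES)]
    findings += [f"{member} is missing bucket role {r}" for r in sorted(EXPECTED_BUCKET_ROLES - bound)]
    return findings


def audit(role_json: str, policy_json: str, bucket_iam_json: str,
          sa_email: str, project_id: str) -> List[str]:
    """Run all three checks; an empty list means no drift was found."""
    return (check_role(role_json)
            + check_project_bindings(policy_json, sa_email, project_id)
            + check_bucket_bindings(bucket_iam_json, sa_email))


# --- constructed sample output, shaped like the real gcloud/gsutil JSON ---
SA_EMAIL = "heptio-ark@my-project.iam.gserviceaccount.com"
PROJECT_ID = "my-project"

SAMPLE_ROLE = json.dumps({
    "name": "projects/my-project/roles/heptio_ark.server",
    "title": "Heptio Ark Server",
    "stage": "ALPHA",
    # compute.disks.delete is not in ROLE_PERMISSIONS: drift to be flagged
    "includedPermissions": sorted(EXPECTED_PERMISSIONS | {"compute.disks.delete"}),
})
SAMPLE_PROJECT_POLICY = json.dumps({
    "version": 1,
    "bindings": [
        {"role": "projects/my-project/roles/heptio_ark.server",
         "members": [f"serviceAccount:{SA_EMAIL}"]},
        # the SA was also granted roles/editor, far broader than Ark needs
        {"role": "roles/editor",
         "members": ["user:alice@example.com", f"serviceAccount:{SA_EMAIL}"]},
    ],
})
SAMPLE_BUCKET_IAM = json.dumps({
    "bindings": [
        {"role": "roles/storage.objectAdmin", "members": [f"serviceAccount:{SA_EMAIL}"]},
        {"role": "roles/storage.legacyBucketOwner", "members": ["projectOwner:my-project"]},
    ],
})


def run_sample() -> List[str]:
    return audit(SAMPLE_ROLE, SAMPLE_PROJECT_POLICY, SAMPLE_BUCKET_IAM, SA_EMAIL, PROJECT_ID)


if __name__ == "__main__":
    for line in run_sample() or ["no drift found"]:
        print(line)
```

Against the samples the audit reports two findings: the extra `compute.disks.delete` permission on the custom role and the extra `roles/editor` binding on the service account; the bucket binding is as intended. In practice, run it against the live output of the three commands in the lead-in whenever the project's IAM policy changes.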
Credentials and configuration
If you run Google Kubernetes Engine (GKE), make sure that your current IAM user is a cluster-admin. This role is required to create RBAC objects. See the GKE documentation for more information.
In the Ark directory (i.e. where you extracted the release tarball), run the following to first set up namespaces, RBAC, and other scaffolding. To run in a custom namespace, make sure that you have edited the YAML files to specify the namespace. See Run in custom namespace.
```bash
kubectl apply -f config/common/00-prereqs.yaml
```
Create a Secret. In the directory of the credentials file you just created, run:
```bash
kubectl create secret generic cloud-credentials \
    --namespace heptio-ark \
    --from-file cloud=credentials-ark
```

Note: If you use a custom namespace, replace `heptio-ark` with the name of the custom namespace.
Specify the following values in the example files:

- In file `config/gcp/05-ark-backupstoragelocation.yaml`:
  - Replace `<YOUR_BUCKET>`. See the BackupStorageLocation definition for details.
- (Optional) If you run the nginx example, in file `config/nginx-app/with-pv.yaml`:
  - Replace `<YOUR_STORAGE_CLASS_NAME>` with `standard`. This is GCP's default `StorageClass` name.
- (Optional, use only if you need to specify multiple volume snapshot locations) In `config/gcp/10-deployment.yaml`:
  - Uncomment the `--default-volume-snapshot-locations` flag and replace the provider locations with the values for your environment.
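Two things commonly go wrong at this point: the Secret gets created from a key file that is not the one intended (or that was left world-readable on the workstation), and a YAML file is applied with a `<YOUR_...>` placeholder still in it. The script below is an added example, not part of the Ark project, that performs both pre-flight checks before `kubectl create secret` and `kubectl apply`: it verifies that `credentials-ark` is a service-account key JSON for the expected account with mode 600, and scans the YAML files for unreplaced placeholders. The key contents (with a dummy private key) and the two YAML files are constructed approximations written to a temp directory so the demo runs offline; they are not copied from the release tarball.

```python
"""Pre-flight checks for the credentials Secret and example YAML files (added example)."""
import json
import os
import re
import stat
import tempfile
from typing import List

# Placeholders in the example files look like <YOUR_BUCKET>.
PLACEHOLDER = re.compile(r"<[A-Z][A-Z0-9_]*>")


def check_key_file(path: str, expected_email: str) -> List[str]:
    """Validate the service-account key file before it becomes a Secret."""
    findings = []
    mode = stat.S_IMODE(os.stat(path).st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        findings.append(f"{path}: mode {mode:04o} is accessible to group/other; use chmod 600")
    with open(path) as fh:
        try:
            key = json.load(fh)
        except json.JSONDecodeError:
            return findings + [f"{path}: not valid JSON"]
    if key.get("type") != "service_account":
        findings.append(f"{path}: type is {key.get('type')!r}, expected 'service_account'")
    if key.get("client_email") != expected_email:
        findings.append(f"{path}: client_email {key.get('client_email')!r} != {expected_email!r}")
    if not key.get("private_key"):
        findings.append(f"{path}: private_key is missing or empty")
    return findings


def find_placeholders(path: str) -> List[str]:
    """Return the distinct unreplaced placeholders in one file."""
    with open(path) as fh:
        return sorted(set(PLACEHOLDER.findall(fh.read())))


def preflight(key_path: str, expected_email: str, yaml_paths: List[str]) -> List[str]:
    """Run both checks; an empty list means it is safe to proceed."""
    findings = check_key_file(key_path, expected_email)
    for path in yaml_paths:
        findings += [f"{path}: placeholder {ph} not replaced" for ph in find_placeholders(path)]
    return findings


# Constructed approximations of the files involved (not from the release tarball).
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "my-project",
    "private_key_id": "0123456789abcdef",
    "private_key": "-----BEGIN PRIVATE KEY-----\nDUMMY\n-----END PRIVATE KEY-----\n",
    "client_email": "heptio-ark@my-project.iam.gserviceaccount.com",
}
SAMPLE_BSL = """apiVersion: ark.heptio.com/v1
kind: BackupStorageLocation
metadata:
  name: default
  namespace: heptio-ark
spec:
  provider: gcp
  objectStorage:
    bucket: <YOUR_BUCKET>
"""
SAMPLE_PV = """apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: nginx-logs
spec:
  storageClassName: <YOUR_STORAGE_CLASS_NAME>
"""


def run_sample() -> List[str]:
    """Write the samples to a temp dir and run the checks; returns the findings."""
    workdir = tempfile.mkdtemp()
    key_path = os.path.join(workdir, "credentials-ark")
    with open(key_path, "w") as fh:
        json.dump(SAMPLE_KEY, fh)
    os.chmod(key_path, 0o600)  # the mode the key file should have
    yaml_paths = []
    for name, text in (("05-ark-backupstoragelocation.yaml", SAMPLE_BSL),
                       ("with-pv.yaml", SAMPLE_PV)):
        path = os.path.join(workdir, name)
        with open(path, "w") as fh:
            fh.write(text)
        yaml_paths.append(path)
    return preflight(key_path, SAMPLE_KEY["client_email"], yaml_paths)


if __name__ == "__main__":
    for line in run_sample() or ["pre-flight clean"]:
        print(line)
```

On the samples the key file passes and the two YAML files each report one unreplaced placeholder, which is exactly the state of a freshly extracted tarball. Point `preflight` at the real `credentials-ark` and `config/gcp/*.yaml` paths and treat any finding as a reason not to apply yet.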
Start the server
In the root of your Ark directory, run:
```bash
kubectl apply -f config/gcp/05-ark-backupstoragelocation.yaml
kubectl apply -f config/gcp/06-ark-volumesnapshotlocation.yaml
kubectl apply -f config/gcp/10-deployment.yaml
```