Installing K10 with Google Workload Identity Federation

Google Workload Identity Federation uses service account impersonation for authentication and authorization, thereby avoiding the use of Google Service Account keys with extended lifespans. It is compatible with various identity providers such as AWS, Azure, or Kubernetes. An example of implementing Google Workload Identity Federation on an OpenShift cluster on GKE with Kubernetes as the identity provider can be found here.

K10 supports the use of Google Workload Identity Federation with Kubernetes as the Identity Provider both during the export of applications and in K10 DR Backup and Restore processes.

Installing K10

When Kubernetes is used as the Identity Provider, workloads authenticate to Google Cloud with Kubernetes service account tokens. These tokens are made available to workloads through service account token volume projection, which requires a few additional Helm values to be set.

To install K10 with Google Workload Identity Federation, add the following values to the K10 Helm install command:

$ helm install k10 kasten/k10 --namespace=kasten-io \
    --set google.workloadIdentityFederation.enabled=true \
    --set google.workloadIdentityFederation.idp.type=kubernetes \
    --set google.workloadIdentityFederation.idp.aud=<audience>

where <audience> is the audience configured for the Workload Identity Pool.

Creating a Location Profile with Google Workload Identity Federation

Instructions on how to create a Location Profile with Google Workload Identity Federation can be found here.

Restoring K10 with Google Workload Identity Federation

K10 supports the use of Google Workload Identity Federation with Kubernetes as the Identity Provider during the K10 DR Backup and Restore process. For more information on K10 DR Backup and Restore, please see here.

Please note that K10 can be restored with Google Workload Identity Federation regardless of the authentication mechanism used by the Google Location Profile that was selected when K10 disaster recovery was enabled on the source cluster.

The restore process requires a Location Profile with Google Workload Identity Federation on the target cluster. Refer back to the installation section above for instructions on how to install K10 on the target cluster with Google Workload Identity Federation, and to the Google Cloud Storage Location Profile configuration section for instructions on how to create a Location Profile.

Following that, K10 can be restored using Google Workload Identity Federation credentials by executing the command below:

# Install the helm chart that creates the K10 restore job and wait for completion of the `k10-restore` job.
# Assumes that K10 is installed in the 'kasten-io' namespace.
$ helm install k10-restore kasten/k10restore --namespace=kasten-io \
    --set google.workloadIdentityFederation.enabled=true \
    --set google.workloadIdentityFederation.idp.type=kubernetes \
    --set google.workloadIdentityFederation.idp.aud=<audience> \
    --set sourceClusterID=<source-clusterID> \
    --set profile.name=<location-profile-name>

<audience> is the audience configured for the Workload Identity Pool of the target cluster.

<location-profile-name> is the profile on the target cluster that contains the credential configuration file.
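The install flags above and the credential configuration file referenced by the Location Profile must agree on the same Workload Identity Pool audience, and the projected token must actually carry that audience. The following preflight check is an added example, not part of the K10 documentation or the K10 chart: it takes the `idp.aud` value, a credential configuration file and a projected service account token, and reports anything that does not line up. The sample audience, project number, pool, provider and token are constructed, and the check assumes the projected-token audience and the credential configuration audience name the same provider and differ only in URL scheme.

```python
import base64
import json

def _b64url_decode(segment: str) -> bytes:
    # JWT segments drop base64 padding; restore it before decoding.
    return base64.urlsafe_b64decode(segment + "=" * (-len(segment) % 4))

def jwt_claims(token: str) -> dict:
    # Parses the payload only. Signature verification happens at Google STS
    # when the token is exchanged; this preflight only inspects the claims.
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("not a JWT")
    return json.loads(_b64url_decode(parts[1]))

def _provider_path(audience: str) -> str:
    # Assumption: the token audience ("https://iam.googleapis.com/...") and the
    # credential config audience ("//iam.googleapis.com/...") name one provider.
    for prefix in ("https://", "//"):
        if audience.startswith(prefix):
            return audience[len(prefix):]
    return audience

def wif_preflight(cred_config: dict, helm_aud: str, token: str, now: float) -> list:
    """Return a list of findings; an empty list means the inputs are consistent."""
    findings = []
    if cred_config.get("type") != "external_account":
        findings.append(f"config type {cred_config.get('type')!r}: expected 'external_account', "
                        "not a service account key")
    if "file" not in cred_config.get("credential_source", {}):
        findings.append("credential_source.file missing: config does not read a projected token")
    if _provider_path(cred_config.get("audience", "")) != _provider_path(helm_aud):
        findings.append(f"config audience {cred_config.get('audience')!r} names a different "
                        f"provider than idp.aud {helm_aud!r}")
    claims = jwt_claims(token)
    aud = claims.get("aud", [])
    aud = [aud] if isinstance(aud, str) else list(aud)  # Kubernetes emits a list
    if helm_aud not in aud:
        findings.append(f"token aud {aud!r} does not contain idp.aud {helm_aud!r}")
    if claims.get("exp", 0) <= now:
        findings.append("token is expired")
    return findings

def make_unsigned_jwt(claims: dict) -> str:
    # Constructed sample only: an unsigned token so the check runs offline.
    enc = lambda o: base64.urlsafe_b64encode(json.dumps(o).encode()).rstrip(b"=").decode()
    return f"{enc({'alg': 'none', 'typ': 'JWT'})}.{enc(claims)}."

# Constructed sample values; the project number, pool and provider are placeholders.
PROVIDER = "iam.googleapis.com/projects/123456789/locations/global/workloadIdentityPools/k10-pool/providers/k10-provider"
AUD = "https://" + PROVIDER
CRED_CONFIG = {"type": "external_account", "audience": "//" + PROVIDER,
               "subject_token_type": "urn:ietf:params:oauth:token-type:jwt",
               "token_url": "https://sts.googleapis.com/v1/token",
               "credential_source": {"file": "/var/run/secrets/tokens/k10-token", "format": {"type": "text"}}}
TOKEN = make_unsigned_jwt({"iss": "https://kubernetes.default.svc", "aud": [AUD],
                           "sub": "system:serviceaccount:kasten-io:k10-sa", "exp": 2_000_000_000})
```

On a live cluster the same function can be fed the token read from the projected volume path in `credential_source.file` and the audience passed to `idp.aud`.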