Resolution: Done
Prerequisites
- Cluster installed in manual mode [with GCP Workload Identity configured](https://access.redhat.com/documentation/en-us/openshift_container_platform/4.12/html-single/authentication_and_authorization/index#gcp-workload-identity-mode-installing).
  - This means you should now have access to the `ccoctl` CLI from this step and to the associated workload-identity-pool.
- Create Credential Request for OADP Operator
- Create oadp-credrequest dir
```bash
mkdir -p oadp-credrequest
```

- Create credrequest.yaml
```bash
echo 'apiVersion: cloudcredential.openshift.io/v1
kind: CredentialsRequest
metadata:
  name: oadp-operator-credentials
  namespace: openshift-cloud-credential-operator
spec:
  providerSpec:
    apiVersion: cloudcredential.openshift.io/v1
    kind: GCPProviderSpec
    permissions:
    - compute.disks.get
    - compute.disks.create
    - compute.disks.createSnapshot
    - compute.snapshots.get
    - compute.snapshots.create
    - compute.snapshots.useReadOnly
    - compute.snapshots.delete
    - compute.zones.get
    - storage.objects.create
    - storage.objects.delete
    - storage.objects.get
    - storage.objects.list
    - iam.serviceAccounts.signBlob
    skipServiceCheck: true
  secretRef:
    name: cloud-credentials-gcp
    namespace: <OPERATOR_INSTALL_NS>
  serviceAccountNames:
  - velero
' > oadp-credrequest/credrequest.yaml
```

- Use ccoctl to create the credrequest, pointing to the `oadp-credrequest` dir
```bash
ccoctl gcp create-service-accounts --name=<name> \
--project=<gcp-project-id> \
--credentials-requests-dir=oadp-credrequest \
--workload-identity-pool=<pool-id> \
--workload-identity-provider=<provider-id>
```
[ccoctl reference](https://github.com/openshift/cloud-credential-operator/blob/master/docs/ccoctl.md#creating-iam-service-accounts)
This should generate `manifests/openshift-adp-cloud-credentials-gcp-credentials.yaml` to use in the next step.

- Apply credentials secret to openshift-adp namespace
```bash
oc create namespace openshift-adp
oc apply -f manifests/openshift-adp-cloud-credentials-gcp-credentials.yaml
```
- [4.3.4.1. Installing the OADP Operator](https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html-single/backup_and_restore/index#oadp-installing-operator_installing-oadp-gcp)
- Skip to [4.3.4.5. Installing the Data Protection Application](https://access.redhat.com/documentation/en-us/openshift_container_platform/4.10/html-single/backup_and_restore/index#oadp-installing-dpa_installing-oadp-gcp) to create Data Protection Application
Note that the key for credentials should be `service_account.json`, not `cloud` as in the official documentation example.
```yaml
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: <dpa_sample>
  namespace: openshift-adp
spec:
  configuration:
    velero:
      defaultPlugins:
        - openshift
        - gcp
  backupLocations:
    - velero:
        provider: gcp
        default: true
        credential:
          key: service_account.json
          name: cloud-credentials-gcp
        objectStorage:
          bucket: <bucket_name>
          prefix: <prefix>
  # Temporary image override until https://github.com/vmware-tanzu/velero-plugin-for-gcp/pull/142 is cherry-picked to OpenShift
  unsupportedOverrides:
    gcpPluginImageFqin: ghcr.io/kaovilai/velero-plugin-for-gcp:file-wif
```
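
A pre-apply check for the manifest that `ccoctl` generates in the steps above, added here as an example (not part of the original page or of ccoctl): it confirms that the `service_account.json` key holds a Google `external_account` (workload identity federation) configuration and no static `private_key`. It assumes the value is a single-line base64 string under `data:`; `check_wif_secret`, `write_sample` and both sample JSON documents are constructed for illustration.

```shell
#!/usr/bin/env bash
# check_wif_secret FILE
# returns 0 = keyless WIF config, 1 = static key or wrong type, 2 = key missing/unreadable
check_wif_secret() {
  manifest=$1
  # Assumption: the value is a single-line base64 string under `data:`.
  b64=$(sed -n 's/^[[:space:]]*service_account\.json:[[:space:]]*//p' "$manifest" | head -n 1)
  if [ -z "$b64" ]; then
    echo "no service_account.json key in $manifest" >&2; return 2
  fi
  if ! json=$(printf '%s' "$b64" | base64 -d 2>/dev/null); then
    echo "service_account.json is not valid base64" >&2; return 2
  fi
  # A private_key field means a long-lived service account key would land in the cluster.
  if printf '%s' "$json" | grep -q '"private_key"'; then
    echo "static private_key present" >&2; return 1
  fi
  if ! printf '%s' "$json" | grep -Eq '"type"[[:space:]]*:[[:space:]]*"external_account"'; then
    echo "credential type is not external_account" >&2; return 1
  fi
  # The audience must name a workload identity pool provider.
  if ! printf '%s' "$json" | grep -Eq '"audience"[^,}]*workloadIdentityPools/[^/"]+/providers/'; then
    echo "audience does not reference a workload identity pool provider" >&2; return 1
  fi
  return 0
}

# write_sample FILE JSON: build a constructed Secret manifest for the demo below.
write_sample() {
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: cloud-credentials-gcp\n  namespace: openshift-adp\ndata:\n  service_account.json: %s\n' \
    "$(printf '%s' "$2" | base64 | tr -d '\n')" > "$1"
}

# Constructed sample values: project number, pool id and provider id are placeholders.
WIF_JSON='{"type":"external_account","audience":"//iam.googleapis.com/projects/000000000000/locations/global/workloadIdentityPools/example-pool/providers/example-provider","subject_token_type":"urn:ietf:params:oauth:token-type:jwt","token_url":"https://sts.googleapis.com/v1/token","credential_source":{"file":"/var/run/secrets/openshift/serviceaccount/token"}}'
KEY_JSON='{"type":"service_account","private_key_id":"constructed","private_key":"constructed-not-a-key","client_email":"velero@example.invalid"}'

demo_dir=$(mktemp -d)
write_sample "$demo_dir/wif.yaml" "$WIF_JSON"
write_sample "$demo_dir/key.yaml" "$KEY_JSON"
for f in wif key; do
  if check_wif_secret "$demo_dir/$f.yaml" 2>/dev/null; then
    echo "$f.yaml: keyless"
  else
    echo "$f.yaml: rejected"
  fi
done
rm -rf "$demo_dir"
```

With the function sourced, run `check_wif_secret manifests/openshift-adp-cloud-credentials-gcp-credentials.yaml` before the `oc apply` step and apply only on exit status 0.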