Setup and Configure Velero on AKS
This article will help you set up Velero easily on AKS, limiting access to the minimum needed resource group instead of subscription-level access.
What Is Velero?
Velero is an open-source tool to safely back up and restore, perform disaster recovery, and migrate Kubernetes cluster resources and persistent volumes.
Velero consists of:
- A server that runs on your cluster.
- A command-line client that runs locally.
Azure Kubernetes Service (AKS)
Azure Kubernetes Service (AKS) is a managed container orchestration service, based on the Kubernetes system and available on the Microsoft Azure public cloud. AKS is used to deploy, scale and manage both Docker containers and container-based applications across a cluster of container hosts.
Prerequisite
Create a resource group and an AKS cluster in Azure; you can choose any names you like. I created mine with the following details.
Create Resource Group:
$ az group create --name myResourceGroup --location eastus
Create Kubernetes Cluster:
$ az aks create --resource-group myResourceGroup --name myAKSCluster --node-count 1 --enable-addons monitoring --generate-ssh-keys
Get the Cluster Credentials:
$ az aks get-credentials --resource-group myResourceGroup --name myAKSCluster
Dynamic Resource Group
Azure created the MC_myresourcegroup_myakscluster_eastus resource group to hold dynamic resources created for my Kubernetes cluster, for example agent pools and dynamic disks for persistent volumes.
Once that is done, the next step is to set up a storage account.
Setup Storage Account
$ az storage account create --name mystoragevelero --resource-group myResourceGroup --sku Standard_GRS --encryption-services blob --https-only true --kind BlobStorage --access-tier Hot
Create blob container inside the storage account:
$ az storage container create -n velero --public-access off --account-name mystoragevelero
Get your subscription and tenant ID:
$ az account list --query '[?isDefault].id' -o tsv
XXXX-XXXX-XXX-XXX-XXXX-XXXXXXXX
$ az account list --query '[?isDefault].tenantId' -o tsv
XXXX-XXXX-XXX-XXX-XXXX-XXXXXXXX
Create a service principal with contributor access:
$ export SUBSCRIPTION_ID=XXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX
$ export STORAGE_RESOURCE_GROUP=myResourceGroup
$ export MC_RESOURCE_GROUP=MC_myresourcegroup_myakscluster_eastus
$ az ad sp create-for-rbac \
--name "velero" \
--role "Contributor" \
--query 'password' \
-o tsv \
--scopes /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$STORAGE_RESOURCE_GROUP /subscriptions/$SUBSCRIPTION_ID/resourceGroups/$MC_RESOURCE_GROUP
Save the password that you got while creating the service principal.
Get the app ID for the service principal:
$ az ad sp list --display-name "velero" --query '[0].appId' -o tsv
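To confirm that the service principal holds only the two resource-group scopes and nothing at subscription level, the scopes printed by `az role assignment list` can be checked against the expected list. The script below is an added example, not part of the original article; `check_scopes`, `lower`, `sample_scopes` and the all-zero subscription ID are hypothetical names and constructed sample data.

```shell
#!/bin/sh
# Added example: audit the scopes of the "velero" service principal's role assignments.
# Real input (needs az login; APP_ID is the appId printed by `az ad sp list` above):
#   az role assignment list --assignee "$APP_ID" --all --query '[].scope' -o tsv

lower() { printf '%s' "$1" | tr '[:upper:]' '[:lower:]'; }

# check_scopes SUBSCRIPTION_ID ALLOWED_RG...   (one scope per line on stdin)
# Prints every scope that is not exactly one of the allowed resource groups
# and returns 1 if any was found, 0 otherwise.
check_scopes() {
    sub=$(lower "$1"); shift
    allowed=""
    for rg in "$@"; do   # resource group names cannot contain spaces
        allowed="$allowed /subscriptions/$sub/resourcegroups/$(lower "$rg")"
    done
    rc=0
    while IFS= read -r scope; do
        [ -n "$scope" ] || continue
        # Azure resource IDs are case-insensitive; also drop a trailing "/".
        norm=$(lower "$scope"); norm=${norm%/}
        match=no
        for a in $allowed; do
            if [ "$norm" = "$a" ]; then match=yes; fi
        done
        if [ "$match" = no ]; then
            echo "UNEXPECTED SCOPE: $scope"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample: two expected scopes plus a subscription-wide one.
SUB=00000000-0000-0000-0000-000000000000   # placeholder, not a real ID
sample_scopes() {
    cat <<EOF
/subscriptions/$SUB/resourceGroups/myResourceGroup
/subscriptions/$SUB/resourceGroups/MC_myResourceGroup_myAKSCluster_eastus
/subscriptions/$SUB
EOF
}

sample_scopes | check_scopes "$SUB" myResourceGroup \
    MC_myresourcegroup_myakscluster_eastus || echo "review the scopes above"
```

A subscription-wide scope like the third sample line is what the two `--scopes` arguments above are meant to avoid.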
Create a credentials file, credentials-velero, for Velero. Make sure to update the values of the subscription ID, tenant ID, client ID (SP app ID), client secret (SP password), and resource group name.
$ cat credentials-velero
AZURE_SUBSCRIPTION_ID=XXXX-XXXX-XXX-XXX-XXXX-XXXXXXXX
AZURE_TENANT_ID=XXXX-XXXX-XXX-XXX-XXXX-XXXXXXXX
AZURE_CLIENT_ID=SERVICE_PRINCIPAL_APPID
AZURE_CLIENT_SECRET=SERVICE_PRINCIPAL_PASSWORD
AZURE_RESOURCE_GROUP=MC_myresourcegroup_myakscluster_eastus
AZURE_CLOUD_NAME=AzurePublicCloud
Download the Velero client from the URL below and add it to your PATH:
https://github.com/vmware-tanzu/velero/releases/tag/v1.5.1
Download the Helm client from the URL below and add it to your PATH:
https://github.com/helm/helm/releases
Once you are done with the above steps, the next step is to install Velero on Kubernetes using helm charts.
Install Velero
$ helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts
# Make sure you are setting the values correctly
# --set-file credentials.secretContents.cloud=./credentials-velero
# this file has SP details for velero
# --set configuration.backupStorageLocation.config.resourceGroup=myResourceGroup \
# --set configuration.backupStorageLocation.config.storageAccount=mystoragevelero \
# the above 2 configurations will save kubernetes objects tar in storage account.
$ helm install velero vmware-tanzu/velero --namespace velero --create-namespace \
--set-file credentials.secretContents.cloud=./credentials-velero \
--set configuration.provider=azure \
--set configuration.backupStorageLocation.name=azure \
--set configuration.backupStorageLocation.bucket='velero' \
--set configuration.backupStorageLocation.config.resourceGroup=myResourceGroup \
--set configuration.backupStorageLocation.config.storageAccount=mystoragevelero \
--set snapshotsEnabled=true \
--set deployRestic=true \
--set configuration.volumeSnapshotLocation.name=azure \
--set image.repository=velero/velero \
--set image.pullPolicy=Always \
--set initContainers[0].name=velero-plugin-for-microsoft-azure \
--set initContainers[0].image=velero/velero-plugin-for-microsoft-azure:master \
--set initContainers[0].volumeMounts[0].mountPath=/target \
--set initContainers[0].volumeMounts[0].name=plugins
NAME: velero
LAST DEPLOYED: Thu Nov 28 18:10:04 2020
NAMESPACE: velero
STATUS: deployed
REVISION: 1
TEST SUITE: None
NOTES:
Check that the velero is up and running:
kubectl get deployment/velero -n velero
Check that the secret has been created:
kubectl get secret/velero -n velero
Once velero server is up and running you need the client before you can use it
1. wget https://github.com/vmware-tanzu/velero/releases/download/v1.5.2/velero-v1.5.2-darwin-amd64.tar.gz
2. tar -xvf velero-v1.5.2-darwin-amd64.tar.gz -C velero-client
More info on the official site: https://velero.io/docs
$ kubectl get pods -n velero
NAME READY STATUS RESTARTS AGE
restic-86ty8 1/1 Running 0 1d
restic-kdr5t 1/1 Running 0 1d
restic-pjbhn 1/1 Running 0 1d
velero-742b785c76-j8bcf 1/1 Running 0 1d
Once the configuration is done, it is time to take backups and snapshots.
By default, Velero takes snapshots of all the persistent volumes mounted in a particular namespace.
Backup and Snapshot
Check the backup location:
$ velero backup-location get
NAME PROVIDER BUCKET/PREFIX PHASE LAST VALIDATED ACCESS MODE
azure azure velero Available 2021-03-19 20:09:54 +0530 IST ReadWrite
Install WordPress:
$ kubectl create ns wp
namespace/wp created
$ helm install my-app bitnami/wordpress --namespace wp
NAME: my-app
LAST DEPLOYED: Fri Mar 19 19:53:36 2021
NAMESPACE: wp
STATUS: deployed
REVISION: 1
NOTES:
** Please be patient while the chart is being deployed **
Your WordPress site can be accessed through the following DNS name from within your cluster:
my-app-wordpress.wp.svc.cluster.local (port 80)
To access your WordPress site from outside the cluster follow the steps below:
1. Get the WordPress URL by running these commands:
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
Watch the status with: 'kubectl get svc --namespace wp -w my-app-wordpress'
export SERVICE_IP=$(kubectl get svc --namespace wp my-app-wordpress --template "{{ range (index .status.loadBalancer.ingress 0) }}{{.}}{{ end }}")
echo "WordPress URL: http://$SERVICE_IP/"
echo "WordPress Admin URL: http://$SERVICE_IP/admin"
2. Open a browser and access WordPress using the obtained URL.
3. Login with the following credentials below to see your blog:
echo Username: user
echo Password: $(kubectl get secret --namespace wp my-app-wordpress -o jsonpath="{.data.wordpress-password}" | base64 --decode)
$ kubectl get svc --namespace wp -w my-app-wordpress
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
my-app-wordpress LoadBalancer 10.30.0.125 22.67.23.109 80:30017/TCP,443:31863/TCP 2m58s
# port forward it to local to see the wordpress website
$ kubectl port-forward services/my-app-wordpress -n wp 3000:80
Open https://localhost:3000/admin and add a post, Post1.
Backup the namespace:
$ velero backup create wp-backup --include-namespaces wp --storage-location azure --wait
$ velero get backup
NAME STATUS ERRORS WARNINGS CREATED EXPIRES STORAGE LOCATION SELECTOR
wp-backup1 Completed 0 0 2021-03-19 20:07:22 +0530 IST 29d azure <none>
$ velero backup describe wp-backup
Name: wp-backup
Namespace: velero
Labels: velero.io/storage-location=azure
Annotations: velero.io/source-cluster-k8s-gitversion=v1.19.3
velero.io/source-cluster-k8s-major-version=1
velero.io/source-cluster-k8s-minor-version=19
Phase: Completed
Errors: 0
Warnings: 0
Namespaces:
Included: wp
Excluded: <none>
Resources:
Included: *
Excluded: <none>
Cluster-scoped: auto
Label selector: <none>
Storage Location: azure
Velero-Native Snapshot PVs: auto
TTL: 720h0m0s
Hooks: <none>
Backup Format Version: 1.1.0
Started: 2021-03-19 20:07:22 +0530 IST
Completed: 2021-03-19 20:07:26 +0530 IST
Expiration: 2021-04-18 20:07:22 +0530 IST
Total items to be backed up: 50
Items backed up: 50
Velero-Native Snapshots: 2
The Kubernetes objects are saved in the Azure storage account.
Delete the namespace:
$ kubectl delete ns wp
$ kubectl get pods -n wp
No resources found in wp namespace.
$ kubectl get pv -A
No resources found
Restore the namespace using Velero:
$ velero restore create --from-backup wp-backup
Restore request "wp-backup-20210319201629" submitted successfully.
Run `velero restore describe wp-backup-20210319201629` or `velero restore logs wp-backup-20210319201629` for more details.
$ velero restore describe wp-backup-20210319201629
Name: wp-backup-20210319201629
Namespace: velero
Labels: <none>
Annotations: <none>
Phase: Completed
Started: 2021-03-19 20:16:31 +0530 IST
Completed: 2021-03-19 20:16:36 +0530 IST
Backup: wp-backup
Namespaces:
Included: all namespaces found in the backup
Excluded: <none>
Resources:
Included: *
Excluded: nodes, events, events.events.k8s.io, backups.velero.io, restores.velero.io, resticrepositories.velero.io
Cluster-scoped: auto
Namespace mappings: <none>
Label selector: <none>
Restore PVs: auto
Check the restored namespace wp:
$ kubectl get pods -n wp
NAME READY STATUS RESTARTS AGE
my-app-mariadb-0 1/1 Running 0 80s
my-app-wordpress-75477f4f6c-cj7zk 1/1 Running 0 80s
Persistent volumes will be restored from the snapshots taken by Velero.
Conclusion
This article will help you set up Velero easily on AKS, limiting access to the minimum needed resource group instead of subscription-level access.