/velero-plugin-for-microsoft-azure

Plugins to support Velero on Microsoft Azure

Primary LanguageGoApache License 2.0Apache-2.0

Build Status

Velero plugins for Microsoft Azure

Overview

This repository contains these plugins to support running Velero on Microsoft Azure:

  • An object store plugin for persisting and retrieving backups on Azure Blob Storage. Content of backup is log files, warning/error files, restore logs.

  • A volume snapshotter plugin for creating snapshots from volumes (during a backup) and volumes from snapshots (during a restore) on Azure Managed Disks.

Compatibility

Below is a listing of plugin versions and respective Velero versions that are compatible.

Plugin Version Velero Version
v1.1.x v1.4.x
v1.0.x v1.3.x
v1.0.x v1.2.0

Kubernetes cluster prerequisites

Ensure that the VMs for your agent pool allow Managed Disks. If I/O performance is critical, consider using Premium Managed Disks, which are SSD backed.

Setup

To set up Velero on Azure, you:

If you do not have the az Azure CLI 2.0 installed locally, follow the install guide to set it up.

Run:

az login

Setup Azure storage account and blob container

(Optional) Change to the Azure subscription you want to create your backups in

By default, Velero will store backups in the same Subscription as your VMs and disks and will not allow you to restore backups to a Resource Group in a different Subscription. To enable backups/restore across Subscriptions you will need to specify the Subscription ID to backup to.

Use az to switch to the Subscription the backups should be created in.

First, find the Subscription ID by name.

AZURE_BACKUP_SUBSCRIPTION_NAME=<NAME_OF_TARGET_SUBSCRIPTION>
AZURE_BACKUP_SUBSCRIPTION_ID=$(az account list --query="[?name=='$AZURE_BACKUP_SUBSCRIPTION_NAME'].id | [0]" -o tsv)

Second, change the Subscription.

az account set -s $AZURE_BACKUP_SUBSCRIPTION_ID

Execute the next step – creating an storage account and blob container – using the active Subscription.

Create Azure storage account and blob container

Velero requires a storage account and blob container in which to store backups.

The storage account can be created in the same Resource Group as your Kubernetes cluster or separated into its own Resource Group. The example below shows the storage account created in a separate Velero_Backups Resource Group.

The storage account needs to be created with a globally unique id since this is used for dns. In the sample script below, we're generating a random name using uuidgen, but you can come up with this name however you'd like, following the Azure naming rules for storage accounts. The storage account is created with encryption at rest capabilities (Microsoft managed keys) and is configured to only allow access via https.

Create a resource group for the backups storage account. Change the location as needed.

AZURE_BACKUP_RESOURCE_GROUP=Velero_Backups
az group create -n $AZURE_BACKUP_RESOURCE_GROUP --location WestUS

Create the storage account.

AZURE_STORAGE_ACCOUNT_ID="velero$(uuidgen | cut -d '-' -f5 | tr '[A-Z]' '[a-z]')"
az storage account create \
    --name $AZURE_STORAGE_ACCOUNT_ID \
    --resource-group $AZURE_BACKUP_RESOURCE_GROUP \
    --sku Standard_GRS \
    --encryption-services blob \
    --https-only true \
    --kind BlobStorage \
    --access-tier Hot

Create the blob container named velero. Feel free to use a different name, preferably unique to a single Kubernetes cluster. See the FAQ for more details.

BLOB_CONTAINER=velero
az storage container create -n $BLOB_CONTAINER --public-access off --account-name $AZURE_STORAGE_ACCOUNT_ID

Get resource group containing your VMs and disks

(Optional) If you decided to backup to a different Subscription, make sure you change back to the Subscription of your cluster's resources before continuing.

  1. Set the name of the Resource Group that contains your Kubernetes cluster's virtual machines/disks.

    WARNING: If you're using AKS, AZURE_RESOURCE_GROUP must be set to the name of the auto-generated resource group that is created when you provision your cluster in Azure, since this is the resource group that contains your cluster's virtual machines/disks.

    AZURE_RESOURCE_GROUP=<NAME_OF_RESOURCE_GROUP>

    If you are unsure of the Resource Group name, run the following command to get a list that you can select from. Then set the AZURE_RESOURCE_GROUP environment variable to the appropriate value.

    az group list --query '[].{ ResourceGroup: name, Location:location }'

    Get your cluster's Resource Group name from the ResourceGroup value in the response, and use it to set $AZURE_RESOURCE_GROUP.

Set permissions for Velero

There are several ways Velero can authenticate to Azure: (1) by using a Velero-specific service principal; (2) by using AAD Pod Identity; or (3) by using a storage account access key.

If you plan to use Velero to take Azure snapshots of your persistent volume managed disks, you must use the service principal or AAD Pod Identity method.

If you don't plan to take Azure disk snapshots, any method is valid.

Option 1: Create service principal

Create service principal

  1. Obtain your Azure Account Subscription ID and Tenant ID:

    AZURE_SUBSCRIPTION_ID=`az account list --query '[?isDefault].id' -o tsv`
    AZURE_TENANT_ID=`az account list --query '[?isDefault].tenantId' -o tsv`
  2. Create a service principal with Contributor role. This will have subscription-wide access, so protect this credential.

    If you'll be using Velero to backup multiple clusters with multiple blob containers, it may be desirable to create a unique username per cluster rather than the default velero.

    Create service principal and let the CLI generate a password for you. Make sure to capture the password.

    (Optional) If you are using a different Subscription for backups and cluster resources, make sure to specify both subscriptions in the az command using --scopes.

    AZURE_CLIENT_SECRET=`az ad sp create-for-rbac --name "velero" --role "Contributor" --query 'password' -o tsv \
      --scopes  /subscriptions/$AZURE_SUBSCRIPTION_ID[ /subscriptions/$AZURE_BACKUP_SUBSCRIPTION_ID]`

    NOTE: Ensure that value for --name does not conflict with other service principals/app registrations.

    After creating the service principal, obtain the client id.

    AZURE_CLIENT_ID=`az ad sp list --display-name "velero" --query '[0].appId' -o tsv`
  3. Now you need to create a file that contains all the relevant environment variables. The command looks like the following:

    cat << EOF  > ./credentials-velero
    AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}
    AZURE_TENANT_ID=${AZURE_TENANT_ID}
    AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
    AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
    AZURE_RESOURCE_GROUP=${AZURE_RESOURCE_GROUP}
    AZURE_CLOUD_NAME=AzurePublicCloud
    EOF

    available AZURE_CLOUD_NAME values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud

Option 2: Use AAD Pod Identity

These instructions have been adapted from the aad-pod-identity documentation.

Before proceeding, ensure that you have installed and configured aad-pod-identity for your cluster.

Create identity

  1. Obtain your Azure Account Subscription ID:

    AZURE_SUBSCRIPTION_ID=`az account list --query '[?isDefault].id' -o tsv`
  2. Create an identity for Velero:

    export IDENTITY_NAME=velero
    
    az identity create \
        --subscription $AZURE_SUBSCRIPTION_ID \
        --resource-group $AZURE_RESOURCE_GROUP \
        --name $IDENTITY_NAME
    
    export IDENTITY_CLIENT_ID="$(az identity show -g $AZURE_RESOURCE_GROUP -n $IDENTITY_NAME --subscription $AZURE_SUBSCRIPTION_ID --query clientId -otsv)"
    export IDENTITY_RESOURCE_ID="$(az identity show -g $AZURE_RESOURCE_GROUP -n $IDENTITY_NAME --subscription $AZURE_SUBSCRIPTION_ID --query id -otsv)"    

    If you'll be using Velero to backup multiple clusters with multiple blob containers, it may be desirable to create a unique identity name per cluster rather than the default velero.

  3. Assign the identity a role:

    export IDENTITY_ASSIGNMENT_ID="$(az role assignment create --role Contributor --assignee $IDENTITY_CLIENT_ID --scope /subscriptions/$AZURE_SUBSCRIPTION_ID --query id -otsv)"
  4. In the cluster, create an AzureIdentity and AzureIdentityBinding:

    cat <<EOF | kubectl apply -f -
    apiVersion: "aadpodidentity.k8s.io/v1"
    kind: AzureIdentity
    metadata:
      name: $IDENTITY_NAME
    spec:
      type: 0
      resourceID: $IDENTITY_RESOURCE_ID
      clientID: $IDENTITY_CLIENT_ID
    EOF
    
    cat <<EOF | kubectl apply -f -
    apiVersion: "aadpodidentity.k8s.io/v1"
    kind: AzureIdentityBinding
    metadata:
      name: $IDENTITY_NAME-binding
    spec:
      azureIdentity: $IDENTITY_NAME
      selector: $IDENTITY_NAME
    EOF
  5. Create a file that contains all the relevant environment variables:

    cat << EOF  > ./credentials-velero
    AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}
    AZURE_RESOURCE_GROUP=${AZURE_RESOURCE_GROUP}
    AZURE_CLOUD_NAME=AzurePublicCloud
    EOF

    available AZURE_CLOUD_NAME values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud

Option 3: Use storage account access key

Note: this option is not valid if you are planning to take Azure snapshots of your managed disks with Velero.

  1. Obtain your Azure Storage account access key:

    AZURE_STORAGE_ACCOUNT_ACCESS_KEY=`az storage account keys list --account-name $AZURE_STORAGE_ACCOUNT_ID --query "[?keyName == 'key1'].value" -o tsv`
  2. Now you need to create a file that contains all the relevant environment variables. The command looks like the following:

    cat << EOF  > ./credentials-velero
    AZURE_STORAGE_ACCOUNT_ACCESS_KEY=${AZURE_STORAGE_ACCOUNT_ACCESS_KEY}
    AZURE_CLOUD_NAME=AzurePublicCloud
    EOF

    available AZURE_CLOUD_NAME values: AzurePublicCloud, AzureUSGovernmentCloud, AzureChinaCloud, AzureGermanCloud

Install and start Velero

Download Velero

Install Velero, including all prerequisites, into the cluster and start the deployment. This will create a namespace called velero, and place a deployment named velero in it.

If using service principal or AAD Pod Identity:

velero install \
    --provider azure \
    --plugins velero/velero-plugin-for-microsoft-azure:v1.1.0 \
    --bucket $BLOB_CONTAINER \
    --secret-file ./credentials-velero \
    --backup-location-config resourceGroup=$AZURE_BACKUP_RESOURCE_GROUP,storageAccount=$AZURE_STORAGE_ACCOUNT_ID[,subscriptionId=$AZURE_BACKUP_SUBSCRIPTION_ID] \
    --snapshot-location-config apiTimeout=<YOUR_TIMEOUT>[,resourceGroup=$AZURE_BACKUP_RESOURCE_GROUP,subscriptionId=$AZURE_BACKUP_SUBSCRIPTION_ID]

If you're using AAD Pod Identity, you now need to add the aadpodidbinding=$IDENTITY_NAME label to the Velero pod(s), preferably through the Deployment's pod template.

If using storage account access key and no Azure snapshots:

velero install \
    --provider azure \
    --plugins velero/velero-plugin-for-microsoft-azure:v1.1.0 \
    --bucket $BLOB_CONTAINER \
    --secret-file ./credentials-velero \
    --backup-location-config resourceGroup=$AZURE_BACKUP_RESOURCE_GROUP,storageAccount=$AZURE_STORAGE_ACCOUNT_ID,storageAccountKeyEnvVar=AZURE_STORAGE_ACCOUNT_ACCESS_KEY[,subscriptionId=$AZURE_BACKUP_SUBSCRIPTION_ID] \
    --use-volume-snapshots=false

Additionally, you can specify --use-restic to enable restic support, and --wait to wait for the deployment to be ready.

Optional installation steps

  1. Specify additional configurable parameters for the --backup-location-config flag.
  2. Specify additional configurable parameters for the --snapshot-location-config flag.
  3. Customize the Velero installation further to meet your needs.
  4. Velero does not officially support for Windows containers. If your cluster has both Windows and Linux agent pool, add a node selector to the velero deployment to run Velero only on the Linux nodes. This can be done using the below command.
    kubectl patch deploy velero --namespace velero --type merge --patch '{ \"spec\": { \"template\": { \"spec\": { \"nodeSelector\": { \"beta.kubernetes.io/os\": \"linux\"} } } } }'

For more complex installation needs, use either the Helm chart, or add --dry-run -o yaml options for generating the YAML representation for the installation.