Velero Installation Overview

Velero is a Kubernetes utility used for backing up and restoring Kubernetes cluster resources and persistent volumes.

Velero will be installed on the 🟢 Management, 🟦 Non-Production Workload, and 🟥 Production Workload clusters.

The following steps describe how to install Velero on a Kubernetes cluster, utilizing SeaweedFS HA as the S3-compatible backend storage.

  1. Connect to the Kubernetes Cluster, i.e. with a Kubeconfig file.

    Ensure you have defined and loaded your Global Shell Variables as described in Shell Variables.

        source $HOME/opstella-installation/shell-values/kubernetes/YOUR-KUBERNETES-CLUSTER.vars.sh

        export KUBECONFIG="/PATH/TO/YOUR/KUBECONFIG"
  2. Export Required Shell Variables

    Export the variables needed for S3 authentication and endpoint configuration.

        # S3 Credentials and Endpoint
        export SEAWEEDFS_HA_S3_VELERO_PASSWORD="CHANGEME"
        export SEAWEEDFS_HA_API_DOMAIN="seaweedfs-s3.${BASE_DOMAIN}"
  3. Create Namespace for Velero

        kubectl create namespace cluster-utilities
  4. Create S3 Storage Credential Secret

    This secret contains the AWS-style credentials formatted for Velero to connect to SeaweedFS.

        cat <<EOF > $HOME/opstella-installation/kubernetes-manifests/velero.yaml
        ---
        apiVersion: v1
        kind: Secret
        type: Opaque
        metadata:
          name: velero-object-storage-credentials
          namespace: cluster-utilities
        stringData:
          cloud: |
            [default]
            aws_access_key_id=velero
            aws_secret_access_key=${SEAWEEDFS_HA_S3_VELERO_PASSWORD}
        EOF

        kubectl apply -f $HOME/opstella-installation/kubernetes-manifests/velero.yaml
  5. Add Velero Helm Repository

        helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts/
        helm repo update
  6. Create Velero Helm Values

        cat <<EOF > $HOME/opstella-installation/helm-values/velero-values.yaml
        fullnameOverride: velero
        nameOverride: velero
        # Whether to deploy the node-agent daemonset.
        deployNodeAgent: true
        # Exclude Velero from Backing up itself
        podLabels:
          velero.io/exclude-from-backup: "true"
        labels:
          velero.io/exclude-from-backup: "true"
        # SecurityContext to use for the Velero deployment. Optional.
        # Set fsGroup for 'AWS IAM Roles for Service Accounts'
        # See more information at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
        podSecurityContext:
          fsGroup: 1000
        # Container Level Security Context for the 'velero' container of the Velero deployment. Optional.
        # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
        containerSecurityContext:
          allowPrivilegeEscalation: false
          runAsNonRoot: true
          runAsUser: 1000
          capabilities:
            drop: ["ALL"]
            add: []
          readOnlyRootFilesystem: true
          seccompProfile:
            type: RuntimeDefault
        # Install Velero Plugins
        initContainers:
          - name: velero-plugin-for-aws
            image: velero/velero-plugin-for-aws:v1.13.2
            securityContext:
              allowPrivilegeEscalation: false
              runAsNonRoot: true
              runAsUser: 1000
              capabilities:
                drop: ["ALL"]
                add: []
              readOnlyRootFilesystem: true
              seccompProfile:
                type: RuntimeDefault
            volumeMounts:
              - mountPath: /target
                name: plugins
        upgradeCRDs: true
        # This job is meant primarily for cleaning up CRDs on CI systems.
        # Using this on production systems, especially those that have multiple releases of Velero, will be destructive.
        cleanUpCRDs: false
        kubectl:
          image:
            repository: bitnamilegacy/kubectl
            tag: "1.33.4"
          containerSecurityContext:
            allowPrivilegeEscalation: false
            runAsNonRoot: true
            runAsUser: 1000
            capabilities:
              drop: ["ALL"]
              add: []
            readOnlyRootFilesystem: true
            seccompProfile:
              type: RuntimeDefault
        # Velero Server and Backup Storage Location Configuration
        configuration:
          # logLevel: debug
          namespace: cluster-utilities
          backupStorageLocation:
            - name: default
              default: true
              provider: aws
              bucket: k8s-velero-backups
              prefix: opstella-cluster
              config:
                region: us-east-1
                s3ForcePathStyle: true
                s3Url: "https://${SEAWEEDFS_HA_API_DOMAIN}/"
        # Use Pre-created Kubernetes Secret Credential
        credentials:
          existingSecret: velero-object-storage-credentials
        # Whether to create volumesnapshotlocation crd, if false => disable snapshot feature
        snapshotsEnabled: false
        # Setup Scheduled Backup
        schedules:
          backup-daily:
            schedule: "@daily"
            template:
              # Opt-In Approach
              includedNamespaces:
                - '*'
              ttl: 336h
              # defaultVolumesToFsBackup: true # Opt-Out Approach
        # Enable Restore Helper Container
        configMaps:
          fs-restore-action-config:
            labels:
              velero.io/plugin-config: ""
              velero.io/pod-volume-restore: RestoreItemAction
            data:
              image: velero/velero:v1.17.1
              cpuRequest: 200m
              memRequest: 128Mi
              cpuLimit: 200m
              memLimit: 128Mi
              secCtx: |
                capabilities:
                  drop:
                  - ALL
                  add: []
                allowPrivilegeEscalation: false
                readOnlyRootFilesystem: true
                runAsNonRoot: true
                runAsUser: 1001
                runAsGroup: 999
        EOF
  7. Install Velero Helm Release

    Install Velero into the cluster-utilities namespace using the provided values.

        helm upgrade --install velero vmware-tanzu/velero \
          --namespace cluster-utilities \
          --version 11.3.2 \
          -f $HOME/opstella-installation/helm-values/velero-values.yaml
  1. Verify Pod Status

        kubectl get pods -n cluster-utilities -l app.kubernetes.io/name=velero

    💡 The Velero pod should be Running:

        NAME                      READY   STATUS    RESTARTS   AGE
        velero-XXXXXXXXXX-YYYYY   1/1     Running   0          ...
  2. Verify Backup Storage Location

    Check that Velero has successfully connected to the SeaweedFS S3 bucket.

        kubectl get backupstoragelocation -n cluster-utilities

    The status should show Available.
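
The manifest written in step 4 keeps the S3 password in clear text on disk with the shell's default umask, and nothing stops the `CHANGEME` placeholder from step 2 reaching the cluster. The following is an added example, not part of the original guide, of writing the credentials file with owner-only permissions and building the Secret from it; the function names `write_velero_credentials` and `apply_velero_secret` are hypothetical, while the Secret name, key and namespace are those from step 4.

```shell
#!/bin/sh
# Added example, not from the original guide. Function names are hypothetical.

# Write the AWS-style credentials file that becomes the Secret's "cloud" key.
# The body is a subshell "( ... )", so umask and variables do not leak into
# the caller, and "exit" only ends the subshell (the function returns its code).
write_velero_credentials() (
  out="$1"
  pw="${SEAWEEDFS_HA_S3_VELERO_PASSWORD:-}"
  nl='
'
  # Refuse an unset variable or the guide's placeholder value from step 2.
  if [ -z "$pw" ] || [ "$pw" = "CHANGEME" ]; then
    echo "SEAWEEDFS_HA_S3_VELERO_PASSWORD is unset or still CHANGEME" >&2
    exit 1
  fi
  # A newline in the value would add extra lines to the INI-style profile.
  case "$pw" in
    *"$nl"*) echo "password must not contain a newline" >&2; exit 1 ;;
  esac
  umask 077       # new file is created as 0600
  rm -f "$out"    # a pre-existing file would keep its old, looser mode
  # printf inserts the value literally; the shell does not re-expand it.
  printf '[default]\naws_access_key_id=velero\naws_secret_access_key=%s\n' \
    "$pw" > "$out"
)

# Build the Secret from that file instead of a manifest holding the password.
# Secret name, key and namespace are the ones used in step 4.
apply_velero_secret() {
  kubectl create secret generic velero-object-storage-credentials \
    --namespace cluster-utilities \
    --from-file=cloud="$1" \
    --dry-run=client -o yaml | kubectl apply -f -
}
```

Run `write_velero_credentials` with a target path, pass the same path to `apply_velero_secret`, and delete the file once the Secret exists.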
