Velero AWS Cluster Installation

How to set up Velero with a AWS Kubernetes cluster

The following instructions are based on the Velero Plugin for AWS instructions.

These steps assume the user has installed the AWS Command-Line Interface (CLI) and has the necessary permissions to perform the steps below.

The following items are required to create the Velero bucket via a AWS S3 Storage:

S3 Bucket Name: The name of the S3 bucket used to store Wallaroo backups.
Amazon Web Services Region: The region where the Velero bucket is stored. This should be in the same region as the Wallaroo Kubernetes cluster.
Authentication Method: A method of authenticating to AWS for the Velero service either with an IAM user or kube2iam as defined in the Velero plugins for AWS Set permissions for Velero.

If these steps are complete, jump to the Install the Velero Service into the AWS Wallaroo Cluster.

Create AWS Bucket for Velero

Create the S3 bucket used for Velero based backups and restores with the following command, replacing the variables AWS_BUCKET_NAME and AWS_REGION based on your organization’s requirements. In the command below, if the region is us-east-1, remove the --create-bucket-configuration option.

AWS_BUCKET_NAME=<YOUR_BUCKET>
AWS_REGION=<YOUR_REGION>
aws s3api create-bucket \
    --bucket $AWS_BUCKET_NAME \
    --region $AWS_REGION \
    --create-bucket-configuration LocationConstraint=$AWS_REGION

Set Permissions for AWS Velero

There are multiple options for setting permissions for the Velero service in an AWS Kubernetes cluster as detailed in the Velero plugins for AWS Set permissions for Velero. The following examples assume the IAM user method as follows.

Create the IAM user. In this example, the name is velero.
```
aws iam create-user --user-name velero
```

Attach the following AWS policies to the new velero AWS user.

cat > velero-policy.json <<EOF
{
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": [
                "ec2:DescribeVolumes",
                "ec2:DescribeSnapshots",
                "ec2:CreateTags",
                "ec2:CreateVolume",
                "ec2:CreateSnapshot",
                "ec2:DeleteSnapshot"
            ],
            "Resource": "*"
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:GetObject",
                "s3:DeleteObject",
                "s3:PutObject",
                "s3:AbortMultipartUpload",
                "s3:ListMultipartUploadParts"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET}/*"
            ]
        },
        {
            "Effect": "Allow",
            "Action": [
                "s3:ListBucket"
            ],
            "Resource": [
                "arn:aws:s3:::${BUCKET}"
            ]
        }
    ]
}
EOF

Create an access key for the velero user:

aws iam create-access-key --user-name velero

This creates the following sample output:

{
"AccessKey": {
        "UserName": "velero",
        "Status": "Active",
        "CreateDate": "2017-07-31T22:24:41.576Z",
        "SecretAccessKey": <AWS_SECRET_ACCESS_KEY>,
        "AccessKeyId": <AWS_ACCESS_KEY_ID>
}
}

Store the SecretAccessKey and AccessKeyID for the next step. In this case, the file ~/.credentials-velero-aws:
```
[default]
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
```

Install the Velero Service into the AWS Wallaroo Cluster

The following procedure will install the Velero service into the AWS Kubernetes cluster hosting the Wallaroo instance.

Verify the connection to the GCP Kubernetes cluster hosting the Wallaroo instance.

kubectl get nodes
NAME                                             STATUS   ROLES    AGE   VERSION
aws-ce-default-pool-5dd3c344-fxs3   Ready    <none>   31s   v1.23.14-gke.1800
aws-ce-default-pool-5dd3c344-q95a   Ready    <none>   25d   v1.23.14-gke.1800
aws-ce-default-pool-5dd3c344-scmc   Ready    <none>   31s   v1.23.14-gke.1800
aws-ce-default-pool-5dd3c344-wnkn   Ready    <none>   31s   v1.23.14-gke.1800

Install Velero into the AWS Kubernetes cluster. This assumes the $BUCKET_NAME and $REGION variables from earlier, and the AWS velero user credentials are stored in ~/.credentials-velero-aws

velero install \
--provider aws \
--plugins velero/velero-plugin-for-aws:v1.6.0 \
--bucket $BUCKET_NAME \
--backup-location-config region=$REGION \
--secret-file ./credentials-velero-aws \
--use-volume-snapshots=false \
--use-node-agent --wait

Once complete, verify the installation is complete by checking for the velero namespace in the Kubernetes cluster:

kubectl get namespaces
NAME              STATUS   AGE
default           Active   222d
kube-node-lease   Active   222d
kube-public       Active   222d
kube-system       Active   222d
velero            Active   5m32s
wallaroo          Active   7d23h

If using Kubernetes taints and tolerations for the Wallaroo installation, update the velero namespace to accept all pods:

kubectl -n velero patch ds node-agent -p='{"spec": {"template": {"spec": {"tolerations":[{"operator": "Exists"}]}}}}'

Next: Velero Azure Cluster Installation