This topic describes how to install Velero for backing up and restoring Tanzu Kubernetes Grid Integrated Edition (TKGI)-provisioned Kubernetes workloads on vSphere.
Ensure the following before installing Velero for backing up and restoring TKGI on vSphere:
The Velero backup procedure requires an object store as the backup destination for workload backups. Deploy and configure a MinIO Server on a Linux Ubuntu VM as the Velero backend object store. For more information, see Deploy an Object Store.
To install the Velero CLI on your workstation:
To download the Velero CLI Binary:
Download the supported version of the signed Velero binary for your version of TKGI from the TKGI product downloads page at myVMware. For more information about the currently supported Velero versions, see the Product Snapshot section of the Release Notes.
Note: You must use the Velero binary signed by VMware to be eligible for support from VMware.
To install the Velero CLI on the TKGI client or on your local machine:
Unzip the download file:
gunzip velero-linux-v1.11.1+vmware.1.gz
Grant execute permissions to the Velero CLI:
chmod +x velero-linux-v1.11.1+vmware.1
Make the Velero CLI globally available by moving it to the system path:
cp velero-linux-v1.11.1+vmware.1 /usr/local/bin/velero
Verify the installation:
velero version
For example:
$ velero version
Client:
Version: v1.11.1
To install the Velero pod on each Kubernetes cluster whose workloads you intend to back up, complete the following:
The following steps require that:
The Velero CLI context will automatically follow the kubectl context. Before running Velero CLI commands to install Velero on the target cluster, set the kubectl context:
MinIO bucket: tkgi-velero.
MinIO AccessKey: 0XXNO8JCCGV41QZBV0RQ and SecretKey: clZ1bf8Ljkvkmq7fHucrKCkxV39BRbcycGeXQDfx.
kubectl works against the cluster. If needed, use tkgi get-credentials.
Set the context for the target Kubernetes cluster so that the Velero CLI knows which cluster to work on:
tkgi get-credentials CLUSTER-NAME
Where CLUSTER-NAME is the name of the cluster.
For example:
$ tkgi get-credentials cluster-1
Fetching credentials for cluster cluster-1.
Password: ********
Context set for cluster cluster-1.
You can now switch between clusters by using:
$kubectl config use-context <cluster-name>
You can also run kubectl config use-context CLUSTER-NAME to set context.
To create a secrets file, create a file named credentials-minio. Update the file with the MinIO server access credentials that you collected above:
[default]
aws_access_key_id = ACCESS-KEY
aws_secret_access_key = SECRET-KEY
Where:
ACCESS-KEY is the AccessKey that you collected above.
SECRET-KEY is the SecretKey that you collected above.
For example:
[default]
aws_access_key_id = 0XXNO8JCCGV41QZBV0RQ
aws_secret_access_key = clZ1bf8Ljkvkmq7fHucrKCkxV39BRbcycGeXQDfx
Save the file.
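The credentials-minio file holds the object store keys in clear text, so it is worth checking before it is handed to --secret-file. The following preflight check is an added example, not part of the VMware procedure; the function names are hypothetical and the demo key values are constructed.

```shell
#!/bin/sh
# Added example: preflight checks for the file passed to `velero install --secret-file`.
# Function names are hypothetical; they are not part of Velero or TKGI.

# Succeeds only if group and others have no permissions on FILE.
check_owner_only() {
    # Characters 5-10 of `ls -l` output are the group and other permission bits.
    bits=$(ls -ld "$1" | cut -c5-10)
    [ "$bits" = "------" ] && return 0
    echo "$1: accessible beyond its owner ($bits); run: chmod 600 $1"
    return 1
}

# Returns the number of problems found in a credentials-minio style file.
check_minio_credentials() {
    f=$1
    problems=0
    [ -f "$f" ] || { echo "$f: file not found"; return 1; }
    check_owner_only "$f" || problems=$((problems + 1))
    grep -q '^\[default\]' "$f" || { echo "$f: no [default] profile"; problems=$((problems + 1)); }
    for key in aws_access_key_id aws_secret_access_key; do
        value=$(sed -n "s/^$key[[:space:]]*=[[:space:]]*//p" "$f" | head -n 1)
        case $value in
            "") echo "$f: $key is not set"; problems=$((problems + 1)) ;;
            ACCESS-KEY|SECRET-KEY) echo "$f: $key still holds the placeholder"; problems=$((problems + 1)) ;;
        esac
    done
    return "$problems"
}

# Demo on a constructed file; the key values below are made up for this example.
demo_dir=$(mktemp -d)
(
    umask 077   # create the secrets file readable by its owner only
    printf '%s\n' '[default]' 'aws_access_key_id = EXAMPLE-ID' \
        'aws_secret_access_key = EXAMPLE-SECRET' > "$demo_dir/credentials-minio"
)
check_minio_credentials "$demo_dir/credentials-minio" && echo "credentials-minio passed preflight"
rm -rf "$demo_dir"
```

check_owner_only applies unchanged to the csi-vsphere.conf file created later in this topic, which holds the vCenter password.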
Install Velero on the target Kubernetes cluster:
velero install \
--image projects.registry.vmware.com/tkg/velero/velero:v1.11.1_vmware.1 \
--provider aws --bucket tkgi-velero \
--secret-file ./credentials-minio \
--plugins "projects.registry.vmware.com/tkg/velero/velero-plugin-for-aws:v1.7.1_vmware.1" \
--backup-location-config region=minio,s3ForcePathStyle="true",s3Url=http://IP-ADDRESS:PORT,publicUrl=http://IP-ADDRESS:PORT \
--snapshot-location-config region=minio
Where:
IP-ADDRESS is the IP address that is used to connect to the MinIO server.
PORT is the number of the port that is used to connect to the MinIO server.
For example:
$ velero install --image projects.registry.vmware.com/tkg/velero/velero:v1.11.1_vmware.1 --provider aws --bucket tkgi-velero --secret-file ./credentials-minio --plugins "projects.registry.vmware.com/tkg/velero/velero-plugin-for-aws:v1.7.1_vmware.1" --backup-location-config region=minio,s3ForcePathStyle="true",s3Url=http://20.20.233.44:9000,publicUrl=http://20.20.233.44:9000 --snapshot-location-config region=minio
CustomResourceDefinition/backups.velero.io: created
...
Waiting for resources to be ready in cluster...
...
Velero is installed! Use 'kubectl logs deployment/velero -n velero' to view the status.
Note: You must include the --snapshot-location-config region configuration parameter.
Verify the installation of Velero:
kubectl logs deployment/velero -n velero
Verify the velero namespace:
kubectl get ns
For example:
$ kubectl get ns
NAME              STATUS   AGE
default           Active   13d
kube-node-lease   Active   13d
kube-public       Active   13d
kube-system       Active   13d
pks-system        Active   13d
velero            Active   2m38s
Create the csi-vsphere.conf file with the following details:
[Global]
cluster-id = "CLUSTER-NAME"
[VirtualCenter "IP-ADDRESS"]
user = "USERNAME"
password = "PASSWORD"
port = "443"
Where:
CLUSTER-NAME is the name of your cluster.
IP-ADDRESS is the IP address of the vCenter Server.
USERNAME is the user name that you want to use.
PASSWORD is the password for that user name.
Create the secret:
kubectl -n NAMESPACE create secret generic velero-vsphere-config-secret --from-file=csi-vsphere.conf
Where NAMESPACE is the Velero namespace.
Modify the ConfigMap file, for example configmap.yaml, with the following:
apiVersion: v1
kind: ConfigMap
metadata:
  name: velero-vsphere-plugin-config
data:
  cluster_flavor: "VANILLA"
  vsphere_secret_name: "SECRET-NAME"
  vsphere_secret_namespace: "SECRET-NAMESPACE" # optional, default is velero
Where:
SECRET-NAME is the name you applied to your Velero secret.
SECRET-NAMESPACE is the secret namespace. For example velero.
Save the ConfigMap file.
Apply the ConfigMap:
kubectl apply -f CONFIGMAP-FILE -n SECRET-NAMESPACE
Where:
CONFIGMAP-FILE is the name of your ConfigMap file. For example configmap.yaml.
SECRET-NAMESPACE is the secret namespace. For example velero.
Install the Velero plugin for vSphere:
velero plugin add projects.registry.vmware.com/tkg/velero/velero-plugin-for-vsphere:v1.5.1_vmware.1
Configure the Velero snapshot location:
velero snapshot-location create vsl-vsphere --provider velero.io/vsphere
Verify the velero pod:
kubectl get all -n velero
For example:
$ kubectl get all -n velero
NAME                         READY   STATUS    RESTARTS   AGE
pod/velero-8dc7498d9-9v7x4   1/1     Running   0          30s
Verify the snapshot plugin:
velero plugin get
Confirm the vsphere VolumeSnapshotter plugin is included in the returned list.
For example:
$ velero plugin get
NAME                                 KIND
velero.io/crd-remap-version          BackupItemAction
velero.io/pod                        BackupItemAction
velero.io/pv                         BackupItemAction
velero.io/service-account            BackupItemAction
velero.io/vsphere-pvc-backupper      BackupItemAction
velero.io/vsphere-pvc-deleter        DeleteItemAction
velero.io/aws                        ObjectStore
velero.io/add-pv-from-pvc            RestoreItemAction
velero.io/add-pvc-from-pod           RestoreItemAction
velero.io/change-pvc-node-selector   RestoreItemAction
velero.io/change-storage-class       RestoreItemAction
velero.io/cluster-role-bindings      RestoreItemAction
velero.io/crd-preserve-fields        RestoreItemAction
velero.io/init-restore-hook          RestoreItemAction
velero.io/job                        RestoreItemAction
velero.io/pod                        RestoreItemAction
velero.io/role-bindings              RestoreItemAction
velero.io/service                    RestoreItemAction
velero.io/service-account            RestoreItemAction
velero.io/vsphere-pvc-restorer       RestoreItemAction
velero.io/aws                        VolumeSnapshotter
velero.io/vsphere                    VolumeSnapshotter
Follow this step if you will back up the VCP volumes that were migrated to vSphere CSI Driver.
Modify the velero-vsphere-plugin-feature-states.yaml ConfigMap file with the following:
apiVersion: v1
data:
  csi-migrated-volume-support: "true"
  decouple-vsphere-csi-driver: "true"
  local-mode: "false"
kind: ConfigMap
metadata:
  name: velero-vsphere-plugin-feature-states
Save the ConfigMap file.
Apply the ConfigMap:
kubectl apply -f velero-vsphere-plugin-feature-states.yaml -n velero
If your Velero backup returns status=InProgress for many hours, increase the limits and requests memory settings. To do this:
Run the following command:
kubectl edit deployment/velero -n velero
Change the limits and requests memory settings from the default of 256Mi and 128Mi to 512Mi and 256Mi:
ports:
- containerPort: 8085
  name: metrics
  protocol: TCP
resources:
  limits:
    cpu: "1"
    memory: 512Mi
  requests:
    cpu: 500m
    memory: 256Mi
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
If you are working in an air-gapped environment, you can install Velero using an internal registry. For more information, see Air-gapped deployments in the Velero documentation.
Ensure the following before installing Velero in an air-gapped environment:
The credentials-minio file exists. For more information, see Set Up the kubectl Context above.
Download the Velero CLI and Velero Plugin for vSphere images for your version of TKGI:
backup-driver-v1.5.1_vmware.1.tar.gz
data-manager-for-plugin-v1.5.1_vmware.1.tar.gz
velero-plugin-for-vsphere-v1.5.1_vmware.1.tar.gz
Note: You must use the container images signed by VMware to be eligible for support from VMware.
Push the Docker images into the internal registry. Adjust the variables as needed for your registry instance and preferences.
docker login harbor.example.com
docker load -i backup-driver-v1.5.1_vmware.1.tar.gz
docker tag vmware.io/backup-driver:v1.5.1_vmware.1 harbor.example.com/vmware-tanzu/backup-driver:v1.5.1_vmware.1
docker load -i velero-plugin-for-vsphere-v1.5.1_vmware.1.tar.gz
docker tag vmware.io/velero-plugin-for-vsphere:v1.5.1_vmware.1 harbor.example.com/vmware-tanzu/velero-plugin-for-vsphere:v1.5.1_vmware.1
docker load -i data-manager-for-plugin-v1.5.1_vmware.1.tar.gz
docker tag vmware.io/data-manager-for-plugin:v1.5.1_vmware.1 harbor.example.com/vmware-tanzu/data-manager-for-plugin:v1.5.1_vmware.1
docker push harbor.example.com/vmware-tanzu/backup-driver:v1.5.1_vmware.1
docker push harbor.example.com/vmware-tanzu/velero-plugin-for-vsphere:v1.5.1_vmware.1
docker push harbor.example.com/vmware-tanzu/data-manager-for-plugin:v1.5.1_vmware.1
Install Velero:
velero install --image harbor.example.com/vmware-tanzu/velero:v1.11.1_vmware.1 \
--plugins harbor.example.com/vmware-tanzu/velero-plugin-for-aws:v1.7.1_vmware.1 \
--provider aws --bucket tkgi-velero --secret-file ./credentials-minio \
--backup-location-config region=minio,s3ForcePathStyle="true",s3Url=http://IP-ADDRESS:PORT,publicUrl=http://IP-ADDRESS:PORT --snapshot-location-config region=minio
Where:
IP-ADDRESS is the IP address that is used to connect to the MinIO server.
PORT is the number of the port that is used to connect to the MinIO server.
For example:
$ velero install --image harbor.example.com/vmware-tanzu/velero:v1.11.1_vmware.1 --plugins harbor.example.com/vmware-tanzu/velero-plugin-for-aws:v1.7.1_vmware.1 --provider aws --bucket tkgi-velero --secret-file ./credentials-minio --backup-location-config region=minio,s3ForcePathStyle="true",s3Url=http://20.20.224.27:9000,publicUrl=http://20.20.224.27:9000 --snapshot-location-config region=minio
Velero is installed! Use 'kubectl logs deployment/velero -n velero' to view the status.
For more information about installing Velero, see On-Premises Environments in the Velero documentation.
Complete the steps in Create the Velero vSphere Plugin Configuration File above. You must create the Velero vSphere plugin configuration file before installing the Velero plugin for vSphere.
Install the Velero plugin for vSphere:
velero plugin add harbor.example.com/vmware-tanzu/velero-plugin-for-vsphere:v1.5.1_vmware.1