To back up and restore workloads running on TKG clusters on Supervisor, create a data store and install Velero with Restic on the Kubernetes cluster.


TKG 2.2 clusters run on virtual machine nodes. To back up and restore TKG cluster workloads, you install Velero and Restic on the cluster.


Ensure that your environment meets the following prerequisites for installing Velero and Restic to back up and restore workloads running on Tanzu Kubernetes clusters.
  • A Linux VM with sufficient storage to store several workload backups. You will install MinIO on this VM.
  • A Linux VM where the Kubernetes CLI Tools for vSphere are installed, including the vSphere Plugin for kubectl and kubectl. You will install the Velero CLI on this client VM. If you do not have such a VM, you can install the Velero CLI locally, but you must adjust the installation steps accordingly.
  • The Kubernetes environment has internet access and can be reached by the client VM.

Install and Configure MinIO Object Store

Velero requires an S3-compatible object store as the destination for Kubernetes workload backups. Velero supports several such object store providers. For simplicity, these instructions use MinIO, an S3-compatible storage service that runs locally on the object store VM.
  1. Install MinIO.
  2. Grant execute permissions to MinIO.
    chmod +x minio
  3. Create a directory on the file system for MinIO.
    mkdir /DATA-MINIO
  4. Start the MinIO server.
    ./minio server /DATA-MINIO
  5. After the MinIO server starts, you are provided with important data store instance details, including the Endpoint URL, AccessKey, and SecretKey. Record the Endpoint URL, AccessKey, and SecretKey in the table.
    Data Store Metadata | Value
    Endpoint URL        |
  6. Browse to the MinIO data store by opening a browser to the MinIO server endpoint URL.
  7. Log in to the MinIO server and provide the AccessKey and SecretKey.
  8. To enable MinIO as a service, configure MinIO for automatic start-up by downloading the minio.service script.
    curl -O
  9. Edit the minio.service script and add the following value for ExecStart.
    ExecStart=/usr/local/bin/minio server /DATA-MINIO path
  10. Save the revised script.
  11. Configure the MinIO service by running the following commands.
    cp minio.service /etc/systemd/system 
    cp minio /usr/local/bin/ 
    systemctl daemon-reload 
    systemctl start minio 
    systemctl status minio 
    systemctl enable minio
  12. Create a MinIO bucket for backup and restore by launching the MinIO browser and logging in to your object store.
  13. Click the Create Bucket icon.
  14. Enter the bucket name, for example: my-cluster-backups.
  15. Verify that the bucket was created.
  16. By default, a new MinIO bucket is read-only. For Velero standalone backup and restore, the MinIO bucket must be read-write. To set the bucket to read-write, select the bucket and click on the ellipses (dots) link.
  17. Select Edit Policy.
  18. Change the policy to Read and Write.
  19. Click Add.
  20. To close the dialog box, click X.

Install the Velero CLI

Install the Velero CLI on the VM client or on your local machine.

The version used for this documentation is Velero 1.9.7 for Tanzu Kubernetes Grid 2.2.0.
  1. Download Velero from the Tanzu Kubernetes Grid product download page at the VMware Customer Connect portal.
    Note: You must use the Velero binary signed by VMware to be eligible for support from VMware.
  2. Open a command line and change directory to the Velero CLI download.
  3. Unzip the download file. For example:
    gunzip velero-linux-vX.X.X_vmware.1.gz
  4. Check for the Velero binary.
    ls -l
  5. Grant execute permissions to the Velero CLI.
    chmod +x velero-linux-vX.X.X_vmware.1 
  6. Make the Velero CLI globally available by moving it to the system path:
    cp velero-linux-vX.X.X_vmware.1 /usr/local/bin/velero 
  7. Verify the installation.
    velero version

Install Velero and Restic on the Tanzu Kubernetes Cluster

The Velero CLI context will automatically follow the kubectl context. Before running Velero CLI commands to install Velero and Restic on the target cluster, set the kubectl context.
  1. Retrieve the name of the MinIO bucket. For example, my-cluster-backups.
  2. Get the AccessKey and SecretKey for the MinIO bucket.
  3. Set the context for the target Kubernetes cluster so that the Velero CLI knows which cluster to work on.
    kubectl config use-context tkgs-cluster-name
  4. Create a secrets file named credentials-minio. Update the file with the MinIO server access credentials that you collected. For example:
    aws_access_key_id = 0XXNO8JCCGV41QZBV0RQ
    aws_secret_access_key = clZ1bf8Ljkvkmq7fHucrKCkxV39BRbcycGeXQDfx
    Note: If you receive an error message "Error getting a backup store" with the description "NoCredentialProviders: no valid providers in chain," prepend the line [default] to the beginning of the credentials file. For example:
    [default]
    aws_access_key_id = 0XXNO8JCCGV41QZBV0RQ
    aws_secret_access_key = clZ1bf8Ljkvkmq7fHucrKCkxV39BRbcycGeXQDfx
  5. Save the file and verify that the file is in place.
  6. Run the following command to install Velero and Restic on the target Kubernetes cluster. Replace both URLs with the URL of your MinIO instance.
    velero install \
    --provider aws \
    --plugins velero/velero-plugin-for-aws:v1.0.0 \
    --bucket tkgs-velero \
    --secret-file ./credentials-minio \
    --use-volume-snapshots=false \
    --use-restic \
    --backup-location-config \
  7. Verify the installation of Velero and Restic.
    kubectl logs deployment/velero -n velero
  8. Verify the velero namespace.
    kubectl get ns
  9. Verify the velero and restic pods.
    kubectl get all -n velero
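
Steps 4 to 6 above as a script, added here as an example (not VMware's or the Velero project's code): it writes credentials-minio with the [default] header and owner-only permissions, checks the file, and prints the velero install command for review. The function names, the EXAMPLE keys and minio.example.internal are hypothetical; the --backup-location-config keys (region, s3ForcePathStyle, s3Url, publicUrl) are those of the Velero AWS plugin and are assumed here because the value is cut off on this page.

```shell
#!/bin/sh
# Added example. Keys and endpoint in the demo at the bottom are constructed.

# Write the credentials file with the [default] profile header, owner-only.
write_credentials() (
  file=$1; access_key=$2; secret_key=$3
  umask 077                      # a new file is created with mode 0600
  printf '[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n' \
    "$access_key" "$secret_key" > "$file"
  chmod 600 "$file"              # tighten the mode if the file already existed
)

# Refuse a credentials file that is missing, lacks [default], or is not private.
check_credentials() (
  file=$1
  [ -f "$file" ] || { echo "missing $file" >&2; exit 1; }
  [ "$(head -n 1 "$file")" = "[default]" ] || { echo "no [default] header" >&2; exit 1; }
  mode=$(stat -c %a "$file" 2>/dev/null || stat -f %Lp "$file")
  [ "$mode" = "600" ] || { echo "$file has mode $mode, expected 600" >&2; exit 1; }
)

# Build the --backup-location-config value; both URLs are the MinIO endpoint.
# Key names are the Velero AWS plugin's (assumed; elided on the page).
backup_location_config() (
  url=$1
  case $url in
    http://*|https://*) ;;
    *) echo "endpoint must start with http:// or https://" >&2; exit 1 ;;
  esac
  printf 'region=minio,s3ForcePathStyle="true",s3Url=%s,publicUrl=%s' "$url" "$url"
)

# Print the install command for review rather than executing it.
velero_install_command() (
  bucket=$1; cred_file=$2; url=$3
  check_credentials "$cred_file" || exit 1
  cfg=$(backup_location_config "$url") || exit 1
  printf 'velero install --provider aws --plugins %s --bucket %s' \
    "velero/velero-plugin-for-aws:v1.0.0" "$bucket"
  printf ' --secret-file %s --use-volume-snapshots=false --use-restic' "$cred_file"
  printf ' --backup-location-config %s\n' "$cfg"
)

# Demo with constructed values; nothing is sent to a cluster.
demo_dir=$(mktemp -d)
write_credentials "$demo_dir/credentials-minio" "EXAMPLEACCESSKEY" "EXAMPLESECRETKEY"
velero_install_command my-cluster-backups "$demo_dir/credentials-minio" \
  "http://minio.example.internal:9000"
rm -rf "$demo_dir"
```
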

Troubleshoot Restic DaemonSet (If Necessary)

To run the three-pod Restic DaemonSet on a Kubernetes cluster, you may have to update the Restic DaemonSet spec and modify the hostPath. For more information about this issue, see Restic Integration in the Velero documentation.
  1. Verify the three-pod Restic DaemonSet.
    kubectl get pod -n velero

    If the pods are in a CrashLoopBackOff status, edit them as follows.

  2. Run the edit command.
    kubectl edit daemonset restic -n velero
  3. Change hostPath from /var/lib/kubelet/pods to /var/vcap/data/kubelet/pods.
    - hostPath:
        path: /var/vcap/data/kubelet/pods
  4. Save the file.
  5. Verify the three-pod Restic DaemonSet.
    kubectl get pod -n velero
    NAME                      READY   STATUS    RESTARTS   AGE
    restic-5jln8              1/1     Running   0          73s
    restic-bpvtq              1/1     Running   0          73s
    restic-vg8j7              1/1     Running   0          73s
    velero-72c84322d9-le7bd   1/1     Running   0          10m

Adjust Velero Memory Limits (If Necessary)

If your Velero backup returns status=InProgress for many hours, increase the limits and requests memory settings.
  1. Run the following command.
    kubectl edit deployment/velero -n velero
  2. Change the limits and requests memory settings from the default of 256Mi and 128Mi to 512Mi and 256Mi.
    ports:
    - containerPort: 8085
      name: metrics
      protocol: TCP
    resources:
      limits:
        cpu: "1"
        memory: 512Mi
      requests:
        cpu: 500m
        memory: 256Mi
    terminationMessagePath: /dev/termination-log
    terminationMessagePolicy: File