
Integrate with an AWS Kubernetes cluster

This guide describes how to back up and restore with Charmed Velero on an AWS cluster. Charmed Velero leverages the credentials provided by the s3-integrator and EBS snapshots for backing up.

Requirements

  • An AWS Juju controller.
  • AWS CLI configured.
  • AWS S3 bucket unique to the cluster.

Set permissions with an IAM user

To set permissions, create a dedicated IAM user and attach the minimum S3/EBS policy by following these steps:

  1. Create the user:
aws iam create-user --user-name velero
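  2. Attach policies:
# BUCKET must already be set to the name of your S3 bucket. The heredoc
# delimiter is left unquoted so that ${BUCKET} is expanded into the policy.
cat > velero-policy.json <<EOF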
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "ec2:DescribeVolumes",
        "ec2:DescribeSnapshots",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    },
    {
      "Effect": "Allow",
      "Action": [
        "s3:GetObject",
        "s3:DeleteObject",
        "s3:PutObject",
        "s3:PutObjectTagging",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts"
      ],
      "Resource": ["arn:aws:s3:::${BUCKET}/*"]
    },
    {
      "Effect": "Allow",
      "Action": ["s3:ListBucket"],
      "Resource": ["arn:aws:s3:::${BUCKET}"]
    }
  ]
}
EOF

aws iam put-user-policy \
  --user-name velero \
  --policy-name velero \
  --policy-document file://velero-policy.json
  3. Create access keys and capture the outputs:
aws iam create-access-key --user-name velero

The result should look like:

{
  "AccessKey": {
        "UserName": "velero",
        "Status": "Active",
        "CreateDate": "2017-07-31T22:24:41.576Z",
        "SecretAccessKey": <AWS_SECRET_ACCESS_KEY>,
        "AccessKeyId": <AWS_ACCESS_KEY_ID>
  }
}

Save AccessKeyId and SecretAccessKey for the next steps.
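
The S3 statements in step 2 are only least-privilege if `${BUCKET}` was expanded to the intended bucket name when velero-policy.json was written. The following check is an added example, not part of the Charmed Velero documentation; it can be run on the file before `aws iam put-user-policy`. The function name `check_velero_policy`, its return codes and the sample bucket name are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not part of the Charmed Velero documentation.
# check_velero_policy FILE BUCKET
# Returns 0 when every S3 ARN in FILE is scoped to BUCKET; otherwise prints a
# reason on stderr and returns a distinct non-zero code.
check_velero_policy() {
  cvp_file=$1
  cvp_bucket=$2
  # Reject an unset name and characters outside the S3 bucket alphabet; this
  # also stops a wildcard such as "*" from widening the ARN.
  case $cvp_bucket in
    ''|*[!a-z0-9.-]*) echo "invalid bucket name: '$cvp_bucket'" >&2; return 2 ;;
  esac
  [ -s "$cvp_file" ] || { echo "missing or empty: $cvp_file" >&2; return 2; }
  # A quoted heredoc delimiter (<<'EOF') leaves ${BUCKET} as literal text.
  if grep -Fq '${' "$cvp_file"; then
    echo "unexpanded shell variable in $cvp_file" >&2; return 3
  fi
  cvp_arns=$(grep -o 'arn:aws:s3:::[^"]*' "$cvp_file" || true)
  [ -n "$cvp_arns" ] || { echo "no S3 ARN in $cvp_file" >&2; return 4; }
  # Each ARN must be the bucket itself or the objects under it.
  while IFS= read -r cvp_arn; do
    case $cvp_arn in
      "arn:aws:s3:::$cvp_bucket"|"arn:aws:s3:::$cvp_bucket/*") ;;
      *) echo "ARN outside $cvp_bucket: $cvp_arn" >&2; return 5 ;;
    esac
  done <<EOF
$cvp_arns
EOF
  return 0
}

# Demo on constructed input: the same Resource lines rendered with an
# unquoted and with a quoted heredoc delimiter.
demo_dir=$(mktemp -d)
BUCKET=example-velero-backups   # constructed bucket name
cat > "$demo_dir/expanded.json" <<EOF
"Resource": ["arn:aws:s3:::${BUCKET}/*"]
"Resource": ["arn:aws:s3:::${BUCKET}"]
EOF
cat > "$demo_dir/literal.json" <<'EOF'
"Resource": ["arn:aws:s3:::${BUCKET}/*"]
EOF
check_velero_policy "$demo_dir/expanded.json" "$BUCKET" && echo "expanded.json: ok"
check_velero_policy "$demo_dir/literal.json" "$BUCKET" || echo "literal.json: rejected ($?)"
```

In the procedure above it would be called as `check_velero_policy velero-policy.json "$BUCKET"` between writing the file and attaching the policy.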

Deploy and configure the S3-Integrator charm

Use the credentials retrieved above to configure s3-integrator. This allows Charmed Velero to access the object and underlying storage and leverage its snapshotting capabilities.

juju deploy s3-integrator

juju config s3-integrator \
  bucket="$BUCKET" \
  path="/path/inside/bucket" \
  region="$REGION"

juju run s3-integrator/leader sync-s3-credentials \
  access-key=<AWS_ACCESS_KEY_ID> \
  secret-key=<AWS_SECRET_ACCESS_KEY>

Bucket, region and credentials are mandatory.

Deploy Velero and relate to the S3-Integrator

Deploy Charmed Velero and integrate it with s3-integrator as follows:

juju deploy velero-operator --trust
juju integrate s3-integrator velero-operator

The relation supplies the S3 endpoint (if provided), bucket, region, and credentials to Velero. Charmed Velero configures the AWS plugin accordingly. Once both charms are in a ready state, the cluster is ready for backup and restore.

See s3-integrator charm and Velero plugin for AWS for more details.