# Overview

Velero (formerly Heptio Ark) provides tools to back up and restore Kubernetes cluster resources and persistent volumes. Velero can be used with a cloud provider or on-premises. Velero allows you to:

- Take backups of your cluster and restore in case of loss.
- Migrate cluster resources to other clusters.
- Replicate your production cluster to development and testing clusters.

Velero consists of:

- A server that runs on your cluster.
- A command-line client that runs locally.

# How it works

Each Velero operation – on-demand backup, scheduled backup, restore – is a custom resource, defined with a Kubernetes Custom Resource Definition (CRD) and stored in etcd. Velero also includes controllers that process these custom resources to perform backups, restores, and other related operations.

You can back up or restore all objects in your cluster, or filter objects by type, namespace, and/or label.

# Using Velero for backup and restore

In this section, we will go through the process and steps needed to install and configure the Velero client tool and server in your AKS cluster.

## Installation

### Client

The installation of the Velero client tool depends on the operating system you are using. For macOS, Velero can be installed through Homebrew:

```bash
brew install velero
```

You can also download the release files from GitHub: https://github.com/vmware-tanzu/velero/releases/latest and use the extracted binary file.

### Storage account (Azure)

To work with Azure, you need to create a storage account for storing Velero’s backups, as well as a dedicated service principal (Azure AD app registration) for Velero to access the storage account.

First, create the storage account with the following commands:

```bash
AZURE_BACKUP_RESOURCE_GROUP=<resource_group_name>
# Storage account names must be globally unique, so append a random lowercase suffix.
AZURE_STORAGE_ACCOUNT_ID="velero$(uuidgen | cut -d '-' -f5 | tr '[A-Z]' '[a-z]')"
az storage account create \
  --name "$AZURE_STORAGE_ACCOUNT_ID" \
  --resource-group "$AZURE_BACKUP_RESOURCE_GROUP" \
  --sku Standard_GRS \
  --encryption-services blob \
  --https-only true \
  --kind BlobStorage \
  --access-tier Hot
```

Next, create the blob container for storing backup files:

```bash
BLOB_CONTAINER=velero
az storage container create -n "$BLOB_CONTAINER" --public-access off --account-name "$AZURE_STORAGE_ACCOUNT_ID"
```

Now, for later snapshots of persistent volumes, set the resource group containing the disks used by Kubernetes:

```bash
AZURE_RESOURCE_GROUP=<NAME_OF_RESOURCE_GROUP>
```

### Service principal for accessing the storage account

Next, create a service principal for Velero to access the Azure Storage Account:

```bash
# Subscription of the currently selected az account; used in --scopes below
# and written to the credentials file.
AZURE_SUBSCRIPTION_ID=$(az account list --query '[?isDefault].id' -o tsv)
AZURE_TENANT_ID=$(az account list --query '[?isDefault].tenantId' -o tsv)
# Creates the service principal and captures its generated password.
AZURE_CLIENT_SECRET=$(az ad sp create-for-rbac --name "velero" --role "Contributor" --query 'password' -o tsv --scopes "/subscriptions/$AZURE_SUBSCRIPTION_ID")
AZURE_CLIENT_ID=$(az ad sp list --display-name "velero" --query '[0].appId' -o tsv)
```

This command assigns the built-in Contributor role at the scope of the whole subscription, so the generated secret is a subscription-wide credential and should be handled as one.

Now, store all credentials in a `credentials-velero` file. The file holds the client secret in plain text:

```bash
cat << EOF > ./credentials-velero
AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}
AZURE_TENANT_ID=${AZURE_TENANT_ID}
AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
AZURE_RESOURCE_GROUP=${AZURE_RESOURCE_GROUP}
EOF
```

### Install the server components

From the Velero client tool, install the Velero server components:

```bash
# AZURE_BACKUP_SUBSCRIPTION_ID is not set earlier on this page; this assumes the
# backup storage account lives in the same subscription as the cluster.
AZURE_BACKUP_SUBSCRIPTION_ID=${AZURE_BACKUP_SUBSCRIPTION_ID:-$AZURE_SUBSCRIPTION_ID}

velero install \
  --provider azure \
  --plugins velero/velero-plugin-for-microsoft-azure:v1.8.0 \
  --bucket "$BLOB_CONTAINER" \
  --secret-file ./credentials-velero \
  --backup-location-config useAAD="true",resourceGroup=$AZURE_BACKUP_RESOURCE_GROUP,storageAccount=$AZURE_STORAGE_ACCOUNT_ID,subscriptionId=$AZURE_BACKUP_SUBSCRIPTION_ID \
  --snapshot-location-config apiTimeout=60m,resourceGroup=$AZURE_BACKUP_RESOURCE_GROUP,subscriptionId=$AZURE_BACKUP_SUBSCRIPTION_ID
```

You can also install it through a Helm chart, but that is more complicated. For more information, visit: https://github.com/vmware-tanzu/helm-charts/blob/main/charts/velero/README.md

## Usage

### Schedule backup

To periodically back up your cluster’s resources, use the following command:

```bash
velero schedule create <SCHEDULE_NAME> --schedule "0 7 * * *"
```

This uses cron syntax to specify the scheduled backup time.

### Restore

To restore the cluster’s resources from an existing backup, use this command:

```bash
velero restore create --from-backup <SCHEDULE_NAME>-<TIMESTAMP>
```

### Filtering namespaces and resources

To filter namespaces for backup, use the `--include-namespaces` flag:

```bash
velero backup create <backup-name> --include-namespaces <namespace>
```

To filter resources, use the `--include-resources` flag:

```bash
velero backup create <backup-name> --include-resources deployments --include-namespaces <namespace>
```

For more filtering options, see Velero’s official documentation: https://velero.io/docs/v1.12/resource-filtering/

## Conclusion

Velero empowers Kubernetes users with a straightforward and reliable solution for backup and restoration, ensuring the safety and recoverability of critical cluster data and configurations. By following the guidelines in this documentation, you can harness the full potential of Velero to strengthen your Kubernetes environment.
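
For the `credentials-velero` step in "Service principal for accessing the storage account" above, the following added example (not part of the original page or the Velero project) writes the file with owner-only permissions and refuses to write it when any of the five variables is empty, then audits an existing file. The function names `write_velero_credentials` and `check_velero_credentials` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the Velero project): safer handling of ./credentials-velero.
# Function names are hypothetical; the five keys are the ones this page writes.
REQUIRED_KEYS="AZURE_SUBSCRIPTION_ID AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_RESOURCE_GROUP"

# write_velero_credentials FILE
# Writes KEY=VALUE lines from the current shell variables. Fails without touching
# FILE if any variable is unset or empty. The secret is never on disk with a mode
# wider than 0600: mktemp creates the temp file as 0600 and mv keeps that mode.
write_velero_credentials() {
  local file="$1" key val tmp
  for key in $REQUIRED_KEYS; do
    eval "val=\${$key:-}"   # key comes from the fixed list above, never from input
    if [ -z "$val" ]; then
      echo "refusing to write $file: $key is unset or empty" >&2
      return 1
    fi
  done
  tmp=$(mktemp "${file}.XXXXXX") || return 1
  for key in $REQUIRED_KEYS; do
    eval "val=\${$key}"
    printf '%s=%s\n' "$key" "$val"
  done > "$tmp" && mv -f "$tmp" "$file" || { rm -f "$tmp"; return 1; }
}

# check_velero_credentials FILE
# Audits an existing file: non-zero if group/others have any permission bit,
# or if a required key is missing or has an empty value.
check_velero_credentials() {
  local file="$1" key mode
  # GNU stat first, BSD/macOS stat as fallback.
  mode=$(stat -c '%a' "$file" 2>/dev/null || stat -f '%Lp' "$file" 2>/dev/null) || return 1
  case "$mode" in
    *00) ;;
    *) echo "$file: mode $mode grants access to group or others" >&2; return 1 ;;
  esac
  for key in $REQUIRED_KEYS; do
    if ! grep -q "^${key}=." "$file"; then
      echo "$file: $key is missing or empty" >&2
      return 1
    fi
  done
}
```

Call `write_velero_credentials ./credentials-velero` in place of the heredoc, and run `check_velero_credentials ./credentials-velero` before `velero install`.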