velero-operator

Velero Operator Charm

Channel          Revision  Published    Runs on
latest/edge      421       25 Sep 2025  Ubuntu 24.04
1.15/stable      421       16 Oct 2025  Ubuntu 24.04
1.15/candidate   421       16 Oct 2025  Ubuntu 24.04
1.15/edge        421       16 Oct 2025  Ubuntu 24.04
juju deploy velero-operator --channel 1.15/candidate

Integrate with an Azure Kubernetes cluster

This guide describes how to back up and restore with Charmed Velero on an Azure Kubernetes (AKS) cluster. Charmed Velero uses the credentials provided by the azure-storage-integrator and azure-auth-integrator charms, together with Azure snapshots of the managed disks, to perform backups.

Requirements

  • An AKS Juju controller.
  • Azure CLI configured.

Create the storage account and Blob container

Charmed Velero needs a storage account and a Blob container to store the backups. Follow these steps to create them.

  1. Set up the environment variables and choose the region for backups:
AZURE_BACKUP_RESOURCE_GROUP=Velero_Backups
AZURE_REGION=westus
AZURE_STORAGE_ACCOUNT_ID="velero$(uuidgen | cut -d '-' -f5 | tr 'A-Z' 'a-z')"
BLOB_CONTAINER=velero
  2. Create the storage account using the variables set above:
az group create -n $AZURE_BACKUP_RESOURCE_GROUP --location $AZURE_REGION

az storage account create \
  --name $AZURE_STORAGE_ACCOUNT_ID \
  --resource-group $AZURE_BACKUP_RESOURCE_GROUP \
  --sku Standard_GRS \
  --encryption-services blob \
  --https-only true \
  --min-tls-version TLS1_2 \
  --kind BlobStorage \
  --access-tier Hot
  3. Now create a Blob container and get the access key for azure-storage-integrator:
az storage container create \
  -n $BLOB_CONTAINER \
  --public-access off \
  --account-name $AZURE_STORAGE_ACCOUNT_ID

AZURE_STORAGE_ACCOUNT_ACCESS_KEY=$(
  az storage account keys list \
    --account-name $AZURE_STORAGE_ACCOUNT_ID \
    --query "[0].value" -o tsv
)

Create a Service Principal for snapshots

Charmed Velero needs Service Principal credentials (secret-based) to make snapshots of the Persistent Volume claims. To create them, follow these steps.

  1. Set up the environment variables:
AZURE_SUBSCRIPTION_ID=$(az account list --query '[?isDefault].id' -o tsv)
AZURE_TENANT_ID=$(az account list --query '[?isDefault].tenantId' -o tsv)
AZURE_ROLE=Velero
  2. Create a role with related permissions to allow Charmed Velero to make backups, restores and deletions:
az role definition create --role-definition '{
   "Name": "'$AZURE_ROLE'",
   "Description": "Velero related permissions to perform backups, restores and deletions",
   "Actions": [
       "Microsoft.Compute/disks/read",
       "Microsoft.Compute/disks/write",
       "Microsoft.Compute/disks/endGetAccess/action",
       "Microsoft.Compute/disks/beginGetAccess/action",
       "Microsoft.Compute/snapshots/read",
       "Microsoft.Compute/snapshots/write",
       "Microsoft.Compute/snapshots/delete",
       "Microsoft.Storage/storageAccounts/listkeys/action",
       "Microsoft.Storage/storageAccounts/regeneratekey/action",
       "Microsoft.Storage/storageAccounts/read",
       "Microsoft.Storage/storageAccounts/blobServices/containers/delete",
       "Microsoft.Storage/storageAccounts/blobServices/containers/read",
       "Microsoft.Storage/storageAccounts/blobServices/containers/write",
       "Microsoft.Storage/storageAccounts/blobServices/generateUserDelegationKey/action"
   ],
   "DataActions" :[
     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete",
     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/read",
     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/write",
     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/move/action",
     "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/add/action"
   ],
   "AssignableScopes": ["/subscriptions/'$AZURE_SUBSCRIPTION_ID'"]
   }'
  3. Retrieve the Service Principal client secret and client ID for the azure-auth-integrator:
AZURE_CLIENT_SECRET=$(
  az ad sp create-for-rbac \
    --name "velero" \
    --role "$AZURE_ROLE" \
    --scopes "/subscriptions/$AZURE_SUBSCRIPTION_ID" \
    --query 'password' -o tsv
)
AZURE_CLIENT_ID=$(
  az ad sp list --display-name "velero" --query '[0].appId' -o tsv
)

Ensure the value for --name does not conflict with other service principals/app registrations.
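
The role defined above includes the listkeys and regeneratekey actions, and both its AssignableScopes and the --scopes value used for the Service Principal are the whole subscription. The following added example (not part of the charm documentation) audits a role-definition JSON for those conditions before it is passed to az role definition create; audit_role, sample_role and the placeholder subscription ID are constructed for illustration.

```shell
#!/bin/sh
# Added example, not part of the charm documentation.
# audit_role and sample_role are hypothetical helper names.

# Constructed sample: the role JSON from the step above, shortened, with the
# shell variables already expanded to placeholder values.
sample_role() {
  cat <<'EOF'
{
  "Name": "Velero",
  "Actions": [
    "Microsoft.Compute/snapshots/write",
    "Microsoft.Storage/storageAccounts/listkeys/action",
    "Microsoft.Storage/storageAccounts/regeneratekey/action",
    "Microsoft.Storage/storageAccounts/read"
  ],
  "DataActions": [
    "Microsoft.Storage/storageAccounts/blobServices/containers/blobs/delete"
  ],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}
EOF
}

# audit_role: read role-definition JSON on stdin, print one finding per line.
# Splitting on double quotes puts every JSON string on its own line, which is
# enough for the flat string arrays a role definition contains.
audit_role() {
  tr '"' '\n' | awk '
    $0 == "*" { print "WILDCARD *" }
    $0 ~ "^Microsoft[.]" {
      if (index($0, "*")) print "WILDCARD " $0
      # Actions that read or rotate storage account keys.
      if (tolower($0) ~ "/(listkeys|regeneratekey)/action$") {
        print "KEY-ACCESS " $0; keys = 1
      }
    }
    # A scope with nothing after the subscription ID covers every resource in it.
    $0 ~ "^/subscriptions/[^/]+/?$" { print "SUBSCRIPTION-SCOPE " $0; wide = 1 }
    END {
      if (keys && wide)
        print "REVIEW account-key actions are assignable subscription-wide"
    }'
}

sample_role | audit_role
```

A REVIEW line means a principal holding this role at that scope can list or regenerate the keys of every storage account in the subscription, not only the backup account.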

Deploy and configure the integrator charms

azure-storage-integrator

To configure the azure-storage-integrator, you need the storage account and access key retrieved in the previous section. The integrator provides the credentials for Charmed Velero to access the Blob storage. In the commands below, replace <JUJU_SECRET_URI> with the secret URI printed by juju add-secret.

juju deploy azure-storage-integrator

juju add-secret velero-azure-storage secret-key="$AZURE_STORAGE_ACCOUNT_ACCESS_KEY"
juju grant-secret velero-azure-storage azure-storage-integrator

juju config azure-storage-integrator \
  storage-account="$AZURE_STORAGE_ACCOUNT_ID" \
  container="$BLOB_CONTAINER" \
  resource-group="$AZURE_BACKUP_RESOURCE_GROUP" \
  path="/path/inside/bucket" \
  connection-protocol="https" \
  credentials=<JUJU_SECRET_URI>

azure-auth-integrator

To configure the azure-auth-integrator, use the Service Principal credentials retrieved above. These credentials give access to the underlying storage and snapshotting capabilities. Here <JUJU_SECRET_URI> is the URI printed by juju add-secret for the velero-azure-auth secret.

juju deploy azure-auth-integrator --channel 1/edge

juju add-secret velero-azure-auth \
  client-id="$AZURE_CLIENT_ID" \
  client-secret="$AZURE_CLIENT_SECRET"
juju grant-secret velero-azure-auth azure-auth-integrator

juju config azure-auth-integrator \
  subscription-id="$AZURE_SUBSCRIPTION_ID" \
  tenant-id="$AZURE_TENANT_ID" \
  credentials=<JUJU_SECRET_URI>

Deploy Velero and relate to the integrators

Deploy Charmed Velero and integrate it with azure-storage-integrator and azure-auth-integrator as follows:

juju deploy velero-operator --trust

juju integrate azure-storage-integrator velero-operator
juju integrate azure-auth-integrator velero-operator

The relations supply the container, object storage, resource group, storage account, and Service Principal credentials to Velero. Charmed Velero then configures the Azure plugin accordingly. Once all charms are in the ready state, the cluster is ready for backup and restore.

If only azure-storage-integrator is related (without azure-auth-integrator), Velero will still back up/restore Kubernetes resources to Blob Storage, but volume snapshotting will be unavailable.

For more information, see the azure-storage-integrator charm, the azure-auth-integrator charm, and the Velero plugin for Azure.