Backup and restore on AWS
Velero is an open-source Kubernetes backup, restore, and disaster recovery tool that captures cluster resources (manifests such as Deployments, Services, ConfigMaps, and Secrets) and, when configured, persistent volume data using CSI/EBS volume snapshots and file-level backups.
In the Virtana Platform, you can deploy Velero in the cluster through the provided Helm-based setup and configure it to store backups in an AWS S3 bucket. You can then use the Velero CLI to create namespace backups and perform restores, so you can recover an application or migrate it to another cluster or environment.
Prerequisites
Before you begin, make sure you have the following prerequisites to confirm readiness and gather required credentials:
AWS IAM user with permissions for S3 (bucket read/write/list) and EBS snapshots (create/delete/describe). Have the Access Key ID and Secret Access Key ready.
Kubernetes cluster access with permissions to create namespaces and install Helm charts.
Install the Velero server through Helm charts.
Network access from the cluster to AWS S3 and EC2 APIs for your selected region.
Use a dedicated IAM user or role with least-privilege policies scoped to the S3 bucket and snapshot actions needed by Velero.
Velero server installation
To install the Velero server, create a velero-values.yaml file that configures the backup storage location (S3 bucket and region), the snapshot location (EBS snapshot region), the required feature flags (for example, CSI snapshots), and the AWS credentials and plugin settings. Then deploy Velero with the official Helm chart into the velero namespace. Copy the YAML configuration into a file, update the values as described, and then run the Helm install commands.
Create velero-values file
Create a new file named velero-values.yaml with the following contents, and then customize it for your environment.
configuration:
backupStorageLocation:
- bucket: velero-example-bucket
config:
region: us-east-2
name: default
provider: aws
volumeSnapshotLocation:
- config:
region: us-east-2
name: default
provider: aws
features: EnableCSI
credentials:
extraEnvVars: {}
secretContents:
cloud: |
[default]
aws_access_key_id=XXXXXXXXXXX
aws_secret_access_key=XXXXXXX
initContainers:
- image: velero/velero-plugin-for-aws:v1.10.0
imagePullPolicy: IfNotPresent
name: velero-plugin-for-aws
volumeMounts:
- mountPath: /target
name: plugins
deployNodeAgent: trueThe following table defines where Velero stores backup and volume data.
Field | Description | Default value |
|---|---|---|
| Defines where object-store backups are stored. | |
| The name of the S3 bucket used to store backups. Must be changed to your actual bucket name. |
|
| The AWS region where the S3 bucket is located. |
|
| A logical name for this backup storage location. |
|
| The cloud provider plugin to use for storage. |
|
| Defines where and how volume snapshots are taken. | |
| Enables the Container Storage Interface (CSI) snapshot support in Velero. |
|
The following table defines the AWS credentials Velero uses to access S3 and EC2 APIs.
Field | Description |
|---|---|
| A map for injecting additional environment variables into the Velero pod. |
| The inline content of the AWS credentials file in INI format. It contains |
The following table defines the init containers that run before the main Velero container starts, typically used to install provider plugins.
Field | Description | Default value |
|---|---|---|
| The Docker image for the AWS plugin. This plugin enables Velero to interact with AWS services |
|
| Controls when the image is pulled. |
|
| The name of the init container. |
|
| The path inside the init container where the plugins volume is mounted. |
|
| The name of the shared volume. |
|
| Deploys the Velero Node Agent as a DaemonSet on every node. This enables file-system-level backups for volumes that don't support native snapshots. |
|
Deploy Velero server with Helm
Deploys the Velero server-side components into your Kubernetes cluster using the official Velero Helm chart and your customized velero-values.yaml. This step is done to apply the AWS S3/EBS configuration and to create the required resources in the velero namespace.
Run the following commands in a terminal with cluster access:
helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts helm upgrade --install velero vmware-tanzu/velero --namespace velero --create-namespace -f velero-values.yaml
To verify the resources, run the following command:
kubectl -n velero get pods,deploy,ds,cm,secret
The Velero Deployment and the Node Agent DaemonSet should be running, and the logs should show successful initialization of the AWS plugin and storage locations.
Velero Client (CLI) Installation
In this step, you install the Velero command-line tool on your workstation so you can initiate and manage backup or restore operations against the Velero server running in the cluster.
This is done by downloading the appropriate Velero release tarball for your OS, extracting it, and placing the Velero binary into a directory on your PATH, typically /usr/local/bin for Ubuntu or Debian, then validating the installation with velero help. See Install the CLI for detailed instructions for other OS types.
curl -L -o /tmp/velero.tar.gz https://github.com/vmware-tanzu/velero/releases/download/v1.14.0/velero-v1.14.0-linux-amd64.tar.gz tar -C /tmp -xvf /tmp/velero.tar.gz mv /tmp/velero-v1.14.0-linux-amd64/velero /usr/local/bin/velero chmod +x /usr/local/bin/velero velero --help
Backup and restore operations
In this section, you can interact by running Velero backup create to capture Kubernetes resources for a target namespace into the configured AWS S3 bucket, and Velero restore create to rehydrate those resources back into the cluster from a selected backup. It also includes the basic commands to check backup or restore status and review logs so you can confirm the operation completed successfully.
Create a backup
Create a backup named nginx-example-bkp for a single namespace. Upon successful completion, backups will be available in the S3 bucket of AWS.
Run the following command to take a backup with Velero:
velero backup create nginx-example-bkp --include-namespaces nginx-example
Restore from a Backup
Restores cluster state from a previously created backup. Confirm target cluster or namespace policies and quotas before restoring.
Run the following command to restore the backup taken with Velero:
velero restore create --from-backup nginx-example-bkp
Restores can overwrite existing resources if names collide. Consider using label selectors, remapping namespaces, or restoring to a clean cluster or namespace when testing.