Skip to main content

Backup and restore on AWS

Velero is an open-source Kubernetes backup, restore, and disaster recovery tool that captures cluster resources (manifests such as Deployments, Services, ConfigMaps, and Secrets) and, when configured, persistent volume data using CSI/EBS volume snapshots and file-level backups.

In the Virtana Platform, you can deploy Velero in the cluster through the provided Helm-based setup and configure it to store backups in an AWS S3 bucket. You can then use the Velero CLI to create namespace backups and perform restores, so you can recover an application or migrate it to another cluster or environment.

Prerequisites

Before you begin, make sure you have the following prerequisites to confirm readiness and gather required credentials:

  • AWS IAM user with permissions for S3 (bucket read/write/list) and EBS snapshots (create/delete/describe). Have the Access Key ID and Secret Access Key ready.

  • Kubernetes cluster access with permissions to create namespaces and install Helm charts.

  • Install the Velero server through Helm charts.

  • Network access from the cluster to AWS S3 and EC2 APIs for your selected region.

  • Use a dedicated IAM user or role with least-privilege policies scoped to the S3 bucket and snapshot actions needed by Velero.

Velero server installation

To install the Velero server, create a velero-values.yaml file that configures the backup storage location (S3 bucket and region), the snapshot location (EBS snapshot region), the required feature flags (for example, CSI snapshots), and the AWS credentials and plugin settings. Then deploy Velero with the official Helm chart into the velero namespace. Copy the YAML configuration into a file, update the values as described, and then run the Helm install commands.

Create velero-values file

Create a new file named velero-values.yaml with the following contents, and then customize it for your environment.

configuration:
  backupStorageLocation:
  - bucket: velero-example-bucket  
    config:
      region: us-east-2            
    name: default
    provider: aws
  volumeSnapshotLocation:
  - config:
      region: us-east-2          
    name: default
    provider: aws
  features: EnableCSI
credentials:
  extraEnvVars: {}
  secretContents:
    cloud: |
      [default]
      aws_access_key_id=XXXXXXXXXXX     
      aws_secret_access_key=XXXXXXX    
initContainers:
- image: velero/velero-plugin-for-aws:v1.10.0
  imagePullPolicy: IfNotPresent
  name: velero-plugin-for-aws
  volumeMounts:
  - mountPath: /target
    name: plugins
deployNodeAgent: true

The following table defines where Velero stores backup and volume data.

Table 112.

Field

Description

Default value

backupStorageLocation

Defines where object-store backups are stored.

bucket

The name of the S3 bucket used to store backups. Must be changed to your actual bucket name.

velero-example-bucket

config.region

The AWS region where the S3 bucket is located.

us-east-2

name

A logical name for this backup storage location.

default

provider

The cloud provider plugin to use for storage.

aws

volumeSnapshotLocation

Defines where and how volume snapshots are taken.

features

Enables the Container Storage Interface (CSI) snapshot support in Velero.

EnableCSI



The following table defines the AWS credentials Velero uses to access S3 and EC2 APIs.

Table 113.

Field

Description

extraEnvVars

A map for injecting additional environment variables into the Velero pod.

secretContents.cloud

The inline content of the AWS credentials file in INI format. It contains aws_access_key_id and aws_secret_access_key under the [default] profile.



The following table defines the init containers that run before the main Velero container starts, typically used to install provider plugins.

Table 114.

Field

Description

Default value

initContainers.image

The Docker image for the AWS plugin. This plugin enables Velero to interact with AWS services

velero/velero-plugin-for-aws:v1.10.0

imagePullPolicy

Controls when the image is pulled.

IfNotPresent

name

The name of the init container.

velero-plugin-for-aws

volumeMounts.mountPath

The path inside the init container where the plugins volume is mounted.

/target

volumeMounts.name

The name of the shared volume.

plugins

deployNodeAgent

Deploys the Velero Node Agent as a DaemonSet on every node. This enables file-system-level backups for volumes that don't support native snapshots.

true



Deploy Velero server with Helm

Deploys the Velero server-side components into your Kubernetes cluster using the official Velero Helm chart and your customized velero-values.yaml. This step is done to apply the AWS S3/EBS configuration and to create the required resources in the velero namespace.

Run the following commands in a terminal with cluster access:

helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts
helm upgrade --install velero vmware-tanzu/velero --namespace velero --create-namespace -f velero-values.yaml

To verify the resources, run the following command:

kubectl -n velero get pods,deploy,ds,cm,secret

The Velero Deployment and the Node Agent DaemonSet should be running, and the logs should show successful initialization of the AWS plugin and storage locations.

Velero Client (CLI) Installation

In this step, you install the Velero command-line tool on your workstation so you can initiate and manage backup or restore operations against the Velero server running in the cluster.

This is done by downloading the appropriate Velero release tarball for your OS, extracting it, and placing the Velero binary into a directory on your PATH, typically /usr/local/bin for Ubuntu or Debian, then validating the installation with velero help. See Install the CLI for detailed instructions for other OS types.

curl -L -o /tmp/velero.tar.gz https://github.com/vmware-tanzu/velero/releases/download/v1.14.0/velero-v1.14.0-linux-amd64.tar.gz 
tar -C /tmp -xvf /tmp/velero.tar.gz
mv /tmp/velero-v1.14.0-linux-amd64/velero /usr/local/bin/velero
chmod +x /usr/local/bin/velero
velero --help

Backup and restore operations

In this section, you can interact by running Velero backup create to capture Kubernetes resources for a target namespace into the configured AWS S3 bucket, and Velero restore create to rehydrate those resources back into the cluster from a selected backup. It also includes the basic commands to check backup or restore status and review logs so you can confirm the operation completed successfully.

Create a backup

Create a backup named nginx-example-bkp for a single namespace. Upon successful completion, backups will be available in the S3 bucket of AWS.

Run the following command to take a backup with Velero:

velero backup create nginx-example-bkp --include-namespaces nginx-example

Restore from a Backup

Restores cluster state from a previously created backup. Confirm target cluster or namespace policies and quotas before restoring.

Run the following command to restore the backup taken with Velero:

velero restore create --from-backup nginx-example-bkp

Restores can overwrite existing resources if names collide. Consider using label selectors, remapping namespaces, or restoring to a clean cluster or namespace when testing.