Velero backup to PowerScale S3 Bucket

By on ・ Sauvegarde Velero vers un PowerScale S3 ・

Use Velero backup with PowerScale S3 Bucket

Introduction

Velero is one of the most popular tools for backup and restoring of Kubernetes resources.

You can use Velero for different backup options to protect your Kubernetes cluster. The three modes are:

  1. Protect the Kubernetes resource objects like Pod, Namespace, etc., and CRDs included
  2. Protect the PersistentVolume data with the help VolumeSnapshot
  3. Protect the content of the PVs with the help of restic

In all cases, Velero syncs the information (YAML & Restic data) to an object storage.

PowerScale is Dell leading scale-out NAS solution, supports many different access protocols like NFS, SMB, HTTP, FTP, HDFS, and, in the case that interests us, S3 !

For a simple backup solution of a few terabytes of Kubernetes data, PowerScale & Velero are a perfect duo.

PowerScale is not 100% compatible with S3 protocol per AWS (cf. https://infohub.delltechnologies.com/section-assets/h18293-powerscale-onefs-s3-api-guide). Nonetheless, Velero is not using these unsupported calls to work; this make PowerScale S3 a product-grade solution with Velero.

Deployment

PowerScale S3 configuration

To prepare the PowerScale to be a target for the backup, a few steps are needed :

  1. Make sure the S3 protocol is enabled ; you can check that from the GUI under Protocols > Object Storage (S3) > Global Settings or the CLI: 
    PS1-1% isi s3 settings global view
      HTTP Port: 9020
     HTTPS Port: 9021
     HTTPS only: No
S3 Service Enabled: Yes

    Image

  2. Create a bucket with the permission to write objects at bare-minimum, that action can be done from the GUI or CLI also

Image

  1. Create a key for the user that will be used to upload the objects ; it is important to note that
  2. The username is the one indicated in the interface, not the one from the file system or provider (e.g. here, admin user is 1_admin_accid S3 user)
  3. The key is only displayed upon creation, and it is not possible to get it back after ; be sure to copy it right away

Image

Now that PowerScale is ready, we can proceed with the Velero deployment.

Velero installation

We assume that the Velero binary is installed and has access to the Kubernetes cluster. If not, please refer to the official doc for the deployment.

The steps to configure Velero are :

  1. Create a file with the credentials obtained before from PowerScale 
    $ cat ~/credentials-velero
[default]
aws_access_key_id = 1_admin_accid
aws_secret_access_key = 0sncWaAsVWycj4LFTPnxi2k8RPdi

  2. Optionally, obtain the PowerScale SSL certificate. In our case, the HTTPS endpoint uses a self-signed certificate, so we have to get it and pass it to Velero. Note that we can use HTTP protocol, and that step can be skipped at the cost of plain text data transit. For more information on the self-signed certificates in the context of Velero, you can check https://velero.io/docs/v1.9/self-signed-certificates/

  3. Install Velero itself. We use a similar method to what you will do with a provider like MinIO 
    $ velero install \
 --provider aws \
 --plugins velero/velero-plugin-for-aws:v1.5.1 \
 --bucket velero-backup \
 --secret-file ./credentials-velero \
 --use-volume-snapshots=false \
 --cacert ./ps2-cacert.pem \
 --backup-location-config region=powerscale,s3ForcePathStyle="true",s3Url=https://192.168.1.21:9021

    The above command shows how to use Velero most simplistically and securely.

It is possible to add parameters to enable protection with snapshots. Every Dell CSI drivers has snapshot support, to take advantage of it the install command will be the same with the addition of :

velero install \
--features=EnableCSI \
--plugins=velero/velero-plugin-for-aws:v1.5.1,velero/velero-plugin-for-csi:v0.3.0 \
--use-volume-snapshots=true
...

And for Restic add --use-restic.

You can also note that we are using the velero/velero-plugin-for-aws:v1.5.1 image, which is the latest available at the time of the publication of that article. You can obtain the current version from the github repo : https://github.com/vmware-tanzu/velero-plugin-for-aws

After installation is done, you check everything is correct with : kubectl logs -n velero deployment/velero. If you have an error with the certificates you should see it quickly.

You can now back up and restore your Kubernetes resources with the usual Velero commands.

You can check the actual content directly from PowerScale File Explorer :

Image

Demo ! TODO

Conclusion

For a small and easy protection of Kubernetes clusters Velero & and PowerScale S3 are a perfect duo. If you are looking for broader features (amount of data, more destinations, go beyond Kubernetes) and state of the art data protection Dell solution is PowerProtect Data Manager.

Interestingly Dell PPDM participates to the Velero eco-system ;-)

References

Dell PowerScale OneFS S3 Overview

https://velero.io/