Setting up the Velero plugin for Microsoft Azure

Prerequisites

  1. Create at least one Azure cluster

  2. Install az Azure CLI 2.0 locally

  3. Run az login

  4. Change to the Azure subscription you want to create your backups in

    az account set -s <subscription id>
    

Create Azure storage account and blob container

  1. Create a resource group for the backups storage account, changing the location as needed:

    AZURE_BACKUP_RESOURCE_GROUP=Velero_Backups
    
    az group create -n $AZURE_BACKUP_RESOURCE_GROUP --location WestUS
    
  2. Create the storage account.

    AZURE_STORAGE_ACCOUNT_ID="velero$(uuidgen | cut -d '-' -f5 | tr '[A-Z]' '[a-z]')"
    
    az storage account create \
      --name $AZURE_STORAGE_ACCOUNT_ID \
      --resource-group $AZURE_BACKUP_RESOURCE_GROUP \
      --sku Standard_GRS \
      --encryption-services blob \
      --https-only true \
      --kind BlobStorage \
      --access-tier Hot
    
  3. Create the blob container named velero. Feel free to use a different name, preferably one that is unique to a single Kubernetes cluster.

    BLOB_CONTAINER=velero
    
    az storage container create -n $BLOB_CONTAINER \
      --public-access off \
      --account-name $AZURE_STORAGE_ACCOUNT_ID
    

Set permissions for Velero

  1. Obtain your Azure Account Subscription ID and Tenant ID

    AZURE_SUBSCRIPTION_ID=`az account list --query '[?isDefault].id' -o tsv`
    
    AZURE_TENANT_ID=`az account list --query '[?isDefault].tenantId' -o tsv`
    
  2. Specify the role

    There are two ways to specify the role: use the built-in role or create a custom one.

    You can use the Azure built-in role Contributor:

    AZURE_ROLE=Contributor
    

    This role has subscription-wide access, so protect the credential generated with it. It is best practice to grant an application only the minimum permissions it needs to do its work. These are the minimum permissions Velero needs to perform backups, restores, and deletions:

    • Storage Account

      • Microsoft.Storage/storageAccounts/listkeys/action

      • Microsoft.Storage/storageAccounts/regeneratekey/action

    • Disk Management

      • Microsoft.Compute/disks/read

      • Microsoft.Compute/disks/write

      • Microsoft.Compute/disks/endGetAccess/action

      • Microsoft.Compute/disks/beginGetAccess/action

    • Snapshot Management

      • Microsoft.Compute/snapshots/read

      • Microsoft.Compute/snapshots/write

      • Microsoft.Compute/snapshots/delete

      • Microsoft.Compute/disks/beginGetAccess/action

      • Microsoft.Compute/disks/endGetAccess/action

    Use the following commands to create a custom role which has the minimum required permissions:

    AZURE_ROLE=Velero
    
    az role definition create --role-definition '{
      "Name": "'$AZURE_ROLE'",
      "Description": "Velero related permissions to perform backups, restores and deletions",
      "Actions": [
          "Microsoft.Compute/disks/read",
          "Microsoft.Compute/disks/write",
          "Microsoft.Compute/disks/endGetAccess/action",
          "Microsoft.Compute/disks/beginGetAccess/action",
          "Microsoft.Compute/snapshots/read",
          "Microsoft.Compute/snapshots/write",
          "Microsoft.Compute/snapshots/delete",
          "Microsoft.Storage/storageAccounts/listkeys/action",
          "Microsoft.Storage/storageAccounts/regeneratekey/action"
      ],
      "AssignableScopes": ["/subscriptions/'$AZURE_SUBSCRIPTION_ID'"]
      }'
    
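Before assigning the custom role, it is worth checking that the definition you submit really is limited to the actions listed above. The script below is an added example written for this page, not CloudCasa or Velero code: it reads a role definition JSON in the layout shown above from stdin and reports any wildcard action or any action outside the minimum set. The two sample definitions at the bottom are constructed, with a placeholder subscription id.

```shell
#!/usr/bin/env bash
# Added example, not part of the CloudCasa or Velero docs: check that a role
# definition JSON (the kind passed to `az role definition create`) grants only
# the minimum actions this page lists, and no wildcard. Assumes the multi-line
# layout used on this page, with one quoted action per line.

# The nine actions the page lists as the minimum Velero needs.
VELERO_MIN_ACTIONS='Microsoft.Compute/disks/read
Microsoft.Compute/disks/write
Microsoft.Compute/disks/endGetAccess/action
Microsoft.Compute/disks/beginGetAccess/action
Microsoft.Compute/snapshots/read
Microsoft.Compute/snapshots/write
Microsoft.Compute/snapshots/delete
Microsoft.Storage/storageAccounts/listkeys/action
Microsoft.Storage/storageAccounts/regeneratekey/action'

# Print the entries of the "Actions" array from the role definition on stdin,
# one per line (a real pipeline would use jq; sed/grep keep this dependency-free).
role_actions() {
  sed -n '/"Actions"/,/\]/p' | grep -o '"[^"]*"' | tr -d '"' | grep -vx 'Actions'
}

# Return 0 when every action of the role definition on stdin is in the minimum
# set and none is a wildcard; otherwise print each offending action and return 1.
check_role_definition() {
  bad=0
  actions=$(role_actions)
  for action in $actions; do
    case "$action" in
      *'*'*)
        echo "wildcard grants more than Velero needs: $action"
        bad=1
        continue ;;
    esac
    if ! printf '%s\n' "$VELERO_MIN_ACTIONS" | grep -qxF -- "$action"; then
      echo "action outside the minimum Velero set: $action"
      bad=1
    fi
  done
  return $bad
}

# Constructed sample: the minimum-permission role this page creates
# (the subscription id is a placeholder).
minimal_role_json() {
  cat <<'EOF'
{
  "Name": "Velero",
  "Actions": [
      "Microsoft.Compute/disks/read",
      "Microsoft.Compute/disks/write",
      "Microsoft.Compute/disks/endGetAccess/action",
      "Microsoft.Compute/disks/beginGetAccess/action",
      "Microsoft.Compute/snapshots/read",
      "Microsoft.Compute/snapshots/write",
      "Microsoft.Compute/snapshots/delete",
      "Microsoft.Storage/storageAccounts/listkeys/action",
      "Microsoft.Storage/storageAccounts/regeneratekey/action"
  ],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}
EOF
}

# Constructed sample: an over-broad role that a reviewer should reject.
overbroad_role_json() {
  cat <<'EOF'
{
  "Name": "Velero-too-wide",
  "Actions": [
      "Microsoft.Compute/*",
      "Microsoft.Storage/storageAccounts/delete"
  ],
  "AssignableScopes": ["/subscriptions/00000000-0000-0000-0000-000000000000"]
}
EOF
}

# Run both samples when executed directly.
minimal_role_json | check_role_definition && echo "minimal role: OK"
overbroad_role_json | check_role_definition || echo "over-broad role: rejected"
```

To check the definition you are about to create, save the JSON literal from the az role definition create command above to a file and pipe it into check_role_definition; a non-zero exit means the role grants more than the list on this page.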

Create service principal

  1. Obtain your Azure Account Tenant ID:

    AZURE_TENANT_ID=`az account list --query '[?isDefault].tenantId' -o tsv`
    
  2. Create a service principal.

    If you’ll be using Velero to back up multiple clusters with multiple blob containers, it may be desirable to create a unique username per cluster rather than the default velero.

    Create the service principal and let the CLI generate a password for you. Make sure to capture the password; the command below stores it in AZURE_CLIENT_SECRET, which the credentials file created in step 3 needs.

    AZURE_CLIENT_SECRET=`az ad sp create-for-rbac \
      --name "velero" \
      --role $AZURE_ROLE \
      --scopes /subscriptions/$AZURE_SUBSCRIPTION_ID/resourceGroups/$AZURE_BACKUP_RESOURCE_GROUP \
      --query 'password' -o tsv`
    

    After creating the service principal, obtain the client id.

    AZURE_CLIENT_ID=`az ad sp list \
      --display-name "velero" \
      --query '[0].appId' -o tsv`
    
  3. Now create a file that contains all the relevant environment variables. AZURE_RESOURCE_GROUP is the resource group that contains your cluster's virtual machines and disks (for AKS, the node resource group), which is not necessarily the backup resource group created above, so set it before running the command. The command looks like the following:

    $ cat << EOF > ./credentials-velero
    AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}
    AZURE_TENANT_ID=${AZURE_TENANT_ID}
    AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
    AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
    AZURE_RESOURCE_GROUP=${AZURE_RESOURCE_GROUP}
    AZURE_CLOUD_NAME=AzurePublicCloud
    EOF
    
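The credentials file holds the service principal's secret in clear text, so it should only be written once every variable is set, and with permissions that keep other users out. The helper below is an added example, not part of the CloudCasa docs: it writes the same six-line file as the command above, refuses to run if any of the five variables is unset or empty, and leaves the file with mode 0600. The values used in the demo at the bottom are constructed placeholders, not real Azure identifiers.

```shell
#!/usr/bin/env bash
# Added example, not part of the CloudCasa docs: build credentials-velero only
# after checking that every required variable is set, and write it so that only
# the current user can read the client secret.

# Variables the credentials file must carry; AZURE_CLOUD_NAME is fixed below.
REQUIRED_VARS="AZURE_SUBSCRIPTION_ID AZURE_TENANT_ID AZURE_CLIENT_ID AZURE_CLIENT_SECRET AZURE_RESOURCE_GROUP"

# Print the names of the required variables that are unset or empty, one per line.
missing_credential_vars() {
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || echo "$name"
  done
}

# Write the credentials file at $1 with mode 0600; return 1 if anything is missing.
write_velero_credentials() {
  out=$1
  missing=$(missing_credential_vars)
  if [ -n "$missing" ]; then
    echo "refusing to write $out, unset variables:" $missing >&2
    return 1
  fi
  # umask runs in a subshell so the restrictive mask does not leak to the caller;
  # chmod also covers the case where the file already existed with wider bits.
  (
    umask 077
    cat > "$out" <<EOF
AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID}
AZURE_TENANT_ID=${AZURE_TENANT_ID}
AZURE_CLIENT_ID=${AZURE_CLIENT_ID}
AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET}
AZURE_RESOURCE_GROUP=${AZURE_RESOURCE_GROUP}
AZURE_CLOUD_NAME=AzurePublicCloud
EOF
  ) && chmod 600 "$out"
}

# Report the permission bits of a file as an "-rw-------" style string.
file_mode_string() {
  ls -l "$1" | cut -c1-10
}

# Demo with constructed placeholder values when executed directly.
demo_dir=$(mktemp -d)
AZURE_SUBSCRIPTION_ID=00000000-0000-0000-0000-000000000000
AZURE_TENANT_ID=11111111-1111-1111-1111-111111111111
AZURE_CLIENT_ID=22222222-2222-2222-2222-222222222222
AZURE_CLIENT_SECRET=placeholder-client-secret
AZURE_RESOURCE_GROUP=MC_placeholder_group
write_velero_credentials "$demo_dir/credentials-velero" \
  && echo "wrote $demo_dir/credentials-velero with mode $(file_mode_string "$demo_dir/credentials-velero")"
rm -rf "$demo_dir"
```

Run it after the service principal steps with the real values in your environment; the file it produces is the one passed to kubectl create secret in the next section, and the mode check is the quickest way to confirm the secret is not world-readable before it leaves the workstation.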

Creating credentials in Cloudcasa

$ kubectl create secret generic -n cloudcasa-io vsl-credentials \
  --from-file=gcp=<path to the credentials-velero file>
$ kubectl -n cloudcasa-io \
  label secrets vsl-credentials cloudcasa-io-provider-secret=1