OADP is OpenShift Application Data Protection operator. This operator sets up and installs Velero on the OpenShift platform.
- Docker/Podman
- OpenShift CLI
- Access to OpenShift cluster
Checkout this OADP Operator repository:
git clone [email protected]:konveyor/oadp-operator.git
cd oadp-operator
Build the OADP operator image and push it to a public registry (quay.io or dockerhub)
There are two ways to build the operator image:
- Using operator-sdk
operator-sdk build oadp-operator
- Using Podman/Docker
podman build -f build/Dockerfile . -t oadp-operator:latest
After successfully building the operator image, push it to a public registry.
In order to use a locally built image of the operator, please update the operator.yaml
file. Update the image
of the oadp-operator
container with the image registry URL. You can edit the file manually or use the following command( <REGISTRY_URL>
is the placeholder for your own registry url in the command):
sed -i 's|quay.io/konveyor/oadp-operator:latest|<REGISTRY_URL>|g' deploy/operator.yaml
For OSX, use the following command:
sed -i "" 's|quay.io/konveyor/oadp-operator:latest|<REGISTRY_URL>|g' deploy/operator.yaml
Before proceeding further make sure the image
is updated in the operator.yaml
file as discussed above.
To install OADP operator and the essential Velero components follow the steps given below:
- Create a new namespace named
oadp-operator
oc create namespace oadp-operator
- Switch to the
oadp-operator
namespaceoc project oadp-operator
- Create secret for the cloud provider credentials to be used. Also, the credentials file present at
CREDENTIALS_FILE_PATH
shoud be in proper format, for instance if the provider is AWS it should follow this AWS credentials templateoc create secret generic <SECRET_NAME> --namespace oadp-operator --from-file cloud=<CREDENTIALS_FILE_PATH>
- Now to create the deployment, role, role binding, service account and the cluster role binding, use the following command:
oc create -f deploy/
- Deploy the Velero custom resource definition:
oc create -f deploy/crds/konveyor.openshift.io_veleros_crd.yaml
- Finally, deploy the Velero CR:
oc create -f deploy/crds/konveyor.openshift.io_v1alpha1_velero_cr.yaml
Post completion of all the above steps, you can check if the operator was successfully installed or not, the expected result for the command oc get all -n oadp-operator
is as follows:
NAME READY STATUS RESTARTS AGE
pod/oadp-operator-7749f885f6-9nm9w 1/1 Running 0 6m6s
pod/restic-48s5r 1/1 Running 0 2m16s
pod/restic-5sr4c 1/1 Running 0 2m16s
pod/restic-bs5p2 1/1 Running 0 2m16s
pod/velero-76546b65c8-tm9vv 1/1 Running 0 2m16s
NAME TYPE CLUSTER-IP EXTERNAL-IP PORT(S) AGE
service/oadp-operator-metrics ClusterIP 172.30.21.118 <none> 8383/TCP,8686/TCP 5m51s
NAME DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
daemonset.apps/restic 3 3 3 3 3 <none> 2m17s
NAME READY UP-TO-DATE AVAILABLE AGE
deployment.apps/oadp-operator 1/1 1 1 6m7s
deployment.apps/velero 1/1 1 1 2m17s
NAME DESIRED CURRENT READY AGE
replicaset.apps/oadp-operator-7749f885f6 1 1 1 6m7s
replicaset.apps/velero-76546b65c8 1 1 1 2m17s
Note: For using the velero
CLI directly configured for the oadp-operator
namespace, you may want to use the following command:
velero client config set namespace=oadp-operator
There are mainly two categories of velero plugins that can be specified while installing Velero:
-
default-velero-plugins
:
4 types of default velero plugins can be installed - AWS, GCP, Azure and OpenShift. For installation, you need to specify them in thekonveyor.openshift.io_v1alpha1_velero_cr.yaml
file during deployment.apiVersion: konveyor.openshift.io/v1alpha1 kind: Velero metadata: name: example-velero spec: default_velero_plugins: - azure - gcp - aws - openshift
The above specification will install Velero with all the 4 default plugins.
-
custom-velero-plugin
:
For installation of custom velero plugins, you need to specify the pluginimage
and pluginname
in thekonveyor.openshift.io_v1alpha1_velero_cr.yaml
file during deployment.For instance,
apiVersion: konveyor.openshift.io/v1alpha1 kind: Velero metadata: name: example-velero spec: default_velero_plugins: - azure - gcp custom_velero_plugins: - name: custom-plugin-example image: quay.io/example-repo/custom-velero-plugin
The above specification will install Velero with 3 plugins (azure, gcp and custom-plugin-example).
By default the CSI plugin is not enabled, in order to enable the CSI plugin for velero, you need to specify a flag enable_csi_plugin
and set it to true
in the konveyor.openshift.io_v1alpha1_velero_cr.yaml
file during the installation.
For configuring the backupStorageLocations
and the volumeSnapshotLocations
we will be using the backup_storage_locations
and the volume_snapshot_locations
specs respectively in the konveyor.openshift.io_v1alpha1_velero_cr.yaml
file during the deployement.
For instance, If we want to configure aws
for backupStorageLocations
as well as volumeSnapshotLocations
pertaining to velero, our konveyor.openshift.io_v1alpha1_velero_cr.yaml
file should look something like this:
apiVersion: konveyor.openshift.io/v1alpha1
kind: Velero
metadata:
name: example-velero
spec:
default_velero_plugins:
- aws
backup_storage_locations:
- name: default
provider: aws
object_storage:
bucket: myBucket
prefix: "velero"
config:
region: us-east-1
profile: "default"
credentials_secret_ref:
name: cloud-credentials
namespace: oadp-operator
volume_snapshot_locations:
- name: default
provider: aws
config:
region: us-west-2
profile: "default"
Note:
- Be sure to use the same
secret
name you used while creating the cloud credentials secret in step 3 of Operator installation section. - Another thing to consider are the CR file specs, they should be tailored in accordance to your own cloud provider accouts, for instance
bucket
spec value should be accoring to your own bucket name and so on. - Do not configure more than one
backupStorageLocations
per cloud provider, the velero installation will fail. - Parameter reference for backupStorageLocations and volumeSnapshotLocations
In order use the upstream images for Velero deployment as well as its plugins, you need to specify a flag use_upstream_images
in the konveyor.openshift.io_v1alpha1_velero_cr.yaml
during installation of the operator.
For instance the konveyor.openshift.io_v1alpha1_velero_cr.yaml
file might look something like this:
apiVersion: konveyor.openshift.io/v1alpha1
kind: Velero
metadata:
name: example-velero
spec:
use_upstream_images: true
default_velero_plugins:
- aws
backup_storage_locations:
- name: default
provider: aws
object_storage:
bucket: shubbam-6109f5e9711c8c58131acdd2f490f451
prefix: "velero"
config:
region: us-east-1
profile: "default"
credentials_secret_ref:
name: cloud-credentials
namespace: oadp-operator
volume_snapshot_locations:
- name: default
provider: aws
config:
region: us-west-2
profile: "default"
enable_restic: true
Such a CR specification will use the upstream images for deployment.
Note: If the flag use_upstream_images
is set, the registry will be switched from quay.io
to docker.io
and v1.4.0 (current upstream version) image tag will be used for Velero
and latest
image tag will be used for the plugins
.
In order to set specific resource(cpu, memory) limits
and requests
for the Velero pod, you need use the velero_resource_allocation
specification field in the konveyor.openshift.io_v1alpha1_velero_cr.yaml
file during the deployment.
For instance, the velero_resource_allocation
can look somewhat similar to:
velero_resource_allocation:
limits:
cpu: "2"
memory: 512Mi
requests:
cpu: 500m
memory: 256Mi
Similarly, you can use the restic_resource_allocation
specification field for setting specific resource limits
and requests
for the Restic pods.
restic_resource_allocation:
limits:
cpu: "2"
memory: 512Mi
requests:
cpu: 500m
memory: 256Mi
Note:
- The values for the resource requests and limits flags follow the same format as Kubernetes resource requirements
- Also, if the
velero_resource_allocation
/restic_resource_allocation
is not defined by the user then the default resources specification for Velero/Restic pod(s) isresources: limits: cpu: "1" memory: 256Mi requests: cpu: 500m memory: 128Mi
If you are using an S3-Compatible storage provider that is secured with a self-signed certificate, connections to the object store may fail with a certificate signed by unknown authority
message. In order to proceed, you will have to specify the a base64 encoded certificate string as a value of the caCert
spec under the object_storage
configuration in the velero CR.
Your CR might look somewhat like this:
apiVersion: konveyor.openshift.io/v1alpha1
kind: Velero
metadata:
name: example-velero
spec:
use_upstream_images: true
default_velero_plugins:
- aws
- openshift
backup_storage_locations:
- name: default
provider: aws
object_storage:
bucket: velero
caCert: <base64_encoded_cert_string>
config:
region: us-east-1
profile: "default"
insecure_skip_tls_verify: "false"
signature_version: "1"
public_url: "https://m-oadp.apps.cluster-sdpampat0519.sdpampat0519.mg.dog8code.com"
s3_url: "https://m-oadp.apps.cluster-sdpampat0519.sdpampat0519.mg.dog8code.com"
s3_force_path_style: "true"
credentials_secret_ref:
name: cloud-credentials
namespace: oadp-operator
enable_restic: true
Note: Ensure that insecure_skip_tls_verify
is set to false
so that TLS is used.
For cleaning up the deployed resources, use the following commands:
oc delete -f deploy/crds/konveyor.openshift.io_v1alpha1_velero_cr.yaml
oc delete -f deploy/crds/konveyor.openshift.io_veleros_crd.yaml
oc delete -f deploy/
oc delete namespace oadp-operator
oc delete crd $(oc get crds | grep velero.io | awk -F ' ' '{print $1}')