July 13, 2022

Ensuring resiliency with TrilioVault for Kubernetes

Tyler Gillson
Tyler Gillson
Principal Software Engineer

Need resiliency? You have plenty of options…

Whether you’re managing a corporate Kubernetes cluster on premises, or hosting a K8s-backed SaaS application in the public cloud, it’s essential to have a data protection plan for backing up and restoring your cluster's resources and persistent volumes. In any enterprise-grade K8s environment, the onus is on you to provide options for ensuring a Recovery Point Objective (RPO) and/or Recovery Time Objective (RTO) for your application consumers.

As anyone with firsthand experience evaluating and using backup and restore solutions knows, this is a deep and complex topic. Data protection solutions range over a 'resiliency spectrum' from local high availability (HA), to backup and restore, to disaster recovery (DR), based on the comprehensiveness of their functionality.

A multitude of popular open source solutions exist to address parts of this space, including Velero, Stash, and OpenEBS, plus closed-source players including Trilio, Kasten by Veeam, Portworx, and Rancher Longhorn, to name but a few.

How do you choose the right resiliency solution?

There are many factors to consider when evaluating backup and restore solutions, but we recommend these five as a great place to start:

  • **Backup granularity: **Can you configure backups for individual applications and/or volumes? Or are you limited by namespace/label?
  • Configurable restoration policies: Can you customize/override configuration values from your backups at restore time?
  • **Scalability/Performance: **Does your data protection strategy have bottlenecks? How efficient is its deduplication approach?
  • **Usability: **Can you configure and monitor everything you need via a UI? CLI? Declaratively via CRDs?
  • Reliability and support: Does your data protection vendor offer adequate support SLAs?

The answers to these questions are what differentiates open source offerings from proprietary backup/restore solutions. For example, in many enterprise organizations, reliability and 24/7 support is a must have. However, rather than spending weeks researching the backup/restore space and performing internal requirements gathering, nothing beats a hands on product evaluation for identifying shortcomings and establishing a strong case for change within your organization.

Today, Spectro Cloud already provides an inbuilt native Velero integration with every cluster, and we highly rate Velero’s capabilities. But we are always seeking to expand our repertoire of offerings. As such, we are excited to announce the arrival of our latest K8s backup/restore integration: TrilioVault for Kubernetes (TVK).

Why Trilio?

In addition to ticking all of the aforementioned boxes, TVK leverages some of the latest and greatest native Kubernetes features to work its magic, including Volume Snapshots and the CSI Snapshotter. If you’re interested, check out the blog post detailing exactly what volume snapshots are and why you might be interested in using them.

The TVK architecture is split into a Helm-based operator and an application layer (managed by the TVK operator). The TVK application supports a rich feature set for backing up and restoring both persistent volumes and Kubernetes metadata. All operations can be performed via their user interface or orchestrated programmatically. TVK supports both “full” and “incremental” backups. Volume snapshot contents are first converted into QCOW2 images, then synchronized with remote storage (NFS, AWS S3, or any S3-compatible storage provider); however, if taking an incremental backup, the delta between snapshots is computed and the new QCOW2 image containing only what changed is linked to the original “full” image. Pretty cool!

TVK components Trilio

TrilioVault for Kubernetes Architecture

Check out these animations to see how TrilioVault works, both in the full backup process and the incremental.

Time for a demo

Without further ado, here is how you can take TVK for a test drive in your own Kubernetes environment. Or, if you want to check out how easy it is using Spectro Cloud Palette, you can skip ahead


Although TVK works with many different K8s distros, AWS EKS is a very common environment and a great place to take it for a spin — so in the following sections, we'll assume you're hands on in AWS. Feel free to adapt to your distro of choice!


  • An AWS EKS cluster running Kubernetes >= v1.19 and a valid kubeconfig to access it.

Additionally, the following CSI components must be installed:

Step 1: Install and run the TVK quick start kubectl plugin

TVK provides a comprehensive quick start plugin for kubectl. It is highly recommended that you install this kubectl extension and use it to validate your environment before proceeding with an installation of the TrilioVault operator.

   kubectl krew index add tvk-interop-plugin
kubectl krew install tvk-interop-plugin/tvk-quickstart

Step 2: Perform preflight validation

Assuming all prerequisites are met, the following validation should succeed. See here for details regarding exactly what the preflight validation is checking for.

   kubectl tvk-quickstart -p

Step 3: Install the TVK operator

If you're comfortable accepting all the defaults, simply execute the following:

   kubectl tvk-quickstart -i

Or, if you'd prefer to customize each option, there's also a declarative config approach. Details for each parameter can be found here). -O
# customize away, then invoke the quick start install as follows:
kubectl tvk-quickstart -n input_config

Step 4: Access the TVM UI

Regardless of how you chose to configure ingress for TrilioVault, a port-forward is a quick option to validate the UI:

   kubectl -n  port-forward service/k8s-triliovault-ingress-nginx-controller 8443:http
# navigate to localhost:8443 in your browser

The TVM UI requires a kubeconfig to log in. Sadly, it does not yet support aws-iam-authenticator, so if you're using IAM, you'll first need create a sufficiently privileged K8s service account and corresponding kubeconfig:

   kubectl -n kube-system create serviceaccount trilio-cluster-admin

cat << EOF | kubectl apply -f -
kind: ClusterRoleBinding
  name: trilio-cluster-admin
  kind: ClusterRole
  name: cluster-admin
- kind: ServiceAccount
  name: trilio-cluster-admin
  namespace: kube-system

USER_TOKEN_NAME=$(kubectl -n kube-system get serviceaccount trilio-cluster-admin -o=jsonpath='{.secrets[0].name}')
USER_TOKEN_VALUE=$(kubectl -n kube-system get secret/${USER_TOKEN_NAME} -o=go-template='{{.data.token}}' | base64 --decode)
CURRENT_CONTEXT=$(kubectl config current-context)
CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}')
CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}')

cat << EOF > tvk-admin-config
apiVersion: v1
kind: Config
current-context: ${CURRENT_CONTEXT}
	cluster: ${CURRENT_CONTEXT}
	user: trilio-cluster-admin
	certificate-authority-data: ${CLUSTER_CA}
	server: ${CLUSTER_SERVER}
- name: trilio-cluster-admin

Step 5: Explore

You'll probably want to:

  • Configure a backup target (either NFS or ObjectStorage)
  • Configure a backup plan, preferably one that involves both K8s resources and 1 or more persistent volumes
  • Create a backup
  • Test restoring your backup (you may know the old saying: “it's not a backup until you test it!”)

The TVK Management Console documentation is an excellent resource.

Demoing TrilioVault for Kubernetes on Spectro Cloud

Using Spectro Cloud Palette, you can easily construct a Cluster Profile to deploy a K8s cluster containing each of the essential components listed above. Spectro Cloud’s public pack registry contains everything you’ll need: OS, K8s distribution, CNI, CSI, CSI Snapshotter, and, last but not least, TrilioVault for Kubernetes.

Demoing TrilioVault for Kubernetes on Spectro Cloud

TrilioVault for Kubernetes Cluster Profile

As you construct your Cluster Profile, you’re welcome to accept the defaults (you’ll be required to specify a target namespace, but that’s it!), or you can fully customize TVK to suit your needs.

TrilioVault for Kubernetes Cluster Profile

Replace this with the following image: 70-image3.png

TVK pack: Advanced Configuration

If you’re having any issues whatsoever connecting to your cloud account, configuring a Cluster Profile, or deploying a cluster, please take a look at our docs, or feel free to reach out. Once your cluster is up and running, you’ll be able to download your kubeconfig and access the TrilioVault for Kubernetes UI right away!


Maintaining resilient systems is no simple task. There is a rich ecosystem of tools to help simplify the matter, but the process of identifying, evaluating, and deploying them can be daunting in and of itself. And after you’ve committed to a particular backup/restore solution, the journey is only beginning. For long-term success, you’ll need to build knowledge, produce playbooks, and encode processes within your organization so that your teams can react immediately when a P1 incident hits.

Here at Spectro Cloud we are enabling organizations to abstract away the complexity of Kubernetes lifecycle management and providing users with the comfort of knowing that they are building upon a solid, best practices foundation — so that they can focus on business-critical concerns. We hope you found this helpful, and thanks for reading!

Enterprise Scale
How to
Subscribe to our newsletter
By signing up, you agree with our Terms of Service and our Privacy Policy