Ensuring resiliency with TrilioVault for Kubernetes

Need resiliency? You have plenty of options…

Whether you’re managing a corporate Kubernetes cluster on premises, or hosting a K8s-backed SaaS application in the public cloud, it’s essential to have a data protection plan for backing up and restoring your cluster's resources and persistent volumes. In any enterprise-grade K8s environment, the onus is on you to provide options for ensuring a Recovery Point Objective (RPO) and/or Recovery Time Objective (RTO) for your application consumers.

As anyone with firsthand experience evaluating and using backup and restore solutions knows, this is a deep and complex topic. Data protection solutions range over a 'resiliency spectrum' from local high availability (HA), to backup and restore, to disaster recovery (DR), based on the comprehensiveness of their functionality.

A multitude of popular open source solutions exist to address parts of this space, including Velero, Stash, and OpenEBS, plus closed-source players including Trilio, Kasten by Veeam, Portworx, and Rancher Longhorn, to name but a few.

How do you choose the right resiliency solution?

There are many factors to consider when evaluating backup and restore solutions, but we recommend these five as a great place to start:

• **Backup granularity: **Can you configure backups for individual applications and/or volumes? Or are you limited by namespace/label?
• Configurable restoration policies: Can you customize/override configuration values from your backups at restore time?
• **Scalability/Performance: **Does your data protection strategy have bottlenecks? How efficient is its deduplication approach?
• **Usability: **Can you configure and monitor everything you need via a UI? CLI? Declaratively via CRDs?
• Reliability and support: Does your data protection vendor offer adequate support SLAs?

The answers to these questions are what differentiates open source offerings from proprietary backup/restore solutions. For example, in many enterprise organizations, reliability and 24/7 support is a must have. However, rather than spending weeks researching the backup/restore space and performing internal requirements gathering, nothing beats a hands on product evaluation for identifying shortcomings and establishing a strong case for change within your organization.

Today, Spectro Cloud already provides an inbuilt native Velero integration with every cluster, and we highly rate Velero’s capabilities. But we are always seeking to expand our repertoire of offerings. As such, we are excited to announce the arrival of our latest K8s backup/restore integration: TrilioVault for Kubernetes (TVK).

Why Trilio?

In addition to ticking all of the aforementioned boxes, TVK leverages some of the latest and greatest native Kubernetes features to work its magic, including Volume Snapshots and the CSI Snapshotter. If you’re interested, check out the Kubernetes.io blog post detailing exactly what volume snapshots are and why you might be interested in using them.

The TVK architecture is split into a Helm-based operator and an application layer (managed by the TVK operator). The TVK application supports a rich feature set for backing up and restoring both persistent volumes and Kubernetes metadata. All operations can be performed via their user interface or orchestrated programmatically. TVK supports both “full” and “incremental” backups. Volume snapshot contents are first converted into QCOW2 images, then synchronized with remote storage (NFS, AWS S3, or any S3-compatible storage provider); however, if taking an incremental backup, the delta between snapshots is computed and the new QCOW2 image containing only what changed is linked to the original “full” image. Pretty cool!

TrilioVault for Kubernetes Architecture

Check out these animations to see how TrilioVault works, both in the full backup process and the incremental.

Time for a demo

Without further ado, here is how you can take TVK for a test drive in your own Kubernetes environment. Or, if you want to check out how easy it is using Spectro Cloud Palette, you can skip ahead

Steps

Although TVK works with many different K8s distros, AWS EKS is a very common environment and a great place to take it for a spin — so in the following sections, we'll assume you're hands on in AWS. Feel free to adapt to your distro of choice!

Pre-requisites:

• An AWS EKS cluster running Kubernetes >= v1.19 and a valid kubeconfig to access it.

Additionally, the following CSI components must be installed:

• EBS CSI Driver. Installation instructions are out of scope, but you can grab a Helm chart here.
• External Snapshotter. Note: you can skip installing the CRDs, as the TVK quick start plugin will do it for you. Only the Snapshot Controller and CSI Snapshotter are strictly required. You can grab the Snapshot Controller manifests from the latest stable release and the CSI Snapshotter manifests from the latest stable release.
• Utilities on your local system: bash version v3.2.x or newer, krew, kubectl, S3cm, and yq v4 or newer.

Step 1: Install and run the TVK quick start kubectl plugin

TVK provides a comprehensive quick start plugin for kubectl. It is highly recommended that you install this kubectl extension and use it to validate your environment before proceeding with an installation of the TrilioVault operator.

 
   kubectl krew index add tvk-interop-plugin https://github.com/trilioData/tvk-interop-plugins.git
kubectl krew install tvk-interop-plugin/tvk-quickstart
	

Step 2: Perform preflight validation

Assuming all prerequisites are met, the following validation should succeed. See here for details regarding exactly what the preflight validation is checking for.

 
   kubectl tvk-quickstart -p
	

Step 3: Install the TVK operator

If you're comfortable accepting all the defaults, simply execute the following:

 
   kubectl tvk-quickstart -i
	

Or, if you'd prefer to customize each option, there's also a declarative config approach. Details for each parameter can be found here).

 
   https://raw.githubusercontent.com/trilioData/tvk-interop-plugins/main/tests/tvk-quickstart/input_config -O
# customize away, then invoke the quick start install as follows:
kubectl tvk-quickstart -n input_config
	

Step 4: Access the TVM UI

Regardless of how you chose to configure ingress for TrilioVault, a port-forward is a quick option to validate the UI:

 
   kubectl -n  port-forward service/k8s-triliovault-ingress-nginx-controller 8443:http
# navigate to localhost:8443 in your browser
	

The TVM UI requires a kubeconfig to log in. Sadly, it does not yet support aws-iam-authenticator, so if you're using IAM, you'll first need create a sufficiently privileged K8s service account and corresponding kubeconfig:

 
   kubectl -n kube-system create serviceaccount trilio-cluster-admin

cat << EOF | kubectl apply -f -
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: trilio-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
- kind: ServiceAccount
  name: trilio-cluster-admin
  namespace: kube-system
EOF

USER_TOKEN_NAME=$(kubectl -n kube-system get serviceaccount trilio-cluster-admin -o=jsonpath='{.secrets[0].name}')
USER_TOKEN_VALUE=$(kubectl -n kube-system get secret/${USER_TOKEN_NAME} -o=go-template='{{.data.token}}' | base64 --decode)
CURRENT_CONTEXT=$(kubectl config current-context)
CURRENT_CLUSTER=$(kubectl config view --raw -o=go-template='{{range .contexts}}{{if eq .name "'''${CURRENT_CONTEXT}'''"}}{{ index .context "cluster" }}{{end}}{{end}}')
CLUSTER_CA=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}"{{with index .cluster "certificate-authority-data" }}{{.}}{{end}}"{{ end }}{{ end }}')
CLUSTER_SERVER=$(kubectl config view --raw -o=go-template='{{range .clusters}}{{if eq .name "'''${CURRENT_CLUSTER}'''"}}{{ .cluster.server }}{{end}}{{ end }}')

cat << EOF > tvk-admin-config
apiVersion: v1
kind: Config
current-context: ${CURRENT_CONTEXT}
contexts:
- name: ${CURRENT_CONTEXT}
  context:
	cluster: ${CURRENT_CONTEXT}
	user: trilio-cluster-admin
clusters:
- name: ${CURRENT_CONTEXT}
  cluster:
	certificate-authority-data: ${CLUSTER_CA}
	server: ${CLUSTER_SERVER}
users:
- name: trilio-cluster-admin
  user:
	token: ${USER_TOKEN_VALUE}
EOF
	

Step 5: Explore

You'll probably want to:

• Configure a backup target (either NFS or ObjectStorage)
• Configure a backup plan, preferably one that involves both K8s resources and 1 or more persistent volumes
• Create a backup
• Test restoring your backup (you may know the old saying: “it's not a backup until you test it!”)

The TVK Management Console documentation is an excellent resource.

Demoing TrilioVault for Kubernetes on Spectro Cloud

Using Spectro Cloud Palette, you can easily construct a Cluster Profile to deploy a K8s cluster containing each of the essential components listed above. Spectro Cloud’s public pack registry contains everything you’ll need: OS, K8s distribution, CNI, CSI, CSI Snapshotter, and, last but not least, TrilioVault for Kubernetes.

TrilioVault for Kubernetes Cluster Profile

As you construct your Cluster Profile, you’re welcome to accept the defaults (you’ll be required to specify a target namespace, but that’s it!), or you can fully customize TVK to suit your needs.

Replace this with the following image: 70-image3.png

TVK pack: Advanced Configuration

If you’re having any issues whatsoever connecting to your cloud account, configuring a Cluster Profile, or deploying a cluster, please take a look at our docs, or feel free to reach out. Once your cluster is up and running, you’ll be able to download your kubeconfig and access the TrilioVault for Kubernetes UI right away!

Conclusion

Maintaining resilient systems is no simple task. There is a rich ecosystem of tools to help simplify the matter, but the process of identifying, evaluating, and deploying them can be daunting in and of itself. And after you’ve committed to a particular backup/restore solution, the journey is only beginning. For long-term success, you’ll need to build knowledge, produce playbooks, and encode processes within your organization so that your teams can react immediately when a P1 incident hits.

Here at Spectro Cloud we are enabling organizations to abstract away the complexity of Kubernetes lifecycle management and providing users with the comfort of knowing that they are building upon a solid, best practices foundation — so that they can focus on business-critical concerns. We hope you found this helpful, and thanks for reading!