Velero: Stable/Velero Helm Chart readme instructions unclear about format of credentials.secretContents

Created on 31 May 2019 · 8 Comments · Source: vmware-tanzu/velero

Describe the solution you'd like
I'm trying to install the stable Velero helm chart in an AWS environment, but the readme file's description of credentials.secretContents is extremely lacking:
If specified and useSecret is true, contents for the credentials secret

What are these contents? Does it vary based on cloud provider?

There is no mention of the format expected in the environment setup guide.

After spending about an hour reading the helm chart and the source repo, I think the correct solution for AWS is:
credentials.secretContents.cloud:

I managed to find this information about structure in a debugging guide that I didn't see reference to anywhere in the docs.

This info is so basic to how to use the chart that I feel its absence from the core documentation is a huge problem.

I propose three changes to resolve this:

  1. Helm Chart Documentation should be updated to make it clear exactly what Velero is expecting the value of credentials.secretContents to be
  2. Website documentation regarding cloud provider setups should be updated to include the information about how to configure the credentials when installing via helm.

Anything else you would like to add:
The biggest issue I've had so far with the helm chart is the limited documentation around it; all of the guides assume I'm using the velero client to install, with no guided documentation around the helm chart. Adding setup documentation for the helm chart would massively reduce the difficulty for newcomers to get started.

Environment:

  • Velero version (use velero version): 1.0.0 from helm/charts
  • Kubernetes version (use kubectl version): 1.11.8-eks-7c34c0
  • Kubernetes installer & version:
  • Cloud provider or hardware configuration: AWS
  • OS (e.g. from /etc/os-release):
Labels: Documentation, Bug

All 8 comments

@nrb do you know off the top of your head how this should work?

For GCP, this is what I have:

credentials:
  # Whether a secret should be used as the source of IAM account
  # credentials. Set to false if, for example, using kube2iam or
  # kiam to provide IAM credentials for the Velero pod.
  useSecret: true
  # Name of a pre-existing secret (if any) in the Velero namespace
  # that should be used to get IAM account credentials. Optional.
  existingSecret:
  # Data to be stored in the Velero secret, if `useSecret` is
  # true and `existingSecret` is empty. This should be the contents
  # of your IAM credentials file.
  secretContents:
    cloud: |
      {
        "type": "service_account",
        "project_id": "myproject",
        "private_key_id": "d7c4e4227da8bf21b9eb287d97fcc0776d123f0c",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMY KEY GOES HERE-----END PRIVATE KEY-----\n",
        "client_email": "velero@myproject.iam.gserviceaccount.com",
        "client_id": "104942721841221688318",
        "auth_uri": "https://accounts.google.com/o/oauth2/auth",
        "token_uri": "https://oauth2.googleapis.com/token",
        "auth_provider_x509_cert_url": "https://www.googleapis.com/oauth2/v1/certs",
        "client_x509_cert_url": "https://www.googleapis.com/robot/v1/metadata/x509/velero%40myproject.iam.gserviceaccount.com"
      }

For AWS, I think it would look like this:

credentials:
  # Whether a secret should be used as the source of IAM account
  # credentials. Set to false if, for example, using kube2iam or
  # kiam to provide IAM credentials for the Velero pod.
  useSecret: true
  # Name of a pre-existing secret (if any) in the Velero namespace
  # that should be used to get IAM account credentials. Optional.
  existingSecret:
  # Data to be stored in the Velero secret, if `useSecret` is
  # true and `existingSecret` is empty. This should be the contents
  # of your IAM credentials file.
  secretContents:
    cloud: |
      [default]
      aws_access_key_id=MYKEYID
      aws_secret_access_key=MYKEYCONTENTS

I don't know what Azure would look like off the top of my head, but I think it would have to be the cloud key with the environment variable key/value pairs properly indented.

Adding this to the v1.1 milestone, will get documentation done.

thanks @nrb! BTW, what you wrote re: Azure sounds right to me, as long as everything else in the chart is set up to allow the Azure secret to be provided as a file that gets mounted into the velero pod.

@nrb Your examples are perfect and essential for everyone who wants to use the values.yaml file instead of the helm cli command with the --set-file credentials.secretContents.cloud=<FULL PATH TO FILE> argument. Could these examples please be included here: https://github.com/vmware-tanzu/helm-charts/tree/main/charts/velero#provider-credentials

Would be also nice to have the helm chart README included here in the docs or as a separate item in the Install section of the sidebar.

related issue https://github.com/vmware-tanzu/helm-charts/issues/28

For Azure, I currently create a text file as follows and deploy Velero using Helm by setting values using --set:

AZURE_STORAGE_ACCOUNT_ACCESS_KEY=REDACTED
AZURE_CLOUD_NAME=AzurePublicCloud

I want to use values.yaml file which contains all values in it including the aforementioned KV pairs. Where in the Velero values.yaml file do I need to specify these?

@k8s42

credentials:
  useSecret: true
  secretContents:
    cloud: "AZURE_STORAGE_ACCOUNT_ACCESS_KEY=REDACTED\nAZURE_CLOUD_NAME=AzurePublicCloud\n"
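The thread never states the rule that ties nrb's three examples, the `--set-file` variant and the Azure one-liner together: whatever string ends up in `credentials.secretContents.cloud` is stored verbatim as the `cloud` key of a Secret and mounted into the pod as a file, so it must be the exact on-disk file the provider plugin reads (AWS shared-credentials INI with a `[default]` profile, GCP service-account JSON, Azure `KEY=VALUE` lines). The script below is an added example written for this page, not code from Velero or the chart. It checks a `cloud` value against those three formats, shows the one-line YAML mistake that silently breaks the AWS INI, and renders the Secret the chart would create. The Secret name/namespace, the `/credentials/cloud` mount path and all credential values are assumptions or constructed placeholders.

```python
"""Added example (not Velero's or the stable/velero chart's own code).

Validates `credentials.secretContents.cloud` for a provider and renders the
Kubernetes Secret the chart builds from `secretContents` (one base64 `data`
key per entry). Names, paths and credential values are constructed.
"""
import base64
import configparser
import json
import re

# Constructed placeholders in the three formats discussed in the thread.
AWS_CLOUD = "[default]\naws_access_key_id=MYKEYID\naws_secret_access_key=MYKEYCONTENTS\n"
GCP_CLOUD = json.dumps({
    "type": "service_account",
    "project_id": "myproject",
    "private_key_id": "0000000000000000000000000000000000000000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nMY KEY GOES HERE\n-----END PRIVATE KEY-----\n",
    "client_email": "velero@myproject.iam.gserviceaccount.com",
})
AZURE_CLOUD = "AZURE_STORAGE_ACCOUNT_ACCESS_KEY=REDACTED\nAZURE_CLOUD_NAME=AzurePublicCloud\n"

# Azure file is read as plain KEY=VALUE lines: no `export`, no shell quoting.
_ENV_LINE = re.compile(r"^[A-Z][A-Z0-9_]*=.*$")


def check_cloud(provider: str, cloud: str) -> list:
    """Return problems with `cloud` for `provider`; an empty list means OK."""
    problems = []
    if provider == "aws":
        ini = configparser.ConfigParser()
        try:
            ini.read_string(cloud)
        except configparser.Error as exc:  # e.g. options before any [section]
            return [f"aws: not a valid INI file: {exc}"]
        if "default" not in ini:
            problems.append("aws: missing [default] profile section")
        else:
            for key in ("aws_access_key_id", "aws_secret_access_key"):
                if key not in ini["default"]:
                    problems.append(f"aws: [default] lacks {key}")
    elif provider == "gcp":
        try:
            doc = json.loads(cloud)
        except ValueError as exc:
            return [f"gcp: not valid JSON: {exc}"]
        if doc.get("type") != "service_account":
            problems.append('gcp: "type" must be "service_account"')
        for key in ("project_id", "private_key", "client_email"):
            if not doc.get(key):
                problems.append(f"gcp: missing {key}")
    elif provider == "azure":
        lines = [ln for ln in cloud.splitlines() if ln.strip() and not ln.startswith("#")]
        if not lines:
            problems.append("azure: file is empty")
        for ln in lines:
            if not _ENV_LINE.match(ln):
                problems.append(f"azure: not a KEY=VALUE line: {ln!r}")
        if not any(ln.startswith("AZURE_") for ln in lines):
            problems.append("azure: no AZURE_* variables set")
    else:
        problems.append(f"unknown provider {provider!r}")
    return problems


def secret_contents_from_file(path: str) -> dict:
    """Equivalent of `--set-file credentials.secretContents.cloud=<path>`:
    the file's raw text, newlines intact, becomes the `cloud` value."""
    with open(path, encoding="utf-8") as fh:
        return {"cloud": fh.read()}


def render_secret(secret_contents: dict, name: str = "velero", namespace: str = "velero") -> dict:
    """Secret the chart creates when useSecret is true and existingSecret is
    empty (assumed name/namespace). Each entry becomes a base64 data key; the
    pod then sees each key as a file, e.g. /credentials/cloud (assumed path)."""
    return {
        "apiVersion": "v1",
        "kind": "Secret",
        "metadata": {"name": name, "namespace": namespace},
        "type": "Opaque",
        "data": {k: base64.b64encode(v.encode()).decode() for k, v in secret_contents.items()},
    }


def decode_cloud(secret: dict) -> str:
    """The exact bytes the provider plugin reads from the mounted file."""
    return base64.b64decode(secret["data"]["cloud"]).decode()


if __name__ == "__main__":
    for provider, cloud in (("aws", AWS_CLOUD), ("gcp", GCP_CLOUD), ("azure", AZURE_CLOUD)):
        print(provider, "OK" if not check_cloud(provider, cloud) else check_cloud(provider, cloud))
    # Writing the INI as a single YAML line loses the newlines the parser needs.
    print("aws one-liner:", check_cloud("aws", "[default] aws_access_key_id=X aws_secret_access_key=Y"))
    print(json.dumps(render_secret({"cloud": AWS_CLOUD}), indent=2))
```

Two operational notes. The `data` field is base64, not encryption: anyone who can read Secrets in the namespace can read the key. And when the credential is passed through `secretContents` or `--set-file`, it is also stored in the Helm release's saved values, so a second copy lives in the cluster; `existingSecret`, or the kube2iam/kiam route the chart comments mention, avoids that extra copy.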
