Velero: Question/documentation: migration -- how to "point to location used by cluster 1" on EKS w/ service role

Created on 6 Aug 2020 · 6 Comments · Source: vmware-tanzu/velero

I have two clusters, and would like to migrate from one to the other. They are setup using velero EKS config with service roles.

The documentation states:

(Cluster 2) Configure BackupStorageLocations and VolumeSnapshotLocations, pointing to the locations used by Cluster 1, using velero backup-location create and velero snapshot-location create.

How do I do this? The clusters have separate service roles, and the snapshot location of cluster 1 is simply listed as "default" by velero snapshot-location get. Perhaps I can hack the S3 permissions and/or the service role setup so that cluster 2 can read the cluster 1 bucket, but how do I "point to" the snapshot location (which is where??) and give cluster 2 permissions?

More extensive documentation would be useful.

Question Reviewed Q2 2021

All 6 comments

@shaunc
The instruction you are referring to is asking you to create backup storage location and volume snapshot locations in cluster 2 with the same data as those in cluster 1, where you want to migrate from.

The idea is that cluster 2 should be allowed/able to read backups taken from cluster 1. This will let Velero in cluster 2 read the backups and volume snapshots taken as part of backups from cluster 1, as part of restoring a backup from cluster 1 into cluster 2.

I hope this answers your question.

@ashish-amarnath -- in fact, that much I figured out. The question is how to set this up for EKS with service roles & IRSA. In fact, I ended up reconfiguring cluster 2 to have the same service account and S3 bucket as cluster 1. However, in general it would be good to have instructions on how to add an additional location, as often when you migrate you don't want to affect the target cluster's own backups.

It would seem that the snapshot location works by "magic" ... no setup seems necessary. I wonder how this would work if I wanted a permission boundary between the two clusters.

@shaunc From my rather limited understanding of service roles and IRSA, it seems like a feature to associate Kubernetes service accounts with IAM role policies. You might find this link useful: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts-cni-walkthrough.html

You can use the velero CLI to create new backup storage location and volume snapshot location

$ velero create --help | grep "location"
  backup-location   Create a backup storage location
  snapshot-location Create a volume snapshot location

We have some of what you are looking for documented at https://velero.io/docs/v1.4/locations/#additional-use-cases and https://velero.io/docs/v1.4/disaster-case/.
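As an added example (not from the Velero project or from anyone in this thread), the following shell functions render the two objects the comment above refers to, a BackupStorageLocation and a VolumeSnapshotLocation on cluster 2 that point at cluster 1's bucket, together with the minimal S3 statement cluster 2's IRSA role needs to read that bucket. The location names, bucket name, prefix and region are assumed placeholders. The BSL is created with `accessMode: ReadOnly` so cluster 2 can restore from cluster 1's store without ever writing into it, and the helper refuses the name `default` so the target cluster's own location (and its backups) are left untouched, which addresses the permission-boundary concern raised earlier in the thread.

```shell
#!/bin/sh
# Added example, not Velero project code. All names, the bucket, prefix and
# region below are assumed placeholders; adjust before applying.

# Refuse to reuse the name "default": that is the location cluster 2 already
# uses for its own backups, and overwriting it would redirect them.
check_location_name() {
  case "$1" in
    default|"") return 1 ;;
    *) return 0 ;;
  esac
}

# BackupStorageLocation pointing at cluster 1's bucket and prefix. ReadOnly
# lets cluster 2 restore from it but never write into the other cluster's store.
render_bsl() {
  name=$1; bucket=$2; prefix=$3; region=$4
  check_location_name "$name" || return 1
  cat <<EOF
apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
  name: $name
  namespace: velero
spec:
  provider: aws
  accessMode: ReadOnly
  objectStorage:
    bucket: $bucket
    prefix: $prefix
  config:
    region: $region
EOF
}

# VolumeSnapshotLocation: with the AWS plugin only the region is needed,
# because EBS snapshots are addressed by ID rather than by a bucket.
render_vsl() {
  name=$1; region=$2
  check_location_name "$name" || return 1
  cat <<EOF
apiVersion: velero.io/v1
kind: VolumeSnapshotLocation
metadata:
  name: $name
  namespace: velero
spec:
  provider: aws
  config:
    region: $region
EOF
}

# Minimal S3 statement for cluster 2's IRSA role: list and get on cluster 1's
# bucket only, nothing else. The EC2 snapshot permissions follow the AWS
# plugin's documented policy and are not repeated here.
render_s3_readonly_policy() {
  bucket=$1
  cat <<EOF
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": ["s3:GetObject", "s3:ListBucket"],
      "Resource": [
        "arn:aws:s3:::$bucket",
        "arn:aws:s3:::$bucket/*"
      ]
    }
  ]
}
EOF
}

# Usage with placeholder values: render, review, then kubectl apply -f the
# manifests against cluster 2 and attach the policy to its IRSA role.
# render_bsl cluster1-backups cluster1-velero-bucket velero us-east-1
# render_vsl cluster1-snapshots us-east-1
# render_s3_readonly_policy cluster1-velero-bucket
```

The rendered manifests are the declarative equivalent of `velero backup-location create` and `velero snapshot-location create`, which suits a Terraform-driven setup; the only coupling between the two clusters is the read-only S3 grant, so cluster 1's role and bucket policy need no change.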

Thanks! ... If I understood this stuff better myself, I'd open a PR. Unfortunately, the documentation is either a bit thin or not necessarily relevant.

@shaunc Glad you were able to figure this out!
We'd appreciate a PR with the docs.
If you are unable to submit a PR atm, please add some pointers to resources you found helpful into this issue; that will help us update our documentation or can help another user.

So -- as I indicated above, my main workaround was to change the 2nd cluster service account to be the same as the first, so I didn't have to figure out the IRSA reconfigurations. I didn't know about velero create snapshot-location, which might have helped out with the issues I was running into. (Though really I need "set snapshot-location".) But I like to provision with terraform, so would prefer a terraform-provider-compatible way of specifying snapshot locations and their linked roles (and not just use blanket EC2 permissions).

Next time I "cycle" on this (when I set up a new cluster), I'll see if I can do this more systematically.
