Preparing the Azure Kubernetes Service cluster to back up the DevOps Test Hub data

When you want to back up the IBM® DevOps Test Hub (Test Hub) data, you must prepare your Azure Kubernetes Service (AKS) cluster to store the backed-up data.

You must have completed the following tasks:

  • Ensured that you have an Azure subscription along with an Owner or Contributor and User-Access Administrator role on the Azure subscription.

    You can create a subscription from Microsoft Azure if you do not have a valid subscription.

  • Downloaded Velero 1.14.x from the Velero repository.

    CAUTION: The instructions provided in this procedure are an example of how an AKS cluster can be configured to use the Velero 1.14.x Microsoft Azure plugin for backing up and restoring the Test Hub data. The procedures to back up and restore the server data might not be valid in all scenarios.
  • Copied the Velero executable file into one of the directories in the PATH environment variable.

  • Installed Azure Command-Line Interface (CLI). For more information, refer to the Azure CLI documentation.

Velero is one of the tools that is available to back up and restore the server data. You must prepare your AKS cluster where you installed Test Hub before you back up the data by using Velero.

  1. Run the following command to log in to AKS interactively:
    az login
    The command-line interface opens a browser and displays the Log-in page of AKS.
  2. Sign in with your AKS account credentials.
  3. Run the following command to set your active subscription:
    az account set --subscription <subscription_name>

    You must replace <subscription_name> with the name of your active Azure subscription.

  4. Run the following command to set the location of your AKS cluster:
    az configure --defaults location=<location_name>

    For example, az configure --defaults location=eastus2

    Tip: You can run the following command to get the list of all the available locations:
    az account list-locations --query "[].{DisplayName:displayName, Name:name}" -o table
  5. Run the following commands to deploy the Velero backup template that is used to back up the files:
    RESOURCE_GROUP=devops
    INSTANCE=devops0
    IDENTITY_NAME=velero
    BLOB_CONTAINER=velero
    AZURE_BACKUP_RESOURCE_GROUP=Velero_Backups
    AZURE_STORAGE_ACCOUNT_ID="velero$(date -u +%s)"
    MANAGED_CLUSTER_RESOURCE_GROUP=$(az aks show -g $RESOURCE_GROUP -n $INSTANCE -o tsv --query nodeResourceGroup)
    cd hcl-devops/azure/    #Navigate to the directory where you have the installation files
    az group create -n $AZURE_BACKUP_RESOURCE_GROUP --location <location_name>
    az deployment group create -g $MANAGED_CLUSTER_RESOURCE_GROUP --template-file azure/backup.bicep --parameters backupResourceGroupName=$AZURE_BACKUP_RESOURCE_GROUP identityName=$IDENTITY_NAME storageAccountId=$AZURE_STORAGE_ACCOUNT_ID blobContainerName=$BLOB_CONTAINER
    Note: You must replace <location_name> with the location of your AKS cluster.
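  6. Run the following commands to create the velero service account, annotated with the client ID of the managed identity, and a cluster role binding that grants that service account the cluster-admin cluster role: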
    AZURE_SUBSCRIPTION_ID=$(az account list --query '[?isDefault].id' -o tsv)
    AZURE_TENANT_ID=$(az account show -s $AZURE_SUBSCRIPTION_ID --query tenantId -o tsv)
    
    IDENTITY_CLIENT_ID="$(az identity show -g $MANAGED_CLUSTER_RESOURCE_GROUP -n $IDENTITY_NAME --subscription $AZURE_SUBSCRIPTION_ID --query clientId -o tsv)"
    
    kubectl create namespace velero
    
    cat <<EOF | kubectl apply -n velero -f -
    apiVersion: v1
    kind: ServiceAccount
    metadata:
      annotations:
        azure.workload.identity/client-id: $IDENTITY_CLIENT_ID
      name: velero
    ---
    apiVersion: rbac.authorization.k8s.io/v1
    kind: ClusterRoleBinding
    metadata:
      name: velero-cluster-admin
    subjects:
    - kind: ServiceAccount
      name: velero
      namespace: velero
    roleRef:
      kind: ClusterRole
      name: cluster-admin
      apiGroup: rbac.authorization.k8s.io
    EOF
  7. Run the following commands to establish a federated identity credential between the identity and the service account issuer and subject:
    SERVICE_ACCOUNT_ISSUER=$(az aks show --resource-group $RESOURCE_GROUP --name $INSTANCE --query oidcIssuerProfile.issuerUrl -o tsv)
    
    az identity federated-credential create \
      --name kubernetes-federated-credential \
      --identity-name "$IDENTITY_NAME" \
      --resource-group "$MANAGED_CLUSTER_RESOURCE_GROUP" \
      --issuer "$SERVICE_ACCOUNT_ISSUER" \
      --subject system:serviceaccount:velero:velero
  8. Run the following command to create the Velero credentials file that contains all the relevant environment variables:
    cat << EOF > ./credentials-velero
    AZURE_SUBSCRIPTION_ID=$AZURE_SUBSCRIPTION_ID
    AZURE_RESOURCE_GROUP=$MANAGED_CLUSTER_RESOURCE_GROUP
    AZURE_CLOUD_NAME=AzurePublicCloud
    EOF
  9. Run the following command to install Velero:
    velero install \
        --provider azure \
        --plugins=velero/velero-plugin-for-microsoft-azure:v1.10.1 \
        --service-account-name velero \
        --pod-labels azure.workload.identity/use=true \
        --bucket $BLOB_CONTAINER \
        --secret-file ./credentials-velero \
        --backup-location-config useAAD="true",storageAccountURI="https://$AZURE_STORAGE_ACCOUNT_ID.blob.core.windows.net",resourceGroup=$AZURE_BACKUP_RESOURCE_GROUP,storageAccount=$AZURE_STORAGE_ACCOUNT_ID,subscriptionId=$AZURE_SUBSCRIPTION_ID \
        --snapshot-location-config apiTimeout=5m,resourceGroup=$AZURE_BACKUP_RESOURCE_GROUP,subscriptionId=$AZURE_SUBSCRIPTION_ID \
        --wait
  10. To verify that the Velero installation is complete, run the following command and verify that the pods are running.
    kubectl get pod -n velero
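
Steps 5 to 9 expand shell variables inside heredocs and command flags, so a variable that is lost between steps (for example, after opening a new terminal) silently produces an empty service account annotation or an empty credentials entry. The following pre-flight checks are an added example and are not part of the product documentation; the function names are hypothetical, and the storage account naming rule (3 to 24 lowercase letters and digits) is Azure's rule rather than something this page states.

```shell
#!/bin/sh
# Added example: pre-flight checks for steps 5 to 9 (function names are hypothetical).

# Variables that steps 5 to 9 expand; an empty one yields a broken manifest or flag.
REQUIRED_VARS="RESOURCE_GROUP INSTANCE IDENTITY_NAME BLOB_CONTAINER
AZURE_BACKUP_RESOURCE_GROUP AZURE_STORAGE_ACCOUNT_ID MANAGED_CLUSTER_RESOURCE_GROUP
AZURE_SUBSCRIPTION_ID IDENTITY_CLIENT_ID SERVICE_ACCOUNT_ISSUER"

# Print the required variables that are unset or empty; return 1 if there are any.
missing_vars() (
  missing=""
  for name in $REQUIRED_VARS; do
    eval "value=\${$name:-}"
    [ -n "$value" ] || missing="$missing $name"
  done
  echo "${missing# }"
  [ -z "$missing" ]
)

# Assumption: Azure's naming rule for storage accounts (3-24 lowercase letters/digits).
valid_storage_account_name() {
  printf '%s\n' "$1" | grep -Eq '^[a-z0-9]{3,24}$'
}

# Check the file from step 8: the three expected keys must be non-empty, and no
# long-lived secret may be present, because workload identity does not need one.
check_credentials_file() (
  file=$1
  [ -r "$file" ] || { echo "unreadable: $file"; exit 1; }
  rc=0
  for key in AZURE_SUBSCRIPTION_ID AZURE_RESOURCE_GROUP AZURE_CLOUD_NAME; do
    value=$(sed -n "s/^[[:space:]]*$key=//p" "$file" | head -n 1)
    [ -n "$value" ] || { echo "empty or missing: $key"; rc=1; }
  done
  if grep -Eq '^[[:space:]]*AZURE_(CLIENT_SECRET|STORAGE_ACCOUNT_ACCESS_KEY)=' "$file"; then
    echo "long-lived secret found in $file"; rc=1
  fi
  exit "$rc"
)
```

Source the file in the shell where you run the procedure, call `missing_vars` and `valid_storage_account_name "$AZURE_STORAGE_ACCOUNT_ID"` before step 6, and call `check_credentials_file ./credentials-velero` before step 9.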
You have prepared your cluster to back up the server data.
You can now back up the server data. See Backing up the DevOps Test Hub data on Azure Kubernetes Service.