Installing and deploying Kubernetes Backup Support images in the Kubernetes environment

Before you can back up and restore persistent volumes that are attached to your containers in a Kubernetes cluster environment, you must install and deploy Kubernetes Backup Support images.

Before you begin

You can install Kubernetes Backup Support by using one of the following methods:
By downloading and installing the Helm package from IBM® Helm Charts Repository and IBM Entitled Registry
The Helm package is smaller in size and therefore takes less time to download. Internet access is required to pull containers at deployment time. You can download the Helm package file named ibm-spectrum-protect-plus-prod-1.0.0.tgz at https://github.com/IBM/charts/tree/master/repo/entitled.
For instructions on installing the Helm chart, see the product README file at https://github.com/IBM/charts/tree/master/entitled/ibm-spectrum-protect-plus-prod.
By downloading and installing the product package from IBM Passport Advantage® Online
The installation package from IBM Passport Advantage is a larger but self-contained package. Internet access is not required at deployment time. Instructions for downloading and installing the package are provided in this topic.

Complete the following tasks to download the installation package from IBM Passport Advantage:

  • Ensure that your system environment meets the requirements that are described in Kubernetes Backup Support requirements and Prerequisites for Kubernetes Backup Support.
  • Download the installation file SPP_V10.1.6_for_Containers.tar.gz from Passport Advantage® Online. For information about downloading files, see technote 5693313.
  • Validate the downloaded file by using one of the following methods:
    • Verify the MD5 checksum of the downloaded installation file. Ensure that the generated checksum matches the one provided in the MD5 Checksum file, which is part of the software download.
    • Verify the signed file that is associated with the installation package by issuing the following command:
      openssl dgst -sha256 -verify IBMSPSignCertificatePublic -signature ./SPP_V10.1.6_for_Containers.tar.gz.sig ./SPP_V10.1.6_for_Containers.tar.gz
Restrictions:
  • A rollback to a previous version of Kubernetes Backup Support is not supported. In other words, you cannot use Kubernetes Backup Support V10.1.5 to restore data that was backed up by Kubernetes Backup Support V10.1.6.
  • Upgrading the product from Kubernetes Backup Support V10.1.5 is not supported.
  • Due to underlying changes in the BaasReq object, you cannot use Kubernetes Backup Support V10.1.6 to restore data that was backed up by Kubernetes Backup Support V10.1.5.

About this task

During the installation and deployment procedure, you must update the baas_config.cfg configuration file with specifications for your environment, and then run the installation script baas_install.sh. When you run the installation script, an appropriate Helm Chart is automatically called to deploy Kubernetes Backup Support in your environment.

Procedure

Complete the following steps on the command line in the Kubernetes environment:

  1. Log in to the target cluster as a user with cluster-admin privileges.
  2. Unpack the installation package (SPP_V10.1.6_for_Containers.tar.gz) by entering the following command: 
    tar -xvf SPP_V10.1.6_for_Containers.tar.gz
    This command extracts a folder that is named installer.
  3. Go to the installer directory by entering the following command: 
    cd installer
  4. Run the following command to obtain the Classless Inter-Domain Routing (CIDR) method for the cluster. The values are used in Step 6. 
    kubectl cluster-info dump | grep -m 1 cluster-cidr
    The CIDR is provided in the output in the following format:
    --cluster-cidr=xxx.yyy.0.0/zz
    Tip: If the command does not return the CIDR, change the grep expression to look for the combination of "cluster" and "CIDR" and run the command again.
    The CIDR is similar to the following example: 
    198.51.0.0/24
  5. Run the following command to obtain the cluster and the IP address and port for the cluster API server. The values are used in Step 6. 
    kubectl config view|awk '/cluster\:/,/server\:/' | grep server\: | awk '{print $2}'
    The result is a URL that is composed of an IP address and port number, as shown in the following example:
    https://192.0.2.0:6443
    where 192.0.2.0 is the cluster API server IP address and 6443 is the port address.
  6. Edit the baas_config.cfg file with a text editor and modify the configuration parameters by providing the appropriate values for your environment. Enclose the values in quotation marks, as shown in the following example. 
    BAAS_ADMIN="sppadmin"

    The following table contains the parameters that you must modify:

    Table 1. Specifications for the baas_config.cfg configuration file
    Parameter Description
    BAAS_ADMIN The user ID of the IBM Spectrum Protect Plus administrator.
    BAAS_PASSWORD The IBM Spectrum Protect Plus password.

    For increased security, specify an empty string (""). You are prompted for the password when you run the deployment script. If you must specify a password in the configuration file for automated test deployments, ensure that the file is stored in a secure location.
    CLUSTER_NAME The unique cluster name that is used to register the application host to the IBM Spectrum Protect Plus server.
    CLUSTER_CIDR The CIDR for the cluster. Enter the CDIR that was obtained in Step 4.
    CLUSTER_API_SERVER_IP_ADDRESS The IP address or fully qualified domain name (FQDN) for the cluster API server. Enter the IP address or FQDN that was obtained in Step 5.
    CLUSTER_API_SERVER_PORT The port address for the cluster API server. Enter the port address that was obtained in Step 5.
    LICENSE The product license for Kubernetes Backup Support. The English license file is located in the installer/licenses/LA_en directory that is included in the installation package. Versions of the license in other languages are available at License Information documents.

    Review the license information, and specify ACCEPTED to accept the license during installation without being prompted.

    The default value is NOTACCEPTED. If you do not change the default value, you are prompted to accept the license during installation. Otherwise, the installation fails.
    SPP_AGENT_SERVICE_NODEPORT The SSH port for the connection from IBM Spectrum Protect Plus from to the Kubernetes Backup Support agent container service.

    If you do not specify a value for this port, a random port within the NodePort range is assigned by the NodePort service in Kubernetes. The default range is 30000 - 32767.

    If you specify a value for this port, use a port number within the NodePort range that is set up by the Kubernetes administrator. Ensure that the port is not already in use by the cluster. If the port is already in use, the installation process fails with an error that shows which NodePorts are already in use.
    SPP_IP_ADDRESSES The IBM Spectrum Protect Plus server IP address or FQDN.
    PRODUCT_IMAGE_REGISTRY The Docker registry address and port that hosts the containers.

    Enter the address in the ip_address:port format.
    PRODUCT_IMAGE_REGISTRY_NAMESPACE The Docker registry namespace that hosts the containers.
    PRODUCT_IMAGE_REGISTRY_SECRET_NAME The name of the Kubernetes image-pull secret that contains the credentials for the registry. The secret must be in the namespace that is specified by the PRODUCT_IMAGE_REGISTRY_NAMESPACE parameter.

    If you are using an internal registry, enter an empty string ("").

    For the data mover container to run, the image-pull secret must be in every namespace of each persistent volume claim (PVC) to be backed up and restored.

    For instructions about creating the image-pull secret, see Creating an image-pull secret for use with an external registry.
    PRODUCT_LOGLEVEL The trace levels for troubleshooting issues with the Kubernetes Backup Support transaction manager, controller, and scheduler components. The following trace levels are available: INFO, WARNING, DEBUG, or ERROR.

    Default: INFO
    Restrictions:
    • The following parameters and values are reserved for Kubernetes Backup Support. Keep them as is.
      PRODUCT_NAMESPACE="baas"
OPERATOR_NAMESPACE="default"
PRODUCT_TARGET_PLATFORM="K8S"
    • The SPP_PORT value specifies the port for the IBM Spectrum Protect Plus user interface. Do not change the default value of 443.
    • Kubernetes Backup Support is available only in English in IBM Spectrum Protect Plus V10.1.6. For this reason, do not change the PRODUCT_LOCALIZATION="en_US" setting.
    Your specifications are automatically inserted into the ConfigMap (baas-configmap) during the deployment.
  7. Start the installation and deployment by issuing the following command. 
    ./baas_install.sh -i

    When prompted, enter yes to continue.

  8. During the installation process, you are prompted for the following information:
    1. Enter the IBM Spectrum Protect Plus administrator ID and password when prompted.
    2. When prompted to verify the connectivity to the IBM Spectrum Protect Plus server, enter yes to continue.

      If you enter no, the installation continues without verifying the connectivity to the IBM Spectrum Protect Plus server.

      If you enter yes and the connectivity test fails, the installation terminates with the following error message:
      ERROR: Could not connect to IBM Spectrum Protect Plus server with provided credentials.

    Depending on your environment, it might take several minutes to load and deploy the package.

  9. To verify that the Kubernetes Backup Support components are properly installed, issue the following command: 
    ./baas_install.sh -s

    If the installation fails, the missing components are listed in the MISSING section of the output.

    Tip: You can also check the status of the installation with the ./helm status baas command.

Results

When all pods are running, the deployment is completed. To verify that all pods are in the Running state and no components are missing, issue the following command:
kubectl get pods -n baas
or
kubectl describe pod pod_name -n baas
The output is similar to the following example:
kubcectl get pods -n baas
NAME                                        READY   STATUS    RESTARTS   AGE
baas-controller-768869468c-crtd4            1/1     Running   0          4m24s
baas-kafka-68d7ff8455-m96cc                 1/1     Running   0          4m24s
baas-scheduler-656978d87f-thqv2             1/1     Running   1          4m24s
baas-spp-agent-cdb784466-v9tnz              1/1     Running   0          4m24s
baas-transaction-manager-657db7bb8b-6dgqb   1/1     Running   2          4m24s
------------------------------------------------------------------------
All pods are running.
All resources are installed successfully.
Installation is completed.
Product release >>baas<< version 10.1.6 has been isntalled in namespace >>baas<< at Wed May 20 17:58:02 MST 2020.
Script baas_install.sh finished at Wed May 20 17:58:02 MST 2020. A log of this transaction has been written to /tmp
/baas_installation.sh_20200520-175605.log .

If the data mover container is not listed in the output, the data mover container is deployed at run time.

You can show the Kubernetes Backup Support services that are set up by issuing the following command:
kubectl get services -n baas
The output is similar to the following example:
NAME                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)             AGE
baas-kafka-svc             ClusterIP   10.110.116.210   <none>        9092/TCP,2181/TCP   4m27s
baas-scheduler             ClusterIP   10.96.38.170     <none>        8000/TCP            4m27s
baas-spp-agent             NodePort    10.110.164.151   <none>        22:30412/TCP        4m27s
baas-transaction-manager   ClusterIP   10.108.42.194    <none>        5000/TCP            4m27s

The baas-datamover service is deployed at runtime with type NodePort instead of the ClusterIP range with the TCP protocol.

You can show the Kubernetes Backup Support network policies that are deployed by issuing the following command:
kubectl get networkpolicies -n baas
The output is similar to the following example:
NAME                       POD SELECTOR                                                                                                   AGE
baas-ctl-networkpolicy     app.kubernetes.io/component=controller,app.kubernetes.io/name=baas,app.kubernetes.io/version=10.1.6            4m30s
baas-kafka                 app.kubernetes.io/component=kafka,app.kubernetes.io/name=baas,app.kubernetes.io/version=10.1.6                 4m30s
baas-scheduler             app.kubernetes.io/component=scheduler,app.kubernetes.io/name=baas,app.kubernetes.io/version=10.1.6             4m30s
baas-spp-agent             app.kubernetes.io/component=spp-agent,app.kubernetes.io/name=baas,app.kubernetes.io/version=10.1.6             4m30s
baas-transaction-manager   app.kubernetes.io/component=transaction-manager,app.kubernetes.io/name=baas,app.kubernetes.io/version=10.1.6   4m30s

The network policy for the data mover is deployed at runtime with the pod-selector app.kubernetes.io/name=baas,app.kubernetes.io/component=datamover,version=10.1.6.

What to do next

After the deployment is completed, the application host for the Kubernetes Backup Support container is automatically registered upon startup of the cluster host in Kubernetes. However, if the automatic registration was unsuccessful, you can manually register the cluster by using the IBM Spectrum Protect Plus user interface. For instructions, see Registering a Kubernetes cluster.

If you want to update the existing configuration or to upgrade an existing installation of Kubernetes Backup Support, modify the parameters in the baas_config.cfg file as required for your environment, and issue the following command: 
./baas_install.sh -u