Velero using Azure Managed Identity

Posted in cloud on January 20, 2025 by Adrian Wyssmann ‐ 2 min read

What is velero?

velero is a backup and restore tool that allows you to

  • Take backups of your cluster and restore in case of loss.
  • Migrate cluster resources to other clusters.
  • Replicate your production cluster to development and testing clusters.

What do we want to do?

We are currently running velero. However, we want to use Azure Managed Identity. Currently our setup uses 2 different resource groups:

  • 1 for the storage account
  • 1 for AKS (disk snapshots).

Looking through the documentation, it is not very clear to me how to specify different resource groups using ./credentials-velero. Actually it’s quite simple. So if you are installing velero with helm you need to define the following in the values.yaml

  1. Define the service account:
serviceAccount:
  server:
    create: true
    name: velero-server
    annotations:
      azure.workload.identity/client-id: xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
  2. Set podLabels to use the Azure identity:
podLabels:
  azure.workload.identity/use: "true"
  3. Define the backup storage location and ensure you set configuration.backupStorageLocation[0].config.useAAD:
configuration:
  backupStorageLocation:
    - name: "backup-velero" # Name for the velero backup location object, where backups should be stored.
      provider: azure
      bucket: "velero-backup" # The bucket/blob container in which to store backups.
      default: true
      validationFrequency:
      accessMode: ReadWrite
      config:
        resourceGroup: "rg-velero"       # Name of the resource group containing the storage account for this backup storage location.
        subscriptionId: "xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx" # ID of the subscription for this backup storage location
        storageAccount: "velero"                   # Name of the storage account for this backup storage location
        useAAD: "true"
  4. Define volumeSnapshotLocation
  5. Define the cloud credentials:
credentials:
  useSecret: true
  name: azure
  secretContents:
    cloud: |
      AZURE_TENANT_ID={{ .AZURE_TENANT_ID }}
      AZURE_CLIENT_ID={{ .AZURE_CLIENT_ID }}
      AZURE_SUBSCRIPTION_ID=xxxxxxxx-xxxx-xxxx-xxxx-xxxxxxxxxxxx
      AZURE_RESOURCE_GROUP=rg-aks-pool
      AZURE_CLOUD_NAME=AzurePublicCloud
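As an added example (not part of the original post or of velero), the following script checks a loaded values.yaml for the points the steps above depend on: the workload-identity pod label, useAAD on the backup storage location, a storage-account resource group separate from the AZURE_RESOURCE_GROUP used for disk snapshots, and no leftover client secret or placeholder IDs. The embedded VALUES dict and its IDs are constructed; in practice you would load the dict with yaml.safe_load.

```python
# Added example (not from the post): consistency checks over the Velero Helm
# values for the Azure workload-identity setup above. VALUES is what
# yaml.safe_load would return for values.yaml; constructed placeholder IDs.
VALUES = {
    "serviceAccount": {"server": {"create": True, "name": "velero-server",
        "annotations": {"azure.workload.identity/client-id":
                        "00000000-0000-0000-0000-000000000001"}}},
    "podLabels": {"azure.workload.identity/use": "true"},
    "configuration": {"backupStorageLocation": [{
        "name": "backup-velero", "provider": "azure", "bucket": "velero-backup",
        "config": {"resourceGroup": "rg-velero",          # storage account RG
                   "subscriptionId": "00000000-0000-0000-0000-0000000000aa",
                   "storageAccount": "velero", "useAAD": "true"}}]},
    "credentials": {"useSecret": True, "name": "azure", "secretContents": {"cloud":
        "AZURE_TENANT_ID=00000000-0000-0000-0000-0000000000ff\n"
        "AZURE_CLIENT_ID=00000000-0000-0000-0000-000000000001\n"
        "AZURE_SUBSCRIPTION_ID=00000000-0000-0000-0000-0000000000aa\n"
        "AZURE_RESOURCE_GROUP=rg-aks-pool\n"                # AKS disk snapshot RG
        "AZURE_CLOUD_NAME=AzurePublicCloud\n"}},
}

def parse_cloud(text):
    """Parse the KEY=VALUE lines of the 'cloud' credentials file into a dict."""
    return dict(line.split("=", 1) for line in text.splitlines() if "=" in line)

def check_values(values):
    """Return a list of findings; an empty list means the setup is consistent."""
    findings = []
    sa = values.get("serviceAccount", {}).get("server", {})
    client_id = sa.get("annotations", {}).get("azure.workload.identity/client-id", "")
    if values.get("podLabels", {}).get("azure.workload.identity/use") != "true":
        findings.append('podLabels azure.workload.identity/use must be "true"')
    raw = values["credentials"]["secretContents"]["cloud"]
    cloud = parse_cloud(raw)
    if "{{" in raw or "x" in client_id:
        findings.append("unrendered template or placeholder IDs still present")
    if "AZURE_CLIENT_SECRET" in cloud:
        findings.append("AZURE_CLIENT_SECRET set: static secret instead of managed identity")
    if cloud.get("AZURE_CLIENT_ID") != client_id:
        findings.append("service account client-id differs from AZURE_CLIENT_ID")
    if not cloud.get("AZURE_RESOURCE_GROUP"):
        findings.append("AZURE_RESOURCE_GROUP (resource group for disk snapshots) missing")
    for bsl in values["configuration"]["backupStorageLocation"]:
        cfg = bsl.get("config", {})
        if cfg.get("useAAD") != "true":
            findings.append(f'{bsl["name"]}: config.useAAD must be "true" for AAD auth')
        if not cfg.get("resourceGroup"):
            findings.append(f"{bsl['name']}: config.resourceGroup (storage account RG) missing")
    return findings
```

Run check_values on the dict loaded from your own values.yaml before installing the chart; any non-empty result points at the step that still needs attention.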