Note
As of March 5, 2024, "Azure Active Directory" has been renamed as "Microsoft Entra ID." Throughout this documentation, references to "Azure Active Directory" will be updated to use both the new and old names. Both names will be used for a while, after which the documentation will be updated to use only the new name.
Installing Veeam Kasten on Azure
Prerequisites
Before installing Veeam Kasten on Azure Kubernetes Service (AKS), please ensure that the install prerequisites are met.
Installing Veeam Kasten
Veeam Kasten supports multiple options to authenticate with Microsoft Entra
ID (formerly Azure Active Directory), including Azure Service Principal,
Azure Managed Identity with a specific Client ID, and Azure Managed Identity
with the default ID. Please select one of these options if you wish to
provide Azure credentials through helm
. If multiple credential sets
are provided, the installation will fail.
Installing Veeam Kasten with Service Principal
To install on Azure with Service Principal, you need to specify Client Secret credentials including your Azure tenant, service principal client ID and service principal client secret.
$ helm install k10 kasten/k10 --namespace=kasten-io \
--set secrets.azureTenantId=<tenantID> \
--set secrets.azureClientId=<azureclient_id> \
--set secrets.azureClientSecret=<azureclientsecret>
Installing Veeam Kasten on Azure Stack with Service Principal
To install on Azure Stack, you need to specify your -
Azure tenant: the Azure Stack tenant ID (you'll find it in global azure portal > Azure Directory > Properties)
Service principal client ID: client ID of the app that was used to create the Kubernetes cluster (you'll find it in global azure portal > Azure Directory > App registration)
Service principal client secret: client-secret of the app that was used to create the Kubernetes cluster (you'll find it in global azure portal > Azure Directory > App registration > Certificate and secrets)
Azure Resource Group: name of the Resource Group that was created for the Kubernetes cluster
Azure subscription ID: a valid subscription in your Azure Stack tenant (if your az client has its default cloud set to your Azure Stack instance, you can obtain the first subscription ID with
az account list | jq '.[0].id'
)Azure Resource Manager endpoint: the resource management endpoint for this Azure Stack instance (if your az client has its default cloud set to your Azure Stack instance, you can obtain it with
az cloud show | jq '.endpoints.resourceManager'
. e.g., https://management.ppe5.example.com)Active Directory endpoint: the active directory login endpoint (if your az client has its default cloud set to your Azure Stack instance, you can obtain it with
az cloud show | jq '.endpoints.activeDirectory'
. e.g.,https://login.microsoftonline.com/
)Active Directory resource ID: the resource ID to obtain AD tokens (if your az client has its default cloud set to your Azure Stack instance, you can obtain it with
az cloud show | jq '.endpoints.activeDirectoryResourceId
. e.g., https://management.example.com/71fb132f-xxxx-4e60-yyyy-example47e19)
You can find more information for creating a Kubernetes cluster on Azure Stack in this Microsoft tutorial
$ helm install k10 kasten/k10 --namespace=kasten-io \
--set secrets.azureTenantId=<tenantID> \
--set secrets.azureClientId=<azureclientID> \
--set secrets.azureClientSecret=<azureclientsecret> \
--set secrets.azureResourceGroup=<resourceGroup> \
--set secrets.azureSubscriptionID=<subscriptionID> \
--set secrets.azureResourceMgrEndpoint=<resourceManagerEndpoint> \
--set secrets.azureADEndpoint=<activeDirectoryEndpoint> \
--set secrets.azureADResourceID=<activeDirectoryResourceID> \
--set services.dashboardbff.hostNetwork=true
Existing Secret Usage
It is possible to use an existing secret to provide the following parameters for Azure configuration:
- Azure tenant
Field name -
azure_tenant_id
- Service principal client ID
Field name -
azure_client_id
- Service principal client secret
Field name -
azure_client_secret
To do so, the following Helm option can be used:
--set secrets.azureClientSecretName=<secret name>
Note
Please ensure that the secret exists in the namespace where Veeam Kasten is installed. The default namespace assumed throughout this documentation is kasten-io.
apiVersion: v1
kind: Secret
metadata:
name: my-azure-creds
namespace: kasten-io
data:
azure_client_id: MjMzODAyNWMEXAMPLEID
azure_client_secret: UlVMOFF+dnpwM1EXAMPLESECRET
azure_tenant_id: YmEwN2JhEXAMPLETENANTID
type: Opaque
Installing Veeam Kasten with Managed Identity
Before installing Veeam Kasten with Azure Managed Identity, you need to ensure that Managed Identity is enabled on your cluster. Please note that Veeam Kasten supports only single-identity nodes at the moment.
When installing Veeam Kasten with Managed Identity, you have an option of installing with a specific Client ID, or to use the default ID.
To install on Azure using a specific client ID, you need to specify the client ID.
$ helm install k10 kasten/k10 --namespace=kasten-io \
--set secrets.azureClientId=<azureclient_id> \
To install on Azure using the default Managed Identity, you need to set
azure.useDefaultMSI
to true.
$ helm install k10 kasten/k10 --namespace=kasten-io \
--set azure.useDefaultMSI=true \
Installing Veeam Kasten on Azure US Government Cloud (...and others)
To install Veeam Kasten on Microsoft Azure US Government cloud, make sure to set the following helm options:
--set secrets.azureCloudEnvID=AzureUSGovernmentCloud
This will ensure that Veeam Kasten points to appropriate endpoints. These options can also be used to specify other clouds like AzureChinaCloud.
Validating the Install
To validate that Veeam Kasten has been installed properly, the
following command can be run in Veeam Kasten's namespace (the
install default is kasten-io
) to watch for the status of
all Veeam Kasten pods:
$ kubectl get pods --namespace kasten-io --watch
It may take a couple of minutes for all pods to come up but all pods
should ultimately display the status of Running
.
$ kubectl get pods --namespace kasten-io
NAMESPACE NAME READY STATUS RESTARTS AGE
kasten-io aggregatedapis-svc-b45d98bb5-w54pr 1/1 Running 0 1m26s
kasten-io auth-svc-8549fc9c59-9c9fb 1/1 Running 0 1m26s
kasten-io catalog-svc-f64666fdf-5t5tv 2/2 Running 0 1m26s
...
In the unlikely scenario that pods that are stuck in any other state, please follow the support documentation to debug further.
Validate Dashboard Access
By default, the Veeam Kasten dashboard will not be exposed externally.
To establish a connection to it, use the following kubectl
command
to forward a local port to the Veeam Kasten ingress port:
$ kubectl --namespace kasten-io port-forward service/gateway 8080:80
The Veeam Kasten dashboard will be available at http://127.0.0.1:8080/k10/#/.
For a complete list of options for accessing the Kasten Veeam Kasten dashboard through a LoadBalancer, Ingress or OpenShift Route you can use the instructions here.