Note

As of March 5, 2024, "Azure Active Directory" has been renamed as "Microsoft Entra ID." Throughout this documentation, references to "Azure Active Directory" will be updated to use both the new and old names. Both names will be used for a while, after which the documentation will be updated to use only the new name.

Installing Veeam Kasten on Azure

Prerequisites

Before installing Veeam Kasten on Azure Kubernetes Service (AKS), please ensure that the install prerequisites are met.

Installing Veeam Kasten

Veeam Kasten supports multiple options to authenticate with Microsoft Entra ID (formerly Azure Active Directory), including Azure Service Principal, Azure Managed Identity with a specific Client ID, and Azure Managed Identity with the default ID. Please select one of these options if you wish to provide Azure credentials through helm. If multiple credential sets are provided, the installation will fail.

Installing Veeam Kasten with Service Principal

To install on Azure with Service Principal, you need to specify Client Secret credentials including your Azure tenant, service principal client ID and service principal client secret.

$ helm install k10 kasten/k10 --namespace=kasten-io \
    --set secrets.azureTenantId=<tenantID> \
    --set secrets.azureClientId=<azureclient_id> \
    --set secrets.azureClientSecret=<azureclientsecret>

Installing Veeam Kasten on Azure Stack with Service Principal

To install on Azure Stack, you need to specify the following:

  • Azure tenant: the Azure Stack tenant ID (you'll find it in global azure portal > Azure Directory > Properties)

  • Service principal client ID: client ID of the app that was used to create the Kubernetes cluster (you'll find it in global azure portal > Azure Directory > App registration)

  • Service principal client secret: client-secret of the app that was used to create the Kubernetes cluster (you'll find it in global azure portal > Azure Directory > App registration > Certificate and secrets)

  • Azure Resource Group: name of the Resource Group that was created for the Kubernetes cluster

  • Azure subscription ID: a valid subscription in your Azure Stack tenant (if your az client has its default cloud set to your Azure Stack instance, you can obtain the first subscription ID with az account list | jq '.[0].id')

  • Azure Resource Manager endpoint: the resource management endpoint for this Azure Stack instance (if your az client has its default cloud set to your Azure Stack instance, you can obtain it with az cloud show | jq '.endpoints.resourceManager', e.g., https://management.ppe5.example.com)

  • Active Directory endpoint: the active directory login endpoint (if your az client has its default cloud set to your Azure Stack instance, you can obtain it with az cloud show | jq '.endpoints.activeDirectory', e.g., https://login.microsoftonline.com/)

  • Active Directory resource ID: the resource ID to obtain AD tokens (if your az client has its default cloud set to your Azure Stack instance, you can obtain it with az cloud show | jq '.endpoints.activeDirectoryResourceId', e.g., https://management.example.com/71fb132f-xxxx-4e60-yyyy-example47e19)

You can find more information on creating a Kubernetes cluster on Azure Stack in this Microsoft tutorial.

$ helm install k10 kasten/k10 --namespace=kasten-io \
    --set secrets.azureTenantId=<tenantID> \
    --set secrets.azureClientId=<azureclientID> \
    --set secrets.azureClientSecret=<azureclientsecret> \
    --set secrets.azureResourceGroup=<resourceGroup> \
    --set secrets.azureSubscriptionID=<subscriptionID> \
    --set secrets.azureResourceMgrEndpoint=<resourceManagerEndpoint> \
    --set secrets.azureADEndpoint=<activeDirectoryEndpoint> \
    --set secrets.azureADResourceID=<activeDirectoryResourceID> \
    --set services.dashboardbff.hostNetwork=true

Existing Secret Usage

It is possible to use an existing secret to provide the following parameters for Azure configuration:

  • Azure tenant

    Field name - azure_tenant_id

  • Service principal client ID

    Field name - azure_client_id

  • Service principal client secret

    Field name - azure_client_secret

To do so, the following Helm option can be used:

--set secrets.azureClientSecretName=<secret name>

Note

Please ensure that the secret exists in the namespace where Veeam Kasten is installed. The default namespace assumed throughout this documentation is kasten-io.

apiVersion: v1
kind: Secret
metadata:
  name: my-azure-creds
  namespace: kasten-io
data:
  azure_client_id: MjMzODAyNWMEXAMPLEID
  azure_client_secret: UlVMOFF+dnpwM1EXAMPLESECRET
  azure_tenant_id: YmEwN2JhEXAMPLETENANTID
type: Opaque
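
The following script is an added example, not part of the Veeam Kasten documentation: it renders the Secret shown above from environment variables, so the client secret is not passed with --set (values given that way are stored with the Helm release and typically land in shell history). The variable names AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET and the helper function names are assumptions made for this example.

```shell
#!/bin/sh
# Added example: render the Secret referenced by secrets.azureClientSecretName.
# Input variable names below are assumptions, not Veeam Kasten settings.

# b64 VALUE: base64-encode VALUE with no trailing newline and no line wraps.
b64() { printf '%s' "$1" | base64 | tr -d '\n'; }

# render_azure_secret NAME [NAMESPACE]
# Emits a Secret manifest using the field names the documentation lists.
# Fails (non-zero, nothing on stdout) if any credential is empty or unset.
render_azure_secret() {
  [ -n "${1:-}" ] || { echo "usage: render_azure_secret NAME [NAMESPACE]" >&2; return 1; }
  [ -n "${AZURE_TENANT_ID:-}" ] && [ -n "${AZURE_CLIENT_ID:-}" ] \
    && [ -n "${AZURE_CLIENT_SECRET:-}" ] || {
      echo "AZURE_TENANT_ID, AZURE_CLIENT_ID and AZURE_CLIENT_SECRET must be set" >&2
      return 1
    }
  cat <<EOF
apiVersion: v1
kind: Secret
metadata:
  name: $1
  namespace: ${2:-kasten-io}
type: Opaque
data:
  azure_tenant_id: $(b64 "$AZURE_TENANT_ID")
  azure_client_id: $(b64 "$AZURE_CLIENT_ID")
  azure_client_secret: $(b64 "$AZURE_CLIENT_SECRET")
EOF
}

# secret_field MANIFEST FIELD: decode one data field back to plaintext,
# to confirm the stored value round-trips before applying the manifest.
secret_field() {
  printf '%s\n' "$1" | awk -v k="$2:" '$1 == k { print $2 }' | base64 -d
}

# Usage (needs cluster access; the secret must be in Veeam Kasten's namespace):
#   render_azure_secret my-azure-creds kasten-io | kubectl apply -f -
#   helm install k10 kasten/k10 --namespace=kasten-io \
#       --set secrets.azureClientSecretName=my-azure-creds
```

The data fields are base64-encoded, not encrypted, so read access to Secrets in the kasten-io namespace should be restricted accordingly.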

Installing Veeam Kasten with Managed Identity

Before installing Veeam Kasten with Azure Managed Identity, you need to ensure that Managed Identity is enabled on your cluster. Please note that Veeam Kasten supports only single-identity nodes at the moment.

When installing Veeam Kasten with Managed Identity, you can install either with a specific Client ID or with the default ID.

To install on Azure using a specific client ID, you need to specify the client ID.

$ helm install k10 kasten/k10 --namespace=kasten-io \
    --set secrets.azureClientId=<azureclient_id>

To install on Azure using the default Managed Identity, you need to set azure.useDefaultMSI to true.

$ helm install k10 kasten/k10 --namespace=kasten-io \
    --set azure.useDefaultMSI=true

Installing Veeam Kasten on Azure US Government Cloud (...and others)

To install Veeam Kasten on Microsoft Azure US Government cloud, make sure to set the following helm options:

--set secrets.azureCloudEnvID=AzureUSGovernmentCloud

This will ensure that Veeam Kasten points to appropriate endpoints. These options can also be used to specify other clouds like AzureChinaCloud.

Validating the Install

To validate that Veeam Kasten has been installed properly, the following command can be run in Veeam Kasten's namespace (the install default is kasten-io) to watch for the status of all Veeam Kasten pods:

$ kubectl get pods --namespace kasten-io --watch

It may take a couple of minutes for all pods to come up but all pods should ultimately display the status of Running.

$ kubectl get pods --namespace kasten-io
NAMESPACE     NAME                                    READY   STATUS    RESTARTS   AGE
kasten-io     aggregatedapis-svc-b45d98bb5-w54pr      1/1     Running   0          1m26s
kasten-io     auth-svc-8549fc9c59-9c9fb               1/1     Running   0          1m26s
kasten-io     catalog-svc-f64666fdf-5t5tv             2/2     Running   0          1m26s
...

In the unlikely scenario that pods are stuck in any other state, please follow the support documentation to debug further.

Validate Dashboard Access

By default, the Veeam Kasten dashboard will not be exposed externally. To establish a connection to it, use the following kubectl command to forward a local port to the Veeam Kasten ingress port:

$ kubectl --namespace kasten-io port-forward service/gateway 8080:80

The Veeam Kasten dashboard will be available at http://127.0.0.1:8080/k10/#/.

For a complete list of options for accessing the Veeam Kasten dashboard through a LoadBalancer, Ingress or OpenShift Route, you can use the instructions here.