Installing Veeam Kasten on AWS
Prerequisites
Before installing Veeam Kasten on Amazon EKS, it is important to determine the preferred authentication mechanism: either Long-term access keys or IAM Roles for service accounts. The choice of authentication mechanism will affect the necessary steps and prerequisites for the installation process.
AWS provides two types of authentication mechanisms for programmatic access:
- Long-term access keys
- IAM Roles for Service Accounts
If you opt for long-term access keys, you will need to provide the Access Key ID and Secret Access Key during the setup. In addition, you may optionally provide an additional IAM Role. The additional IAM Role allows for extra permissions to be granted to the identity authenticated with the long-term access key.
On the other hand, if you choose IAM Roles for service accounts, you would not need to provide the Access Key ID and Secret Access Key. Instead, you will need to ensure the presence of the required IAM role. Please consider the authentication mechanism that best suits your requirements and follow the appropriate steps and instructions provided to ensure a seamless authentication experience.
These mechanisms are designed to authenticate and authorize the programmatic interactions between scripts or command line interfaces and AWS services. Both authentication mechanisms provide secure programmatic access to AWS resources.
Let's dive into the details:
-
Long-term access keys: These keys are commonly used when
authenticating programmatic access to AWS resources. When creating
long-term access keys, you receive an Access key ID and a Secret
Access Key. The Access Key ID serves as the identifier for the
access key, and the Secret Access Key is a unique secret value
used for authentication. During the Helm installation process, you
are given the choice to assign a role. This role will be used
during authentication when Veeam Kasten initially authenticates
using the provided Access Key ID and Secret Access Key, along with
the additional assigned role.
-
During the Helm installation process, you can choose to
configure long-term access secret keys and key IDs by
providing the necessary key pairs:
--set secrets.awsAccessKeyId
and--set secrets.awsSecretAccessKey
. -
(Optional) In addition to the long-term access keys, you can
choose to provide an additional IAM role. This additional role
will be associated with the
secrets.awsIamRole
configuration parameter.
-
During the Helm installation process, you can choose to
configure long-term access secret keys and key IDs by
providing the necessary key pairs:
- IAM Roles for Service Accounts: IAM roles are useful in scenarios where you want to provide access to AWS services without managing or exposing long-term access keys. To know more about it, refer to IAM Roles for Service Accounts.
AWS IAM roles grant access to AWS account resources to trusted entities. The following links contain information on how to create roles and other permission-related details:
Installing Veeam Kasten
To install on AWS, you need to define two environment variables that specify your access key id and secret access key. After doing so, just run the following command to install Veeam Kasten, the Kasten platform on either AWS EKS or any other Kubernetes distribution running on EC2.
$ helm install k10 kasten/k10 --namespace=kasten-io \
--set secrets.awsAccessKeyId="${AWS_ACCESS_KEY_ID}" \
--set secrets.awsSecretAccessKey="${AWS_SECRET_ACCESS_KEY}"
If you want Veeam Kasten to assume an IAM Role in AWS infrastructure operations, refer to Using AWS IAM Roles with Veeam Kasten on how to create and use the role.
For IAM Roles for Service Accounts, once the setup is completed, you
will need to provide a token file to assign the role to the k10-k10
service account. With the assigned role, there is no need for Access Key
and Secret Access Key. During the Veeam Kasten installation, you can
choose to manually configure the k10-k10
service account. For
additional information, refer to Associate Service Account
Role.
In some scenarios, it is advantageous to avoid pre-configuring a service
account manually, and instead, leverage Helm's capabilities to
streamline the process. By providing a role through the Helm package
manager using the --set secrets.awsIamRole
flag, the service account
can be dynamically created.
AWS keys or IAM Roles need to have permissions that allow Veeam Kasten to perform operations on EBS and, if needed, EFS and S3. The minimal set of permissions needed by Veeam Kasten for integrating against different AWS services can be found here:
- Using Veeam Kasten with AWS EBS
- Using Veeam Kasten with AWS S3
- Using Veeam Kasten with Amazon RDS
- Using Veeam Kasten with AWS EFS
- Using Veeam Kasten with AWS Secrets Manager
- Optional KMS Permissions
The above permissions can also be used in the context of IAM Policies and Roles. Refer to Using AWS IAM Roles with Veeam Kasten for more information regarding IAM Policies and Roles.
To address any troubleshooting issues while installing Veeam Kasten on a Kubernetes platform using the Cilium Container Network Interface (CNI) setup, refer to this page. The page provides specific steps for resolving installation issues with Cilium CNI and Veeam Kasten compatibility.
Existing Secret Usage
It is possible to use an existing secret to provide the following parameters for AWS configuration:
- AWS Access Key ID Field name -
aws_access_key_id
- AWS Secret Access Key Field name -
aws_secret_access_key
- AWS IAM Role Field name -
role
To do so, the following Helm option can be used:
--set secrets.awsClientSecretName=<secret name>
Please ensure that the secret exists in the namespace where Veeam Kasten is installed. The default namespace assumed throughout this documentation is kasten-io.
apiVersion: v1
kind: Secret
metadata:
name: my-aws-creds
namespace: kasten-io
data:
aws_access_key_id: MjMzODAyNWMEXAMPLEID
aws_secret_access_key: UlVMOFF+dnpwM1EXAMPLESECRET
role: YmEwN2JhEXAMPLEROLE
type: Opaque
EKS Authentication Setup
Finally, for end-to-end instructions on how to set up token-based authentication for AWS EKS clusters, please follow the documentation here.
Elastic File System Limitation
Currently, Veeam Kasten supports backup and recovery of AWS Elastic File System (EFS) volumes. However, due to EFS limitations, cross-cluster EFS restores within the same region and across regions require manual intervention using the AWS CLI or AWS console using the below instructions.
- Using the Veeam Kasten dashboard and AWS CLI for EFS Snapshot Migration
- Using the Veeam Kasten dashboard and AWS Console for EFS Snapshot Migration
EKS IPv6 Clusters
To install Veeam Kasten on an IPv6 cluster, run the following command:
$ helm install k10 kasten/k10 --namespace=kasten-io \
--set secrets.awsAccessKeyId="${AWS_ACCESS_KEY_ID}" \
--set secrets.awsSecretAccessKey="${AWS_SECRET_ACCESS_KEY}"
--set global.network.enable_ipv6=true
This will enable IPv6 listeners for all required services. Same option can be used to enable IPv6 listeners for a dual-stack setup.
Veeam Kasten was tested in IPv6-only setup only on AWS EKS platform. Although it is expected to work on other platforms as well.
Port-forwarding to Veeam Kasten services may not work in IPv6-only setup with Dockershim CRI. Containerd CRI supports IPv6 port-forwarding since 1.5.2 release.
Validating the Install
To validate that Veeam Kasten has been installed properly, the following
command can be run in Veeam Kasten's namespace (the install default is
kasten-io
) to watch for the status of all Veeam Kasten pods:
$ kubectl get pods --namespace kasten-io --watch
It may take a couple of minutes for all pods to come up but all pods
should ultimately display the status of Running
.
$ kubectl get pods --namespace kasten-io
NAMESPACE NAME READY STATUS RESTARTS AGE
kasten-io aggregatedapis-svc-b45d98bb5-w54pr 1/1 Running 0 1m26s
kasten-io auth-svc-8549fc9c59-9c9fb 1/1 Running 0 1m26s
kasten-io catalog-svc-f64666fdf-5t5tv 2/2 Running 0 1m26s
...
In the unlikely scenario that pods that are stuck in any other state, please follow the support documentation to debug further.
Validate Dashboard Access
By default, the Veeam Kasten dashboard will not be exposed externally.
To establish a connection to it, use the following kubectl
command to
forward a local port to the Veeam Kasten ingress port:
$ kubectl --namespace kasten-io port-forward service/gateway 8080:80
The Veeam Kasten dashboard will be available at http://127.0.0.1:8080/k10/#/.
For a complete list of options for accessing the Kasten Veeam Kasten dashboard through a LoadBalancer, Ingress or OpenShift Route you can use the instructions here.