feat: add Velero to EKS

Author: matihost

terraform/aws/aws-eks/README.md

@@ -10,6 +10,7 @@ In particular it creates:
 - Cloud Watch, EFS, CSI Snapshots, Kube Server, Kube State Metrics addons
 - K8S metrics server on `system` nodepool
 - ExternalDNS
+- Velero - for backup - scheduled backups for each configured namespaces and cluster-backup
 - Private DNS Route53 zone
 - Configure storage, ingress, node pool classes
 - Configure app namespaces (quota, limits, networkpolicies)
@@ -99,3 +100,34 @@ k9s
 ```bash
 make list-pod-identity-associations [ENV=dev]
 ```
+
+### Backups
+
+```bash
+# create instant backup from scheduled backup
+velero backup create cluster-daily-backup1 --from-schedule cluster-daily-backup
+velero backup create learning-backup1 --from-schedule learning-daily-backup
+
+# list backups
+velero get backups
+velero backup get
+
+# list schedules
+velero get schedules
+velero schedule get
+
+# describe particular backup
+velero backup describe learning-backup1
+# get list of object, details about CSI snapshots etc
+velero backup describe learning-backup1 --details
+
+# get log happenned during backup
+velero backup log learning-backup1
+
+
+# delete particular backup
+velero backup delete learning-backup1 --confirm
+
+# delete all backups
+velero backup delete --all --confirm
+```

terraform/aws/aws-eks/module/backup.tf

@@ -0,0 +1,102 @@
+resource "aws_s3_bucket" "backup" {
+  bucket              = "${local.account_id}-${local.prefix}-velero-backups"
+  force_destroy       = "true"
+  object_lock_enabled = "false"
+}
+
+
+resource "aws_s3_bucket_server_side_encryption_configuration" "backup_enc" {
+  bucket = aws_s3_bucket.backup.id
+
+  rule {
+    apply_server_side_encryption_by_default {
+      sse_algorithm = "AES256"
+    }
+
+    bucket_key_enabled = "true"
+  }
+}
+
+
+resource "aws_s3_bucket_versioning" "backup_versioning" {
+  bucket = aws_s3_bucket.backup.id
+  versioning_configuration {
+    status = "Disabled"
+  }
+}
+
+
+data "aws_iam_policy_document" "backup_irsa_trust_policy" {
+  statement {
+    effect  = "Allow"
+    actions = ["sts:AssumeRoleWithWebIdentity"]
+    principals {
+      type        = "Federated"
+      identifiers = [aws_iam_openid_connect_provider.oidc_provider.arn]
+    }
+    condition {
+      test     = "StringEquals"
+      variable = "${aws_iam_openid_connect_provider.oidc_provider.url}:sub"
+      values   = ["system:serviceaccount:velero:velero-server"]
+    }
+  }
+}
+
+
+resource "aws_iam_role" "backup_irsa" {
+  name               = "${local.prefix}-velero-irsa"
+  assume_role_policy = data.aws_iam_policy_document.backup_irsa_trust_policy.json
+}
+
+resource "aws_iam_role_policy_attachment" "backup_irsa" {
+  policy_arn = aws_iam_policy.velero-policy.arn
+  role       = aws_iam_role.backup_irsa.name
+}
+
+
+resource "aws_iam_policy" "velero-policy" {
+  description = "Allow pass ReadOnlyAccess role to Tools"
+  name        = "${local.prefix}-velero-irsa"
+
+  policy = <<EOF
+{
+    "Version": "2012-10-17",
+    "Statement": [
+        {
+            "Effect": "Allow",
+            "Action": [
+                "ec2:DescribeVolumes",
+                "ec2:DescribeSnapshots",
+                "ec2:CreateTags",
+                "ec2:CreateVolume",
+                "ec2:CreateSnapshot",
+                "ec2:DeleteSnapshot"
+            ],
+            "Resource": "*"
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:GetObject",
+                "s3:DeleteObject",
+                "s3:PutObject",
+                "s3:AbortMultipartUpload",
+                "s3:ListMultipartUploadParts"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${aws_s3_bucket.backup.bucket}/*"
+            ]
+        },
+        {
+            "Effect": "Allow",
+            "Action": [
+                "s3:ListBucket"
+            ],
+            "Resource": [
+                "arn:aws:s3:::${aws_s3_bucket.backup.bucket}"
+            ]
+        }
+    ]
+}
+EOF
+}

terraform/aws/aws-eks/module/cluster-config-chart/templates/storage-classes.yaml

@@ -26,3 +26,16 @@ metadata:
 provisioner: efs.csi.aws.com
 reclaimPolicy: Delete
 volumeBindingMode: Immediate
+---
+apiVersion: snapshot.storage.k8s.io/v1
+kind: VolumeSnapshotClass
+metadata:
+  name: ebs-csi
+  labels:
+    velero.io/csi-volumesnapshot-class: "true"
+driver: ebs.csi.eks.amazonaws.com
+# flag does not matter as
+# per
+# https://github.com/vmware-tanzu/velero/blob/release-1.16/design/clean_artifacts_in_csi_flow.md
+# VolumeSnapshot and VolumeSnapshotContent are deleted when Backup is created automatically either way
+deletionPolicy: Retain # or Delete

terraform/aws/aws-eks/module/configure-cluster.sh

@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-ACCOUNT_ID="${1:?CLUSTER_NAME is required}"
+ACCOUNT_ID="${1:?ACCOUNT_ID is required}"
 CLUSTER_NAME="${2:?CLUSTER_NAME is required}"
 REGION="${3:?REGION is required}"
 NAMESPACES="${4:?NAMESPACES is required}"
@@ -107,6 +107,8 @@ spec:
       useClusterChecksRunners: true
     orchestratorExplorer:
       enabled: true
+    npm:
+      enabled: true
     usm:
         enabled: true
     apm:
@@ -168,13 +170,64 @@ EOF
   }
 }
 
+function ensure-backup() {
+  helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts
+  helm repo update
+  helm upgrade --install velero -n velero --create-namespace vmware-tanzu/velero -f "${DIRNAME}/velero.yaml" \
+    --set configuration.backupStorageLocation[0].name="default" \
+    --set configuration.backupStorageLocation[0].provider="aws" \
+    --set configuration.backupStorageLocation[0].bucket="${ACCOUNT_ID}-${CLUSTER_NAME}-velero-backups" \
+    --set configuration.backupStorageLocation[0].config.region="${REGION}" \
+    --set configuration.volumeSnapshotLocation[0].name="default" \
+    --set configuration.volumeSnapshotLocation[0].provider="aws" \
+    --set configuration.volumeSnapshotLocation[0].config.region="${REGION}" \
+    --set serviceAccount.server.annotations."eks\\.amazonaws\\.com/role-arn"="arn:aws:iam::${ACCOUNT_ID}:role/${CLUSTER_NAME}-velero-irsa"
+
+  for NAMESPACE in $(echo "${NAMESPACES}" | jq -cr '.[]'); do
+
+    NS="$(echo "${NAMESPACE}" | jq -r ".name")"
+
+    cat <<EOF | oc apply -f -
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: ${NS}-daily-backup
+  namespace: velero
+spec:
+  schedule: "0 1 * * *"  # Daily at 1 AM, so RPO is 24h
+  template:
+    includedNamespaces:
+      - ${NS}
+    ttl: 168h0m0s  # 7 days retention
+EOF
+  done
+
+  NAMESPACES_NAMES="$(echo "${NAMESPACES}" | jq -cr '[.[].name]')"
+  cat <<EOF | oc apply -f -
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: cluster-daily-backup
+  namespace: velero
+spec:
+  schedule: "0 2 * * *"  # Daily at 2 AM, RPO = 24h
+  template:
+    includedNamespaces:
+      - "*"  # all namespaces
+    excludedNamespaces: ${NAMESPACES_NAMES}
+    includeClusterResources: true
+    ttl: 168h                          # 7 days retention
+EOF
+
+}
 # Main
 login-to-eks
 ensure-cluster-config
 ensure-datadog-agent
 configure-namespaces
 ensure-nginx
 ensure-externaldns
+ensure-backup
 
 # TODO install SecretManager integration
 # https://github.com/aws/secrets-store-csi-driver-provider-aws

terraform/aws/aws-eks/module/eks.tf

@@ -234,5 +234,6 @@ resource "null_resource" "cluster-config" {
     aws_eks_access_entry.admin,
     aws_eks_access_policy_association.admin,
     aws_eks_pod_identity_association.externaldns,
+    aws_iam_role_policy_attachment.backup_irsa,
   ]
 }

terraform/aws/aws-eks/module/velero.yaml

@@ -0,0 +1,84 @@
+# helm show values vmware-tanzu/velero
+
+image:
+  repository: velero/velero
+  tag: latest
+  pullPolicy: Always
+
+
+nodeSelector:
+  karpenter.sh/nodepool: "system"
+
+tolerations:
+  - key: "CriticalAddonsOnly"
+    operator: "Exists"
+  - effect: "NoExecute"
+    operator: "Exists"
+    tolerationSeconds: 300
+
+# For AWS
+# configuration:
+#   backupStorageLocation:
+#   - bucket: $BUCKET
+#     provider: aws
+#   volumeSnapshotLocation:
+#   - config:
+#       region: $REGION
+#     provider: aws
+# Init containers to add to the Velero deployment's pod spec. At least one plugin provider image is required.
+# If the value is a string then it is evaluated as a template.
+initContainers:
+  - name: velero-plugin-for-aws
+    image: velero/velero-plugin-for-aws:latest
+    imagePullPolicy: Always
+    volumeMounts:
+      - mountPath: /target
+        name: plugins
+
+credentials:
+  # Whether a secret should be used. Set to false if, for examples:
+  # - using kube2iam or kiam to provide AWS IAM credentials instead of providing the key file. (AWS only)
+  # - using workload identity instead of providing the key file. (Azure/GCP only)
+  useSecret: false
+
+# IRSA for Velero
+# serviceAccount:
+#   server:
+#     annotations:
+#       eks.amazonaws.com/role-arn: "arn:aws:iam::${ACCOUNT}:role/eks-velero-backup"
+
+# init container uses bitnamilegacy image - but it is no more working
+kubectl:
+  image:
+    repository: docker.io/bitnamilegacy/kubectl
+    tag: latest
+
+configuration:
+  # Must have to
+  features: EnableCSI
+  # When POD has no annotation like: backup.velero.io/backup-volumes: <<name-of-volume-in-the-pod>>
+  # then if it is EBS and VolumeSnapshotClass with
+  # label velero.io/csi-volumesnapshot-class=true exists
+  # velero will use it to snapshot EBS volumes.
+  # Otherwise EFS volumes will be skipped in backup.
+  #
+  # If defaultVolumesToFsBackup is true then all volumes
+  # without the annotation will be treated as FS volumes. EBS volumes will not be snapshotted.
+  defaultVolumesToFsBackup: false
+
+# For FS backups (like EGS)
+deployNodeAgent: true
+nodeAgent:
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      cpu: 1000m
+      memory: 512Mi
+  tolerations:
+    - key: "CriticalAddonsOnly"
+      operator: "Exists"
+    - effect: "NoExecute"
+      operator: "Exists"
+      tolerationSeconds: 300