Documentation for version v0.3.0 is no longer actively maintained. The version you are currently viewing is a static snapshot. For up-to-date documentation, see the latest version.
Cloud Provider Specifics
While the Quickstart uses a local storage service to quickly set up Heptio Ark as a demonstration, this document details additional configurations that are required when integrating with the cloud providers below:
Setup
AWS
IAM user creation
To integrate Heptio Ark with AWS, you should follow the instructions below to create an Ark-specific IAM user.
-
If you do not have the AWS CLI locally installed, follow the user guide to set it up.
-
Create an IAM user:
aws iam create-user --user-name heptio-ark -
Attach a policy to give
heptio-arkthe necessary permissions:aws iam attach-user-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonS3FullAccess \ --user-name heptio-ark aws iam attach-user-policy \ --policy-arn arn:aws:iam::aws:policy/AmazonEC2FullAccess \ --user-name heptio-ark -
Create an access key for the user:
aws iam create-access-key --user-name heptio-arkThe result should look like:
{ "AccessKey": { "UserName": "heptio-ark", "Status": "Active", "CreateDate": "2017-07-31T22:24:41.576Z", "SecretAccessKey": <AWS_SECRET_ACCESS_KEY>, "AccessKeyId": <AWS_ACCESS_KEY_ID> } } -
Using the output from the previous command, create an Ark-specific credentials file (
credentials-ark) in your local directory that looks like the following:[default] aws_access_key_id=<AWS_ACCESS_KEY_ID> aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
Credentials and configuration
In the Ark root directory, run the following to first set up namespaces, RBAC, and other scaffolding:
kubectl apply -f examples/common/00-prereqs.yaml
Create a Secret, running this command in the local directory of the credentials file you just created:
kubectl create secret generic cloud-credentials \
--namespace heptio-ark \
--from-file cloud=credentials-ark
Now that you have your IAM user credentials stored in a Secret, you need to replace some placeholder values in the template files. Specifically, you need to change the following:
-
In file
examples/aws/00-ark-config.yaml:- Replace
<YOUR_BUCKET>,<YOUR_REGION>, and<YOUR_AVAILABILITY_ZONE>. See the Config definition for details.
- Replace
-
In file
examples/common/10-deployment.yaml:- Make sure that
spec.template.spec.containers[*].env.nameis “AWS_SHARED_CREDENTIALS_FILE”.
- Make sure that
-
(Optional) If you are running the Nginx example, in file
examples/nginx-app/with-pv.yaml:- Replace
<YOUR_STORAGE_CLASS_NAME>withgp2. This is AWS’s defaultStorageClassname.
- Replace
GCP
Service account creation
To integrate Heptio Ark with GCP, you should follow the instructions below to create an Ark-specific Service Account.
-
If you do not have the gcloud CLI locally installed, follow the user guide to set it up.
-
View your current config settings:
gcloud config listStore the
projectvalue from the results in the environment variable$PROJECT_ID. -
Create a service account:
gcloud iam service-accounts create heptio-ark \ --display-name "Heptio Ark service account"Then list all accounts and find the
heptio-arkaccount you just created:gcloud iam service-accounts listSet the
$SERVICE_ACCOUNT_EMAILvariable to match itsemailvalue. -
Attach policies to give
heptio-arkthe necessary permissions to function (replacing placeholders appropriately):gcloud projects add-iam-policy-binding $PROJECT_ID \ --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \ --role roles/compute.storageAdmin gcloud projects add-iam-policy-binding $PROJECT_ID \ --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \ --role roles/storage.admin -
Create a service account key, specifying an output file (
credentials-ark) in your local directory:gcloud iam service-accounts keys create credentials-ark \ --iam-account $SERVICE_ACCOUNT_EMAIL
Credentials and configuration
In the Ark root directory, run the following to first set up namespaces, RBAC, and other scaffolding:
kubectl apply -f examples/common/00-prereqs.yaml
Create a Secret, running this command in the local directory of the credentials file you just created:
kubectl create secret generic cloud-credentials \
--namespace heptio-ark \
--from-file cloud=credentials-ark
Now that you have your Google Cloud credentials stored in a Secret, you need to replace some placeholder values in the template files. Specifically, you need to change the following:
-
In file
examples/gcp/00-ark-config.yaml:- Replace
<YOUR_BUCKET>,<YOUR_PROJECT>and<YOUR_ZONE>. See the Config definition for details.
- Replace
-
In file
examples/common/10-deployment.yaml:- Change
spec.template.spec.containers[*].env.nameto “GOOGLE_APPLICATION_CREDENTIALS”.
- Change
-
(Optional) If you are running the Nginx example, in file
examples/nginx-app/with-pv.yaml:- Replace
<YOUR_STORAGE_CLASS_NAME>withstandard. This is GCP’s defaultStorageClassname.
- Replace
Azure
Service principal creation
To integrate Heptio Ark with Azure, you should follow the instructions below to create an Ark-specific service principal.
-
If you do not have the
azAzure CLI 2.0 locally installed, follow the user guide to set it up. Once done, run:az login -
There are seven environment variables that need to be set for Heptio Ark to work properly. The following steps detail how to acquire these, in the process of setting up the necessary RBAC.
-
List your account:
az account listSave the relevant response values into environment variables:
idcorresponds to$AZURE_SUBSCRIPTION_IDandtenantIdcorresponds to$AZURE_TENANT_ID. -
Assuming that you already have a running Kubernetes cluster on Azure, you should have a corresponding resource group as well. List your current groups to find it:
az group listGet your cluster’s group
namefrom the response, and use it to set$AZURE_RESOURCE_GROUP. (Also note thelocation–this is later used in the Azure-specific portion of the Ark Config). -
Create a service principal with the “Contributor” role:
az ad sp create-for-rbac --role="Contributor" --name="heptio-ark"From the response, save
appIdinto$AZURE_CLIENT_IDandpasswordinto$AZURE_CLIENT_SECRET. -
Login into the
heptio-arkservice principal account:az login --service-principal \ --username http://heptio-ark-test \ --password $AZURE_CLIENT_SECRET \ --tenant $AZURE_TENANT_ID -
Specify a globally-unique storage account id and save it in
$AZURE_STORAGE_ACCOUNT_ID. Then create the storage account, specifying the optional--locationflag if you do not have defaults fromaz configure:az storage account create \ --name $AZURE_STORAGE_ACCOUNT_ID \ --resource-group $AZURE_RESOURCE_GROUP \ --sku Standard_GRSYou will encounter an error message if the storage account ID is not unique; change it accordingly.
-
Get the keys for your storage account:
az storage account keys list \ --account-name $AZURE_STORAGE_ACCOUNT_ID \ --resource-group $AZURE_RESOURCE_GROUPSet
$AZURE_STORAGE_KEYto any one of thevalues returned.
Credentials and configuration
In the Ark root directory, run the following to first set up namespaces, RBAC, and other scaffolding:
kubectl apply -f examples/common/00-prereqs.yaml
Now you need to create a Secret that contains all the seven environment variables you just set. The command looks like the following:
kubectl create secret generic cloud-credentials \
--namespace heptio-ark \
--from-literal AZURE_SUBSCRIPTION_ID=${AZURE_SUBSCRIPTION_ID} \
--from-literal AZURE_TENANT_ID=${AZURE_TENANT_ID} \
--from-literal AZURE_RESOURCE_GROUP=${AZURE_RESOURCE_GROUP} \
--from-literal AZURE_CLIENT_ID=${AZURE_CLIENT_ID} \
--from-literal AZURE_CLIENT_SECRET=${AZURE_CLIENT_SECRET} \
--from-literal AZURE_STORAGE_ACCOUNT_ID=${AZURE_STORAGE_ACCOUNT_ID} \
--from-literal AZURE_STORAGE_KEY=${AZURE_STORAGE_KEY}
Now that you have your Azure credentials stored in a Secret, you need to replace some placeholder values in the template files. Specifically, you need to change the following:
-
In file
examples/azure/10-ark-config.yaml:- Replace
<YOUR_BUCKET>,<YOUR_LOCATION>, and<YOUR_TIMEOUT>. See the Config definition for details.
- Replace
Run
Ark server
Make sure that you have run kubectl apply -f examples/common/00-prereqs.yaml first (this command is incorporated in the previous setup instructions because it creates the necessary namespaces).
-
AWS and GCP
Start the Ark server itself, using the Config from the appropriate cloud-provider-specific directory:
kubectl apply -f examples/common/10-deployment.yaml kubectl apply -f examples/<CLOUD-PROVIDER>/ -
Azure
Because Azure loads its credentials differently (from environment variables rather than a file), you need to instead run:
kubectl apply -f examples/azure/
Basic example (No PVs)
Start the sample nginx app:
kubectl apply -f examples/nginx-app/base.yaml
Now create a backup with PV snapshotting:
ark backup create nginx-backup --selector app=nginx
Simulate a disaster:
kubectl delete namespaces nginx-example
Now restore your lost resources:
ark restore create nginx-backup
Snapshot example (With PVs)
NOTE: For Azure, your Kubernetes cluster needs to be version 1.7.2+ in order to support PV snapshotting of its managed disks.
Label a node so that all nginx pods end up on the same machine (avoiding PV binding issues):
nginx_node_name=$(kubectl get nodes -o jsonpath='{.items[0].metadata.name}')
kubectl label nodes $nginx_node_name app=nginx
Start the sample nginx app:
kubectl apply -f examples/nginx-app/with-pv.yaml
Because Kubernetes does not automatically transfer labels from PVCs to dynamically generated PVs, you need to do so manually:
nginx_pv_name=$(kubectl get pv -o jsonpath='{.items[?(@.spec.claimRef.name=="nginx-logs")].metadata.name}')
kubectl label pv $nginx_pv_name app=nginx
Now create a backup with PV snapshotting:
ark backup create nginx-backup --selector app=nginx --snapshot-volumes
Simulate a disaster:
kubectl delete namespaces nginx-example
kubectl delete pv $nginx_pv_name
Now restore your lost resources:
ark restore create nginx-backup
Getting Started
To help you get started, see the documentation.