In our previous blog we introduced you to operating Trilio for Kubernetes using Ansible. In this follow up article we take these concepts a stage further to provide instructions on using our Red Hat Certified [Login Required] and Galaxy Ansible Playbook Role for orchestrating your backup, recovery and migration steps with Trilio. In this second part of our Ansible series, we will install the role from Galaxy (or Red Hat Automation Hub), understand the trilio_kubernetes role, and provide a set of actions to configure basic authentication and run a basic check, ready for Part 3 which will cover creating targets, backup plans and backups.
Kubernetes, Trilio, Ansible, Oh my!
Kubernetes is a platform with a rich ecosystem that begs automation and orchestration. The Kubernetes platform itself automates many operational tasks such as lifecycle management of Pods and Storage, and scale-up and down features without breaking a sweat. So with such rich features of orchestration and automation, can your backup and recovery product keep pace?
Trilio is a leader for backup, with many world-class organisations and telecom providers deploying Trilio as part of their reference scale-out architecture.
Trilio is designed for Kubernetes. Trilio is designed for users of Kubernetes. Trilio is designed for orchestration. That is why we have published our Trilio Kubernetes Ansible Role that allows users to now protect and recover their environments through the control and simplicity of Ansible.
For Red Hat OpenShift customers, Trilio is a Certified OpenShift Operator and the Ansible Role is Certified on the Automation Hub!
What You Will Learn During This Series
Installation of the Galaxy (or Certified Red Hat) Role. The Certified Role is required to authenticate with OpenShift.
Understanding the available tasks with the Role
Using the example playbook to demonstrate the creation of
Secrets
Targets
Backup Plans
Backup
In this Blog post we will be using the Command Line. In a follow up Blog Post we will use Red Hat Automation Platform.
Prerequisites
To follow along with this article it is assumed you have
Kubernetes or OpenShift installed
Trilio for Kubernetes installed [Need a license? Contact Us]
Ansible available on the command line
Familiarity of Ansible and Ansible Galaxy
Installing the Trilio Kubernetes Role from Galaxy or Red Hat Automation Hub
The Trilio Galaxy Ansible Collection currently has a published role called trilio_kubernetes.
Option 1: For Galaxy Users (non-Red Hat)
To add this role to your installed Galaxy Collections, issue the following command:
ansible-galaxy collection install trilio.trilio_kubernetes
That’s it complete. You can skip to the next section: Understanding the Trilio Kubernetes Role.
Option 2: For Red Hat Users: Install redhat.openshift and Trilio Kubernetes Certified Roles from Red Hat Automation Hub
To install any Collection from Red Hat, you first need to ensure your
/etc/ansible.cfgor~/.ansible.cfgis configured with the Token provided by Red Hat Automation Hub. You find that token here (Login Required). Contact your administrator if you are unsure.Copy the Offline Token from that page and add to your
ansible.cfgor~/.ansible.cfgfile. For example:[galaxy]server_list = automation_hub[galaxy_server.automation_hub]url=https://cloud.redhat.com/api/automation-hub/auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/tokentoken=eyJhbGciOiJIUzI1NiIsIn....Install the
redhat.openshiftrole dependency by issuing the followingansible-galaxy collection install redhat.openshiftContinue with the installation of the Trilio Kubernetes role by issuing the following command:
ansible-galaxy collection install trilio.trilio_kubernetes
Galaxy Roles are installed into ~/.ansible/collections/ansible_collections
Understanding the Trilio Kubernetes Role
The trilio_kubernetes role allows you to incorporate this role into your playbooks to facilitate all the actions you expect from Trilio – from creating targets, creating backups to restoring applications.
Under the roles/trilio_kubernetes/tasks directory of the collection there are a variety of tasks such as which also have Ansible tags associated with them:
trilio_kubernetes_check.yaml | tag: checktrilio_kubernetes_create_backupplan.yaml | tag: backupplantrilio_kubernetes_create_backup.yaml | tag: backuptrilio_kubernetes_create_restore.yaml | tag: restore
etc…
And it is these tasks that you can invoke in your own playbooks when specifying the role with the FQCN (Fully Qualified Collection Name): trilio.trilio_kubernetes.trilio_kubernetes
We have provided a sample playbook that invokes the various tasks using Ansible tags, and appropriate configuration file which will be used for the remainder of this Blog Post. This playbook is designed to introduce you to using the trilio_kubernetes role and how it can be invoked.
Sample Playbook:
- name: Trilio for Kubernetes Ansible Utility
hosts: localhost
vars_files: trilio_kubernetes-config.yaml
roles:
- trilio.trilio_kubernetes.trilio_kubernetes
Copy the example trilio-utility.yaml playbook and configuration files to a working directory
There is an example playbook directory included in the
trilio.trilio_kubernetesinstallation, as well as example YAML configuration files. Copy this directory out of the Galaxy install area to some part of your computer where you will then execute the exampletrilio-utility.yamlplaybook:mkdir ~/democp -pR ~/.ansible/collections/ansible_collections/trilio/trilio_kubernetes/playbooks ~/demoYou will find an example playbook in the playbook directory, as well as configuration files
cd demo/playbooks
Setting up Kubernetes Authentication for use with the example playbook
trilio-utility.yaml is an example playbook that uses the trilio_kubernetes role. To use it with your Kubernetes or OpenShift cluster we first need to configure authentication to your cluster.With the trilio_kubernetes role you can authenticate explicitly using Kubeconfig, Username/Password or simply use existing authentication in a shell (and Ansible Automation Platform)
Option 1: Configuring Username/Password Authentication
We will create an ansible-vault encrypted YAML file that will be passed to the playbook on the command line.
The trilio_kubernetes role expects the following variables to be available for the tasks to execute:
trilio_kubernetes_auth_api:trilio_kubernetes_username:trilio_kubernetes_password:
As these involve sensitive information, but are required for the role to execute, we will store them in an ansible-vault encrypted file.
Let us suppose we have an OpenShift cluster and we will use the user kubeadmin, with the relevant password created during installation to authenticate with the Ansible tasks.
Create an
auth.encfile that we will encrypt usingansible-vault, and will have authentication details in that we will pass, on the cli, to thetrilio-utility.yamlplaybookansible-vault create ocp-dc3.encEnter a password that you will use to decrypt this file when we execute our playbook.
Add the following contents, replacing the values for your installation.
trilio_kubernetes_auth_api: https://api.your.installation.openshift:6443
trilio_kubernetes_username: kubeadmin
trilio_kubernetes_password: bUzC1-lGdSh-TbptJ-UXuN4Save and exit
The
trilio-utility.yamlplaybook always looks up a variable file, in the same directory of the playbook, calledtrilio_kubernetes-config.yaml. In here we specify which type of authentication to use. Change the following variables to betrilio_kubernetes_distro: openshifttrilio_kubernetes_auth_type: password
Note: if you were using a non-OpenShift environment, change trilio_kubernetes_distro: to be kubernetes
Additional Note: Any of the variables in this file can be placed in separate files and referenced independently on the command line using the -e option to the ansible-playbook command.
Option 2: Configuring Kubeconfig Authentication
The trilio_kubernetes role will also read in a specified Kubeconfig file to authenticate too. This is simply configured in the trilio_kubernetes-config.yaml file present in the same directory as the example trilio-utility.yaml playbook and change the following variables:
trilio_kubernetes_distro: kubernetestrilio_kubernetes_auth_type: kubeconfigkubeconfig: /home/user/cluster1-kubeconfig.yaml
Using the trilio-utility.yaml Playbook and Configuration to run basic checks
The trilio_kubernetes tasks have been created with tags, so that you can invoke those tasks from the role directly by specifying that tag.
We will use the trilio-utility.yaml playbook, and the auth.enc file, if using username and passwords, to run a basic sanity check of the environment.
To run a check issue the following:
ansible-playbook -e @auth.enc trilio-utility.yaml --tags "check"This will present output like the following:
Example trilio-utility.yaml ‘check’ output
[WARNING]: No inventory was parsed, only implicit localhost is available[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'
PLAY [Trilio for Kubernetes Ansible Utility] *****************************************************************************************************
TASK [Gathering Facts] ***************************************************************************************************************************ok: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Authentication to Kubernetes] *********************************************************************************included: /Users/kevinjackson/Trilio/Ansible/ansible_collections/trilio/trilio-ansible/roles/trilio_kubernetes/tasks/trilio_kubernetes_auth.yaml for localhost
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Authenticate to Kubernetes] ***********************************************************************************skipping: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Authenticate to OpenShift] ************************************************************************************included: /Users/kevinjackson/Trilio/Ansible/ansible_collections/trilio/trilio-ansible/roles/trilio_kubernetes/tasks/trilio_kubernetes_auth_openshift.yaml for localhost
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Configure Authentication] *************************************************************************************ok: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Log in to OpenShift (obtain access token)] ********************************************************************ok: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Auth Fact Set] ************************************************************************************************ok: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Basic Trilio for Kubernetes Checks] ***************************************************************************included: /Users/kevinjackson/Trilio/Ansible/ansible_collections/trilio/trilio-ansible/roles/trilio_kubernetes/tasks/trilio_kubernetes_check.yaml for localhost
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Check for kubectl] ********************************************************************************************ok: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Check for oc] *************************************************************************************************ok: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for Trilio License] **********************************************************************************ok: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for CSI Drivers] *************************************************************************************ok: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for CSI Drivers (kubeconfig)] ************************************************************************skipping: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for VolumeSnapshot CRD] ******************************************************************************ok: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for VolumeSnapshot CRD (kubeconfig)] *****************************************************************skipping: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for VolumeSnapshotClass CRD] *************************************************************************ok: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for VolumeSnapshotClass CRD (kubeconfig)] ************************************************************skipping: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for VolumeSnapshotContent CRD] ***********************************************************************ok: [localhost]
TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for VolumeSnapshotContent CRD (kubeconfig)] **********************************************************skipping: [localhost]
PLAY RECAP ***************************************************************************************************************************************localhost : ok=14 changed=0 unreachable=0 failed=0 skipped=5 rescued=0 ignored=0
Summary
In this Part 2 of our Ansible blog posts we covered:
Installation of the trilio.trilio_kubernetes role for Kubernetes and OpenShift users
Provided an overview of the role and how to use it
Configured the variables for use with the role
Provide an example Playbook that invokes the role to do a basic checks of Trilio and its dependencies
Part 3 will cover creating Targets, Backup Plans and Backups.
