Reference Guide: Optimizing Backup Strategies for Red Hat OpenShift Virtualization

Automate your Kubernetes backups with Trilio and Ansible: Part 2

Table of Contents

Subscribe to Newsletter

ansible kubernetes trilio

In our previous blog we introduced you to operating Trilio for Kubernetes using Ansible. In this follow up article we take these concepts a stage further to provide instructions on using our Red Hat Certified [Login Required] and Galaxy Ansible Playbook Role for orchestrating your backup, recovery and migration steps with Trilio. In this second part of our Ansible series, we will install the role from Galaxy (or Red Hat Automation Hub), understand the trilio_kubernetes role, and provide a set of actions to configure basic authentication and run a basic check, ready for Part 3 which will cover creating targets, backup plans and backups.

Kubernetes, Trilio, Ansible, Oh my!

Kubernetes is a platform with a rich ecosystem that begs automation and orchestration. The Kubernetes platform itself automates many operational tasks such as lifecycle management of Pods and Storage, and scale-up and down features without breaking a sweat. So with such rich features of orchestration and automation, can your backup and recovery product keep pace?

Trilio is a leader for backup, with many world-class organisations and telecom providers deploying Trilio as part of their reference scale-out architecture.

Trilio is designed for Kubernetes. Trilio is designed for users of Kubernetes. Trilio is designed for orchestration. That is why we have published our Trilio Kubernetes Ansible Role that allows users to now protect and recover their environments through the control and simplicity of Ansible.

For Red Hat OpenShift customers, Trilio is a Certified OpenShift Operator and the Ansible Role is Certified on the Automation Hub!

What You Will Learn During This Series

  • Installation of the Galaxy (or Certified Red Hat) Role. The Certified Role is required to authenticate with OpenShift.

  • Understanding the available tasks with the Role

  • Using the example playbook to demonstrate the creation of

    • Secrets

    • Targets

    • Backup Plans

    • Backup

In this Blog post we will be using the Command Line. In a follow up Blog Post we will use Red Hat Automation Platform.

Prerequisites

To follow along with this article it is assumed you have

Installing the Trilio Kubernetes Role from Galaxy or Red Hat Automation Hub

The Trilio Galaxy Ansible Collection currently has a published role called trilio_kubernetes.

Option 1: For Galaxy Users (non-Red Hat)

  1. To add this role to your installed Galaxy Collections, issue the following command:

    ansible-galaxy collection install trilio.trilio_kubernetes

That’s it complete. You can skip to the next section: Understanding the Trilio Kubernetes Role.

Option 2: For Red Hat Users: Install redhat.openshift and Trilio Kubernetes Certified Roles from Red Hat Automation Hub

  1. To install any Collection from Red Hat, you first need to ensure your /etc/ansible.cfg or ~/.ansible.cfg is configured with the Token provided by Red Hat Automation Hub. You find that token here (Login Required). Contact your administrator if you are unsure.

  2. Copy the Offline Token from that page and add to your ansible.cfg or ~/.ansible.cfg file. For example:

    [galaxy]
    server_list = automation_hub

    [galaxy_server.automation_hub]
    url=https://cloud.redhat.com/api/automation-hub/
    auth_url=https://sso.redhat.com/auth/realms/redhat-external/protocol/openid-connect/token

    token=eyJhbGciOiJIUzI1NiIsIn....

  3. Install the redhat.openshift role dependency by issuing the following
    ansible-galaxy collection install redhat.openshift

  4. Continue with the installation of the Trilio Kubernetes role by issuing the following command:
    ansible-galaxy collection install trilio.trilio_kubernetes

Galaxy Roles are installed into ~/.ansible/collections/ansible_collections

Understanding the Trilio Kubernetes Role

The trilio_kubernetes role allows you to incorporate this role into your playbooks to facilitate all the actions you expect from Trilio – from creating targets, creating backups to restoring applications.

Under the roles/trilio_kubernetes/tasks directory of the collection there are a variety of tasks such as which also have Ansible tags associated with them:

trilio_kubernetes_check.yaml | tag: check
trilio_kubernetes_create_backupplan.yaml | tag: backupplan
trilio_kubernetes_create_backup.yaml | tag: backup
trilio_kubernetes_create_restore.yaml | tag: restore
etc…

And it is these tasks that you can invoke in your own playbooks when specifying the role with the FQCN (Fully Qualified Collection Name): trilio.trilio_kubernetes.trilio_kubernetes

We have provided a sample playbook that invokes the various tasks using Ansible tags, and appropriate configuration file which will be used for the remainder of this Blog Post. This playbook is designed to introduce you to using the trilio_kubernetes role and how it can be invoked.

Sample Playbook:

- name: Trilio for Kubernetes Ansible Utility
hosts: localhost
vars_files: trilio_kubernetes-config.yaml
roles:
- trilio.trilio_kubernetes.trilio_kubernetes

Copy the example trilio-utility.yaml playbook and configuration files to a working directory

  1. There is an example playbook directory included in the trilio.trilio_kubernetes installation, as well as example YAML configuration files. Copy this directory out of the Galaxy install area to some part of your computer where you will then execute the example trilio-utility.yaml playbook:

    mkdir ~/demo
    cp -pR ~/.ansible/collections/ansible_collections/trilio/trilio_kubernetes/playbooks ~/demo

  2. You will find an example playbook in the playbook directory, as well as configuration files

    cd demo/playbooks

Setting up Kubernetes Authentication for use with the example playbook

The trilio-utility.yaml is an example playbook that uses the trilio_kubernetes role. To use it with your Kubernetes or OpenShift cluster we first need to configure authentication to your cluster.

With the trilio_kubernetes role you can authenticate explicitly using Kubeconfig, Username/Password or simply use existing authentication in a shell (and Ansible Automation Platform)

Option 1: Configuring Username/Password Authentication

We will create an ansible-vault encrypted YAML file that will be passed to the playbook on the command line.

The trilio_kubernetes role expects the following variables to be available for the tasks to execute:

trilio_kubernetes_auth_api:
trilio_kubernetes_username:
trilio_kubernetes_password:

As these involve sensitive information, but are required for the role to execute, we will store them in an ansible-vault encrypted file.

  1. Let us suppose we have an OpenShift cluster and we will use the user kubeadmin, with the relevant password created during installation to authenticate with the Ansible tasks.

    Create an auth.enc file that we will encrypt using ansible-vault, and will have authentication details in that we will pass, on the cli, to the trilio-utility.yaml playbook

    ansible-vault create ocp-dc3.enc

  2. Enter a password that you will use to decrypt this file when we execute our playbook.

  3. Add the following contents, replacing the values for your installation.

    trilio_kubernetes_auth_api: https://api.your.installation.openshift:6443
    trilio_kubernetes_username: kubeadmin
    trilio_kubernetes_password: bUzC1-lGdSh-TbptJ-UXuN4

  4. Save and exit

  5. The trilio-utility.yaml playbook always looks up a variable file, in the same directory of the playbook, called trilio_kubernetes-config.yaml. In here we specify which type of authentication to use. Change the following variables to be

    trilio_kubernetes_distro: openshift
    trilio_kubernetes_auth_type: password

Note: if you were using a non-OpenShift environment, change trilio_kubernetes_distro: to be kubernetes

Additional Note: Any of the variables in this file can be placed in separate files and referenced independently on the command line using the -e option to the ansible-playbook command.

Option 2: Configuring Kubeconfig Authentication

The trilio_kubernetes role will also read in a specified Kubeconfig file to authenticate too. This is simply configured in the trilio_kubernetes-config.yaml file present in the same directory as the example trilio-utility.yaml playbook and change the following variables:

trilio_kubernetes_distro: kubernetes
trilio_kubernetes_auth_type: kubeconfig
kubeconfig: /home/user/cluster1-kubeconfig.yaml

 

Using the trilio-utility.yaml Playbook and Configuration to run basic checks

The trilio_kubernetes tasks have been created with tags, so that you can invoke those tasks from the role directly by specifying that tag.

We will use the trilio-utility.yaml playbook, and the auth.enc file, if using username and passwords, to run a basic sanity check of the environment.

  1. To run a check issue the following:

    ansible-playbook -e @auth.enc trilio-utility.yaml --tags "check"

  2. This will present output like the following:

Example trilio-utility.yaml ‘check’ output

[WARNING]: No inventory was parsed, only implicit localhost is available
[WARNING]: provided hosts list is empty, only localhost is available. Note that the implicit localhost does not match 'all'

PLAY [Trilio for Kubernetes Ansible Utility] *****************************************************************************************************

TASK [Gathering Facts] ***************************************************************************************************************************
ok: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Authentication to Kubernetes] *********************************************************************************
included: /Users/kevinjackson/Trilio/Ansible/ansible_collections/trilio/trilio-ansible/roles/trilio_kubernetes/tasks/trilio_kubernetes_auth.yaml for localhost

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Authenticate to Kubernetes] ***********************************************************************************
skipping: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Authenticate to OpenShift] ************************************************************************************
included: /Users/kevinjackson/Trilio/Ansible/ansible_collections/trilio/trilio-ansible/roles/trilio_kubernetes/tasks/trilio_kubernetes_auth_openshift.yaml for localhost

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Configure Authentication] *************************************************************************************
ok: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Log in to OpenShift (obtain access token)] ********************************************************************
ok: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Auth Fact Set] ************************************************************************************************
ok: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Basic Trilio for Kubernetes Checks] ***************************************************************************
included: /Users/kevinjackson/Trilio/Ansible/ansible_collections/trilio/trilio-ansible/roles/trilio_kubernetes/tasks/trilio_kubernetes_check.yaml for localhost

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Check for kubectl] ********************************************************************************************
ok: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Check for oc] *************************************************************************************************
ok: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for Trilio License] **********************************************************************************
ok: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for CSI Drivers] *************************************************************************************
ok: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for CSI Drivers (kubeconfig)] ************************************************************************
skipping: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for VolumeSnapshot CRD] ******************************************************************************
ok: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for VolumeSnapshot CRD (kubeconfig)] *****************************************************************
skipping: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for VolumeSnapshotClass CRD] *************************************************************************
ok: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for VolumeSnapshotClass CRD (kubeconfig)] ************************************************************
skipping: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for VolumeSnapshotContent CRD] ***********************************************************************
ok: [localhost]

TASK [trilio.trilio_kubernetes.trilio_kubernetes : Checking for VolumeSnapshotContent CRD (kubeconfig)] **********************************************************
skipping: [localhost]

PLAY RECAP ***************************************************************************************************************************************
localhost : ok=14 changed=0 unreachable=0 failed=0 skipped=5 rescued=0 ignored=0

Summary

In this Part 2 of our Ansible blog posts we covered:

  • Installation of the trilio.trilio_kubernetes role for Kubernetes and OpenShift users

  • Provided an overview of the role and how to use it

  • Configured the variables for use with the role

  • Provide an example Playbook that invokes the role to do a basic checks of Trilio and its dependencies

Part 3 will cover creating Targets, Backup Plans and Backups.

Sharing

Author

Picture of Kevin Jackson

Kevin Jackson

Related Articles

Copyright © 2024 by Trilio

Powered by Trilio