
I have an Azure Kubernetes cluster with Velero installed. A Service Principal was created for Velero, per option 1 of the instructions.

Velero was working fine until the credentials for the Service Principal were reset. Now the scheduled backups are failing.

```
NAME                                    STATUS      ERRORS   WARNINGS   CREATED                         EXPIRES   STORAGE LOCATION   SELECTOR
daily-entire-cluster-20210727030055     Failed      0        0          2021-07-26 23:00:55 -0000       13d       default            <none>
```

How can I update the secret for Velero?

Codebling
  • Anything useful in `--secret-file ./credentials-velero`? It uses this location to start the `velero` - [install and start Velero](https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/tree/master#install-and-start-velero) – moonkotte Jul 28 '21 at 07:36
  • @moonkotte I have a secret file, but it looks like I can only use that option when installing. Doesn't seem to be a way to change the secrets. Re-install it is, I guess. – Codebling Jul 28 '21 at 15:18
  • Another option is to check secrets in cluster if it's run within it. Otherwise it's a good case to reach out to Velero support. Sort of unlikely StackOverflow community will be able to answer question for them. – moonkotte Jul 29 '21 at 07:13
  • @moonkotte I was wrong -- it looks like the secret called `cloud-credentials` contains exactly the contents of the credentials file. I'll try to write an answer – Codebling Jul 29 '21 at 16:53

1 Answer

1. Update credentials file

First, update your credentials file (for most providers, this is `credentials-velero`, and the contents are described in the plugin installation instructions: AWS, Azure, GCP).

2. Update secret

Now update the Velero secret. On Linux:

```
kubectl patch -n velero secret cloud-credentials -p '{"data": {"cloud": "'$(base64 -w 0 credentials-velero)'"}}'
```

  • `patch` tells kubectl to update a resource by merging the provided data
  • `-n velero` tells kubectl to use the `velero` namespace
  • `secret` is the resource type
  • `cloud-credentials` is the name of the secret used by Velero to store credentials
  • `-p` specifies that the next word is the patch data. It's more common to patch using JSON rather than YAML
  • `'{"data": {"cloud": "<your-base64-encoded-secret-will-go-here>"}}'` this is the JSON data that matches the existing structure of the Velero secret in Kubernetes. `<your-base64-encoded-secret-will-go-here>` is a placeholder for the command we'll insert.
  • `$(base64 -w 0 credentials-velero)` reads the file `credentials-velero` in the current directory, turns off word wrapping of the output (`-w 0`), BASE64-encodes the contents of the file, and inserts the result in the data.

Codebling
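
As an added example (not part of the original answer), the same patch can be built so that the encoded secret never appears in the `kubectl` command line, and then checked by comparing a digest of the stored value with the local file. The function names are hypothetical; it assumes `sha256sum`, `mktemp` and a kubectl that supports `--patch-file`.

```shell
# Added example, not from the original answer. Function names are hypothetical;
# namespace "velero", secret "cloud-credentials" and key "cloud" come from the answer.

# Print the JSON patch for a credentials file. tr removes line wraps, so this
# also works where base64 lacks the GNU-only -w flag.
build_patch() {
  [ -s "$1" ] || { echo "credentials file '$1' is missing or empty" >&2; return 1; }
  printf '{"data": {"cloud": "%s"}}' "$(base64 < "$1" | tr -d '\n')"
}

# Read base64 on stdin and print the SHA-256 of the decoded bytes, so the
# secret itself is never written to the terminal or to logs.
decoded_digest() {
  base64 -d | sha256sum | cut -d' ' -f1
}

# Extract the "cloud" value from a patch document (used for offline checks).
patch_value() {
  sed -n 's/.*"cloud": "\([^"]*\)".*/\1/p'
}

# Patch the secret from a temp file (mktemp creates it owner-only), then
# confirm the value stored in the cluster decodes to exactly the local file.
# Usage: rotate_velero_credentials ./credentials-velero
rotate_velero_credentials() {
  want=$(sha256sum < "$1" | cut -d' ' -f1) || return 1
  tmp=$(mktemp) || return 1
  build_patch "$1" > "$tmp" || { rm -f "$tmp"; return 1; }
  kubectl patch -n velero secret cloud-credentials --patch-file "$tmp"
  rc=$?
  rm -f "$tmp"
  [ "$rc" -eq 0 ] || return "$rc"
  got=$(kubectl get -n velero secret cloud-credentials \
          -o jsonpath='{.data.cloud}' | decoded_digest)
  [ "$got" = "$want" ] || { echo "secret does not match $1" >&2; return 1; }
  echo "cloud-credentials now matches $1 (sha256 $want)"
}
```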