Search…
2.10.X
About TVK
Welcome to TrilioVault For Kubernetes (TVK)
Compatibility Matrix
Kubernetes Application Types
Features
Use Cases
Release Notes
Getting Started
Install Options
Licensing
Management Console (UI)
Trilio APIs
Uninstall Options
Architecture
Architectural Components
Backup and Restore Details
Backup Retention Process
Permissions
Resource Requirements and Limits
APIs and Command Line Reference
Operation
Operate
Observability
Management Console UI
About the UI
UI Authentication
Configuring the UI
Navigating the UI
UI How-to Guides
Performance
Modifying Default TVK Configuration
S3 as Backup Target
Measuring Backup Performance
Ecosystem
TVK Integration with Slack using BotKube
Monitoring TVK Logs using ELK Stack
Rancher Navigation Links for TrilioVault Management Console
Optimize TVK Backups with StormForge
TVK GitHub Runner
Prometheus Metrics
AWS RDS snapshots using TVK hooks
Plugins
TVK QuickStart Plugin
TVK Preflight Checks Plugin
TVK Target Browser Plugin
TVK Log Collector Plugin
TVK Cleanup Plugin
OCP ETCD Plugin
RKE ETCD Plugin
Support
Troubleshooting Guide
Support
Appendix
Ignored Resources
OpenSource Software Disclosure
CSI Drivers
TVK Product FAQ
OpenShift OperatorHub Custom CatalogSource
Air-Gapped Install - Upstream Kubernetes
Marketplace Support
Configure OVH Object Storage as a Target
Connect TVK UI hosted with HTTPS to another cluster hosted with HTTP or vice versa
Fetch DigitalOcean Kubernetes Cluster kubeconfig for TVK UI Authentication
Force Update TVK Operator in Rancher Marketplace
Backup and Restore Virtual Machine running on OpenShift
TVK For Volumes with Generic Storage
Powered By GitBook
Configuring the UI
This page describes how to configure and access the TVK UI.

Upstream Environments

There are three steps that a user must perform to enable UI access to the cluster:
  1. 1.
    Configure Management Console access (If not done already during install).
  2. 2.
    Create a DNS record for the FQDN.
  3. 3.
    Launch the TVK UI over HTTP/HTTPS.

Step 1: Configure Management Console Access

The UI configurations for the TrilioVault Management Console are controlled by the TrilioVault Manager (TVM) Custom Resource (CR).
The TVM resource can be created as part of the TrilioVault Operator Helm Chart installation (using the values.yaml file). Refer to Helm Quickstart Installation for this method. Alternatively, it can be created manually after installation of the TrilioVault Operator Helm Chart by performing the following tasks in the TrilioVault Manager CR :
  1. 1.
    Configure the hostname (optional) for the Management Console UI.
  2. 2.
    Specify whether to use the Trilio provided ingress controller, or an existing ingress controller available in the cluster. If using the Trilio provided one, then specify setup access over NodePort or LoadBalancer.
The following TrilioVault Manager YAML shows configuration settings for the UI components.
apiVersion: triliovault.trilio.io/v1
kind: TrilioVaultManager
metadata:
labels:
triliovault: k8s
name: tvk
spec:
trilioVaultAppVersion: 2.7.0
applicationScope: Cluster
# TVK components configuration, currently supports control-plane, web, exporter, web-backend, ingress-controller, admission-webhook.
# User can configure resources for all componentes and can configure service type and host for the ingress-controller
ingressConfig:
###ingress class and annotation should be uncommented only when ingress controller is set to false below.
#ingressClass: "nginx"
#annotations:
# "key": "value"
host: "upstream-tvk.demo.presales.trilio.io"
#tlsSecretName: ssl-certs
componentConfiguration:
web-backend:
resources:
requests:
memory: "400Mi"
cpu: "200m"
limits:
memory: "2584Mi"
cpu: "1000m"
ingress-controller:
enabled: true
service:
type: NodePort
  1. 1.
    Leverage default Ingress Controller - The ingressController section specifies that the Trilio provided ingress controller will be deployed (enabled:true) (See point 4 below for using an existing ingress controller) and that access to the service is set through type: NodePort
    • Based on the type provided in the TVM CR, the ingress service (k8s-triliovault-ingress-nginx-controller) Type is set accordingly on the service resource
  2. 2.
    Configure Hostname - The ingressConfig section shows the hostname for the management console is set to: upstream-tvk.demo.presales.trilio.io
    • For test and development environments the host field can be left blank for accessing directly over the IP address. In this case, the value for host in the ingress resource will be set to '*'
  3. 3.
    HTTPS Access For HTTPS access the tlsSecretName that has the TLS information should be provided. More information on HTTPS access is provided below.
  4. 4.
    Leverage existing Ingress Controller - If using a pre-existing ingress controller, then the ingressClass and annotations parameters should be used.

Set up Access via Port Forwarding

The console can also be accessed by forwarding the traffic for the ingress service if NodePort or LoadBalancer is not an option. This is only meant to serve for evaluation purposes and not recommended for Production deployments.
kubectl port-forward --address 0.0.0.0 svc/k8s-triliovault-ingress-nginx-controller 80:80 &
The above command will start forwarding TVK management console traffic to the localhost IP of 127.0.0.1 via port 80

Step 2: Create a DNS Record

After the TVM has been configured with ingress and ingress controller information, users need to create a DNS record for the host that was set within the resource.
Note: This step can be skipped if the host value is set to ""
In this case the console can be available in a browser directly by:
  1. 1.
    LoadBalancer: using the IP address of the load balancer
  2. 2.
    NodePort: The IP address of a worker node with port number provided
  3. 3.
    PortForwarding: 127.0.0.1:<port number> if port forwarding the ingress resource

DNS enabled environments

  1. 1.
    Create an A-Record in Route53 (AWS) or Google DNS service (GCP) or any other DNS manager of your choice
  2. 2.
    Map upstream-tvk.demo.presales.trilio.io (depending on the host value specified above) to the {PUBLIC_NODE_IP} for NodePort or {LB_IP} for Load Balancer.

Non-DNS or Local environments

For local environments perform the following on your local machine:
  • edit file sudo vi /etc/hosts
  • create an entry in /etc/hosts file for the IPs, so your file should look like this
...
127.0.0.1 localhost
....
​
xx.xx.xx.xx upstream-tvk.demo.presales.trilio.io
​
# The following lines are desirable for IPv6 capable hosts
::1 ip6-localhost ip6-loopback
fe00::0 ip6-localnet
ff00::0 ip6-mcastprefix
ff02::1 ip6-allnodes
ff02::2 ip6-allrouters
If Port Forwarding the ingress service, then do the following
For access via Port Forwarding use 127.0.0.1 <FQDN from step 2>
127.0.0.1 upstream-tvk.demo.presales.trilio.io

Step 3: Launch the TVK Management Console

Users can access the console via HTTP or HTTPS:

Access over HTTP - Launch via LoadBalancer

Ports do not need to be specified for LoadBalancer based access
  • Via FQDN - if host value in TVM CR is set
    • http://upstream-tvk.demo.presales.trilio.io/ goes to port 80 (default)
  • Via External IP - if host value in TVM CR is not set
    • http://<LoadBalancer IP>/

Access over HTTP - Launch via NodePort

If using NodePort to access the management console, capture the port number from the service resource (set by either the Trilio ingress controller or the user specified ingress controller) and use that port number in the management console URL
  • Via FQDN - if host value in TVM CR is set
    • For http (port 80) -> http://upstream-tvk.demo.presales.trilio.io:31200/login
  • Via External IP - if host value in TVM CR is not set
    • http://<Node IP>:<NodePort>/

Access over HTTPS - Prerequisite

As mentioned in the previous sections, console access over HTTPS requires TLS certificates to be provided as part of the TVM CR.
k8s-triliovault-ingress-tls-certs is a default certificate generated during TVK deployment. However, users should provide a correct secret specific to their environment with TLS information as explained below.
To generate a secret and provide it as a part of ingress resource:
  1. 1.
    Create a newsecret ssl-certs using custom SSL certificate tls.crt and key tls.key in the tvk-namespacenamespace where TVK is deployed
    kubectl create secret tls ssl-certs --cert tls.crt --key tls.key -n tvk-namespace
  2. 2.
    Edit the TVM CR and set the field for tlsSecretName

Access over HTTPS - Launch via LoadBalancer

Ports do not need to be specified for LoadBalancers - https://default.k8s-tvk.com/ goes to port 443 (default).

Access over HTTPS - Launch via NodePort

For https (port 443) -> https://upstream-tvk.demo.presales.trilio.io:30452/login
After accessing the above URL in your browser, the UI Login authentication page is displayed. For more details about the UI Login, refer to UI Login.
Note: If you are facing issue while accessing the TVK UI after above setting, check the Firewall Rules on the Kubernetes cluster nodes. Here is an example to check firewall rules for Google GKE cluster.

OpenShift Environments

For OpenShift environments, as part of the install from OperatorHub, the management console access through routes, and authentication to the management console. Any proxy settings are automatically configured by reading these settings in the OpenShift cluster.

Ingress Controller

TVK uses the default ingress controller provided by OCP as a part of the cluster. TVK works with the OpenShift default ingress-controller named default, which is present in the openshift-ingress-operator. So the hostname used for the TVK Ingress host is the domain supported by this controller (refer to status.domain of the IngressController resource).
oc get ingresscontroller -n openshift-ingress-operator
NAME AGE
default 6d14h
To use the default ingress controller in the cluster, run the following command on the OCP cluster after the deployment of the Trilio Operator from OperatorHub.
oc -n openshift-ingress-operator patch ingresscontroller/default --patch '{"spec":{"routeAdmission":{"namespaceOwnership":"InterNamespaceAllowed"}}}' --type=merge

Hostname Configuration

Trilio automatically installs and creates the ingress resources with a default hostname of:
<install-namespace>.<default-ingress-controller-domain>
This value can be changed by editing the master ingress resource (k8s-triliovault-master). The minion ingress resource will automatically pick up the settings from the master ingress resource. Only the <install-namespace> portion of the host can be changed, and the domain of the ingress controller must be kept as-is. Example: abcd.<default-ingress-controller-domain>

Access over HTTPS:

By default TVK works on HTTPS. TVK uses the OpenShift default ingress-controller TLS certificates for HTTPS communication:
  • k8s-triliovault-ingress-server-certs is a default secret generated during TVK deployment which contains the Ingress-controller's TLS certificate.
  • Check host field of ingress (kubectl get ingress k8s-triliovault -n <install-namespace>), and use that host to access UI on https://custom-domain.com/ (goes to port 443 (default))
Users can use their own custom SSL certificate to generate a secret and provide it as a part of ingress resource. Create a new secret ssl-certs using custom SSL certificate tls.crt and key tls.key in the <install-namespace> namespace where TVK is deployed.
kubectl create secret tls ssl-certs --cert tls.crt --key tls.key -n <install-namespace>
To add the secretName value of SSL certificate in the ingress spec, edit the ingress resource:
kubectl edit ingress k8s-triliovault
Add the below section of tls: to the ingress resource, in parallel to the existing rules: section. Then save the updated ingress resource.
specs:
rules:
- host: <custom-domain.com>
....
....
tls:
- hosts:
- <custom-domain.com>
secretName: <tlsSecretName>
Lets Encrypt or Cert-Manager can be leveraged to generate valid SSL certificates for a domain.

Access over HTTP:

If HTTP access is required, then remove the TLS section from the k8s-triliovault Ingress resource. To remove TLS section from ingress `k8s-triliovault`, edit the ingress resource (`kubectl edit ingress k8s-triliovault`) and remove the TLS section present, as follows:
spec:
tls:
- hosts:
- <host-name>
secretName: <tlssecretName>
Then access the UI on http://custom-domain.com/

OpenShift Routes

Routes are automatically created based on the ingress settings. Users can simply click on the route for service k8s-triliovault-web to launch the management console.

Authentication

TrilioVault automatically configures authentication for OCP environments by reading the IDP settings on the cluster. As soon as the console is launched, authentication is pre-configured and is ready to use.
UI authentication options
Previous
RBAC Authentication
Next - Management Console UI
Navigating the UI
Last modified 23d ago
Copy link
Outline
Upstream Environments
Step 1: Configure Management Console Access
Step 2: Create a DNS Record
Step 3: Launch the TVK Management Console
OpenShift Environments
Ingress Controller
Hostname Configuration
Access over HTTPS:
Access over HTTP:
OpenShift Routes
Authentication