How to Enable Changed Block Tracking for Guest Cluster on vSphere with Tanzu

Patch VM Operator Config Map

In vSphere 7.0.3 and higher, the VM Operator does not allow the Velero vSphere Operator service account to enable changed block tracking on VMs.  To use CBT, the vmware-system-tkg-system-service-accounts config map needs to be modified.

1. Determine the namespace of the Velero vSphere Operator
   
   From the vCenter UI, the Velero vSphere Operator namespace will be visible as a namespace in the Supervisor cluster.  The name will begin with svc-velero-vsphere
   
   The namespace can also be found using kubectl from the Supervisor Cluster.
   
   This information will be used in step 4.

2. Login to vCenter Service Appliance using ssh.
   
   If ssh access to VCSA is not enabled, please follow VMware Documentation to 'Enable or Disable SSH and Bash Shell Access'.
3. Decrypt the password for the Supervisor Control Plane VM
   /usr/lib/vmware-wcp/decryptK8Pwd.py
   
   The output will show the password and IP address of the Supervisor Control Plane VM.  For multiple Supervisor Clusters, select the appropriate one from the list.

   Read key from file
   Connected to PSQL
   Cluster: domain-c106:6519bc6a-e519-4df9-84e1-da0a75598c05
   IP: <Supervisor Control Plane IP>
   PWD: <Supervisor Control Plane VM password>
   

   Connect over SSH to the Supervisor Control Plane VM (This can be performed from the VCSA shell or another system that has connectivity).

   Use the password obtained above to login.

4. Add the default service account for the Velero vSphere Operator’s namespace to the config map.
   Use the Velero vSphere Operator namespace name obtained in step 1.

5. Restart the TKG Controller Manager

Logging in to vSphere with Tanzu

Follow the instructions here on logging into the vSphere with Tanzu using the kubectl command and vSphere plugin.

Enable Changed Block Tracking (CBT) by Installing Velero With the Appropriate Options

Veeam Kasten for Kubernetes only leverages Velero to interact with the Velero vSphere Operator to be able to enable CBT and does not use Velero for any part of the backup or restore process.

Part 1: Create a namespace for the tool via the vSphere UI

1. Go to Workload Management, select the Namespaces tab
2. Click “New Namespace”
3. Using the vsphere-backup-infra namespace for this install is recommended, as this is not going to be a fully configured Velero install and will not be used (or work) for any actual backup operations using Velero.

Part 2: Use Velero Plugin to Enable CBT

Run the following velero-sphere command to enable CBT on guest cluster VMs:

This “installation” of Velero is only used to enable CBT.  This is the minimum install with only the Velero Plugin for vSphere and no other options. 

If Velero is already installed in Supervisor Cluster, enable CBT with this command, where <guest cluster namespace> is the name of the Guest Cluster. This commands needs to be executed while connected to the Supervisor Cluster:

How to Verify Changed Block Tracking (CBT) has Been Enabled

A Guest Cluster runs on multiple VMs managed by the Supervisor Cluster.  Verify that CBT has been turned on for those VMs by checking the status.changeblocktracking field of the virtualmachine resource in the Supervisor Cluster namespace where the Guest Cluster was created.

While connected to the Supervisor cluster:

1. List VMs

2. Check the virtual machines using the following command.
   This will return true if Changed Block Tracking has been successfully enabled on the VM.