Skip to content

Installation

This guide covers detailed installation instructions for deploying Velero Dashboard with Helm.

Prerequisites

Required

  • Kubernetes Cluster with Velero installed
  • Helm 3+ installed
  • kubectl configured with cluster access
  • Cluster Access: Kubeconfig files or service account tokens with permissions to read/write Velero resources

Optional

  • OIDC Provider: Dex (bundled), Keycloak, Auth0, Okta, etc.
  • Ingress Controller: nginx, Traefik, or similar
  • Cert Manager: For automatic TLS certificates

Velero Cluster Permissions

The Velero Dashboard needs a service account or kubeconfig with these permissions:

apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: velero-dashboard-role
rules:
  # Velero resources
  - apiGroups: ["velero.io"]
    resources:
      - backups
      - restores
      - schedules
      - backupstoragelocations
      - volumesnapshotlocations
      - backuprepositories
      - resticrepositories
    verbs: ["get", "list", "create", "update", "delete", "patch"]

  # Backup logs
  - apiGroups: ["velero.io"]
    resources:
      - backups/logs
      - restores/logs
    verbs: ["get"]

  # Pod logs for debugging
  - apiGroups: [""]
    resources: ["pods", "pods/log"]
    verbs: ["get", "list"]

  # Namespaces (for listing)
  - apiGroups: [""]
    resources: ["namespaces"]
    verbs: ["get", "list"]

Step 1: Login to Helm Registry

helm registry login https://registry.velerodash.com -u <username>

Step 2: Create Custom Values

Create values.yaml:

global:
  domain: "velerodash.example.com"

dashboard:
  # License (required)
  license:
    licenseData: |
      {
        "algo": "Ed25519",
        "payload": {
          "license_id": "your-license-id",
          "customer": "Your Company",
          "issued_at": "2025-01-01T00:00:00Z",
          "expires_at": "2026-01-01T00:00:00Z",
          "features": ["pro"]
        },
        "signature": "your-license-signature"
      }

  # Cluster configuration
  clusters: |
    clusters:
      - name: prod-cluster-1
        description: Production Cluster 1
        environment: production
        velero_namespace: velero
        auth_method: kubeconfig
        kubeconfig_path: /etc/kubeconfig/prod-cluster-1.yaml
        is_active: true

      - name: prod-cluster-2
        description: Production Cluster 2
        environment: production
        velero_namespace: velero
        auth_method: kubeconfig
        kubeconfig_path: /etc/kubeconfig/prod-cluster-2.yaml
        is_active: true

  # RBAC permissions (Casbin policy format)
  permissions: |
    p, velero.admin, *, *, .*
    p, velero.operator, *, backup, (view|list|create|delete|logs)
    p, velero.operator, *, restore, (view|list|create|logs)
    p, velero.operator, *, schedule, (view|list|create|delete)
    p, velero.viewer, *, *, (view|list|logs)

    g, admin, velero.admin
    g, devops-team, velero.operator
    g, developers, velero.viewer

# Dex OIDC Provider
dex:
  enabled: true
  config:
    staticPasswords:
      - email: "admin@example.com"
        # Generate with: htpasswd -nbBC 10 admin yourpassword | cut -d: -f2
        hash: "$2y$10$0t4vrdQDaMu2W0wAz5R3DOqzxUSf1o1x53wuwkIxm6bcr8jOY85SS"
        username: "admin"
        userID: "08a8684b-db88-4b73-90a9-3cd1661f5466"
        groups:
          - "admin"

# Ingress
ingress:
  enabled: true
  className: "nginx"
  annotations:
    cert-manager.io/cluster-issuer: "letsencrypt-prod"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
  tls:
    - secretName: velerodash-tls
      hosts:
        - velerodash.example.com

Step 3: Install

# Install with Helm
helm install velerodash oci://registry.velerodash.com/release/velerodash \
  --version 1.0.0 \
  -f values.yaml \
  --namespace velerodash \
  --create-namespace

# Or upgrade if already installed
helm upgrade velerodash oci://registry.velerodash.com/release/velerodash \
  --version 1.0.0 \
  -f values.yaml \
  --namespace velerodash

Step 4: Verify Installation

# Check pods
kubectl get pods -n velerodash

# Check services
kubectl get svc -n velerodash

# Check ingress
kubectl get ingress -n velerodash

# Check logs
kubectl logs -n velerodash -l app.kubernetes.io/name=velerodash --tail=100 -f

Step 5: Access Dashboard

# If using Ingress
echo "Access at: https://$(kubectl get ingress -n velerodash velerodash -o jsonpath='{.spec.rules[0].host}')"

Post-Installation

1. Verify Cluster Connectivity

Log in to the dashboard and check:

  • Navigate to "Clusters" page
  • Verify all clusters show "Connected" status
  • Check if Velero version is displayed for each cluster

2. Test Permissions

  • Create a test backup
  • View backup logs
  • Try accessing different namespaces
  • Verify RBAC policies are enforced

3. Configure Backup (Optional)

Create a Velero schedule to backup the dashboard configuration:

velero schedule create velerodash-config \
  --schedule="0 2 * * *" \
  --include-namespaces velerodash \
  --ttl 720h

Next Steps