Install and configure Trident Protect on the DR OpenShift cluster

Trident Protect is installed with a Helm Chart, which makes the experience pretty easy.
This task is usually performed by the Kubernetes admin.

First, switch context in order to run commands on the DR cluster:

oc config use-context DR

Also make sure Trident Protect is not present:

oc get ns trident-protect
Error from server (NotFound): namespaces "trident-protect" not found

Trident Protect installation

You are now ready to proceed:

helm repo add netapp-trident-protect https://netapp.github.io/trident-protect-helm-chart/
oc create ns trident-protect
helm install trident-protect netapp-trident-protect/trident-protect --set clusterName=dr --version {ocp_dr_trident_helm_chart_version}  --namespace trident-protect

The binary tridenctl-protect is also helpful to interact with Trident Protect.

curl -L -o tridentctl-protect https://github.com/NetApp/tridentctl-protect/releases/download/{ocp_dr_trident_cli_version}/tridentctl-protect-linux-amd64
chmod +x tridentctl-protect
mv ./tridentctl-protect /home/rosa/bin/

Trident Protect verification

If everything well, you should find a new POD in the trident-protect namespace:

oc get po -n trident-protect
NAME                                                           READY   STATUS    RESTARTS   AGE
trident-protect-controller-manager-7cdff78665-brjxk            2/2     Running   0          30s

Another pod (autosupportbundle) should eventually appear.
Its role is to generate support data and send telemetry to NetApp Support.

There are also a whole list of CRD installed with Trident Protect:

oc get crd | grep protect
applications.protect.trident.netapp.io                 2025-03-17T14:23:58Z
appmirrorrelationships.protect.trident.netapp.io       2025-03-17T14:23:58Z
appmirrorupdates.protect.trident.netapp.io             2025-03-17T14:23:58Z
appvaults.protect.trident.netapp.io                    2025-03-17T14:23:58Z
autosupportbundles.protect.trident.netapp.io           2025-03-17T14:23:58Z
autosupportbundleschedules.protect.trident.netapp.io   2025-03-17T14:23:58Z
backupinplacerestores.protect.trident.netapp.io        2025-03-17T14:23:58Z
backuprestores.protect.trident.netapp.io               2025-03-17T14:23:58Z
backups.protect.trident.netapp.io                      2025-03-17T14:23:58Z
exechooks.protect.trident.netapp.io                    2025-03-17T14:23:58Z
exechooksruns.protect.trident.netapp.io                2025-03-17T14:23:58Z
kopiavolumebackups.protect.trident.netapp.io           2025-03-17T14:23:58Z
kopiavolumerestores.protect.trident.netapp.io          2025-03-17T14:23:58Z
pvccopies.protect.trident.netapp.io                    2025-03-17T14:23:58Z
pvcerases.protect.trident.netapp.io                    2025-03-17T14:23:58Z
resourcebackups.protect.trident.netapp.io              2025-03-17T14:23:58Z
resourcedeletes.protect.trident.netapp.io              2025-03-17T14:23:58Z
resourcerestores.protect.trident.netapp.io             2025-03-17T14:23:58Z
resticvolumebackups.protect.trident.netapp.io          2025-03-17T14:23:58Z
resticvolumerestores.protect.trident.netapp.io         2025-03-17T14:23:58Z
schedules.protect.trident.netapp.io                    2025-03-17T14:23:58Z
shutdownsnapshots.protect.trident.netapp.io            2025-03-17T14:23:58Z
snapshotinplacerestores.protect.trident.netapp.io      2025-03-17T14:23:58Z
snapshotrestores.protect.trident.netapp.io             2025-03-17T14:23:58Z
snapshots.protect.trident.netapp.io                    2025-03-17T14:23:58Z

According to the OpenShift Container Platform documentation:

  • In the Kubernetes API, a resource is an endpoint that stores a collection of API objects of a certain kind. For example, the built-in Pods resource contains a collection of Pod objects.

  • A custom resource definition (CRD) object defines a new, unique object type, called a kind, in the cluster and lets the Kubernetes API server handle its entire lifecycle.

For instance, Trident Protect created a new CRD called applications.protect.trident.netapp.io, which shortcut is application.
You are going use that new resource in the next module.

If multiple resources are called applications, it is wiser to use the complete name in order to retrieve the expected result.
Example with 2 different resources with the same shortcut

  • Trident Protect: applications.protect.trident.netapp.io

  • ArgoCD: applications.argoproj.io

Trident Protect AppVault creation

Trident Protect uses a S3 compatible bucket to save the application metadata, as well as the data when a backup is performed.
The CR that represent that bucket is called an AppVault.

The admin could create an AppVault used by all possible applications, or create specific ones per application (in which case you would have multiple buckets).
As we have only one bucket available, let’s create a single AppVault.

Make sure you can see the target S3 bucket. It is in the PROD AWS account, but is also readable by the DR AWS account.

aws s3 ls --profile=prod
2025-12-15 15:39:06 2n6tlotbhmn5s2sokqqh5mtciecotrp5-image-registry-us-east-1-pbsu
2025-12-15 15:54:16 bucket-rkzkg-2

To create the AppVault, you first need to create two secrets:

  • one to host the bucket keys

  • one to host a password for the repository encryption

oc create secret generic -n trident-protect aws-s3-keys --from-literal=accessKeyID={aws_access_key_id} --from-literal=secretAccessKey={aws_secret_access_key}
oc create secret generic -n trident-protect appvault-secret --from-literal=KOPIA_PASSWORD={kopia_password}
Please do not change that appvault-secret password as the same bucket is used for both production and DR environments to allow for disaster recovery/failover. The AppVault is already configured with this password on the production environment 
secret/aws-s3-keys created
secret/appvault-secret created

You are now ready to proceed with the AppVault creation, which is done in the trident-protect namespace. We will use the tridentctl-protect tool here, but you can achieve the same via declarative YAML manifests, ready to be included in your GitOps pipeline.

tridentctl-protect create appvault AWS lab-vault --secret aws-s3-keys --bucket {s3_bucket_name} --endpoint s3.{aws_default_region}.amazonaws.com --data-mover-password-secret-ref appvault-secret -n trident-protect
tridentctl-protect get appvault -n trident-protect
+-----------+----------+-----------+-------+---------+-----+
|   NAME    | PROVIDER |   STATE   | ERROR | MESSAGE | AGE |
+-----------+----------+-----------+-------+---------+-----+
| lab-vault | AWS      | Available |       |         | 2s  |
+-----------+----------+-----------+-------+---------+-----+

You might have to wait a few seconds and repeat the last command until the state is "Available".

In a production environment, the administrator may also perform the following tasks:

  • Create the user namespace

  • Create a service account that allows the creation of a Trident Protect application in that namespace

  • Grant access to AppVault objects for individual users

In a real world architecture where you want to implement a DR accross multiple regions, you may want to create a bucket & an AppVault per region. Trident Protect will take care of copying the application metadata between both buckets.

As we are going to run the whole lab as an admin, the setup of fine-grained RBAC for backup & restore is not covered. For further details on access control, please refer to this link

You are now done with this module. Please proceed with the next one.