
Installing Veeam Kasten K10 on OpenShift Bare Metal with OAuth Integration

May 19, 2025


Overview

In this guide, I walk through a full installation of Veeam Kasten K10 on an OpenShift bare-metal cluster with OpenShift OAuth integration, TLS certificate setup, and custom CA bundle configuration. This setup ensures enterprise-grade resiliency and compliance if you’re managing data protection and backup in a Kubernetes/OpenShift environment.

Step 1: Install Kasten K10 Operator

Head to the OperatorHub inside OpenShift and search for:

Veeam Kasten (Enterprise - Term)

Install the operator in a dedicated namespace:

oc new-project kasten-io

From the UI, set the installation namespace as kasten-io.

Step 2: Create OpenShift OAuth-Compatible Service Account

Create a service account annotated with a redirect URI for OAuth login via the OpenShift console:

apiVersion: v1
kind: ServiceAccount
metadata:
  name: k10-dex-sa
  namespace: kasten-io
  annotations:
    serviceaccounts.openshift.io/oauth-redirecturi.dex: https://k10-route-kasten-io.apps.<your-domain>/k10/dex/callback

Apply it:

oc apply -f k10-serviceaccount.yaml

Step 3: Create Token Secret for OAuth

This secret is required to extract the token for integration with OpenShift identity providers:

apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
  name: k10-dex-sa-secret
  namespace: kasten-io
  annotations:
    kubernetes.io/service-account.name: "k10-dex-sa"

Apply it:

oc apply -f k10-secret.yaml

Step 4: Retrieve the Token from the Secret

Now, extract the actual token:

kubectl -n kasten-io get secret k10-dex-sa-secret -o jsonpath='{.data.token}' | base64 -d && echo

Copy this token; it is the clientSecret value in the K10 manifest in Step 6.

Step 5: Handle OpenShift Cluster TLS Certificates

Export the OpenShift router CA:

oc get secret router-ca -n openshift-ingress-operator -o jsonpath='{.data.tls\.crt}' | base64 --decode > router-ca.pem

Export the console certificate:

openssl s_client -showcerts -connect console-openshift-console.apps.<your-domain>:443 </dev/null 2>/dev/null | \
openssl x509 -outform PEM > openshift-console-cert.pem

Combine both:

cat openshift-console-cert.pem router-ca.pem > custom-ca-bundle.pem

Create a ConfigMap:

oc -n kasten-io create configmap custom-ca-bundle-store --from-file=custom-ca-bundle.pem
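A check worth running on custom-ca-bundle.pem before it goes into the ConfigMap, and again whenever the ingress certificate may have changed. This is an added example, not part of the original post; the function names are hypothetical and it needs only openssl and awk.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Usage: check_bundle custom-ca-bundle.pem
#        bundle_contains custom-ca-bundle.pem openshift-console-cert.pem

# split_bundle BUNDLE OUTDIR: write each certificate to OUTDIR/cert-N.pem
# and print how many were found.
split_bundle() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = dir "/cert-" n ".pem" }
    out != "" { print > out }
    /-----END CERTIFICATE-----/ { if (out != "") close(out); out = "" }
    END { print n + 0 }' "$1"
}

# fingerprint PEMFILE: SHA-256 fingerprint of the certificate in the file.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# check_bundle BUNDLE [SECONDS]: list every certificate; return 1 if any is
# expired or expires within SECONDS (default 30 days), 2 if none were found.
check_bundle() {
  cb_min=${2:-2592000}; cb_rc=0
  cb_tmp=$(mktemp -d) || return 2
  cb_n=$(split_bundle "$1" "$cb_tmp")
  [ "$cb_n" -gt 0 ] || { rm -rf "$cb_tmp"; return 2; }
  for cb_f in "$cb_tmp"/cert-*.pem; do
    cb_info=$(openssl x509 -in "$cb_f" -noout -subject -enddate | tr '\n' ' ')
    if openssl x509 -in "$cb_f" -noout -checkend "$cb_min" >/dev/null; then
      echo "OK      $cb_info"
    else
      echo "EXPIRES $cb_info"; cb_rc=1
    fi
  done
  rm -rf "$cb_tmp"
  return "$cb_rc"
}

# bundle_contains BUNDLE CERT: return 0 if CERT (for example the certificate
# the console serves today) is present in BUNDLE, 1 if the bundle has drifted.
bundle_contains() {
  bc_want=$(fingerprint "$2") || return 2
  bc_tmp=$(mktemp -d) || return 2
  split_bundle "$1" "$bc_tmp" >/dev/null
  bc_rc=1
  for bc_f in "$bc_tmp"/cert-*.pem; do
    [ -f "$bc_f" ] && [ "$(fingerprint "$bc_f")" = "$bc_want" ] && bc_rc=0
  done
  rm -rf "$bc_tmp"
  return "$bc_rc"
}
```

Re-export the console certificate as in Step 5 and pass it to bundle_contains to detect an ingress certificate rotation that the ConfigMap has not picked up.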

Step 6: Deploy Kasten K10 Instance

Prerequisites: annotate the VolumeSnapshotClasses that K10 should use for snapshots:

$ kubectl annotate volumesnapshotclass \
ocs-storagecluster-cephfsplugin-snapclass \
k10.kasten.io/is-snapshot-class=true

$ kubectl annotate volumesnapshotclass \
ocs-storagecluster-rbdplugin-snapclass \
k10.kasten.io/is-snapshot-class=true

Replace the placeholder token and domain values in the YAML below:

apiVersion: apik10.kasten.io/v1alpha1
kind: K10
metadata:
  name: k10
  namespace: kasten-io
  annotations:
    helm.sdk.operatorframework.io/reconcile-period: 2m
    helm.sdk.operatorframework.io/rollback-force: 'false'
  finalizers:
    - helm.sdk.operatorframework.io/uninstall-release
spec:
  auth:
    openshift:
      enabled: true
      serviceAccount: "k10-dex-sa"
      clientSecret: "<your-oauth-token>"
      dashboardURL: "https://k10-route-kasten-io.apps.<your-domain>/k10"
      openshiftURL: "https://api.<your-domain>:6443"
      insecureCA: false
  cacertconfigmap:
    name: custom-ca-bundle-store
  global:
    persistence:
      storageClass: "ocs-storagecluster-ceph-rbd"
  route:
    enabled: true
    tls:
      enabled: true

Apply:

oc apply -f k10-instance.yaml
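A pre-apply check for k10-serviceaccount.yaml and k10-instance.yaml, added here as an example and not part of the original post. It assumes the redirect URI must be the dashboardURL followed by /dex/callback, which is the pattern this guide's own values follow, and it reads the files line by line rather than parsing YAML; the function names are hypothetical.

```shell
#!/bin/sh
# Added example (not from the original post). Function names are hypothetical.
# Usage: preflight k10-serviceaccount.yaml k10-instance.yaml

# yaml_value FILE KEY: first scalar value of "KEY:" in FILE, quotes stripped.
yaml_value() {
  sed -n "s|^[[:space:]]*$2:[[:space:]]*||p" "$1" | head -n 1 |
    sed "s/[[:space:]]*\$//; s/^[\"']//; s/[\"']\$//"
}

# preflight SA_YAML K10_YAML: print one line per problem and return the
# number of problems found (0 means the manifests are consistent).
preflight() {
  pf_bad=0
  pf_fail() { echo "FAIL: $*"; pf_bad=$((pf_bad + 1)); }
  pf_redirect=$(yaml_value "$1" 'serviceaccounts.openshift.io/oauth-redirecturi.dex')
  pf_sa=$(yaml_value "$1" name)
  pf_dash=$(yaml_value "$2" dashboardURL)
  pf_ref=$(yaml_value "$2" serviceAccount)
  pf_secret=$(yaml_value "$2" clientSecret)
  pf_insecure=$(yaml_value "$2" insecureCA)

  # The dashboard and the OAuth callback must be served over TLS.
  case $pf_dash in https://*) ;; *) pf_fail "dashboardURL is not https: $pf_dash" ;; esac
  # Assumption: callback = dashboardURL + /dex/callback (as in this guide).
  [ "$pf_redirect" = "${pf_dash%/}/dex/callback" ] ||
    pf_fail "redirect URI $pf_redirect != ${pf_dash%/}/dex/callback"
  # The K10 spec must reference the annotated service account.
  [ "$pf_ref" = "$pf_sa" ] ||
    pf_fail "auth.openshift.serviceAccount '$pf_ref' != ServiceAccount '$pf_sa'"
  # An unreplaced <your-oauth-token> placeholder still contains '<'.
  case $pf_secret in
    ''|*'<'*) pf_fail "clientSecret is empty or still a placeholder" ;;
  esac
  # The custom CA bundle only matters while CA verification stays on.
  [ "$pf_insecure" = "false" ] || pf_fail "insecureCA is '$pf_insecure', expected false"
  grep -q '<your-domain>' "$1" "$2" && pf_fail "<your-domain> placeholder left in a manifest"
  return "$pf_bad"
}
```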

Validation

  • Visit the dashboard: https://k10-route-kasten-io.apps.<your-domain>/k10
  • You should be redirected to the OpenShift login screen.
  • Once authenticated, you’ll land inside the Kasten K10 UI.

Security Note

  • Make sure you restrict token permissions to minimal roles.
  • Secure the service account and limit user impersonation.
  • Keep your CA bundle updated if OpenShift ingress changes.

Conclusion

With this setup, Veeam Kasten K10 is now successfully running on your OpenShift bare metal cluster, integrated with OpenShift OAuth for secure access and custom CA certificates for TLS validation.

This forms the foundation for managing data protection, backup, and disaster recovery in your Kubernetes workloads.

Next up: In the upcoming blog, we’ll walk through how to add target backup storage such as NFS, S3-compatible object storage, or enterprise storage backends to complete the end-to-end backup solution using Kasten K10.

If you have any questions or feedback, feel free to comment.

About The Author
Suraj Solanki
Senior DevOps Engineer
LinkedIn: https://www.linkedin.com/in/suraj-solanki
Topmate: https://topmate.io/suraj_solanki
