Ransomware attackers specifically target and attempt to destroy backup systems to increase the probability of payment. Hardening your system is critical. Please ensure you have reviewed your platform security using the Security Hardening Checklist
Cohesity

COHESITY Documentation

Explore our documentation to get started, discover products & new features, access troubleshooting guides, register sources, platforms support.

Products
Data Security Alliance
Visit Cohesity.com
Demos
Support
Blogs
Developers
Partner Portals
Cohesity Community
© 2026 Cohesity, Inc. All Rights Reserved.
Terms of Use|
Privacy Policy|
Legal|
  1. Home
  2. NetBackup™ Deployment Guide for Kubernetes Clusters
  3. Section I. Configurations
  4. Configurations
  5. Initial configurations
NetBackup™ Deployment Guide for Kubernetes Clusters

Initial configurations

Creating Secrets

Perform the following steps to create Secrets

  1. Create a Kubernetes namespace where your new NetBackup environment will run. Run the command:

    kubectl create namespace nb-example

    Where, nb-example is the name of the namespace. The Primary, Media, and MSDP Scaleout application namespace must be different from the one used by the operators. It is recommended to use two namespaces. One for the operators, and a second one for the applications.

  2. Create a secret to hold the primary server credentials. Those credentials are configured in the NetBackup primary server, and other resources in the NetBackup environment use them to communicate with and configure the primary server. The secret must include fields for `username` and `password`. If you are creating the secret by YAML, the type should be opaque or basic-auth. For example:
    apiVersion: v1
           kind: Secret
           metadata:
             name: primary-credentials
             namespace: nb-example
           type: kubernetes.io/basic-auth
           stringData:
             username: nbuser
             password: p@ssw0rd

    You can also use this command to create a secret.

    $ kubectl create secret generic primary-credentials --namespace nb-example --from-literal=username='nbuser' --from-literal=password='p@ssw0rd'

  3. Create a KMS DB secret to hold Host Master Key ID (`HMKID`), Host Master Key passphrase (`HMKpassphrase`), Key Protection Key ID (`KPKID`), and Key Protection Key passphrase (`KPKpassphrase`) for NetBackup Key Management Service. If creating the secret by YAML, the type should be _opaque_. For example:
     apiVersion: v1
           kind: Secret
           metadata:
             name: example-key-secret
             namespace: nb-example
           type: Opaque
           stringData:
             HMKID: HMKID
             HMKpassphrase: HMKpassphrase
             KPKID: KPKID
             KPKpassphrase: KPKpassphrase

    You can also create a secret using kubectl from the command line:

    $ kubectl create secret generic example-key-secret --namespace nb-namespace --from-literal=HMKID="HMKID" --from-literal=HMKpassphrase="HMKpassphrase" --from-literal=KPKID="KPKID" --from-literal=KPKpassphrase="KPKpassphrase"

    For more details on NetBackup deduplication engine credential rules, see: https://support.cohesity.com/s/article/article-100048511

  4. Create a secret to hold the MSDP Scaleout credentials for the storage server. The secret must include fields for `username` and `password` and must be located in the same namespace as the Environment resource. If creating the secret by YAML, the type should be _opaque_ or _basic-auth_. For example:
    apiVersion: v1
           kind: Secret
           metadata:
             name: msdp-secret1
             namespace: nb-example
           type: kubernetes.io/basic-auth
           stringData:
             username: nbuser
             password: p@ssw0rd

    You can also create a secret using kubectl from the command line:

    $ kubectl create secret generic msdp-secret1 --namespace nb-example --from-literal=username='nbuser' --from-literal=password='p@ssw0rd'

    Note:

    You can use the same secret for the primary server credentials (from step 2) and the MSDP Scaleout credentials, so the following step is optional. However, to use the primary server secret in an MSDP Scaleout, you must set the credential.autoDelete property to false. The sample file includes an example of setting the property. The default value is true, in which case the secret may be deleted before all parts of the environment have finished using it.

  5. (Optional) Create a secret to hold the KMS key details. Specify KMS Key only if the KMS Key Group does not already exist and you need to create.

    Note:

    When reusing storage from previous deployment, the KMS Key Group and KMS Key may already exist. In this case, provide KMS Key Group only.

    If creating the secret by YAML, the type should be _opaque_. For example:

    apiVersion: v1
           kind: Secret
           metadata:
             name: example-key-secret
             namespace: nb-example
           type: Opaque
           stringData:
             username: nbuser
             passphrase: 'test passphrase'

    You can also create a secret using kubectl from the command line:

    $ kubectl create secret generic example-key-secret --namespace nb-example --from-literal=username="nbuser" --from-literal=passphrase="test passphrase"

    You may need this key for future data recovery. After you have successfully deployed and saved the key details. It is recommended that you delete this secret and the corresponding key info secret.

  6. Create a secret to hold the MSDP S3 root credentials if you need MSDP S3 service. The secret must include accessKey and secretKey, and must be located in the same namespace as the Environment resource.
    • accessKey must match the regex pattern ^[\w]+$ and has the length in the range [16, 128].

    • secretKey must match the regex pattern ^[\w+\/]+$ and has the length in the range [32, 128].

    It is recommended that you generate random S3 root credentials. Run the following command:

    $ kubectl msdp generate-s3-secret --namespace nb-example --s3secret s3-secret1

    Save the generated S3 root credentials at a secure place for later use.

  7. Create the Snapshot Manager server secret using kubectl from the command line:

    kubectl create secret generic cp-creds --namespace netbackup --from-literal=username="admin" --from-literal=password="CloudPoint@123"

Creating storage class

The following storage classes (disk & file based) are created automatically during helm installation: <storage class names>

  • nb-file-premium

  • nb-disk-standard

  • nb-disk-standardssd

  • nb-disk-premium

For more information refer to the following section:

More Information

Installing Cloud Scale environment

Feedback

Was this page helpful?
Previous

Contents of the TAR file

Next

Configuring the environment.yaml file

Feedback

Was this page helpful?