Skip to content

Configure storage for backups

You can configure storage for backups in the backup.storages subsection of the Custom Resource, using the deploy/cr.yaml configuration file.

You should also create the Kubernetes Secret object with credentials needed to access the storage.

Amazon S3 or S3-compatible storage

  1. To store backups on the Amazon S3, you need to create a Secret with the following values:

    • the metadata.name key is the name which you will further use to refer your Kubernetes Secret,
    • the data.AWS_ACCESS_KEY_ID and data.AWS_SECRET_ACCESS_KEY keys are base64-encoded credentials used to access the storage (obviously these keys should contain proper values to make the access possible).

    Create the Secrets file with these base64-encoded keys following the deploy/backup-s3.yaml example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-cluster-name-backup-s3
    type: Opaque
    data:
      AWS_ACCESS_KEY_ID: UkVQTEFDRS1XSVRILUFXUy1BQ0NFU1MtS0VZ
      AWS_SECRET_ACCESS_KEY: UkVQTEFDRS1XSVRILUFXUy1TRUNSRVQtS0VZ
    

    Note

    You can use the following command to get a base64-encoded string from a plain text one:

    $ echo -n 'plain-text-string' | base64 --wrap=0
    
    $ echo -n 'plain-text-string' | base64
    

    Once the editing is over, create the Kubernetes Secret object as follows:

    $ kubectl apply -f deploy/backup-s3.yaml
    
  2. Put the data needed to access the S3-compatible cloud into the backup.storages subsection of the Custom Resource.

    • storages.<NAME>.type should be set to s3 (substitute the part with some arbitrary name you will later use to refer this storage when making backups and restores).

    • storages.<NAME>.s3.credentialsSecret key should be set to the name used to refer your Kubernetes Secret (my-cluster-name-backup-s3 in the last example).

    • storages.<NAME>.s3.bucket and storages.<NAME>.s3.region should contain the S3 bucket and region. Also you can use storages.<NAME>.s3.prefix option to specify the path (sub-folder) to the backups inside the S3 bucket. If prefix is not set, backups are stored in the root directory.

    • if you use some S3-compatible storage instead of the original Amazon S3, add the endpointURL key in the s3 subsection, which should point to the actual cloud used for backups. This value and is specific to the cloud provider. For example, using Google Cloud involves the following endpointUrl:

      endpointUrl: https://storage.googleapis.com
      

    The options within the storages.<NAME>.s3 subsection are further explained in the Operator Custom Resource options.

    Here is an example of the deploy/cr.yaml configuration file which configures Amazon S3 storage for backups:

    ...
    backup:
      ...
      storages:
        s3-us-west:
          type: s3
          s3:
            bucket: S3-BACKUP-BUCKET-NAME-HERE
            region: us-west-2
            credentialsSecret: my-cluster-name-backup-s3
      ...
    
    Using AWS EC2 instances for backups makes it possible to automate access to AWS S3 buckets based on IAM roles for Service Accounts with no need to specify the S3 credentials explicitly.

    Following steps are needed to turn this feature on:

    • Create the IAM instance profile and the permission policy within where you specify the access level that grants the access to S3 buckets.
    • Attach the IAM profile to an EC2 instance.
    • Configure an S3 storage bucket and verify the connection from the EC2 instance to it.
    • Do not provide s3.credentialsSecret for the storage in deploy/cr.yaml.

Microsoft Azure Blob storage

  1. To store backups on the Azure Blob storage, you need to create a Secret with the following values:

    • the metadata.name key is the name which you wll further use to refer your Kubernetes Secret,
    • the data.AZURE_STORAGE_ACCOUNT_NAME and data.AZURE_STORAGE_ACCOUNT_KEY keys are base64-encoded credentials used to access the storage (obviously these keys should contain proper values to make the access possible).

    Create the Secrets file with these base64-encoded keys following the deploy/backup-azure.yaml example:

    apiVersion: v1
    kind: Secret
    metadata:
      name: my-cluster-azure-secret
    type: Opaque
    data:
      AZURE_STORAGE_ACCOUNT_NAME: UkVQTEFDRS1XSVRILUFXUy1BQ0NFU1MtS0VZ
      AZURE_STORAGE_ACCOUNT_KEY: UkVQTEFDRS1XSVRILUFXUy1TRUNSRVQtS0VZ
    

    Note

    You can use the following command to get a base64-encoded string from a plain text one:

    $ echo -n 'plain-text-string' | base64 --wrap=0
    
    $ echo -n 'plain-text-string' | base64
    

    Once the editing is over, create the Kubernetes Secret object as follows:

    $ kubectl apply -f deploy/backup-azure.yaml
    
  2. Put the data needed to access the Azure Blob storage into the backup.storages subsection of the Custom Resource.

    • storages.<NAME>.type should be set toazure` (substitute the part with some arbitrary name you will later use to refer this storage when making backups and restores).

    • storages.<NAME>.azure.credentialsSecret key should be set to the name used to refer your Kubernetes Secret (my-cluster-azure-secret in the last example).

    • storages.<NAME>.azure.container option should contain the name of the Azure container. Also you can use storages.<NAME>.azure.prefix option to specify the path (sub-folder) to the backups inside the container. If prefix is not set, backups are stored in the root directory of the container.

    These and other options within the storages.<NAME>.azure subsection are further described in the Operator Custom Resource options.

    Here is an example of the deploy/cr.yaml configuration file which configures Azure Blob storage for backups:

    ...
    backup:
      ...
      storages:
        azure-blob:
          type: azure
          azure:
            container: <your-container-name>
            prefix: psmdb
            credentialsSecret: my-cluster-azure-secret
          ...
    

Last update: 2024-09-15