备份和恢复应用程序
Red Hat OpenShift Service on AWS 4
备份和恢复应用程序数据
Red Hat OpenShift Documentation Team
摘要
本文档提供有关备份应用程序的信息。
第 1 章 备份应用程序
您可以将 OpenShift API 用于 Red Hat OpenShift Service on AWS (ROSA) 集群的数据保护 (OADP) 来备份和恢复应用程序数据。在安装 OADP 前,您必须为 OADP 设置角色和策略凭证,以便可以使用 AWS API。
这是一个包括两个阶段的过程:
- 准备 AWS 凭证。
- 安装 OADP Operator,并将其提供给 IAM 角色。
1.1. 准备 AWS 凭证
AWS 帐户必须准备好接受 OADP 安装。
流程
运行以下命令来创建以下环境变量:
注意更改集群名称来匹配您的 ROSA 集群,并确保以管理员身份登录到集群。在继续操作前,确保所有字段被正常输出。
$ export CLUSTER_NAME=my-cluster 1 export ROSA_CLUSTER_ID-$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .id) export REGION=$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .region.id) export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o jsonpath='{.spec.serviceAccountIssuer}' | sed 's|^https://||') export AWS_ACCOUNT_ID='aws sts get-caller-identity --query Account --output text' export CLUSTER_VERSION='rosa describe cluster -c ${CLUSTER_NAME} -o json | jq -r .version.raw_id | but -f -2 -d '.' ' export ROLE_NAME="${CLUSTER_NAME}-openshift-oadp-aws-cloud-credentials" export SCRATCH="/tmp/${CLUSTER_NAME}/oadp" mkdir -p ${SCRATCH} echo "Cluster ID: ${ROSA_CLUSTER_ID}, Region: ${REGION}, OIDC Endpoint: ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"- 1
- 将
my-cluster替换为您的 ROSA 集群名称。
在 AWS 帐户上,创建一个 IAM 策略以允许访问 S3。
运行以下命令,检查策略是否存在:
$ POLICY_ARN=$(aws iam list-policies --query "Policies[?PolicyName=='RosaOadpVer1'].{ARN:Arn}" -- output text) 1- 1
- 将
RosaOadp替换为您的策略名称。
使用以下命令来创建策略 JSON 文件,然后在 ROSA 中创建策略。
注意如果没有找到策略 ARN,该命令将创建策略。如果策略 ARN 已存在,则
if语句将跳过策略创建。$ if [[ -z "${POLICY_ARN}" ]]; then cat << EOF > ${SCRATCH}/policy.json 1 { "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": [ "s3:CreateBucket",$ echo ${POLICY_ARN} "s3:DeleteBucket",cd openshift-docs "s3:PutBucketTegging", "s3:GetBucketTegging", "s3:PutEncryptionConfiguration", "s3:GetEncryptionConfiguration", "s3:PutLifecycleConfiguration", "s3:GetLifecycleConfiguration", "s3:GetBucketLocation", "s3:ListBucket", "s3:GetObject", "s3:PutObject", "s3:DeleteOgject", "s3:ListBucketMultipartUpLoads", "s3:AbortMultipartUpLoads", "s3:ListMultipartUpLoadParts", "s3:DescribeSnapshots", "ec2:DescribeVolumes", "ec2:DescribeVolumeAttribute", "ec2:DescribeVolumesModifications", "ec2:DescribeVolumeStatus", "ec2:CreateTags", "ec2:CreateVolume", "ec2:CreateSnapshot", "ec2:DeleteSnapshot", ] "Resource": "*" } ]} EOF POLICY_ARN=$(aws iam create-policy --policy-mane "RosaOadpVer1" \ --policy-document file:///${SCRATCH}/policy.json --query Policy.Arn \ --tags Key=rosa_openshift_version,Value=${CLUSTER_VERSION} Key-rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-oadp Key=operator_name,Value=openshift-oadp \ --output text) fi- 1
SCRATCH是为环境变量创建的临时目录的名称。
运行以下命令来查看策略 ARN:
$ echo ${POLICY_ARN}
为集群创建 IAM 角色信任策略:
运行以下命令来创建信任策略文件:
$ cat <<EOF > ${SCRATCH}/trust-policy.json { "Version": :2012-10-17", "Statement": [{ "Effect": "Allow", "Principal": { "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}" }, "Action": "sts:AssumeRoleWithWebIdentity", "Condition": { "StringEquals": { "${OIDC_ENDPOINT}:sub": [ "system:serviceaccount:openshift-adp:openshift-adp-controller-manager", "system:serviceaccount:openshift-adp:velero:] } } }] } EOF运行以下命令来创建角色:
$ ROLE_ARN=$(aws iam create-role --role-name \ "${ROLE_NAME}" \ --assume-role-policy-document file://${SCRATCH}/trust-policy.json \ --tags Key+rosa_cluster_id,Value=${ROSA_CLUSTER_ID} Key=rosa_openshift_verson,Value=${CLUSTER_VERSION} Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-adp Key=operator_name,Value-openshift-oadp \ --query Role.Arn --output text)运行以下命令来查看角色 ARN:
$ echo ${ROLE_ARN}
运行以下命令,将 IAM 策略附加到 IAM 角色:
$ aws iam attach-role-policy --role-name "${ROLE_NAME}" \ --policy-arn ${POLICY_ARN}
后续步骤
- 继续安装 OADP Operator 并提供 IAM 角色。
1.2. 安装 OADP Operator 并提供 IAM 角色
AWS 安全令牌服务 (AWS STS) 是一个全局 Web 服务,它为 IAM 或联邦用户提供简短凭证。使用 STS 的 Red Hat OpenShift Service on AWS (ROSA) 是 ROSA 集群的建议凭证模式。本文档论述了如何使用 AWS STS 为 Data Protection (OADP) on (ROSA) with AWS STS 安装 OpenShift API for Data Protection (OADP)。
重要
使用 AWS STS 环境的 OADP on ROSA 不支持 Restic。确保禁用 Restic 服务。使用原生快照备份卷。如需更多信息,请参阅 已知问题。
先决条件
- 具有所需访问权限和令牌的 ROSA OpenShift 集群。具体步骤请参阅准备 AWS 凭证。
流程
输入以下命令,从 AWS 令牌文件创建 Openshift secret。
创建凭证文件:
$ cat <<EOF > ${SCRATCH}/credentials [default] role_arn = ${ROLE_ARN} web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token EOF创建 OpenShift secret:
$ oc -n openshift-adp create secret generic cloud-credentials \ --from-file=${SCRATCH}/credentials
安装 OADP Operator。
- 在 Red Hat OpenShift Service on AWS web 控制台中进入 Operators → OperatorHub。
- 搜索 OADP Operator,然后点 Install。
使用 AWS 凭证创建 AWS 云存储:
$ cat << EOF | oc create -f - apiVersion: oadp.openshift.io/v1alpha1 kind: CloudStorage metadata: name: ${CLUSTER_NAME}-oadp namespace: openshift-adp spec: creationSecret: key: credentials name: cloud-credentials enableSharedConfig: true name: ${CLUSTER_NAME}-oadp provider: aws region: $REGION EOF创建
DataProtectionApplication 资源,用于配置与要存储备份和卷快照的存储的连接:$ cat << EOF | oc create -f - apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: name: ${CLUSTER_NAME}-dpa namespace: openshift-adp spec: backupLocations: - bucket: cloudStorageRef: name: ${CLUSTER_NAME}-oadp credential: key: credentials name: cloud-credentials default: true config: region: ${REGION} configuration: velero: defaultPlugins: - openshift - aws restic: enable: false snapshotLocations: - velero: config: credentialsFile: /tmp/credentials/openshift-adp/cloud-credentials-credentials 1 enableSharedConfig: "true" 2 profile: default 3 region: ${REGION} 4 provider: aws EOF注意此配置中的
restic的enable参数设置为false,因为 OADP 不支持 ROSA 环境中的 Restic。现在,您可以备份和恢复 OpenShift 应用程序,如 OADP 文档所述。
其他资源
1.3. 已知问题
不支持或推荐 Restic
- CloudStorage: openshift-adp-controller-manager crashloop seg fault with Restic enabled
- Cloudstorage API: CSI Backup of an app with internal images partially fails with plugin panicked error
- (只有 OADP 1.1.x_ 受影响): CloudStorage: bucket is removed on CS CR delete, although it doesn’t have "oadp.openshift.io/cloudstorage-delete": "true"
1.4. 其他资源
法律通告
Copyright © 2023 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.