Backing up and restoring applications

Red Hat OpenShift Service on AWS 4

Backing up and restoring of applications data

Red Hat OpenShift Documentation Team

Abstract

This document provides information about backing up applications.

Chapter 1. Backing up applications

You can employ OpenShift API for Data Protection (OADP) with Red Hat OpenShift Service on AWS (ROSA) clusters to backup and restore application data. Before installing OADP, you must set up role and policy credentials for OADP so that it can use the AWS API.

This is a two stage process:

  1. Prepare AWS credentials.
  2. Install the OADP Operator and provide it with the IAM role.

1.1. Preparing AWS credentials

An AWS account must be ready to accept an OADP installation.

Procedure

  1. Create the following environment variables by running the following commands:

    Note

    Change the cluster name to match your ROSA cluster, and ensure you are logged into the cluster as an administrator. Ensure that all fields are outputted correctly before continuing. 

    $ export CLUSTER_NAME=my-cluster 1
export ROSA_CLUSTER_ID-$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .id)
export REGION=$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .region.id)
export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o jsonpath='{.spec.serviceAccountIssuer}' | sed 's|^https://||')
export AWS_ACCOUNT_ID='aws sts get-caller-identity --query Account --output text'
export CLUSTER_VERSION='rosa describe cluster -c ${CLUSTER_NAME} -o json | jq -r .version.raw_id | but -f -2 -d '.' '
export ROLE_NAME="${CLUSTER_NAME}-openshift-oadp-aws-cloud-credentials"
export SCRATCH="/tmp/${CLUSTER_NAME}/oadp"
mkdir -p ${SCRATCH}
echo "Cluster ID: ${ROSA_CLUSTER_ID}, Region: ${REGION}, OIDC Endpoint:
${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"
    1
    Replace my-cluster with your ROSA cluster name.

  2. On the AWS account, create an IAM policy to allow access to S3.

    1. Check to see if the policy exists by running the following command: 

      $ POLICY_ARN=$(aws iam list-policies --query "Policies[?PolicyName=='RosaOadpVer1'].{ARN:Arn}" -- output text) 1
      1
      Replace RosaOadp with your policy name.

    2. Use the following command to create the policy JSON file and then create the policy in ROSA.

      Note

      If the policy ARN is not found, the command will create the policy. If the policy ARN already exists, the if statement will intentionally skip the policy creation. 

      $ if [[ -z "${POLICY_ARN}" ]]; then
cat << EOF > ${SCRATCH}/policy.json 1
{
"Version": "2012-10-17",
"Statement": [
  {
    "Effect": "Allow",
    "Action": [
      "s3:CreateBucket",$ echo ${POLICY_ARN}
      "s3:DeleteBucket",cd openshift-docs
      "s3:PutBucketTegging",
      "s3:GetBucketTegging",
      "s3:PutEncryptionConfiguration",
      "s3:GetEncryptionConfiguration",
      "s3:PutLifecycleConfiguration",
      "s3:GetLifecycleConfiguration",
      "s3:GetBucketLocation",
      "s3:ListBucket",
      "s3:GetObject",
      "s3:PutObject",
      "s3:DeleteOgject",
      "s3:ListBucketMultipartUpLoads",
      "s3:AbortMultipartUpLoads",
      "s3:ListMultipartUpLoadParts",
      "s3:DescribeSnapshots",
      "ec2:DescribeVolumes",
      "ec2:DescribeVolumeAttribute",
      "ec2:DescribeVolumesModifications",
      "ec2:DescribeVolumeStatus",
      "ec2:CreateTags",
      "ec2:CreateVolume",
      "ec2:CreateSnapshot",
      "ec2:DeleteSnapshot",
    ]
    "Resource": "*"
  }
 ]}
EOF
POLICY_ARN=$(aws iam create-policy --policy-mane "RosaOadpVer1" \
--policy-document file:///${SCRATCH}/policy.json --query Policy.Arn \
--tags Key=rosa_openshift_version,Value=${CLUSTER_VERSION} Key-rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-oadp Key=operator_name,Value=openshift-oadp \
--output text)
fi
      1
      SCRATCH is a name for a temporary directory created for the environment variables.

    3. View the policy ARN by running the following command: 

      $ echo ${POLICY_ARN}

  3. Create an IAM role trust policy for the cluster:

    1. Create the trust policy file by running the following command: 

      $ cat <<EOF > ${SCRATCH}/trust-policy.json
{
    "Version": :2012-10-17",
    "Statement": [{
      "Effect": "Allow",
      "Principal": {
        "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}"
      },
      "Action": "sts:AssumeRoleWithWebIdentity",
      "Condition": {
        "StringEquals": {
          "${OIDC_ENDPOINT}:sub": [
            "system:serviceaccount:openshift-adp:openshift-adp-controller-manager",
            "system:serviceaccount:openshift-adp:velero:]
        }
      }
    }]
}
EOF

    2. Create the role by running the following command: 

      $ ROLE_ARN=$(aws iam create-role --role-name \
  "${ROLE_NAME}" \
  --assume-role-policy-document file://${SCRATCH}/trust-policy.json \
  --tags Key+rosa_cluster_id,Value=${ROSA_CLUSTER_ID}
Key=rosa_openshift_verson,Value=${CLUSTER_VERSION}
Key=rosa_role_prefix,Value=ManagedOpenShift
Key=operator_namespace,Value=openshift-adp
Key=operator_name,Value-openshift-oadp \
   --query Role.Arn --output text)

    3. View the role ARN by running the following command: 

      $ echo ${ROLE_ARN}

  4. Attach the IAM policy to the IAM role by running the following command: 

    $ aws iam attach-role-policy --role-name "${ROLE_NAME}" \
  --policy-arn ${POLICY_ARN}

Next steps

  • Continue to Installing the OADP Operator and providing the IAM role.

1.2. Installing the OADP Operator and providing the IAM role

AWS Security Token Service (AWS STS) is a global web service that provides short-term credentials for IAM or federated users. Red Hat OpenShift Service on AWS (ROSA) with STS is the recommended credential mode for ROSA clusters. This document describes how to install OpenShift API for Data Protection (OADP) on (ROSA) with AWS STS.

Important

Restic is not supported in the OADP on ROSA with AWS STS environment. Ensure the Restic service is disabled. Use native snapshots to backup volumes. See Known Issues for more information.

Prerequisites

  • A ROSA OpenShift Cluster with the required access and tokens. For instructions, see the procedure in Preparing AWS credentials.

Procedure

  1. Create an Openshift secret from your AWS token file by entering the following commands.

    1. Create the credentials file: 

      $ cat <<EOF > ${SCRATCH}/credentials
[default]
role_arn = ${ROLE_ARN}
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
EOF

    2. Create the OpenShift secret: 

      $ oc -n openshift-adp create secret generic cloud-credentials \
  --from-file=${SCRATCH}/credentials

  2. Install the OADP Operator.

    1. In the Red Hat OpenShift Service on AWS web console, navigate to Operators OperatorHub.
    2. Search for the OADP Operator, then click Install.

  3. Create AWS cloud storage using your AWS credentials: 

    $ cat << EOF | oc create -f -
apiVersion: oadp.openshift.io/v1alpha1
kind: CloudStorage
metadata:
  name: ${CLUSTER_NAME}-oadp
  namespace: openshift-adp
spec:
  creationSecret:
    key: credentials
    name: cloud-credentials
  enableSharedConfig: true
  name: ${CLUSTER_NAME}-oadp
  provider: aws
  region: $REGION
EOF

  4. Create the DataProtectionApplication resource, which is used to configure the connection to the storage where the backups and volume snapshots will be stored: 

    $ cat << EOF | oc create -f -
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: ${CLUSTER_NAME}-dpa
  namespace: openshift-adp
spec:
  backupLocations:
  - bucket:
      cloudStorageRef:
        name: ${CLUSTER_NAME}-oadp
      credential:
        key: credentials
        name: cloud-credentials
      default: true
      config:
        region: ${REGION}
  configuration:
    velero:
      defaultPlugins:
      - openshift
      - aws
      restic:
        enable: false
  snapshotLocations:
  - velero:
      config:
        credentialsFile: /tmp/credentials/openshift-adp/cloud-credentials-credentials 1
        enableSharedConfig: "true" 2
        profile: default 3
        region: ${REGION} 4
      provider: aws
EOF
    1
    The credentialsFile is the mounted location of the bucket credential on the pod.
    2
    The enableSharedConfig allows the snapshotLocations to share or reuse the credential defined for the bucket.
    3
    Assume your Velero default for your profile: default.
    4
    Specify region as your AWS region. This must be the same as the cluster region.
    Note

    The enable parameter of restic is set to false in this configuration because OADP does not support Restic in ROSA environments.

    You are now ready to backup and restore OpenShift applications, as described in the OADP documentation.

Additional resources

1.3. Known issues

Restic is not supported or recommended

1.4. Additional resources

Legal Notice

Copyright © 2023 Red Hat, Inc.
The text of and illustrations in this document are licensed by Red Hat under a Creative Commons Attribution–Share Alike 3.0 Unported license ("CC-BY-SA"). An explanation of CC-BY-SA is available at http://creativecommons.org/licenses/by-sa/3.0/. In accordance with CC-BY-SA, if you distribute this document or an adaptation of it, you must provide the URL for the original version.
Red Hat, as the licensor of this document, waives the right to enforce, and agrees not to assert, Section 4d of CC-BY-SA to the fullest extent permitted by applicable law.
Red Hat, Red Hat Enterprise Linux, the Shadowman logo, the Red Hat logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.
Linux® is the registered trademark of Linus Torvalds in the United States and other countries.
Java® is a registered trademark of Oracle and/or its affiliates.
XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.
MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.
Node.js® is an official trademark of Joyent. Red Hat is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.
The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation's permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.
All other trademarks are the property of their respective owners.