Backups¶
The backup script runs daily and uploads the backup archives to cloud object storage. Three providers are currently supported (AWS S3, Google Cloud Storage and Azure Blob Storage); support for another storage provider can be requested from Trisotech Support (support@trisotech.com). The script creates one archive for each available vhost plus one for the root instance. The storage provider is selected by the environment variables defined in the des-backup secret (or, when Google Cloud is accessed through a Kubernetes service account, the des-backup ConfigMap described in that section). Whichever provider you use, the credential in that secret is effectively the key to every backup: restrict who can read it with Kubernetes RBAC, and give the cloud identity write access to the backup bucket only.
AWS S3¶
Variable | Definition
---|---
AWS_ACCESS_KEY_ID | the AWS access key id given on user creation
AWS_SECRET_ACCESS_KEY | the AWS secret associated to the access key
BUCKET | the name of the S3 bucket
Create a dedicated IAM user for the backup job rather than reusing an administrator's keys. Start from a policy that allows only s3:PutObject on arn:aws:s3:::<BUCKET>/* (the S3 counterpart of the roles/storage.objectCreator binding used in the Google Cloud section) and add permissions only if the job reports an access error; a leaked key then cannot read or delete existing backups.

```bash
cat << EOF > des-backup.yaml
apiVersion: v1
kind: Secret
metadata:
  name: des-backup
type: Opaque
stringData:
  AWS_ACCESS_KEY_ID: <AWS_ACCESS_KEY_ID>
  AWS_SECRET_ACCESS_KEY: <AWS_SECRET_ACCESS_KEY>
  BUCKET: <BUCKET>
EOF
kubectl apply -f des-backup.yaml -n <NAMESPACE>
```

Delete des-backup.yaml once applied, or write it to a location that is not checked into version control: the file holds the secret in clear text.
GCE GS (using service account key)¶
Variable | Definition
---|---
GCE_SERVICEACCOUNT | base64 of the service account JSON key file
BUCKET | the name of the Google Storage bucket
The value must be the whole key file encoded as a single line (on Linux, base64 -w0 key.json). Grant the service account only roles/storage.objectCreator on the backup bucket, the same role the Kubernetes service account method below uses, and prefer that method where Workload Identity Federation is available, since a key file is a long-lived credential that has to be rotated by hand.

```bash
cat << EOF > des-backup.yaml
apiVersion: v1
kind: Secret
metadata:
  name: des-backup
type: Opaque
stringData:
  GCE_SERVICEACCOUNT: <GCE_SERVICEACCOUNT>
  BUCKET: <BUCKET>
EOF
kubectl apply -f des-backup.yaml -n <NAMESPACE>
```
GCE GS (using kubernetes service account)¶
Using a Kubernetes service account avoids storing a long-lived key in a secret and is the more secure way to access Google Cloud Storage: the pod's Kubernetes service account token is exchanged for Google credentials at runtime, so there is nothing to leak or rotate. You must have a valid Workload Identity Federation configuration in your cluster. The commands below create the Kubernetes service account and bind the IAM role to its principal:
Variable | Definition
---|---
BUCKET | the name of the Google Storage bucket
NAMESPACE | the Kubernetes namespace
PROJECT_NUMBER | the Google Cloud project number (gcloud projects list)
PROJECT_ID | the Google Cloud project id (gcloud projects list)
SERVICE_ACCOUNT | the name of the Kubernetes service account (e.g. backup-sa)
IMAGE_PULL_SECRET | the secret used to pull images from the container registry (optional)
```bash
kubectl create serviceaccount <SERVICE_ACCOUNT> --namespace <NAMESPACE>
# [OPTIONAL] Only needed when image pulls rely on the imagePullSecrets attached to the
# namespace's default service account: a newly created service account does not inherit them.
kubectl patch -n <NAMESPACE> serviceaccount <SERVICE_ACCOUNT> -p '{"imagePullSecrets": [{"name": "<IMAGE_PULL_SECRET>"}]}'
# roles/storage.objectCreator only allows creating new objects: the job cannot list, read,
# overwrite or delete existing backups, which limits what a compromised pod can do.
# The member path starts with the project NUMBER while the pool is named after the project ID.
gcloud storage buckets add-iam-policy-binding gs://<BUCKET> \
  --role=roles/storage.objectCreator \
  --member=principal://iam.googleapis.com/projects/<PROJECT_NUMBER>/locations/global/workloadIdentityPools/<PROJECT_ID>.svc.id.goog/subject/ns/<NAMESPACE>/sa/<SERVICE_ACCOUNT> \
  --condition=None
```
Apply the changes to the DES deployment:
Variable | Definition
---|---
NAME | the Helm release name (helm ls -n <NAMESPACE>)
CHART | the Helm chart file (e.g. des-12.7.0.tgz)
In this mode the bucket name is provided in a ConfigMap (also named des-backup) instead of a Secret, since nothing in it is sensitive; the pod's identity comes from the service account set with backup.serviceAccountName.

```bash
cat << EOF | kubectl apply -f - -n <NAMESPACE>
apiVersion: v1
kind: ConfigMap
metadata:
  name: des-backup
data:
  BUCKET: <BUCKET>
EOF
helm upgrade <NAME> <CHART> \
  --namespace <NAMESPACE> \
  --reuse-values \
  --set backup.enabled=true \
  --set backup.serviceAccountName=<SERVICE_ACCOUNT>
```
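The steps above are easy to get subtly wrong: the principal string mixes the project number and the project id, and gcloud accepts a binding that never matches any pod without complaint. The following script is an added example, not part of the Trisotech documentation or chart: it validates the inputs, builds the principal, and runs the same kubectl/gcloud/helm commands as above (using kubectl create configmap in place of the heredoc), printing them instead when DRY_RUN is set. The validation patterns and the DRY_RUN switch are this example's own assumptions.

```shell
#!/bin/sh
# Added example (not Trisotech's code): assemble and sanity-check the Workload
# Identity Federation setup for the DES backup job. Variable names follow the
# tables in the documentation; the checks and DRY_RUN are this example's own.
set -eu

# Build the --member principal. The path starts with the project NUMBER, the
# pool is named after the project ID; swapping them yields a binding that
# silently never matches the pod.
wif_principal() {
  printf 'principal://iam.googleapis.com/projects/%s/locations/global/workloadIdentityPools/%s.svc.id.goog/subject/ns/%s/sa/%s' \
    "$1" "$2" "$3" "$4"
}

matches() { printf '%s' "$1" | grep -Eq "$2"; }

# Usage: validate_wif_inputs PROJECT_NUMBER PROJECT_ID NAMESPACE SERVICE_ACCOUNT BUCKET
validate_wif_inputs() {
  label='^[a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?$'   # RFC 1123 label used for Kubernetes names
  matches "$1" '^[0-9]+$'                       || { echo "PROJECT_NUMBER must be numeric" >&2; return 1; }
  matches "$2" '^[a-z][a-z0-9-]{4,28}[a-z0-9]$' || { echo "PROJECT_ID must be 6-30 lowercase chars" >&2; return 1; }
  matches "$3" "$label"                         || { echo "NAMESPACE is not a valid name" >&2; return 1; }
  matches "$4" "$label"                         || { echo "SERVICE_ACCOUNT is not a valid name" >&2; return 1; }
  matches "$5" '^[a-z0-9][a-z0-9._-]{1,61}[a-z0-9]$' || { echo "BUCKET name looks wrong" >&2; return 1; }
}

# Execute a command, or only print it when DRY_RUN is set.
run() {
  if [ -n "${DRY_RUN:-}" ]; then
    printf '+'; for a in "$@"; do printf ' %s' "$a"; done; printf '\n'
  else
    "$@"
  fi
}

# Reads PROJECT_NUMBER PROJECT_ID NAMESPACE SERVICE_ACCOUNT BUCKET NAME CHART
# (and optionally IMAGE_PULL_SECRET) from the environment.
setup_backup_wif() {
  validate_wif_inputs "$PROJECT_NUMBER" "$PROJECT_ID" "$NAMESPACE" "$SERVICE_ACCOUNT" "$BUCKET" || return 1
  member=$(wif_principal "$PROJECT_NUMBER" "$PROJECT_ID" "$NAMESPACE" "$SERVICE_ACCOUNT")
  run kubectl create serviceaccount "$SERVICE_ACCOUNT" --namespace "$NAMESPACE"
  if [ -n "${IMAGE_PULL_SECRET:-}" ]; then
    run kubectl patch -n "$NAMESPACE" serviceaccount "$SERVICE_ACCOUNT" \
      -p "{\"imagePullSecrets\": [{\"name\": \"$IMAGE_PULL_SECRET\"}]}"
  fi
  # objectCreator only: the job can write new backups, not read, list or delete them.
  run gcloud storage buckets add-iam-policy-binding "gs://$BUCKET" \
    --role=roles/storage.objectCreator --member="$member" --condition=None
  run kubectl create configmap des-backup -n "$NAMESPACE" --from-literal="BUCKET=$BUCKET"
  run helm upgrade "$NAME" "$CHART" --namespace "$NAMESPACE" --reuse-values \
    --set backup.enabled=true --set backup.serviceAccountName="$SERVICE_ACCOUNT"
}

# Run only when explicitly asked, e.g. RUN_SETUP=1 DRY_RUN=1 sh setup-backup-wif.sh
if [ "${RUN_SETUP:-}" = 1 ]; then setup_backup_wif; fi
```

Run it once with DRY_RUN=1 to review the exact commands and the principal they bind, then without it to apply them.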
Azure Storage Blob¶
Variable | Description
---|---
AZURE_STORAGE_CONNECTION_STRING | the Azure connection string (https://learn.microsoft.com/en-us/azure/storage/common/storage-configure-connection-string)
BUCKET | the name of the Azure storage container
Note
The AZURE_STORAGE_CONNECTION_STRING must define DefaultEndpointsProtocol (use https), AccountName, AccountKey and EndpointSuffix. The AccountKey is a full-access key to the whole storage account, not just the backup container, so use a storage account dedicated to backups and rotate the key (and update the secret) on your usual schedule.
```bash
cat << EOF > des-backup.yaml
apiVersion: v1
kind: Secret
metadata:
  name: des-backup
type: Opaque
stringData:
  AZURE_STORAGE_CONNECTION_STRING: <AZURE_STORAGE_CONNECTION_STRING>
  BUCKET: <BUCKET>
EOF
kubectl apply -f des-backup.yaml -n <NAMESPACE>
```
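The Secret manifests in the AWS, GCE and Azure sections above accept whatever is pasted in, and a malformed credential only surfaces as a failed backup days later. The following helper is an added example, not part of the Trisotech documentation or chart: it checks each provider's values before they are stored in the des-backup secret and then renders the manifest for kubectl. It assumes GNU coreutils base64 and grep -E; the format heuristics (an AKIA-prefixed 20-character access key id, a 40-character secret key, the four Azure fields, a service-account JSON carrying type and private_key) are this example's own, not requirements stated by the page.

```shell
#!/bin/sh
# Added example (not Trisotech's code): validate the des-backup values for each
# supported provider and render the Secret manifest. Variable names follow the
# documentation tables; the checks are this example's own heuristics.
set -eu

# Does the connection string contain "<field>=<value>" as a whole ';'-separated item?
has_field() { printf '%s' "$1" | grep -Eq "(^|;)$2=[^;]+"; }

# Azure: the page requires these four fields; also insist on https endpoints.
validate_azure_connection_string() {
  for f in DefaultEndpointsProtocol AccountName AccountKey EndpointSuffix; do
    has_field "$1" "$f" || { echo "connection string lacks $f" >&2; return 1; }
  done
  case "$1" in
    *DefaultEndpointsProtocol=https*) ;;
    *) echo "DefaultEndpointsProtocol must be https" >&2; return 1 ;;
  esac
}

# AWS: long-term keys start with AKIA and are 20 characters; ASIA keys are
# temporary STS credentials and would expire inside the secret.
validate_aws_keys() {
  case "$1" in
    AKIA????????????????) ;;
    ASIA*) echo "AWS_ACCESS_KEY_ID is a temporary key and will expire" >&2; return 1 ;;
    *) echo "AWS_ACCESS_KEY_ID does not look like an access key id" >&2; return 1 ;;
  esac
  [ "${#2}" -eq 40 ] || { echo "AWS_SECRET_ACCESS_KEY should be 40 characters" >&2; return 1; }
}

# GCE: produce the single-line base64 the secret expects, and check that a given
# value decodes to a service-account key file.
encode_gce_serviceaccount() { base64 < "$1" | tr -d '\n'; }

validate_gce_serviceaccount() {
  decoded=$(printf '%s' "$1" | base64 -d 2>/dev/null) || { echo "GCE_SERVICEACCOUNT is not valid base64" >&2; return 1; }
  printf '%s' "$decoded" | grep -q '"type": *"service_account"' || { echo "decoded JSON is not a service account key" >&2; return 1; }
  printf '%s' "$decoded" | grep -q '"private_key"' || { echo "key file has no private_key" >&2; return 1; }
}

# Usage: render_des_backup_secret aws|gce|azure
# Reads the provider's variables and BUCKET from the environment, validates them,
# and prints the Secret manifest (same shape as the documentation's heredocs).
render_des_backup_secret() {
  case "$1" in
    aws)
      validate_aws_keys "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY" || return 1
      data=$(printf '  AWS_ACCESS_KEY_ID: "%s"\n  AWS_SECRET_ACCESS_KEY: "%s"' "$AWS_ACCESS_KEY_ID" "$AWS_SECRET_ACCESS_KEY") ;;
    gce)
      validate_gce_serviceaccount "$GCE_SERVICEACCOUNT" || return 1
      data=$(printf '  GCE_SERVICEACCOUNT: "%s"' "$GCE_SERVICEACCOUNT") ;;
    azure)
      validate_azure_connection_string "$AZURE_STORAGE_CONNECTION_STRING" || return 1
      data=$(printf '  AZURE_STORAGE_CONNECTION_STRING: "%s"' "$AZURE_STORAGE_CONNECTION_STRING") ;;
    *) echo "unknown provider: $1 (use aws, gce or azure)" >&2; return 1 ;;
  esac
  printf 'apiVersion: v1\nkind: Secret\nmetadata:\n  name: des-backup\ntype: Opaque\nstringData:\n%s\n  BUCKET: "%s"\n' "$data" "$BUCKET"
}
```

Pipe the output straight into kubectl (for example render_des_backup_secret azure | kubectl apply -f - -n <NAMESPACE>) so the clear-text secret never lands in a file.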
DES configuration¶
The backup.enabled chart option enables the daily backup cron job:

```bash
helm upgrade <NAME> <CHART> \
  --namespace <NAMESPACE> \
  --reuse-values \
  --set backup.enabled=true
```

After the upgrade, confirm the job was created with kubectl get cronjobs -n <NAMESPACE>. The first backup only runs at the next scheduled time; to verify the upload to the bucket right away, start one manually with kubectl create job --from=cronjob/<CRONJOB> <JOB_NAME> -n <NAMESPACE>, where <CRONJOB> is the name shown by the previous command, then check that the new archives appear in the bucket and that the chosen identity cannot do more than write them.