---
title: Backing Up Tanzu Application Service for Kubernetes Using Automation
owner: Tanzu Application Service Release Engineering
---
This topic provides an overview of how to back up
<%= vars.app_runtime_full %> (<%= vars.app_runtime_short %>) using automation.
To back up <%= vars.app_runtime_short %> manually, see
[Backing Up <%= vars.app_runtime_short %> Manually](bandr-backup-manual.html).
<%= partial 'evaluation_only' %>
<%= partial 'limitation_notes' %>
## <a id='overview'></a> Overview
To back up <%= vars.app_runtime_short %> using automation:
1. [Create and Configure a Service Account for Backing Up](#backup-service-account)
1. [Automate Your Velero Backup](#backup-create-script)
1. [Review the Automated Velero Backup](#backup-review-automated)
## <a id='prerequisites'></a> Prerequisites
Complete the configuration for manual backup before configuring automated backup.
For more information, see [Backing Up <%= vars.app_runtime_full %>](bandr-backup-manual.html).
## <a id='backup-service-account'></a> Create and Configure a Service Account for Backing Up
To create a service account to run the automated backup:
1. Use your IaaS tools to create the service account:
<br>
For example, to create a service account on GCP:
<pre class="terminal">
gcloud iam service-accounts create velero-service-account \
--display-name "Velero service account"
</pre>
1. Grant the new Velero service account permissions needed to complete the backup.
<br>
For example, to grant the service account permissions on GCP:
<pre class="terminal">
SERVICE\_ACCOUNT\_EMAIL=$(gcloud iam service-accounts list \
--filter="displayName:Velero service account" \
--format 'value(email)')
PROJECT\_ID=$(gcloud config get-value project)
ROLE\_PERMISSIONS=(
compute.disks.get
compute.disks.create
compute.disks.createSnapshot
compute.snapshots.get
compute.snapshots.create
compute.snapshots.useReadOnly
compute.snapshots.delete
compute.zones.get
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.list
)
gcloud iam roles create velero.server \
--project $PROJECT\_ID \
--title "Velero Server" \
--permissions "$(IFS=","; echo "${ROLE\_PERMISSIONS[*]}")"
gcloud projects add-iam-policy-binding $PROJECT\_ID \
--member serviceAccount:$SERVICE\_ACCOUNT\_EMAIL \
--role projects/$PROJECT\_ID/roles/velero.server
gsutil iam ch serviceAccount:$SERVICE\_ACCOUNT\_EMAIL:objectAdmin gs://velero-demo-bucket
</pre>
1. To create a service account key, use your IaaS tools to create the key.
Configure the IaaS tool to write the key to a `credentials-velero` output file in your local directory.
<br>
For example, to create a service account key on GCP:
<pre class="terminal">
gcloud iam service-accounts keys create credentials-velero \
--iam-account $SERVICE\_ACCOUNT\_EMAIL
</pre>
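
The custom role created in the steps above is an explicit permission allow-list, so it can be audited for drift. The following is an added example, not part of the original topic or the product's tooling: it compares a role's current permissions against the `ROLE_PERMISSIONS` list and reports anything extra or missing. The function and variable names are hypothetical and the sample input is constructed.

```bash
#!/usr/bin/env bash
# Added example (not from the original page): detect drift between a custom
# role and the ROLE_PERMISSIONS allow-list shown in the steps above.

# Allow-list copied from the page's ROLE_PERMISSIONS array.
EXPECTED_PERMISSIONS="compute.disks.get
compute.disks.create
compute.disks.createSnapshot
compute.snapshots.get
compute.snapshots.create
compute.snapshots.useReadOnly
compute.snapshots.delete
compute.zones.get
storage.buckets.get
storage.objects.create
storage.objects.delete
storage.objects.list"

# audit_role_permissions ACTUAL (hypothetical helper)
#   ACTUAL is the role's current permissions, one per line or ';'-separated.
#   Prints "EXTRA <perm>" / "MISSING <perm>"; returns 0 on match, 1 on drift.
audit_role_permissions() {
  local actual perm drift=0
  actual="$(printf '%s\n' "$1" | tr ';' '\n' | sed '/^[[:space:]]*$/d' | sort -u)"
  while IFS= read -r perm; do
    [ -n "$perm" ] || continue
    if ! printf '%s\n' "$EXPECTED_PERMISSIONS" | grep -Fxq -- "$perm"; then
      echo "EXTRA $perm"; drift=1
    fi
  done <<EOF
$actual
EOF
  while IFS= read -r perm; do
    if ! printf '%s\n' "$actual" | grep -Fxq -- "$perm"; then
      echo "MISSING $perm"; drift=1
    fi
  done <<EOF
$EXPECTED_PERMISSIONS
EOF
  return "$drift"
}

# Constructed sample: one permission removed, one broader permission added.
SAMPLE_ACTUAL="$(printf '%s\n' "$EXPECTED_PERMISSIONS" | grep -Fxv 'compute.snapshots.delete')
storage.buckets.delete"
audit_role_permissions "$SAMPLE_ACTUAL" || echo "role has drifted from the allow-list"
```

To audit the live role, pass the function the output of `gcloud iam roles describe velero.server --project "$PROJECT_ID" --format='value(includedPermissions)'`.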
## <a id='backup-create-script'></a> Automate Your Velero Backup
There are two methods for automating your Velero backup:
* [Create a Bash Script](#backup-create-bash-script)
* [Create a Concourse Script](#backup-create-concourse-script)
### <a id='backup-create-bash-script'></a> Create a Bash Script
To create a Velero backup script:
1. Create a bash script with the following content:
```
#!/usr/bin/env bash
set -euo pipefail

# Stop early if the cluster does not have Tanzu Application Service installed.
if ! kubectl get namespace cf-system &> /dev/null
then
  echo "error: cf-system namespace not found"
  echo " Please ensure Tanzu Application Service is installed on this cluster"
  exit 1
fi

# Timestamped (UTC) name so that each run creates a distinct backup.
backup_name="tas4k8s-$(date -u +'%Y-%m-%d-%Hh%Mm%Ss')"

# Retention period in hours: 4 years.
ONE_DAY=24
ONE_YEAR=365
FOUR_YEARS="$((4*${ONE_YEAR}*${ONE_DAY}))h"

velero create backup "${backup_name}" \
  --include-namespaces cf-system,postgres-dbs \
  --selector 'app in (cf-metadata, postgres)' \
  --ttl "${FOUR_YEARS}" \
  --wait
```
### <a id='backup-create-concourse-script'></a> Create a Concourse Script
To automate Velero backups using a Concourse pipeline:
1. Create the following Concourse configuration:
```
---
resources:
- name: every-3h
  type: time
  icon: clock-outline
  source:
    interval: 3h
jobs:
- name: backup
  plan:
  - get: every-3h
    trigger: true
  - task: create-backup
    config:
      platform: linux
      image_resource:
        type: registry-image
        source:
          repository: IMAGE-REPOSITORY
      params:
        SERVICE_ACCOUNT_KEY: ((service-account-key))
        SERVICE_ZONE: ((service-zone))
        SERVICE_CLUSTER_NAME: ((service-cluster-name))
      run:
        path: /bin/bash
        args:
        - -c
        - |
          set -eu
          gcloud auth activate-service-account --key-file=<(echo "$SERVICE_ACCOUNT_KEY")
          gcloud container clusters get-credentials "${SERVICE_CLUSTER_NAME}" --zone "${SERVICE_ZONE}"
          if ! kubectl get namespace cf-system &> /dev/null
          then
            echo "error: cf-system namespace not found"
            echo " Please ensure Tanzu Application Service is installed on this cluster"
            exit 1
          fi
          backup_name="tas4k8s-$(date -u +'%Y-%m-%d-%Hh%Mm%Ss')"
          ONE_DAY=24
          ONE_YEAR=365
          FOUR_YEARS="$((4*${ONE_YEAR}*${ONE_DAY}))h"
          velero create backup "${backup_name}" \
            --include-namespaces postgres-dbs,cf-system \
            --selector 'app in (cf-metadata, postgres)' \
            --ttl "${FOUR_YEARS}" \
            --wait
          velero backup describe "${backup_name}" --details
```
Where `IMAGE-REPOSITORY` is the registry location for storing your backups.
<br>
For example:
```
---
resources:
- name: every-3h
  type: time
  icon: clock-outline
  source:
    interval: 3h
jobs:
- name: backup
  plan:
  - get: every-3h
    trigger: true
  - task: create-backup
    config:
      platform: linux
      image_resource:
        type: registry-image
        source:
          repository: pcfplatformrecovery/backup-and-restore-cf-for-k8s
      params:
        SERVICE_ACCOUNT_KEY: ((service-account-key))
        SERVICE_ZONE: ((service-zone))
        SERVICE_CLUSTER_NAME: ((service-cluster-name))
      run:
        path: /bin/bash
        args:
        - -c
        - |
          set -eu
          gcloud auth activate-service-account --key-file=<(echo "$SERVICE_ACCOUNT_KEY")
          gcloud container clusters get-credentials "${SERVICE_CLUSTER_NAME}" --zone "${SERVICE_ZONE}"
          if ! kubectl get namespace cf-system &> /dev/null
          then
            echo "error: cf-system namespace not found"
            echo " Please ensure Tanzu Application Service is installed on this cluster"
            exit 1
          fi
          backup_name="tas4k8s-$(date -u +'%Y-%m-%d-%Hh%Mm%Ss')"
          ONE_DAY=24
          ONE_YEAR=365
          FOUR_YEARS="$((4*${ONE_YEAR}*${ONE_DAY}))h"
          velero create backup "${backup_name}" \
            --include-namespaces postgres-dbs,cf-system \
            --selector 'app in (cf-metadata, postgres)' \
            --ttl "${FOUR_YEARS}" \
            --wait
          velero backup describe "${backup_name}" --details
```
1. Configure the pipeline to run with the following required parameters:
```
--var service-account-key="SERVICE-ACCOUNT-KEY"
--var service-zone="ZONE-NAME"
--var service-cluster-name="CLUSTER-NAME"
```
Where:
* `SERVICE-ACCOUNT-KEY` is the content of the service account key.
* `ZONE-NAME` is the project zone where the cluster is deployed.
* `CLUSTER-NAME` is the name of the cluster to be backed up.
## <a id='backup-review-automated'></a> Review the Automated Velero Backup
To review or troubleshoot an automated backup,
follow the steps in [Review a Completed Backup](bandr-backup-manual.html#backup-review)
in _Backing Up <%= vars.app_runtime_full %>_.