diff --git a/community/CM-Configuration-Management/acm-hub-pvc-backup/README.md b/community/CM-Configuration-Management/acm-hub-pvc-backup/README.md new file mode 100644 index 000000000..bbd131bd8 --- /dev/null +++ b/community/CM-Configuration-Management/acm-hub-pvc-backup/README.md 
@@ -0,0 +1,260 @@ +# ACM Hub PersistentVolume backup and restore using VolSync + +Hub PersistentVolumeClaim(PVC) backup and restore using VolSync with the Restic-based mover feature. This leverages the Container Storage Interface (CSI) volume snapshot. + +Hub PVC with the `cluster.open-cluster-management.io/backup-hub-pvc` label are being backed up and could be restored on another hub using these backup policies. The PVC label's value can be any string. + +```yaml +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: global-hub-postgres-0 + namespace: global-hub + labels: + cluster.open-cluster-management.io/backup-hub-pvc: gh +spec: +``` + +------ + +- [List of PolicySets](#list-of-policysets) +- [List of Policies](#list-of-policies) +- [Policies configuration files](#policies-configuration-files) + - [Backup hub policies](#backup-hub-policies) + - [Restore hub policies](#restore-hub-policies) +- [Scenario](#scenario) +- [References](#references) + +------ + + + +## List of PolicySets + +PolicySet | Description +-------------------------------------------| ----------- +[acm-hub-pvc-backup-policyset](./acm-hub-pvc-backup-policyset.yaml) | This PolicySet is used to place the backup policies on the hub, using the placement which matches the `local-cluster` or any managed cluster with the `is-hub=true` label. Using this label the policy can be placed on any managed cluster where the ACM operator is installed. + +![VolSync PolisySet](images/policyset.png) + +## List of Policies + +Policy | Description +-------------------------------------------| ----------- +[acm-hub-pvc-backup-config](./acm-hub-pvc-backup-config.yaml) | Triggered to run on the hub only if the hub has any PVCs with the `cluster.open-cluster-management.io/backup-hub-pvc` label. It installs the volsync-addon on the hub or any managed cluster matching the `acm-hub-pvc-backup-policyset` PolicySet's placement. 
It reports on policy missing configuration: reports if the user had not create the `acm-hub-pvc-backup-restic-secret` Secret and `hub-pvc-backup` ConfigMap resources under the PolicySet namespace. The Secret is used by volsync to connect to the storage location where the PVC snapshot is stored. The `hub-pvc-backup` ConfigMap is used to define the ReplicationSource configuration, as defined in the [RHACM VolSync documentation](https://access.redhat.com/login?redirectTo=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_advanced_cluster_management_for_kubernetes%2F2.8%2Fhtml%2Fbusiness_continuity%2Fbusiness-cont-overview%23restic-backup-volsync). You can provide a custom configuration file for a PVC by creating the `hub-pvc-backup-pvcns-pvcname` ConfigMap under the PolicySet namespace; this will overwrite the default `hub-pvc-backup` ConfigMap for the specified volume. +[acm-hub-pvc-backup-source](./acm-hub-pvc-backup-source.yaml) | Creates a volsync ReplicationSource for all PVCs with the `cluster.open-cluster-management.io/backup-hub-pvc` label. The Policy depends on the `acm-hub-pvc-backup-config` Policy so it only runs if the `acm-hub-pvc-backup-config` Policy is Compliant. +[acm-hub-pvc-backup-destination](./acm-hub-pvc-backup-destination.yaml) | In a restore hub backup operation, when the credentials backup is restored on a new hub, it creates a volsync ReplicationDestination for all PVCs with the `cluster.open-cluster-management.io/backup-hub-pvc` label. This is because the `acm-hub-pvc-backup-source` creates a set of configuration ConfigMaps defining the PVCs for which a snapshot is stored. These ConfigMaps have the `cluster.open-cluster-management.io/backup` backup label so they are backed up by the hub credentials backup. These ConfigMaps are used to recreate the PVCs on the restore hub. 
On the restore hub, you can use a restore storage config map [class mapping](https://velero.io/docs/main/restore-reference/#changing-pvpvc-storage-classes), when the backup cluster has a different storage class than the restore hub. The Policy depends on the `acm-hub-pvc-backup-config` Policy so it only runs if the `acm-hub-pvc-backup-config` Policy is Compliant. + + +### Policies + +![Policies](images/policies.png) + + +### Configuration Policy + +The `acm-hub-pvc-backup-config` Policy validates the configuration for both types of hubs (backup or restore). If any PVC is found with the `cluster.open-cluster-management.io/backup-hub-pvc` label, it installs the volsync addon and verifies the user has created in the Policy namespace the `acm-hub-pvc-backup-restic-secret` Secret, used to connect to the storage where the VolSync snapshots are saved.It also verifies if the user has created the `hub-pvc-backup` ConfigMap used to define the `ReplicationSource` configuration. + +![Configuration Policy](images/config_policy.png) + +### Backup Hub Policies + +Source Policy: + +![Backup Source Policy](images/backup_source_policy.png) + +Source Policy Templates: + +![Backup Source Policy](images/backup_source_policy_1.png) + +Policy acm-hub-pvc-backup-destination is not running since this is identified as a backup hub : + +![VolSync Destination Policy](images/backup_dest_policy.png) + +### Restore Hub Policies + +Backup Destination Policy: + +![Backup Destination Policy](images/restore_dest_policy.png) + +Backup Destination Policy Templates: + +![Backup Destination Policy Templates](images/restore_dest_policy_1.png) + +Policy acm-hub-pvc-backup-source is not running since this is identified as a restore hub : + +![Backup Destination Policy](images/restore_source_policy.png) + +## Policies configuration files + + +volsync label cluster.open-cluster-management.io/backup-hub-pvc set on PVC + +```yaml +kind: PersistentVolumeClaim +apiVersion: v1 +metadata: + name: mongo-storage + 
namespace: pacman-restore + finalizers: + - kubernetes.io/pvc-protection + labels: + cluster.open-cluster-management.io/backup-hub-pvc: pacman-restore +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 8Gi + volumeName: pvc-3b5b2975-77a4-452f-b14f-8eefed7454a5 + storageClassName: gp3-csi + volumeMode: Filesystem +``` + + +### Created by the ACM user + +#### acm-hub-pvc-backup-config + + +- Created by the user on the backup hub. +- Used to define the volsync ReplicationSource configuration, as defined in the [RHACM VolSync documentation](https://access.redhat.com/login?redirectTo=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_advanced_cluster_management_for_kubernetes%2F2.8%2Fhtml%2Fbusiness_continuity%2Fbusiness-cont-overview%23restic-backup-volsync) + + +```yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: acm-hub-pvc-backup-config + namespace: open-cluster-management-backup + labels: + cluster.open-cluster-management.io/backup: cluster-activation +data: + cacheCapacity: 1Gi + copyMethod: Snapshot + pruneIntervalDays: '2' + repository: acm-hub-pvc-backup-restic-secret-vb + retain_daily: '2' + retain_hourly: '3' + retain_monthly: '1' + trigger_schedule: 0 */2 * * * +``` + +The above ConfigMap defines global options for all hub PVCs that need to be backed up with the policy. 
If you want to provide custom +properties for a PVC, you should define a ConfigMap using this name convention : `acm-hub-pvc-backup-config--` + +For example, if the PVC `my-pvc` created in namespace `ns-1` should be backed up every 5 hours, create this ConfigMap under the `open-cluster-management-backup` namespace : + +```yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: acm-hub-pvc-backup-config-ns-1-my-pvc + namespace: open-cluster-management-backup + labels: + cluster.open-cluster-management.io/backup: cluster-activation +data: + cacheCapacity: 1Gi + copyMethod: Snapshot + pruneIntervalDays: '2' + repository: acm-hub-pvc-backup-restic-secret + retain_daily: '2' + retain_hourly: '3' + retain_monthly: '1' + trigger_schedule: 0 */5 * * * +``` + +#### acm-hub-pvc-backup-restic-secret + +Created by the user + +Used to define the volsync ReplicationSource configuration, as defined in the [RHACM VolSync documentation](https://access.redhat.com/login?redirectTo=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_advanced_cluster_management_for_kubernetes%2F2.8%2Fhtml%2Fbusiness_continuity%2Fbusiness-cont-overview%23restic-backup-volsync) + + +```yaml +kind: Secret +apiVersion: v1 +metadata: + name: acm-hub-pvc-backup-restic-secret + namespace: open-cluster-management-backup + labels: + cluster.open-cluster-management.io/backup: volsync +data: + AWS_ACCESS_KEY_ID: a2V5 + AWS_SECRET_ACCESS_KEY: a2V5 + RESTIC_PASSWORD: a2V5 + RESTIC_REPOSITORY: >- + czM6aHR0cDovL21pbmlvLm1pbmlvLnN2Yy5jbHVzdGVyLmxvY2FsOjkwMDAvbXktYnVja2V0 +type: Opaque +``` + + +### Generated by the policy + +#### acm-hub-pvc-backup-config-info- + +Created by the volsync policy on the backup hub for each PVC using the PVC's settings +This resource is backed up and used by the volsync ReplicationDestination to recreate the PV on the restore hub. 
+ +```yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: acm-hub-pvc-backup-config-info-mongo-storage + namespace: pacman-ns + labels: + cluster.open-cluster-management.io/backup: cluster-activation +data: + resources.accessModes: ReadWriteOnce + resources.requests.storage: 8Gi + storageClassName: gp3-csi + volumeMode: Filesystem +``` + + +#### acm-hub-pvc-backup-config-pvcs + +Created by the policy on the backup hub; lists all PVCs that need to be restored. This resource is backed up + +```yaml +kind: ConfigMap +apiVersion: v1 +metadata: + name: acm-hub-pvc-backup-config-pvcs + namespace: open-cluster-management-backup + labels: + app: acm-hub-pvc-backup-config-pvcs + cluster.open-cluster-management.io/backup: cluster-activation + data: + pvcs: 'pacman-restore#mongo-storage##pacman-vb#mongo-storage##pacman#mongo-storage' +``` + + + + +## Scenario + +ACM components installed on the hub. +User adds the `cluster.open-cluster-management.io/backup-hub-pvc` label to the PVC to be backed up. + + +ACM user, on Primary hub: +1. Enables backup on MultiClusterHub. This installs the hub backup component +2. The user manually installs the policy from the community project +3. Creates a BackupSchedule + - The volsync policy informs the user if missing the volsync acm-hub-pvc-backup-restic-secret secret and acm-hub-pvc-backup-config ConfigMap +3. User creates the acm-hub-pvc-backup-restic-secret secret and acm-hub-pvc-backup-config ConfigMap +4. Policy installs volsync addon on hub and creates the volsync `ReplicationSources` for all PVCs with the volsync label + + +ACM user, on Restore hub: + +5. Enables backup on MultiClusterHub. This installs the hub backup component + - The user manually installs the policy from the community project +6. 
Creates an ACM Restore resource and restores active data + - The policy creates the volsync `ReplicationDestination` for all PVCs defined in the restored acm-hub-pvc-backup-config-pvcs ConfigMap + - the app using the PVC must be restored after the PVC is created so make sure these resources are restored at cluster activation time. + +## References +- [RHACM Volsync documentation](https://access.redhat.com/login?redirectTo=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_advanced_cluster_management_for_kubernetes%2F2.8%2Fhtml%2Fbusiness_continuity%2Fbusiness-cont-overview%23restic-backup-volsync) + diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-config.yaml b/community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-backup-config.yaml similarity index 91% rename from community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-config.yaml rename to community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-backup-config.yaml index 86504511a..24cbca222 100644 --- a/community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-config.yaml +++ b/community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-backup-config.yaml @@ -1,11 +1,11 @@ -# The volsync-config ConfigMap and secret must be defined under the open-cluster-management-backup ns, +# The acm-hub-pvc-backup-config ConfigMap and secret must be defined under the open-cluster-management-backup ns, # if a BackupSchedule is running and there are PVCs with the volsync label. # The volsync ConfigMap is in this format: ## #kind: ConfigMap #apiVersion: v1 #metadata: -# name: volsync-config +# name: hub-pvc-backup # namespace: open-cluster-management-backup # labels: # cluster.open-cluster-management.io/backup: cluster-activation 
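Review bot: the ConfigMap names the README tells the user to create do not match what the policy templates look up, so a user who follows the samples ends up Non-Compliant. The config, source and destination policies all set `$volsync_map := "hub-pvc-backup"` and `$volsync_pvcs := "hub-pvc-backup-pvcs"`, and the per-PVC override is built as `cat $volsync_map "-" $pvc.metadata.namespace "-" $pvc.metadata.name`, so the user-created resources are `hub-pvc-backup` and `hub-pvc-backup-<pvc-ns>-<pvc-name>` in `open-cluster-management-backup`, and the generated maps are `hub-pvc-backup-pvcs` and `hub-pvc-backup-<pvc-name>`. The top of the README gets this right, but the "Policies configuration files" section documents `acm-hub-pvc-backup-config`, `acm-hub-pvc-backup-config-ns-1-my-pvc`, `acm-hub-pvc-backup-config-info-<pvc>` and `acm-hub-pvc-backup-config-pvcs`, the naming-convention line reads `acm-hub-pvc-backup-config--` with both placeholders missing, and the Scenario steps repeat the `acm-hub-pvc-backup-config` name. Also in this hunk: the first sample sets `repository: acm-hub-pvc-backup-restic-secret-vb`, which is not the Secret name used everywhere else; the `acm-hub-pvc-backup-restic-secret` section repeats the ConfigMap sentence ("Used to define the volsync ReplicationSource configuration") where it should say the Secret carries the restic repository URL, `RESTIC_PASSWORD` and the S3 credentials; the Secret sample is labeled `cluster.open-cluster-management.io/backup: volsync` while the policy file comment uses `cluster-activation` for the same Secret, and the README should state which value is required for the Secret to be present on the restore hub; the sample `RESTIC_REPOSITORY` decodes to `s3:http://minio.minio.svc.cluster.local:9000/my-bucket`, so the doc sample should use an `https` endpoint (restic encrypts repository contents, but the S3 credentials and requests still deserve TLS); the Scenario list numbers two consecutive steps as 3; and every documentation link goes through `https://access.redhat.com/login?redirectTo=...` instead of the documentation page itself. Minor wording: "had not create" should be "has not created", "saved.It" is missing a space, "PolisySet" in the image alt text.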
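Review bot: in the `@@ -1,11 +1,11 @@` hunk of `acm-hub-pvc-backup-config.yaml` the header comment now says "The acm-hub-pvc-backup-config ConfigMap and secret must be defined under the open-cluster-management-backup ns", while the sample ConfigMap directly below it is renamed to `name: hub-pvc-backup`, which is also the value of `$volsync_map` later in this file. The comment should name `hub-pvc-backup`, since that is the map the template actually looks up; the same comment also still says "PVCs with the volsync label" although the label is now `cluster.open-cluster-management.io/backup-hub-pvc`.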
@@ -13,7 +13,7 @@ # cacheCapacity: 2Gi # copyMethod: Snapshot # pruneIntervalDays: '2' -# repository: restic-secret +# repository: acm-hub-pvc-backup-restic-secret # retain_daily: '2' # retain_hourly: '3' # retain_monthly: '1' @@ -27,7 +27,7 @@ #kind: Secret #apiVersion: v1 #metadata: -# name: restic-secret +# name: acm-hub-pvc-backup-restic-secret # namespace: open-cluster-management-backup # labels: # cluster.open-cluster-management.io/backup: cluster-activation @@ -43,7 +43,7 @@ apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: - name: acm-volsync-config + name: acm-hub-pvc-backup-config namespace: open-cluster-management-backup annotations: policy.open-cluster-management.io/categories: CA Security Assessment and Authorization @@ -66,10 +66,10 @@ spec: {{- $schedule_label := "cluster.open-cluster-management.io/backup-schedule-type, cluster.open-cluster-management.io/backup-schedule-type in (resources)"}} {{- $kind_restore := "Restore" }} {{- $ns := "open-cluster-management-backup" }} - {{- $volsync_map := "volsync-config" }} - {{- $volsync_label := "cluster.open-cluster-management.io/volsync" }} + {{- $volsync_map := "hub-pvc-backup" }} + {{- $volsync_label := "cluster.open-cluster-management.io/backup-hub-pvc" }} {{- $pv_claim_cond := gt (len ( lookup "v1" "PersistentVolumeClaim" "" "" $volsync_label).items ) 0 }} - {{- $volsync_pvcs := "volsync-config-pvcs" }} + {{- $volsync_pvcs := "hub-pvc-backup-pvcs" }} {{- /* check if volsync_pvcs configmap exists */ -}} {{- $volsync_pvcs_map := lookup "v1" "ConfigMap" $ns $volsync_pvcs }} 
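Review bot: the Secret comment in the `@@ -27,7 +27,7 @@` hunk keeps `cluster.open-cluster-management.io/backup: cluster-activation` for `acm-hub-pvc-backup-restic-secret`, but the README sample for the same Secret uses `volsync` as the label value. The destination policy resolves the Secret on the restore hub through `$volsync_secret`, so whichever value the hub backup needs for the Secret to be restored before the ReplicationDestination is created should be documented once and used in both places.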
@@ -109,16 +109,16 @@ spec: {{- $schedule_label := "cluster.open-cluster-management.io/backup-schedule-type, cluster.open-cluster-management.io/backup-schedule-type in (resources)"}} {{- $kind_restore := "Restore" }} {{- $ns := "open-cluster-management-backup" }} - {{- $volsync_secret := "restic-secret" }} - {{- $volsync_map := "volsync-config" }} - {{- $volsync_label := "cluster.open-cluster-management.io/volsync" }} + {{- $volsync_secret := "acm-hub-pvc-backup-restic-secret" }} + {{- $volsync_map := "hub-pvc-backup" }} + {{- $volsync_label := "cluster.open-cluster-management.io/backup-hub-pvc" }} {{- $pv_claim_cond := gt (len ( lookup "v1" "PersistentVolumeClaim" "" "" $volsync_label).items ) 0 }} - {{- $volsync_pvcs := "volsync-config-pvcs" }} + {{- $volsync_pvcs := "hub-pvc-backup-pvcs" }} {{- $volsync_backup_cond := gt (len ( lookup $velero_api $kind_schedule $ns "" $schedule_label).items ) 0 }} {{- $volsync_restore_cond := eq ( lookup "v1" "ConfigMap" $ns $volsync_pvcs ).metadata.name $volsync_pvcs }} - {{- /* The volsync-config ConfigMap and secret must be defined under the open-cluster-management-backup ns, if a BackupSchedule is running and there are PVCs with the volsync label. */ -}} + {{- /* The hub-pvc-backup ConfigMap and secret must be defined under the open-cluster-management-backup ns, if a BackupSchedule is running and there are PVCs with the volsync label. */ -}} {{- /* Or for a restore hub, there is a restore resource and a volsync pvc config map */ -}} {{ if or (and $pv_claim_cond $volsync_backup_cond) $volsync_restore_cond }} 
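Review bot: the rewritten comment in this hunk still ends with "and there are PVCs with the volsync label", while `$volsync_label` on the line above it was just changed to `cluster.open-cluster-management.io/backup-hub-pvc`; the README's user-facing variable naming (`$volsync_*`) is fine to keep internally, but comments that describe what the user must label should use the new label name so that a reader grepping for `backup-hub-pvc` finds the conditions that depend on it.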
@@ -158,11 +158,11 @@ spec: {{- $schedule_label := "cluster.open-cluster-management.io/backup-schedule-type, cluster.open-cluster-management.io/backup-schedule-type in (resources)"}} {{- $kind_restore := "Restore" }} {{- $ns := "open-cluster-management-backup" }} - {{- $volsync_map := "volsync-config" }} - {{- $volsync_label := "cluster.open-cluster-management.io/volsync" }} + {{- $volsync_map := "hub-pvc-backup" }} + {{- $volsync_label := "cluster.open-cluster-management.io/backup-hub-pvc" }} {{- $pv_claim_cond := gt (len ( lookup "v1" "PersistentVolumeClaim" "" "" $volsync_label).items ) 0 }} {{- $volsync_backup_cond := gt (len ( lookup $velero_api $kind_schedule $ns "" $schedule_label).items ) 0 }} - {{- $volsync_pvcs := "volsync-config-pvcs" }} + {{- $volsync_pvcs := "hub-pvc-backup-pvcs" }} {{- $volsync_restore_cond := eq ( lookup "v1" "ConfigMap" $ns $volsync_pvcs ).metadata.name $volsync_pvcs }} {{- $has_local_cluster_ns := eq (lookup "cluster.open-cluster-management.io/v1" "ManagedCluster" "" "local-cluster").metadata.name "local-cluster" }} {{- $is_hub := "is-hub" }} diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-cr-destination.yaml b/community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-backup-destination.yaml similarity index 93% rename from community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-cr-destination.yaml rename to community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-backup-destination.yaml index 4a55975c3..94b291365 100644 --- a/community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-cr-destination.yaml +++ b/community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-backup-destination.yaml 
@@ -1,7 +1,7 @@ apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: - name: acm-volsync-destination + name: acm-hub-pvc-backup-destination namespace: open-cluster-management-backup annotations: policy.open-cluster-management.io/categories: CA Security Assessment and Authorization @@ -13,7 +13,7 @@ spec: - apiVersion: policy.open-cluster-management.io/v1 compliance: Compliant kind: Policy - name: acm-volsync-config + name: acm-hub-pvc-backup-config policy-templates: - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 
@@ -29,21 +29,21 @@ spec: {{- $schedule_label := "cluster.open-cluster-management.io/backup-schedule-type, cluster.open-cluster-management.io/backup-schedule-type in (resources)"}} {{- $kind_restore := "Restore" }} {{- $ns := "open-cluster-management-backup" }} - {{- $volsync_secret := "restic-secret" }} + {{- $volsync_secret := "acm-hub-pvc-backup-restic-secret" }} - {{- /* common volsync config; to define different config for a PVC, create a volsync-config-pvc-ns-pvcname configMap */ -}} - {{- $volsync_map := "volsync-config" }} - {{- $volsync_label := "cluster.open-cluster-management.io/volsync" }} + {{- /* common volsync config; to define different config for a PVC, create a acm-hub-pvc-backup-config-pvc-ns-pvcname configMap */ -}} + {{- $volsync_map := "hub-pvc-backup" }} + {{- $volsync_label := "cluster.open-cluster-management.io/backup-hub-pvc" }} {{- $volsync_backup_cond := gt (len ( lookup $velero_api $kind_schedule $ns "" $schedule_label).items ) 0 }} {{- $restore_label := "velero.io/backup-name" }} {{- $backup_name_prefix := "acm-credentials-schedule-" }} - {{- $volsync_pvcs := "volsync-config-pvcs" }} + {{- $volsync_pvcs := "hub-pvc-backup-pvcs" }} {{- /* Create the volsync ReplicationDestination and secret - if Restore exists, PVC is created by a Restore and no Backup is running */ -}} - {{- /* Use the volsync-config-pvcns-pvcname config instead of the default volsync-config map, if such map exists under the $ns */ -}} + {{- /* Use the hub-pvc-backup-pvcs-pvcns-pvcname config instead of the default acm-hub-pvc-backup-config map, if such map exists under the $ns */ -}} - {{- /* volsync-config map should exist and have a backup-name label */ -}} + {{- /* hub-pvc-backup-pvcs map should exist and have a backup-name label */ -}} {{- $volsync_pvcs_map := lookup "v1" "ConfigMap" $ns $volsync_pvcs }} {{- $volsync_restore_cond := eq $volsync_pvcs_map.metadata.name $volsync_pvcs }} 
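Review bot: the two updated comments in this hunk now name the wrong ConfigMaps. "create a acm-hub-pvc-backup-config-pvc-ns-pvcname configMap" and "Use the hub-pvc-backup-pvcs-pvcns-pvcname config instead of the default acm-hub-pvc-backup-config map" disagree with the code: `$volsync_map` is `hub-pvc-backup`, the per-PVC override computed further down is `cat $volsync_map "-" <ns> "-" <name>`, i.e. `hub-pvc-backup-<ns>-<name>`, and `hub-pvc-backup-pvcs` is the list map, not an override prefix. Suggest `{{- /* common volsync config; to define different config for a PVC, create a hub-pvc-backup-<pvc-ns>-<pvc-name> ConfigMap */ -}}` and `{{- /* Use the hub-pvc-backup-<pvc-ns>-<pvc-name> config instead of the default hub-pvc-backup map, if such map exists under the $ns */ -}}`. The third comment, "hub-pvc-backup-pvcs map should exist and have a backup-name label", is only half checked by the visible lines: `$volsync_restore_cond` compares the name, and nothing here tests for `$restore_label`.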
@@ -77,7 +77,7 @@ spec: {{ $volsync_map = $pvc_config_name }} {{- end }} {{- $secret_name := fromConfigMap $ns $volsync_map "repository" }} - {{- $pvc_config_info_name := ( (cat $volsync_map "-info-" $pvc_name ) | replace " " "" ) }} + {{- $pvc_config_info_name := ( (cat $volsync_map "-" $pvc_name ) | replace " " "" ) }} {{ if eq ( lookup "v1" "ConfigMap" $pvc_namespace $pvc_config_info_name ).metadata.name $pvc_config_info_name }} @@ -173,7 +173,7 @@ spec: name: check-destination-replication-error spec: object-templates-raw: | - {{- $volsync_label := "cluster.open-cluster-management.io/volsync" }} + {{- $volsync_label := "cluster.open-cluster-management.io/backup-hub-pvc" }} {{- $api := "cluster.open-cluster-management.io/v1beta1" }} {{- $velero_api := "velero.io/v1" }} {{- $kind_schedule := "Schedule" }} @@ -182,8 +182,8 @@ spec: {{- $schedule_label := "cluster.open-cluster-management.io/backup-schedule-type, cluster.open-cluster-management.io/backup-schedule-type in (resources)"}} {{- $volsync_backup_cond := gt (len ( lookup $velero_api $kind_schedule $ns "" $schedule_label).items ) 0 }} - {{- /* volsync-config-pvcs map should exist */ -}} - {{- $volsync_pvcs := "volsync-config-pvcs" }} + {{- /* acm-hub-pvc-backup-config-pvcs map should exist */ -}} + {{- $volsync_pvcs := "hub-pvc-backup-pvcs" }} {{- $volsync_pvcs_map := lookup "v1" "ConfigMap" $ns $volsync_pvcs }} {{- $volsync_restore_cond := eq $volsync_pvcs_map.metadata.name $volsync_pvcs }} @@ -215,7 +215,7 @@ spec: name: check-destination-replication-success spec: object-templates-raw: | - {{- $volsync_label := "cluster.open-cluster-management.io/volsync" }} + {{- $volsync_label := "cluster.open-cluster-management.io/backup-hub-pvc" }} {{- $api := "cluster.open-cluster-management.io/v1beta1" }} {{- $velero_api := "velero.io/v1" }} {{- $kind_schedule := "Schedule" }} 
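Review bot: dropping `-info-` from `$pvc_config_info_name` in the `@@ -77,7 +77,7 @@` hunk makes the generated per-PVC map `hub-pvc-backup-<pvc-name>` in the PVC namespace, which now shares its prefix scheme with the user-created `hub-pvc-backup` default, the `hub-pvc-backup-<ns>-<name>` overrides and the `hub-pvc-backup-pvcs` list map. For PVCs that live in `open-cluster-management-backup` this is a real collision: a PVC named `pvcs` would have its info map written to `hub-pvc-backup-pvcs`, the map `$volsync_pvcs` keys on, and a PVC whose name happens to equal `<ns>-<name>` of another labeled PVC would overwrite that PVC's override. A distinguishing segment (`-info-` as before, or a dedicated label on the generated maps) keeps generated and user-owned maps apart; whatever is chosen, the README must document the same name, as it currently still shows `acm-hub-pvc-backup-config-info-<pvc>`. The matching change in `acm-hub-pvc-backup-source.yaml` must stay in sync with this one.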
@@ -224,8 +224,8 @@ spec: {{- $schedule_label := "cluster.open-cluster-management.io/backup-schedule-type, cluster.open-cluster-management.io/backup-schedule-type in (resources)"}} {{- $volsync_backup_cond := gt (len ( lookup $velero_api $kind_schedule $ns "" $schedule_label).items ) 0 }} - {{- /* volsync-config-pvcs map should exist */ -}} - {{- $volsync_pvcs := "volsync-config-pvcs" }} + {{- /* acm-hub-pvc-backup-config-pvcs map should exist */ -}} + {{- $volsync_pvcs := "hub-pvc-backup-pvcs" }} {{- $volsync_pvcs_map := lookup "v1" "ConfigMap" $ns $volsync_pvcs }} {{- $volsync_restore_cond := eq $volsync_pvcs_map.metadata.name $volsync_pvcs }} diff --git a/community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-backup-policyset.yaml b/community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-backup-policyset.yaml new file mode 100644 index 000000000..7e79190f8 --- /dev/null +++ b/community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-backup-policyset.yaml @@ -0,0 +1,11 @@ +apiVersion: policy.open-cluster-management.io/v1beta1 +kind: PolicySet +metadata: + name: acm-hub-pvc-backup-policyset + namespace: open-cluster-management-backup +spec: + description: Hub PVC backup and restore using volsync with the restic mover feature. This leverages CSI volume snapshot. + policies: + - acm-hub-pvc-backup-config + - acm-hub-pvc-backup-source + - acm-hub-pvc-backup-destination diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-cr-source.yaml b/community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-backup-source.yaml similarity index 91% rename from community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-cr-source.yaml rename to community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-backup-source.yaml index 4dcf4ac99..2fce13960 100644 --- a/community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-cr-source.yaml 
+++ b/community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-backup-source.yaml @@ -1,7 +1,7 @@ apiVersion: policy.open-cluster-management.io/v1 kind: Policy metadata: - name: acm-volsync-source + name: acm-hub-pvc-backup-source namespace: open-cluster-management-backup annotations: policy.open-cluster-management.io/categories: CA Security Assessment and Authorization @@ -13,7 +13,7 @@ spec: - apiVersion: policy.open-cluster-management.io/v1 compliance: Compliant kind: Policy - name: acm-volsync-config + name: acm-hub-pvc-backup-config policy-templates: - objectDefinition: apiVersion: policy.open-cluster-management.io/v1 
@@ -28,15 +28,22 @@ spec: {{- $kind_schedule := "Schedule" }} {{- $schedule_label := "cluster.open-cluster-management.io/backup-schedule-type, cluster.open-cluster-management.io/backup-schedule-type in (resources)"}} {{- $ns := "open-cluster-management-backup" }} - {{- $volsync_secret := "restic-secret" }} - {{- $volsync_map := "volsync-config" }} - {{- $volsync_label := "cluster.open-cluster-management.io/volsync" }} + {{- $volsync_secret := "acm-hub-pvc-backup-restic-secret" }} + {{- $volsync_map := "hub-pvc-backup" }} + {{- $volsync_label := "cluster.open-cluster-management.io/backup-hub-pvc" }} {{- $pv_claim_cond := gt (len ( lookup "v1" "PersistentVolumeClaim" "" "" $volsync_label).items ) 0 }} {{- $volsync_backup_cond := gt (len ( lookup $velero_api $kind_schedule $ns "" $schedule_label).items ) 0 }} - {{- $volsync_pvcs := "volsync-config-pvcs" }} + {{- $volsync_pvcs := "hub-pvc-backup-pvcs" }} + + {{- /* PVC labels */ -}} + {{- $last_backup_schedule_label := "cluster.open-cluster-management.io/backup-last-schedule" }} + {{- $last_sync_name_label := "cluster.open-cluster-management.io/backup-last-sync-name" }} + {{- $last_sync_time_label := "cluster.open-cluster-management.io/backup-last-sync-time" }} + {{- $last_sync_status_label := "cluster.open-cluster-management.io/backup-last-sync-status" }} {{- /* Create the volsync ReplicationSource and secret - if BackupSchedule exists ; delete ReplicationSource otherwise */ -}} {{ if $volsync_backup_cond }} + {{- range $rs := (lookup "volsync.backube/v1alpha1" "ReplicationSource" "" "" $volsync_label).items }} {{- $pvc_rs := (lookup "v1" "PersistentVolumeClaim" $rs.metadata.namespace "" $volsync_label).items }} {{- /* If the PVC in the ReplicationSource ns no longer exists or doesn't have the volsync label, delete the ReplicationSource */ -}} 
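Review bot: the four new variables `$last_backup_schedule_label`, `$last_sync_name_label`, `$last_sync_time_label` and `$last_sync_status_label` are defined in this hunk but referenced nowhere in the visible lines of this file. If they are consumed further down the template, fine; otherwise remove them, since unused template variables suggest a half-landed feature (writing sync status back onto the PVC) that the README does not describe.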
@@ -55,7 +62,7 @@ spec: kind: ConfigMap apiVersion: v1 metadata: - name: {{( (cat $volsync_map "-info-" $rs.metadata.name ) | replace " " "") }} + name: {{( (cat $volsync_map "-" $rs.metadata.name ) | replace " " "") }} namespace: {{ $rs.metadata.namespace }} {{- end }} {{- end }} @@ -64,10 +71,10 @@ spec: {{- range $pvc := (lookup "v1" "PersistentVolumeClaim" "" "" $volsync_label).items }} {{- if eq $pvc.status.phase "Bound" }} - {{- /* Use the volsync-config-pvcns-pvcname config instead of the default volsync-config map, if such map exists under the $ns */ -}} + {{- /* Use the hub-pvc-backup-pvcns-pvcname config instead of the default acm-hub-pvc-backup-config map, if such map exists under the $ns */ -}} {{- $pvc_config_name := ( (cat $volsync_map "-" $pvc.metadata.namespace "-" $pvc.metadata.name ) | replace " " "" ) }} - {{- $pvc_config_info_name := ( (cat $volsync_map "-info-" $pvc.metadata.name ) | replace " " "" ) }} + {{- $pvc_config_info_name := ( (cat $volsync_map "-" $pvc.metadata.name ) | replace " " "" ) }} - complianceType: musthave objectDefinition: @@ -119,6 +126,7 @@ spec: {{- end }} RESTIC_REPOSITORY: {{ ( ( (cat $common_restic_repo "/" $pvc.metadata.namespace "-" $pvc.metadata.name ) | replace " " "" ) | base64enc ) }} type: Opaque + - complianceType: musthave objectDefinition: kind: ReplicationSource @@ -181,7 +189,7 @@ spec: name: check-source-replication-success spec: object-templates-raw: | - {{- $volsync_label := "cluster.open-cluster-management.io/volsync" }} + {{- $volsync_label := "cluster.open-cluster-management.io/backup-hub-pvc" }} {{- $ns := "open-cluster-management-backup" }} {{- $schedule_label := "cluster.open-cluster-management.io/backup-schedule-type, cluster.open-cluster-management.io/backup-schedule-type in (resources)"}} {{- $velero_api := "velero.io/v1" }} 
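Review bot: the comment updated in the `@@ -64,10 +71,10 @@` hunk, "Use the hub-pvc-backup-pvcns-pvcname config instead of the default acm-hub-pvc-backup-config map", does not match the two lines right below it: `$pvc_config_name` is `cat $volsync_map "-" $pvc.metadata.namespace "-" $pvc.metadata.name`, i.e. `hub-pvc-backup-<ns>-<name>`, and the default map is `hub-pvc-backup`, not `acm-hub-pvc-backup-config`. Please make the comment name exactly what the code computes.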
@@ -211,7 +219,7 @@ spec: name: check-source-replication-errors spec: object-templates-raw: | - {{- $volsync_label := "cluster.open-cluster-management.io/volsync" }} + {{- $volsync_label := "cluster.open-cluster-management.io/backup-hub-pvc" }} {{- $ns := "open-cluster-management-backup" }} {{- $schedule_label := "cluster.open-cluster-management.io/backup-schedule-type, cluster.open-cluster-management.io/backup-schedule-type in (resources)"}} {{- $velero_api := "velero.io/v1" }} diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-placement.yaml b/community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-placement.yaml similarity index 86% rename from community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-placement.yaml rename to community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-placement.yaml index 7a5b59a7d..784d39c5d 100644 --- a/community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-placement.yaml +++ b/community/CM-Configuration-Management/acm-hub-pvc-backup/acm-hub-pvc-placement.yaml @@ -2,7 +2,7 @@ apiVersion: cluster.open-cluster-management.io/v1beta1 kind: Placement metadata: - name: volsync-placement + name: acm-hub-pvc-placement namespace: open-cluster-management-backup spec: predicates: @@ -24,14 +24,14 @@ spec: apiVersion: policy.open-cluster-management.io/v1 kind: PlacementBinding metadata: - name: volsync-placement + name: acm-hub-pvc-placement namespace: open-cluster-management-backup placementRef: - name: volsync-placement + name: acm-hub-pvc-placement apiGroup: cluster.open-cluster-management.io kind: Placement subjects: - - name: acm-volsync + - name: acm-hub-pvc-backup-policyset apiGroup: policy.open-cluster-management.io kind: PolicySet 
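Review bot: the Placement and PlacementBinding are renamed to `acm-hub-pvc-placement` in `acm-hub-pvc-placement.yaml`, but the README never mentions this file; its PolicySet row links only `acm-hub-pvc-backup-policyset.yaml` and the Scenario step "The user manually installs the policy from the community project" does not list what must be applied. Add the placement file to the README, and consider naming it `acm-hub-pvc-backup-placement.yaml` so every file in the directory carries the same `acm-hub-pvc-backup-` prefix as the PolicySet it binds.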
diff --git a/community/CM-Configuration-Management/acm-hub-pvc-backup/images/backup_dest_policy.png b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/backup_dest_policy.png new file mode 100644 index 000000000..8e763946f Binary files /dev/null and b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/backup_dest_policy.png differ diff --git a/community/CM-Configuration-Management/acm-hub-pvc-backup/images/backup_source_policy.png b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/backup_source_policy.png new file mode 100644 index 000000000..e4cfb9900 Binary files /dev/null and b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/backup_source_policy.png differ diff --git a/community/CM-Configuration-Management/acm-hub-pvc-backup/images/backup_source_policy_1.png b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/backup_source_policy_1.png new file mode 100644 index 000000000..493742ede Binary files /dev/null and b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/backup_source_policy_1.png differ diff --git a/community/CM-Configuration-Management/acm-hub-pvc-backup/images/config_policy.png b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/config_policy.png new file mode 100644 index 000000000..f895ca265 Binary files /dev/null and b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/config_policy.png differ diff --git a/community/CM-Configuration-Management/acm-hub-pvc-backup/images/policies.png b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/policies.png new file mode 100644 index 000000000..be2d09e53 Binary files /dev/null and b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/policies.png differ 
diff --git a/community/CM-Configuration-Management/acm-hub-pvc-backup/images/policyset.png b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/policyset.png new file mode 100644 index 000000000..1b52640a0 Binary files /dev/null and b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/policyset.png differ diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/restore_dest_policy.png b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/restore_dest_policy.png similarity index 100% rename from community/CM-Configuration-Management/acm-volsync-hub-backup/images/restore_dest_policy.png rename to community/CM-Configuration-Management/acm-hub-pvc-backup/images/restore_dest_policy.png diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/restore_dest_policy_1.png b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/restore_dest_policy_1.png similarity index 100% rename from community/CM-Configuration-Management/acm-volsync-hub-backup/images/restore_dest_policy_1.png rename to community/CM-Configuration-Management/acm-hub-pvc-backup/images/restore_dest_policy_1.png diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/restore_source_policy.png b/community/CM-Configuration-Management/acm-hub-pvc-backup/images/restore_source_policy.png similarity index 100% rename from community/CM-Configuration-Management/acm-volsync-hub-backup/images/restore_source_policy.png rename to community/CM-Configuration-Management/acm-hub-pvc-backup/images/restore_source_policy.png diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/README.md b/community/CM-Configuration-Management/acm-volsync-hub-backup/README.md deleted file mode 100644 index f969126dd..000000000 --- a/community/CM-Configuration-Management/acm-volsync-hub-backup/README.md +++ /dev/null 
@@ -1,239 +0,0 @@ -# ACM Hub PV backup and restore using volsync - -ACM Hub PVC backup and restore with volsync using ACM policies - -Hub PVC with the `cluster.open-cluster-management.io/volsync` label are being backed up and could be restored on another hub using these volsync policies. The PVC label's value can be any string. - -``` -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: global-hub-postgres-0 - namespace: global-hub - labels: - cluster.open-cluster-management.io/volsync: gh -spec: -``` - ------- - -- [List of PolicySets](#list-of-policysets) -- [List of Policies](#list-of-policies) -- [Policies configuration files](#policies-configuration-files) - - [Backup hub policies](#backup-hub-policies) - - [Restore hub policies](#restore-hub-policies) -- [Scenario](#scenario) -- [References](#references) - ------- - - - -## List of PolicySets - -PolicySet | Description --------------------------------------------| ----------- -[acm-volsync-policyset](./acm-volsync-policyset.yaml) | This PolicySet is used to place the volsync policies on the hub, using the placement which matches the `local-cluster` or any managed cluster with the `is-hub=true` label. Using this label the policy can be placed on any managed cluster where the ACM operator is installed. - -![Volsync PolisySet](images/policyset.png) - -## List of Policies - -Policy | Description --------------------------------------------| ----------- -[acm-volsync-config](./acm-volsync-config.yaml) | Trigerred to run on the hub only if the hub has any PVCs with the `cluster.open-cluster-management.io/volsync` label. It installs the volsync-addon on the hub or any managed cluster matching the `acm-volsync-policyset` PolicySet's placement. It reports on volsync missing configuration: reports if the user had not create the `restic-secret` Secret and `volsync-config` ConfigMap resources under the PolicySet namespace. 
The Secret is used by volsync to connect to the storage location where the PVC snapshot is stored. The ConfigMap is used to define the ReplicationSource configuration, as defined [here](https://access.redhat.com/login?redirectTo=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_advanced_cluster_management_for_kubernetes%2F2.8%2Fhtml%2Fbusiness_continuity%2Fbusiness-cont-overview%23restic-backup-volsync). -[acm-volsync-source](./acm-volsync-source.yaml) | Creates a volsync ReplicationSource for all PVCs with the `cluster.open-cluster-management.io/volsync` label. -[acm-volsync-destination](./acm-volsync-destination.yaml) | In a restore hub backup operation, when the credentials backup is restored on a new hub, it creates a volsync ReplicationDestination for all PVCs with the `cluster.open-cluster-management.io/volsync` label. This is because the `acm-volsync-source` creates a set of configuration ConfigMaps defining the PVCs for which a snapshot is stored. These ConfigMaps have the `cluster.open-cluster-management.io/backup` backup label so thy are backed up by the hub credentials backup. They are used to recreate the PVCs on the restore hub. - - -### Policies - -![Volsync Policies](images/policies.png) - - -### Configuration Policy - -The `acm-volsync-config` Policy validates the configuration for both types of hubs ( backup or restore ). If any PVC is found with the cluster.open-cluster-management.io/volsync label, it installs the volsync addon and verifies the user had created the restic-secret used to connect to the storage where the snapshot are saved. 
- - -![Volsync Config Policy](images/config_policy.png) - -### Backup Hub Policies - -Volsync Source Policy: - -![Volsync Source Policy](images/backup_source_policy.png) - -Volsync Source Policy Templates: - -![Volsync Source Policy](images/backup_source_policy_1.png) - -Policy acm-volsync-destination is not running since this is identified as a backup hub : - -![Volsync Destination Policy](images/backup_dest_policy.png) - -### Restore Hub Policies - -Volsync Destination Policy: - -![Volsync Destination Policy](images/restore_dest_policy.png) - -Volsync Destination Policy Templates: - -![Volsync Destination Policy Templates](images/restore_dest_policy_1.png) - -Policy acm-volsync-source is not running since this is identified as a restore hub : - -![Volsync Destination Policy](images/restore_source_policy.png) - -## Policies configuration files - - -volsync label cluster.open-cluster-management.io/volsync set on PVC - -``` -kind: PersistentVolumeClaim -apiVersion: v1 -metadata: - name: mongo-storage - namespace: pacman-restore - finalizers: - - kubernetes.io/pvc-protection - labels: - cluster.open-cluster-management.io/volsync: pacman-restore -spec: - accessModes: - - ReadWriteOnce - resources: - requests: - storage: 8Gi - volumeName: pvc-3b5b2975-77a4-452f-b14f-8eefed7454a5 - storageClassName: gp3-csi - volumeMode: Filesystem -``` - - -### Created by the ACM user - -#### volsync-config - -Created by the user on the backup hub. 
-Used to define the volsync ReplicationSource configuration, as defined [here](https://access.redhat.com/login?redirectTo=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_advanced_cluster_management_for_kubernetes%2F2.8%2Fhtml%2Fbusiness_continuity%2Fbusiness-cont-overview%23restic-backup-volsync) - - -``` -kind: ConfigMap -apiVersion: v1 -metadata: - name: volsync-config - namespace: open-cluster-management-backup - labels: - cluster.open-cluster-management.io/backup: cluster-activation -data: - cacheCapacity: 1Gi - copyMethod: Snapshot - pruneIntervalDays: '2' - repository: restic-secret-vb - retain_daily: '2' - retain_hourly: '3' - retain_monthly: '1' - trigger_schedule: 0 */2 * * * -``` - - -#### restic-secret - -Created by the user - -Used to define the volsync ReplicationSource configuration, as defined [here](https://access.redhat.com/login?redirectTo=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_advanced_cluster_management_for_kubernetes%2F2.8%2Fhtml%2Fbusiness_continuity%2Fbusiness-cont-overview%23restic-backup-volsync) - - -``` -kind: Secret -apiVersion: v1 -metadata: - name: restic-secret - namespace: open-cluster-management-backup - labels: - cluster.open-cluster-management.io/backup: volsync -data: - AWS_ACCESS_KEY_ID: a2V5 - AWS_SECRET_ACCESS_KEY: a2V5 - RESTIC_PASSWORD: a2V5 - RESTIC_REPOSITORY: >- - czM6aHR0cDovL21pbmlvLm1pbmlvLnN2Yy5jbHVzdGVyLmxvY2FsOjkwMDAvbXktYnVja2V0 -type: Opaque -``` - - -### Generated by the policy - -#### volsync-config-info- - -Created by the volsync policy on the backup hub, for each PVC; uses the PVCs settings -This resource is backed up and used by the volsync ReplicationDestination to recreate the PV on the restore hub. 
- -``` -kind: ConfigMap -apiVersion: v1 -metadata: - name: volsync-config-info-mongo-storage - namespace: pacman-ns - labels: - cluster.open-cluster-management.io/backup: cluster-activation -data: - resources.accessModes: ReadWriteOnce - resources.requests.storage: 8Gi - storageClassName: gp3-csi - volumeMode: Filesystem -``` - - -#### volsync-config-pvcs - -Created by the policy on the backup hub; lists all PVCs that need to be restored. This resource is backed up - -``` -kind: ConfigMap -apiVersion: v1 -metadata: - name: volsync-config-pvcs - namespace: open-cluster-management-backup - labels: - app: volsync-config-pvcs - cluster.open-cluster-management.io/backup: cluster-activation - data: - pvcs: 'pacman-restore#mongo-storage##pacman-vb#mongo-storage##pacman#mongo-storage' -``` - - - - -## Scenario - -ACM components installed on the hub. -User adds the cluster.open-cluster-management.io/volsync label to the PVC to be backed up. - - -ACM user, on Primary hub: -1. Enables backup on MultiClusterHub. This installs the hub backup component -2. The user manually installs the policy from the community project -3. Creates a BackupSchedule - - The volsync policy informs the user if missing the volsync restic-secret secret and volsync-config ConfigMap -3. User creates the restic-secret secret and volsync-config ConfigMap -4. Policy installs volsync addon on hub and creates the volsync `ReplicationSources` for all PVCs with the volsync label - - -ACM user, on Restore hub: -5. Enables backup on MultiClusterHub. This installs the hub backup component - - The user manually installs the policy from the community project -6. 
Creates an ACM Restore resource and restores active data - - The policy creates the volsync `ReplicationDestination` for all PVCs defined in the restored volsync-config-pvcs ConfigMap - - the app using the PVC must be restored after the PVC is created - -## References -- [Volsync](https://access.redhat.com/login?redirectTo=https%3A%2F%2Faccess.redhat.com%2Fdocumentation%2Fen-us%2Fred_hat_advanced_cluster_management_for_kubernetes%2F2.8%2Fhtml%2Fbusiness_continuity%2Fbusiness-cont-overview%23restic-backup-volsync) - - - - diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-policyset.yaml b/community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-policyset.yaml deleted file mode 100644 index 4e6f4b307..000000000 --- a/community/CM-Configuration-Management/acm-volsync-hub-backup/acm-volsync-policyset.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: policy.open-cluster-management.io/v1beta1 -kind: PolicySet -metadata: - name: acm-volsync - namespace: open-cluster-management-backup -spec: - description: backup support for PVC with cluster.open-cluster-management.io/volsync label - policies: - - acm-volsync-config - - acm-volsync-source - - acm-volsync-destination \ No newline at end of file diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/backup_dest_policy.png b/community/CM-Configuration-Management/acm-volsync-hub-backup/images/backup_dest_policy.png deleted file mode 100644 index 301444b2a..000000000 Binary files a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/backup_dest_policy.png and /dev/null differ 
diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/backup_source_policy.png b/community/CM-Configuration-Management/acm-volsync-hub-backup/images/backup_source_policy.png deleted file mode 100644 index 8687cfcdb..000000000 Binary files a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/backup_source_policy.png and /dev/null differ diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/backup_source_policy_1.png b/community/CM-Configuration-Management/acm-volsync-hub-backup/images/backup_source_policy_1.png deleted file mode 100644 index 13dccdfce..000000000 Binary files a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/backup_source_policy_1.png and /dev/null differ diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/config_policy.png b/community/CM-Configuration-Management/acm-volsync-hub-backup/images/config_policy.png deleted file mode 100644 index 56abbf692..000000000 Binary files a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/config_policy.png and /dev/null differ diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/policies.png b/community/CM-Configuration-Management/acm-volsync-hub-backup/images/policies.png deleted file mode 100644 index 24510da16..000000000 Binary files a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/policies.png and /dev/null differ diff --git a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/policyset.png b/community/CM-Configuration-Management/acm-volsync-hub-backup/images/policyset.png deleted file mode 100644 index d1e58454e..000000000 Binary files a/community/CM-Configuration-Management/acm-volsync-hub-backup/images/policyset.png and /dev/null differ
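Review bot: the old README under `acm-volsync-hub-backup` is deleted outright instead of being renamed with its edits shown, so the change of the PVC label `cluster.open-cluster-management.io/volsync` and of the `acm-volsync-*` policy names cannot be reviewed as a diff; use `git mv` as was done for the three `restore_*.png` images (similarity index 100%) and add a migration note in the new README telling existing users to relabel their PVCs and remove the old `acm-volsync` PolicySet before applying the new one. Two defects in the deleted text should not be carried into the replacement: in the `volsync-config-pvcs` example `data:` is indented under `metadata.labels` (it must be a top-level key, otherwise the `pvcs` list is silently ignored), and the numbered Scenario list has step 3 twice. The three documentation links also go through `https://access.redhat.com/login?redirectTo=...`, which forces a login; link the documentation page directly.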
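Review bot: deleting `acm-volsync-policyset.yaml` (PolicySet `acm-volsync` in `open-cluster-management-backup`, which lists `acm-volsync-config`, `acm-volsync-source` and `acm-volsync-destination`) removes the manifest from the repository but not the PolicySet and Policy objects from hubs where it was already applied, so the new README should say explicitly that the old PolicySet and its policies must be deleted by the user, or they keep running alongside the new ones. The deleted file also ends with `\ No newline at end of file`; make sure its replacement ends with a newline.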
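Review bot: `backup_dest_policy.png`, `backup_source_policy.png`, `backup_source_policy_1.png`, `config_policy.png`, `policies.png` and `policyset.png` are deleted from `acm-volsync-hub-backup/images` and re-added under `acm-hub-pvc-backup/images` as new blobs (different index hashes), while `restore_dest_policy.png`, `restore_dest_policy_1.png` and `restore_source_policy.png` are moved unchanged; in the deleted README those three screenshots illustrated the `acm-volsync-destination` and `acm-volsync-source` policies, so if the policy names changed with the directory rename they now show stale names and should be retaken like the other six.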