diff --git a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc index d0ece5cb08..969e1b1e7e 100644 --- a/backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc +++ b/backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc 
@@ -20,55 +20,58 @@ To install the OADP Operator in a restricted network environment, you must first include::modules/oadp-s3-and-gov-cloud.adoc[leveloffset=+1] -//include::modules/oadp-installing-operator.adoc[leveloffset=+1] include::modules/migration-configuring-aws-s3.adoc[leveloffset=+1] + include::modules/oadp-about-backup-snapshot-locations-secrets.adoc[leveloffset=+1] + include::modules/oadp-creating-default-secret.adoc[leveloffset=+2] + include::modules/oadp-aws-secrets-for-different-credentials.adoc[leveloffset=+2] -include::modules/oadp-configuring-aws-bsl.adoc[leveloffset=+2] + include::modules/oadp-ssec-encrypted-backups.adoc[leveloffset=+2] -[role="_additional-resources_1"] -.Additional resources - -You can also download the file with the additional encryption key backed up with Velero by running a different command. See xref:../../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc#oadp-ssec-encrypted-backups-velero_installing-oadp-aws[Downloading a file with an SSE-C encryption key for files backed up by Velero]. - include::modules/oadp-ssec-encrypted-backups-velero.adoc[leveloffset=+3] -[id="configuring-dpa-aws"] -== Configuring the Data Protection Application - -You can configure the Data Protection Application by setting Velero resource allocations or enabling self-signed CA certificates. +include::modules/oadp-installing-dpa-1-3.adoc[leveloffset=+1] include::modules/oadp-setting-resource-limits-and-requests.adoc[leveloffset=+2] include::snippets/oadp-nodeselector-snippet.adoc[] -For more details, see xref:../../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc#oadp-configuring-node-agents_installing-oadp-aws[Configuring node agents and node labels]. 
- include::modules/oadp-self-signed-certificate.adoc[leveloffset=+2] + include::modules/oadp-using-ca-certificates-with-velero-command.adoc[leveloffset=+2] -// include::modules/oadp-installing-dpa-1-2-and-earlier.adoc[leveloffset=+1] -include::modules/oadp-installing-dpa-1-3.adoc[leveloffset=+1] include::modules/oadp-configuring-node-agents.adoc[leveloffset=+2] -include::modules/oadp-configuring-aws-md5sum.adoc[leveloffset=+1] -include::modules/oadp-configuring-client-burst-qps.adoc[leveloffset=+1] -include::modules/oadp-configuring-node-agent-load-affinity.adoc[leveloffset=+1] -include::modules/oadp-node-agent-load-affinity-guidelines.adoc[leveloffset=+1] -include::modules/oadp-configuring-node-agent-load-concurrency.adoc[leveloffset=+1] -include::modules/oadp-configuring-node-agent-non-root.adoc[leveloffset=+1] -include::modules/oadp-configuring-repository-maintenance.adoc[leveloffset=+1] -include::modules/oadp-configuring-velero-load-affinity.adoc[leveloffset=+1] -include::modules/oadp-configuring-imagepullpolicy.adoc[leveloffset=+1] -include::modules/oadp-configuring-dpa-multiple-bsl.adoc[leveloffset=+1] -include::modules/oadp-enabling-csi-dpa.adoc[leveloffset=+2] -include::modules/oadp-about-disable-node-agent-dpa.adoc[leveloffset=+2] -[role="_additional-resources_2"] +include::modules/oadp-configuring-aws-md5sum.adoc[leveloffset=+1] + +include::modules/oadp-configuring-client-burst-qps.adoc[leveloffset=+1] + +include::modules/oadp-configuring-node-agent-load-affinity.adoc[leveloffset=+1] + +include::modules/oadp-node-agent-load-affinity-guidelines.adoc[leveloffset=+1] + +include::modules/oadp-configuring-node-agent-load-concurrency.adoc[leveloffset=+1] + +include::modules/oadp-configuring-node-agent-non-root.adoc[leveloffset=+1] + +include::modules/oadp-configuring-repository-maintenance.adoc[leveloffset=+1] + +include::modules/oadp-configuring-velero-load-affinity.adoc[leveloffset=+1] + +include::modules/oadp-configuring-imagepullpolicy.adoc[leveloffset=+1] 
+ +include::modules/oadp-enabling-csi-dpa.adoc[leveloffset=+1] + +include::modules/oadp-about-disable-node-agent-dpa.adoc[leveloffset=+1] + + +[role="_additional-resources"] .Additional resources * xref:../../../backup_and_restore/application_backup_and_restore/installing/installing-oadp-kubevirt.adoc#oadp-installing-dpa_installing-oadp-kubevirt[Installing the Data Protection Application with the `kubevirt` and `openshift` plugins] -* xref:../../../nodes/jobs/nodes-nodes-jobs.adoc#nodes-nodes-jobs[Running tasks in pods using jobs]. + +* xref:../../../nodes/jobs/nodes-nodes-jobs.adoc#nodes-nodes-jobs[Running tasks in pods using jobs] :!installing-oadp-aws: diff --git a/modules/migration-configuring-aws-s3.adoc b/modules/migration-configuring-aws-s3.adoc index 5748492a1b..346c3d6142 100644 --- a/modules/migration-configuring-aws-s3.adoc +++ b/modules/migration-configuring-aws-s3.adoc @@ -8,11 +8,12 @@ [id="migration-configuring-aws-s3_{context}"] = Configuring Amazon Web Services +[role="_abstract"] ifdef::installing-3-4,installing-mtc[] -You configure Amazon Web Services (AWS) S3 object storage as a replication repository for the {mtc-first} . +Configure Amazon Web Services (AWS) S3 storage and Identity and Access Management (IAM) credentials for backup storage with {mtc-first}. This provides the necessary permissions and storage infrastructure for data protection operations. endif::[] ifdef::installing-oadp-aws[] -You configure Amazon Web Services (AWS) for the OpenShift API for Data Protection (OADP). +Configure Amazon Web Services (AWS) S3 storage and Identity and Access Management (IAM) credentials for backup storage with {oadp-short}. This provides the necessary permissions and storage infrastructure for data protection operations. endif::[] .Prerequisites 
@@ -50,17 +51,23 @@ $ REGION= $ aws s3api create-bucket \ --bucket $BUCKET \ --region $REGION \ - --create-bucket-configuration LocationConstraint=$REGION <1> + --create-bucket-configuration LocationConstraint=$REGION ---- -<1> `us-east-1` does not support a `LocationConstraint`. If your region is `us-east-1`, omit `--create-bucket-configuration LocationConstraint=$REGION`. ++ +where: ++ +`LocationConstraint`:: Specifies the bucket configuration location constraint. `us-east-1` does not support `LocationConstraint`. If your region is `us-east-1`, omit `--create-bucket-configuration LocationConstraint=$REGION`. . Create an IAM user: + [source,terminal] ---- -$ aws iam create-user --user-name velero <1> +$ aws iam create-user --user-name velero ---- -<1> If you want to use Velero to back up multiple clusters with multiple S3 buckets, create a unique user name for each cluster. ++ +where: ++ +`velero`:: Specifies the user name. If you want to use Velero to back up multiple clusters with multiple S3 buckets, create a unique user name for each cluster. . Create a `velero-policy.json` file: + @@ -128,8 +135,6 @@ $ aws iam put-user-policy \ $ aws iam create-access-key --user-name velero ---- + -.Example output -+ [source,terminal] ---- { @@ -159,4 +164,4 @@ EOF ---- + You use the `credentials-velero` file to create a `Secret` object for AWS before you install the Data Protection Application. -endif::[] +endif::[] \ No newline at end of file diff --git a/modules/oadp-about-backup-snapshot-locations-secrets.adoc b/modules/oadp-about-backup-snapshot-locations-secrets.adoc index 56a6a1e2a1..56dd75738b 100644 --- a/modules/oadp-about-backup-snapshot-locations-secrets.adoc +++ b/modules/oadp-about-backup-snapshot-locations-secrets.adoc 
@@ -10,7 +10,8 @@ [id="oadp-about-backup-snapshot-locations_{context}"] = About backup and snapshot locations and their secrets -You specify backup and snapshot locations and their secrets in the `DataProtectionApplication` custom resource (CR). +[role="_abstract"] +Review backup location, snapshot location, and secret configuration requirements for the `DataProtectionApplication` custom resource (CR). This helps you understand storage options and credential management for data protection operations. [id="backup-locations_{context}"] == Backup locations diff --git a/modules/oadp-about-disable-node-agent-dpa.adoc b/modules/oadp-about-disable-node-agent-dpa.adoc index 3c3f2bc0d2..7b54e849ea 100644 --- a/modules/oadp-about-disable-node-agent-dpa.adoc +++ b/modules/oadp-about-disable-node-agent-dpa.adoc @@ -1,3 +1,4 @@ + // Module included in the following assemblies: // // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc @@ -23,11 +24,14 @@ If you are not using `Restic`, `Kopia`, or `DataMover` for your backups, you can # ... configuration: nodeAgent: - enable: false # <1> + enable: false uploaderType: kopia # ... ---- -<1> Disables the node agent. ++ +where: ++ +`enable`:: Enables the node agent. . To enable the `nodeAgent`, set the `enable` flag to `true`. See the following example: + @@ -37,10 +41,13 @@ configuration: # ... configuration: nodeAgent: - enable: true # <1> + enable: true uploaderType: kopia # ... ---- -<1> Enables the node agent. - ++ +where: ++ +`enable`:: Enables the node agent. ++ You can set up a job to enable and disable the `nodeAgent` field in the `DataProtectionApplication` CR. For more information, see "Running tasks in pods using jobs". diff --git a/modules/oadp-configuring-aws-md5sum.adoc b/modules/oadp-configuring-aws-md5sum.adoc index b6fcfdcfaf..565e4a2c35 100644 --- a/modules/oadp-configuring-aws-md5sum.adoc +++ b/modules/oadp-configuring-aws-md5sum.adoc 
@@ -1,3 +1,4 @@ + // Module included in the following assemblies: // // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc @@ -15,12 +16,8 @@ You can configure the Backup Storage Location (BSL) in the Data Protection Appli * `SHA1` * `SHA256` -[NOTE] -==== -You can also set the `checksumAlgorithm` field to an empty value to skip the MD5 checksum check. +You can also set the `checksumAlgorithm` field to an empty value to skip the MD5 checksum check. If you do not set a value for the `checksumAlgorithm` field, then the default value is set to `CRC32`. -If you do not set a value for the `checksumAlgorithm` field, then the default value is set to `CRC32`. -==== .Prerequisites @@ -44,10 +41,10 @@ spec: - name: default velero: config: - checksumAlgorithm: "" # <1> + checksumAlgorithm: "" insecureSkipTLSVerify: "true" profile: "default" - region: + region: s3ForcePathStyle: "true" s3Url: credential: @@ -55,7 +52,7 @@ spec: name: cloud-credentials default: true objectStorage: - bucket: + bucket: prefix: velero provider: aws configuration: @@ -65,12 +62,15 @@ spec: - aws - csi ---- -<1> Specify the `checksumAlgorithm`. In this example, the `checksumAlgorithm` field is set to an empty value. You can select an option from the following list: `CRC32`, `CRC32C`, `SHA1`, `SHA256`. ++ +where: ++ +`checksumAlgorithm`:: Specifies the `checksumAlgorithm`. In this example, the `checksumAlgorithm` field is set to an empty value. You can select an option from the following list: `CRC32`, `CRC32C`, `SHA1`, `SHA256`. ++ [IMPORTANT] ==== If you are using Noobaa as the object storage provider, and you do not set the `spec.backupLocations.velero.config.checksumAlgorithm` field in the DPA, an empty value of `checksumAlgorithm` is added to the BSL configuration. The empty value is only added for BSLs that are created using the DPA. This value is not added if you create the BSL by using any other method. ==== - 
diff --git a/modules/oadp-configuring-client-burst-qps.adoc b/modules/oadp-configuring-client-burst-qps.adoc index dcd882e09c..01fc801aae 100644 --- a/modules/oadp-configuring-client-burst-qps.adoc +++ b/modules/oadp-configuring-client-burst-qps.adoc @@ -1,3 +1,4 @@ + // Module included in the following assemblies: // // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc @@ -33,10 +34,10 @@ spec: backupLocations: - name: default velero: - config: + config: insecureSkipTLSVerify: "true" profile: "default" - region: + region: s3ForcePathStyle: "true" s3Url: credential: @@ -44,7 +45,7 @@ spec: name: cloud-credentials default: true objectStorage: - bucket: + bucket: prefix: velero provider: aws configuration: @@ -52,12 +53,15 @@ spec: enable: true uploaderType: restic velero: - client-burst: 500 # <1> - client-qps: 300 # <2> + client-burst: 500 + client-qps: 300 defaultPlugins: - openshift - aws - kubevirt ---- -<1> Specify the `client-burst` value. In this example, the `client-burst` field is set to 500. -<2> Specify the `client-qps` value. In this example, the `client-qps` field is set to 300. \ No newline at end of file ++ +where: ++ +`client-burst`:: Specifies the `client-burst` value. In this example, the `client-burst` field is set to 500. +`client-qps`:: Specifies the `client-qps` value. In this example, the `client-qps` field is set to 300. diff --git a/modules/oadp-configuring-imagepullpolicy.adoc b/modules/oadp-configuring-imagepullpolicy.adoc index 08a6b3bea6..81098b8961 100644 --- a/modules/oadp-configuring-imagepullpolicy.adoc +++ b/modules/oadp-configuring-imagepullpolicy.adoc @@ -1,3 +1,4 @@ + // Module included in the following assemblies: // // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc 
@@ -37,10 +38,10 @@ spec: backupLocations: - name: default velero: - config: + config: insecureSkipTLSVerify: "true" profile: "default" - region: + region: s3ForcePathStyle: "true" s3Url: credential: @@ -48,7 +49,7 @@ spec: name: cloud-credentials default: true objectStorage: - bucket: + bucket: prefix: velero provider: aws configuration: @@ -61,6 +62,9 @@ spec: - aws - kubevirt - csi - imagePullPolicy: Never # <1> + imagePullPolicy: Never ---- -<1> Specify the value for `imagePullPolicy`. In this example, the `imagePullPolicy` field is set to `Never`. \ No newline at end of file ++ +where: ++ +`imagePullPolicy`:: Specifies the value for `imagePullPolicy`. In this example, the `imagePullPolicy` field is set to `Never`. diff --git a/modules/oadp-configuring-node-agent-load-affinity.adoc b/modules/oadp-configuring-node-agent-load-affinity.adoc index 49130f96ac..30d273cb90 100644 --- a/modules/oadp-configuring-node-agent-load-affinity.adoc +++ b/modules/oadp-configuring-node-agent-load-affinity.adoc @@ -1,3 +1,4 @@ + // Module included in the following assemblies: // // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc @@ -47,11 +48,11 @@ spec: configuration: nodeAgent: enable: true - loadAffinity: # <1> + loadAffinity: - nodeSelector: matchLabels: label.io/role: cpu-1 - matchExpressions: # <2> + matchExpressions: - key: label.io/hostname operator: In values: @@ -59,5 +60,8 @@ spec: - node2 ... ---- -<1> Configure the `loadAffinity` object by adding the `matchLabels` and `matchExpressions` objects. -<2> Configure the `matchExpressions` object to add restrictions on the node agent pods scheduling. \ No newline at end of file ++ +where: ++ +`loadAffinity`:: Specifies the `loadAffinity` object by adding the `matchLabels` and `matchExpressions` objects. +`matchExpressions`:: Specifies the `matchExpressions` object to add restrictions on the node agent pods scheduling. 
diff --git a/modules/oadp-configuring-node-agent-load-concurrency.adoc b/modules/oadp-configuring-node-agent-load-concurrency.adoc index 3ab0cbe79f..cce345da9a 100644 --- a/modules/oadp-configuring-node-agent-load-concurrency.adoc +++ b/modules/oadp-configuring-node-agent-load-concurrency.adoc @@ -1,3 +1,4 @@ + :_mod-docs-content-type: PROCEDURE // Module included in the following assemblies: // @@ -38,13 +39,16 @@ $ oc label node/ label.io/instance-type='large' enable: true uploaderType: kopia loadConcurrency: - globalConfig: 1 # <1> + globalConfig: 1 perNodeConfig: - nodeSelector: matchLabels: - label.io/instance-type: large # <2> - number: 3 # <3> + label.io/instance-type: large + number: 3 ---- -<1> Global concurrent number. The default value is 1, which means there is no concurrency and only one load is allowed. The `globalConfig` value does not have a limit. -<2> Label for per-node concurrency. -<3> Per-node concurrent number. You can specify many per-node concurrent numbers, for example, based on the instance type and size. The range of per-node concurrent number is the same as the global concurrent number. If the configuration file contains a per-node concurrent number and a global concurrent number, the per-node concurrent number takes precedence. ++ +where: ++ +`globalConfig`:: Specifies the global concurrent number. The default value is 1, which means there is no concurrency and only one load is allowed. The `globalConfig` value does not have a limit. +`label.io/instance-type`:: Specifies the label for per-node concurrency. +`number`:: Specifies the per-node concurrent number. You can specify many per-node concurrent numbers, for example, based on the instance type and size. The range of per-node concurrent number is the same as the global concurrent number. If the configuration file contains a per-node concurrent number and a global concurrent number, the per-node concurrent number takes precedence. 
diff --git a/modules/oadp-configuring-node-agent-non-root.adoc b/modules/oadp-configuring-node-agent-non-root.adoc index 91e40fe1a3..4d884ff830 100644 --- a/modules/oadp-configuring-node-agent-non-root.adoc +++ b/modules/oadp-configuring-node-agent-non-root.adoc @@ -1,3 +1,4 @@ + // Module included in the following assemblies: // // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc @@ -51,7 +52,7 @@ spec: prefix: velero provider: gcp configuration: - nodeAgent: # <1> + nodeAgent: enable: true uploaderType: kopia velero: @@ -59,10 +60,13 @@ spec: - csi - gcp - openshift - disableFsBackup: true # <2> + disableFsBackup: true ---- -<1> Enable the node agent in the DPA. -<2> Set the `disableFsBackup` field to `true`. ++ +where: ++ +`nodeAgent`:: Specifies to enable the node agent in the DPA. +`disableFsBackup`:: Specifies to set the `disableFsBackup` field to `true`. .Verification @@ -94,12 +98,12 @@ spec: containers: ... securityContext: - allowPrivilegeEscalation: false # <1> + allowPrivilegeEscalation: false capabilities: drop: - ALL - privileged: false # <2> - readOnlyRootFilesystem: true # <3> + privileged: false + readOnlyRootFilesystem: true ... nodeSelector: kubernetes.io/os: linux @@ -108,14 +112,17 @@ spec: restartPolicy: Always schedulerName: default-scheduler securityContext: - runAsNonRoot: true # <4> + runAsNonRoot: true seccompProfile: type: RuntimeDefault serviceAccount: velero serviceAccountName: velero .... ---- -<1> The `allowPrivilegeEscalation` field is false. -<2> The `privileged` field is false. -<3> The root file system is read-only. -<4> The node agent is run as a non-root user. ++ +where: ++ +`allowPrivilegeEscalation`:: Specifies that the `allowPrivilegeEscalation` field is false. +`privileged`:: Specifies that the `privileged` field is false. +`readOnlyRootFilesystem`:: Specifies that the root file system is read-only. +`runAsNonRoot`:: Specifies that the node agent is run as a non-root user. 
diff --git a/modules/oadp-configuring-repository-maintenance.adoc b/modules/oadp-configuring-repository-maintenance.adoc index 1f01eee13f..49dc349540 100644 --- a/modules/oadp-configuring-repository-maintenance.adoc +++ b/modules/oadp-configuring-repository-maintenance.adoc @@ -1,3 +1,4 @@ + // Module included in the following assemblies: // // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc @@ -30,8 +31,8 @@ You have the option to configure the load affinity at the global level affecting ... spec: configuration: - repositoryMaintenance: # <1> - global: # <2> + repositoryMaintenance: + global: podResources: cpuRequest: "100m" cpuLimit: "200m" @@ -48,8 +49,11 @@ spec: - US - EU ---- -<1> Configure the `repositoryMaintenance` object as shown in the example. -<2> Use the `global` object to configure load affinity for all repositories. ++ +where: ++ +`repositoryMaintenance`:: Specifies the `repositoryMaintenance` object as shown in the example. +`global`:: Specifies the `global` object to configure load affinity for all repositories. ** Per-repository configuration: Configure load affinity per repository as shown in the following example: + @@ -59,10 +63,13 @@ spec: spec: configuration: repositoryMaintenance: - myrepositoryname: # <1> + myrepositoryname: loadAffinity: - nodeSelector: matchLabels: label.io/cpu: 'yes' ---- -<1> Configure the `repositoryMaintenance` object for each repository. \ No newline at end of file ++ +where: ++ +`myrepositoryname`:: Specifies the `repositoryMaintenance` object for each repository. diff --git a/modules/oadp-creating-default-secret.adoc b/modules/oadp-creating-default-secret.adoc index 14330f3053..a6ee34cb14 100644 --- a/modules/oadp-creating-default-secret.adoc +++ b/modules/oadp-creating-default-secret.adoc @@ -1,3 +1,4 @@ + // Module included in the following assemblies: // // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc 
@@ -80,5 +81,5 @@ endif::[] ---- $ oc create secret generic {credentials} -n openshift-adp --from-file cloud=credentials-velero ---- - -The `Secret` is referenced in the `spec.backupLocations.credential` block of the `DataProtectionApplication` CR when you install the Data Protection Application. \ No newline at end of file ++ +The `Secret` is referenced in the `spec.backupLocations.credential` block of the `DataProtectionApplication` CR when you install the Data Protection Application. diff --git a/modules/oadp-enabling-csi-dpa.adoc b/modules/oadp-enabling-csi-dpa.adoc index 6d91917d71..e9129b14ef 100644 --- a/modules/oadp-enabling-csi-dpa.adoc +++ b/modules/oadp-enabling-csi-dpa.adoc @@ -1,3 +1,4 @@ + // Module included in the following assemblies: // // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc @@ -31,6 +32,9 @@ spec: velero: defaultPlugins: - openshift - - csi <1> + - csi ---- -<1> Add the `csi` default plugin. ++ +where: ++ +`csi`:: Specifies the `csi` default plugin. diff --git a/modules/oadp-installing-dpa-1-3.adoc b/modules/oadp-installing-dpa-1-3.adoc index f65bdb2e7b..a50037406d 100644 --- a/modules/oadp-installing-dpa-1-3.adoc +++ b/modules/oadp-installing-dpa-1-3.adoc @@ -1,3 +1,4 @@ + // Module included in the following assemblies: // // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc 
@@ -52,61 +53,64 @@ apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: name: - namespace: openshift-adp # <1> + namespace: openshift-adp spec: configuration: velero: defaultPlugins: - - openshift # <2> + - openshift - aws - resourceTimeout: 10m # <3> - nodeAgent: # <4> - enable: true # <5> - uploaderType: kopia # <6> + resourceTimeout: 10m + nodeAgent: + enable: true + uploaderType: kopia podConfig: - nodeSelector: # <7> + nodeSelector: backupLocations: - name: default velero: provider: {provider} default: true objectStorage: - bucket: # <8> - prefix: # <9> + bucket: + prefix: config: region: profile: "default" - s3ForcePathStyle: "true" # <10> - s3Url: # <11> + s3ForcePathStyle: "true" + s3Url: credential: key: cloud - name: {credentials} # <12> - snapshotLocations: # <13> + name: {credentials} + snapshotLocations: - name: default velero: provider: {provider} config: - region: # <14> + region: profile: "default" credential: key: cloud - name: {credentials} # <15> + name: {credentials} ---- -<1> The default namespace for OADP is `openshift-adp`. The namespace is a variable and is configurable. -<2> The `openshift` plugin is mandatory. -<3> Specify how many minutes to wait for several Velero resources before timeout occurs, such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability. The default is 10m. -<4> The administrative agent that routes the administrative requests to servers. -<5> Set this value to `true` if you want to enable `nodeAgent` and perform File System Backup. -<6> Enter `kopia` or `restic` as your uploader. You cannot change the selection after the installation. For the Built-in DataMover you must use Kopia. The `nodeAgent` deploys a daemon set, which means that the `nodeAgent` pods run on each working node. You can configure File System Backup by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. -<7> Specify the nodes on which Kopia or Restic are available. 
By default, Kopia or Restic run on all nodes. -<8> Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix. -<9> Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes. -<10> Specify whether to force path style URLs for S3 objects (Boolean). Not Required for AWS S3. Required only for S3 compatible storage. -<11> Specify the URL of the object store that you are using to store backups. Not required for AWS S3. Required only for S3 compatible storage. -<12> Specify the name of the `Secret` object that you created. If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the backup location. -<13> Specify a snapshot location, unless you use CSI snapshots or a File System Backup (FSB) to back up PVs. -<14> The snapshot location must be in the same region as the PVs. -<15> Specify the name of the `Secret` object that you created. If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the snapshot location. If your backup and snapshot locations use different credentials, create separate profiles in the `credentials-velero` file. ++ +where: ++ +`namespace`:: Specifies the default namespace for OADP which is `openshift-adp`. The namespace is a variable and is configurable. +`openshift`:: Specifies that the `openshift` plugin is mandatory. +`resourceTimeout`:: Specifies how many minutes to wait for several Velero resources such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability, before timeout occurs. The default is 10m. +`nodeAgent`:: Specifies the administrative agent that routes the administrative requests to servers. +`enable`:: Set this value to `true` if you want to enable `nodeAgent` and perform File System Backup. 
+`uploaderType`:: Specifies the uploader type. Enter `kopia` or `restic` as your uploader. You cannot change the selection after the installation. For the Built-in DataMover you must use Kopia. The `nodeAgent` deploys a daemon set, which means that the `nodeAgent` pods run on each working node. You can configure File System Backup by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. +`nodeSelector`:: Specifies the nodes on which Kopia or Restic are available. By default, Kopia or Restic run on all nodes. +`bucket`:: Specifies a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix. +`prefix`:: Specifies a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes. +`s3ForcePathStyle`:: Specifies whether to force path style URLs for S3 objects (Boolean). Not Required for AWS S3. Required only for S3 compatible storage. +`s3Url`:: Specifies the URL of the object store that you are using to store backups. Not required for AWS S3. Required only for S3 compatible storage. +`name`:: Specifies the name of the `Secret` object that you created. If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the backup location. +`snapshotLocations`:: Specifies a snapshot location, unless you use CSI snapshots or a File System Backup (FSB) to back up PVs. +`region`:: Specifies that the snapshot location must be in the same region as the PVs. +`name`:: Specifies the name of the `Secret` object that you created. If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the snapshot location. If your backup and snapshot locations use different credentials, create separate profiles in the `credentials-velero` file. endif::[] ifdef::installing-oadp-ibm-cloud[] 
@@ -127,26 +131,29 @@ spec: - csi backupLocations: - velero: - provider: aws # <1> + provider: aws default: true objectStorage: - bucket: # <2> + bucket: prefix: velero config: insecureSkipTLSVerify: 'true' profile: default - region: # <3> + region: s3ForcePathStyle: 'true' - s3Url: # <4> + s3Url: credential: key: cloud - name: cloud-credentials # <5> + name: cloud-credentials ---- -<1> The provider is `aws` when you use {ibm-cloud-title} as a backup storage location. -<2> Specify the {ibm-cloud-object-storage} bucket name. -<3> Specify the COS region name, for example, `eu-gb`. -<4> Specify the S3 URL of the COS bucket. For example, `http://s3.eu-gb.cloud-object-storage.appdomain.cloud`. Here, `eu-gb` is the region name. Replace the region name according to your bucket region. -<5> Defines the name of the secret you created by using the access key and the secret access key from the `HMAC` credentials. ++ +where: ++ +`provider`:: Specifies that the provider is `aws` when you use {ibm-cloud-title} as a backup storage location. +`bucket`:: Specifies the {ibm-cloud-object-storage} bucket name. +`region`:: Specifies the COS region name, for example, `eu-gb`. +`s3Url`:: Specifies the S3 URL of the COS bucket. For example, `http://s3.eu-gb.cloud-object-storage.appdomain.cloud`. Here, `eu-gb` is the region name. Replace the region name according to your bucket region. +`name`:: Specifies the name of the secret you created by using the access key and the secret access key from the `HMAC` credentials. endif::[] ifdef::installing-oadp-azure[] 
@@ -157,34 +164,34 @@ apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: name: - namespace: openshift-adp # <1> + namespace: openshift-adp spec: configuration: velero: defaultPlugins: - azure - - openshift # <2> - resourceTimeout: 10m # <3> - nodeAgent: # <4> - enable: true # <5> - uploaderType: kopia # <6> + - openshift + resourceTimeout: 10m + nodeAgent: + enable: true + uploaderType: kopia podConfig: - nodeSelector: # <7> + nodeSelector: backupLocations: - velero: config: - resourceGroup: # <8> - storageAccount: # <9> - subscriptionId: # <10> + resourceGroup: + storageAccount: + subscriptionId: credential: key: cloud - name: {credentials} # <11> + name: {credentials} provider: {provider} default: true objectStorage: - bucket: # <12> - prefix: # <13> - snapshotLocations: # <14> + bucket: + prefix: + snapshotLocations: - velero: config: resourceGroup: 
@@ -194,23 +201,26 @@ spec: provider: {provider} credential: key: cloud - name: {credentials} # <15> + name: {credentials} ---- -<1> The default namespace for OADP is `openshift-adp`. The namespace is a variable and is configurable. -<2> The `openshift` plugin is mandatory. -<3> Specify how many minutes to wait for several Velero resources before timeout occurs, such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability. The default is 10m. -<4> The administrative agent that routes the administrative requests to servers. -<5> Set this value to `true` if you want to enable `nodeAgent` and perform File System Backup. -<6> Enter `kopia` or `restic` as your uploader. You cannot change the selection after the installation. For the Built-in DataMover you must use Kopia. The `nodeAgent` deploys a daemon set, which means that the `nodeAgent` pods run on each working node. You can configure File System Backup by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. -<7> Specify the nodes on which Kopia or Restic are available. By default, Kopia or Restic run on all nodes. -<8> Specify the Azure resource group. -<9> Specify the Azure storage account ID. -<10> Specify the Azure subscription ID. -<11> If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the backup location. -<12> Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix. -<13> Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes. -<14> You do not need to specify a snapshot location if you use CSI snapshots or Restic to back up PVs. -<15> Specify the name of the `Secret` object that you created. If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the backup location. 
++ +where: ++ +`namespace`:: Specifies the default namespace for OADP which is `openshift-adp`. The namespace is a variable and is configurable. +`openshift`:: Specifies that the `openshift` plugin is mandatory. +`resourceTimeout`:: Specifies how many minutes to wait for several Velero resources such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability, before timeout occurs. The default is 10m. +`nodeAgent`:: Specifies the administrative agent that routes the administrative requests to servers. +`enable`:: Set this value to `true` if you want to enable `nodeAgent` and perform File System Backup. +`uploaderType`:: Specifies the uploader type. Enter `kopia` or `restic` as your uploader. You cannot change the selection after the installation. For the Built-in DataMover you must use Kopia. The `nodeAgent` deploys a daemon set, which means that the `nodeAgent` pods run on each working node. You can configure File System Backup by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. +`nodeSelector`:: Specifies the nodes on which Kopia or Restic are available. By default, Kopia or Restic run on all nodes. +`resourceGroup`:: Specifies the Azure resource group. +`storageAccount`:: Specifies the Azure storage account ID. +`subscriptionId`:: Specifies the Azure subscription ID. +`name`:: Specifies the name of the `Secret` object. If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the backup location. +`bucket`:: Specifies a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix. +`prefix`:: Specifies a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes. +`snapshotLocations`:: Specifies the snapshot location. You do not need to specify a snapshot location if you use CSI snapshots or Restic to back up PVs. 
+`name`:: Specifies the name of the `Secret` object that you created. If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the backup location. endif::[] ifdef::installing-oadp-gcp[] 
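Review bot: the definition list added in this hunk (the Azure DPA example) has two `name`:: entries with near-identical text, one for the backup location secret and one for the snapshot location secret, so a reader cannot tell which YAML key each one describes; the old callouts <11> and <15> were at least distinguishable by position. Suggest qualifying the terms, for example `backupLocations` `credential.name`:: and `snapshotLocations` `credential.name`::, or folding the second description into the `snapshotLocations`:: entry. The entry `openshift`:: Specifies that the `openshift` plugin is mandatory. also reads oddly as a definition of a list value; "Required. The `openshift` plugin must be listed." is closer to the `kubevirt`:: Optional: ... pattern used for the OCS example later in this patch.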
@@ -221,56 +231,59 @@ apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: name: - namespace: # <1> + namespace: spec: configuration: velero: defaultPlugins: - gcp - - openshift # <2> - resourceTimeout: 10m # <3> - nodeAgent: # <4> - enable: true # <5> - uploaderType: kopia # <6> + - openshift + resourceTimeout: 10m + nodeAgent: + enable: true + uploaderType: kopia podConfig: - nodeSelector: # <7> + nodeSelector: backupLocations: - velero: provider: {provider} default: true credential: - key: cloud # <8> - name: {credentials} # <9> + key: cloud + name: {credentials} objectStorage: - bucket: # <10> - prefix: # <11> - snapshotLocations: # <12> + bucket: + prefix: + snapshotLocations: - velero: provider: {provider} default: true config: project: - snapshotLocation: us-west1 # <13> + snapshotLocation: us-west1 credential: key: cloud - name: {credentials} # <14> - backupImages: true # <15> + name: {credentials} + backupImages: true ---- -<1> The default namespace for OADP is `openshift-adp`. The namespace is a variable and is configurable. -<2> The `openshift` plugin is mandatory. -<3> Specify how many minutes to wait for several Velero resources before timeout occurs, such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability. The default is 10m. -<4> The administrative agent that routes the administrative requests to servers. -<5> Set this value to `true` if you want to enable `nodeAgent` and perform File System Backup. -<6> Enter `kopia` or `restic` as your uploader. You cannot change the selection after the installation. For the Built-in DataMover you must use Kopia. The `nodeAgent` deploys a daemon set, which means that the `nodeAgent` pods run on each working node. You can configure File System Backup by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. -<7> Specify the nodes on which Kopia or Restic are available. By default, Kopia or Restic run on all nodes. 
-<8> Secret key that contains credentials. For Google workload identity federation cloud authentication use `service_account.json`. -<9> Secret name that contains credentials. If you do not specify this value, the default name, `{credentials}`, is used. -<10> Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix. -<11> Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes. -<12> Specify a snapshot location, unless you use CSI snapshots or Restic to back up PVs. -<13> The snapshot location must be in the same region as the PVs. -<14> Specify the name of the `Secret` object that you created. If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the backup location. -<15> Google workload identity federation supports internal image backup. Set this field to `false` if you do not want to use image backup. ++ +where: ++ +`namespace`:: Specifies the default namespace for OADP which is `openshift-adp`. The namespace is a variable and is configurable. +`openshift`:: Specifies that the `openshift` plugin is mandatory. +`resourceTimeout`:: Specifies how many minutes to wait for several Velero resources such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability, before timeout occurs. The default is 10m. +`nodeAgent`:: Specifies the administrative agent that routes the administrative requests to servers. +`enable`:: Set this value to `true` if you want to enable `nodeAgent` and perform File System Backup. +`uploaderType`:: Specifies the uploader type. Enter `kopia` or `restic` as your uploader. You cannot change the selection after the installation. For the Built-in DataMover you must use Kopia. The `nodeAgent` deploys a daemon set, which means that the `nodeAgent` pods run on each working node. 
You can configure File System Backup by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. +`nodeSelector`:: Specifies the nodes on which Kopia or Restic are available. By default, Kopia or Restic run on all nodes. +`key`:: Specifies the secret key that contains credentials. For Google workload identity federation cloud authentication use `service_account.json`. +`name`:: Specifies the secret name that contains credentials. If you do not specify this value, the default name, `{credentials}`, is used. +`bucket`:: Specifies a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix. +`prefix`:: Specifies a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes. +`snapshotLocations`:: Specifies a snapshot location, unless you use CSI snapshots or Restic to back up PVs. +`snapshotLocation`:: Specifies that the snapshot location must be in the same region as the PVs. +`name`:: Specifies the name of the `Secret` object that you created. If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the backup location. +`backupImages`:: Specifies that Google workload identity federation supports internal image backup. Set this field to `false` if you do not want to use image backup. endif::[] ifdef::installing-oadp-mcg[] 
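Review bot: `snapshotLocation`:: Specifies that the snapshot location must be in the same region as the PVs. in this hunk (the GCP DPA example) describes a constraint rather than the value; the key holds a region (`us-west1` in the example), so "Specifies the region of the snapshot location, which must be the same region as the PVs." is what a reader needs. Likewise `backupImages`:: Specifies that Google workload identity federation supports internal image backup. never says what the field controls; lead with "Enables internal image backup; set to `false` to skip it." and keep the workload identity sentence as the caveat. As with the other examples, the two `name`:: entries (backup location secret versus snapshot location secret) are not distinguishable without the removed callout numbers; qualify the terms with their parent key.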
@@ -281,49 +294,52 @@ apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: name: - namespace: openshift-adp # <1> + namespace: openshift-adp spec: configuration: velero: defaultPlugins: - - aws # <2> - - openshift # <3> - resourceTimeout: 10m # <4> - nodeAgent: # <5> - enable: true # <6> - uploaderType: kopia # <7> + - aws + - openshift + resourceTimeout: 10m + nodeAgent: + enable: true + uploaderType: kopia podConfig: - nodeSelector: # <8> + nodeSelector: backupLocations: - velero: config: profile: "default" - region: <9> - s3Url: # <10> + region: + s3Url: insecureSkipTLSVerify: "true" s3ForcePathStyle: "true" provider: {provider} default: true credential: key: cloud - name: {credentials} # <11> + name: {credentials} objectStorage: - bucket: # <12> - prefix: # <13> + bucket: + prefix: ---- -<1> The default namespace for OADP is `openshift-adp`. The namespace is a variable and is configurable. -<2> An object store plugin corresponding to your storage locations is required. For all S3 providers, the required plugin is `aws`. For {azure-short} and {gcp-short} object stores, the `azure` or `gcp` plugin is required. -<3> The `openshift` plugin is mandatory. -<4> Specify how many minutes to wait for several Velero resources before timeout occurs, such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability. The default is 10m. -<5> The administrative agent that routes the administrative requests to servers. -<6> Set this value to `true` if you want to enable `nodeAgent` and perform File System Backup. -<7> Enter `kopia` or `restic` as your uploader. You cannot change the selection after the installation. For the Built-in DataMover you must use Kopia. The `nodeAgent` deploys a daemon set, which means that the `nodeAgent` pods run on each working node. You can configure File System Backup by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. 
-<8> Specify the nodes on which Kopia or Restic are available. By default, Kopia or Restic run on all nodes. -<9> Specify the region, following the naming convention of the documentation of your object storage server. -<10> Specify the URL of the S3 endpoint. -<11> Specify the name of the `Secret` object that you created. If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the backup location. -<12> Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix. -<13> Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes. ++ +where: ++ +`namespace`:: Specifies the default namespace for OADP which is `openshift-adp`. The namespace is a variable and is configurable. +`aws`:: Specifies that an object store plugin corresponding to your storage locations is required. For all S3 providers, the required plugin is `aws`. For {azure-short} and {gcp-short} object stores, the `azure` or `gcp` plugin is required. +`openshift`:: Specifies that the `openshift` plugin is mandatory. +`resourceTimeout`:: Specifies how many minutes to wait for several Velero resources such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability, before timeout occurs. The default is 10m. +`nodeAgent`:: Specifies the administrative agent that routes the administrative requests to servers. +`enable`:: Set this value to `true` if you want to enable `nodeAgent` and perform File System Backup. +`uploaderType`:: Specifies the uploader type. Enter `kopia` or `restic` as your uploader. You cannot change the selection after the installation. For the Built-in DataMover you must use Kopia. The `nodeAgent` deploys a daemon set, which means that the `nodeAgent` pods run on each working node. 
You can configure File System Backup by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. +`nodeSelector`:: Specifies the nodes on which Kopia or Restic are available. By default, Kopia or Restic run on all nodes. +`region`:: Specifies the region, following the naming convention of the documentation of your object storage server. +`s3Url`:: Specifies the URL of the S3 endpoint. +`name`:: Specifies the name of the `Secret` object that you created. If you do not specify this value, the default name, `{credentials}`, is used. If you specify a custom name, the custom name is used for the backup location. +`bucket`:: Specifies a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix. +`prefix`:: Specifies a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes. endif::[] ifdef::installing-oadp-ocs[] 
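Review bot: the MCG example in this hunk keeps `insecureSkipTLSVerify: "true"` and `s3ForcePathStyle: "true"` as literal values, but neither the old callouts nor the new definition list documents them, and `"true"` here disables server certificate verification for the S3 endpoint. Add an `insecureSkipTLSVerify`:: entry that says so and points readers to the `caCert` option documented in `oadp-self-signed-certificate.adoc` in this same patch, so the unverified setting is not copied into production as-is; an `s3ForcePathStyle`:: and a `profile`:: entry would complete the list. Removing `- region: <9>` also fixes a callout that was missing its `#` comment prefix, so it was not valid YAML in the rendered example.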
@@ -334,46 +350,49 @@ apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: name: - namespace: openshift-adp # <1> + namespace: openshift-adp spec: configuration: velero: defaultPlugins: - - aws # <2> - - kubevirt # <3> - - csi # <4> - - openshift # <5> - resourceTimeout: 10m # <6> - nodeAgent: # <7> - enable: true # <8> - uploaderType: kopia # <9> + - aws + - kubevirt + - csi + - openshift + resourceTimeout: 10m + nodeAgent: + enable: true + uploaderType: kopia podConfig: - nodeSelector: # <10> + nodeSelector: backupLocations: - velero: - provider: {provider} # <11> + provider: {provider} default: true credential: key: cloud - name: # <12> + name: objectStorage: - bucket: # <13> - prefix: # <14> + bucket: + prefix: ---- -<1> The default namespace for OADP is `openshift-adp`. The namespace is a variable and is configurable. -<2> An object store plugin corresponding to your storage locations is required. For all S3 providers, the required plugin is `aws`. For {azure-short} and {gcp-short} object stores, the `azure` or `gcp` plugin is required. -<3> Optional: The `kubevirt` plugin is used with {VirtProductName}. -<4> Specify the `csi` default plugin if you use CSI snapshots to back up PVs. The `csi` plugin uses the link:https://{velero-domain}/docs/main/csi/[Velero CSI beta snapshot APIs]. You do not need to configure a snapshot location. -<5> The `openshift` plugin is mandatory. -<6> Specify how many minutes to wait for several Velero resources before timeout occurs, such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability. The default is 10m. -<7> The administrative agent that routes the administrative requests to servers. -<8> Set this value to `true` if you want to enable `nodeAgent` and perform File System Backup. -<9> Enter `kopia` or `restic` as your uploader. You cannot change the selection after the installation. For the Built-in DataMover you must use Kopia. 
The `nodeAgent` deploys a daemon set, which means that the `nodeAgent` pods run on each working node. You can configure File System Backup by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. -<10> Specify the nodes on which Kopia or Restic are available. By default, Kopia or Restic run on all nodes. -<11> Specify the backup provider. -<12> Specify the correct default name for the `Secret`, for example, `cloud-credentials-gcp`, if you use a default plugin for the backup provider. If specifying a custom name, then the custom name is used for the backup location. If you do not specify a `Secret` name, the default name is used. -<13> Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix. -<14> Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes. ++ +where: ++ +`namespace`:: Specifies the default namespace for OADP which is `openshift-adp`. The namespace is a variable and is configurable. +`aws`:: Specifies that an object store plugin corresponding to your storage locations is required. For all S3 providers, the required plugin is `aws`. For {azure-short} and {gcp-short} object stores, the `azure` or `gcp` plugin is required. +`kubevirt`:: Optional: The `kubevirt` plugin is used with {VirtProductName}. +`csi`:: Specifies the `csi` default plugin if you use CSI snapshots to back up PVs. The `csi` plugin uses the link:https://{velero-domain}/docs/main/csi/[Velero CSI beta snapshot APIs]. You do not need to configure a snapshot location. +`openshift`:: Specifies that the `openshift` plugin is mandatory. +`resourceTimeout`:: Specifies how many minutes to wait for several Velero resources such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability, before timeout occurs. The default is 10m. +`nodeAgent`:: Specifies the administrative agent that routes the administrative requests to servers. 
+`enable`:: Set this value to `true` if you want to enable `nodeAgent` and perform File System Backup. +`uploaderType`:: Specifies the uploader type. Enter `kopia` or `restic` as your uploader. You cannot change the selection after the installation. For the Built-in DataMover you must use Kopia. The `nodeAgent` deploys a daemon set, which means that the `nodeAgent` pods run on each working node. You can configure File System Backup by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. +`nodeSelector`:: Specifies the nodes on which Kopia or Restic are available. By default, Kopia or Restic run on all nodes. +`provider`:: Specifies the backup provider. +`name`:: Specifies the correct default name for the `Secret`, for example, `cloud-credentials-gcp`, if you use a default plugin for the backup provider. If specifying a custom name, then the custom name is used for the backup location. If you do not specify a `Secret` name, the default name is used. +`bucket`:: Specifies a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix. +`prefix`:: Specifies a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes. endif::[] ifdef::virt-backup-restore-overview,installing-oadp-kubevirt[] 
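Review bot: `name`:: Specifies the correct default name for the `Secret`, for example, `cloud-credentials-gcp`, ... in this hunk (the OCS DPA example) sits under a DPA whose only object store plugin is `aws`, so the GCP example name is misleading; the SSE-C module later in this patch refers to the AWS default as `cloud-credentials`. Use a name that matches the plugin shown, or phrase it as "the default name for your provider plugin". `kubevirt`:: Optional: The `kubevirt` plugin is used with {VirtProductName}. is also the one entry that does not follow the "Specifies ..." form; "Optional. Specifies the `kubevirt` plugin, which is used with {VirtProductName}." would keep the list consistent.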
@@ -384,46 +403,49 @@ apiVersion: oadp.openshift.io/v1alpha1 kind: DataProtectionApplication metadata: name: - namespace: openshift-adp # <1> + namespace: openshift-adp spec: configuration: velero: defaultPlugins: - - kubevirt # <2> - - gcp # <3> - - csi # <4> - - openshift # <5> - resourceTimeout: 10m # <6> - nodeAgent: # <7> - enable: true # <8> - uploaderType: kopia # <9> + - kubevirt + - gcp + - csi + - openshift + resourceTimeout: 10m + nodeAgent: + enable: true + uploaderType: kopia podConfig: - nodeSelector: # <10> + nodeSelector: backupLocations: - velero: - provider: {provider} # <11> + provider: {provider} default: true credential: key: cloud - name: # <12> + name: objectStorage: - bucket: # <13> - prefix: # <14> + bucket: + prefix: ---- -<1> The default namespace for OADP is `openshift-adp`. The namespace is a variable and is configurable. -<2> The `kubevirt` plugin is mandatory for {VirtProductName}. -<3> Specify the plugin for the backup provider, for example, `gcp`, if it exists. -<4> The `csi` plugin is mandatory for backing up PVs with CSI snapshots. The `csi` plugin uses the link:https://{velero-domain}/docs/main/csi/[Velero CSI beta snapshot APIs]. You do not need to configure a snapshot location. -<5> The `openshift` plugin is mandatory. -<6> Specify how many minutes to wait for several Velero resources before timeout occurs, such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability. The default is 10m. -<7> The administrative agent that routes the administrative requests to servers. -<8> Set this value to `true` if you want to enable `nodeAgent` and perform File System Backup. -<9> Enter `kopia` as your uploader to use the Built-in DataMover. The `nodeAgent` deploys a daemon set, which means that the `nodeAgent` pods run on each working node. You can configure File System Backup by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. -<10> Specify the nodes on which Kopia are available. 
By default, Kopia runs on all nodes. -<11> Specify the backup provider. -<12> Specify the correct default name for the `Secret`, for example, `cloud-credentials-gcp`, if you use a default plugin for the backup provider. If specifying a custom name, then the custom name is used for the backup location. If you do not specify a `Secret` name, the default name is used. -<13> Specify a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix. -<14> Specify a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes. ++ +where: ++ +`namespace`:: Specifies the default namespace for OADP which is `openshift-adp`. The namespace is a variable and is configurable. +`kubevirt`:: Specifies that the `kubevirt` plugin is mandatory for {VirtProductName}. +`gcp`:: Specifies the plugin for the backup provider, for example, `gcp`, if it exists. +`csi`:: Specifies that the `csi` plugin is mandatory for backing up PVs with CSI snapshots. The `csi` plugin uses the link:https://{velero-domain}/docs/main/csi/[Velero CSI beta snapshot APIs]. You do not need to configure a snapshot location. +`openshift`:: Specifies that the `openshift` plugin is mandatory. +`resourceTimeout`:: Specifies how many minutes to wait for several Velero resources such as Velero CRD availability, volumeSnapshot deletion, and backup repository availability, before timeout occurs. The default is 10m. +`nodeAgent`:: Specifies the administrative agent that routes the administrative requests to servers. +`enable`:: Set this value to `true` if you want to enable `nodeAgent` and perform File System Backup. +`uploaderType`:: Specifies the uploader type. Enter `kopia` as your uploader to use the Built-in DataMover. The `nodeAgent` deploys a daemon set, which means that the `nodeAgent` pods run on each working node. You can configure File System Backup by adding `spec.defaultVolumesToFsBackup: true` to the `Backup` CR. 
+`nodeSelector`:: Specifies the nodes on which Kopia are available. By default, Kopia runs on all nodes. +`provider`:: Specifies the backup provider. +`name`:: Specifies the correct default name for the `Secret`, for example, `cloud-credentials-gcp`, if you use a default plugin for the backup provider. If specifying a custom name, then the custom name is used for the backup location. If you do not specify a `Secret` name, the default name is used. +`bucket`:: Specifies a bucket as the backup storage location. If the bucket is not a dedicated bucket for Velero backups, you must specify a prefix. +`prefix`:: Specifies a prefix for Velero backups, for example, `velero`, if the bucket is used for multiple purposes. endif::[] . Click *Create*. @@ -437,8 +459,6 @@ endif::[] $ oc get all -n openshift-adp ---- + -.Example output -+ ---- NAME READY STATUS RESTARTS AGE pod/oadp-operator-controller-manager-67d9494d47-6l8z8 2/2 Running 0 2m8s @@ -469,7 +489,6 @@ replicaset.apps/velero-588db7f655 1 1 ---- $ oc get dpa dpa-sample -n openshift-adp -o jsonpath='{.status}' ---- -.Example output + [source,yaml] ---- @@ -484,7 +503,6 @@ $ oc get dpa dpa-sample -n openshift-adp -o jsonpath='{.status}' ---- $ oc get backupstoragelocations.velero.io -n openshift-adp ---- -.Example output + [source,yaml] ---- diff --git a/modules/oadp-s3-and-gov-cloud.adoc b/modules/oadp-s3-and-gov-cloud.adoc index d9d1f88945..e4b4fcc300 100644 --- a/modules/oadp-s3-and-gov-cloud.adoc +++ b/modules/oadp-s3-and-gov-cloud.adoc 
@@ -6,7 +6,10 @@ [id="oadp-s3-and-gov-cloud_{context}"] = About Amazon Simple Storage Service, Identity and Access Management, and GovCloud -Amazon Simple Storage Service (Amazon S3) is a storage solution of Amazon for the internet. As an authorized user, you can use this service to store and retrieve any amount of data whenever you want, from anywhere on the web. +[role="_abstract"] +Review Amazon Simple Storage Service (S3), Identity and Access Management (IAM), and AWS GovCloud requirements to configure backup storage with appropriate security controls. This helps you meet federal data security requirements and use correct endpoints. + +{aws-short} S3 is a storage solution of Amazon for the internet. As an authorized user, you can use this service to store and retrieve any amount of data whenever you want, from anywhere on the web. You securely control access to Amazon S3 and other Amazon services by using the AWS Identity and Access Management (IAM) web service. @@ -17,7 +20,7 @@ AWS GovCloud (US) is an Amazon storage solution developed to meet the stringent * You cannot copy the contents of an Amazon S3 bucket in the AWS GovCloud (US) regions directly to or from another AWS region. * If you use Amazon S3 policies, use the AWS GovCloud (US) Amazon Resource Name (ARN) identifier to unambiguously specify a resource across all of AWS, such as in IAM policies, Amazon S3 bucket names, and API calls. -** IIn AWS GovCloud (US) regions, ARNs have an identifier that is different from the one in other standard AWS regions, `arn:aws-us-gov`. If you need to specify the US-West or US-East region, use one the following ARNs: +** In AWS GovCloud (US) regions, ARNs have an identifier that is different from the one in other standard AWS regions, `arn:aws-us-gov`. If you need to specify the US-West or US-East region, use one the following ARNs: *** For US-West, use `us-gov-west-1`. *** For US-East, use `us-gov-east-1`. 
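Review bot: the corrected line in the `@@ -17,7 +20,7 @@` hunk still reads "use one the following ARNs" (missing "of"), and the two sub-bullets that follow give region codes (`us-gov-west-1`, `us-gov-east-1`), not ARNs; since the partition identifier is `arn:aws-us-gov` and the region is a separate ARN component, "use one of the following region identifiers in the ARN" states the requirement accurately. In the `@@ -6,7 +6,10 @@` hunk the rewritten paragraph now mixes `{aws-short} S3` with the literal "Amazon S3" of the unchanged next sentence; pick the attribute form throughout the module.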
diff --git a/modules/oadp-self-signed-certificate.adoc b/modules/oadp-self-signed-certificate.adoc index 768126eb7a..cfd40ac5d8 100644 --- a/modules/oadp-self-signed-certificate.adoc +++ b/modules/oadp-self-signed-certificate.adoc @@ -33,12 +33,13 @@ spec: objectStorage: bucket: prefix: - caCert: <1> + caCert: config: - insecureSkipTLSVerify: "false" <2> + insecureSkipTLSVerify: "false" # ... ---- -<1> Specify the Base64-encoded CA certificate string. -<2> The `insecureSkipTLSVerify` configuration can be set to either `"true"` or `"false"`. If set to `"true"`, SSL/TLS security is disabled. If set to `"false"`, SSL/TLS security is enabled. - - ++ +where: ++ +`caCert`:: Specifies the Base64-encoded CA certificate string. +`insecureSkipTLSVerify`:: Specifies the `insecureSkipTLSVerify` configuration. The configuration can be set to either `"true"` or `"false"`. If set to `"true"`, SSL/TLS security is disabled. If set to `"false"`, SSL/TLS security is enabled. diff --git a/modules/oadp-setting-resource-limits-and-requests.adoc b/modules/oadp-setting-resource-limits-and-requests.adoc index fbd4c7a5c7..826dcc7aed 100644 --- a/modules/oadp-setting-resource-limits-and-requests.adoc +++ b/modules/oadp-setting-resource-limits-and-requests.adoc @@ -34,8 +34,8 @@ spec: configuration: velero: podConfig: - nodeSelector: <1> - resourceAllocations: <2> + nodeSelector: + resourceAllocations: limits: cpu: "1" memory: 1024Mi 
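Review bot: `insecureSkipTLSVerify`:: Specifies the `insecureSkipTLSVerify` configuration. in the `oadp-self-signed-certificate.adoc` hunk restates the key name instead of describing it, and "SSL/TLS security is disabled" overstates the effect: with `"true"` the connection still uses TLS, but the server certificate is not verified, which is what makes the setting unsafe. Suggest: "Controls whether the TLS certificate of the object storage endpoint is verified. `\"false\"`, as in the example, verifies it against `caCert`; `\"true\"` skips verification and is intended for testing only."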
@@ -43,12 +43,15 @@ spec: cpu: 200m memory: 256Mi ---- -<1> Specify the node selector to be supplied to Velero podSpec. -<2> The `resourceAllocations` listed are for average usage. ++ +where: ++ +`nodeSelector`:: Specifies the node selector to be supplied to Velero podSpec. +`resourceAllocations`:: Specifies the resource allocations listed for average usage. + [NOTE] ==== Kopia is an option in OADP 1.3 and later releases. You can use Kopia for file system backups, and Kopia is your only option for Data Mover cases with the built-in Data Mover. Kopia is more resource intensive than Restic, and you might need to adjust the CPU and memory requirements accordingly. -==== +==== \ No newline at end of file diff --git a/modules/oadp-ssec-encrypted-backups-velero.adoc b/modules/oadp-ssec-encrypted-backups-velero.adoc index 80a7e60461..3017c0820a 100644 --- a/modules/oadp-ssec-encrypted-backups-velero.adoc +++ b/modules/oadp-ssec-encrypted-backups-velero.adoc @@ -22,4 +22,4 @@ $ aws s3api get-object \ --sse-customer-algorithm AES256 \ --debug \ velero_download.tar.gz ----- +---- \ No newline at end of file diff --git a/modules/oadp-ssec-encrypted-backups.adoc b/modules/oadp-ssec-encrypted-backups.adoc index 74eda04aea..fd1a21bd78 100644 --- a/modules/oadp-ssec-encrypted-backups.adoc +++ b/modules/oadp-ssec-encrypted-backups.adoc @@ -1,3 +1,4 @@ + // Module included in the following assemblies: // // * backup_and_restore/application_backup_and_restore/installing/installing-oadp-aws.adoc 
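Review bot: `resourceAllocations`:: Specifies the resource allocations listed for average usage. in the `@@ -43,12 +43,15 @@` hunk of `oadp-setting-resource-limits-and-requests.adoc` is ambiguous; the original callout meant that the example values are sized for average usage, so "Specifies the CPU and memory requests and limits for the Velero pod. The values shown are for average usage." keeps that meaning. The same hunk also drops the file's trailing newline (`\ No newline at end of file` on the closing `====`); keep the newline.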
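Review bot: the only change in the `@@ -22,4 +22,4 @@` hunk of `oadp-ssec-encrypted-backups-velero.adoc` is removing the trailing newline after the closing `----`, while the next file in this patch adds one back; drop this hunk rather than introduce the inconsistency. Likewise the `@@ -1,3 +1,4 @@` hunk of `oadp-ssec-encrypted-backups.adoc` only adds an empty first line ahead of the `// Module included in the following assemblies:` comment, which serves no purpose.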
@@ -6,7 +7,10 @@ [id="oadp-ssec-encrypted-backups_{context}"] = Creating an OADP SSE-C encryption key for additional data security -{aws-first} S3 applies server-side encryption with Amazon S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. +[role="_abstract"] +Configure server-side encryption with customer-provided keys (SSE-C) to add an additional layer of encryption for backup data stored in {aws-first} S3. This protects backup data if AWS credentials become exposed. + +{aws-first} S3 applies server-side encryption with {aws-short} S3 managed keys (SSE-S3) as the base level of encryption for every bucket in Amazon S3. {oadp-first} encrypts data by using SSL/TLS, HTTPS, and the `velero-repo-credentials` secret when transferring the data from a cluster to storage. To protect backup data in case of lost or stolen AWS credentials, apply an additional layer of encryption. 
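Review bot: the new abstract's claim "This protects backup data if AWS credentials become exposed." holds only when the SSE-C key is stored separately from the AWS credentials, since SSE-C data cannot be read without the customer key; the unchanged sentence "To protect backup data in case of lost or stolen AWS credentials, apply an additional layer of encryption." already makes this the module's point, so add the separation condition to the abstract or to that sentence. The rewritten line also now mixes `{aws-first} S3`, `{aws-short} S3` and the literal "Amazon S3" in one sentence ("... for every bucket in Amazon S3."); use one form.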
@@ -33,9 +37,8 @@ This is a workaround for a known issue: https://issues.redhat.com/browse/OADP-39 The following procedure contains an example of a `spec:backupLocations` block that does not specify credentials. This example would trigger an OADP secret mounting. ==== -* If you need the backup location to have credentials with a different name than `cloud-credentials`, you must add a snapshot location, such as the one in the following example, that does not contain a credential name. Because the example does not contain a credential name, the snapshot location will use `cloud-credentials` as its secret for taking snapshots. - -.Example snapshot location in a DPA without credentials specified +* If you need the backup location to have credentials with a different name than `cloud-credentials`, you must add a snapshot location, such as the one in the following example, that does not contain a credential name. Because the following example does not contain a credential name, the snapshot location will use `cloud-credentials` as its secret for taking snapshots. ++ [source,yaml] ---- snapshotLocations: @@ -143,9 +146,8 @@ $ aws s3api get-object \ ---- $ cat downloaded.txt ---- -.Example output + [source,terminal] ---- encrypt me please ----- \ No newline at end of file +---- diff --git a/modules/oadp-using-ca-certificates-with-velero-command.adoc b/modules/oadp-using-ca-certificates-with-velero-command.adoc index 35af262c91..26ae493113 100644 --- a/modules/oadp-using-ca-certificates-with-velero-command.adoc +++ b/modules/oadp-using-ca-certificates-with-velero-command.adoc 
@@ -9,14 +9,14 @@ :_mod-docs-content-type: PROCEDURE [id="oadp-using-ca-certificates-with-velero-command-aliased-for-velero-deployment_{context}"] -== Using CA certificates with the velero command aliased for Velero deployment += Using CA certificates with the velero command aliased for Velero deployment [role="_abstract"] You might want to use the Velero CLI without installing it locally on your system by creating an alias for it. .Prerequisites -* You must be logged in to the OpenShift Container Platform cluster as a user with the `cluster-admin` role. +* You must be logged in to the {product-title} cluster as a user with the `cluster-admin` role. * You must have the OpenShift CLI (`oc`) installed. .Procedure @@ -79,5 +79,5 @@ You can use these logs to view failures and warnings for the resources that you $ oc exec -n openshift-adp -i deploy/velero -c velero -- bash -c "ls /tmp/your-cacert.txt" /tmp/your-cacert.txt ---- - ++ In a future release of OpenShift API for Data Protection (OADP), we plan to mount the certificate to the Velero pod so that this step is not required.
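Review bot: `nodeSelector`:: Specifies the nodes on which Kopia are available. in the `@@ -384,46 +403,49 @@` hunk (the {VirtProductName} DPA example) has a number agreement error, "Kopia is available", and `gcp`:: Specifies the plugin for the backup provider, for example, `gcp`, if it exists. leaves "if it exists" ambiguous; "if a plugin exists for your provider" says what is meant. The two other examples in this patch that share the `uploaderType`/`nodeAgent` text use the same wording, so the fix applies across them.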
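Review bot: in the `@@ -79,5 +79,5 @@` hunk of `oadp-using-ca-certificates-with-velero-command.adoc`, the `+` continuation attaches "In a future release of OpenShift API for Data Protection (OADP), we plan to mount the certificate ..." to the preceding step, which is fine, but the sentence should use the `{oadp-first}` attribute that the SSE-C module in this patch already uses, and product voice ("A future release of {oadp-first} is planned to mount ...") rather than "we plan". The `==` to `=` change in the `@@ -9,14 +9,14 @@` hunk is correct for a module that is included with `leveloffset`, and `{product-title}` in the prerequisites matches the rest of the modules.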