mirror of
https://github.com/openshift/openshift-docs.git
synced 2026-02-05 12:46:18 +01:00
277 lines
7.0 KiB
Plaintext
277 lines
7.0 KiB
Plaintext
// Module included in the following assemblies:
|
|
//
|
|
// * backup_and_restore/application_backup_and_restore/oadp-use-cases/oadp-usecase-enable-ca-cert.adoc
|
|
|
|
:_mod-docs-content-type: PROCEDURE
|
|
[id="oadp-usecase-include-ca-cert-backup_{context}"]
|
|
= Backing up an application and its self-signed CA certificate
|
|
|
|
[role="_abstract"]
|
|
The `s3.openshift-storage.svc` service, provided by {odf-short}, uses a Transport Layer Security protocol (TLS) certificate that is signed with the self-signed service CA.
|
|
|
|
To prevent a `certificate signed by unknown authority` error, you must include a self-signed CA certificate in the backup storage location (BSL) section of `DataProtectionApplication` custom resource (CR). For this situation, you must complete the following tasks:
|
|
|
|
* Request a NooBaa bucket by creating an object bucket claim (OBC).
|
|
* Extract the bucket details.
|
|
* Include a self-signed CA certificate in the `DataProtectionApplication` CR.
|
|
* Back up an application.
|
|
|
|
.Prerequisites
|
|
|
|
* You installed the {oadp-short} Operator.
|
|
* You installed the {odf-short} Operator.
|
|
* You have an application with a database running in a separate namespace.
|
|
|
|
.Procedure
|
|
|
|
. Create an OBC manifest to request a NooBaa bucket as shown in the following example:
|
|
+
|
|
.Example `ObjectBucketClaim` CR
|
|
[source,yaml]
|
|
----
|
|
apiVersion: objectbucket.io/v1alpha1
|
|
kind: ObjectBucketClaim
|
|
metadata:
|
|
name: test-obc # <1>
|
|
namespace: openshift-adp
|
|
spec:
|
|
storageClassName: openshift-storage.noobaa.io
|
|
generateBucketName: test-backup-bucket # <2>
|
|
----
|
|
<1> Specifies the name of the object bucket claim.
|
|
<2> Specifies the name of the bucket.
|
|
|
|
. Create the OBC by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create -f <obc_file_name>
|
|
----
|
|
|
|
. When you create an OBC, {odf-short} creates a `secret` and a `ConfigMap` with the same name as the object bucket claim. The `secret` object contains the bucket credentials, and the `ConfigMap` object contains information to access the bucket. To get the bucket name and bucket host from the generated config map, run the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc extract --to=- cm/test-obc # <1>
|
|
----
|
|
<1> The name of the OBC is `test-obc`.
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
# BUCKET_NAME
|
|
backup-c20...41fd
|
|
# BUCKET_PORT
|
|
443
|
|
# BUCKET_REGION
|
|
|
|
# BUCKET_SUBREGION
|
|
|
|
# BUCKET_HOST
|
|
s3.openshift-storage.svc
|
|
----
|
|
|
|
. To get the bucket credentials from the `secret` object, run the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc extract --to=- secret/test-obc
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
# AWS_ACCESS_KEY_ID
|
|
ebYR....xLNMc
|
|
# AWS_SECRET_ACCESS_KEY
|
|
YXf...+NaCkdyC3QPym
|
|
----
|
|
|
|
. Create a `cloud-credentials` file with the object bucket credentials by using the following example configuration:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
[default]
|
|
aws_access_key_id=<AWS_ACCESS_KEY_ID>
|
|
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
|
|
----
|
|
|
|
. Create the `cloud-credentials` secret with the `cloud-credentials` file content by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc create secret generic \
|
|
cloud-credentials \
|
|
-n openshift-adp \
|
|
--from-file cloud=cloud-credentials
|
|
----
|
|
|
|
. Extract the service CA certificate from the `openshift-service-ca.crt` config map by running the following command. Ensure that you encode the certificate in `Base64` format and note the value to use in the next step.
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get cm/openshift-service-ca.crt \
|
|
-o jsonpath='{.data.service-ca\.crt}' | base64 -w0; echo
|
|
----
|
|
+
|
|
.Example output
|
|
+
|
|
[source,terminal]
|
|
----
|
|
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0...
|
|
....gpwOHMwaG9CRmk5a3....FLS0tLS0K
|
|
----
|
|
|
|
. Configure the `DataProtectionApplication` CR manifest file with the bucket name and CA certificate as shown in the following example:
|
|
+
|
|
.Example `DataProtectionApplication` CR
|
|
[source,yaml]
|
|
----
|
|
apiVersion: oadp.openshift.io/v1alpha1
|
|
kind: DataProtectionApplication
|
|
metadata:
|
|
name: oadp-backup
|
|
namespace: openshift-adp
|
|
spec:
|
|
configuration:
|
|
nodeAgent:
|
|
enable: true
|
|
uploaderType: kopia
|
|
velero:
|
|
defaultPlugins:
|
|
- aws
|
|
- openshift
|
|
- csi
|
|
defaultSnapshotMoveData: true
|
|
backupLocations:
|
|
- velero:
|
|
config:
|
|
profile: "default"
|
|
region: noobaa
|
|
s3Url: https://s3.openshift-storage.svc
|
|
s3ForcePathStyle: "true"
|
|
insecureSkipTLSVerify: "false" # <1>
|
|
provider: aws
|
|
default: true
|
|
credential:
|
|
key: cloud
|
|
name: cloud-credentials
|
|
objectStorage:
|
|
bucket: <bucket_name> # <2>
|
|
prefix: oadp
|
|
caCert: <ca_cert> # <3>
|
|
----
|
|
<1> The `insecureSkipTLSVerify` flag can be set to either `true` or `false`. If set to "true", SSL/TLS security is disabled. If set to `false`, SSL/TLS security is enabled.
|
|
<2> Specify the name of the bucket extracted in an earlier step.
|
|
<3> Copy and paste the `Base64` encoded certificate from the previous step.
|
|
|
|
. Create the `DataProtectionApplication` CR by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc apply -f <dpa_filename>
|
|
----
|
|
|
|
. Verify that the `DataProtectionApplication` CR is created successfully by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get dpa -o yaml
|
|
----
|
|
+
|
|
.Example output
|
|
+
|
|
[source,yaml]
|
|
----
|
|
apiVersion: v1
|
|
items:
|
|
- apiVersion: oadp.openshift.io/v1alpha1
|
|
kind: DataProtectionApplication
|
|
metadata:
|
|
namespace: openshift-adp
|
|
#...#
|
|
spec:
|
|
backupLocations:
|
|
- velero:
|
|
config:
|
|
#...#
|
|
status:
|
|
conditions:
|
|
- lastTransitionTime: "20....9:54:02Z"
|
|
message: Reconcile complete
|
|
reason: Complete
|
|
status: "True"
|
|
type: Reconciled
|
|
kind: List
|
|
metadata:
|
|
resourceVersion: ""
|
|
----
|
|
|
|
. Verify that the backup storage location (BSL) is available by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc get backupstoragelocations.velero.io -n openshift-adp
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
NAME PHASE LAST VALIDATED AGE DEFAULT
|
|
dpa-sample-1 Available 3s 15s true
|
|
----
|
|
|
|
. Configure the `Backup` CR by using the following example:
|
|
+
|
|
.Example `Backup` CR
|
|
[source,yaml]
|
|
----
|
|
apiVersion: velero.io/v1
|
|
kind: Backup
|
|
metadata:
|
|
name: test-backup
|
|
namespace: openshift-adp
|
|
spec:
|
|
includedNamespaces:
|
|
- <application_namespace> # <1>
|
|
----
|
|
<1> Specify the namespace for the application to back up.
|
|
|
|
. Create the `Backup` CR by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc apply -f <backup_cr_filename>
|
|
----
|
|
|
|
.Verification
|
|
|
|
* Verify that the `Backup` object is in the `Completed` phase by running the following command:
|
|
+
|
|
[source,terminal]
|
|
----
|
|
$ oc describe backup test-backup -n openshift-adp
|
|
----
|
|
+
|
|
.Example output
|
|
[source,terminal]
|
|
----
|
|
Name: test-backup
|
|
Namespace: openshift-adp
|
|
# ....#
|
|
Status:
|
|
Backup Item Operations Attempted: 1
|
|
Backup Item Operations Completed: 1
|
|
Completion Timestamp: 2024-09-25T10:17:01Z
|
|
Expiration: 2024-10-25T10:16:31Z
|
|
Format Version: 1.1.0
|
|
Hook Status:
|
|
Phase: Completed
|
|
Progress:
|
|
Items Backed Up: 34
|
|
Total Items: 34
|
|
Start Timestamp: 2024-09-25T10:16:31Z
|
|
Version: 1
|
|
Events: <none>
|
|
----
|