DO380 - ch02s03

Bookmark this page

OADP Operator Deployment and Features

Objectives

Deploy the OADP operator and describe its features and dependencies.

OpenShift API for Data Protection

The OpenShift API for Data Protection (OADP) product provides a native backup solution for applications that run on OpenShift.

OADP uses several components such as Velero and Restic to back up all the Kubernetes resources, container images from the internal registry, and persistent volumes that are associated with an application.

The following list describes the main components that OADP uses:

Velero: Velero is the main upstream component of OADP. It provides the backup API to the users and uses plug-ins to add extended capabilities to OADP.
OADP Data Mover: This OAPD feature enables exporting snapshot content to object storage.
Restic: Open source backup tool that Velero and Data Mover use to back up persistent volumes.

Those components are discussed in more detail later in this chapter. See the references section for more information about Velero and Restic.

The OADP framework is initially designed for partners to provide the needed infrastructure for a complete backup solution. OpenShift administrators can use OADP as a basic backup solution, although it might not implement some required features, such as a graphical user interface or multi-tenancy support. The following examples are backup solutions that use OADP:

Catalogic CloudCasa
IBM Spectrum Protect Plus
Dell EMC PowerProtect Data Manager

Kubernetes Resources Backup

OADP uses Velero to back up all the Kubernetes resources to cloud object storage. You can filter objects to back up and restore by namespace, resource type, and label.

Velero not only exports and imports resources; it also performs additional processing on the resources. The following list describes some of this additional processing:

Determine the correct restore order for each resource.
Apply any user-provided filters.
Modify the destination namespace, if it is different from the backup.
Remove or alter resource attributes such as auto-assigned node ports, IP addresses, or hostnames.
Skip managed resources such as a replica set that deployment owns.

You can add backup and export logic by using Velero plug-ins.

Data Volume Snapshot

OAPD can back up volumes by using cloud native snapshot API or the Kubernetes Container Storage Interface (CSI) snapshot API.

Red Hat recommends the use of snapshots when possible, because this feature enables fast and consistent backup.

File System Backup

For volumes that are not supported by either a cloud-native snapshot API or the CSI snapshot API, OADP provides a file-system backup solution.

File System Backup (FSB), or Pod Volume Backup, enables backing up almost any kind of Kubernetes volume that does not support the snapshot capability, such as NFS and local storage.

Warning

File System Backup does not support hostPath volumes.

OADP uses the open source Restic tool to back up the application volume file system.

Restic accesses the volume file system from the volume mount point on the cluster node. For that reason, the application pod must be running during the backup.

During the file system backup, the application can still alter the file system and corrupt the backup. To prevent such a scenario, the application must be quiesced to prevent any write operations while the backup is in progress.

Application-Consistent Backup

You can use backup and restore hooks to run commands before and after the backup and restore operation. By using a pre-hook, it is possible to quiesce an application, such as a transactional database, to flush pending I/O operations to the storage back end and pause future application writing operations to avoid any data loss or corruption during the backup. When the backup is complete, a post-hook is used to resume the application operations.

If you use volume snapshots, then the hooks are executed just before and after the snapshot creation, which significantly reduces the time that the application is in read-only mode.

OADP Data Mover

Some CSI drivers might store the snapshot in the same storage location as the original volume and might be vulnerable to data loss in the event of a disaster. The storage solution that is used with Red Hat OpenShift Container Platform might not guarantee snapshot durability. In such scenarios, you can enable the OADP Data Mover to copy the snapshot content to a remote backup storage location and remove the snapshot from the storage back end.

Data Mover uses the Restic component of the VolSync operator for replication. Restic secures backup content that is stored on the remote storage location with a user-defined password (also called an encryption key).

Important

The Restic password is required to decrypt and restore a backup. Keep a copy of this password in a safe place in case of a disaster event.

OADP uses Velero's Volume Snapshot Mover (VSM) plug-in to integrate with VolSync. The VolSync operator and the VSM Velero plug-in must be installed to enable Data Mover.

Important

The OADP 1.2 Data Mover is a Technology Preview feature. Technology Preview features are not supported with Red Hat production service level agreements (SLAs) and might not be functionally complete. Red Hat does not recommend the use of Technology Preview features in production.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

Velero Plug-ins

You can extend the OADP capabilities and backup logic by using the Velero plug-in system. Support for various cloud providers, storage solutions, and additional CRDs are available with integrated plug-ins.

OADP includes the following plug-ins that you can enable during the installation:

Plug-in name	Description
`aws`	Stores and retrieves backups on AWS S3-compatible storage. Manages volume snapshots on AWS EBS volumes.
`gcp`	Stores and retrieves backups on Google Cloud Storage. Manages volume snapshots on Google Compute Engine Disks.
`azure`	Stores and retrieves backups on Azure Blob Storage. Manages volume snapshots on Azure Managed Disks.
`openshift`	Provides additional logic to back up and restore OpenShift resources, including container images from the internal registry.
`kubevirt`	Provides additional logic to back up and restore virtual machines and other OpenShift Virtualization resources.
`csi`	Provides volume snapshot support by using the Kubernetes CSI Snapshot API.
`vsm`	Volume Snapshot Mover (VSM) controller integration. Enables volume snapshot data movement to object storage.

OADP can also use third-party plug-ins, such as the following examples, to extend support to additional storage solutions and custom Kubernetes resources.

OpenStack plug-in for object storage on Swift and volume snapshots on Cinder
HPE plug-in for volume snapshots on HPE Nimble Storage
DigitalOcean plug-in for volume snapshots on DigitalOcean Volumes Block Storage

Important

Red Hat does not support third-party plug-ins.

OADP API Resources

The OADP operator provides the following API resources:

DataProtectionApplication: The dataProtectionApplication resource is the configuration for the OADP operator and its components.
BackupStorageLocation: The OADP operator creates and manages a backupStorageLocation resource for each storage location that is defined in the dataProtectionApplication configuration.
VolumeSnapshotLocation: The OADP operator creates and manages a volumeSnapshotLocation resource for each snapshot location that is defined in the dataProtectionApplication configuration.
Backup: The backup resource requests the Velero server to create a backup.
Restore: The restore resource requests the Velero server to restore a backup.
Schedule: The schedule resource creates a backup periodically on a given schedule by using the Cron format.

Requirements for OADP

Red Hat OpenShift API for Data Protection requires the following resources.

OpenShift User Permissions

OADP configuration requires a user with the cluster-admin role. Backup and restore operations require administrative privileges in the OADP namespace (openshift-adp by default).

Important

OADP deployment has administrative privileges on the cluster to back up and restore all resources in any namespaces.

Object Storage

OADP requires an object storage location to store the backups. The following list is an example of object storage providers that are available for storing backups:

Amazon Web Services
Microsoft Azure
Google Cloud Platform
Any AWS S3-compatible provider, such as MinIO or OpenShift Data Foundation

Object Storage with OpenShift Data Foundation

OpenShift Data Foundation (ODF) is the storage solution that is used in this classroom environment. ODF provides two object storage services: the MultiCloud Object Gateway (NooBaa MCG) and the Ceph RADOS Object Gateway (Ceph RGW). Both services are fully compatible with OADP by using the aws provider plug-in.

For more details about OpenShift Data Foundation, refer to the DO370: Enterprise Kubernetes Storage with Red Hat OpenShift Data Foundation training course.

Similar to a persistent volume claim, you can use an object bucket claim to request an S3-compatible bucket. ODF creates a secret and a configuration map with the same name as the object bucket claim with the credentials and information to access the bucket.

The following is an example of an object bucket claim definition:

apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: my-bucket-claim
  namespace: my-namespace
spec:
  storageClassName: storage-class-name 
  generateBucketName: my-bucket

	Storage class name for the object bucket. To use NooBaa MCG, set the value to `openshift-storage.noobaa.io`. To use the Ceph RGW gateway, set the value to `ocs-external-storagecluster-ceph-rgw`.
	Prefix to add to the generated bucket name.

A few minutes after the object bucket claim creation, the status is set to Bound when the bucket is created and ready to use.

[user@host ~]$ oc get obc
NAME             STORAGE-CLASS                 PHASE   AGE
my-bucket-claim  openshift-storage.noobaa.io   Bound   5m

ODF creates a configuration map with the bucket information in the same namespace as the object bucket claim:

[user@host ~]$ oc get configmap/my-bucket-claim -oyaml
apiVersion: v1
data:
  BUCKET_HOST: s3.openshift-storage.svc 
  BUCKET_NAME: my-bucket-9ce46e22-2fb8-4a46-af95-f6949d87c3fd 
  BUCKET_PORT: "443" 
  BUCKET_REGION: "" 
  BUCKET_SUBREGION: ""
kind: ConfigMap
...output omitted...

	S3 API URL, for internal use only.
	The generated name of the bucket.
	The TCP port for the S3 endpoint. The port 443 is for `https` protocol.
	The region name, if used by the storage class.

If the BUCKET_HOST uses an internal service URL that ends with .svc, then the URL can be reached only from a workload that is running inside the cluster. The s3 route in the openshift-storage namespace provides the external endpoint URL.

[user@host ~]$ oc get route/s3 -n openshift-storage \
  -o jsonpath='{.spec.host}{"\n"}'
s3-openshift-storage.apps.ocp4.example.com

The S3 bucket credentials are stored in a secret in the same namespace as the object bucket claim:

[user@host ~]$ oc extract secret/my-bucket-claim --to=-
# AWS_ACCESS_KEY_ID
YEAsbMJnG3o1bGANZprt
# AWS_SECRET_ACCESS_KEY
xjaeCDhskn7lfrdA7WqzoUxpiRYuyjc9uDaWlMw3

CSI Snapshot

To use volume snapshots with CSI drivers, a volume snapshot class must be created to register the CSI driver to use to create snapshots. The driver name must be the same as the provisioner attribute of the volume storage class to back up.

[user@host ~]$ oc get storageclasses
NAME                          PROVISIONER
nfs-storage (default)         k8s-sigs.io/nfs-subdir-external-provisioner
ocs-storagecluster-ceph-rbd   openshift-storage.rbd.csi.ceph.com
ocs-storagecluster-ceph-rgw   openshift-storage.ceph.rook.io/bucket
ocs-storagecluster-cephfs     openshift-storage.cephfs.csi.ceph.com
openshift-storage.noobaa.io   openshift-storage.noobaa.io/obc

[user@host ~]$ oc get volumesnapshotclasses
NAME                                        DRIVER
ocs-storagecluster-cephfsplugin-snapclass   openshift-storage.cephfs.csi.ceph.com
ocs-storagecluster-rbdplugin-snapclass      openshift-storage.rbd.csi.ceph.com

Note

For storage classes that do not support snapshots, such as nfs-storage in the previous example, you can use the file system backup with Restic.

OADP Installation and Configuration

You can install the OADP operator from the OperatorHub or by using the oc command. See the references section for instructions to install an operator by using the OperatorHub or the oc command.

The dataProtectionApplication resource defines the configuration and components that the OADP operator manages. The following YAML file is an example of a dataProtectionApplication resource that stores backups on AWS S3 storage:

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: oadp-backup
  namespace: openshift-adp
spec:
  features:
    dataMover:
      enable: true
      credentialName: restic-enc-key
  configuration:
    velero:
      defaultPlugins:
        - aws
        - openshift
        - csi
        - vsm
  backupLocations:
    - velero:
        config:
          profile: "default"
          region: "us-east-1"
        provider: aws
        default: true
        credential:
          key: cloud
          name: cloud-credentials
        objectStorage:
          bucket: my-bucket
          prefix: oadp

The OADP configuration is composed of several sections.

Optional OADP Features

The features section describes the configuration of additional features, such as Data Mover.

  features:
    dataMover:
      enable: true 
      credentialName: restic-enc-key 
      maxConcurrentBackupVolumes: "3" 
      maxConcurrentRestoreVolumes: "3"
      volumeOptionsForStorageClasses: 
        gp2-csi-copy-1:
          destinationVolumeOptions:
            storageClassName: csi-copy-2
          sourceVolumeOptions:
            storageClassName: csi-copy-1

	Enable OADP Data Mover. Default is `false`.
	Secret name that contains the Restic encryption key.
	Maximum number of volume backup and restore tasks that can be running at the same time. Default is 10.
	Specify volume options for backup and restore such as the storage class to use for the backup and restore volume, if they are different from the original application volume.

To encrypt and decrypt the backups, Restic uses the stored password in the secret that the credentialName attribute defines. This secret must be created in the OADP namespace by using the following YAML template:

apiVersion: v1
kind: Secret
metadata:
  name: restic-enc-key
type: Opaque
stringData:
  RESTIC_PASSWORD: my-secure-restic-password

Note

The csi plug-in must be enabled in the configuration section to use OADP Data Mover.

Components Configuration

The configuration section describes the configuration OADP components, such as Velero and Restic.

  configuration:
    restic:
      enable: false 
      podConfig: 
        resourceAllocations:
          limits:
            cpu: "1"
            memory: 8Gi
          requests:
            cpu: 500m
            memory: 256Mi
        labels:
          mylabel: myvalue
        nodeSelector:
          matchLabels:
            node-role.kubernetes.io/worker: ""
        tolerations:
        - effect: NoSchedule
          key: somekey
          operator: Exists
    velero:
      defaultPlugins: 
        - aws
        - openshift
      podConfig: 
        resourceAllocations:
          limits:
            cpu: "1"
            memory: 8Gi
          requests:
            cpu: 500m
            memory: 256Mi

	Enable OADP File System Backup.
	Optional pod configuration such as node selector, labels, and resource allocation for each component.
	Velero plug-ins to enable. The `openshift` plug-in is mandatory.

Backup Storage Location

The backupLocation section describes the object storage location for backups. Multiple backup locations can be defined. The following example uses the aws provider plug-in:

  backupLocations:
    - velero:
        config: 
          profile: "default" 
          region: "us-east-1"
          s3Url: https://s3.openshift-storage.svc
          s3ForcePathStyle: "true"
          insecureSkipTLSVerify: "true"
        provider: aws 
        default: true 
        credential: 
          key: cloud
          name: cloud-credentials
        objectStorage:
          bucket: my-bucket 
          prefix: oadp 
          caCert: LLS0S0...LS0tLS0K

	Storage provider-specific configuration. In this example, the configuration is for the `aws` provider.
	The credentials profile name that is defined in the Velero secret.
	The storage provider plug-in name.
	Use this backup location as the default one if none is specified in the backup and restore resources.
	Velero secret with the storage provider credentials.
	Bucket name from the storage provider.
	Optional subdirectory in the bucket to store backups. If not specified, then the backups are stored at the root level of the bucket.
	Optional CA bundle in Base64 format to verify TLS connections to the storage provider.

With the aws provider plug-in, you can configure any S3-compatible object storage by setting the s3Url attribute with a custom S3 endpoint URL. OADP can access the S3 endpoint by using two addressing models:

The path-style model, such as https://s3.mydomain.com/<bucket-name>/myfile.txt
The DNS-style model (also known as virtual-hosted style), such as https://<bucket-name>.s3.mydomain.com/myfile.txt This method is the default.

If the object storage solution does not support the DNS-style method, then you can configure OADP to use the path-style model instead with the s3ForcePathStyle option.

The region attribute must be set even if the storage solution does not use a region. You can then set this attribute to the standard AWS region, such as "us-east-1".

Note

The OADP Data Mover does not use the insecureSkipTLSVerify option. If the S3 endpoint certificate is not trusted, then both the insecureSkipTLSVerify and the caCert attributes are required.

The Velero secret contains the credentials to access the object storage. If the secret name is not specified in the configuration, then Velero uses the cloud-credentials default secret name. You can create the Velero secret with a configuration file that is specific to the provider plug-in. The following Velero configuration file is for the aws provider plug-in:

[user@host ~]$ cat credentials-velero

[myProfile] 
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>

The profile name for the credentials. The name must match the profile name in the backup storage location configuration.

You can then create the Velero secret with the following oc create secret command:

[user@host ~]$ oc create secret generic cloud-credentials \
  --from-file cloud=credentials-velero

Note

The Velero secret must be created before the DataProtectionApplication object, or the installation will fail.

Snapshot Storage Location

The snapshotLocations section describes the storage configuration to use for volume snapshots when using the cloud provider native snapshot capability. For CSI snapshots, this section is not needed, because volume snapshot classes are used instead. With Data Mover and file system backup with Restic, backups are stored in the object storage location that is defined in the backupLocations section.

You can configure multiple snapshot locations per provider. The following example defines one snapshot location by using the aws provider plug-in:

  snapshotLocations:
    - name: default
      velero:
        provider: aws
        config:
          region: us-west-2 
          profile: "default" 
        credential: 
          key: cloud
          name: cloud-credentials

	AWS region to use to create the snapshots.
	The credentials profile name that is defined in the Velero secret.
	Optional. Velero secret with the storage provider credentials.

If the secret name is not specified in the configuration, then Velero uses the cloud-credentials default secret name. The same secret can be shared with the snapshot location and the backup location.

Note

Depending on the storage provider, the region to store snapshots might be limited to the same region where the original volume is.

Cross-provider snapshots are not supported.

See the references section for configuring OADP with other cloud providers such as Microsoft Azure and Google Cloud Platform.

CSI Snapshots

CSI snapshots with OADP require additional configuration on the volume snapshot classes. To prevent deletion of snapshots if the application namespace is removed, you must set the deletion policy to Retain. You can use the following command to change the deletion policy to Retain:

[user@host ~]$ oc patch volumesnapshotclass my-snapshot-storageclass \
  --type=merge -p '{"deletionPolicy": "Retain"}'
my-snapshot-storageclass patched

[user@host ~]$ oc get volumesnapshotclass my-snapshot-storageclass
NAME                         DRIVER                DELETIONPOLICY   AGE
my-snapshot-storageclass     some.csi.driver.com   Retain           1d

For OADP to use a volume snapshot class, you must add the velero.io/csi-volumesnapshot-class: "true" label. Only one volume snapshot class per driver needs this label.

You can use the following command to add the required label:

[user@host ~]$ oc label volumesnapshotclass my-snapshot-storageclass \
  velero.io/csi-volumesnapshot-class="true"
my-snapshot-storageclass labeled

Verification and Troubleshooting

When the configuration is complete, several OADP components are created depending on the enabled features.

[user@host ~]$ oc -n openshift-adp get deploy
NAME                               READY   UP-TO-DATE   AVAILABLE   AGE
openshift-adp-controller-manager   1/1     1            1           24h 
velero                             1/1     1            1           25s 
volume-snapshot-mover              1/1     1            1           25s

	OADP controller that is deployed on the OADP operator installation.
	Velero deployment that manages backup and restore operations.
	Volume Snapshot Mover for the OADP Data Mover component.

If the File System Backup feature is enabled, then the following daemon set is created:

[user@host ~]$ oc -n openshift-adp get daemonset
NAME       DESIRED CURRENT READY UP-TO-DATE AVAILABLE NODE SELECTOR AGE
node-agent 3       3       3     3          3         <none>        23s

The node-agent is deployed on all compute nodes, to back up volume file systems with Restic.

The OADP operator creates and validates each backup storage location that is defined in the DataProtectionApplication object. OADP tries to connect to the object storage with the provided credentials and validates the configuration. If the configuration is correct, then the backup storage location enters the Available phase.

[user@host ~]$ oc -n openshift-adp get backupstoragelocation
NAME           PHASE       LAST VALIDATED   AGE     DEFAULT
oadp-backup-1  Available   7s               2m44s   true

If the backup storage location remains in the Unavailable phase, then you can use the oc describe command to get more information and error messages from the Status field:

[user@host ~]$ oc -n openshift-adp describe \
  backupstoragelocation oadp-backup-1
...output omitted...
Status:
  Last Synced Time:      2023-09-22T10:27:27Z
  Last Validation Time:  2023-09-22T12:03:27Z
  Message:               BackupStorageLocation "oadp-backup-1" is unavailable: rpc error: code = Unknown desc = InvalidAccessKeyId: The AWS access key Id you provided does not exist in our records.
  Phase:                 Unavailable
...output omitted...

In this example, the S3 credentials that are configured in the Velero secret are incorrect.

Note

The OADP operator checks the validity of the backup storage location configuration every minute. Review the last validated field of the backup storage location to determine when the last check ran.

You can use the AWS CLI or the s3cmd tool to validate the S3 configuration and to browse the content of the S3 bucket.

To configure the s3cmd tool, create a .s3cfg file in your home directory with your S3 credentials. You can use the following configuration template:

[user@host ~]$ cat << EOF > ~/.s3cfg
access_key = AWS_ACCESS_KEY_ID 
secret_key = AWS_SECRET_ACCESS_KEY
host_base = s3.mydomain.com 
host_bucket = s3.mydomain.com/%(bucket)s 
signature_v2 = True 
EOF

	S3 access key and secret key.
	S3 endpoint URL, if the AWS S3 endpoint is not used.
	S3 bucket address model, if your storage provider does not support the DNS-style model.
	If your storage provider does not support the new AWS v4 signature, then you can use the AWS v2 signature instead. OpenShift Data Foundation requires this setting.

To list the contents of a bucket and to validate the configuration, use the s3cmd ls command to list all available buckets and the s3cmd la command to list all objects in all buckets:

[user@host ~]$ s3cmd ls
2023-09-22 12:33  s3://my-bucket

[user@host ~]$ s3cmd la
2023-09-22 12:31          143  s3://my-bucket/somefile.txt
...output omitted...

Note

If the S3 bucket is empty, then the s3cmd la command returns an empty line.

See the references section for using the s3cmd tool.

References

Velero Website

Restic Website

For more details about OpenShift Data Foundation, refer to the DO370: Enterprise Kubernetes Storage with Red Hat OpenShift Data Foundation training course.

For more details about Kubernetes operators, refer to the DO280: Red Hat OpenShift Administration II: Operating a Production Kubernetes Cluster training course.

For more information about installing operators by using the OperatorHub, refer to the Installing from OperatorHub Using the Web Console section in the Administrator Tasks chapter in the Red Hat OpenShift Container Platform 4.14 Operators documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/operators/index#olm-installing-from-operatorhub-using-web-console_olm-adding-operators-to-a-cluster

For more information about installing operators by using the command line, refer to the Installing from OperatorHub Using the CLI section in the Administrator Tasks chapter in the Red Hat OpenShift Container Platform 4.14 Operators documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/operators/index#olm-installing-operator-from-operatorhub-using-cli_olm-adding-operators-to-a-cluster

For more information about configuring OADP with other cloud object storage, refer to the Installing and Configuring OADP section in the Application Backup and Restore chapter in the Red Hat OpenShift Container Platform 4.14 Backup and Restore documentation at https://access.redhat.com/documentation/en-us/openshift_container_platform/4.14/html-single/backup_and_restore/index#installing-and-configuring-oadp

For more information about the s3cmd client, refer to the s3cmd website at https://s3tools.org/s3cmd

Discuss Red Hat OpenShift Administration III: Scaling Deployments in the Enterprise

Go to community

Welcome to Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise!

Syed

12 wrz 2023

We are excited to launch a space dedicated to the Red Hat Training course Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise! To gain the most value from this group - click the "Join Group" button in the upper right hand corner of the group home page.We encourage group members to collaborate in this group to discuss topics, ask questions, share best practices and tips, provide course feedback, and share their accomplishments as it relates to DO378.Read more about Red Hat OpenShift Administration III: Scaling Kubernetes Deployments in the Enterprise here.

Revision: do380-4.14-397a507