Intro
Having a proper backup recovery plan is vital to any organization’s IT operation. However, when you begin to distribute workloads across data centers and regions, that process begins to become more and more complex. Container orchestration platforms such as Kubernetes have begun to ease this burden and enabled the management of distributed workloads in areas that were previously very challenging.
In this post, we are going to introduce you to a Kubernetes-native tool for taking backups of your disks, helping with the crucial recovery plan. Stash is a Restic Operator that accelerates the task of backing up and recovering your Kubernetes infrastructure. You can read more about the Operator Framework via this blog post.
How does Stash work?
Using Stash, you can backup Kubernetes volumes mounted in following types of workloads:
- Deployment
- DaemonSet
- ReplicaSet
- ReplicationController
- StatefulSet
At the heart of Stash is a Kubernetes controller which uses Custom Resource Definition (CRD) to specify targets and behaviors of the backup and restore process in a Kubernetes native way. A simplified architecture of Stash is shown below:
Installing Stash
Using Helm 3
Stash can be installed via Helm using the chart from AppsCode Charts Repository. To install the chart with the release name stash-operator
:
$ helm repo add appscode https://charts.appscode.com/stable/ $ helm repo update $ helm search repo appscode/stash --version v0.9.0-rc.6 NAME CHART VERSION APP VERSION DESCRIPTION appscode/stash v0.9.0-rc.6 v0.9.0-rc.6 Stash by AppsCode - Backup your Kubernetes Volumes $ helm install stash-operator appscode/stash \ --version v0.9.0-rc.6 \ --namespace kube-system
Using YAML
If you prefer to not use Helm, you can generate YAMLs from Stash chart and deploy using kubectl
:
$ helm repo add appscode https://charts.appscode.com/stable/ $ helm repo update $ helm search repo appscode/stash --version v0.9.0-rc.6 NAME CHART VERSION APP VERSION DESCRIPTION appscode/stash v0.9.0-rc.6 v0.9.0-rc.6 Stash by AppsCode - Backup your Kubernetes Volumes $ helm template stash-operator appscode/stash \ --version v0.9.0-rc.6 \ --namespace kube-system \ --no-hooks | kubectl apply -f -
Installing on GKE Cluster
If you are installing Stash on a GKE cluster, you will need cluster admin permissions to install Stash operator. Run the following command to grant admin permission to the cluster.
$ kubectl create clusterrolebinding "cluster-admin-$(whoami)" \ --clusterrole=cluster-admin \ --user="$(gcloud config get-value core/account)"
In addition, if your GKE cluster is a private cluster, you will need to either add an additional firewall rule that allows master nodes access port 8443/tcp
on worker nodes, or change the existing rule that allows access to ports 443/tcp
and 10250/tcp
to also allow access to port 8443/tcp
. The procedure to add or modify firewall rules is described in the official GKE documentation for private clusters mentioned above.
Verify installation
To check if Stash operator pods have started, run the following command:
$ kubectl get pods --all-namespaces -l app=stash --watch NAMESPACE NAME READY STATUS RESTARTS AGE kube-system stash-operator-859d6bdb56-m9br5 2/2 Running 2 5s
Once the operator pods are running, you can cancel the above command by typing Ctrl+C
.
Now, to confirm CRD groups have been registered by the operator, run the following command:
$ kubectl get crd -l app=stash NAME AGE recoveries.stash.appscode.com 5s repositories.stash.appscode.com 5s restics.stash.appscode.com 5s
With this, you are ready to take your first backup using Stash.
Configuring Auto Backup for Database
To keep everything isolated, we are going to use a separate namespace called demo
throughout this tutorial.
$ kubectl create ns demo namespace/demo created
Prepare Backup Blueprint
We are going to use GCS Backend to store the backed up data. You can use any supported backend you prefer. You just have to configure Storage Secret and spec.backend
section of BackupBlueprint
to match with your backend. Visit here to learn which backends are supported by Stash and how to configure them.
For GCS backend, if the bucket does not exist, Stash needs Storage Object Admin
role permissions to create the bucket. For more details, please check the following guide.
Create Storage Secret:
At first, let’s create a Storage Secret for the GCS backend,
$ echo -n 'changeit' > RESTIC_PASSWORD $ echo -n '<your-project-id>' > GOOGLE_PROJECT_ID $ mv downloaded-sa-json.key > GOOGLE_SERVICE_ACCOUNT_JSON_KEY $ kubectl create secret generic -n demo gcs-secret \ --from-file=./RESTIC_PASSWORD \ --from-file=./GOOGLE_PROJECT_ID \ --from-file=./GOOGLE_SERVICE_ACCOUNT_JSON_KEY secret/gcs-secret created
Create BackupBlueprint:
Next, we have to create a BackupBlueprint
CRD with a blueprint for Repository
and BackupConfiguration
object.
Below is the YAML of the BackupBlueprint
object that we are going to create:
apiVersion: stash.appscode.com/v1beta1 kind: BackupBlueprint metadata: name: postgres-backup-blueprint spec: # ============== Blueprint for Repository ========================== backend: gcs: bucket: appscode-qa prefix: stash-backup/${TARGET_NAMESPACE}/${TARGET_APP_RESOURCE}/${TARGET_NAME} storageSecretName: gcs-secret # ============== Blueprint for BackupConfiguration ================= task: name: postgres-backup-${TARGET_APP_VERSION} schedule: "*/5 * * * *" retentionPolicy: name: 'keep-last-5' keepLast: 5 prune: true
Note that we have used few variables (format: ${<variable name>}
) in the spec.backend.gcs.prefix
field. Stash will substitute these variables with values from the respective target. To learn which variables you can use in the prefix
field, please visit here.
Let’s create the BackupBlueprint
that we have shown above.
$ kubectl apply -f https://github.com/stashed/docs/raw/v0.9.0-rc.6/docs/examples/guides/latest/auto-backup/database/backupblueprint.yaml backupblueprint.stash.appscode.com/postgres-backup-blueprint created
With this, automatic backup is configured for PostgreSQL database. We just have to add an annotation to the AppBinding
of the targeted database.
Required Annotation for Auto-Backup Database:
You have to add the following annotation to the AppBinding
CRD of the targeted database to enable backup for it:
stash.appscode.com/backup-blueprint: <BackupBlueprint name>
This annotation specifies the name of the BackupBlueprint
object where a blueprint for Repository
and BackupConfiguration
has been defined.
Prepare Databases
Next, we are going to deploy two sample PostgreSQL databases of two different versions using KubeDB. We are going to backup these two databases using auto-backup.
Deploy First PostgreSQL Sample:
Below is the YAML of the first Postgres
CRD:
apiVersion: kubedb.com/v1alpha1 kind: Postgres metadata: name: sample-postgres-1 namespace: demo spec: version: "11.2" storageType: Durable storage: storageClassName: "standard" accessModes: - ReadWriteOnce resources: requests: storage: 1Gi terminationPolicy: Delete
Let’s create the Postgres
we have shown above:
$ kubectl apply -f https://github.com/stashed/docs/raw/v0.9.0-rc.6/docs/examples/guides/latest/auto-backup/database/sample-postgres-1.yaml postgres.kubedb.com/sample-postgres-1 created
KubeDB will deploy a PostgreSQL database according to the above specification and it will create the necessary secrets and services to access the database. It will also create an AppBinding
CRD that holds the necessary information to connect with the database.
Verify that an AppBinding
has been created for this PostgreSQL sample:
$ kubectl get appbinding -n demo NAME AGE sample-postgres-1 47s
If you view the YAML of this AppBinding
, you will see it holds service and secret information. Stash uses this information to connect with the database.
$ kubectl get appbinding -n demo sample-postgres-1 -o yaml
apiVersion: appcatalog.appscode.com/v1alpha1 kind: AppBinding metadata: name: sample-postgres-1 namespace: demo ... spec: clientConfig: service: name: sample-postgres-1 path: / port: 5432 query: sslmode=disable scheme: postgresql secret: name: sample-postgres-1-auth secretTransforms: - renameKey: from: POSTGRES_USER to: username - renameKey: from: POSTGRES_PASSWORD to: password type: kubedb.com/postgres version: "11.2"
Deploy Second PostgreSQL Sample:
Below is the YAML of the second Postgres
object:
apiVersion: kubedb.com/v1alpha1 kind: Postgres metadata: name: sample-postgres-2 namespace: demo spec: version: "10.6-v2" storageType: Durable storage: storageClassName: "standard" accessModes: - ReadWriteOnce resources: requests: storage: 1Gi terminationPolicy: Delete
Let’s create the Postgres
we have shown above.
$ kubectl apply -f https://github.com/stashed/docs/raw/v0.9.0-rc.6/docs/examples/guides/latest/auto-backup/database/sample-postgres-2.yaml postgres.kubedb.com/sample-postgres-2 created
Verify that an AppBinding
has been created for this PostgreSQL database:
$ kubectl get appbinding -n demo NAME AGE sample-postgres-1 2m49s sample-postgres-2 10s
Here, we can see AppBinding
sample-postgres-2
has been created for our second PostgreSQL sample.
Backup
Next, we are going to add auto-backup specific annotation to the AppBinding
of our desired database. Stash watches for AppBinding
CRD. Once it finds an AppBinding
with auto-backup annotation, it will create a Repository
and a BackupConfiguration
CRD according to respective BackupBlueprint
. Then, rest of the backup process will proceed as normal database backup as described here.
Backup First PostgreSQL Sample
Let’s backup our first PostgreSQL sample using auto-backup.
Add Annotations:
At first, add the auto-backup specific annotation to the AppBinding sample-postgres-1
:
$ kubectl annotate appbinding sample-postgres-1 -n demo --overwrite \ stash.appscode.com/backup-blueprint=postgres-backup-blueprint
Verify that the annotation has been added successfully:
$ kubectl get appbinding -n demo sample-postgres-1 -o yaml
apiVersion: appcatalog.appscode.com/v1alpha1 kind: AppBinding metadata: annotations: stash.appscode.com/backup-blueprint: postgres-backup-blueprint name: sample-postgres-1 namespace: demo ... spec: clientConfig: service: name: sample-postgres-1 path: / port: 5432 query: sslmode=disable scheme: postgresql secret: name: sample-postgres-1-auth secretTransforms: - renameKey: from: POSTGRES_USER to: username - renameKey: from: POSTGRES_PASSWORD to: password type: kubedb.com/postgres version: "11.2"
Following this, Stash will create a Repository
and a BackupConfiguration
CRD according to the blueprint.
Verify Repository:
Verify that the Repository
has been created successfully by the following command:
$ kubectl get repository -n demo NAME INTEGRITY SIZE SNAPSHOT-COUNT LAST-SUCCESSFUL-BACKUP AGE postgres-sample-postgres-1
If we view the YAML of this Repository
, we are going to see that the variables ${TARGET_NAMESPACE}
, ${TARGET_APP_RESOURCE}
and ${TARGET_NAME}
has been replaced by demo
, postgres
and sample-postgres-1
respectively.
$ kubectl get repository -n demo postgres-sample-postgres-1 -o yaml
apiVersion: stash.appscode.com/v1beta1 kind: Repository metadata: creationTimestamp: "2019-08-01T13:54:48Z" finalizers: - stash generation: 1 name: postgres-sample-postgres-1 namespace: demo resourceVersion: "50171" selfLink: /apis/stash.appscode.com/v1beta1/namespaces/demo/repositories/postgres-sample-postgres-1 uid: ed49dde4-b463-11e9-a6a0-080027aded7e spec: backend: gcs: bucket: appscode-qa prefix: stash-backup/demo/postgres/sample-postgres-1 storageSecretName: gcs-secret
Verify BackupConfiguration:
Verify that the BackupConfiguration
CRD has been created by the following command:
$ kubectl get backupconfiguration -n demo NAME TASK SCHEDULE PAUSED AGE postgres-sample-postgres-1 postgres-backup-11.2 */5 * * * * 3m39s
Notice the TASK
field. It denotes that this backup will be performed using postgres-backup-11.2
task. We had specified postgres-backup-${TARGET_APP_VERSION}
as task name in the BackupBlueprint
. Here, the variable ${TARGET_APP_VERSION}
has been substituted by the database version.
Let’s check the YAML of this BackupConfiguration
.
$ kubectl get backupconfiguration -n demo postgres-sample-postgres-1 -o yaml
apiVersion: stash.appscode.com/v1beta1 kind: BackupConfiguration metadata: creationTimestamp: "2019-08-01T13:54:48Z" finalizers: - stash.appscode.com generation: 1 name: postgres-sample-postgres-1 namespace: demo ownerReferences: - apiVersion: v1 blockOwnerDeletion: false kind: AppBinding name: sample-postgres-1 uid: a799156e-b463-11e9-a6a0-080027aded7e resourceVersion: "50170" selfLink: /apis/stash.appscode.com/v1beta1/namespaces/demo/backupconfigurations/postgres-sample-postgres-1 uid: ed4bd257-b463-11e9-a6a0-080027aded7e spec: repository: name: postgres-sample-postgres-1 retentionPolicy: keepLast: 5 name: keep-last-5 prune: true runtimeSettings: {} schedule: '*/5 * * * *' target: ref: apiVersion: v1 kind: AppBinding name: sample-postgres-1 task: name: postgres-backup-11.2 tempDir: {}
Notice that the spec.target.ref
is pointing to the AppBinding sample-postgres-1
that we have just annotated with auto-backup annotation.
Wait for BackupSession:
Now, wait for the next backup schedule. Run the following command to watch BackupSession
CRD:
$ watch -n 1 kubectl get backupsession -n demo -l=stash.appscode.com/backup-configuration=postgres-sample-postgres-1 Every 1.0s: kubectl get backupsession -n demo -l=stash.appscode.com/backup-configuration=postgres-sample-postgres-1 workstation: Thu Aug 1 20:35:43 2019 NAME INVOKER-TYPE INVOKER-NAME PHASE AGE postgres-sample-postgres-1-1564670101 BackupConfiguration postgres-sample-postgres-1 Succeeded 42s
Note: Backup CronJob creates BackupSession
CRD with the following label stash.appscode.com/backup-configuration=<BackupConfiguration crd name>
. We can use this label to watch only the BackupSession
of our desired BackupConfiguration
.
Verify Backup:
When backup session is completed, Stash will update the respective Repository
to reflect the latest state of backed up data.
Run the following command to check if a snapshot has been sent to the backend:
$ kubectl get repository -n demo postgres-sample-postgres-1 NAME INTEGRITY SIZE SNAPSHOT-COUNT LAST-SUCCESSFUL-BACKUP AGE postgres-sample-postgres-1 true 1.324 KiB 1 73s 6m7s
If we navigate to stash-backup/demo/postgres/sample-postgres-1
directory of our GCS bucket, we are going to see that the snapshot has been stored there.
Backup Second Sample PostgreSQL
Now, lets backup our second PostgreSQL sample using the same BackupBlueprint
we have used to backup the first PostgreSQL sample.
Add Annotations:
Add the auto backup specific annotation to AppBinding sample-postgres-2
.
$ kubectl annotate appbinding sample-postgres-2 -n demo --overwrite \ stash.appscode.com/backup-blueprint=postgres-backup-blueprint
Verify Repository:
Verify that the Repository
has been created successfully by the following command:
$ kubectl get repository -n demo NAME INTEGRITY SIZE SNAPSHOT-COUNT LAST-SUCCESSFUL-BACKUP AGE postgres-sample-postgres-1 true 1.324 KiB 1 2m3s 6m57s postgres-sample-postgres-2 15s
Here, repository postgres-sample-postgres-2
has been created for the second PostgreSQL sample.
If we view the YAML of this Repository
, we will see that the variables ${TARGET_NAMESPACE}
, ${TARGET_APP_RESOURCE}
and ${TARGET_NAME}
have been replaced by demo
, postgres
and sample-postgres-2
respectively.
$ kubectl get repository -n demo postgres-sample-postgres-2 -o yaml
apiVersion: stash.appscode.com/v1beta1 kind: Repository metadata: creationTimestamp: "2019-08-01T14:37:22Z" finalizers: - stash generation: 1 name: postgres-sample-postgres-2 namespace: demo resourceVersion: "56103" selfLink: /apis/stash.appscode.com/v1beta1/namespaces/demo/repositories/postgres-sample-postgres-2 uid: df58523c-b469-11e9-a6a0-080027aded7e spec: backend: gcs: bucket: appscode-qa prefix: stash-backup/demo/postgres/sample-postgres-2 storageSecretName: gcs-secret
Verify BackupConfiguration:
Verify that the BackupConfiguration
CRD has been created by the following command:
$ kubectl get backupconfiguration -n demo NAME TASK SCHEDULE PAUSED AGE postgres-sample-postgres-1 postgres-backup-11.2 */5 * * * * 7m52s postgres-sample-postgres-2 postgres-backup-10.6 */5 * * * * 70s
Again, notice the TASK
field. This time, ${TARGET_APP_VERSION}
has been replaced with 10.6
which is the database version of our second sample.
Wait for BackupSession:
Now, wait for the next backup schedule. Run the following command to watch BackupSession
CRD:
$ watch -n 1 kubectl get backupsession -n demo -l=stash.appscode.com/backup-configuration=postgres-sample-postgres-2 Every 1.0s: kubectl get backupsession -n demo -l=stash.appscode.com/backup-configuration=postgres-sample-postgres-2 workstation: Thu Aug 1 20:55:40 2019 NAME INVOKER-TYPE INVOKER-NAME PHASE AGE postgres-sample-postgres-2-1564671303 BackupConfiguration postgres-sample-postgres-2 Succeeded 37s
Verify Backup:
Run the following command to check if a snapshot has been sent to the backend:
$ kubectl get repository -n demo postgres-sample-postgres-2 NAME INTEGRITY SIZE SNAPSHOT-COUNT LAST-SUCCESSFUL-BACKUP AGE postgres-sample-postgres-2 true 1.324 KiB 1 52s 19m
If we navigate to stash-backup/demo/postgres/sample-postgres-2
directory of our GCS bucket, we are going to see that the snapshot has been stored there.
Cleanup
To cleanup the Kubernetes resources created by this tutorial, run:
kubectl delete -n demo pg/sample-postgres-1 kubectl delete -n demo pg/sample-postgres-2 kubectl delete -n demo repository/postgres-sample-postgres-1 kubectl delete -n demo repository/postgres-sample-postgres-2 kubectl delete -n demo backupblueprint/postgres-backup-blueprint
Final thoughts
You’ve now gotten a deep dive into setting up a Kubernetes-native disaster recovery and backup solution with Stash. You can find a lot of really helpful information on their documentation site here. I hope you gained some educational knowledge from this post and will stay tuned for future tutorials!