yk8s.k8s-service-layer.etcd-backup
Automated etcd backups can be configured in this section. When enabled it periodically creates snapshots of etcd database and store it in a object storage using s3. It uses the helm chart etcdbackup present in yaook operator helm chart repository. The object storage retains data for 30 days then deletes it.
The usage of it is disabled by default but can be enabled (and
configured) in the following section. The credentials are stored in
Vault. By default, they are searched for in the cluster’s kv storage (at
yaook/$clustername/kv
) under etcdbackup
. They must be in the
form of a JSON object/dict with the keys access_key
and
secret_key
.
Note
To enable etcd-backup,
k8s-service-layer.etcd-backup.enabled
needs to be set to
true
.
The following values need to be set:
Variable |
Description |
---|---|
|
Identifier for your S3 endpoint |
|
Credential for your S3 endpoint |
|
URL of your S3 endpoint |
|
Certificate bundle of the endpoint. |
etcd-backup configuration template
---
access_key: REPLACEME
secret_key: REPLACEME
endpoint_url: REPLACEME
endpoint_cacrt: |
-----BEGIN CERTIFICATE-----
REPLACEME
-----END CERTIFICATE-----
...
Generate/Figure out etcd-backup configuration values
# Generate access and secret key on OpenStack
openstack ec2 credentials create
# Get certificate bundle of url
openssl s_client -connect ENDPOINT_URL:PORT showcerts 2>&1 < /dev/null | sed -n '/-----BEGIN/,/-----END/p'
yk8s.k8s-service-layer.etcd-backup.bucket_name
Name of the s3 bucket to store the backups.
Type::
non-empty string
Default::
"etcd-backup"
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix
yk8s.k8s-service-layer.etcd-backup.chart_version
etcdbackup chart version to install. If this is not specified, the latest version is installed.
Type::
string
Default::
""
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix
yk8s.k8s-service-layer.etcd-backup.days_of_retention
Number of days after which individual items in the bucket are dropped. Enforced by S3 lifecyle rules which are also implemented by Ceph’s RGW.
Type::
signed integer
Default::
30
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix
yk8s.k8s-service-layer.etcd-backup.enabled
Whether to enable etcd-backups.
Type::
boolean
Default::
false
Example::
true
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix
yk8s.k8s-service-layer.etcd-backup.file_prefix
Name of the folder to keep the backup files.
Type::
string
Default::
"etcd-backup"
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix
yk8s.k8s-service-layer.etcd-backup.helm_repo_url
Type::
non-empty string
Default::
"https://charts.yaook.cloud/operator/stable/"
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix
yk8s.k8s-service-layer.etcd-backup.metrics_port
Metrics port on which the backup-shifter Pod will provide metrics. Please note that the etcd-backup deployment runs in host network mode for easier access to the etcd cluster.
Type::
16 bit unsigned integer; between 0 and 65535 (both inclusive)
Default::
19100
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix
yk8s.k8s-service-layer.etcd-backup.name
Type::
non-empty string
Default::
"etcd-backup"
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix
yk8s.k8s-service-layer.etcd-backup.namespace
Type::
non-empty string
Default::
"kube-system"
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix
yk8s.k8s-service-layer.etcd-backup.schedule
Configure value for the cron job schedule for etcd backups.
Type::
non-empty string
Default::
"21 */12 * * *"
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix
yk8s.k8s-service-layer.etcd-backup.secret_name
Type::
non-empty string
Default::
"etcd-backup-s3-credentials"
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix
yk8s.k8s-service-layer.etcd-backup.vault_mount_point
Configure the location of the Vault kv2 storage where the credentials can be found. This location is the default location used by import.sh and is recommended.
Type::
non-empty string
Default::
"yaook/\${config.yk8s.vault.cluster_name}/kv"
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix
yk8s.k8s-service-layer.etcd-backup.vault_path
Configure the kv2 key under which the credentials are found inside Vault. This location is the default location used by import.sh and is recommended.
The role expects a JSON object with access_key and secret_key keys, containing the corresponding S3 credentials.
Type::
non-empty string
Default::
"etcdbackup"
Declared by https://gitlab.com/yaook/k8s/-/tree/devel/nix/yk8s/k8s-supplements/etcd-backup.nix