Configuring portal database backups

Configure scheduled database backups of your portal subsystem.

About this task

The developer portal by default takes database backups of itself every 24 hours and stores the last three days of backups in the portal subsystem PVCs (older backups are automatically deleted). These backups are called local backups because they are stored locally rather than on remote backup servers. For disaster recovery, you must configure the portal to create and store backups on a remote server.

Supported remote servers for backup storage are:

S3 object-store, for example:
- AWS S3.
- IBM Cloud Object Storage.
- Custom S3 storage.
Only password-based authentication is supported for S3, not authentication based on public certificates and private keys. Password-based authentication for S3 requires that you generate an access key and secret.
SFTP
Supported credentials types:
- Username and password.
- Username and SSH-key. Only OpenSSH keys are supported.¹

Important points:

Portal database backups can be restored in the same environment where they were taken, or in a different environment that has the same network configuration, endpoints, and deployment profile. You cannot restore a portal database backup in a different network environment, form factor, or deployment profile. If you want to move your API Connect deployment to a different form factor or change endpoints, see: Migrating from v10 to v10 on a different form factor.
Keep your portal's Infrastructure configuration backup up to date with any changes in your portals Kubernetes configuration. If a disaster occurs and you lose your portal subsystem configuration, then you cannot restore your portal database backup without first restoring the config backup.
Take management database backups at the same time as you take portal database backups. One backup per day is recommended.
The portal keeps a log of the last 30 days of remote backups that are taken, configured with the backupRecordDays property. Configure the retention policy on your remote backup server to match or exceed the backupRecordDays value.
To disable scheduled database backups, you must remove the entire databaseBackup section from the portal CR. Local backups continue to be taken in all cases.

Note: For OpenShift® users: The steps that are detailed in this topic use the Kubernetes kubectl command. On OpenShift, use the equivalent oc command in its place.

Procedure

Create your backup secret:

For SFTP backup destination, use:

Username and password credentials:

kubectl create secret generic portal-backup-secret --from-literal=username='<username>' 
--from-literal=password='<password>' -n <portal namespace>

Username and SSH-key credentials:

kubectl create secret generic portal-backup-secret --from-literal=username='<username>'
 --from-file=ssh-privatekey='<private key filepath>' -n <portal namespace>

For S3 backup destination, use:

kubectl create secret generic portal-backup-secret --from-literal=username='<S3 access key or username>' 
    --from-literal=password='<S3 access key secret or password>' -n <portal namespace>

Keep the backup secret in your Infrastructure configuration backup.

S3 storage only: If your S3 store has a custom CA certificate, then create a Kubernetes secret that contains this CA certificate, so that your portal subsystem trusts the S3 store.
1. Run the following command to create a Kubernetes secret from the certificate file:
```
kubectl -n <portal namespace> create secret generic portal-custom-server-ca --from-file=ca.crt=/path/to/cert.crt
```
  Note: Include the complete chain in your certificate file, for example:
```
intermediate-certificate-1
intermediate-certificate-2
. . .
intermediate-certificate-n
root-certificate
```
  The first certificate (intermediate-certificate-1) is the issuer of the object-store server certificate, and each subsequent certificate is the issuer of the preceding certificate. The root certificate must be self-signed.
  If the certificate includes no intermediate certificates, then the file contains only the root certificate.
2. Take a backup of the new secret.
```
kubectl -n <portal namespace> get secret portal-custom-server-ca -o yaml > portal_custom_s3_ca.yaml
```
  Keep the generated portal_custom_s3_ca.yaml file with your Infrastructure configuration backup.
Kubernetes and OpenShift individual subsystem CR users: Edit your PortalCluster CR:
```
kubectl -n <portal namespace> edit PortalCluster
```
Cloud Pak for Integration and OpenShift top-level CR users: Edit your APIConnectCluster CR:
```
oc -n <apic namespace> edit APIConnectCluster
```

Configure your backup settings in the portalBackup section of the spec object:

For S3 object-store backup destination, use:

spec:
  portalBackup:
    credentials: <portal backup secret>
    host: <host>/<region>
    path: <path>
    port: <port>
    protocol: objstore
    backupCerts: <custom CA certificate>
    backups3URIStyle: <path/host>
    schedule: '<cron schedule>'
    backupRecordDays: 30

For SFTP backup destination, use:

spec:
  portalBackup:
    credentials: <portal backup secret>
    host: <sftp server hostname>
    path: <directory path>
    port: <port>
    protocol: sftp
    schedule: '<cron schedule>'
    backupRecordDays: 30

Note: On Cloud Pak for Integration and OpenShift when using the top-level CR, add the databaseBackup section to the spec.portal section.

Set the properties as follows:

Table 1. Developer Portal backup settings
Setting	Description
`credentials`	The name of the secret you created in step 1.
`host`	The hostname or your remote backup storage target: S3 - `host`: is the S3 endpoint and region (if your S3 endpoint has a region) in the format `<S3endpoint>` or `<S3endpoint>/<S3region>`. SFTP - the hostname of the SFTP server
`path`	The location for the backups on your remote storage target: S3 - the name of your S3 bucket and path. Valid examples: `bucket bucket/path bucket/lots/of/paths` SFTP - the full absolute path of the folder on the SFTP server, beginning with `/`.
`port`	The port on the remote storage target. Defaults are: S3 - 443. SFTP - 22.
`protocol`	The backup type. Specify one of the following values: `sftp` - For backups to a remote SFTP server. `objstore` - For backups to a remote S3 object-store. `local` - To store backups locally, in the portal subsystem's PVCs. Note: If a disaster occurs your portal PVCs might be lost or corrupted, so it is recommended to use one of the remote backup server options.
`backupCerts`	S3 storage only: The secret that contains your S3 store's CA certificate, that you create in step: 2.
`backups3URIStyle`	S3 storage only: `backups3URIStyle` indicates whether URIs to your S3 backup should specify a host or a path value. Default is `host`. Valid values: `host` and `path`. Some custom S3 providers require URI style to be set to `path`. For example, MinIO supports both `host` and `path` style setup. You can create a MinIO S3 server to accept only `path` style client communications. Important: Contact your custom S3 administrator before you configure this field. If not properly configured, an upstream custom S3 object-store can reject connections.
`schedule`	The schedule for how often automatic Developer Portal backups are run. The format for the schedule is any valid cron string. The time zone for backups is Coordinated Universal Time. Valid for all backup types: S3, SFTP, and local. `spec: portalBackup: ... schedule: '0 2 * * *'` If the schedule property is omitted, the default schedule of one backup per day is implemented.
`backupRecordDays`	The `backupRecordDays` setting denotes the number of days that backup records (backups that exist on the remote backup server) are shown when you list your remote backups. It is defaulted to 30 days.

Update the PortalCluster CR backup in your Infrastructure configuration backup.
If you are using Cloud Pak for Integration or OpenShift with the top-level CR, also update your APIConnectCluster CR backup.

What to do next

Run an on-demand backup to confirm that your backup configuration is correct, see Running an on-demand backup of the portal database.

¹ PuTTY style keys can be converted to OpenSSH by using the PuTTY Key Generator (PuTTYgen) application; see https://www.puttygen.com/.