Taking a management infrastructure configuration backup

How to backup your management subsystem deployment configuration.

About this task

Your infrastructure configuration backup includes everything that you configure for API Connect in your deployment environment, such as:
  • Subsystem YAML files (and top-level CR YAML file if used).
  • Custom certificates.
  • Encryption secrets.
  • Backup secrets.

The infrastructure configuration backup is also referred to as the config backup.

If you have a disaster, your config backup is essential for restoring your API Connect subsystems.

Note: For OpenShift® users: The steps that are detailed in this topic use the Kubernetes kubectl command. On OpenShift, use the equivalent oc command in its place.

Procedure

  1. Export the management CR to a file called mgmt_cr_backup.yaml: 
    kubectl -n <management namespace> get ManagementCluster -o yaml > mgmt_cr_backup.yaml
  2. Export the management database encryption secret to a file called management_enc_key_backup.yaml:
    1. Get the name of the encryption secret:
      kubectl -n <management namespace> get mgmt -o yaml | grep encryption
    2. Take note of the encryptionSecret name returned:
      encryptionSecret: <management enc key>
    3. Backup the encryption secret to a YAML file:
      kubectl -n <management namespace> get secret <management enc key> -o yaml > management_enc_key_backup.yaml
  3. Export your management database backup secret: 
    kubectl -n <management namespace> get secret <mgmt backup secret> -o yaml > mgmt-backup-secret_backup.yaml

    The backup secret is created when you configure database backups: Create backup secret. If database backups are not yet configured, ensure that this secret is backed up when it is configured.

  4. If you created a secret for your S3 store's CA certificate, take a backup of this secret: 
    kubectl -n <management namespace> get secret <mgmt custom server ca> -o yaml > mgmt-custom-server-ca_backup.yaml
    The S3 CA secret is created when you configure database backups: Create S3 CA secret. If database backups are not yet configured, ensure that this secret is backed up when it is configured.
  5. Export the management client application credential secrets to YAML files:
    1. Get the names of the credential secrets:
      kubectl -n <management namespace> get mgmt -o yaml | grep CredentialSecret
      Expected output is:
      atmCredentialSecret: management-atm-cred
consumerToolkitCredentialSecret: management-ccli-cred
consumerUICredentialSecret: management-cui-cred
designerCredentialSecret: management-dsgr-cred
discoveryCredentialSecret: management-discovery-cred
governanceCredentialSecret: management-governance-cred
juhuCredentialSecret: management-juhu-cred
toolkitCredentialSecret: management-cli-cred
uiCredentialSecret: management-ui-cred
    2. Backup each credential secret to a YAML file:
      kubectl -n <management namespace> get secret <secret name> -o yaml > <secret name>_backup.yaml
      For example, to backup the ATM credential secret:
      kubectl -n <management namespace> get secret management-atm-cred -o yaml > management-atm-cred_backup.yaml
    3. Edit each credential secret YAML file and remove both the ownerReferences subsection and the selfLink property.
      Example of the ownerReferences and selfLink properties to be removed:
      ownerReferences:
  - apiVersion: management.apiconnect.ibm.com/v1beta1
    blockOwnerDeletion: true
    controller: true
    kind: ManagementCluster
    name: management
    uid: 623e6b20-7eb8-46ce-94ac-6b64cd71afc4
  selfLink: /api/v1/namespaces/default/secrets/management-atm-cred
  6. Export any other certificates that you customized. For example, if you customized the apiManagerEndpoint certificate, save the certificate by copying the corresponding secret to a YAML file: 
    kubectl -n <management namespace> get secret apim-endpoint -o yaml > apim-endpoint_secret_backup.yaml