Preparing the target cluster to test restoring Cloud Pak for Data with IBM Storage Fusion

To test restoring Cloud Pak for Data to a different cluster, you must first prepare the target cluster.

Before you begin

The target cluster must meet the following requirements.

  1. For environments that use a private container registry, such as air-gapped environments, ensure that the target cluster has the same image content source policy as the source cluster. For more information about configuring the image content source policy, see Configuring an image content source policy.
  2. Ensure that the target cluster is able to pull software images. For more information, see Updating the global image pull secret.

About this task

In a test scenario, the target cluster is passive, and data protection is not active on the cluster. Data protection is active only on the source cluster, which is the active cluster. When you prepare the target cluster, you point the IBM Spectrum® Protect Plus Backup as a Service (BaaS) agent in the target cluster to the IBM Spectrum Protect Plus server on the source cluster.

Procedure

  1. Install IBM® Storage Fusion 2.5.2, which includes IBM Spectrum Protect Plus. For information about installing IBM Storage Fusion, see Deploying IBM Storage Fusion.
  2. Check that the backup and restore recipe fusion-cr-backup exists for the IBM Storage Fusion project (namespace) .
    1. Set the PROJECT_FUSION environment variable to the IBM Storage Fusion project name.
      export PROJECT_FUSION=<fusion-namespace>
    2. To check whether the fusion-cr-backup recipe exists, run the following command:
      oc get frcpe -A

      If the recipe exists, the command returns output like the following example, where the IBM Storage Fusion project name is ibm-spectrum-fusion-ns:

      NAMESPACE                NAME               AGE
      ibm-spectrum-fusion-ns   fusion-cr-backup   46h
    3. If the recipe does not exist, restart the spp-dp-controller-manager pod within the IBM Storage Fusion project.

      For example:

      oc delete pod -n ${PROJECT_FUSION} spp-dp-controller-manager-66ccbd968d-7bg7j

      The recipe is automatically created when the spp-dp-controller-manager pod restarts.

      To check that the spp-dp-controller-manager pod restarted, run the oc get pod command:
      oc get pod -n ${PROJECT_FUSION}

      Then rerun oc get frcpe -A again to verify that the fusion-cr-backup recipe now exists.

  3. Install the Cloud Pak for Data command line interface, which includes the Cloud Pak for Data OADP backup and restore utility.
  4. Install cpdbr services.

    This step creates the permissions and role bindings that are needed for the restore operation to succeed. The cpdbr service, deployment, and pod are not installed.

    Note: Run the cpdbr installation commands in the IBM Cloud Pak for Data control plane project and in the Cloud Pak for Data operators project even though those projects do not yet exist in the target cluster. Do not manually create these projects on the target cluster. These projects are created during the restore process.

    The following message appears when the installation commands have completed.

    spp cpdbr roles and bindings installed
  5. Create the same storage classes that were used in the source cluster.
    Remember: Cloud Pak for Data must be deployed on either Red Hat OpenShift Data Foundation or IBM Storage Scale storage.
    1. Confirm the storage classes.
      For example,
      oc get sc ibm-spectrum-scale-sc
    2. Check whether the output has the same name and provisioner in both places.
      For example,
      NAME                              PROVISIONER                 RECLAIMPOLICY   VOLUMEBINDINGMODE   ALLOWVOLUMEEXPANSION   AGE
      ibm-spectrum-scale-sc (default)   spectrumscale.csi.ibm.com   Delete          Immediate           true                   40d
  6. Modify the BaaS agent to point to the IBM Spectrum Protect Plus server on the source cluster.
    1. In the BaaS project, edit the ibmsppcs custom resource:
      oc edit ibmsppc -n baas ibmsppc-entitled-registry
    2. Update the following variables:
      • is_server_installed_on_another_cluster: true
      • spp_fqdn: <SPP_server_route_on_source_cluster>

        Find the server route by running the command oc get route -n ibm-spectrum-protect-plus-ns.

      • spp_ips: <SPP_server_route_on_source_cluster>
      • spp_port: 443

      For more information about the BaaS custom resource values, see Setting up configuration parameters in the baas-values-cr.yaml file.

    3. Replace the baasadmin and baaspassword values in the baas-secret secret with the corresponding values from the source cluster.
      1. On the source cluster, run the following command:
        oc get secret -n baas baas-secret -o yaml
      2. On the target cluster, edit the baas-secret and modify the baasadmin and baaspassword values to match the source cluster:
        oc edit secret -n baas baas-secret

        For more information about updating baas-secret, see Updating your credentials after installation on Red Hat OpenShift.

    4. On the target cluster, delete the existing IBM Spectrum Protect Plus server certificate secret baas-spp-server-cert:
      oc delete secret -n baas baas-spp-server-cert
    5. Create a new baas-spp-server-cert secret.
      1. On the source cluster, get the base64 value of the certificate for the IBM Spectrum Protect Plus route:
        openssl x509 -in <(openssl s_client -connect <spp_fqdn>:443 -prexit 2>/dev/null) | base64 --wrap=0
      2. Create the baas-spp-server-cert yaml file with the following configuration:
        apiVersion: v1
        kind: Secret
        metadata:
          name: baas-spp-server-cert
          namespace: baas
        type: Opaque
        data:
          tls.crt: <base64-encoded certificate>
      3. Create the certificate on the target cluster by applying the yaml:
        oc apply -f <baas-spp-server-cert yaml file>

      For more information, see Importing the IBM Spectrum Protect Plus certificate.

    6. On the target cluster, get the details that are needed to register the target cluster BaaS agent by running the following commands.
      1. Host address:
        oc get route -n baas baas-spp-agent-route
      2. User ID and password:
        oc extract secret/baas-secret --keys=datamoveruser,datamoverpassword --to=- -n baas
      3. CA certificate for the BaaS agent, using the host address:
        openssl x509 -in <(openssl s_client -connect <host_address>:443 -prexit 2>/dev/null)
    7. In IBM Spectrum Protect Plus on the source cluster, register the target BaaS agent to the server.
      1. Go to Manage Protection > Containers > OpenShift.
      2. Select Manage cluster and then click Add cluster.
      3. Add the Host address, User ID, and password from the previous step.
      4. For certificate, select Copy and paste, provide a name for the certificate, and paste the certificate from the previous step.
      5. Click Create to create the certificate.

        The certificate is now available to use.

      6. Select Use existing certificate and select the certificate that you just created.
      7. Leave additional options as default.
      8. Register the BaaS agent by clicking Save.
      9. For the new managed cluster, validate that the BaaS agent was successfully registered by running the Test and Inventory actions.