Installing Cloud Pak for Data OADP backup and restore utility components

This information shows you how to install cpdbr-velero-plugin and OpenShift® APIs for Data Protection (OADP).

Before you begin

The OpenShift command-line interface (oc CLI) must be installed on the client workstation.

An S3-compatible object storage that uses Signature Version 4 is needed to store Kubernetes resource definitions and Restic backups. A bucket must be created in object storage. The Cloud Pak for Data OADP backup and restore utility supports the following S3-compatible object storage:

  • AWS S3
  • IBM® Cloud Object Storage
  • MinIO
  • Ceph® Object Gateway
Note: NetApp ONTAP S3 is not supported.

If your cluster is in a restricted network, make the OADP backup and restore utility images available inside the cluster network.

About this task

The Cloud Pak for Data OADP backup and restore utility uses the following components:
OADP, Velero, and its default plug-ins
OADP, Velero, and the default openshift-velero-plugin are open source projects that are used to back up Kubernetes resources and data volumes on Red Hat OpenShift.
Custom Velero plug-in cpdbr-velero-plugin
The custom cpdbr-velero-plugin implements more Velero backup and restore actions for OpenShift-specific resource handling.
cpd-cli oadp command-line interface
This CLI is part of the cpd-cli utility.

cpd-cli oadp is used for backup and restore operations by calling Velero client APIs, similar to the velero CLI. In addition, cpd-cli oadp invokes backup and restore hooks, pre-actions and post-actions, and manages dependencies and prioritization across the Cloud Pak for Data services to ensure the correctness of sophisticated, stateful apps.

Supported cluster hardware
cpdbr-velero-plugin and OADP 1.0 and higher are supported on:
  • x86-64 hardware
  • ppc64le hardware
Supported versions of OADP
The version of OADP that you need depends on:
  • The version of Red Hat OpenShift Container Platform that you are running
  • The type of backup that you plan to perform
OpenShift version Ceph Container Storage Interface (CSI) snapshots Restic backups
Version 4.8

4.6.0 - 4.6.2 only

  • OADP Version 1.0.x
  • OADP Version 1.1.x (recommended)
  • OADP Version 1.0.x
  • OADP Version 1.1.x (recommended)
Version 4.10

4.6.x

OADP Version 1.1.x
  • OADP Version 1.0.x
  • OADP Version 1.1.x (recommended)
Version 4.12

4.6.4 or later

OADP Version 1.1.x
  • OADP Version 1.0.x
  • OADP Version 1.1.x (recommended)

When OADP is installed, the default project (namespace) is openshift-adp. Examples in this task use oadp-operator as the OADP project.

Procedure

  1. Create the oadp-operator project.
  2. Annotate the oadp-operator project so that Restic pods can be scheduled on all nodes.
    oc annotate namespace oadp-operator openshift.io/node-selector=""
  3. Install the Red Hat OADP operator.
    1. In the OpenShift Container Platform web console, click Operators > OperatorHub.
    2. Use the Filter by keyword field to find the OADP Operator.
    3. Select the OADP Operator and click Install.
    4. Under Installed Namespace, select Select a Namespace, and choose oadp-operator.
    5. Verify the installation by clicking Operators > Installed Operators.
  4. Create a secret in the oadp-operator project with the credentials of the S3-compatible object store that you are using to store the backups.

    Credentials must use alphanumeric characters and cannot contain special characters like the number sign (#).

    1. Create a file credentials-velero that contains the credentials for the object store.
      For example:
      vi credentials-velero
      [default]
      aws_access_key_id = minio
      aws_secret_access_key = minio123
    2. Create the secret:

      The name of the secret must be cloud-credentials.

      oc create secret generic cloud-credentials \
      --namespace oadp-operator \
      --from-file cloud=./credentials-velero
  5. In the OpenShift web console, create an instance of the DataProtectionApplication (Velero) custom resource.

    You can create the Velero instance by selecting configurations in the web console or by using a YAML file. This step shows an example of a custom resource for a DataProtectionApplication (Velero) instance. To use this YAML file, replace the following variables with the appropriate values for your environment.

    <cpdbr-velero-plugin_image_location>
    The custom Velero plug-in cpdbr-velero-plugin image location.

    If the cluster has access to the IBM Entitled Registry, specify one of the following values:

    • x86-64 systems: icr.io/cpopen/cpd/cpdbr-velero-plugin:4.0.0-beta1-1-x86_64
    • ppc64le systems: icr.io/cpopen/cpd/cpdbr-velero-plugin:4.0.0-beta1-1-ppc64le

    If the cluster is in a restricted network and images are stored in a private container registry, specify one of the following values:

    • x86-64 systems: ${PRIVATE_REGISTRY_LOCATION}/cpd/cpdbr-velero-plugin:4.0.0-beta1-1-x86_64
    • ppc64le systems: ${PRIVATE_REGISTRY_LOCATION}/cpd/cpdbr-velero-plugin:4.0.0-beta1-1-ppc64le
    <velero_pod_cpu_limit>
    The CPU limit for the Velero pod. A value of 0 indicates unbounded.
    <restic_pod_cpu_limit>
    The CPU limit for the Restic pod. A value of 0 indicates unbounded.
    <s3_url>
    The URL of the object store that you are using to store backups.

    Omit any default ports from the variable (:80 for http, :443 for https).

    If the object store is Amazon S3, you do not need to set this variable.

    If the object store is IBM Cloud Object Storage on public cloud, an example s3url is

    https://s3.us-south.cloud-object-storage.appdomain.cloud

    where us-south is the region. You can find the public endpoint under Bucket > Configuration > Endpoints.

    For more information about IBM Cloud Object Storage connection details, see IBM Cloud Object Storage connection.

    If the object store is MinIO, you can get the s3url by running oc get route -n <minio namespace>.

    <bucket_name>
    The object storage bucket name.
    <bucket_prefix>
    The bucket prefix. Backup files are stored under bucket/prefix.
    Note: If you previously created backups with the OADP 0.2.6 Community Operator, these backups might no longer be visible. The bucket prefix is optional with OADP 0.2.6, so backups are stored in a different path.

    You might also need to change the following values.

    • If only Restic backups are needed, under spec.configuration.velero.defaultPlugins, remove csi.
    • spec.configuration.restic.timeout specifies the Restic timeout. The default is 1 hour. You might need to increase the Restic timeout if Restic backup or restore fails, indicated by pod volume timeout errors in the Velero log.
    • spec.configuration.restic.memory specifies the Restic memory limit. You might need to increase the Restic memory limit if Restic volume backups fail or hang on a large volume, indicated by Restic pod containers restarting due to an OOMKilled Kubernetes error.
    • If the object store is Amazon S3, you can omit s3ForcePathStyle.
    • For object stores with a self-signed certificate, add backupLocations.velero.objectStorage.caCert and specify the base64 encoded certificate string as the value. For more information, see Use Self-Signed Certificate.
    apiVersion: oadp.openshift.io/v1alpha1
    kind: DataProtectionApplication
    metadata:
      name: dpa-sample
    spec:
      configuration:
        velero:
          customPlugins:
          - image: <cpdbr-velero-plugin_image_location>
            name: cpdbr-velero-plugin
          defaultPlugins:
          - aws
          - openshift
          - csi
          podConfig:
            resourceAllocations:
              limits:
                cpu: "<velero_pod_cpu_limit>"
                memory: 1Gi
              requests:
                cpu: 500m
                memory: 256Mi
        restic:
          enable: true
          timeout: 12h
          podConfig:
            resourceAllocations:
              limits:
                cpu: "<restic_pod_cpu_limit>"
                memory: 8Gi
              requests:
                cpu: 500m
                memory: 256Mi
            tolerations:
            - key: icp4data
              operator: Exists
              effect: NoSchedule
      backupImages: false
      backupLocations:
        - velero:
            provider: aws
            default: true
            objectStorage:
              bucket: <bucket_name>
              prefix: <bucket_prefix>
            config:
              region: minio
              s3ForcePathStyle: "true"
              s3Url: <s3_url>
            credential:
              name: cloud-credentials
              key: cloud
  6. Check that the velero pods are running in the oadp-operator project.
    oc get po -n oadp-operator

    The Restic daemonset creates one Restic pod for each worker node. For example,

    NAME                                                READY   STATUS    RESTARTS   AGE
    openshift-adp-controller-manager-678f6998bf-fnv8p   2/2     Running   0          55m
    restic-f846j                                        1/1     Running   0          49m
    restic-fk6vl                                        1/1     Running   0          49m
    restic-mdcnp                                        1/1     Running   0          49m
    velero-7d847d5bb7-zm6vd                             1/1     Running   0          49m