Backing up and restoring IBM Cloud Pak for Integration

You can backup and restore some parts of your Cloud Pak for Integration installation by using Red Hat OpenShift API for Data Protection (OADP). OADP is a tool, based on the Velero project, for backing up and restoring Kubernetes cluster resources and persistent volumes, which you might want to do as part of disaster recovery preparation.

The backup process saves a copy of the configuration (and some of the data) for some of the instances in Cloud Pak for Integration. Currently, the instance types that you can back up by using OADP are as follows:

Operator	Instance type
Cloud Pak for Integration	Platform UI API API Product Assembly Messaging server Messaging queue Messaging channel Messaging user Policy Policy binding
IBM Automation Foundation assets	Automation assets
IBM API Connect	API Connect cluster API Manager API Analytics API Gateway API Portal
IBM App Connect	Configuration Integration dashboard Integration design Integration runtime Integration server Switch server
IBM MQ	Queue manager
IBM DataPower Gateway	Enterprise gateways
IBM Event Streams	Kafka cluster Kafka connect Kafka topic Kafka user Kafka bridge Kafka connector Kafka rebalance
IBM Event Endpoint Management	Event Gateway
IBM Cloud Pak foundational services	Keycloak

For instance types that are not yet supported by OADP, you can recover data by using automation techniques. For more information about automation techniques and disaster recovery strategies, see Disaster recovery.

When you use OADP, you can specify which namespaces are backed up, and back up multiple namespaces at the same time. You can also specify which resources within a namespace are backed up, by using labels. You can restore a backup into the same OpenShift cluster (in-place recovery) or into a new OpenShift cluster.

Important: There are some limitations on what OADP can achieve:

Transient data (such as in-flight events and messages, and MQ configurations that are not specified declaratively) is not backed up.
IBM API Connect supports OADP backup, beginning with v. 10.0.8.1. OADP is not supported in earlier versions of API Connect.

Before you begin

You must be a OpenShift cluster administrator to create or restore a backup. For more information, see OpenShift roles and permissions.
Set up secure storage to contain the backups. For a list of storage types that OADP supports, see About installing OADP in the Red Hat OpenShift documentation.
OADP is not installed by default in an OpenShift Container Platform installation. If your OpenShift cluster does not already contain the OADP operator, install it by following the instructions in Installing the OADP Operator in the OpenShift Container Platform documentation (select the latest stable-1.x update channel and accept the default namespace, which is openshift-adp).
If you intend to restore the files that are backed up in one OpenShift cluster (the backup cluster) into another OpenShift cluster (the restore cluster), do the following:
- If your system includes instances that are managed by the IBM App Connect or IBM API Connect operators, ensure that the restore cluster has the same hostname as the backup cluster.
- Ensure that the restore cluster has the same storage classes (with the same names that are used by the instances that you back up) as the backup cluster. Also ensure that the restore cluster has access to the storage location that contains the backups.
- Install the OADP operator on the restore cluster and configure OADP in the same way that you did when you installed it on the backup cluster.
- If you are using a certificate manager on the backup cluster, install a certificate manager on the restore cluster, as well.
Create a storage bucket and generate credentials in your object storage location. For example, on IBM Cloud you will need to create a service ID with the Include HMAC Credential option selected.
Because of the space required, local backups of the API Analytics subsystem are not enabled by default. For this reason, you need to enable backups of this data (also know as analytics database or a7s) to ensure it can be backed up and restored by OADP. Use one of the following methods:
- Configure local backup.
- Configure external storage, such as S3.
- Offload the data to another location. For a procedure on how to configure backups of the data, see Configuring analytics database backups in the API Connect documentation.

Configuring OADP

To configure OADP, you need to create a Secret and a DataProtectionApplication Kubernetes resource.

For more detailed information and examples, follow the instructions in the "Installing and configuring OADP" section of the OpenShift Container Platform documentation that are appropriate for your s3 storage type. For example, to configure OADP with AWS or IBM Cloud, follow the instructions in Configuring the OpenShift API for Data Protection with AWS S3 compatible storage.

Create a credentials-velero file. The following example is for AWS and IBM Cloud. Your file will differ if you are using a different s3 storage type:
```
cat << EOF > ./credentials-velero
[default]
aws_access_key_id=<ACCESS_KEY_ID>
aws_secret_access_key=<SECRET_ACCESS_KEY>
EOF
```

Use your credentials-velero file to create a Secret object with the default name of cloud-credentials:

oc create secret generic cloud-credentials -n openshift-adp --from-file cloud=credentials-velero

Copy the following YAML to create a draft copy for modification:

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: oadp-application
  namespace: openshift-adp
spec:
  backupLocations:
    - velero:
        config:
          insecureSkipTLSVerify: 'true'
          region: <region>
          s3ForcePathStyle: 'true'
          s3Url: <s3Url>
        credential:
          key: cloud
          name: cloud-credentials
        default: true
        objectStorage:
          bucket: <bucketName>
          prefix: integration
        provider: aws
  configuration:
    nodeAgent:
      enable: true
      uploaderType: restic
    velero:
      customPlugins:
            - image: cp.icr.io/cp/appc/acecc-velero-plugin-prod:12.0.12-r23-20260415-112230@sha256:28aff41893ac25710bf9d97d4a89c3a8819fef3f3354fa472d99694bc34a58c9
              name: app-connect
            - image: cp.icr.io/cp/icp4i/ar-velero-plugin:2.0.4-2026-04-14-1204-66a929f3@sha256:db9e8338acb50e12280fb65bfd2fdac06b08291c268cff7e73b592b16a04e906
              name: integration
            - image: cp.icr.io/cp/apic/ibm-apiconnect-apiconnect-velero-plugin:10.0.8.8@sha256:7515737c436a1d74869ae2e06dab5dd70ed6325994096072b9c3a197462f2206
              name: apiconnect
      defaultPlugins:
        - openshift
        - aws
      logLevel: debug

Replace the following values in the YAML:
- <s3-url>: the URL of your s3 storage. For example, https://s3.us-south.cloud-object-storage.appdomain.cloud
- <bucket-name>: the name of the bucket you want to backup to in your s3 storage
- <region>: the region where your s3 storage bucket is located. For example, us-south.
Use your updated YAML to create the DataProtectionApplication Kubernetes resource in your OpenShift cluster. When the DataProtectionApplication Kubernetes resource is ready, the status of the BackupStorageLocation Kubernetes resource in the BackupStorageLocations tab of the OADP operator is also ready. You can also view the status by running the following command:
```
oc get BackupStorageLocations -n openshift-adp
```

Creating a backup

Label the instances to back up

The backup process backs up any resource that has an appropriate backup label. You must therefore ensure that every resource that you want to backup has such a label.

The following steps show how to add labels to the instances in Cloud Pak for Integration by using the Red Hat OpenShift CLI. If you want to do more advanced actions such as adding your own labels or labeling only some instances, see the More information about labels section later in this topic.

Attention: After you apply labels to the API Connect cluster instances, the API Portal and API Analytics subsystems will be unavailable for a few minutes while the pods restart. After you apply the labels, and before you proceed, verify that all API Connect cluster instances are "Ready" before creating a backup resource.

The following procedure uses the CLI to add labels.

(Prerequisite step) Ensure that you have the Red Hat OpenShift command-line interface (CLI) installed. For more information, see Getting started with the OpenShift CLI.
Log in to your OpenShift Container Platform system as an OpenShift cluster administrator by running the oc login command.
If you installed Cloud Pak for Integration into a single namespace, run the following command to make that namespace the default namespace. If you installed Cloud Pak for Integration into all namespaces, you can skip this step; later commands will run against all namespaces.
```
oc project <cloud-pak-for-integration-namespace>
```
For <cloud-pak-for-integration-namespace>, enter the namespace into which you installed the operators.

Add labels to the operators. For more information about oc label command usage, see oc label in the Red Hat OpenShift documentation.

Add labels to the catalog sources, which make the operators available for you to install:

oc label catalogsource ibm-integration-platform-navigator-catalog backup.integration.ibm.com/component=catalogsource -n openshift-marketplace
oc label catalogsource ibm-integration-asset-repository-catalog backup.integration.ibm.com/component=catalogsource -n openshift-marketplace
oc label catalogsource appconnect-operator-catalogsource backup.appconnect.ibm.com/component=catalogsource -n openshift-marketplace
oc label catalogsource ibm-datapower-operator-catalog backup.datapower.ibm.com/component=catalogsource -n openshift-marketplace
oc label catalogsource ibm-eventstreams backup.eventstreams.ibm.com/component=catalogsource -n openshift-marketplace
oc label catalogsource opencloud-operators backup.integration.ibm.com/component=catalogsource -n openshift-marketplace
oc label catalogsource ibm-apiconnect-catalog backup.apiconnect.ibm.com/component=catalogsource -n openshift-marketplace
oc label catalogsource ibmmq-operator-catalogsource backup.mq.ibm.com/component=catalogsource -n openshift-marketplace
oc label catalogsource ibm-eventendpointmanagement-catalog backup.events.ibm.com/component=catalogsource -n openshift-marketplace

The catalog source names in this example list are the default names when the catalog sources are created by using the oc ibm-pak tool. If you create your catalog sources by using a different method (such as installation by using the CLI or a CICD pipeline), you may need to enter different catalog source names.

Add labels to the operator subscriptions that are part of Cloud Pak for Integration, with the following exceptions:

Do not add labels for operators that were installed automatically, such as EDB. (You only need to add labels for operators that you installed.)
Do not add labels for the IBM DataPower Gateway operator if it was installed as a dependency of the IBM API Connect operator. If you do back up the subscription, the operator will not be installed when it is restored.

oc label subscription ibm-integration-platform-navigator backup.integration.ibm.com/component=subscription
oc label subscription ibm-integration-asset-repository backup.integration.ibm.com/component=subscription
oc label subscription ibm-appconnect backup.appconnect.ibm.com/component=subscription
oc label subscription datapower-operator backup.datapower.ibm.com/component=subscription
oc label subscription ibm-eventstreams backup.eventstreams.ibm.com/component=subscription
oc label subscription ibm-common-service-operator backup.integration.ibm.com/component=subscription
oc label subscription ibm-apiconnect backup.apiconnect.ibm.com/component=subscription
oc label subscription ibm-mq backup.mq.ibm.com/component=subscription
oc label subscription ibm-eventendpointmanagement backup.events.ibm.com/component=subscription

The subscription names in this example list are the default names when the operator is installed using the OpenShift web console. If you create your subscriptions using a different method (such as installation by using the CLI or a CICD pipeline), you may need to enter different subscription names.

Add labels to the operator groups. This step is required only if you installed the operators in A specific namespace on the cluster mode. If you installed the operators in All namespaces on the cluster mode, you do not need to backup the operator groups.

oc label operatorgroup --all backup.integration.ibm.com/component=operatorgroup
oc label operatorgroup --all backup.appconnect.ibm.com/component=operatorgroup
oc label operatorgroup --all backup.eventstreams.ibm.com/component=operatorgroup
oc label operatorgroup --all backup.datapower.ibm.com/component=operatorgroup
oc label operatorgroup --all backup.apiconnect.ibm.com/component=operatorgroup
oc label operatorgroup --all backup.mq.ibm.com/component=operatorgroup
oc label operatorgroup --all backup.events.ibm.com/component=operatorgroup

Add labels to all the Cloud Pak for Integration instances on the OpenShift cluster that support OADP backup and restore:

oc label platformnavigator --all --all-namespaces backup.integration.ibm.com/component=platformnavigator  
oc label integrationassembly --all --all-namespaces backup.integration.ibm.com/component=integrationassembly
oc label messagingserver --all --all-namespaces backup.integration.ibm.com/component=messagingserver
oc label messagingqueue --all --all-namespaces backup.integration.ibm.com/component=messagingqueue
oc label messagingchannel --all --all-namespaces backup.integration.ibm.com/component=messagingchannel
oc label messaginguser --all --all-namespaces backup.integration.ibm.com/component=messaginguser
oc label validatingadmissionpolicy --all --all-namespaces backup.integration.ibm.com/component=validatingadmissionpolicy
oc label validatingadmissionpolicybinding --all --all-namespaces backup.integration.ibm.com/component=validatingadmissionpolicybinding
oc label assetrepository --all --all-namespaces backup.integration.ibm.com/component=assetrepository
oc label configuration --all --all-namespaces backup.appconnect.ibm.com/component=configuration
oc label api --all --all-namespaces backup.apiconnect.ibm.com/component=api
oc label product --all --all-namespaces backup.apiconnect.ibm.com/component=product
oc label dashboard --all --all-namespaces backup.appconnect.ibm.com/component=dashboard
oc label designerauthoring --all --all-namespaces backup.appconnect.ibm.com/component=designerauthoring
oc label integrationruntime --all --all-namespaces backup.appconnect.ibm.com/component=integrationruntime
oc label integrationserver --all --all-namespaces backup.appconnect.ibm.com/component=integrationserver
oc label switchserver --all --all-namespaces backup.appconnect.ibm.com/component=switchserver
oc label eventstreams --all --all-namespaces backup.eventstreams.ibm.com/component=eventstreams
oc label eventgateway --all --all-namespaces backup.events.ibm.com/component=eventgateway
oc label datapowerservice --all --all-namespaces backup.datapower.ibm.com/component=datapowerservice
oc label kafkaconnect --all --all-namespaces backup.eventstreams.ibm.com/component=kafkaconnect
oc label kafkatopic --all --all-namespaces backup.eventstreams.ibm.com/component=kafkatopic
oc label kafkauser --all --all-namespaces backup.eventstreams.ibm.com/component=kafkauser
oc label kafkabridge --all --all-namespaces backup.eventstreams.ibm.com/component=kafkabridge
oc label kafkaconnector --all --all-namespaces backup.eventstreams.ibm.com/component=kafkaconnector
oc label kafkarebalance --all --all-namespaces backup.eventstreams.ibm.com/component=kafkarebalance
oc label apiconnectclusters --all --all-namespaces backup.apiconnect.ibm.com/component=apiconnectcluster
oc label commonservice --all --all-namespaces backup.integration.ibm.com/component=commonservice

If API Connect subsystems are deployed without the API Connect cluster CR, then label the API Connect subsystems and certificate issuers. Run these commands in each namespace where API Connect subsystems are deployed:

oc label managementclusters --all backup.apiconnect.ibm.com/component=managementcluster
oc label certificates.cert-manager.io ingress-ca backup.apiconnect.ibm.com/component=managementcluster 
oc label certificates.cert-manager.io gateway-client-client backup.apiconnect.ibm.com/component=managementcluster
oc label certificates.cert-manager.io portal-admin-client backup.apiconnect.ibm.com/component=managementcluster
oc label certificates.cert-manager.io analytics-ingestion-client backup.apiconnect.ibm.com/component=managementcluster 
oc label certificates.cert-manager.io api-manager-ca backup.apiconnect.ibm.com/component=managementcluster
oc label secret api-manager-ca backup.apiconnect.ibm.com/component=managementcluster
oc label secret portal-admin-client backup.apiconnect.ibm.com/component=managementcluster
oc label secret gateway-client-client backup.apiconnect.ibm.com/component=managementcluster  

oc label portalclusters --all backup.apiconnect.ibm.com/component=portalcluster
oc label secret ingress-ca backup.apiconnect.ibm.com/component=portalcluster
oc label issuers.cert-manager.io ingress-issuer backup.apiconnect.ibm.com/component=portalcluster                                                                            
oc label issuers.cert-manager.io selfsigning-issuer backup.apiconnect.ibm.com/component=portalcluster

oc label analyticsclusters --all backup.apiconnect.ibm.com/component=analyticscluster
oc label issuers.cert-manager.io ingress-issuer backup.apiconnect.ibm.com/component=analyticscluster                                                                     
oc label issuers.cert-manager.io selfsigning-issuer backup.apiconnect.ibm.com/component=analyticscluster
oc label secret ingress-ca backup.apiconnect.ibm.com/component=analyticscluster 

oc label gatewayclusters --all backup.apiconnect.ibm.com/component=gatewaycluster
oc label issuers.cert-manager.io ingress-issuer backup.apiconnect.ibm.com/component=gatewaycluster
oc label issuers.cert-manager.io selfsigning-issuer backup.apiconnect.ibm.com/component=gatewaycluster
oc label secret gateway-service backup.apiconnect.ibm.com/component=gatewaycluster
oc label secret gateway-peering backup.apiconnect.ibm.com/component=gatewaycluster
oc label secret ingress-ca backup.apiconnect.ibm.com/component=gatewaycluster
oc label secret admin-secret backup.apiconnect.ibm.com/component=gatewaycluster
oc label secret api-manager-ca backup.apiconnect.ibm.com/component=gatewaycluster
oc label certificates.cert-manager.io gateway-service backup.apiconnect.ibm.com/component=gatewaycluster 
oc label certificates.cert-manager.io gateway-peering backup.apiconnect.ibm.com/component=gatewaycluster

For API Connect two data center disaster recovery deployments, follow the extra configuration steps in Using OADP for API Connect two data center disaster recovery instances.

Queue managers need two labels to be set. For each Queue manager, run this patch command:

oc patch queuemanager <queue manager name> --type merge --patch '{"metadata":{"labels":{"backup.mq.ibm.com/component":"queuemanager"}},"spec":{"labels":{"backup.mq.ibm.com/component":"nopodbackup"}}}'

You only need to label the Queue managers you created. Queue managers owned by assemblies or Messaging servers should not be labeled and will be restored by their owning resource.

You must also label any configmaps and secrets that are used to configure the Queue managers:

oc label configmap <configmap-name> backup.mq.ibm.com/component=configmap
oc label secret <secret-name> backup.mq.ibm.com/component=secret

Label the pull secret for your entitlement key. This is the secret that you created if you installed Cloud Pak for Integration in an online environment. For more information, see Installing.
```
oc label secret ibm-entitlement-key backup.integration.ibm.com/component=secret
```
This must be run in each namespace you have deployed instances that use the pull secret.
Label the namespaces where you have instances, including the namespace where the foundational services workload is deployed. If you are restoring on a different OpenShift cluster, ensure that the target (restore) cluster does not have any namespaces with the same names you are backing up.
```
oc label namespace <your-namespace> backup.integration.ibm.com/component=namespace
```
If you are backing up API or API Product Kubernetes resources, label any ConfigMaps and secrets that you create. These ConfigMaps and secrets are referenced when you use API and API Product Kubernetes resources.
```
oc label configmap <configmap-name> backup.integration.ibm.com/component=configmap
oc label secret <secret-name> backup.integration.ibm.com/component=secret
```
If you are backing up an API or API Product that uses an integration runtime, you must also backup and restore the integration runtime.
If you are backing up Enterprise gateway instances, label any secrets that those instances reference, such as secrets that contain user credentials:
```
oc label secret <secret-name> backup.integration.ibm.com/component=secret
```

Create and configure the "Backup" Kubernetes resource

OADP uses a Kubernetes resource of kind Backup to specify which resources are backed up and where the backups are stored.

Copy the following YAML to create a draft copy for modification:

apiVersion: velero.io/v1
kind: Backup
metadata:
  name: integration-backup
  namespace: openshift-adp
spec:
  ttl: 720h0m0s
  defaultVolumesToFsBackup: false
  includeClusterResources: true
  includedNamespaces:
  - '*'
  orLabelSelectors:
  - matchExpressions:
    - key: backup.integration.ibm.com/component
      operator: In
      values:
      - catalogsource
      - operatorgroup
      - subscription
      - assetrepository
      - platformnavigator
      - integrationassembly
      - messagingserver
      - messagingqueue
      - messagingchannel
      - messaginguser
      - validatingadmissionpolicy
      - validatingadmissionpolicybinding
      - commonservice
      - secret
      - configmap
      - namespace
  - matchExpressions:
    - key: backup.apiconnect.ibm.com/component
      operator: In
      values:
      - catalogsource
      - operatorgroup
      - subscription
      - api
      - product
      - apiconnectcluster
      - portalcluster
      - analyticscluster
      - managementcluster
      - gatewaycluster
      - secret
      - configmap
  - matchExpressions:
    - key: backup.datapower.ibm.com/component
      operator: In
      values:
      - catalogsource 
      - operatorgroup
      - subscription
      - datapowerservice
      - secret
      - configmap
  - matchExpressions:
    - key: backup.appconnect.ibm.com/component
      operator: In
      values:
      - catalogsource
      - operatorgroup
      - subscription
      - configuration
      - dashboard
      - designerauthoring
      - integrationruntime
      - integrationserver
      - switchserver
      - secret
      - configmap
  - matchExpressions:
    - key: backup.mq.ibm.com/component
      operator: In
      values:
      - catalogsource
      - operatorgroup
      - subscription
      - queuemanager
      - secret
      - configmap
  - matchExpressions:
    - key: backup.eventstreams.ibm.com/component
      operator: In
      values:
      - catalogsource
      - operatorgroup
      - subscription
      - eventstreams
      - kafkaconnect
      - kafkatopic
      - kafkauser
      - kafkabridge
      - kafkaconnector
      - kafkarebalance
      - secret
      - configmap
  - matchExpressions:
    - key: backup.events.ibm.com/component
      operator: In
      values:
      - catalogsource
      - operatorgroup
      - subscription
      - eventgateway
  - matchExpressions:
    - key: foundationservices.cloudpak.ibm.com
      operator: In
      values:
      - keycloak

Important: If the DataPower service was deployed as part of API Connect, remove the - datapowerservice line from the section for key: backup.datapower.ibm.com/component in the YAML.

(Optional) Modify the matchExpressions sections as needed for your installation:
- Remove an operator from the backup by removing the matchExpressions section for it. For example, if you don't want to backup any instance that is managed by the IBM App Connect operator, remove the matchExpression section that has a key value of backup.appconnect.ibm.com/component.
- Add or remove label values to back up components within an operator. For example, if you want to exclude operators because you back them up in a different way, remove the catalogsource, operatorgroup, and subscription label values. If you added your own labels with custom text, ensure that those labels are present.
A matchExpressions section for the IBM App Connect operator might look like this:
```
- matchExpressions:
  - key: backup.appconnect.ibm.com/component
    operator: In
    values:
    - my-custom-label
    - catalogsource
    - operatorgroup
    - subscription
    - dashboard
    - designerauthoring
    - integrationruntime
    - integrationserver
    - secret
    - configmap
```
Match expressions are useful if you installed multiple instances into a single namespace and you want to backup a subset of them. For more information about matchExpressions, see Resources that support set-based requirements in the Kubernetes documentation.
When your updates are complete, apply the modified YAML to create the Backup Kubernetes resource in your cluster. The backup process starts when you create the resource, and runs in the background, avoiding disruption to your system. You can create the resource by using the Red Hat OpenShift console or the CLI.

Using the OpenShift web console:
1. Click the Plus (Import YAML) icon to open the YAML editor.
2. Paste the modified YAML into the editor.
3. Click Create. The Backup Kubernetes resource is created in the namespace that is listed in the YAML.
Using the CLI:
1. Save your modified YAML in a text file.
2. Log in to your OpenShift cluster by running the oc login command.
3. Set the OADP namespace (openshift-adp by default) as the default namespace by running the following command:
```
oc project openshift-adp
```
4. Apply the YAML by running the following command, where <filename> is the name of the file that you saved:
```
oc apply -f <filename>.yaml
```
When the backup completes successfully, the status of your backup instance under the Backup tab of the OADP operator is completed. You can also view the status by running the following command:
```
oc get backup.velero.io <integration_backup> -n openshift-adp -o jsonpath='{.status.phase}'
```
For a new backup, or if you modified your system since your last backup, test the backup to ensure that you can successfully recover your system if a failure occurs. To test the backup, restore it into a new OpenShift cluster while your primary system is running, then check that your restored instances work as expected.

Restoring a backup

Create and configure the "Restore" Kubernetes resource

OADP uses a Kubernetes resource of kind Restore to specify which resources are restored and where from.

Copy the following YAML to create a draft copy for modification:

apiVersion: velero.io/v1
kind: Restore
metadata:
  name: integration-restore
  namespace: openshift-adp
spec:
  backupName: <integration-backup>
  includeClusterResources: true
  existingResourcePolicy: update
  restorePVs: true
  restoreStatus:
    includedResources:
    - apis.apiconnect.ibm.com
    - products.apiconnect.ibm.com
    - integrationkeycloakclients.keycloak.integration.ibm.com
    - integrationkeycloakusers.keycloak.integration.ibm.com
  hooks: {}
  includedNamespaces:
  - '*'
  itemOperationTimeout: 1h0m0s
  orLabelSelectors:
  - matchExpressions:
    - key: backup.integration.ibm.com/component
      operator: In
      values:
      - catalogsource
      - operatorgroup
      - subscription
      - assetrepository
      - platformnavigator
      - integrationassembly
      - messagingserver
      - messagingqueue
      - messagingchannel
      - messaginguser
      - validatingadmissionpolicy
      - validatingadmissionpolicybinding
      - commonservice
      - secret
      - configmap
      - namespace
  - matchExpressions:
    - key: backup.apiconnect.ibm.com/component
      operator: In
      values:
      - catalogsource
      - operatorgroup
      - subscription
      - api
      - product
      - apiconnectcluster
      - portalcluster
      - analyticscluster
      - managementcluster
      - secret
      - configmap
  - matchExpressions:
    - key: backup.datapower.ibm.com/component
      operator: In
      values:
      - catalogsource 
      - operatorgroup
      - subscription
      - datapowerservice
      - secret
      - configmap
  - matchExpressions:
    - key: backup.appconnect.ibm.com/component
      operator: In
      values:
      - catalogsource
      - operatorgroup
      - subscription
      - configuration
      - dashboard
      - designerauthoring
      - integrationruntime
      - integrationserver
      - switchserver
      - secret
      - configmap
  - matchExpressions:
    - key: backup.mq.ibm.com/component
      operator: In
      values:
      - catalogsource
      - operatorgroup
      - subscription
      - queuemanager
      - secret
      - configmap
  - matchExpressions:
    - key: backup.eventstreams.ibm.com/component
      operator: In
      values:
      - catalogsource
      - operatorgroup
      - subscription
      - eventstreams
      - kafkaconnect
      - kafkatopic
      - kafkauser
      - kafkabridge
      - kafkaconnector
      - kafkarebalance
      - secret
      - configmap
  - matchExpressions:
    - key: backup.events.ibm.com/component
      operator: In
      values:
      - catalogsource
      - operatorgroup
      - subscription
      - eventgateway
  - matchExpressions:
    - key: foundationservices.cloudpak.ibm.com
      operator: In
      values:
        - keycloak

Important: If the DataPower service was deployed as part of API Connect, remove the - datapowerservice line from the section for key: backup.datapower.ibm.com/component in the YAML.

Replace <integration-backup> with the name of the backup to restore. If you are restoring into a new OpenShift cluster that you prepared as described earlier, you can view a list of all the backups that were created in your old cluster, on the Backup tab of the OADP operator. You can also list the backups by running this command:
```
oc get backups.velero.io -n openshift-adp
```
(Optional) Edit the matchExpressions sections in the YAML code to add or remove resources that you want to restore, as you did for the Backup Kubernetes resource.

Important: Some resources have dependencies on others, so even if you don't want to restore a resource, you might need to restore it so that dependent resources can start successfully after the restore operation. For example, the Integration dashboard (dashboard) and Integration design (designerauthoring) instances require the IBM Cloud Pak for Integration operator (subscription under backup.integration.ibm.com/component).
Use your updated YAML to create the Restore Kubernetes resource in your OpenShift cluster, in the same way that you created the Backup Kubernetes resource. The restore process starts when you create the resource. When the restore completes successfully, the status of your restore instance in the Restore tab of the OADP operator is completed. You can also view the status by running the following command:
```
oc get restore.velero.io -n openshift-adp <integration-restore> -o jsonpath='{.status.phase}'
```
Tip: Some objects, such as pods, might remain in an error state until the associated operator recreates all the related resources (such as configmaps or secrets).

Check the restored backup

Verify that the expected Cloud Pak for Integration resources are restored and functioning correctly. For example:

Platform UI: Check that you can access the user interface.
Assembly: Check that the IntegrationAssembly Kubernetes resource has a status of Ready.
Automation assets: Check that you can see the expected assets in the restored instance.
Enterprise gateway: Check that the DataPowerService Kubernetes resource has a status of Ready. OADP backs up and restores only the stateless components of the instance.

If you are using the backup to test your preparedness for a failure, your primary system should still be running. Some instances might require further configuration to test in this scenario. For example:

Kafka cluster: Because of the georeplication feature, you should be able to see information coming from the primary cluster.
Integration runtime: Use DNS router configuration to route data from the primary cluster to the test cluster, to imitate a failover situation and check that the restored backup in the new OpenShift cluster works as expected.

Advanced usage for labels

You can apply this reference information for either of the following tasks:

Adding custom labels to instances
Backing up only a subset of instances

A backup label has the following format, where <api_string> is a string that represents the operator that provides the instance and <label_value> is the label value to apply to that instance:

backup.<api_string>.ibm.com/component=<label_value>

The following table contains valid API strings for instances.

Table 1. Valid (default) strings for instances
Operator name	API string
IBM Cloud Pak for Integration	`integration`
IBM Automation Foundation assets	`integration`
IBM App Connect	`appconnect`
IBM DataPower Gateway	`datapower`
IBM Event Streams	`eventstreams`

These labels are added by default to instances. However, if the instances in your Cloud Pak for Integration installation do not already have labels applied (for example, if you are upgrading from an earlier release where backup labels were not present), you must add them. Use either the default string or custom label values.

All operators in Cloud Pak for Integration have the following standard labels.

Table 2. Standard labels for operators
Operator resource	Label value
Catalog source	`catalogsource`
Operator group	`operatorgroup`
Subscription	`subscription`

The following table contains the default label strings for each instance:

Table 3. Default label stings for instances
Instance type	Label value
Platform UI	`platformnavigator`
Assembly	`integrationassembly`
Automation assets	`assetrepository`
API	`api`
API Product	`product`
Messaging server	`messagingserver`
Messaging queue	`messagingqueue`
Messaging channel	`messagingchannel`
Messaging user	`messaginguser`
Policy	`validatingadmissionpolicy`
Policy binding	`validatingadmissionpolicybinding`
Integration dashboard	`dashboard`
Integration design	`designerauthoring`
Integration runtime	`integrationruntime`
Integration server	`integrationserver`
Enterprise gateway	`datapowerservice`
Kafka cluster	`eventstreams`
Kafka connect	`kafkaconnect`
Kafka topic	`kafkatopic`
Kafka user	`kafkauser`
Kafka bridge	`kafkabridge`
Kafka connector	`kafkaconnector`
Kafka rebalance	`kafkarebalance`
Foundational services	`commonservice`

To back up a specific instance, add a custom label to the instance. For example, the following label assigns a custom label value of my-instance to an instance that is provided by the IBM App Connect operator:

backup.appconnect.ibm.com/component=my-dashboard

In addition to adding labels by using the oc label command, as described earlier, you can add labels to an instance by using the Platform UI or by modifying the YAML for the instance's Kubernetes resource. For more information about adding labels in the Platform UI, see Using the Platform UI.

For more information about labels, including allowed characters and length, see Labels and selectors in the Kubernetes documentation.

Additional information

For more information about OADP, see Introduction to OpenShift API for Data Protection in the Red Hat OpenShift documentation.

Troubleshooting

If the restore process failed due to existing objects in the restore location, you might achieve a successful restore by deleting the existing objects then running the restore process again. For example, if you attempt to restore a namespace that already exists, an error occurs because the restore process cannot add a Velero label to the namespace.

You can view logs by installing the Velero CLI and running the following commands:

velero backup describe <integration-backup> -n openshift-adp
velero restore logs <integration-restore> -n openshift-adp

For more information about troubleshooting, see Troubleshooting in the OADP section of the Red Hat OpenShift documentation.