Backup and restore as code

Make use of the backup and restore services through custom resources (CRs) and integrate these functionalities with the application code. It manages application backups by using a declarative state and maintains your backup posture for an application alongside the application in Git.

You can use CRs to deploy backup storage locations, establish backup policies to each cluster, assign policies to applications, and perform backup and restore operations for applications and their resources.

Note: If you are not currently in the same namespace, then include

-n
<namespace>

in all commands. If you are already in the IBM Fusion namespace (ibm-spectrum-fusion-ns), then -n <namespace> is not necessary.

Backup storage location

If you want to create a backup storage location, then define the type of the S3 endpoint, the name of the target S3 bucket, credentials to connect to the endpoint, and some optional parameters based on the type.

Create a backup storage location

oc create -f <storagelocation.yaml>

Sample storage location YAML file:


apiVersion: v1
data:
  access-key-id: AMIATNJ3JEMKR6GAUOLN
  secret-access-key: vgm9AJPztPkOygBFpBp2UzEErLBelTcp3JPdPn9c
kind: Secret
metadata:
  name: backup-storage-location-example-secret-0
  namespace: ibm-spectrum-fusion-ns
---
apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: BackupStorageLocation
metadata:
  
  name: backup-storage-location-example
  namespace: ibm-spectrum-fusion-ns
spec:
  type: aws
  credentialName:  backup-storage-location-example-secret-0
  provider: isf-backup-restore
  params:
    region: us-west-2
    bucket: bucket-name
    endpoint: https://s3.us-west-2.amazonaws.com

In this sample, a secret and backup storage locations are created.

Note: The secret is created before the triple dashes, and the backup storage location is created after the triple dashes in the YAML file.

Run the following command to generate the cloud data:

printf "[default]\naws_access_key_id=minio\naws_secret_access_key=minio123\n" | base64 -w 0

Replace the value of aws_access_key_id and aws_secret_access_key with your value.

Modify backup storage location

oc edit fbsl backup-storage-location-example

You can modify the backup storage location details.

Modify secret

oc edit secret backup-storage-location-example-secret-0

You can modify the secret details.

Delete backup storage location

oc delete fbsl backup-storage-location-example

Note: You cannot delete a backup storage location if there are any existing backup policies or backups associated with it. For successful backups, they must surpass their retention period before IBM Fusion can automatically remove them. However, failed backups can be manually removed through the IBM Fusion web console.

Delete secret

oc delete secret backup-storage-location-example-secret-0

Get all backup storage locations

oc get fbsl

Backup policy

Create a backup policy

oc create -f <backuppolicy.yaml>

oc apply -f <backuppolicy.yaml>

Sample backup policy YAML files:

Backup policy to take backups daily:


apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: BackupPolicy
metadata:
  name: daily-policy
  namespace: ibm-spectrum-fusion-ns
spec:
  provider: isf-backup-restore
  backupStorageLocation: backup-storage-location-example
  retention:
    number: 10
    unit: days
  schedule:
    cron: "30 10 * * *"
    timezone: America/Los_Angeles

Backup policy to take backups weekly from Monday through Friday:

apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: BackupPolicy
metadata:
  name: backup-policy-weekdays
  namespace: ibm-spectrum-fusion-ns
spec:
  provider: isf-backup-restore
  backupStorageLocation: backup-storage-location-example
  retention:
    number: 4
    unit: weeks
  schedule:
    cron: "30 20 * * 1,2,3,4,5"
    timezone: America/Los_Angeles

Edit a backup policy

oc edit backuppolicy <backuppolicy name>

You cannot modify the policy name and CR name.

Delete a backup policy

oc delete backuppolicy <backuppolicy name>

Example:

oc delete backuppolicy daily-policy

If at least one reference exists a backupObject or PolicyAssignment Object, then you cannot delete the policy.

Get the basic information about a backup policy

oc get backuppolicy <backuppolicy name>

Get all the information about a backup policy

oc describe backuppolicy daily-policy

Alternatively, you can use the following sample OC command:

oc describe backuppolicy/daily-policy

Get all backup policies

oc get backuppolicies

Assign a policy to an application

BackupPolicyAssignment is a call to create backups by associating a backup policy with an application. You must assign a policy to an application to schedule backups.

oc create -f <policyassignment.yaml>

Note: The appCluster is the name of the cluster where this application resides. It is optional and only required for remote Spoke applications to designate which Spoke cluster to run the job against. If it is not provided, the assumption is that the jobs are for an application on the Hub cluster.

Sample assignment YAML file for daily backup:

apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: PolicyAssignment
metadata:
  name: backup-policy-assignment-example
  namespace: ibm-spectrum-fusion-ns
spec:
  application: application-sample
  backupPolicy: daily-policy
  appCluster: fusion-cluster

Run the following command to get the name:

oc get cluster

Example:


apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: PolicyAssignment
metadata:
  
  name: filebrowser-20220919-1834111-isf-auto-ibmcos-backuppolicy-20220919-183411
  namespace: ibm-spectrum-fusion-ns
spec:
  application: filebrowser-20220919-1834111
  backupPolicy: isf-auto-ibmcos-backuppolicy-20220919-183411
  appCluster: fusion-cluster
  runNow: true

The corresponding backup CRD file is as follows:


apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: BackupPolicy
metadata:
  
  name: isf-auto-ibmcos-backuppolicy-20220919-183411
  namespace: ibm-spectrum-fusion-ns
spec:
  backupStorageLocation: isf-ibm-location-20220919-183411
  provider: isf-backup-restore
  retention:
    number: 1
    unit: days
  schedule:
    cron: 51 18 1 * *
    timezone: America/Los_Angeles

Edit policy assignment

oc edit policyassignment <policyassignment-name>

Delete policy assignment

oc delete policyassignment <policyassignment-name>

Backup and restore

Create backup CR for on-demand backup

Here, one time application backup is taken by using an on-demand backup policy.

oc create -f <CR_Ondemand_backup.yaml>

Sample YAML file:

apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: Backup
metadata:
  
  name: auto-fb-spoke1-20230702-1122581-azure-dpcos1-daily-202307102004
  namespace: ibm-spectrum-fusion-ns
spec:
  appCluster: apps.bnr-sno-sunshine.fusion-sno-ibm.com
  application: auto-fb-spoke1-20230702-1122581
  backupPolicy: azure-dpcos1-daily

Run the following command to get the name of the cluster where this application resides and add it as a value for appCluster:

oc get cluster

Delete backup request CR

A DeleteBackupRequest can be used to delete a backup CR and all the related resources (backup data, snapshot, and so on) of a backup CR.

oc create -f <delete_CR_Name.yaml>

Sample YAML file:

apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: DeleteBackupRequest
metadata:
  name: backup-example-delete-request
  namespace: ibm-spectrum-fusion-ns
spec:
  backup: backup-example

Restore an application

oc create -f <backup-restore.yaml>

Sample of YAML restore file:

The following sample restores the backup-wordpress backup.

For cross cluster restore, the targetCluster is provided. If targetCluster is not available, then default to the same cluster where the backup got originated from:


apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: Restore
metadata:
  dp.isf.ibm.com/provider-name: isf-backup-restore
  name: restore-complete-wordpress-1689030046
  namespace: ibm-spectrum-fusion-ns
spec:
  backup: complete-wordpress-ibm-do-not-use-202307102253
  objectsToRestore:
    RESOURCES:
    - ALL
    v1/persistentvolumeclaim:
    - complete-wordpress/mysql-pv-claim
    - complete-wordpress/wp-pv-claim
  targetCluster: guard-vpc-dog-98b7318c91b01bd72490e80cc2328915-0000.us-south.containers.appdomain.cloud

Restore an application to alternate namespaces

You can restore application to alternate namespaces on same cluster or another cluster.

For example, application A comprising of three namespaces namely ns1, ns2, and ns3 are backed up, then you need to specify the namespaceMapping field in Restore CR to restore this application to alternate namespace.

apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: Restore
metadata:
  name: <custom-restore-name>
  namespace: ibm-spectrum-fusion-ns
spec:
  backup: <your-backup-job-name>
  namespaceMapping:
      ns1: ns1-new
      ns2: ns2-new
      ns3: ns3-new

Namespace variables automatically point to the correct namespaces during backup and restore. And it would be useful in scenarios, where you want to refer current namespace like exec hooks, mainly in restore cases.

Note: If a namespace or namespace field is missing in the namespaceMapping, then it restores to the original namespace.

An example of application that is backed up with three variables in Application CR.

apiVersion: application.isf.ibm.com/v1alpha1
kind: Application
...
spec:
  includedNamespaces:
    - ns1
    - ns2
    - ns3
  variables:
    - name: PARENT_NAMESPACE
      value: ns1
    - name: CHILD1_NAMESPACE
      value: ns2
    - name: CHILD2_NAMESPACE
      value: ns3

There are two methods to access these variables:

The first method is using ${PARENT_NAMESPACE}. It is valid only in backup scenario, and becomes invalid during restore as still referring to ns1.
The second method is using new construct ${APP.${PARENT_NAMESPACE}.name}, which substitutes namespace variables correctly. This refers to ns1 in case of backup and ns1-new when restoring to alternate namespace.
In a restore scenario within the same namespace, it refers to ns1 only. This new construct can be utilized while specifying hook namespace field and exec commands.

List backups

oc get backups.data-protection.isf.ibm.com

List restores

oc get restores.data-protection.isf.ibm.com

List policy assignments

oc get policyassignments.data-protection.isf.ibm.com

Self-service Backup & Restore

Create a RecoverBackup CR: To create a RecoverBackup CR, see Self-service Backup & Restore.

Service protection

Note: The service protection is supported only through the user interface and not from the command line.