Backup and restore as code

Make use of the backup and restore services through custom resources (CRs) and integrate these functionalities with the application code. It manages application backups by using a declarative state and maintains your backup posture for an application alongside the application in Git. 

You can use CRs to deploy backup storage locations, establish backup policies to each cluster, assign policies to applications, and perform backup and restore operations for applications and their resources.
Note: If you are not currently in the same namespace, then include -n <namespace> in all commands. If you are already in the IBM Fusion namespace (ibm-spectrum-fusion-ns), then -n <namespace> is not necessary.

Backup storage location

If you want to create a backup storage location, then define the type of the S3 endpoint, the name of the target S3 bucket, credentials to connect to the endpoint, and some optional parameters based on the type.
Create a backup storage location
oc create -f <storagelocation.yaml>
Sample storage location YAML file:

apiVersion: v1
data:
  access-key-id: AMIATNJ3JEMKR6GAUOLN
  secret-access-key: vgm9AJPztPkOygBFpBp2UzEErLBelTcp3JPdPn9c
kind: Secret
metadata:
  name: backup-storage-location-example-secret-0
  namespace: ibm-spectrum-fusion-ns
---
apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: BackupStorageLocation
metadata:
  
  name: backup-storage-location-example
  namespace: ibm-spectrum-fusion-ns
spec:
  type: aws
  credentialName:  backup-storage-location-example-secret-0
  provider: isf-backup-restore
  params:
    region: us-west-2
    bucket: bucket-name
    endpoint: https://s3.us-west-2.amazonaws.com

In this sample, a secret and backup storage locations are created.

Note: The secret is created before the triple dashes, and the backup storage location is created after the triple dashes in the YAML file.
Run the following command to generate the cloud data:
printf "[default]\naws_access_key_id=minio\naws_secret_access_key=minio123\n" | base64 -w 0

Replace the value of aws_access_key_id and aws_secret_access_key with your value.

Modify backup storage location
oc edit fbsl backup-storage-location-example

You can modify the backup storage location details.

Modify secret
oc edit secret backup-storage-location-example-secret-0

You can modify the secret details.

Delete backup storage location
oc delete fbsl backup-storage-location-example
Note: You cannot delete a backup storage location if there are any existing backup policies or backups associated with it. For successful backups, they must surpass their retention period before IBM Fusion can automatically remove them. However, failed backups can be manually removed through the IBM Fusion web console.
Delete secret
oc delete secret backup-storage-location-example-secret-0
Get all backup storage locations
oc get fbsl

Backup policy

Create a backup policy
oc create -f <backuppolicy.yaml>
or
oc apply -f <backuppolicy.yaml>
Sample backup policy YAML files:
  • Backup policy to take backups daily:
    
    apiVersion: data-protection.isf.ibm.com/v1alpha1
    kind: BackupPolicy
    metadata:
      name: daily-policy
      namespace: ibm-spectrum-fusion-ns
    spec:
      provider: isf-backup-restore
      backupStorageLocation: backup-storage-location-example
      retention:
        number: 10
        unit: days
      schedule:
        cron: "30 10 * * *"
        timezone: America/Los_Angeles
        
  • Backup policy to take backups weekly from Monday through Friday:
    apiVersion: data-protection.isf.ibm.com/v1alpha1
    kind: BackupPolicy
    metadata:
      name: backup-policy-weekdays
      namespace: ibm-spectrum-fusion-ns
    spec:
      provider: isf-backup-restore
      backupStorageLocation: backup-storage-location-example
      retention:
        number: 4
        unit: weeks
      schedule:
        cron: "30 20 * * 1,2,3,4,5"
        timezone: America/Los_Angeles
Edit a backup policy
oc edit backuppolicy <backuppolicy name>

You cannot modify the policy name and CR name.

Delete a backup policy
oc delete backuppolicy <backuppolicy name>
Example:
oc delete backuppolicy daily-policy

If at least one reference exists a backupObject or PolicyAssignment Object, then you cannot delete the policy.

Get the basic information about a backup policy
oc get backuppolicy <backuppolicy name>
Get all the information about a backup policy
oc describe backuppolicy daily-policy 
Alternatively, you can use the following sample OC command:
oc describe backuppolicy/daily-policy
Get all backup policies
oc get backuppolicies
Assign a policy to an application
BackupPolicyAssignment is a call to create backups by associating a backup policy with an application. You must assign a policy to an application to schedule backups.
oc create -f <policyassignment.yaml>
Note: The appCluster is the name of the cluster where this application resides. It is optional and only required for remote Spoke applications to designate which Spoke cluster to run the job against. If it is not provided, the assumption is that the jobs are for an application on the Hub cluster.
Sample assignment YAML file for daily backup:
apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: PolicyAssignment
metadata:
  name: backup-policy-assignment-example
  namespace: ibm-spectrum-fusion-ns
spec:
  application: application-sample
  backupPolicy: daily-policy
  appCluster: fusion-cluster
  
Run the following command to get the name:
oc get cluster
Example:

apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: PolicyAssignment
metadata:
  
  name: filebrowser-20220919-1834111-isf-auto-ibmcos-backuppolicy-20220919-183411
  namespace: ibm-spectrum-fusion-ns
spec:
  application: filebrowser-20220919-1834111
  backupPolicy: isf-auto-ibmcos-backuppolicy-20220919-183411
  appCluster: fusion-cluster
  runNow: true
The corresponding backup CRD file is as follows:

apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: BackupPolicy
metadata:
  
  name: isf-auto-ibmcos-backuppolicy-20220919-183411
  namespace: ibm-spectrum-fusion-ns
spec:
  backupStorageLocation: isf-ibm-location-20220919-183411
  provider: isf-backup-restore
  retention:
    number: 1
    unit: days
  schedule:
    cron: 51 18 1 * *
    timezone: America/Los_Angeles
Edit policy assignment
oc edit policyassignment <policyassignment-name>
Delete policy assignment
oc delete policyassignment <policyassignment-name>

Backup and restore

Create backup CR for on-demand backup
Here, one time application backup is taken by using an on-demand backup policy.
oc create -f <CR_Ondemand_backup.yaml> 
Sample YAML file:
apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: Backup
metadata:
  
  name: auto-fb-spoke1-20230702-1122581-azure-dpcos1-daily-202307102004
  namespace: ibm-spectrum-fusion-ns
spec:
  appCluster: apps.bnr-sno-sunshine.fusion-sno-ibm.com
  application: auto-fb-spoke1-20230702-1122581
  backupPolicy: azure-dpcos1-daily
Note: The appCluster is the name of the cluster where this application resides. It is optional and only required for remote Spoke applications to designate which Spoke cluster to run the job against. If it is not provided, the assumption is that the jobs are for an application on the Hub cluster.
Run the following command to get the name of the cluster where this application resides and add it as a value for appCluster:
oc get cluster
Delete backup request CR
A DeleteBackupRequest can be used to delete a backup CR and all the related resources (backup data, snapshot, and so on) of a backup CR.
oc create -f <delete_CR_Name.yaml>

Sample YAML file:

apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: DeleteBackupRequest
metadata:
  name: backup-example-delete-request
  namespace: ibm-spectrum-fusion-ns
spec:
  backup: backup-example
Restore an application
oc create -f <backup-restore.yaml>

Sample of YAML restore file:

The following sample restores the backup-wordpress backup.

For cross cluster restore, the targetCluster is provided. If targetCluster is not available, then default to the same cluster where the backup got originated from:

apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: Restore
metadata:
  dp.isf.ibm.com/provider-name: isf-backup-restore
  name: restore-complete-wordpress-1689030046
  namespace: ibm-spectrum-fusion-ns
spec:
  backup: complete-wordpress-ibm-do-not-use-202307102253
  objectsToRestore:
    RESOURCES:
    - ALL
    v1/persistentvolumeclaim:
    - complete-wordpress/mysql-pv-claim
    - complete-wordpress/wp-pv-claim
  targetCluster: guard-vpc-dog-98b7318c91b01bd72490e80cc2328915-0000.us-south.containers.appdomain.cloud
Restore an application to alternate namespaces
You can restore application to alternate namespaces on same cluster or another cluster.
For example, application A comprising of three namespaces namely ns1, ns2, and ns3 are backed up, then you need to specify the namespaceMapping field in Restore CR to restore this application to alternate namespace.
apiVersion: data-protection.isf.ibm.com/v1alpha1
kind: Restore
metadata:
  name: <custom-restore-name>
  namespace: ibm-spectrum-fusion-ns
spec:
  backup: <your-backup-job-name>
  namespaceMapping:
      ns1: ns1-new
      ns2: ns2-new
      ns3: ns3-new
Namespace variables automatically point to the correct namespaces during backup and restore. And it would be useful in scenarios, where you want to refer current namespace like exec hooks, mainly in restore cases.
Note: If a namespace or namespace field is missing in the namespaceMapping, then it restores to the original namespace.
An example of application that is backed up with three variables in Application CR.
apiVersion: application.isf.ibm.com/v1alpha1
kind: Application
...
spec:
  includedNamespaces:
    - ns1
    - ns2
    - ns3
  variables:
    - name: PARENT_NAMESPACE
      value: ns1
    - name: CHILD1_NAMESPACE
      value: ns2
    - name: CHILD2_NAMESPACE
      value: ns3
There are two methods to access these variables:
  • The first method is using ${PARENT_NAMESPACE}. It is valid only in backup scenario, and becomes invalid during restore as still referring to ns1.
  • The second method is using new construct ${APP.${PARENT_NAMESPACE}.name}, which substitutes namespace variables correctly. This refers to ns1 in case of backup and ns1-new when restoring to alternate namespace.

    In a restore scenario within the same namespace, it refers to ns1 only. This new construct can be utilized while specifying hook namespace field and exec commands.

List backups
oc get backups.data-protection.isf.ibm.com
List restores
oc get restores.data-protection.isf.ibm.com
List policy assignments
oc get policyassignments.data-protection.isf.ibm.com

Self-service Backup & Restore

Create a RecoverBackup CR
To create a RecoverBackup CR, see Self-service Backup & Restore.

Service protection

Note: The service protection is supported only through the user interface and not from the command line.