Before you begin
Best practice: You can run the commands in this task exactly as written if you set up environment variables. For instructions, see Setting up installation environment variables.
Ensure that you source the environment variables before you run the commands in this task.
About this task
To ensure that you can back up this instance of IBM Software Hub with Portworx asynchronous data replication, you must:
- Give the service accounts for the Backup Restore Orchestration service the edit cluster role on the specified projects:
| Service account | Projects | Details |
|---|---|---|
| ${BR_OPERATOR_SA} | Backup Restore Orchestration service | The Red Hat® OpenShift® Container Platform edit role enables the Backup Restore Orchestration service operator to modify resources in the specified project. |
| ${BR_OPERATOR_JOB_SA} | Operators project; Operands project; Any tethered projects | The Red Hat OpenShift Container Platform edit role enables the Backup Restore Orchestration service jobs to modify resources in the specified projects. For example, the service can use this role to patch a custom resource to put a service in maintenance mode. |
- Install the cpdbr-tenant service.
- Install the Backup Restore Orchestration service.
Procedure
- Install the cpdbr-tenant service.
The command that you run depends on where your cluster pulls images from:
- IBM Entitled Registry
cpd-cli oadp install \
--component=cpdbr-tenant \
--namespace=${OADP_PROJECT} \
--cpd-scheduler-namespace=${PROJECT_SCHEDULING_SERVICE} \
--tenant-operator-namespace=${PROJECT_CPD_INST_OPERATORS} \
--skip-recipes \
--log-level=debug \
--verbose
- Private container registry
cpd-cli oadp install \
--component=cpdbr-tenant \
--namespace=${OADP_PROJECT} \
--cpd-scheduler-namespace=${PROJECT_SCHEDULING_SERVICE} \
--tenant-operator-namespace=${PROJECT_CPD_INST_OPERATORS} \
--private_registry_location=${PRIVATE_REGISTRY_LOCATION} \
--skip-recipes \
--log-level=debug \
--verbose
- Confirm that the required cluster role and cluster role binding were created in the ${PROJECT_INST_BR_SVC} project when you installed the cpdbr-tenant service. If they do not exist, the command creates them.
BINDING_NAME="cpdbr-tenant-service-crb-${PROJECT_CPD_INST_OPERATORS}"
SHOULD_ADD=false
# Check if the exact combination of SA name and namespace exists
if oc get clusterrolebinding "${BINDING_NAME}" -o json | \
    jq -e ".subjects[]? | select(.kind==\"ServiceAccount\" and .name==\"${BR_OPERATOR_JOB_SA}\" and .namespace==\"${PROJECT_INST_BR_SVC}\")" > /dev/null 2>&1; then
  echo "ServiceAccount ${BR_OPERATOR_JOB_SA} already exists in namespace ${PROJECT_INST_BR_SVC}"
else
  echo "ServiceAccount ${BR_OPERATOR_JOB_SA} in namespace ${PROJECT_INST_BR_SVC} not found, adding"
  SHOULD_ADD=true
fi
# Add the subject if needed
if [ "${SHOULD_ADD}" = true ]; then
  oc patch clusterrolebinding "${BINDING_NAME}" --type=json -p="[
    {
      \"op\": \"add\",
      \"path\": \"/subjects/-\",
      \"value\": {
        \"kind\": \"ServiceAccount\",
        \"name\": \"${BR_OPERATOR_JOB_SA}\",
        \"namespace\": \"${PROJECT_INST_BR_SVC}\"
      }
    }
  ]"
fi
- Install the Backup Restore Orchestration service for the instance:
- Instances without tethered projects
cpd-cli manage apply-br \
--license_acceptance=true \
--release=${VERSION} \
--patch_id=${PATCH_ID} \
--br_tool=oadp \
--oadp_ns=${OADP_PROJECT} \
--br_operator_ns=${PROJECT_INST_BR_SVC} \
--operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--image_pull_prefix=${IMAGE_PULL_PREFIX} \
--image_pull_secret=${IMAGE_PULL_SECRET}
- Instances with tethered projects
cpd-cli manage apply-br \
--license_acceptance=true \
--release=${VERSION} \
--patch_id=${PATCH_ID} \
--br_tool=oadp \
--oadp_ns=${OADP_PROJECT} \
--br_operator_ns=${PROJECT_INST_BR_SVC} \
--operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--tethered_instance_ns=${PROJECT_CPD_INSTANCE_TETHERED_LIST} \
--image_pull_prefix=${IMAGE_PULL_PREFIX} \
--image_pull_secret=${IMAGE_PULL_SECRET}
- Give the ${BR_OPERATOR_SA} service account the edit cluster role on the required projects:
oc create rolebinding bros-rolebinding-edit \
--clusterrole=edit \
--serviceaccount=${PROJECT_CPD_INST_BR_SVC}:${BR_OPERATOR_SA} \
-n ${PROJECT_CPD_INST_BR_SVC}
oc label rolebinding bros-rolebinding-edit \
-n ${PROJECT_CPD_INST_BR_SVC} \
component-id=br-orchestration \
icpdsupport/addOnId=bros
- Give the ${BR_OPERATOR_JOB_SA} service account the edit cluster role on the required projects:
# Assign the edit role in the operators project
# =======================================================================================
oc create rolebinding bros-job-sa-rb-${BR_OPERATOR_JOB_SA} \
--clusterrole=edit \
--serviceaccount=${PROJECT_CPD_INST_BR_SVC}:${BR_OPERATOR_JOB_SA} \
-n ${PROJECT_CPD_INST_OPERATORS}
oc label rolebinding bros-job-sa-rb-${BR_OPERATOR_JOB_SA} \
-n ${PROJECT_CPD_INST_OPERATORS} \
component-id=br-orchestration \
icpdsupport/addOnId=bros
# Assign the edit role in the operands project
# =======================================================================================
oc create rolebinding bros-job-sa-rb-${BR_OPERATOR_JOB_SA} \
--clusterrole=edit \
--serviceaccount=${PROJECT_CPD_INST_BR_SVC}:${BR_OPERATOR_JOB_SA} \
-n ${PROJECT_CPD_INST_OPERANDS}
oc label rolebinding bros-job-sa-rb-${BR_OPERATOR_JOB_SA} \
-n ${PROJECT_CPD_INST_OPERANDS} \
component-id=br-orchestration \
icpdsupport/addOnId=bros
# Assign the edit role in any tethered projects
# =======================================================================================
if [ -n "${PROJECT_CPD_INSTANCE_TETHERED_LIST}" ]; then
  IFS=',' read -ra TETHERED_NS_LIST <<< "${PROJECT_CPD_INSTANCE_TETHERED_LIST}"
  for TETHERED_NS in "${TETHERED_NS_LIST[@]}"; do
    oc create rolebinding bros-job-sa-rb-${BR_OPERATOR_JOB_SA} \
    --clusterrole=edit \
    --serviceaccount=${PROJECT_CPD_INST_BR_SVC}:${BR_OPERATOR_JOB_SA} \
    -n ${TETHERED_NS}
    oc label rolebinding bros-job-sa-rb-${BR_OPERATOR_JOB_SA} \
    -n ${TETHERED_NS} \
    component-id=br-orchestration \
    icpdsupport/addOnId=bros
  done
fi
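Added example (not part of the IBM procedure): a post-install check that the edit role bindings created in the two preceding steps exist in every intended project and nowhere else. The function names, the five-column input format, and the sample project and service account names are assumptions made for this illustration.

```shell
#!/bin/sh
# Audit namespaced 'edit' grants held by one service account.
# stdin: one rolebinding per line (format assumed for this example):
#   <binding-ns> <roleRef.kind> <roleRef.name> <subject-ns> <subject-name>
# One way to produce it from a live cluster (first subject only, which
# matches the single-subject bindings created by the steps above):
#   oc get rolebinding -A -o jsonpath='{range .items[*]}{.metadata.namespace}{" "}{.roleRef.kind}{" "}{.roleRef.name}{" "}{.subjects[0].namespace}{" "}{.subjects[0].name}{"\n"}{end}'
# ClusterRoleBindings are out of scope here and need a separate review.

# audit_edit_grants <sa-namespace> <sa-name> <comma-separated expected projects>
# Prints MISSING/UNEXPECTED lines; exit status 1 if any drift is found.
audit_edit_grants() (
  sa_ns=$1; sa_name=$2; expected_csv=$3
  expected=$(printf '%s\n' "$expected_csv" | tr ',' '\n' | sed '/^$/d' | sort -u)
  # Namespaces where this exact service account is bound to ClusterRole/edit.
  actual=$(awk -v ns="$sa_ns" -v sa="$sa_name" \
    '$2 == "ClusterRole" && $3 == "edit" && $4 == ns && $5 == sa { print $1 }' | sort -u)
  status=0
  for n in $expected; do
    if ! printf '%s\n' "$actual" | grep -qxF -- "$n"; then
      echo "MISSING $n"; status=1
    fi
  done
  for n in $actual; do
    if ! printf '%s\n' "$expected" | grep -qxF -- "$n"; then
      echo "UNEXPECTED $n"; status=1
    fi
  done
  exit "$status"
)

# Constructed sample input: one tethered project was never bound, and the
# job service account also holds edit in 'default'.
sample_bindings() {
  cat <<'EOF'
cpd-operators ClusterRole edit br-svc bros-job-sa
cpd-operands ClusterRole edit br-svc bros-job-sa
cpd-operands ClusterRole view br-svc bros-job-sa
default ClusterRole edit br-svc bros-job-sa
cpd-operands ClusterRole edit br-svc other-sa
EOF
}
```

Against a live cluster, pipe the oc output into audit_edit_grants with ${PROJECT_CPD_INST_BR_SVC}, ${BR_OPERATOR_JOB_SA}, and the operators, operands, and tethered projects joined by commas. The same function covers ${BR_OPERATOR_SA} when the expected list is the Backup Restore Orchestration service project alone.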
Restore: Install the cpdbr-tenant service role-based access control and the Backup Restore Orchestration service role-based access control on the target cluster:
- Install the cpdbr-tenant service role-based access control:
cpd-cli oadp install \
--component=cpdbr-tenant \
--namespace=${OADP_PROJECT} \
--tenant-operator-namespace=${PROJECT_CPD_INST_OPERATORS} \
--skip-recipes \
--rbac-only=true \
--log-level=debug \
--verbose
- Install the Backup Restore Orchestration service role-based access control.
- Instances without tethered projects
cpd-cli manage apply-br \
--license_acceptance=true \
--release=${VERSION} \
--patch_id=${PATCH_ID} \
--br_tool=oadp \
--oadp_ns=${OADP_PROJECT} \
--ignore_tenant_ns_resources \
--br_operator_ns=${PROJECT_INST_BR_SVC} \
--operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--image_pull_prefix=${IMAGE_PULL_PREFIX} \
--image_pull_secret=${IMAGE_PULL_SECRET}
- Instances with tethered projects
cpd-cli manage apply-br \
--license_acceptance=true \
--release=${VERSION} \
--patch_id=${PATCH_ID} \
--br_tool=oadp \
--oadp_ns=${OADP_PROJECT} \
--ignore_tenant_ns_resources \
--br_operator_ns=${PROJECT_INST_BR_SVC} \
--operator_ns=${PROJECT_CPD_INST_OPERATORS} \
--instance_ns=${PROJECT_CPD_INST_OPERANDS} \
--tethered_instance_ns=${PROJECT_CPD_INSTANCE_TETHERED_LIST} \
--image_pull_prefix=${IMAGE_PULL_PREFIX} \
--image_pull_secret=${IMAGE_PULL_SECRET}