Configure the IBM® API
Connect Analytics subsystem on
OpenShift and Cloud Pak for Integration to support backing up and restoring the Analytics
database.
About this task
Generating a backup for Analytics is performed on demand by configuring backup settings in the
Analytics section of the top-level APIConnectCluster
CR. You can create a restore
CR to start the restoration of a previously generated backup.
- Backups can be scheduled or generated manually (on-demand), but you can only run one backup or
restore process at a time.
- The Backup and Restore solution for Analytics supports only remote, cloud-based S3 storage (such
as IBM Cloud Object Storage, AWS S3, or a custom S3 configuration).
Note:
- Only host-style S3 backups are supported. Path-style S3 backups are not supported.
- If you are using a self-managed S3 backup server, check that you have a DNS hostname entry and
matching TLS certificate for your S3 backup endpoint.
Procedure
-
Create the analytics backup secret for your S3-compatible storage:
-
Obtain an access key and corresponding access key secret from your S3 provider.
For example, you might obtain the key and secret from one of the following providers, using the
instructions found on their sites:
-
Create the Kubernetes secret by running the following command and filling in your access key,
access key secret, and namespace:
oc create secret generic analytics-backup-secret --from-literal=username='Your_Access_Key' --from-literal=password='Your_access_key_secret' -n Analytics_namespace
-
Add the backup configuration to the Analytics section of the top-level
APIConnectCluster
CR:
You can add or modify the Analytics backup configuration using one of the following methods:
Table 1. Backup configuration settings for Analytics
Field name in UI |
Field name in YAML |
Description |
Credentials |
credentials |
The name of the Kubernetes secret that you created in step 1. |
Server hostname |
host |
The S3 endpoint with the corresponding S3 region in the format
s3.s3region.s3domain |
Backup path |
path |
A combination of the S3 bucket and the base path within the bucket, using the format
bucket_name/base_path |
Schedule |
schedule |
(Optional) The schedule that determines how often backups will be invoked automatically. The
format for the schedule is any valid cron string. The timezone for backups is that of the
kube-controller-manager. Backing up once a day is probably sufficient; remember that the more
frequently you run backups, the more storage space you need. |
Compress |
enableCompression |
(Optional) Determines whether metadata files are stored in compressed format. Default value
is true . |
Backup chunk size |
chunkSize |
(Optional) Specifies how large files are stored. Large files can be stored as chunks when the
snapshot is created. This setting specifies the size of the chunks as GB, MB, or KB. Default value
is 1GB . |
Enable server side encryption |
enableServerSideEncryption |
(Optional) Determines whether files are encrypted. When set to true, files are encrypted on
the server side using AES256. Default value is false . |
Backup Certs |
backupCerts |
The name of a custom certificate that contains your upstream custom S3 CA certificate.
Supported beginning with 10.0.1.2-eus. Used only when s3Provider is set to
custom . Most of the custom S3 providers are created based on custom CA
certificates.
This field accepts name of the Kubernetes secret containing your upstream custom
S3 CA certificate. The key of the secret must be ca.crt and the value is the
base64-encoded value of the CA certificate.
If the server certificate that is presented by
your S3/object-store endpoint is signed by a well known CA and includes any intermediate
certificates in the chain, then you do not need to provide the CA certificate using this feature
because the Analytics subsystem already trusts the server certificate. You can test this by
configuring the Analytics backup to your S3/object-store server without providing the CA
certificate.
If you do need to provide the CA certificate then you must provide the entire
chain in the ca.crt member of the secret, as
follows: intermediate-certificate-1
intermediate-certificate-2
. . .
intermediate-certificate-n
root-certificate
Where
the first certificate in the ca.crt member (intermediate-certificate-1) is the
issuer of the S3/object-store server certificate, and each subsequent certificate in the
ca.crt member is the issuer of the preceding certificate. The root certificate in the
ca.crt member must be self-signed.
If there are no intermediate certificates
involved, then the ca.crt member contains only the root certificate.
The
following sample bash script creates the Kubernetes
secret: cat >customs3ca.yaml <<EOF
apiVersion: v1
data:
ca.crt: $(base64 <path-to-ca-certificate> | tr -d '\n' )
kind: Secret
metadata:
name: custom-server-ca
type: generic
EOF
kubectl apply -f customs3ca.yaml -n <namespace>
|