Configuring backup settings for Analytics on OpenShift and Cloud Pak for Integration

Configure the IBM® API Connect Analytics subsystem on OpenShift and Cloud Pak for Integration to support backing up and restoring the Analytics database.

1. Create the analytics backup secret for your S3-compatible storage:
   1. Obtain an access key and corresponding access key secret from your S3 provider.

      For example, you might obtain the key and secret from one of the following providers, using the instructions found on their sites:

      • IBM Cloud Object Storage
      • AWS
   2. Create the Kubernetes secret by running the following command and filling in your access key, access key secret, and namespace:

      oc create secret generic analytics-backup-secret --from-literal=username='Your_Access_Key' --from-literal=password='Your_access_key_secret' -n Analytics_namespace

2. Add the backup configuration to the Analytics section of the top-level APIConnectCluster CR:
   You can add or modify the Analytics backup configuration using one of the following methods:

   • OpenShift web console:
     1. Navigate to Advanced Configuration > Analytics Subsystem > Advanced Configuration > Database Backups > Advanced Configuration.
     2. Configure the backup settings using the settings described in Table 1.
   • Cloud Pak Platform Navigator:
     1. Open the API Connect capability in Platform Navigator for editing.
     2. On the Details page, enable Advanced settings, which allows you to add backup configurations in the Analytics subsystem section.
     3. Click Analytics subsystem and configure settings in the "Database backups" section using the settings described in Table 1.
   • YAML: Edit the top-level APIConnectCluster CR and add a databaseBackup section using the settings described in Table 1; for example:

       
     spec:
         analytics:
           databaseBackup:
             credentials: analytics-backup-secret
             host: s3.eu-gb.cloud-object-storage.appdomain.cloud
             path: my-s3-bucket/apic-analytics-backups
             backupCerts: <custom-s3-server-CA-cert>
             schedule: "0 2 * * *"
             enableCompression: true
             chunkSize: 1GB
             enableServerSideEncryption: false

   Table 1. Backup configuration settings for Analytics

   Field name in UI	Field name in YAML	Description
   Credentials	credentials	The name of the Kubernetes secret that you created in step 1.
   Server hostname	host	The S3 endpoint with the corresponding S3 region in the format s3.s3region.s3domain
   Backup path	path	A combination of the S3 bucket and the base path within the bucket, using the format bucket_name/base_path
   Schedule	schedule	(Optional) The schedule that determines how often backups will be invoked automatically. The format for the schedule is any valid cron string. The timezone for backups is that of the kube-controller-manager. Backing up once a day is probably sufficient; remember that the more frequently you run backups, the more storage space you need.
   Compress	enableCompression	(Optional) Determines whether metadata files are stored in compressed format. Default value is true.
   Backup chunk size	chunkSize	(Optional) Specifies how large files are stored. Large files can be stored as chunks when the snapshot is created. This setting specifies the size of the chunks as GB, MB, or KB. Default value is 1GB.
   Enable server side encryption	enableServerSideEncryption	(Optional) Determines whether files are encrypted. When set to true, files are encrypted on the server side using AES256. Default value is false.
   Backup Certs	backupCerts	The name of a custom certificate that contains your upstream custom S3 CA certificate. Supported beginning with 10.0.1.2-eus. Used only when s3Provider is set to custom. Most of the custom S3 providers are created based on custom CA certificates. This field accepts name of the Kubernetes secret containing your upstream custom S3 CA certificate. The key of the secret must be ca.crt and the value is the base64-encoded value of the CA certificate. If the server certificate that is presented by your S3/object-store endpoint is signed by a well known CA and includes any intermediate certificates in the chain, then you do not need to provide the CA certificate using this feature because the Analytics subsystem already trusts the server certificate. You can test this by configuring the Analytics backup to your S3/object-store server without providing the CA certificate. If you do need to provide the CA certificate then you must provide the entire chain in the ca.crt member of the secret, as follows: intermediate-certificate-1 intermediate-certificate-2 . . . intermediate-certificate-n root-certificate Where the first certificate in the ca.crt member (intermediate-certificate-1) is the issuer of the S3/object-store server certificate, and each subsequent certificate in the ca.crt member is the issuer of the preceding certificate. The root certificate in the ca.crt member must be self-signed. If there are no intermediate certificates involved, then the ca.crt member contains only the root certificate. The following sample bash script creates the Kubernetes secret: cat >customs3ca.yaml <<EOF apiVersion: v1 data: ca.crt: $(base64 <path-to-ca-certificate> | tr -d '\n' ) kind: Secret metadata: name: custom-server-ca type: generic EOF kubectl apply -f customs3ca.yaml -n <namespace>