Backing Up Tanzu Application Service for Kubernetes Using Automation
This topic provides an overview of how to back up Tanzu Application Service for Kubernetes (TAS for Kubernetes) using automation.
To back up TAS for Kubernetes manually, see Backing Up TAS for Kubernetes Manually.
Overview
To back up TAS for Kubernetes using automation:
- Create and Configure a Service Account for Backing Up
- Automate Your Velero Backup
- Review the Automated Velero Backup
Prerequisites
Complete the configuration for manual back up before proceeding with configuring automated back up. For more information, see Backing Up Tanzu Application Service for Kubernetes.
Create and Configure a Service Account for Backing Up
To create a service account to run the automated backup:
Use your IaaS tools to create the service account:
For example, to create a service account on GCP:gcloud iam service-accounts create velero-service-account \ --display-name "Velero service account"Grant the new Velero service account permissions needed to complete the backup.
For example, to grant the service account permissions on GCP:SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \ --filter="displayName:Velero service account" \ --format 'value(email)')
PROJECT_ID=$(gcloud config get-value project)
ROLE_PERMISSIONS=( compute.disks.get compute.disks.create compute.disks.createSnapshot compute.snapshots.get compute.snapshots.create compute.snapshots.useReadOnly compute.snapshots.delete compute.zones.get storage.buckets.get storage.objects.create storage.objects.delete storage.objects.list )
gcloud iam roles create velero.server \ --project $PROJECT_ID \ --title "Velero Server" \ --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"
gcloud projects add-iam-policy-binding $PROJECT_ID \ --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \ --role projects/$PROJECT_ID/roles/velero.server
gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://velero-demo-bucket
To create a service account key, use your IaaS tools to create the key. Specify for the IaaS tool to create a
credentials-velerooutput file to your local directory.
For example, to create a service account key on GCP:gcloud iam service-accounts keys create credentials-velero \ --iam-account $SERVICE_ACCOUNT_EMAIL
Automate Your Velero Backup
There are two methods for automating your Velero backup:
Create a Bash Script
To create a Velero backup script:
Create a bash script with the following content:
#!/usr/bin/env bash set -euo pipefail if ! kubectl get namespace cf-system &> /dev/null then echo "error: cf-system namespace not found" echo " Please ensure Tanzu Application Service is installed on this cluster" exit 1 fi backup_name="tas4k8s-$(date -u +'%Y-%m-%d-%Hh%Mm%Ss')" ONE_DAY=24 ONE_YEAR=365 FOUR_YEARS="$((4*${ONE_YEAR}*${ONE_DAY}))h" velero create backup "${backup_name}" \ --include-namespaces cf-system,postgres-dbs \ --selector ‘app in (cf-metadata, postgres) \ --ttl "${FOUR_YEARS}" \ --wait
Create a Concourse Script
To automate Velero back up using a Concourse pipeline:
Create the following Concourse configuration:
--- resources: - name: every-3h type: time icon: clock-outline source: interval: 3h jobs: - name: backup plan: - get: every-3h trigger: true - task: create-backup config: platform: linux image_resource: type: registry-image source: repository: IMAGE-REPOSITORY params: SERVICE_ACCOUNT_KEY: ((service-account-key)) SERVICE_ZONE: ((service-zone)) SERVICE_CLUSTER_NAME: ((service-cluster-name)) run: path: /bin/bash args: - -c - | set -eu gcloud auth activate-service-account --key-file=<(echo "$SERVICE_ACCOUNT_KEY") gcloud container clusters get-credentials "${SERVICE_CLUSTER_NAME}" --zone "${SERVICE_ZONE}" if ! kubectl get namespace cf-system &> /dev/null then echo "error: cf-system namespace not found" echo " Please ensure Tanzu Application Service is installed on this cluster" exit 1 fi backup_name="tas4k8s-$(date -u +'%Y-%m-%d-%Hh%Mm%Ss')" ONE_DAY=24 ONE_YEAR=365 FOUR_YEARS="$((4*${ONE_YEAR}*${ONE_DAY}))h" velero create backup "${backup_name}" \ --include-namespaces postgres-dbs,cf-system \ --selector 'app in (cf-metadata, postgres)' \ --ttl "${FOUR_YEARS}" \ --wait velero backup describe "${backup_name}" --detailsWhere
IMAGE-REPOSITORYis the registry location for storing your backups.
For example:--- resources: - name: every-3h type: time icon: clock-outline source: interval: 3h jobs: - name: backup plan: - get: every-3h trigger: true - task: create-backup config: platform: linux image\_resource: type: registry-image source: repository: pcfplatformrecovery/backup-and-restore-cf-for-k8s params: SERVICE\_ACCOUNT\_KEY: ((service-account-key)) SERVICE\_ZONE: ((service-zone)) SERVICE\_CLUSTER\_NAME: ((service-cluster-name)) run: path: /bin/bash args: - -c - | set -eu gcloud auth activate-service-account --key-file=<(echo "$SERVICE\_ACCOUNT\_KEY") gcloud container clusters get-credentials "${SERVICE\_CLUSTER\_NAME}" --zone "${SERVICE\_ZONE}" if ! kubectl get namespace cf-system &> /dev/null then echo "error: cf-system namespace not found" echo " Please ensure Tanzu Application Service is installed on this cluster" exit 1 fi backup\_name="tas4k8s-$(date -u +'%Y-%m-%d-%Hh%Mm%Ss')" ONE\_DAY=24 ONE\_YEAR=365 FOUR\_YEARS="$((4*${ONE\_YEAR}*${ONE\_DAY}))h" velero create backup "${backup\_name}" \ --include-namespaces postgres-dbs,cf-system \ --selector 'app in (cf-metadata, postgres)' \ --ttl "${FOUR\_YEARS}" \ --wait velero backup describe "${backup\_name}" --detailsConfigure the pipeline to run with the following required parameters:
--var service-account-key=”SERVICE-ACCOUNT-KEY” --var service-zone=”ZONE-NAME” --var service-cluster-name=”CLUSTER-NAME"Where:
SERVICE-ACCOUNT-KEYis the content of service account key.ZONE-NAMEis the project zone where cluster is deployed.CLUSTER-NAMEis the name of the cluster to be backed up.
Review the Automated Velero Backup
To review or troubleshoot an automated backup, follow the steps in Review a Completed Backup in Backing Up Tanzu Application Service for Kubernetes.