Backing Up Tanzu Application Service for Kubernetes Using Automation

This topic provides an overview of how to back up Tanzu Application Service for Kubernetes (TAS for Kubernetes) using automation.

To back up TAS for Kubernetes manually, see Backing Up TAS for Kubernetes Manually.

Overview

To back up TAS for Kubernetes using automation:

  1. Create and Configure a Service Account for Backing Up
  2. Automate Your Velero Backup
  3. Review the Automated Velero Backup

Prerequisites

Complete the configuration for manual back up before proceeding with configuring automated back up. For more information, see Backing Up Tanzu Application Service for Kubernetes.

Create and Configure a Service Account for Backing Up

To create a service account to run the automated backup:

  1. Use your IaaS tools to create the service account:

    For example, to create a service account on GCP:

     
    gcloud iam service-accounts create velero-service-account \
        --display-name "Velero service account"
    

  2. Grant the new Velero service account permissions needed to complete the backup.

    For example, to grant the service account permissions on GCP:

     
    SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \
      --filter="displayName:Velero service account" \
      --format 'value(email)')

    PROJECT_ID=$(gcloud config get-value project)

    ROLE_PERMISSIONS=( compute.disks.get compute.disks.create compute.disks.createSnapshot compute.snapshots.get compute.snapshots.create compute.snapshots.useReadOnly compute.snapshots.delete compute.zones.get storage.buckets.get storage.objects.create storage.objects.delete storage.objects.list )

    gcloud iam roles create velero.server \ --project $PROJECT_ID \ --title "Velero Server" \ --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"

    gcloud projects add-iam-policy-binding $PROJECT_ID \ --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \ --role projects/$PROJECT_ID/roles/velero.server

    gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://velero-demo-bucket

  3. To create a service account key, use your IaaS tools to create the key. Specify for the IaaS tool to create a credentials-velero output file to your local directory.

    For example, to create a service account key on GCP:

     
    gcloud iam service-accounts keys create credentials-velero \
        --iam-account $SERVICE_ACCOUNT_EMAIL
    

Automate Your Velero Backup

There are two methods for automating your Velero backup:

Create a Bash Script

To create a Velero backup script:

  1. Create a bash script with the following content:

    #!/usr/bin/env bash
    
    set -euo pipefail
    
    if ! kubectl get namespace cf-system &> /dev/null
    then
        echo "error: cf-system namespace not found"
        echo "  Please ensure Tanzu Application Service is installed on this cluster"
        exit 1
    fi
    
    backup_name="tas4k8s-$(date -u +'%Y-%m-%d-%Hh%Mm%Ss')"
    
    ONE_DAY=24
    ONE_YEAR=365
    FOUR_YEARS="$((4*${ONE_YEAR}*${ONE_DAY}))h"
    
    velero create backup "${backup_name}" \
       --include-namespaces cf-system,postgres-dbs \
        --selector ‘app in (cf-metadata, postgres) \
        --ttl "${FOUR_YEARS}" \
        --wait
    

Create a Concourse Script

To automate Velero back up using a Concourse pipeline:

  1. Create the following Concourse configuration:

    ---
    resources:
    - name: every-3h
      type: time
      icon: clock-outline
      source:
        interval: 3h
    
    jobs:
    - name: backup
      plan:
      - get: every-3h
        trigger: true
      - task: create-backup
        config:
          platform: linux
          image_resource:
            type: registry-image
            source:
              repository: IMAGE-REPOSITORY
          params:
            SERVICE_ACCOUNT_KEY: ((service-account-key))
            SERVICE_ZONE: ((service-zone))
            SERVICE_CLUSTER_NAME: ((service-cluster-name))
          run:
            path: /bin/bash
            args:
              - -c
              - |
                set -eu
    
                gcloud auth activate-service-account --key-file=<(echo "$SERVICE_ACCOUNT_KEY")
                gcloud container clusters get-credentials "${SERVICE_CLUSTER_NAME}" --zone "${SERVICE_ZONE}"
    
                if ! kubectl get namespace cf-system &> /dev/null
                then
                  echo "error: cf-system namespace not found"
                  echo "  Please ensure Tanzu Application Service is installed on this cluster"
                  exit 1
                fi
    
                backup_name="tas4k8s-$(date -u +'%Y-%m-%d-%Hh%Mm%Ss')"
    
                ONE_DAY=24
                ONE_YEAR=365
                FOUR_YEARS="$((4*${ONE_YEAR}*${ONE_DAY}))h"
    
                velero create backup "${backup_name}" \
                  --include-namespaces postgres-dbs,cf-system \
                  --selector 'app in (cf-metadata, postgres)' \
                  --ttl "${FOUR_YEARS}" \
                  --wait
    
                velero backup describe "${backup_name}" --details
    

    Where IMAGE-REPOSITORY is the registry location for storing your backups.

    For example:

    ---
    resources:
    - name: every-3h
      type: time
      icon: clock-outline
      source:
        interval: 3h
    jobs:
    - name: backup
      plan:
      - get: every-3h
        trigger: true
      - task: create-backup
        config:
          platform: linux
          image\_resource:
            type: registry-image
            source:
              repository: pcfplatformrecovery/backup-and-restore-cf-for-k8s
          params:
            SERVICE\_ACCOUNT\_KEY: ((service-account-key))
            SERVICE\_ZONE: ((service-zone))
            SERVICE\_CLUSTER\_NAME: ((service-cluster-name))
          run:
            path: /bin/bash
            args:
              - -c
              - |
                set -eu
    
                gcloud auth activate-service-account --key-file=<(echo "$SERVICE\_ACCOUNT\_KEY")
                gcloud container clusters get-credentials "${SERVICE\_CLUSTER\_NAME}" --zone "${SERVICE\_ZONE}"
    
                if ! kubectl get namespace cf-system &> /dev/null
                then
                  echo "error: cf-system namespace not found"
                  echo "  Please ensure Tanzu Application Service is installed on this cluster"
                  exit 1
                fi
    
                backup\_name="tas4k8s-$(date -u +'%Y-%m-%d-%Hh%Mm%Ss')"
    
                ONE\_DAY=24
                ONE\_YEAR=365
                FOUR\_YEARS="$((4*${ONE\_YEAR}*${ONE\_DAY}))h"
    
                velero create backup "${backup\_name}" \
                  --include-namespaces postgres-dbs,cf-system \
                  --selector 'app in (cf-metadata, postgres)' \
                  --ttl "${FOUR\_YEARS}" \
                  --wait
    
                velero backup describe "${backup\_name}" --details
    
  2. Configure the pipeline to run with the following required parameters:

    --var service-account-key=”SERVICE-ACCOUNT-KEY”
    --var service-zone=”ZONE-NAME”
    --var service-cluster-name=”CLUSTER-NAME"
    

    Where:

    • SERVICE-ACCOUNT-KEY is the content of service account key.
    • ZONE-NAME is the project zone where cluster is deployed.
    • CLUSTER-NAME is the name of the cluster to be backed up.

Review the Automated Velero Backup

To review or troubleshoot an automated backup, follow the steps in Review a Completed Backup in Backing Up Tanzu Application Service for Kubernetes.