Add a backup repository

This page describes how to create a backup repository for cluster workloads in Google Distributed Cloud (GDC) air-gapped.

A backup repository represents a compatible storage location for your backups. A backup repository is also used to store records of backups, backup plans, restore plans, and restores.

Before you begin

To create a backup repository, you must have the following:

Compatible endpoint: The fully qualified domain name of your object storage site.
Bucket name: The name of the bucket, found in the status of the GDC bucket custom resource.
Bucket access: Configured permissions for the object storage bucket.
Service identity: A service account to manage API interactions. Replace the variable SA_NAME in these instructions with the name of the service account you use to access object storage.

Request IAM roles

Contact your Organization IAM Admin to request the following role on your project:

Organization Cluster Backup Admin (organization-cluster-backup-admin): create, get, list, watch and delete backup resources such as backup and restore plans in user clusters.

Create a repository

Create a repository by using the GDC console or the API.

Console

Sign in to the GDC console.
In the navigation menu, click Backup for Clusters. Ensure no project is selected in the project selector.
Click Repository > Create Repository.
Enter a repository name. The description is optional.
In the S3 URI endpoint field, enter an endpoint containing the fully-qualified domain name of your object storage site.
In the Bucket name field, enter the name of the fully qualified name of the bucket, found from the status of the GDC bucket custom resource.
In the Bucket region field, enter the region where the bucket was created.
In the Access Key ID list, enter the access key ID from the bucket Secret.
In the Access key field, enter the access key from the bucket Secret.
Click Create.

API

To use the backup and restore APIs, you must configure a valid ClusterBackupRepository custom resource and supply the required credentials. You must also use a service identity, often referred to as a service account to create repositories with the API.

Get the name of the secret that contains S3 credentials:
```
export PROJECT_NAME=PROJECT_NAME
export SA_NAME=SA_NAME
kubectl get secrets --namespace $PROJECT_NAME -o json | jq -r --arg USER_NAME "${SA_NAME:?}" '.items[] | select( (.metadata.annotations."object.gdc.goog/subject"==$USER_NAME)) | .metadata.name'
```
Make sure to record the secret name returned by the command and use it as the SECRET_NAME value when you create your ClusterBackupRepository custom resource.

Replace the following:
- PROJECT_NAME: the name of your project.
- SA_NAME: the name of the service account used to access object storage.
To get bucket details like FQDN and endpoints, extract the fullyQualifiedName and zonalEndpoints values from the output:
```
kubectl get buckets -n PROJECT_NAME BUCKET_NAME -o yaml
```
Add a ClusterBackupRepository custom resource to use these credentials and apply the new resource to the Management API server. Backup repositories are cluster-scoped:
```
apiVersion: backup.gdc.goog/v1
kind: ClusterBackupRepository
metadata:
  name: CLUSTER_BACKUP_REPOSITORY
  namespace: PROJECT_NAME
spec:
  secretReference:
    namespace: PROJECT_NAME
    name: SECRET_NAME
  endpoint: END_POINT
  type: "S3"
  s3Options:
    bucket: BUCKET_FQDN
    region: REGION
    forcePathStyle: FORCE_PATH_STYLE
  importPolicy: IMPORT_POLICY
```
Replace the following:
- CLUSTER_BACKUP_REPOSITORY: the name of the cluster backup repository.
- PROJECT_NAME: the name of your project.
- SA_NAME: the name of the service account used to access object storage.
- SECRET_NAME: the name of the secret returned from the kubectl get secrets command.
- ENDPOINT: the fully qualified domain name for the storage system, for example, https://objectstorage.google.gdch.test. For the type field, only a value of S3 is supported.
- BUCKET_FQDN: the fully qualified name of the bucket.
- REGION: the region where the bucket was created.
- FORCE_PATH_STYLE: use the forcePathStyle field to force path style URLs for objects. This field must have a value of true or false.
- IMPORT_POLICY: set to one of the following:
  - ReadWrite: This repository can be used to schedule or create backups, backup plans, and restores.
  - ReadOnly: This repository can only be used to import and view backups. You can't create new backups or resources in this repository, but restores can use and reference read-only backups for restoration. There is no restriction on how often you can use a backup repository as ReadOnly.

Backup repository import policies

All clusters must have at least one ReadWrite repository to successfully use backup and restore features. ReadOnly repositories are optional, have no limit, and are used to gain visibility into other cluster backups for cross-cluster restores.

ReadOnly repositories cannot be used as storage locations for additional backups or for backup plans within the cluster they were imported.

Importing a repository as ReadWrite claims the repository for that cluster, preventing other clusters from importing the same repository as ReadWrite. After importing a ReadWrite repository, all records of previous backups, backup plans, and restores in that repository are imported into the target cluster as local custom resources.

Importing a repository as ReadOnly does not claim the repository, it only imports the backups, backup plans, restores, and restore plans. Backup plans in read-only repositories don't schedule backups, they exist to provide visibility into what backup plans exist in the cluster you are importing from. Removing a ReadOnly repository cleans up any imported resources from the cluster and has no effect on the resources in the storage location as no write operations occur to object storage for read-only repositories.

When a ReadWrite repository is removed from the cluster:

All local custom resources associated with that repository, such as backups and restores, are removed from the current cluster.
That cluster's claim on the repository is removed, allowing the repository to be used as ReadWrite by another cluster. However, these resources are not removed from the storage endpoint.

Add a backup repository Stay organized with collections Save and categorize content based on your preferences.