示例

本节包含 Backup 和 Restore 自定义资源的示例。

默认的备份存储位置是在安装或升级 rancher-backup operator 时配置的。

只有 Restore 自定义资源使用创建备份时使用的加密配置密文时,才能还原加密的备份。

备份

本节包含 Backup 自定义资源的示例。

注意:有关配置以下选项的更多信息,请参阅备份配置参考页面

在默认位置进行加密备份

  1. apiVersion: resources.cattle.io/v1
  2. kind: Backup
  3. metadata:
  4. name: default-location-encrypted-backup
  5. spec:
  6. resourceSetName: rancher-resource-set
  7. encryptionConfigSecretName: encryptionconfig

在默认位置进行定期备份

  1. apiVersion: resources.cattle.io/v1
  2. kind: Backup
  3. metadata:
  4. name: default-location-recurring-backup
  5. spec:
  6. resourceSetName: rancher-resource-set
  7. schedule: "@every 1h"
  8. retentionCount: 10

在默认位置进行加密的定期备份

  1. apiVersion: resources.cattle.io/v1
  2. kind: Backup
  3. metadata:
  4. name: default-enc-recurring-backup
  5. spec:
  6. resourceSetName: rancher-resource-set
  7. encryptionConfigSecretName: encryptionconfig
  8. schedule: "@every 1h"
  9. retentionCount: 3

Minio 中的加密备份

  1. apiVersion: resources.cattle.io/v1
  2. kind: Backup
  3. metadata:
  4. name: minio-backup
  5. spec:
  6. storageLocation:
  7. s3:
  8. credentialSecretName: minio-creds
  9. credentialSecretNamespace: default
  10. bucketName: rancherbackups
  11. endpoint: minio.xip.io
  12. endpointCA: <base64-encoded-cert>
  13. resourceSetName: rancher-resource-set
  14. encryptionConfigSecretName: encryptionconfig

使用 AWS 凭证密文在 S3 中备份

  1. apiVersion: resources.cattle.io/v1
  2. kind: Backup
  3. metadata:
  4. name: s3-backup
  5. spec:
  6. storageLocation:
  7. s3:
  8. credentialSecretName: s3-creds
  9. credentialSecretNamespace: default
  10. bucketName: rancher-backups
  11. folder: ecm1
  12. region: us-west-2
  13. endpoint: s3.us-west-2.amazonaws.com
  14. resourceSetName: rancher-resource-set
  15. encryptionConfigSecretName: encryptionconfig

使用 AWS 凭证密文在 S3 中进行定期备份

  1. apiVersion: resources.cattle.io/v1
  2. kind: Backup
  3. metadata:
  4. name: s3-recurring-backup
  5. spec:
  6. storageLocation:
  7. s3:
  8. credentialSecretName: s3-creds
  9. credentialSecretNamespace: default
  10. bucketName: rancher-backups
  11. folder: ecm1
  12. region: us-west-2
  13. endpoint: s3.us-west-2.amazonaws.com
  14. resourceSetName: rancher-resource-set
  15. encryptionConfigSecretName: encryptionconfig
  16. schedule: "@every 1h"
  17. retentionCount: 10

从具有访问 S3 的 IAM 权限的 EC2 节点进行备份

这个例子表明,如果运行 rancher-backup 的节点拥有这些访问 S3 的权限,就不必提供 AWS 的凭证密文来创建备份。

  1. apiVersion: resources.cattle.io/v1
  2. kind: Backup
  3. metadata:
  4. name: s3-iam-backup
  5. spec:
  6. storageLocation:
  7. s3:
  8. bucketName: rancher-backups
  9. folder: ecm1
  10. region: us-west-2
  11. endpoint: s3.us-west-2.amazonaws.com
  12. resourceSetName: rancher-resource-set
  13. encryptionConfigSecretName: encryptionconfig

还原

本节包含 Restore 自定义资源的示例。

注意:有关配置以下选项的更多信息,请参阅恢复配置参考页面

使用默认备份文件位置还原

  1. apiVersion: resources.cattle.io/v1
  2. kind: Restore
  3. metadata:
  4. name: restore-default
  5. spec:
  6. backupFilename: default-location-recurring-backup-752ecd87-d958-4d20-8350-072f8d090045-2020-09-26T12-29-54-07-00.tar.gz
  7. # encryptionConfigSecretName: test-encryptionconfig

为 Rancher 迁移进行还原

  1. apiVersion: resources.cattle.io/v1
  2. kind: Restore
  3. metadata:
  4. name: restore-migration
  5. spec:
  6. backupFilename: backup-b0450532-cee1-4aa1-a881-f5f48a007b1c-2020-09-15T07-27-09Z.tar.gz
  7. prune: false
  8. storageLocation:
  9. s3:
  10. credentialSecretName: s3-creds
  11. credentialSecretNamespace: default
  12. bucketName: rancher-backups
  13. folder: ecm1
  14. region: us-west-2
  15. endpoint: s3.us-west-2.amazonaws.com

使用加密的备份还原

  1. apiVersion: resources.cattle.io/v1
  2. kind: Restore
  3. metadata:
  4. name: restore-encrypted
  5. spec:
  6. backupFilename: default-test-s3-def-backup-c583d8f2-6daf-4648-8ead-ed826c591471-2020-08-24T20-47-05Z.tar.gz
  7. encryptionConfigSecretName: encryptionconfig

从 Minio 还原加密的备份

  1. apiVersion: resources.cattle.io/v1
  2. kind: Restore
  3. metadata:
  4. name: restore-minio
  5. spec:
  6. backupFilename: default-minio-backup-demo-aa5c04b7-4dba-4c48-9ac4-ab7916812eaa-2020-08-30T13-18-17-07-00.tar.gz
  7. storageLocation:
  8. s3:
  9. credentialSecretName: minio-creds
  10. credentialSecretNamespace: default
  11. bucketName: rancherbackups
  12. endpoint: minio.xip.io
  13. endpointCA: <base64-encoded-cert>
  14. encryptionConfigSecretName: test-encryptionconfig

使用 AWS 凭证密文访问 S3 从备份中还原

  1. apiVersion: resources.cattle.io/v1
  2. kind: Restore
  3. metadata:
  4. name: restore-s3-demo
  5. spec:
  6. backupFilename: test-s3-recurring-backup-752ecd87-d958-4d20-8350-072f8d090045-2020-09-26T12-49-34-07-00.tar.gz.enc
  7. storageLocation:
  8. s3:
  9. credentialSecretName: s3-creds
  10. credentialSecretNamespace: default
  11. bucketName: rancher-backups
  12. folder: ecm1
  13. region: us-west-2
  14. endpoint: s3.us-west-2.amazonaws.com
  15. encryptionConfigSecretName: test-encryptionconfig

从具有访问 S3 的 IAM 权限的 EC2 节点进行还原

这个例子表明,如果运行 rancher-backup 的节点拥有这些访问 S3 的权限,就不必提供 AWS 的凭证密文来从备份中还原。

  1. apiVersion: resources.cattle.io/v1
  2. kind: Restore
  3. metadata:
  4. name: restore-s3-demo
  5. spec:
  6. backupFilename: default-test-s3-recurring-backup-84bf8dd8-0ef3-4240-8ad1-fc7ec308e216-2020-08-24T10#52#44-07#00.tar.gz
  7. storageLocation:
  8. s3:
  9. bucketName: rajashree-backup-test
  10. folder: ecm1
  11. region: us-west-2
  12. endpoint: s3.us-west-2.amazonaws.com
  13. encryptionConfigSecretName: test-encryptionconfig

在 S3 中存储备份的凭证密文示例

  1. apiVersion: v1
  2. kind: Secret
  3. metadata:
  4. name: creds
  5. type: Opaque
  6. data:
  7. accessKey: <Enter your base64-encoded access key>
  8. secretKey: <Enter your base64-encoded secret key>

EncryptionConfiguration 示例

以下代码片段演示了两种不同类型的密文及其与自定义资源的备份和还原的相关性。

第一个示例是用于加密备份文件的密钥。在这种情况下,Backup operator 将无法读取密文加密文件。它只使用密文的内容。

第二个示例是 Kubernetes 密文加密配置文件,用于加密存储在 etcd 中的密文。备份 etcd 数据存储时,请务必同时备份 EncryptionConfiguration。如果你没有这样做,而且备份数据时正在使用密文加密,你将无法使用恢复的数据。

  1. apiVersion: apiserver.config.k8s.io/v1
  2. kind: EncryptionConfiguration
  3. resources:
  4. - resources:
  5. - secrets
  6. providers:
  7. - aesgcm:
  8. keys:
  9. - name: key1
  10. secret: c2VjcmV0IGlzIHNlY3VyZQ==
  11. - name: key2
  12. secret: dGhpcyBpcyBwYXNzd29yZA==
  13. - aescbc:
  14. keys:
  15. - name: key1
  16. secret: c2VjcmV0IGlzIHNlY3VyZQ==
  17. - name: key2
  18. secret: dGhpcyBpcyBwYXNzd29yZA==
  19. - secretbox:
  20. keys:
  21. - name: key1
  22. secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=