×

You can include a self-signed Certificate Authority (CA) certificate in the Data Protection Application (DPA) and then back up an application. You store the backup in a NooBaa bucket provided by Red Hat OpenShift Data Foundation (ODF).

Backing up an application and its self-signed CA certificate

The s3.openshift-storage.svc service, provided by ODF, uses a Transport Layer Security protocol (TLS) certificate that is signed with the self-signed service CA.

To prevent a certificate signed by unknown authority error, you must include a self-signed CA certificate in the backup storage location (BSL) section of DataProtectionApplication custom resource (CR). For this situation, you must complete the following tasks:

  • Request a NooBaa bucket by creating an object bucket claim (OBC).

  • Extract the bucket details.

  • Include a self-signed CA certificate in the DataProtectionApplication CR.

  • Back up an application.

Prerequisites
  • You installed the OADP Operator.

  • You installed the ODF Operator.

  • You have an application with a database running in a separate namespace.

Procedure
  1. Create an OBC manifest to request a NooBaa bucket as shown in the following example:

    Example ObjectBucketClaim CR
    apiVersion: objectbucket.io/v1alpha1
    kind: ObjectBucketClaim
    metadata:
      name: test-obc (1)
      namespace: openshift-adp
    spec:
      storageClassName: openshift-storage.noobaa.io
      generateBucketName: test-backup-bucket (2)
    1 Specifies the name of the object bucket claim.
    2 Specifies the name of the bucket.
  2. Create the OBC by running the following command:

    $ oc create -f <obc_file_name>
  3. When you create an OBC, ODF creates a secret and a ConfigMap with the same name as the object bucket claim. The secret object contains the bucket credentials, and the ConfigMap object contains information to access the bucket. To get the bucket name and bucket host from the generated config map, run the following command:

    $ oc extract --to=- cm/test-obc (1)
    1 The name of the OBC is test-obc.
    Example output
    # BUCKET_NAME
    backup-c20...41fd
    # BUCKET_PORT
    443
    # BUCKET_REGION
    
    # BUCKET_SUBREGION
    
    # BUCKET_HOST
    s3.openshift-storage.svc
  4. To get the bucket credentials from the secret object , run the following command:

    $ oc extract --to=- secret/test-obc
    Example output
    # AWS_ACCESS_KEY_ID
    ebYR....xLNMc
    # AWS_SECRET_ACCESS_KEY
    YXf...+NaCkdyC3QPym
  5. Create a cloud-credentials file with the object bucket credentials by using the following example configuration:

    [default]
    aws_access_key_id=<AWS_ACCESS_KEY_ID>
    aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
  6. Create the cloud-credentials secret with the cloud-credentials file content by running the following command:

    $ oc create secret generic \
      cloud-credentials \
      -n openshift-adp \
      --from-file cloud=cloud-credentials
  7. Extract the service CA certificate from the openshift-service-ca.crt config map by running the following command. Ensure that you encode the certificate in Base64 format and note the value to use in the next step.

    $ oc get cm/openshift-service-ca.crt \
      -o jsonpath='{.data.service-ca\.crt}' | base64 -w0; echo
    Example output
    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0...
    ....gpwOHMwaG9CRmk5a3....FLS0tLS0K
  8. Configure the DataProtectionApplication CR manifest file with the bucket name and CA certificate as shown in the following example:

    Example DataProtectionApplication CR
    apiVersion: oadp.openshift.io/v1alpha1
    kind: DataProtectionApplication
    metadata:
      name: oadp-backup
      namespace: openshift-adp
    spec:
      configuration:
        nodeAgent:
          enable: true
          uploaderType: kopia
        velero:
          defaultPlugins:
            - aws
            - openshift
            - csi
          defaultSnapshotMoveData: true
      backupLocations:
        - velero:
            config:
              profile: "default"
              region: noobaa
              s3Url: https://s3.openshift-storage.svc
              s3ForcePathStyle: "true"
              insecureSkipTLSVerify: "false" (1)
            provider: aws
            default: true
            credential:
              key: cloud
              name:  cloud-credentials
            objectStorage:
              bucket: <bucket_name> (2)
              prefix: oadp
              caCert: <ca_cert> (3)
    1 The insecureSkipTLSVerify flag can be set to either true or false. If set to "true", SSL/TLS security is disabled. If set to false, SSL/TLS security is enabled.
    2 Specify the name of the bucket extracted in an earlier step.
    3 Copy and paste the Base64 encoded certificate from the previous step.
  9. Create the DataProtectionApplication CR by running the following command:

    $ oc apply -f <dpa_filename>
  10. Verify that the DataProtectionApplication CR is created successfully by running the following command:

    $ oc get dpa -o yaml
    Example output
    apiVersion: v1
    items:
    - apiVersion: oadp.openshift.io/v1alpha1
      kind: DataProtectionApplication
      metadata:
        namespace: openshift-adp
        #...#
      spec:
        backupLocations:
        - velero:
            config:
              #...#
      status:
        conditions:
        - lastTransitionTime: "20....9:54:02Z"
          message: Reconcile complete
          reason: Complete
          status: "True"
          type: Reconciled
    kind: List
    metadata:
      resourceVersion: ""
  11. Verify that the backup storage location (BSL) is available by running the following command:

    $ oc get backupstoragelocations.velero.io -n openshift-adp
    Example output
    NAME           PHASE       LAST VALIDATED   AGE   DEFAULT
    dpa-sample-1   Available   3s               15s   true
  12. Configure the Backup CR by using the following example:

    Example Backup CR
    apiVersion: velero.io/v1
    kind: Backup
    metadata:
      name: test-backup
      namespace: openshift-adp
    spec:
      includedNamespaces:
      - <application_namespace> (1)
    1 Specify the namespace for the application to back up.
  13. Create the Backup CR by running the following command:

    $ oc apply -f <backup_cr_filename>
Verification
  • Verify that the Backup object is in the Completed phase by running the following command:

    $ oc describe backup test-backup -n openshift-adp
    Example output
    Name:         test-backup
    Namespace:    openshift-adp
    # ....#
    Status:
      Backup Item Operations Attempted:  1
      Backup Item Operations Completed:  1
      Completion Timestamp:              2024-09-25T10:17:01Z
      Expiration:                        2024-10-25T10:16:31Z
      Format Version:                    1.1.0
      Hook Status:
      Phase:  Completed
      Progress:
        Items Backed Up:  34
        Total Items:      34
      Start Timestamp:    2024-09-25T10:16:31Z
      Version:            1
    Events:               <none>