website
website copied to clipboard
cert-manager
Backup and Restore Resources
This concerns the page https://cert-manager.io/next-docs/tutorials/backup/
This issue is related to https://github.com/jetstack/cert-manager/issues/2112.
I'm sorry, but the backup/restoration process does simply not work as advertised, and conveys a false sense of security. I'd argue it should be removed or, at the very least, augmented with a warning of some kind.
This procedure is really misleading and does not work like that... Luckily I did it on staging environment first...
I could manage to restore my backup using the following (suboptimal/error prone/bizarre) procedure:
- Take a 2nd backup from the created resources that we wanna overwrite:
kubectl get -o yaml \
--all-namespaces \
issuer,clusterissuer,certificates,certificaterequests > cert-manager-backup-2.yaml
-
Just to play safe: please don't forget to version your 1st backup YAML file before continuing...
-
Put your 1st backup (let's say:
cert-manager-backup-1.yaml) side by side with the 2nd backup (cert-manager-backup-2.yaml) on the text editor... -
On the 1st backup file, make sure to replace the following fields using the values from the 2nd backup on their equivalent code regions:
-
creationTimestamp -
resourceVersion -
uid -
lastTransitionTime
-
-
Apply the changes you made on top of your 1st backup file:
kubectl apply -f cert-manager-backup-staging.yaml
- It worked for me and I hope that helps while we don't have a "clean" backup/restore procedure that we can follow...
Hey @ailox
Thanks for the bug report. There are a bunch of similar issues in the cert-manager repo too. We need to document (and test) an improved process for restoring cert-manager backups:
@wallrj: The label(s) priority/important cannot be applied, because the repository doesn't have them
In response to this:
/priority important
Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.
In https://github.com/cert-manager/website/issues/397#issuecomment-755345251 @meyskens wrote:
Is it better to backup these secrets, or let LE re-issue?Probably better to backup the secrets too unless you think the storage medium of your backups is compromised/easy to infiltrate. It will allow to:
restore certificates before everything us online to solve the ACME challenges not hit the LE rate limitsIf you are sharing the backup on something like a Git repo, Slack, shared computer,... I would avoid it as it will leak your private key.
In https://github.com/jetstack/cert-manager/issues/2112#issuecomment-619076005 @munnerz wrote:
As noted above, I don't think it's trivial for us to create an entirely 'restorable' resource that can be applied during the restore phase.
I think we can take this issue and turn it into one of two things:
Documenting how to perform the backup/restore process with something like Velero Extending our own CLI tool to have a dedicated backup and restore subcomannd.I think (2) would be really interesting/useful for users, although in a lot of cases (1) may be more appropriate if you're running backups across a large number of clusters/regularly.