
Documentation for endpointCA feature #230

Open · mboncalo opened this issue 1 year ago • 1 comment

Hi,

I've been trying the CNPG operator with the cluster helm charts and I couldn't make the S3 backup work. We have a MinIO S3 CRD provided by our cloud provider (Gardner) and a secret with all S3 bucket details including the endpointCABundle. I tried creating a new secret:

```yaml
endpointCA:
  # -- Creates a secret with the given value if true, otherwise uses an existing secret.
  create: true
  name: "bucket-postgres-service-1"
  key: "s3_ca_bundle"
  value: "IyBrdWJlLX..." # CA bundle value from bucket secret
```

Use the existing secret:

```yaml
endpointCA:
  # -- Creates a secret with the given value if true, otherwise uses an existing secret.
  create: false
  name: "s3-bucket-postgres-service-1"
  key: "s3_ca_bundle"
  value: ""

destinationPath: ""
# -- One of s3, azure or google
provider: s3
s3:
  region: "" # tried "default" and "us-east-1" as well
  bucket: "5437053e567993e87f73a0cd1aafb5b04f1b85334d32a534acb8a1b8"
  path: "/"
  accessKey: ""
  secretKey: ""
azure:
  path: "/"
  connectionString: ""
  storageAccount: ""
  storageKey: ""
  storageSasToken: ""
  containerName: ""
  serviceName: blob
  inheritFromAzureAD: false
google:
  path: "/"
  bucket: ""
  gkeEnvironment: false
  applicationCredentials: ""
secret:
  # -- Whether to create a secret for the backup credentials
  create: true
  # -- Name of the backup credentials secret
  name: "service-1-backup"

scheduledBackups:
  -
    # -- Scheduled backup name
    name: daily-backup
    # -- Schedule in cron format
    schedule: "0 */5 * * * *"
    # -- Backup owner reference
    backupOwnerReference: self
    # -- Backup method, can be barmanObjectStore (default) or volumeSnapshot
    method: barmanObjectStore

# -- Retention policy for backups
retentionPolicy: "30d"
```

Operator says in the logs that it's doing backups:

```json
{"level":"info","ts":"2024-06-12T16:55:00Z","msg":"Next backup schedule","controller":"scheduledbackup","controllerGroup":"postgresql.cnpg.io","controllerKind":"ScheduledBackup","ScheduledBackup":{"name":"service-1-daily-backup","namespace":"postgres"},"namespace":"postgres","name":"service-1-daily-backup","reconcileID":"c5b94074-f9d3-4918-a2fa-efac38036a85","next":"2024-06-12T16:55:00Z"}
{"level":"info","ts":"2024-06-12T16:55:00Z","msg":"Creating backup","controller":"scheduledbackup","controllerGroup":"postgresql.cnpg.io","controllerKind":"ScheduledBackup","ScheduledBackup":{"name":"service-1-daily-backup","namespace":"postgres"},"namespace":"postgres","name":"service-1-daily-backup","reconcileID":"c5b94074-f9d3-4918-a2fa-efac38036a85","backupName":"service-1-daily-backup-20240612165500"}
{"level":"info","ts":"2024-06-12T16:55:00Z","logger":"backup-resource","msg":"default","version":"v1","name":"service-1-daily-backup-20240612165500","namespace":"postgres"}
{"level":"info","ts":"2024-06-12T16:55:00Z","logger":"backup-resource","msg":"validate create","version":"v1","name":"service-1-daily-backup-20240612165500","namespace":"postgres"}
{"level":"info","ts":"2024-06-12T16:55:00Z","msg":"Next backup schedule","controller":"scheduledbackup","controllerGroup":"postgresql.cnpg.io","controllerKind":"ScheduledBackup","ScheduledBackup":{"name":"service-1-daily-backup","namespace":"postgres"},"namespace":"postgres","name":"service-1-daily-backup","reconcileID":"c5b94074-f9d3-4918-a2fa-efac38036a85","next":"2024-06-12T16:55:00Z"}
{"level":"info","ts":"2024-06-12T16:55:00Z","msg":"Next backup schedule","controller":"scheduledbackup","controllerGroup":"postgresql.cnpg.io","controllerKind":"ScheduledBackup","ScheduledBackup":{"name":"service-1-daily-backup","namespace":"postgres"},"namespace":"postgres","name":"service-1-daily-backup","reconcileID":"4197f8c9-e524-4cfc-bedf-dabfd0056210","next":"2024-06-12T17:00:00Z"}
{"level":"info","ts":"2024-06-12T16:55:35Z","msg":"Starting backup","controller":"backup","controllerGroup":"postgresql.cnpg.io","controllerKind":"Backup","Backup":{"name":"service-1-daily-backup-20240612161035","namespace":"postgres"},"namespace":"postgres","name":"service-1-daily-backup-20240612161035","reconcileID":"b9c0cc7b-5908-42ce-9b0b-aed6f0a77377","cluster":"service-1","pod":"service-1-2"}
{"level":"info","ts":"2024-06-12T17:00:00Z","msg":"Next backup schedule","controller":"scheduledbackup","controllerGroup":"postgresql.cnpg.io","controllerKind":"ScheduledBackup","ScheduledBackup":{"name":"service-1-daily-backup","namespace":"postgres"},"namespace":"postgres","name":"service-1-daily-backup","reconcileID":"87718222-d4bd-44fa-8061-bdb5fed386a6","next":"2024-06-12T17:00:00Z"}
{"level":"info","ts":"2024-06-12T17:00:00Z","msg":"Creating backup","controller":"scheduledbackup","controllerGroup":"postgresql.cnpg.io","controllerKind":"ScheduledBackup","ScheduledBackup":{"name":"service-1-daily-backup","namespace":"postgres"},"namespace":"postgres","name":"service-1-daily-backup","reconcileID":"87718222-d4bd-44fa-8061-bdb5fed386a6","backupName":"service-1-daily-backup-20240612170000"}
{"level":"info","ts":"2024-06-12T17:00:00Z","logger":"backup-resource","msg":"default","version":"v1","name":"service-1-daily-backup-20240612170000","namespace":"postgres"}
{"level":"info","ts":"2024-06-12T17:00:00Z","logger":"backup-resource","msg":"validate create","version":"v1","name":"service-1-daily-backup-20240612170000","namespace":"postgres"}
{"level":"info","ts":"2024-06-12T17:00:00Z","msg":"Next backup schedule","controller":"scheduledbackup","controllerGroup":"postgresql.cnpg.io","controllerKind":"ScheduledBackup","ScheduledBackup":{"name":"service-1-daily-backup","namespace":"postgres"},"namespace":"postgres","name":"service-1-daily-backup","reconcileID":"87718222-d4bd-44fa-8061-bdb5fed386a6","next":"2024-06-12T17:00:00Z"}
{"level":"info","ts":"2024-06-12T17:00:00Z","msg":"Next backup schedule","controller":"scheduledbackup","controllerGroup":"postgresql.cnpg.io","controllerKind":"ScheduledBackup","ScheduledBackup":{"name":"service-1-daily-backup","namespace":"postgres"},"namespace":"postgres","name":"service-1-daily-backup","reconcileID":"f76b06a4-e6b3-49dc-80bf-d3854a1bae9a","next":"2024-06-12T17:05:00Z"}
```

```
T00155ae05:charts psy$ kubectl --namespace postgres get backups --selector cnpg.io/cluster=service-1|tail
service-1-daily-backup-20240612164054   20m     service-1   barmanObjectStore
service-1-daily-backup-20240612164055   20m     service-1   barmanObjectStore
service-1-daily-backup-20240612164056   20m     service-1   barmanObjectStore
service-1-daily-backup-20240612164057   20m     service-1   barmanObjectStore
service-1-daily-backup-20240612164058   20m     service-1   barmanObjectStore
service-1-daily-backup-20240612164059   20m     service-1   barmanObjectStore
service-1-daily-backup-20240612164500   16m     service-1   barmanObjectStore
service-1-daily-backup-20240612165000   11m     service-1   barmanObjectStore
service-1-daily-backup-20240612165500   6m51s   service-1   barmanObjectStore
service-1-daily-backup-20240612170000   111s    service-1   barmanObjectStore
```

mboncalo, Jun 12 '24 17:06

Here is a minimal example of a MinIO configuration:

```yaml
mode: standalone
cluster:
  instances: 2
  storage:
    size: 256Mi
backups:
  enabled: true
  provider: s3
  endpointURL: "https://minio.minio.svc.cluster.local"
  endpointCA:
    name: kube-root-ca.crt
    key: ca.crt
  wal:
    encryption: ""
  data:
    encryption: ""
  s3:
    bucket: "mybucket"
    path: "/v1"
    accessKey: "minio"
    secretKey: "minio123"
    region: "local"
  scheduledBackups: []
  retentionPolicy: "30d"
```

The kube-root-ca you can create/fetch like so:

```shell
kubectl -n $NAMESPACE create secret generic kube-root-ca.crt --from-literal=ca.crt="$(kubectl -n kube-system get configmaps kube-root-ca.crt -o jsonpath='{.data.ca\.crt}')" --dry-run=client -o yaml | kubectl apply -f -
```

This is because by default you're getting the Kubernetes cluster self-signed certificates and this way you are explicitly whitelisting them.

For a proper setup refer to the operator documentation: here and here.

itay-grudev, Jun 26 '24 17:06
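The one-liner above copies the `ca.crt` key of the `kube-root-ca.crt` ConfigMap into a Secret that `backups.endpointCA` then points at. The following added example (not code from the chart, the operator or either commenter) does the same transformation in Python and adds the check a reviewer would want before trusting the bundle: the value must contain at least one PEM certificate and must not carry a private key. The ConfigMap JSON is constructed and its certificate body is placeholder text, not a real certificate.

```python
"""Build the endpointCA Secret from a kube-root-ca.crt ConfigMap and
sanity-check the CA bundle first.  Added example; the sample input is constructed."""
import base64
import json
import re

PEM_CERT = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*([A-Za-z0-9+/=\s]+?)\s*-----END CERTIFICATE-----"
)

# Constructed stand-in for `kubectl -n kube-system get configmap kube-root-ca.crt -o json`.
# The certificate body is placeholder text, not a real certificate.
SAMPLE_CONFIGMAP_JSON = json.dumps({
    "apiVersion": "v1", "kind": "ConfigMap",
    "metadata": {"name": "kube-root-ca.crt", "namespace": "kube-system"},
    "data": {"ca.crt": "-----BEGIN CERTIFICATE-----\nQ09OU1RSVUNURUQtQ0EtQk9EWQ==\n-----END CERTIFICATE-----\n"},
})


def validate_ca_bundle(pem: str) -> int:
    """Return the number of certificates in the bundle; reject an empty value,
    a value with no CERTIFICATE block, or anything that carries a private key."""
    if "PRIVATE KEY" in pem:
        raise ValueError("bundle contains a private key; only CA certificates belong in endpointCA")
    certs = PEM_CERT.findall(pem)
    if not certs:
        raise ValueError("no CERTIFICATE block found in bundle")
    return len(certs)


def build_endpoint_ca_secret(configmap_json: str, namespace: str,
                             secret_name: str = "kube-root-ca.crt",
                             key: str = "ca.crt") -> dict:
    """Equivalent of the kubectl one-liner: read data["ca.crt"] (the key literally
    contains a dot, which is why the jsonpath escapes it) and emit a Secret manifest."""
    cm = json.loads(configmap_json)
    pem = cm.get("data", {}).get(key, "")
    validate_ca_bundle(pem)
    return {
        "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
        "metadata": {"name": secret_name, "namespace": namespace},
        # Secret.data holds base64, exactly as `kubectl create secret generic` writes it
        "data": {key: base64.b64encode(pem.encode()).decode()},
    }


if __name__ == "__main__":
    print(json.dumps(build_endpoint_ca_secret(SAMPLE_CONFIGMAP_JSON, "postgres"), indent=2))
```

The resulting Secret's `metadata.name` and the `data` key are the two values that go into `endpointCA.name` and `endpointCA.key` in the chart values above.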