Remote storage for OpenSDN database backups
MOSK enables you to store OpenSDN database backups on a remote storage system. Using remote storage helps offload backups from the control plane nodes, improves data durability, and simplifies disaster recovery procedures. This section explains how to configure the supported remote storage options, including Network File System (NFS) storage and S3 object storage.
Remote NFS storage for OpenSDN database backups
TechPreview
MOSK supports configuring a remote NFS storage for OpenSDN data backups through the TFOperator custom resource:
spec:
  features:
    dbBackup:
      enabled: true
      backupType: "pv_nfs"
      nfsOptions:
        path: <PATH_TO_SHARE_FOLDER_ON_SERVER>
        server: <IP_ADDRESS/DNS_NAME_OF_SERVER>
If PVC backups were used previously, the old PVC will not be utilized. You can delete it with the following command:
kubectl -n tf delete pvc <TF_DB_BACKUP_PVC>
Remote S3 storage for OpenSDN database backups
TechPreview
MOSK enables you to configure the TFOperator to store and synchronize database backups with a remote S3 storage. This feature keeps backups off the control plane nodes and ensures that the backup data is protected by encryption both in flight and at rest.
Known limitations:
Only one remote S3 storage can be configured at a time.
Disabling S3 synchronization does not automatically remove existing data from the remote storage.
To enable synchronization with remote S3 storage:
Verify that the remote storage is accessible from all OpenSDN control plane nodes.
Create a Kubernetes secret to store the S3 access credentials:
---
apiVersion: v1
kind: Secret
metadata:
  name: tf-backup-s3-secret
  namespace: tf
type: Opaque
data:
  access_key: <ACCESS-KEY-FOR-S3-ACCOUNT>
  secret_key: <SECRET-KEY-FOR-S3-ACCOUNT>
  sse_kms_key_id: <SECRET-KEY-FOR-SERVER-SIDE-ENCRYPTION>
Enable synchronization by adding the following parameters to the TFOperator custom resource:
spec:
  features:
    dbBackup:
      enabled: true
      remoteSync:
        enabled: true
        provider: Ceph
        endpoint: https://openstack-store.it.just.works/
        path: bucket_name
        type: s3
        serverSideEncryption: aws:kms
        secretData:
          secretName: tf-backup-s3-secret
          accessKeyName: access_key
          secretAccessKeyName: secret_key
          sseKmsKeyName: sse_kms_key_id
If server-side encryption is not required, omit the serverSideEncryption and sseKmsKeyName parameters.
To restore a database from a remote S3 backup, use the same configuration parameters as for remoteSync:
spec:
  features:
    dbRestoreMode:
      enabled: true
      syncFromRemote:
        enabled: true
        provider: Ceph
        endpoint: https://openstack-store.it.just.works/
        path: bucket_name
        type: s3
        serverSideEncryption: aws:kms
        secretData:
          secretName: tf-backup-s3-secret
          accessKeyName: access_key
          secretAccessKeyName: secret_key
          sseKmsKeyName: sse_kms_key_id
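An added example, not part of the MOSK documentation or the TFOperator code: a pre-apply check that the Secret and the remoteSync (or syncFromRemote) block shown above agree, including that every value under the Secret's data field is valid base64, as Kubernetes requires. Both objects are passed as already-parsed dictionaries; the function name, the findings text, the treatment of a non-https endpoint as a finding, and the sample credential values are assumptions made for this example.

```python
import base64
import binascii

# secretData fields that name keys inside the Kubernetes Secret.
KEY_REFS = ("accessKeyName", "secretAccessKeyName", "sseKmsKeyName")

def check_remote_sync(sync, secret):
    """Return findings for a remoteSync/syncFromRemote block and its Secret."""
    findings = []
    refs = sync.get("secretData", {})
    data = secret.get("data", {})
    # Assumption: a plain-http endpoint is a finding (no encryption in flight).
    if not sync.get("endpoint", "").lower().startswith("https://"):
        findings.append("endpoint is not https")
    if refs.get("secretName") != secret.get("metadata", {}).get("name"):
        findings.append("secretData.secretName does not match the Secret name")
    # The page sets or omits these two parameters together.
    if bool(sync.get("serverSideEncryption")) != bool(refs.get("sseKmsKeyName")):
        findings.append("serverSideEncryption and sseKmsKeyName must be set together")
    for ref in KEY_REFS:
        key = refs.get(ref)
        if key is None:
            if ref != "sseKmsKeyName":  # only the SSE key reference is optional
                findings.append(f"secretData.{ref} is missing")
            continue
        if key not in data:
            findings.append(f"Secret has no data key '{key}'")
            continue
        try:
            raw = base64.b64decode(data[key], validate=True)
        except (binascii.Error, ValueError, TypeError):
            findings.append(f"data.{key} is not valid base64")
            continue
        if raw != raw.strip() or not raw:
            findings.append(f"data.{key} is empty or has stray whitespace")
    return findings

def b64(text):
    return base64.b64encode(text.encode()).decode()

# Constructed sample objects (as parsed from YAML); credential values are fake.
SECRET = {"metadata": {"name": "tf-backup-s3-secret", "namespace": "tf"},
          "data": {"access_key": b64("EXAMPLE-ACCESS-KEY"),
                   "secret_key": b64("example-secret\n"),    # from `echo | base64`
                   "sse_kms_key_id": "example-kms-key-id"}}  # pasted unencoded
SYNC = {"endpoint": "https://openstack-store.it.just.works/", "path": "bucket_name",
        "serverSideEncryption": "aws:kms",
        "secretData": {"secretName": "tf-backup-s3-secret", "accessKeyName": "access_key",
                       "secretAccessKeyName": "secret_key", "sseKmsKeyName": "sse_kms_key_id"}}
```

Calling check_remote_sync(SYNC, SECRET) on the constructed sample reports the newline-terminated secret_key and the unencoded sse_kms_key_id; an empty list means the two objects are consistent.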