How to Archive your Backups
For long-term storage of your backups you may want to use cheaper storage. Even if this is slower to restore, you usually don’t need to restore that data frequently, so you save some money.
The Archive object defines the restore method and back-end required to archive backups of your namespace:
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  repoPasswordSecretRef:
    name: backup-repo
    key: password
  restoreMethod:
    s3:
      endpoint: http://10.144.1.224:9000
      bucket: restoremini
      accessKeyIDSecretRef:
        name: backup-credentials
        key: username
      secretAccessKeySecretRef:
        name: backup-credentials
        key: password
  backend:
    s3:
      endpoint: http://10.144.1.224:9000
      bucket: k8up
      accessKeyIDSecretRef:
        name: backup-credentials
        key: username
      secretAccessKeySecretRef:
        name: backup-credentials
        key: password
Save the YAML above in a file named archive.yaml and use the kubectl apply -f archive.yaml command to deploy this configuration to your cluster.
Self-signed issuer and Mutual TLS
If your endpoint uses a certificate from a self-signed issuer, or uses mutual TLS to authenticate the client, you can use a volume to mount the certificate files into the backup object.
Self-signed issuer
- Using with options feature in backend
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
    tlsOptions:
      caCert: /mnt/ca/ca.crt
    volumeMounts:
      - name: ca-tls
        mountPath: /mnt/ca/
  restoreMethod:
    s3: {}
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: ca-tls
      secret:
        secretName: ca-tls
        defaultMode: 420
- Using with env in backend
apiVersion: v1
kind: ConfigMap
metadata:
  name: archive-cert
data:
  CA_CERT_FILE: /mnt/ca/ca.crt
---
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
    envFrom:
      - configMapRef:
          name: archive-cert
    volumeMounts:
      - name: ca-tls
        mountPath: /mnt/ca/
  restoreMethod:
    s3: {}
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: ca-tls
      secret:
        secretName: ca-tls
        defaultMode: 420
- Using with options feature in restore
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
  restoreMethod:
    s3: {}
    tlsOptions:
      caCert: /mnt/ca/ca.crt
    volumeMounts:
      - name: ca-tls
        mountPath: /mnt/ca/
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: ca-tls
      secret:
        secretName: ca-tls
        defaultMode: 420
- Using with env in restore
apiVersion: v1
kind: ConfigMap
metadata:
  name: archive-cert
data:
  RESTORE_CA_CERT_FILE: /mnt/ca/ca.crt
---
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
  restoreMethod:
    s3: {}
    envFrom:
      - configMapRef:
          name: archive-cert
    volumeMounts:
      - name: ca-tls
        mountPath: /mnt/ca/
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: ca-tls
      secret:
        secretName: ca-tls
        defaultMode: 420
- Using same cert with options feature in backend and restore
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
    tlsOptions:
      caCert: /mnt/ca/ca.crt
    volumeMounts:
      - name: ca-tls
        mountPath: /mnt/ca/
  restoreMethod:
    s3: {}
    tlsOptions:
      caCert: /mnt/ca/ca.crt
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: ca-tls
      secret:
        secretName: ca-tls
        defaultMode: 420
- Using same cert with env in backend and restore
apiVersion: v1
kind: ConfigMap
metadata:
  name: archive-cert
data:
  CA_CERT_FILE: /mnt/ca/ca.crt
  RESTORE_CA_CERT_FILE: /mnt/ca/ca.crt
---
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
    envFrom:
      - configMapRef:
          name: archive-cert
    volumeMounts:
      - name: ca-tls
        mountPath: /mnt/ca/
  restoreMethod:
    s3: {}
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: ca-tls
      secret:
        secretName: ca-tls
        defaultMode: 420
- Using different cert with options feature in backend and restore
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
    tlsOptions:
      caCert: /mnt/ca/ca.crt
    volumeMounts:
      - name: ca-tls
        mountPath: /mnt/ca/
  restoreMethod:
    s3: {}
    tlsOptions:
      caCert: /mnt/custom-ca/ca.crt
    volumeMounts:
      - name: custom-ca-tls
        mountPath: /mnt/custom-ca/
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: ca-tls
      secret:
        secretName: ca-tls
        defaultMode: 420
    - name: custom-ca-tls
      secret:
        secretName: custom-ca-tls
        defaultMode: 420
- Using different cert with env in backend and restore
apiVersion: v1
kind: ConfigMap
metadata:
  name: archive-cert
data:
  CA_CERT_FILE: /mnt/ca/ca.crt
  RESTORE_CA_CERT_FILE: /mnt/custom-ca/ca.crt
---
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
    envFrom:
      - configMapRef:
          name: archive-cert
    volumeMounts:
      - name: ca-tls
        mountPath: /mnt/ca/
  restoreMethod:
    s3: {}
    volumeMounts:
      - name: custom-ca-tls
        mountPath: /mnt/custom-ca/
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: ca-tls
      secret:
        secretName: ca-tls
        defaultMode: 420
    - name: custom-ca-tls
      secret:
        secretName: custom-ca-tls
        defaultMode: 420
Self-signed issuer with mTLS
- Using with options feature in backend
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
    tlsOptions:
      # All three files come from the client-tls Secret mounted at /mnt/tls/
      caCert: /mnt/tls/ca.crt
      clientCert: /mnt/tls/tls.crt
      clientKey: /mnt/tls/tls.key
    volumeMounts:
      - name: client-tls
        mountPath: /mnt/tls/
  restoreMethod:
    s3: {}
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: client-tls
      secret:
        secretName: client-tls
        defaultMode: 420
- Using with env in backend
apiVersion: v1
kind: ConfigMap
metadata:
  name: archive-cert
data:
  CA_CERT_FILE: /mnt/tls/ca.crt
  CLIENT_CERT_FILE: /mnt/tls/tls.crt
  CLIENT_KEY_FILE: /mnt/tls/tls.key
---
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
    envFrom:
      - configMapRef:
          name: archive-cert
    volumeMounts:
      - name: client-tls
        mountPath: /mnt/tls/
  restoreMethod:
    s3: {}
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: client-tls
      secret:
        secretName: client-tls
        defaultMode: 420
- Using with options feature in restore
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
  restoreMethod:
    s3: {}
    tlsOptions:
      caCert: /mnt/tls/ca.crt
      clientCert: /mnt/tls/tls.crt
      clientKey: /mnt/tls/tls.key
    volumeMounts:
      - name: client-tls
        mountPath: /mnt/tls/
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: client-tls
      secret:
        secretName: client-tls
        defaultMode: 420
- Using with env in restore
apiVersion: v1
kind: ConfigMap
metadata:
  name: archive-cert
data:
  RESTORE_CA_CERT_FILE: /mnt/tls/ca.crt
  RESTORE_CLIENT_CERT_FILE: /mnt/tls/tls.crt
  RESTORE_CLIENT_KEY_FILE: /mnt/tls/tls.key
---
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
  restoreMethod:
    s3: {}
    envFrom:
      - configMapRef:
          name: archive-cert
    volumeMounts:
      - name: client-tls
        mountPath: /mnt/tls/
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: client-tls
      secret:
        secretName: client-tls
        defaultMode: 420
- Using same cert with options feature in backend and restore
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
    tlsOptions:
      caCert: /mnt/tls/ca.crt
      clientCert: /mnt/tls/tls.crt
      clientKey: /mnt/tls/tls.key
    volumeMounts:
      - name: client-tls
        mountPath: /mnt/tls/
  restoreMethod:
    s3: {}
    tlsOptions:
      caCert: /mnt/tls/ca.crt
      clientCert: /mnt/tls/tls.crt
      clientKey: /mnt/tls/tls.key
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: client-tls
      secret:
        secretName: client-tls
        defaultMode: 420
- Using same cert with env in backend and restore
apiVersion: v1
kind: ConfigMap
metadata:
  name: archive-cert
data:
  CA_CERT_FILE: /mnt/tls/ca.crt
  CLIENT_CERT_FILE: /mnt/tls/tls.crt
  CLIENT_KEY_FILE: /mnt/tls/tls.key
  RESTORE_CA_CERT_FILE: /mnt/tls/ca.crt
  RESTORE_CLIENT_CERT_FILE: /mnt/tls/tls.crt
  RESTORE_CLIENT_KEY_FILE: /mnt/tls/tls.key
---
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
    envFrom:
      - configMapRef:
          name: archive-cert
    volumeMounts:
      - name: client-tls
        mountPath: /mnt/tls/
  restoreMethod:
    s3: {}
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: client-tls
      secret:
        secretName: client-tls
        defaultMode: 420
- Using different cert with options feature in backend and restore
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
    tlsOptions:
      caCert: /mnt/tls/ca.crt
      clientCert: /mnt/tls/tls.crt
      clientKey: /mnt/tls/tls.key
    volumeMounts:
      - name: client-tls
        mountPath: /mnt/tls/
  restoreMethod:
    s3: {}
    tlsOptions:
      caCert: /mnt/custom-tls/ca.crt
      clientCert: /mnt/custom-tls/tls.crt
      clientKey: /mnt/custom-tls/tls.key
    volumeMounts:
      - name: custom-client-tls
        mountPath: /mnt/custom-tls/
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: client-tls
      secret:
        secretName: client-tls
        defaultMode: 420
    - name: custom-client-tls
      secret:
        secretName: custom-client-tls
        defaultMode: 420
- Using different cert with env in backend and restore
apiVersion: v1
kind: ConfigMap
metadata:
  name: archive-cert
data:
  CA_CERT_FILE: /mnt/tls/ca.crt
  CLIENT_CERT_FILE: /mnt/tls/tls.crt
  CLIENT_KEY_FILE: /mnt/tls/tls.key
  RESTORE_CA_CERT_FILE: /mnt/custom-tls/ca.crt
  RESTORE_CLIENT_CERT_FILE: /mnt/custom-tls/tls.crt
  RESTORE_CLIENT_KEY_FILE: /mnt/custom-tls/tls.key
---
apiVersion: k8up.io/v1
kind: Archive
metadata:
  name: archive-test
spec:
  failedJobsHistoryLimit: 2
  successfulJobsHistoryLimit: 2
  backend:
    s3: {}
    envFrom:
      - configMapRef:
          name: archive-cert
    volumeMounts:
      - name: client-tls
        # Must match the directory used by the *_FILE paths in the ConfigMap
        mountPath: /mnt/tls/
  restoreMethod:
    s3: {}
    volumeMounts:
      - name: client-custom-tls
        mountPath: /mnt/custom-tls/
  podSecurityContext:
    fsGroup: 1000
    runAsUser: 1000
  volumes:
    - name: client-tls
      secret:
        secretName: client-tls
        defaultMode: 420
    - name: client-custom-tls
      secret:
        secretName: client-custom-tls
        defaultMode: 420
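A pre-apply lint for the tlsOptions variants above, added here as an example and not part of K8up: it checks that every caCert, clientCert and clientKey path lies under a mountPath and that every mounted volume is declared in spec.volumes. It assumes the mounts of backend and restoreMethod end up in the same job pod, as the "same cert" examples imply; check_archive_tls and the sample specs are names and data constructed for illustration.

```python
from pathlib import PurePosixPath

SECTIONS = ("backend", "restoreMethod")
TLS_KEYS = ("caCert", "clientCert", "clientKey")


def check_archive_tls(spec):
    """Lint the spec of an Archive, given as the dict a YAML parser returns."""
    problems = []
    declared = {v["name"] for v in spec.get("volumes", [])}
    mount_paths = []  # unioned: both sections are assumed to share one job pod
    for section in SECTIONS:
        for mount in spec.get(section, {}).get("volumeMounts", []):
            mount_paths.append(PurePosixPath(mount["mountPath"]))
            if mount["name"] not in declared:
                problems.append(f"{section}: volumeMount {mount['name']!r} has no entry in spec.volumes")
    for section in SECTIONS:
        tls = spec.get(section, {}).get("tlsOptions", {})
        for key in TLS_KEYS:
            if key in tls:
                path = PurePosixPath(tls[key])
                if not any(mp in path.parents for mp in mount_paths):
                    problems.append(f"{section}.tlsOptions.{key}: {path} is not under any mountPath")
        if ("clientCert" in tls) != ("clientKey" in tls):
            problems.append(f"{section}.tlsOptions: clientCert and clientKey must be set together")
    return problems


# Constructed sample: the paths point at /mnt/tls/ but the Secret is mounted at /mnt/ca/.
BROKEN = {
    "backend": {
        "s3": {},
        "tlsOptions": {
            "caCert": "/mnt/tls/ca.crt",
            "clientCert": "/mnt/tls/tls.crt",
            "clientKey": "/mnt/tls/tls.key",
        },
        "volumeMounts": [{"name": "client-tls", "mountPath": "/mnt/ca/"}],
    },
    "restoreMethod": {"s3": {}},
    "volumes": [{"name": "client-tls", "secret": {"secretName": "client-tls"}}],
}
# Same spec with the mount moved to where the paths expect it.
FIXED = {**BROKEN, "backend": {**BROKEN["backend"],
                               "volumeMounts": [{"name": "client-tls", "mountPath": "/mnt/tls/"}]}}

if __name__ == "__main__":
    for name, spec in (("BROKEN", BROKEN), ("FIXED", FIXED)):
        print(name, check_archive_tls(spec) or "ok")
```

The check covers only the tlsOptions form; paths supplied through a ConfigMap and envFrom would have to be resolved from the ConfigMap's data before they can be compared against the mounts.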