Installation of OpenShift API for Data Protection (OADP) Operator
This section outlines the installation of OpenShift API for Data Protection (OADP) Operator.
Prerequisites
-
A Red Hat OpenShift cluster (later than version 4.12) installed on bare-metal infrastructure with RHCOS worker nodes
-
A NetApp ONTAP cluster integrated with the cluster using Trident
-
A Trident backend configured with an SVM on ONTAP cluster
-
A StorageClass configured on the OpenShift cluster with Trident as the provisioner
-
Trident Snapshot class created on the cluster
-
Cluster-admin access to Red Hat OpenShift cluster
-
Admin access to NetApp ONTAP cluster
-
An application eg. postgresql deployed on the cluster
-
An admin workstation with tridentctl and oc tools installed and added to $PATH
Steps to install OADP Operator
-
Go to the Operator Hub of the cluster and select Red Hat OADP operator. In the Install page, use all the default selections and click install. On the next page, again use all the defaults and click Install. The OADP operator will be installed in the namespace openshift-adp.
Prerequisites for Velero configuration with Ontap S3 details
After the installation of the operator succeeds, configure the instance of Velero.
Velero can be configured to use S3 compatible Object Storage. Configure ONTAP S3 using the procedures shown in the Object Storage Management section of ONTAP documentation. You will need the following information from your ONTAP S3 configuration to integrate with Velero.
-
A Logical Interface (LIF) that can be used to access S3
-
User credentials to access S3 that includes the access key and the secret access key
-
A bucket name in S3 for backups with access permissions for the user
-
For secure access to the Object storage, TLS certificate should be installed on the Object Storage server.
Prerequisites for Velero configuration with StorageGrid S3 details
Velero can be configured to use S3 compatible Object Storage. You can configure StorageGrid S3 using the procedures shown in the StorageGrid documentation. You will need the following information from your StorageGrid S3 configuration to integrate with Velero.
-
The endpoint that can be used to access S3
-
User credentials to access S3 that includes the access key and the secret access key
-
A bucket name in S3 for backups with access permissions for the user
-
For secure access to the Object storage, TLS certificate should be installed on the Object Storage server.
Steps to configure Velero
-
First, create a secret for an ONTAP S3 user credential or StorageGrid Tenant user credentials. This will be used to configure Velero later. You can create a secret from the CLI or from the web console.
To create a secret from the web console, select Secrets, then click on Key/Value Secret. Provide the values for the credential name, key and the value as shown. Be sure to use the Access Key Id and Secret Access Key of your S3 user. Name the secret appropriately. In the sample below, a secret with ONTAP S3 user credentials named ontap-s3-credentials is created.
To create a secret named sg-s3-credentials from the CLI you can use the following command.
-
Next, to configure Velero, select Installed Operators from the menu item under Operators, click on OADP operator, and then select the DataProtectionApplication tab.
Click on Create DataProtectionApplication. In the form view, provide a name for the DataProtection Application or use the default name.
Now go to the YAML view and replace the spec information as shown in the yaml file examples below.
Sample yaml file for configuring Velero with ONTAP S3 as the backupLocation
spec: backupLocations: - velero: config: insecureSkipTLSVerify: 'false' ->use this for https communication with ONTAP S3 profile: default region: us-east-1 s3ForcePathStyle: 'true' ->This allows use of IP in s3URL s3Url: 'https://10.61.181.161' ->Ensure TLS certificate for S3 is configured credential: key: cloud name: ontap-s3-credentials -> previously created secret default: true objectStorage: bucket: velero -> Your bucket name previously created in S3 for backups prefix: container-demo-backup ->The folder that will be created in the bucket caCert: <base64 encoded CA Certificate installed on ONTAP Cluster with the SVM Scope where the bucker exists> provider: aws configuration: nodeAgent: enable: true uploaderType: kopia #default Data Mover uses Kopia to move snapshots to Object Storage velero: defaultPlugins: - csi ->This plugin to use CSI snapshots - openshift - aws - kubevirt -> This plugin to use Velero with OIpenShift Virtualization
Sample yaml file for configuring Velero with StorageGrid S3 as the backupLocation
spec: backupLocations: - velero: config: insecureSkipTLSVerify: 'true' profile: default region: us-east-1 ->region of your StorageGrid system s3ForcePathStyle: 'True' s3Url: 'https://172.21.254.25:10443' ->the IP used to access S3 credential: key: cloud name: sg-s3-credentials ->secret created earlier default: true objectStorage: bucket: velero prefix: demobackup provider: aws configuration: nodeAgent: enable: true uploaderType: kopia velero: defaultPlugins: - csi - openshift - aws - kubevirt
The spec section in the yaml file should be configured appropriately for the following parameters similar to the example above
backupLocations
ONTAP S3 or StorageGrid S3 (with its credentials and other information as shown in the yaml) is configured as the default BackupLocation for velero.
snapshotLocations
If you use Container Storage Interface (CSI) snapshots, you do not need to specify a snapshot location because you will create a VolumeSnapshotClass CR to register the CSI driver. In our example, you use Trident CSI and you have previously created VolumeSnapShotClass CR using the Trident CSI driver.
Enable CSI plugin
Add csi to the defaultPlugins for Velero to back up persistent volumes with CSI snapshots.
The Velero CSI plugins, to backup CSI backed PVCs, will choose the VolumeSnapshotClass in the cluster that has velero.io/csi-volumesnapshot-class label set on it. For this
-
You must have the trident VolumeSnapshotClass created.
-
Edit the label of the trident-snapshotclass and set it to
velero.io/csi-volumesnapshot-class=true as shown below.
Ensure that the snapshots can persist even if the VolumeSnapshot objects are deleted. This can be done by setting the deletionPolicy to Retain. If not, deleting a namespace will completely lose all PVCs ever backed up in it.
apiVersion: snapshot.storage.k8s.io/v1 kind: VolumeSnapshotClass metadata: name: trident-snapshotclass driver: csi.trident.netapp.io deletionPolicy: Retain
Ensure that the DataProtectionApplication is created and is in condition:Reconciled.
The OADP operator will create a corresponding BackupStorageLocation.This will be used when creating a backup.