Use AppVault objects to manage buckets
Suggest changes
PDFs
The bucket custom resource (CR) for Trident protect is known as an AppVault. AppVault objects are the declarative Kubernetes workflow representation of a storage bucket. An AppVault CR contains the configurations necessary for a bucket to be used in protection operations, such as backups, snapshots, restore operations, and SnapMirror replication. Only administrators can create AppVaults.
Key generation and AppVault definition examples
When defining an AppVault CR, you need to include credentials to access the resources hosted by the provider. How you generate the keys for the credentials will differ depending on the provider. The following are command line key generation examples for several providers, followed by example AppVault definitions for each provider.
Google Cloud
Key generation example:
kubectl create secret generic gcp-creds --from-file=credentials=<mycreds-file.json> -n trident-protectThe following AppVault definition examples are provided as a CR that you can use and modify, or an example Trident protect CLI command that generates the AppVault CR for you:
apiVersion: protect.trident.netapp.io/v1
kind: AppVault
metadata:
name: gcp-trident-protect-src-bucket-b643cc50-0429-4ad5-971f-ac4a83621922
namespace: trident-protect
spec:
providerType: GCP
providerConfig:
gcp:
bucketName: trident-protect-src-bucket
projectID: project-id
providerCredentials:
credentials:
valueFromSecret:
key: credentials
name: gcp-trident-protect-src-bucket-secrettridentctl protect create vault gcp my-new-vault --bucket mybucket --project my-gcp-project --secret <gcp-creds>/<credentials>Amazon S3
Key generation example:
kubectl create secret generic -n trident-protect s3 --from-literal=accessKeyID=<secret-name> --from-literal=secretAccessKey=<generic-s3-trident-protect-src-bucket-secret>The following AppVault definition examples are provided as a CR that you can use and modify, or an example Trident protect CLI command that generates the AppVault CR for you:
apiVersion: protect.trident.netapp.io/v1
kind: AppVault
metadata:
name: amazon-s3-trident-protect-src-bucket-b643cc50-0429-4ad5-971f-ac4a83621922
namespace: trident-protect
spec:
providerType: AWS
providerConfig:
s3:
bucketName: trident-protect-src-bucket
endpoint: s3.example.com
providerCredentials:
accessKeyID:
valueFromSecret:
key: accessKeyID
name: s3
secretAccessKey:
valueFromSecret:
key: secretAccessKey
name: s3tridentctl protect create vault GenericS3 s3vault --bucket <bucket-name> --secret <secret-name> --endpoint <s3-endpoint>Microsoft Azure
Key generation example:
kubectl create secret generic <secret-name> --from-literal=accountKey=<secret-name> -n trident-protectThe following AppVault definition examples are provided as a CR that you can use and modify, or an example Trident protect CLI command that generates the AppVault CR for you:
apiVersion: protect.trident.netapp.io/v1
kind: AppVault
metadata:
name: azure-trident-protect-src-bucket-b643cc50-0429-4ad5-971f-ac4a83621922
namespace: trident-protect
spec:
providerType: Azure
providerConfig:
azure:
accountName: account-name
bucketName: trident-protect-src-bucket
providerCredentials:
accountKey:
valueFromSecret:
key: accountKey
name: azure-trident-protect-src-bucket-secrettridentctl protect create vault Azure <vault-name> --account <account-name> --bucket <bucket-name> --secret <secret-name>Supported values for providerType and providerConfig
The providerType and providerConfig keys in an AppVault CR require specific values. The following table lists supported values for the providerType key, and the associated providerConfig key that you need to use with each providerType value.
Supported providerType value |
Associated providerConfig key |
|---|---|
AWS |
s3 |
Azure |
azure |
GCP |
gcp |
GenericS3 |
s3 |
OntapS3 |
s3 |
StorageGridS3 |
s3 |
Use the AppVault browser to view AppVault information
You can use the Trident protect CLI plugin to view information about AppVault objects that have been created on the cluster.
-
View the contents of an AppVault object:
tridentctl protect get appvaultcontent gcp-vault --show-resources allExample output:
+-------------+-------+----------+-----------------------------+---------------------------+ | CLUSTER | APP | TYPE | NAME | TIMESTAMP | +-------------+-------+----------+-----------------------------+---------------------------+ | | mysql | snapshot | mysnap | 2024-08-09 21:02:11 (UTC) | | production1 | mysql | snapshot | hourly-e7db6-20240815180300 | 2024-08-15 18:03:06 (UTC) | | production1 | mysql | snapshot | hourly-e7db6-20240815190300 | 2024-08-15 19:03:06 (UTC) | | production1 | mysql | snapshot | hourly-e7db6-20240815200300 | 2024-08-15 20:03:06 (UTC) | | production1 | mysql | backup | hourly-e7db6-20240815180300 | 2024-08-15 18:04:25 (UTC) | | production1 | mysql | backup | hourly-e7db6-20240815190300 | 2024-08-15 19:03:30 (UTC) | | production1 | mysql | backup | hourly-e7db6-20240815200300 | 2024-08-15 20:04:21 (UTC) | | production1 | mysql | backup | mybackup5 | 2024-08-09 22:25:13 (UTC) | | | mysql | backup | mybackup | 2024-08-09 21:02:52 (UTC) | +-------------+-------+----------+-----------------------------+---------------------------+
-
Optionally, to see the AppVaultPath for each resource, use the flag
--show-paths.The cluster name in the first column of the table is only available if a cluster name was specified in the Trident protect helm installation. For example:
--set clusterName=production1.
Remove an AppVault
You can remove an AppVault object at any time.
|
Do not remove the finalizers key in the AppVault CR before deleting the AppVault object. If you do so, it can result in residual data in the AppVault bucket and orphaned resources in the cluster.
|
Ensure that you have deleted all snapshots and backups stored in the associated bucket.
-
Remove the AppVault object, replacing
appvault_namewith the name of the AppVault object to remove:kubectl delete appvault <appvault_name> -n trident-protect
-
Remove the AppVault object, replacing
appvault_namewith the name of the AppVault object to remove:tridentctl protect delete appvault <appvault_name> -n trident-protect