Skip to main content

Restore applications using Trident protect

Contributors netapp-mwallis netapp-shwetav
PDFs

You can use Trident protect to restore your application from a snapshot or backup. Restoring from an existing snapshot will be faster when restoring the application to the same cluster.

Note When you restore an application, all execution hooks configured for the application are restored with the app. If a post-restore execution hook is present, it runs automatically as part of the restore operation.

Namespace annotations and labels during restore and failover operations

During restore and failover operations, labels and annotations in the destination namespace are made to match the labels and annotations in the source namespace. Labels or annotations from the source namespace that don't exist in the destination namespace are added, and any labels or annotations that already exist are overwritten to match the value from the source namespace. Labels or annotations that exist only on the destination namespace remain unchanged.

Note If you use RedHat OpenShift, it's important to note the critical role of namespace annotations in OpenShift environments. Namespace annotations ensure that restored pods adhere to the appropriate permissions and security configurations defined by OpenShift security context constraints (SCCs) and can access volumes without permission issues. For more information, refer to the OpenShift security context constraints documentation.

You can prevent specific annotations in the destination namespace from being overwritten by setting the Kubernetes environment variable RESTORE_SKIP_NAMESPACE_ANNOTATIONS before you perform the restore or failover operation. For example:

kubectl set env -n trident-protect deploy/trident-protect-controller-manager RESTORE_SKIP_NAMESPACE_ANNOTATIONS=<annotation_key_to_skip_1>,<annotation_key_to_skip_2>

If you installed the source application using Helm with the --create-namespace flag, special treatment is given to the name label key. During the restore or failover process, Trident protect copies this label to the destination namespace, but updates the value to the destination namespace value if the value from source matches the source namespace. If this value doesn't match the source namespace it is copied to the destination namespace with no changes.

Example

The following example presents a source and destination namespace, each with different annotations and labels. You can see the state of the destination namespace before and after the operation, and how the annotations and labels are combined or overwritten in the destination namespace.

Before the restore or failover operation

The following table illustrates the state of the example source and destination namespaces before the restore or failover operation:

Namespace Annotations Labels

Namespace ns-1 (source)

  • annotation.one/key: "updatedvalue"

  • annotation.two/key: "true"

  • environment=production

  • compliance=hipaa

  • name=ns-1

Namespace ns-2 (destination)

  • annotation.one/key: "true"

  • annotation.three/key: "false"

  • role=database

After the restore operation

The following table illustrates the state of the example destination namespace after the restore or failover operation. Some keys have been added, some have been overwritten, and the name label has been updated to match the destination namespace:

Namespace Annotations Labels

Namespace ns-2 (destination)

  • annotation.one/key: "updatedvalue"

  • annotation.two/key: "true"

  • annotation.three/key: "false"

  • name=ns-2

  • compliance=hipaa

  • environment=production

  • role=database

Restore from a backup to a different namespace

When you restore a backup to a different namespace using a BackupRestore CR, Trident protect restores the application in a new namespace and creates an application CR for the restored application. To protect the restored application, create on-demand backups or snapshots, or establish a protection schedule.

Note Restoring a backup to a different namespace with existing resources will not alter any resources that share names with those in the backup. To restore all resources in the backup, either delete and re-create the target namespace, or restore the backup to a new namespace.
Use a CR
Steps

  1. Create the custom resource (CR) file and name it trident-protect-backup-restore-cr.yaml.

  2. In the file you created, configure the following attributes:

    • metadata.name: (Required) The name of this custom resource; choose a unique and sensible name for your environment.

    • spec.appArchivePath: The path inside AppVault where the backup contents are stored. You can use the following command to find this path:

      kubectl get backups <BACKUP_NAME> -n my-app-namespace -o jsonpath='{.status.appArchivePath}'

    • spec.appVaultRef: (Required) The name of the AppVault where the backup contents are stored.

    • spec.namespaceMapping: The mapping of the source namespace of the restore operation to the destination namespace. Replace my-source-namespace and my-destination-namespace with information from your environment.

    • spec.storageClassMapping: The mapping of the source storage class of the restore operation to the destination storage class. Replace destinationStorageClass and sourceStorageClass with information from your environment.

      ---
apiVersion: protect.trident.netapp.io/v1
kind: BackupRestore
metadata:
  name: my-cr-name
  namespace: my-destination-namespace
spec:
  appArchivePath: my-backup-path
  appVaultRef: appvault-name
  namespaceMapping: [{"source": "my-source-namespace", "destination": "my-destination-namespace"}]
  storageClassMapping:
    destination: "${destinationStorageClass}"
    source: "${sourceStorageClass}"

  3. (Optional) If you need to select only certain resources of the application to restore, add filtering that includes or excludes resources marked with particular labels:

    • resourceFilter.resourceSelectionCriteria: (Required for filtering) Use Include or Exclude to include or exclude a resource defined in resourceMatchers. Add the following resourceMatchers parameters to define the resources to be included or excluded:

      • resourceFilter.resourceMatchers: An array of resourceMatcher objects. If you define multiple elements in this array, they match as an OR operation, and the fields inside each element (group, kind, version) match as an AND operation.

        • resourceMatchers[].group: (Optional) Group of the resource to be filtered.

        • resourceMatchers[].kind: (Optional) Kind of the resource to be filtered.

        • resourceMatchers[].version: (Optional) Version of the resource to be filtered.

        • resourceMatchers[].names: (Optional) Names in the Kubernetes metadata.name field of the resource to be filtered.

        • resourceMatchers[].namespaces: (Optional) Namespaces in the Kubernetes metadata.name field of the resource to be filtered.

        • resourceMatchers[].labelSelectors: (Optional) Label selector string in the Kubernetes metadata.name field of the resource as defined in the Kubernetes documentation. For example: "trident.netapp.io/os=linux".

          For example:

          spec:
  resourceFilter:
    resourceSelectionCriteria: "Include"
    resourceMatchers:
      - group: my-resource-group-1
        kind: my-resource-kind-1
        version: my-resource-version-1
        names: ["my-resource-names"]
        namespaces: ["my-resource-namespaces"]
        labelSelectors: ["trident.netapp.io/os=linux"]
      - group: my-resource-group-2
        kind: my-resource-kind-2
        version: my-resource-version-2
        names: ["my-resource-names"]
        namespaces: ["my-resource-namespaces"]
        labelSelectors: ["trident.netapp.io/os=linux"]

  4. After you populate the trident-protect-backup-restore-cr.yaml file with the correct values, apply the CR:

    kubectl apply -f trident-protect-backup-restore-cr.yaml
Use the CLI
Steps

  1. Restore the backup to a different namespace, replacing values in brackets with information from your environment. The namespace-mapping argument uses colon-separated namespaces to map source namespaces to the correct destination namespaces in the format source1:dest1,source2:dest2. For example:

    tridentctl-protect create backuprestore <my_restore_name> --backup <backup_namespace>/<backup_to_restore> --namespace-mapping <source_to_destination_namespace_mapping> -n <application_namespace>

Restore from a backup to the original namespace

You can restore a backup to the original namespace at any time.

Use a CR
Steps

  1. Create the custom resource (CR) file and name it trident-protect-backup-ipr-cr.yaml.

  2. In the file you created, configure the following attributes:

    • metadata.name: (Required) The name of this custom resource; choose a unique and sensible name for your environment.

    • spec.appArchivePath: The path inside AppVault where the backup contents are stored. You can use the following command to find this path:

      kubectl get backups <BACKUP_NAME> -n my-app-namespace -o jsonpath='{.status.appArchivePath}'

    • spec.appVaultRef: (Required) The name of the AppVault where the backup contents are stored.

      For example:

      ---
apiVersion: protect.trident.netapp.io/v1
kind: BackupInplaceRestore
metadata:
  name: my-cr-name
  namespace: my-app-namespace
spec:
  appArchivePath: my-backup-path
  appVaultRef: appvault-name

  3. (Optional) If you need to select only certain resources of the application to restore, add filtering that includes or excludes resources marked with particular labels:

    • resourceFilter.resourceSelectionCriteria: (Required for filtering) Use Include or Exclude to include or exclude a resource defined in resourceMatchers. Add the following resourceMatchers parameters to define the resources to be included or excluded:

      • resourceFilter.resourceMatchers: An array of resourceMatcher objects. If you define multiple elements in this array, they match as an OR operation, and the fields inside each element (group, kind, version) match as an AND operation.

        • resourceMatchers[].group: (Optional) Group of the resource to be filtered.

        • resourceMatchers[].kind: (Optional) Kind of the resource to be filtered.

        • resourceMatchers[].version: (Optional) Version of the resource to be filtered.

        • resourceMatchers[].names: (Optional) Names in the Kubernetes metadata.name field of the resource to be filtered.

        • resourceMatchers[].namespaces: (Optional) Namespaces in the Kubernetes metadata.name field of the resource to be filtered.

        • resourceMatchers[].labelSelectors: (Optional) Label selector string in the Kubernetes metadata.name field of the resource as defined in the Kubernetes documentation. For example: "trident.netapp.io/os=linux".

          For example:

          spec:
  resourceFilter:
    resourceSelectionCriteria: "Include"
    resourceMatchers:
      - group: my-resource-group-1
        kind: my-resource-kind-1
        version: my-resource-version-1
        names: ["my-resource-names"]
        namespaces: ["my-resource-namespaces"]
        labelSelectors: ["trident.netapp.io/os=linux"]
      - group: my-resource-group-2
        kind: my-resource-kind-2
        version: my-resource-version-2
        names: ["my-resource-names"]
        namespaces: ["my-resource-namespaces"]
        labelSelectors: ["trident.netapp.io/os=linux"]

  4. After you populate the trident-protect-backup-ipr-cr.yaml file with the correct values, apply the CR:

    kubectl apply -f trident-protect-backup-ipr-cr.yaml
Use the CLI
Steps

  1. Restore the backup to the original namespace, replacing values in brackets with information from your environment. The backup argument uses a namespace and backup name in the format <namespace>/<name>. For example:

    tridentctl-protect create backupinplacerestore <my_restore_name> --backup <namespace/backup_to_restore> -n <application_namespace>

Restore from a backup to a different cluster

You can restore a backup to a different cluster if there is an issue with the original cluster.

Before you begin

Ensure the following prerequisites are met:

  • The destination cluster has Trident protect installed.

  • The destination cluster has access to the bucket path of the same AppVault as the source cluster, where the backup is stored.

Steps

  1. Check the availability of the AppVault CR on the destination cluster using Trident protect CLI plugin:

    tridentctl-protect get appvault --context <destination_cluster_name>
    Note Ensure that the namespace intended for the application restore exists on the destination cluster.

  2. View the backup contents of the available AppVault from the destination cluster:

    tridentctl-protect get appvaultcontent <appvault_name> --show-resources backup --show-paths --context <destination_cluster_name>

    Running this command displays the available backups in the AppVault, including their originating clusters, corresponding application names, timestamps, and archive paths.

    Example output:

    +-------------+-----------+--------+-----------------+--------------------------+-------------+
|   CLUSTER   |    APP    |  TYPE  |      NAME       |        TIMESTAMP         |    PATH     |
+-------------+-----------+--------+-----------------+--------------------------+-------------+
| production1 | wordpress | backup | wordpress-bkup-1| 2024-10-30 08:37:40 (UTC)| backuppath1 |
| production1 | wordpress | backup | wordpress-bkup-2| 2024-10-30 08:37:40 (UTC)| backuppath2 |
+-------------+-----------+--------+-----------------+--------------------------+-------------+

  3. Restore the application to the destination cluster using the AppVault name and archive path:

Use a CR

  1. Create the custom resource (CR) file and name it trident-protect-backup-restore-cr.yaml.

  2. In the file you created, configure the following attributes:

    • metadata.name: (Required) The name of this custom resource; choose a unique and sensible name for your environment.

    • spec.appVaultRef: (Required) The name of the AppVault where the backup contents are stored.

    • spec.appArchivePath: The path inside AppVault where the backup contents are stored. You can use the following command to find this path:

      kubectl get backups <BACKUP_NAME> -n my-app-namespace -o jsonpath='{.status.appArchivePath}'
      Note If BackupRestore CR is not available, you can use the command mentioned in step 2 to view the backup contents.

    • spec.namespaceMapping: The mapping of the source namespace of the restore operation to the destination namespace. Replace my-source-namespace and my-destination-namespace with information from your environment.

      For example:

      apiVersion: protect.trident.netapp.io/v1
kind: BackupRestore
metadata:
  name: my-cr-name
  namespace: my-destination-namespace
spec:
  appVaultRef: appvault-name
  appArchivePath: my-backup-path
  namespaceMapping: [{"source": "my-source-namespace", "destination": "my-destination-namespace"}]

  3. After you populate the trident-protect-backup-restore-cr.yaml file with the correct values, apply the CR:

    kubectl apply -f trident-protect-backup-restore-cr.yaml
Use the CLI

  1. Use the following command to restore the application, replacing values in brackets with information from your environment. The namespace-mapping argument uses colon-separated namespaces to map source namespaces to the correct destination namespaces in the format source1:dest1,source2:dest2. For example:

    tridentctl-protect create backuprestore <restore_name> --namespace-mapping <source_to_destination_namespace_mapping> --appvault <appvault_name> --path <backup_path> -n <application_namespace> --context <destination_cluster_name>

Restore from a snapshot to a different namespace

You can restore data from a snapshot using a custom resource (CR) file either to a different namespace or the original source namespace. When you restore a snapshot to a different namespace using a SnapshotRestore CR, Trident protect restores the application in a new namespace and creates an application CR for the restored application. To protect the restored application, create on-demand backups or snapshots, or establish a protection schedule.

Use a CR
Steps

  1. Create the custom resource (CR) file and name it trident-protect-snapshot-restore-cr.yaml.

  2. In the file you created, configure the following attributes:

    • metadata.name: (Required) The name of this custom resource; choose a unique and sensible name for your environment.

    • spec.appVaultRef: (Required) The name of the AppVault where the snapshot contents are stored.

    • spec.appArchivePath: The path inside AppVault where the snapshot contents are stored. You can use the following command to find this path:

      kubectl get snapshots <SNAPHOT_NAME> -n my-app-namespace -o jsonpath='{.status.appArchivePath}'

    • spec.namespaceMapping: The mapping of the source namespace of the restore operation to the destination namespace. Replace my-source-namespace and my-destination-namespace with information from your environment.

    • spec.storageClassMapping: The mapping of the source storage class of the restore operation to the destination storage class. Replace destinationStorageClass and sourceStorageClass with information from your environment.

      ---
apiVersion: protect.trident.netapp.io/v1
kind: SnapshotRestore
metadata:
  name: my-cr-name
  namespace: my-app-namespace
spec:
  appVaultRef: appvault-name
  appArchivePath: my-snapshot-path
  namespaceMapping: [{"source": "my-source-namespace", "destination": "my-destination-namespace"}]
  storageClassMapping:
    destination: "${destinationStorageClass}"
    source: "${sourceStorageClass}"

  3. (Optional) If you need to select only certain resources of the application to restore, add filtering that includes or excludes resources marked with particular labels:

    • resourceFilter.resourceSelectionCriteria: (Required for filtering) Use Include or Exclude to include or exclude a resource defined in resourceMatchers. Add the following resourceMatchers parameters to define the resources to be included or excluded:

      • resourceFilter.resourceMatchers: An array of resourceMatcher objects. If you define multiple elements in this array, they match as an OR operation, and the fields inside each element (group, kind, version) match as an AND operation.

        • resourceMatchers[].group: (Optional) Group of the resource to be filtered.

        • resourceMatchers[].kind: (Optional) Kind of the resource to be filtered.

        • resourceMatchers[].version: (Optional) Version of the resource to be filtered.

        • resourceMatchers[].names: (Optional) Names in the Kubernetes metadata.name field of the resource to be filtered.

        • resourceMatchers[].namespaces: (Optional) Namespaces in the Kubernetes metadata.name field of the resource to be filtered.

        • resourceMatchers[].labelSelectors: (Optional) Label selector string in the Kubernetes metadata.name field of the resource as defined in the Kubernetes documentation. For example: "trident.netapp.io/os=linux".

          For example:

          spec:
  resourceFilter:
    resourceSelectionCriteria: "Include"
    resourceMatchers:
      - group: my-resource-group-1
        kind: my-resource-kind-1
        version: my-resource-version-1
        names: ["my-resource-names"]
        namespaces: ["my-resource-namespaces"]
        labelSelectors: ["trident.netapp.io/os=linux"]
      - group: my-resource-group-2
        kind: my-resource-kind-2
        version: my-resource-version-2
        names: ["my-resource-names"]
        namespaces: ["my-resource-namespaces"]
        labelSelectors: ["trident.netapp.io/os=linux"]

  4. After you populate the trident-protect-snapshot-restore-cr.yaml file with the correct values, apply the CR:

    kubectl apply -f trident-protect-snapshot-restore-cr.yaml
Use the CLI
Steps

  1. Restore the snapshot to a different namespace, replacing values in brackets with information from your environment.

    • The snapshot argument uses a namespace and snapshot name in the format <namespace>/<name>.

    • The namespace-mapping argument uses colon-separated namespaces to map source namespaces to the correct destination namespaces in the format source1:dest1,source2:dest2.

      For example:

      tridentctl-protect create snapshotrestore <my_restore_name> --snapshot <namespace/snapshot_to_restore> --namespace-mapping <source_to_destination_namespace_mapping> -n <application_namespace>

Restore from a snapshot to the original namespace

You can restore a snapshot to the original namespace at any time.

Use a CR
Steps

  1. Create the custom resource (CR) file and name it trident-protect-snapshot-ipr-cr.yaml.

  2. In the file you created, configure the following attributes:

    • metadata.name: (Required) The name of this custom resource; choose a unique and sensible name for your environment.

    • spec.appVaultRef: (Required) The name of the AppVault where the snapshot contents are stored.

    • spec.appArchivePath: The path inside AppVault where the snapshot contents are stored. You can use the following command to find this path:

      kubectl get snapshots <SNAPSHOT_NAME> -n my-app-namespace -o jsonpath='{.status.appArchivePath}'
      ---
apiVersion: protect.trident.netapp.io/v1
kind: SnapshotInplaceRestore
metadata:
  name: my-cr-name
  namespace: my-app-namespace
spec:
  appVaultRef: appvault-name
    appArchivePath: my-snapshot-path

  3. (Optional) If you need to select only certain resources of the application to restore, add filtering that includes or excludes resources marked with particular labels:

    • resourceFilter.resourceSelectionCriteria: (Required for filtering) Use Include or Exclude to include or exclude a resource defined in resourceMatchers. Add the following resourceMatchers parameters to define the resources to be included or excluded:

      • resourceFilter.resourceMatchers: An array of resourceMatcher objects. If you define multiple elements in this array, they match as an OR operation, and the fields inside each element (group, kind, version) match as an AND operation.

        • resourceMatchers[].group: (Optional) Group of the resource to be filtered.

        • resourceMatchers[].kind: (Optional) Kind of the resource to be filtered.

        • resourceMatchers[].version: (Optional) Version of the resource to be filtered.

        • resourceMatchers[].names: (Optional) Names in the Kubernetes metadata.name field of the resource to be filtered.

        • resourceMatchers[].namespaces: (Optional) Namespaces in the Kubernetes metadata.name field of the resource to be filtered.

        • resourceMatchers[].labelSelectors: (Optional) Label selector string in the Kubernetes metadata.name field of the resource as defined in the Kubernetes documentation. For example: "trident.netapp.io/os=linux".

          For example:

          spec:
  resourceFilter:
    resourceSelectionCriteria: "Include"
    resourceMatchers:
      - group: my-resource-group-1
        kind: my-resource-kind-1
        version: my-resource-version-1
        names: ["my-resource-names"]
        namespaces: ["my-resource-namespaces"]
        labelSelectors: ["trident.netapp.io/os=linux"]
      - group: my-resource-group-2
        kind: my-resource-kind-2
        version: my-resource-version-2
        names: ["my-resource-names"]
        namespaces: ["my-resource-namespaces"]
        labelSelectors: ["trident.netapp.io/os=linux"]

  4. After you populate the trident-protect-snapshot-ipr-cr.yaml file with the correct values, apply the CR:

    kubectl apply -f trident-protect-snapshot-ipr-cr.yaml
Use the CLI
Steps

  1. Restore the snapshot to the original namespace, replacing values in brackets with information from your environment. For example:

    tridentctl-protect create snapshotinplacerestore <my_restore_name> --snapshot <snapshot_to_restore> -n <application_namespace>

Check the status of a restore operation

You can use the command line to check the status of a restore operation that is in progress, has completed, or has failed.

Steps

  1. Use the following command to retrieve status of the restore operation, replacing values in brackes with information from your environment:

    kubectl get backuprestore -n <namespace_name> <my_restore_cr_name> -o jsonpath='{.status}'