This project sets up a CronJob running the basic project backup script project_export.sh on GitHub. The basic project backup script only backs up v1 API version objects; for the list of backed-up objects, see scripts/project_export.sh Line 2-5.
Please note that no attempt is made to back up the contents of databases or mounted persistent volumes. This backup focuses on the API objects stored in etcd.
Admin access is required at the start (to create the project and the cluster-reader and secret-reader ClusterRoleBindings for the service account), but from then on access is strictly controlled.
NOTE: secret-reader is only needed if you intend to back up Secrets. To not back up Secrets, use the template-no-secret-backup.yml. The template.yml will back up Secrets and other objects.
See the exports file for an example, which can directly be used with Set the timer.
| Name | Default | Description |
|---|---|---|
| BACKUP_SECRETS | true | If Secrets should also be backed up. |
| OPENSHIFT_BACKUP_NAME | openshift-backup | Name of each API object |
| OPENSHIFT_BACKUP_NAMESPACE | cluster-backup | The project that is created for the test runner |
| OPENSHIFT_BACKUP_CAPACITY | 2Gi | Create a PersistentVolumeClaim with this size and use it to store the backups. |
| OPENSHIFT_BACKUP_SCHEDULE | 15 0 * * * | The schedule at which the backup CronJob will be run. |

| Filename | Description |
|---|---|
| template.yml | Backup CronJob which runs on cluster-reader and "custom" cluster-secret-reader (Cluster)Roles. |
| template-no-secret.yml | Same as template.yml but does not backup secrets. |
| template-non-admin-*.yml | Backup CronJob which can be run as non cluster-reader/cluster-admin User. Must have edit permissions to the projects that should be backed up. |

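To confirm that the service account really ends up read-only after setup, its permissions can be audited by impersonation. The script below is an added example, not part of this repository; it assumes the default names from the configuration table, an `OC` override variable introduced here for dry runs, and a caller who is allowed to impersonate service accounts.

```shell
#!/bin/sh
# Added example (not from this repo): audit the backup service account's RBAC.
# Run as a user allowed to impersonate service accounts (e.g. cluster-admin).
NS="${OPENSHIFT_BACKUP_NAMESPACE:-cluster-backup}"   # defaults from the configuration table
NAME="${OPENSHIFT_BACKUP_NAME:-openshift-backup}"
OC="${OC:-oc}"   # assumption: overridable so the logic can be exercised against a stub

# can_i VERB RESOURCE: exit 0 if the service account may do this in all namespaces
can_i() {
  "$OC" auth can-i "$1" "$2" --all-namespaces \
    --as="system:serviceaccount:${NS}:${NAME}" >/dev/null 2>&1
}

# audit_backup_sa: print MISSING/EXCESS findings, exit non-zero if there are any
audit_backup_sa() {
  failures=0
  # Read access the export needs (resource types seen in the backup output).
  for res in namespaces rolebindings serviceaccounts; do
    for verb in get list; do
      if ! can_i "$verb" "$res"; then
        echo "MISSING: $verb $res"; failures=$((failures + 1))
      fi
    done
  done
  # Secrets should be readable only when BACKUP_SECRETS is true.
  if can_i get secrets; then
    if [ "${BACKUP_SECRETS:-true}" != "true" ]; then
      echo "EXCESS: get secrets"; failures=$((failures + 1))
    fi
  elif [ "${BACKUP_SECRETS:-true}" = "true" ]; then
    echo "MISSING: get secrets"; failures=$((failures + 1))
  fi
  # A backup account should never hold write verbs.
  for res in secrets rolebindings pods; do
    for verb in create update patch delete; do
      if can_i "$verb" "$res"; then
        echo "EXCESS: $verb $res"; failures=$((failures + 1))
      fi
    done
  done
  [ "$failures" -eq 0 ]
}
```

Call `audit_backup_sa` after `make`; any `EXCESS` line means the service account holds more than the read access the backup needs.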
$ make
In addition to the CronJob running nightly backups, you can trigger a backup any time by opening a remote shell on the pod. This pod is also useful for retrieving (and restoring!) what you have backed up.
Let's start by backing up all projects in your cluster:
$ oc project
Using project "cluster-backup" on server "https://127.0.0.1:8443".
$ POD=$(oc get po | grep openshift-backup.*Running | head -n1 | awk '{ print $1 }')
$ oc rsh ${POD} openshift-backup
Processing 'myproject'
Exporting namespace to api-guidelines/ns.json
Exporting rolebindings to api-guidelines/rolebindings.json
Exporting serviceaccounts to api-guidelines/serviceaccounts.json
...
You can skip this step if you're happy to use the Docker Hub image that accompanies this repo (gerald1248/openshift-backup).
$ make build-docker-image
The current version is built from this repo. It sacrifices the small footprint of the Alpine-based original for readily installable oc binaries and CentOS/RHEL compatibility.
Call make clean to remove the project cluster-backup and the rolebinding that gives the serviceaccount openshift-backup read-only access to all projects.
These are only present as a scaffold for now. Run:
$ make test

