The etcd-backup-operator takes backups of ETCD instances on both the control plane and tenant clusters.
The operator is meant to be run on the management cluster and can perform both V2 and V3 ETCD backup.
main- When released, it triggers a deployment on all installations.
Clone the Git repository: https://github.com/giantswarm/etcd-backup-operator.git
Build it using the standard go build command.
cd etcd-backup-operator
go build
Use opsctl the usual way. This project uses the app method (opsctl deploy ... -m app).
Example command run:
export AWS_ACCESS_KEY_ID=<S3 access key ID>
export AWS_SECRET_ACCESS_KEY=<S3 secret access key>
go run -mod=vendor main.go daemon \
--service.kubernetes.incluster="true" \
--service.s3.bucket=<S3 bucket> \
--service.s3.region=<S3 region> \
--service.etcdv2.datadir="<Path of the directory where the V2 ETCD data is stored>" \
--service.etcdv3.cacert=<Path of the ETCD CA file> \
--service.etcdv3.cert=<Path of the ETCD Cert file> \
--service.etcdv3.key=<Path of the ETCD Private Key file> \
--service.etcdv3.endpoints=<URL to connect to ETCD with V3 protocol>
--service.kubernetes.incluster: (Optional, defaults tofalse) Whether to use the in-cluster config to authenticate with Kubernetes.--service.kubernetes.address: (Optional, defaults tohttp://127.0.0.1:6443) Address used to connect to Kubernetes. When empty in-cluster config is created.--service.kubernetes.kubeconfig: (Optional) KubeConfig (formatted as JSON string) used to connect to Kubernetes. When empty other settings are used.--service.kubernetes.tls.cafile: (Optional) Certificate authority file path to use to authenticate with Kubernetes.--service.kubernetes.tls.crtfile: (Optional) Certificate file path to use to authenticate with Kubernetes.--service.kubernetes.tls.keyfile: (Optional) Key file path to use to authenticate with Kubernetes.
--service.s3.bucket: (Required) AWS S3 Bucket name.--service.s3.region: (Required) AWS S3 Region name.--service.s3.endpoint: (Optional) Custom S3 endpoint URL.--service.s3.force-path-style: (Optional, defaults tofalse) Enable path-style S3 URLs.
--service.enableIRSA: (Optional, defaults tofalse) Enable IAM Roles for Service Accounts (IRSA) for S3 access instead of using static credentials.--service.roleArn: (Optional) AWS IAM Role ARN to use when IRSA is enabled.
There are two ways to authenticate with AWS for S3 access:
-
Static Credentials (default method):
- Set environment variables
AWS_ACCESS_KEY_IDandAWS_SECRET_ACCESS_KEY
- Set environment variables
-
IAM Roles for Service Accounts (IRSA):
- Enable with
--service.enableIRSA=true - Specify the role ARN with
--service.roleArn=arn:aws:iam::ACCOUNT_ID:role/ROLE_NAME - Ensure the Kubernetes service account is properly annotated with
eks.amazonaws.com/role-arn - No static credentials needed when using IRSA
- Enable with
When IRSA is enabled, the operator will use the AWS SDK's credential chain to authenticate, which will automatically use the IAM role associated with the service account.
--service.etcdv2.datadir: (Optional, see below for details) ETCD v2 Data Dir path.--service.etcdv3.cert: (Optional, see below for details) Client certificate for ETCD v3 connection--service.etcdv3.cacert: (Optional, see below for details) Client CA certificate for ETCD v3 connection--service.etcdv3.key: (Optional, see below for details) Client private key for ETCD v3 connection--service.etcdv3.endpoints: (Optional, see below for details)
Either service.etcdv2.datadir or all other fields are mandatory.
You can specify all of them as well (and you'll enable both V2 and V3 backups).
AWS_ACCESS_KEY_ID: (Required) The AWS access key ID, used to upload the backup files to AWS S3.AWS_SECRET_ACCESS_KEY: (Required) The AWS secret access key, used to upload the backup files to AWS S3.
You can schedule different cron datetimes to different clusters like it is explain here:
schedules:
- cronjob: 0 */6 * * *
clusters: '^(?!<cluster-id>)' # all clusters but the id defined
- cronjob: 0 3 * * * *
clusters: '<cluster-id>' # only one clusteretcd-backup-operator is under the Apache 2.0 license. See the LICENSE file for details.