|
本文档采用自动化机器翻译技术翻译。 尽管我们力求提供准确的译文,但不对翻译内容的完整性、准确性或可靠性作出任何保证。 若出现任何内容不一致情况,请以原始 英文 版本为准,且原始英文版本为权威文本。 |
备份和恢复示例
本节包含备份和恢复自定义资源的示例。
默认备份存储位置在安装或升级`rancher-backup`操作员时配置。
只有在恢复自定义资源使用与创建备份时相同的加密配置密钥时,才能恢复加密备份。
备份
本节包含示例备份自定义资源。
| 有关配置以下选项的更多信息,请参阅备份配置参考页面。 |
在默认位置进行加密备份
apiVersion: resources.cattle.io/v1
kind: Backup
metadata:
name: default-location-encrypted-backup
spec:
resourceSetName: rancher-resource-set-full
encryptionConfigSecretName: encryptionconfig在默认位置进行定期备份
apiVersion: resources.cattle.io/v1
kind: Backup
metadata:
name: default-location-recurring-backup
spec:
resourceSetName: rancher-resource-set-basic
schedule: "@every 1h"
retentionCount: 10在默认位置进行加密定期备份
apiVersion: resources.cattle.io/v1
kind: Backup
metadata:
name: default-enc-recurring-backup
spec:
resourceSetName: rancher-resource-set-full
encryptionConfigSecretName: encryptionconfig
schedule: "@every 1h"
retentionCount: 3在Minio中进行加密备份
apiVersion: resources.cattle.io/v1
kind: Backup
metadata:
name: minio-backup
spec:
storageLocation:
s3:
credentialSecretName: minio-creds
credentialSecretNamespace: default
bucketName: rancherbackups
endpoint: minio.xip.io
endpointCA: <base64-encoded-cert>
resourceSetName: rancher-resource-set-full
encryptionConfigSecretName: encryptionconfig使用AWS凭证密钥在S3中备份
apiVersion: resources.cattle.io/v1
kind: Backup
metadata:
name: s3-backup
spec:
storageLocation:
s3:
credentialSecretName: s3-creds
credentialSecretNamespace: default
bucketName: rancher-backups
folder: ecm1
region: us-west-2
endpoint: s3.us-west-2.amazonaws.com
resourceSetName: rancher-resource-set-full
encryptionConfigSecretName: encryptionconfig使用AWS凭证密钥在S3中进行定期备份
apiVersion: resources.cattle.io/v1
kind: Backup
metadata:
name: s3-recurring-backup
spec:
storageLocation:
s3:
credentialSecretName: s3-creds
credentialSecretNamespace: default
bucketName: rancher-backups
folder: ecm1
region: us-west-2
endpoint: s3.us-west-2.amazonaws.com
resourceSetName: rancher-resource-set-full
encryptionConfigSecretName: encryptionconfig
schedule: "@every 1h"
retentionCount: 10从具有访问S3权限的EC2节点备份
此示例表明,如果运行`rancher-backup`的节点具有这些访问S3的权限,则不必提供AWS凭证密钥以创建备份。
apiVersion: resources.cattle.io/v1
kind: Backup
metadata:
name: s3-iam-backup
spec:
storageLocation:
s3:
bucketName: rancher-backups
folder: ecm1
region: us-west-2
endpoint: s3.us-west-2.amazonaws.com
resourceSetName: rancher-resource-set-full
encryptionConfigSecretName: encryptionconfig恢复
本节包含示例恢复自定义资源。
| 有关配置以下选项的更多信息,请参阅恢复配置参考页面。 |
使用默认备份文件位置进行恢复
apiVersion: resources.cattle.io/v1
kind: Restore
metadata:
name: restore-default
spec:
backupFilename: default-location-recurring-backup-752ecd87-d958-4d20-8350-072f8d090045-2020-09-26T12-29-54-07-00.tar.gz
# encryptionConfigSecretName: test-encryptionconfig用于Rancher迁移的恢复
apiVersion: resources.cattle.io/v1
kind: Restore
metadata:
name: restore-migration
spec:
backupFilename: backup-b0450532-cee1-4aa1-a881-f5f48a007b1c-2020-09-15T07-27-09Z.tar.gz
prune: false
storageLocation:
s3:
credentialSecretName: s3-creds
credentialSecretNamespace: default
bucketName: rancher-backups
folder: ecm1
region: us-west-2
endpoint: s3.us-west-2.amazonaws.com从加密备份中恢复
apiVersion: resources.cattle.io/v1
kind: Restore
metadata:
name: restore-encrypted
spec:
backupFilename: default-test-s3-def-backup-c583d8f2-6daf-4648-8ead-ed826c591471-2020-08-24T20-47-05Z.tar.gz
encryptionConfigSecretName: encryptionconfig从Minio恢复加密备份
apiVersion: resources.cattle.io/v1
kind: Restore
metadata:
name: restore-minio
spec:
backupFilename: default-minio-backup-demo-aa5c04b7-4dba-4c48-9ac4-ab7916812eaa-2020-08-30T13-18-17-07-00.tar.gz
storageLocation:
s3:
credentialSecretName: minio-creds
credentialSecretNamespace: default
bucketName: rancherbackups
endpoint: minio.xip.io
endpointCA: <base64-encoded-cert>
encryptionConfigSecretName: test-encryptionconfig使用AWS凭证密钥从备份恢复以访问S3
apiVersion: resources.cattle.io/v1
kind: Restore
metadata:
name: restore-s3-demo
spec:
backupFilename: test-s3-recurring-backup-752ecd87-d958-4d20-8350-072f8d090045-2020-09-26T12-49-34-07-00.tar.gz.enc
storageLocation:
s3:
credentialSecretName: s3-creds
credentialSecretNamespace: default
bucketName: rancher-backups
folder: ecm1
region: us-west-2
endpoint: s3.us-west-2.amazonaws.com
encryptionConfigSecretName: test-encryptionconfig从具有IAM权限的EC2节点恢复以访问S3
此示例表明,如果运行`rancher-backup`的节点具有这些访问S3的权限,则不必提供AWS凭证密钥以从备份恢复。
apiVersion: resources.cattle.io/v1
kind: Restore
metadata:
name: restore-s3-demo
spec:
backupFilename: default-test-s3-recurring-backup-84bf8dd8-0ef3-4240-8ad1-fc7ec308e216-2020-08-24T10#52#44-07#00.tar.gz
storageLocation:
s3:
bucketName: rajashree-backup-test
folder: ecm1
region: us-west-2
endpoint: s3.us-west-2.amazonaws.com
encryptionConfigSecretName: test-encryptionconfig示例加密配置
下面的片段演示了两种不同类型的 Secret 及其与自定义资源的备份和恢复的相关性。可以使用以下命令创建 Secret:
kubectl create secret generic example-encryptionconfig \
--from-file=./encryption-provider-config.yaml \
-n cattle-resources-system第一个示例是用于加密备份文件的 Secret。备份操作员将读取encryption-provider-config.yaml键的内容,该内容包含以Base64编码的EncryptionConfiguration资源的定义。
第二个示例是Kubernetes EncryptionConfiguration资源本身,是第一个示例中Base64编码内容的明文形式。该资源还用于对存储在etcd中的Secret进行加密,以及Kubernetes中静态加密的常见情况。有关更多信息,请参见 上游文档。在此资源中定义的密钥对于访问加密备份的内容至关重要,特别是在恢复过程中。因此,这些密钥必须保持安全、机密并且易于检索。
apiVersion: v1
data:
encryption-provider-config.yaml: YXBpVmVyc2lvbjogYXBpc2VydmVyLmNvbmZpZy5rOHMuaW8vdjEKa2luZDogRW5jcnlwdGlvbkNvbmZpZ3VyYXRpb24KcmVzb3VyY2VzOgogIC0gcmVzb3VyY2VzOgogICAgICAtIHNlY3JldHMKICAgIHByb3ZpZGVyczoKICAgICAgLSBhZXNnY206CiAgICAgICAgICBrZXlzOgogICAgICAgICAgICAtIG5hbWU6IGtleTEKICAgICAgICAgICAgICBzZWNyZXQ6IGMyVmpjbVYwSUdseklITmxZM1Z5WlE9PQogICAgICAgICAgICAtIG5hbWU6IGtleTIKICAgICAgICAgICAgICBzZWNyZXQ6IGRHaHBjeUJwY3lCd1lYTnpkMjl5WkE9PQogICAgICAtIGFlc2NiYzoKICAgICAgICAgIGtleXM6CiAgICAgICAgICAgIC0gbmFtZToga2V5MQogICAgICAgICAgICAgIHNlY3JldDogYzJWamNtVjBJR2x6SUhObFkzVnlaUT09CiAgICAgICAgICAgIC0gbmFtZToga2V5MgogICAgICAgICAgICAgIHNlY3JldDogZEdocGN5QnBjeUJ3WVhOemQyOXlaQT09CiAgICAgIC0gc2VjcmV0Ym94OgogICAgICAgICAga2V5czoKICAgICAgICAgICAgLSBuYW1lOiBrZXkxCiAgICAgICAgICAgICAgc2VjcmV0OiBZV0pqWkdWbVoyaHBhbXRzYlc1dmNIRnljM1IxZG5kNGVYb3hNak0wTlRZPQ==
kind: Secret
metadata:
name: example-encryptionconfig
namespace: cattle-resources-system
type: OpaqueapiVersion: apiserver.config.k8s.io/v1
kind: EncryptionConfiguration
resources:
- resources:
- secrets
providers:
- aesgcm:
keys:
- name: key1
secret: c2VjcmV0IGlzIHNlY3VyZQ==
- name: key2
secret: dGhpcyBpcyBwYXNzd29yZA==
- aescbc:
keys:
- name: key1
secret: c2VjcmV0IGlzIHNlY3VyZQ==
- name: key2
secret: dGhpcyBpcyBwYXNzd29yZA==
- secretbox:
keys:
- name: key1
secret: YWJjZGVmZ2hpamtsbW5vcHFyc3R1dnd4eXoxMjM0NTY=