
You can use OpenShift API for Data Protection (OADP) with Red Hat OpenShift Service on AWS (ROSA) clusters to back up and restore application data. A ROSA deployment of OpenShift is configured specifically for AWS services.

Installing OADP on Red Hat OpenShift Service on AWS with AWS STS

AWS Security Token Service (AWS STS) is a global web service that provides short-term credentials for IAM or federated users. Red Hat OpenShift Service on AWS (ROSA) with STS is the recommended credential mode for ROSA clusters. This document describes how to install OpenShift API for Data Protection (OADP) on ROSA with AWS STS.

Restic is not supported in the OADP on ROSA with AWS STS environment. Ensure the Restic service is disabled. Use native snapshots to back up volumes. See Known Issues for more information.

Prerequisites
  • A ROSA OpenShift Cluster with the required access and tokens.

  • A default Secret, if your backup and snapshot locations use the same credentials, or if you do not require a snapshot location.

Procedure
  1. Create an OpenShift secret from your AWS token file by entering the following commands:

    1. Create the credentials file:

      $ cat <<EOF > ${SCRATCH}/credentials
      [default]
      role_arn = ${ROLE_ARN}
      web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
      EOF
    2. Create the OpenShift secret:

      $ oc -n openshift-adp create secret generic cloud-credentials \
        --from-file=${SCRATCH}/credentials
  2. Install the OADP Operator.

    1. In the Red Hat OpenShift Service on AWS web console, navigate to Operators → OperatorHub.

    2. Search for the OADP Operator, then click Install.

  3. Create AWS cloud storage using your AWS credentials:

    $ cat << EOF | oc create -f -
    apiVersion: oadp.openshift.io/v1alpha1
    kind: CloudStorage
    metadata:
      name: ${CLUSTER_NAME}-oadp
      namespace: openshift-adp
    spec:
      creationSecret:
        key: credentials
        name: cloud-credentials
      enableSharedConfig: true
      name: ${CLUSTER_NAME}-oadp
      provider: aws
      region: $REGION
    EOF
  4. Create the DataProtectionApplication resource, which is used to configure the connection to the storage where the backups and volume snapshots will be stored:

    $ cat << EOF | oc create -f -
    apiVersion: oadp.openshift.io/v1alpha1
    kind: DataProtectionApplication
    metadata:
      name: ${CLUSTER_NAME}-dpa
      namespace: openshift-adp
    spec:
      backupLocations:
      - bucket:
          cloudStorageRef:
            name: ${CLUSTER_NAME}-oadp
          credential:
            key: credentials
            name: cloud-credentials
          default: true
      configuration:
        velero:
          defaultPlugins:
          - openshift
          - aws
        restic:
          enable: false
      volumeSnapshots:
      - velero:
          config:
            credentialsFile: /tmp/credentials/openshift-adp/cloud-credentials-credentials
            enableSharedConfig: "true"
            region: ${REGION}
          provider: aws
    EOF

    The enable parameter of restic is set to false in this configuration because OADP does not support Restic in ROSA environments.

    You are now ready to back up and restore OpenShift applications, as described in the OADP documentation.
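
The following pre-flight check for the credentials file written in step 1 is an added example, not part of the original procedure or of OADP. It confirms that the `[default]` profile carries only a role ARN and the service account token path, with no long-lived AWS keys. The helper names `check_sts_credentials` and `profile_value`, the account ID and the role name are assumptions made for illustration.

```shell
# Added example; check_sts_credentials and profile_value are hypothetical helper names.
EXPECTED_TOKEN_FILE="/var/run/secrets/openshift/serviceaccount/token"  # path used in step 1

# Print the value of key $2 from the [default] profile of file $1.
profile_value() {
  awk -v key="$2" '
    /^[ \t]*\[/ { in_default = ($0 ~ /^[ \t]*\[default\][ \t]*$/); next }
    in_default && index($0, "=") > 0 {
      k = substr($0, 1, index($0, "=") - 1); gsub(/[ \t]/, "", k)
      if (k == key) {
        v = substr($0, index($0, "=") + 1)
        gsub(/^[ \t]+|[ \t]+$/, "", v); print v; exit
      }
    }' "$1"
}

# Return 0 only if file $1 relies on web identity (STS) and holds no static keys.
check_sts_credentials() {
  local file rc role token
  file=$1; rc=0
  [ -r "$file" ] || { echo "FAIL: cannot read $file" >&2; return 2; }

  # Long-lived keys in any profile defeat the short-term credential model.
  if grep -Eiq '^[[:space:]]*aws_(access_key_id|secret_access_key)[[:space:]]*=' "$file"; then
    echo "FAIL: static AWS keys present in $file" >&2; rc=1
  fi

  # An unset ROLE_ARN expands to nothing in the heredoc and leaves this empty.
  role=$(profile_value "$file" role_arn)
  if ! printf '%s\n' "$role" | grep -Eq '^arn:aws[a-z-]*:iam::[0-9]{12}:role/.+$'; then
    echo "FAIL: role_arn is not an IAM role ARN: '$role'" >&2; rc=1
  fi

  token=$(profile_value "$file" web_identity_token_file)
  if [ "$token" != "$EXPECTED_TOKEN_FILE" ]; then
    echo "FAIL: unexpected web_identity_token_file: '$token'" >&2; rc=1
  fi

  [ "$rc" -eq 0 ] && echo "OK: $file uses web identity credentials only"
  return "$rc"
}

# Constructed sample (placeholder account ID and role name), then the check.
sample=$(mktemp)
printf '[default]\nrole_arn = %s\nweb_identity_token_file = %s\n' \
  "arn:aws:iam::123456789012:role/example-oadp-role" "$EXPECTED_TOKEN_FILE" > "$sample"
check_sts_credentials "$sample"
rm -f "$sample"
```

Run `check_sts_credentials "${SCRATCH}/credentials"` before the `oc create secret` command in step 1, so that an empty or malformed `role_arn` is caught before it is stored in the cluster.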