Red Hat Summit Red Hat SummitSupportConsoleDevelopersStart a trialContact

Backup and restore

Red Hat OpenShift Service on AWS 4

Backing up and restoring your Red Hat OpenShift Service on AWS cluster

Red Hat OpenShift Documentation Team

Abstract

This document provides instructions for backing up your cluster's data and for recovering from various disaster scenarios.

Chapter 1. OADP Application backup and restore
Copy link

The OpenShift API for Data Protection (OADP) product safeguards customer applications on Red Hat OpenShift Service on AWS. It offers comprehensive disaster recovery protection, covering Red Hat OpenShift Service on AWS applications, application-related cluster resources, persistent volumes, and internal images. OADP is also capable of backing up both containerized applications and virtual machines (VMs).

Important

OADP support is applicable to customer workload namespaces and cluster scope resources.

Full cluster backup and restore are not supported.

1.1.1. OpenShift API for Data Protection APIs
Copy link

OADP provides APIs that enable multiple approaches to customizing backups and preventing the inclusion of unnecessary or inappropriate resources.

OADP provides the following APIs:

Expand
Table 1.1. Supported versions of OADP

Version

OCP version

General availability

Full support ends

Maintenance ends

Extended Update Support (EUS)

Extended Update Support Term 2 (EUS Term 2)

1.5

  • 4.19

17 June 2025

Release of 1.6

Release of 1.7

EUS must be on OCP 4.20

EUS Term 2 must be on OCP 4.20

1.4

  • 4.14
  • 4.15
  • 4.16
  • 4.17
  • 4.18

10 Jul 2024

Release of 1.5

Release of 1.6

27 Jun 2026

EUS must be on OCP 4.16

27 Jun 2027

EUS Term 2 must be on OCP 4.16

1.3

  • 4.12
  • 4.13
  • 4.14
  • 4.15

29 Nov 2023

10 Jul 2024

Release of 1.5

31 Oct 2025

EUS must be on OCP 4.14

31 Oct 2026

EUS Term 2 must be on OCP 4.14

Expand
Table 1.2. Previous versions of the OADP Operator which are no longer supported

Version

General availability

Full support ended

Maintenance ended

1.2

14 Jun 2023

29 Nov 2023

10 Jul 2024

1.1

01 Sep 2022

14 Jun 2023

29 Nov 2023

1.0

09 Feb 2022

01 Sep 2022

14 Jun 2023

For more details about EUS, see Extended Update Support.

For more details about EUS Term 2, see Extended Update Support Term 2.

1.2. OADP release notes
Copy link

1.2.1. OADP 1.5 release notes
Copy link

The release notes for OpenShift API for Data Protection (OADP) describe new features and enhancements, deprecated features, product recommendations, known issues, and resolved issues.

Note

For additional information about OADP, see OpenShift API for Data Protection (OADP) FAQs

1.2.1.1. OADP 1.5.3 release notes
Copy link

OpenShift API for Data Protection (OADP) 1.5.3 is a Container Grade Only (CGO) release, which is released to refresh the health grades of the containers. No code was changed in the product itself compared to that of OADP 1.5.2.

1.2.1.2. OADP 1.5.2 release notes
Copy link

The OpenShift API for Data Protection (OADP) 1.5.2 release notes lists resolved issues.

1.2.1.2.1. Resolved issues
Copy link

Self-signed certificate for internal image backup should not break other BSLs

Before this update, OADP would only process the first custom CA certificate found among all backup storage locations (BSLs) and apply it globally. This behavior prevented multiple BSLs with different CA certificates from working correctly. Additionally, system-trusted certificates were not included, causing failures when connecting to standard services. With this update, OADP now:

  • Concatenates all unique CA certificates from AWS BSLs into a single bundle.
  • Includes system-trusted certificates automatically.
  • Enables multiple BSLs with different custom CA certificates to operate simultaneously.
  • Only processes CA certificates when image backup is enabled (default behavior).

This enhancement improves compatibility for environments using multiple storage providers with different certificate requirements, particularly when backing up internal images to AWS S3-compatible storage with self-signed certificates.

OADP-6765

1.2.1.3. OADP 1.5.1 release notes
Copy link

The OpenShift API for Data Protection (OADP) 1.5.1 release notes lists new features, resolved issues, known issues, and deprecated features.

1.2.1.3.1. New features
Copy link

CloudStorage API is fully supported

The CloudStorage API feature, available as a Technology Preview before this update, is fully supported from OADP 1.5.1. The CloudStorage API automates the creation of a bucket for object storage.

OADP-3307

New DataProtectionTest custom resource is available

The DataProtectionTest (DPT) is a custom resource (CR) that provides a framework to validate your OADP configuration. The DPT CR checks and reports information for the following parameters:

  • The upload performance of the backups to the object storage.
  • The Container Storage Interface (CSI) snapshot readiness for persistent volume claims.
  • The storage bucket configuration, such as encryption and versioning.

Using this information in the DPT CR, you can ensure that your data protection environment is properly configured and performing according to the set configuration.

Note that you must configure STORAGE_ACCOUNT_ID when using DPT with OADP on Azure.

OADP-6300

New node agent load affinity configurations are available

  • Node agent load affinity: You can schedule the node agent pods on specific nodes by using the spec.podConfig.nodeSelector object of the DataProtectionApplication (DPA) custom resource (CR). You can add more restrictions on the node agent pods scheduling by using the nodeagent.loadAffinity object in the DPA spec.

  • Repository maintenance job affinity configurations: You can use the repository maintenance job affinity configurations in the DataProtectionApplication (DPA) custom resource (CR) only if you use Kopia as the backup repository.

    You have the option to configure the load affinity at the global level affecting all repositories, or for each repository. You can also use a combination of global and per-repository configuration.

  • Velero load affinity: You can use the podConfig.nodeSelector object to assign the Velero pod to specific nodes. You can also configure the velero.loadAffinity object for pod-level affinity and anti-affinity.

OADP-5832

Node agent load concurrency is available

With this update, users can control the maximum number of node agent operations that can run simultaneously on each node within their cluster. It also enables better resource management, optimizing backup and restore workflows for improved performance and a more streamlined experience.

1.2.1.3.2. Resolved issues
Copy link

DataProtectionApplicationSpec overflowed annotation limit, causing potential misconfiguration in deployments

Before this update, the DataProtectionApplicationSpec used deprecated PodAnnotations, which led to an annotation limit overflow. This caused potential misconfigurations in deployments. In this release, we have added PodConfig for annotations in pods deployed by the Operator, ensuring consistent annotations and improved manageability for end users. As a result, deployments should now be more reliable and easier to manage.

OADP-6454

Root file system for OADP controller manager is now read-only

Before this update, the manager container of the openshift-adp-controller-manager-* pod was configured to run with a writable root file system. As a consequence, this could allow for tampering with the container’s file system or the writing of foreign executables. With this release, the container’s security context has been updated to set the root file system to read-only while ensuring necessary functions that require write access, such as the Kopia cache, continue to operate correctly. As a result, the container is hardened against potential threats.

nonAdmin.enable: false in multiple DPAs no longer causes reconcile issues

Before this update, when a user attempted to create a second non-admin DataProtectionApplication (DPA) on a cluster where one already existed, the new DPA failed to reconcile. With this release, the restriction on Non-Admin Controller installation to one per cluster has been removed. As a result, users can install multiple Non-Admin Controllers across the cluster without encountering errors.

OADP-6500

OADP supports self-signed certificates

Before this update, using a self-signed certificate for backup images with a storage provider such as Minio resulted in an x509: certificate signed by unknown authority error during the backup process. With this release, certificate validation has been updated to support self-signed certificates in OADP, ensuring successful backups.

OADP-641

velero describe includes defaultVolumesToFsBackup

Before this update, the velero describe output command omitted the defaultVolumesToFsBackup flag. This affected the visibility of backup configuration details for users. With this release, the velero describe output includes the defaultVolumesToFsBackup flag information, improving the visibility of backup settings.

OADP-5762

DPT CR no longer fail when s3Url is secured

Before this update, DataProtectionTest (DPT) failed to run when s3Url was secured due to an unverified certificate because the DPT CR lacked the ability to skip or add the caCert in the spec field. As a consequence, data upload failure occurred due to an unverified certificate. With this release, DPT CR has been updated to accept and skip CA cert in spec field, resolving SSL verification errors. As a result, DPT no longer fails when using secured s3Url.

OADP-6235

Adding a backupLocation to DPA with an existing backupLocation name is not rejected

Before this update, adding a second backupLocation with the same name in DataProtectionApplication (DPA) caused OADP to enter an invalid state, leading to Backup and Restore failures due to Velero’s inability to read Secret credentials. As a consequence, Backup and Restore operations failed. With this release, the duplicate backupLocation names in DPA are no longer allowed, preventing Backup and Restore failures. As a result, duplicate backupLocation names are rejected, ensuring seamless data protection.

OADP-6459

1.2.1.3.3. Known issues
Copy link

The restore fails for backups created on OpenStack using the Cinder CSI driver

When you start a restore operation for a backup that was created on an OpenStack platform using the Cinder Container Storage Interface (CSI) driver, the initial backup only succeeds after the source application is manually scaled down. The restore job fails, preventing you from successfully recovering your application’s data and state from the backup. No known workaround exists.

OADP-5552

Datamover pods scheduled on unexpected nodes during backup if the nodeAgent.loadAffinity parameter has many elements

Due to an issue in Velero 1.14 and later, the OADP node-agent only processes the first nodeSelector element within the loadAffinity array. As a consequence, if you define multiple nodeSelector objects, all objects except the first are ignored, potentially causing datamover pods to be scheduled on unexpected nodes during a backup.

To work around this problem, consolidate all required matchExpressions from multiple nodeSelector objects into the first nodeSelector object. As a result, all node affinity rules are correctly applied, ensuring datamover pods are scheduled to the appropriate nodes.

OADP-6469

OADP Backup fails when using CA certificates with aliased command

The CA certificate is not stored as a file on the running Velero container. As a consequence, the user experience degraded due to missing caCert in Velero container, requiring manual setup and downloads. To work around this problem, manually add cert to the Velero deployment. For instructions, see Using cacert with velero command aliased via velero deployment.

OADP-4668

The nodeSelector spec is not supported for the Data Mover restore action

When a Data Protection Application (DPA) is created with the nodeSelector field set in the nodeAgent parameter, Data Mover restore partially fails instead of completing the restore operation. No known workaround exists.

OADP-4743

Image streams backups are partially failing when the DPA is configured with caCert

An unverified certificate in the S3 connection during backups with caCert in DataProtectionApplication (DPA) causes the ocp-django application’s backup to partially fail and result in data loss. No known workaround exists.

OADP-4817

Kopia does not delete cache on worker node

When the ephemeral-storage parameter is configured and running file system restore, the cache is not automatically deleted from the worker node. As a consequence, the /var partition overflows during backup restore, causing increased storage usage and potential resource exhaustion. To work around this problem, restart the node agent pod, which clears the cache. As a result, cache is deleted.

OADP-4855

Google Cloud VSL backups fail with Workload Identity because of invalid project configuration

When performing a volumeSnapshotLocation (VSL) backup on Google Cloud Workload Identity, the Velero Google Cloud plugin creates an invalid API request if the Google Cloud project is also specified in the snapshotLocations configuration of DataProtectionApplication (DPA). As a consequence, the Google Cloud API returns a RESOURCE_PROJECT_INVALID error, and the backup job finishes with a PartiallyFailed status. No known workaround exists.

OADP-6697

VSL backups fail for CloudStorage API on AWS with STS

The volumeSnapshotLocation (VSL) backup fails because of missing the AZURE_RESOURCE_GROUP parameter in the credentials file, even if AZURE_RESOURCE_GROUP is already mentioned in the DataProtectionApplication (DPA) config for VSL. No known workaround exists.

OADP-6676

Backups of applications with ImageStreams fail on Azure with STS

When backing up applications that include image stream resources on an Azure cluster using STS, the OADP plugin incorrectly attempts to locate a secret-based credential for the container registry. As a consequence, the required secret is not found in the STS environment, causing the ImageStream custom backup action to fail. This results in the overall backup status marked as PartiallyFailed. No known workaround exists.

OADP-6675

DPA reconciliation fails for CloudStorageRef configuration

When a user creates a bucket and uses the backupLocations.bucket.cloudStorageRef configuration, bucket credentials are not present in the DataProtectionApplication (DPA) custom resource (CR). As a result, the DPA reconciliation fails even if bucket credentials are present in the CloudStorage CR. To work around this problem, add the same credentials to the backupLocations section of the DPA CR.

OADP-6669

1.2.1.3.4. Deprecated features
Copy link

The configuration.restic specification field has been deprecated

With OADP 1.5.0, the configuration.restic specification field has been deprecated. Use the nodeAgent section with the uploaderType field for selecting kopia or restic as a uploaderType. Note that Restic is deprecated in OADP 1.5.0.

OADP-5158

1.2.1.4. OADP 1.5.0 release notes
Copy link

The OpenShift API for Data Protection (OADP) 1.5.0 release notes lists resolved issues and known issues.

1.2.1.4.1. New features
Copy link

OADP 1.5.0 introduces a new Self-Service feature

OADP 1.5.0 introduces a new feature named OADP Self-Service, enabling namespace admin users to back up and restore applications on the Red Hat OpenShift Service on AWS. In the earlier versions of OADP, you needed the cluster-admin role to perform OADP operations such as backing up and restoring an application, creating a backup storage location, and so on.

From OADP 1.5.0 onward, you do not need the cluster-admin role to perform the backup and restore operations. You can use OADP with the namespace admin role. The namespace admin role has administrator access only to the namespace the user is assigned to. You can use the Self-Service feature only after the cluster administrator installs the OADP Operator and provides the necessary permissions.

OADP-4001

Collecting logs with the must-gather tool has been improved with a Markdown summary

You can collect logs, and information about OpenShift API for Data Protection (OADP) custom resources by using the must-gather tool. The must-gather data must be attached to all customer cases. This tool generates a Markdown output file with the collected information, which is located in the must-gather logs clusters directory.

OADP-5384

dataMoverPrepareTimeout and resourceTimeout parameters are now added to nodeAgent within the DPA

The nodeAgent field in Data Protection Application (DPA) now includes the following parameters:

  • dataMoverPrepareTimeout: Defines the duration the DataUpload or DataDownload process will wait. The default value is 30 minutes.
  • resourceTimeout: Sets the timeout for resource processes not addressed by other specific timeout parameters. The default value is 10 minutes.

OADP-3736

Use the spec.configuration.nodeAgent parameter in DPA for configuring nodeAgent daemon set

Velero no longer uses the node-agent-config config map for configuring the nodeAgent daemon set. With this update, you must use the new spec.configuration.nodeAgent parameter in a Data Protection Application (DPA) for configuring the nodeAgent daemon set.

OADP-5042

Configuring DPA with the backup repository configuration config map is now possible

With Velero 1.15 and later, you can now configure the total size of a cache per repository. This prevents pods from being removed due to running out of ephemeral storage. See the following new parameters added to the NodeAgentConfig field in DPA:

  • cacheLimitMB: Sets the local data cache size limit in megabytes.

  • fullMaintenanceInterval: The default value is 24 hours. Controls the removal rate of deleted Velero backups from the Kopia repository using the following override options:

    • normalGC: 24 hours
    • fastGC: 12 hours
    • eagerGC: 6 hours

OADP-5900

Enhancing the node-agent security

With this update, the following changes are added:

  • A new configuration option is now added to the velero field in DPA.

  • The default value for the disableFsBackup parameter is false or non-existing. With this update, the following options are added to the SecurityContext field:

    • Privileged: true
    • AllowPrivilegeEscalation: true

  • If you set the disableFsBackup parameter to true, it removes the following mounts from the node-agent:

    • host-pods
    • host-plugins
  • Modifies that the node-agent is always run as a non-root user.
  • Changes the root file system to read only.

  • Updates the following mount points with the write access:

    • /home/velero
    • tmp/credentials
  • Uses the SeccompProfileTypeRuntimeDefault option for the SeccompProfile parameter.

OADP-5031

Adds DPA support for parallel item backup

By default, only one thread processes an item block. Velero 1.16 supports a parallel item backup, where multiple items within a backup can be processed in parallel.

You can use the optional Velero server parameter --item-block-worker-count to run additional worker threads to process items in parallel. To enable this in OADP, set the dpa.Spec.Configuration.Velero.ItemBlockWorkerCount parameter to an integer value greater than zero.

Note

Running multiple full backups in parallel is not yet supported.

OADP-5635

OADP logs are now available in the JSON format

With the of release OADP 1.5.0, the logs are now available in the JSON format. It helps to have pre-parsed data in their Elastic logs management system.

OADP-3391

The oc get dpa command now displays RECONCILED status

With this release, the oc get dpa command now displays RECONCILED status instead of displaying only NAME and AGE to improve user experience. For example: 

$ oc get dpa -n openshift-adp
NAME            RECONCILED   AGE
velero-sample   True         2m51s
Copy to Clipboard Toggle word wrap

OADP-1338

1.2.1.4.2. Resolved issues
Copy link

Containers now use FallbackToLogsOnError for terminationMessagePolicy

With this release, the terminationMessagePolicy field can now set the FallbackToLogsOnError value for the OpenShift API for Data Protection (OADP) Operator containers such as operator-manager, velero, node-agent, and non-admin-controller.

This change ensures that if a container exits with an error and the termination message file is empty, OpenShift uses the last portion of the container logs output as the termination message.

OADP-5183

Namespace admin can now access the application after restore

Previously, the namespace admin could not execute an application after the restore operation with the following errors:

  • exec operation is not allowed because the pod’s security context exceeds your permissions
  • unable to validate against any security context constraint
  • not usable by user or serviceaccount, provider restricted-v2

With this update, this issue is now resolved and the namespace admin can access the application successfully after the restore.

OADP-5611

Specifying status restoration at the individual resource instance level using the annotation is now possible

Previously, status restoration was only configured at the resource type using the restoreStatus field in the Restore custom resource (CR).

With this release, you can now specify the status restoration at the individual resource instance level using the following annotation: 

metadata:
  annotations:
    velero.io/restore-status: "true"
Copy to Clipboard Toggle word wrap

OADP-5968

Restore is now successful with excludedClusterScopedResources

Previously, on performing the backup of an application with the excludedClusterScopedResources field set to storageclasses, Namespace parameter, the backup was successful but the restore partially failed. With this update, the restore is successful.

OADP-5239

Backup is completed even if it gets restarted during the waitingForPluginOperations phase

Previously, a backup was marked as failed with the following error message: 

failureReason: found a backup with status "InProgress" during the server starting,
mark it as "Failed"
Copy to Clipboard Toggle word wrap

With this update, the backup is completed if it gets restarted during the waitingForPluginOperations phase.

OADP-2941

Error messages are now more informative when the` disableFsbackup` parameter is set to true in DPA

Previously, when the spec.configuration.velero.disableFsBackup field from a Data Protection Application (DPA) was set to true, the backup partially failed with an error, which was not informative.

This update makes error messages more useful for troubleshooting issues. For example, error messages indicating that disableFsBackup: true is the issue in a DPA or not having access to a DPA if it is for non-administrator users.

OADP-5952

Handles AWS STS credentials in the parseAWSSecret

Previously, AWS credentials using STS authentication were not properly validated.

With this update, the parseAWSSecret function detects STS-specific fields, and updates the ensureSecretDataExists function to handle STS profiles correctly.

OADP-6105

The repositoryMaintenance job affinity config is available to configure

Previously, the new configurations for repository maintenance job pod affinity was missing from a DPA specification.

With this update, the repositoryMaintenance job affinity config is now available to map a BackupRepository identifier to its configuration.

OADP-6134

The ValidationErrors field fades away once the CR specification is correct

Previously, when a schedule CR was created with a wrong spec.schedule value and the same was later patched with a correct value, the ValidationErrors field still existed. Consequently, the ValidationErrors field was displaying incorrect information even though the spec was correct.

With this update, the ValidationErrors field fades away once the CR specification is correct.

OADP-5419

The volumeSnapshotContents custom resources are restored when the includedNamesapces field is used in restoreSpec

Previously, when a restore operation was triggered with the includedNamespace field in a restore specification, restore operation was completed successfully but no volumeSnapshotContents custom resources (CR) were created and the PVCs were in a Pending status.

With this update, volumeSnapshotContents CR are restored even when the includedNamesapces field is used in restoreSpec. As a result, an application pod is in a Running state after restore.

OADP-5939

OADP operator successfully creates bucket on top of AWS

Previously, the container was configured with the readOnlyRootFilesystem: true setting for security, but the code attempted to create temporary files in the /tmp directory using the os.CreateTemp() function. Consequently, while using the AWS STS authentication with the Cloud Credential Operator (CCO) flow, OADP failed to create temporary files that were required for AWS credential handling with the following error: 

ERROR unable to determine if bucket exists. {"error": "open /tmp/aws-shared-credentials1211864681: read-only file system"}
Copy to Clipboard Toggle word wrap

With this update, the following changes are added to address this issue:

  • A new emptyDir volume named tmp-dir to the controller pod specification.
  • A volume mount to the container, which mounts this volume to the /tmp directory.
  • For security best practices, the readOnlyRootFilesystem: true is maintained.
  • Replaced the deprecated ioutil.TempFile() function with the recommended os.CreateTemp() function.
  • Removed the unnecessary io/ioutil import, which is no longer needed.

OADP-6019

For a complete list of all issues resolved in this release, see the list of OADP 1.5.0 resolved issues in Jira.

1.2.1.4.3. Known issues
Copy link

Kopia does not delete all the artifacts after backup expiration

Even after deleting a backup, Kopia does not delete the volume artifacts from the ${bucket_name}/kopia/$openshift-adp on the S3 location after the backup expired. Information related to the expired and removed data files remains in the metadata. To ensure that OpenShift API for Data Protection (OADP) functions properly, the data is not deleted, and it exists in the /kopia/ directory, for example:

  • kopia.repository: Main repository format information such as encryption, version, and other details.
  • kopia.blobcfg: Configuration for how data blobs are named.
  • kopia.maintenance: Tracks maintenance owner, schedule, and last successful build.
  • log: Log blobs.

OADP-5131

For a complete list of all known issues in this release, see the list of OADP 1.5.0 known issues in Jira.

1.2.1.4.4. Deprecated features
Copy link

The configuration.restic specification field has been deprecated

With OpenShift API for Data Protection (OADP) 1.5.0, the configuration.restic specification field has been deprecated. Use the nodeAgent section with the uploaderType field for selecting kopia or restic as a uploaderType. Note that, Restic is deprecated in OpenShift API for Data Protection (OADP) 1.5.0.

OADP-5158

1.2.1.4.5. Technology Preview
Copy link

Support for HyperShift hosted OpenShift clusters is available as a Technology Preview

OADP can support and facilitate application migrations within HyperShift hosted OpenShift clusters as a Technology Preview. It ensures a seamless backup and restore operation for applications in hosted clusters.

For more information about the support scope of Red Hat Technology Preview features, see Technology Preview Features Support Scope.

OADP-3930

1.2.1.5. Upgrading OADP 1.4 to 1.5
Copy link
Note

Always upgrade to the next minor version. Do not skip versions. To update to a later version, upgrade only one channel at a time. For example, to upgrade from OADP 1.1 to 1.3, upgrade first to 1.2, and then to 1.3.

1.2.1.5.1. Changes from OADP 1.4 to 1.5
Copy link

The Velero server has been updated from version 1.14 to 1.16.

This changes the following:

Version Support changes
OpenShift API for Data Protection implements a streamlined version support policy. Red Hat supports only one version of OpenShift API for Data Protection (OADP) on one OpenShift version to ensure better stability and maintainability. OADP 1.5.0 is only supported on OpenShift 4.19 version.
OADP Self-Service

OADP 1.5.0 introduces a new feature named OADP Self-Service, enabling namespace admin users to back up and restore applications on the Red Hat OpenShift Service on AWS. In the earlier versions of OADP, you needed the cluster-admin role to perform OADP operations such as backing up and restoring an application, creating a backup storage location, and so on.

From OADP 1.5.0 onward, you do not need the cluster-admin role to perform the backup and restore operations. You can use OADP with the namespace admin role. The namespace admin role has administrator access only to the namespace the user is assigned to. You can use the Self-Service feature only after the cluster administrator installs the OADP Operator and provides the necessary permissions.

backupPVC and restorePVC configurations

A backupPVC resource is an intermediate persistent volume claim (PVC) to access data during the data movement backup operation. You create a readonly backup PVC by using the nodeAgent.backupPVC section of the DataProtectionApplication (DPA) custom resource.

A restorePVC resource is an intermediate PVC that is used to write data during the Data Mover restore operation.

You can configure restorePVC in the DPA by using the ignoreDelayBinding field.

1.2.1.5.2. Backing up the DPA configuration
Copy link

You must back up your current DataProtectionApplication (DPA) configuration.

Procedure

  • Save your current DPA configuration by running the following command:

    Example command

    $ oc get dpa -n openshift-adp -o yaml > dpa.orig.backup
    Copy to Clipboard Toggle word wrap

1.2.1.5.3. Upgrading the OADP Operator
Copy link

You can upgrade the OpenShift API for Data Protection (OADP) Operator using the following procedure.

Note

Do not install OADP 1.5.0 on a OpenShift 4.18 cluster.

Prerequisites

  • You have installed the latest OADP 1.4.6.
  • You have backed up your data.

Procedure

  1. Upgrade OpenShift 4.18 to OpenShift 4.19.

    Note

    OpenShift API for Data Protection (OADP) 1.4 is not supported on OpenShift 4.19.

  2. Change your subscription channel for the OADP Operator from stable-1.4 to stable.
  3. Wait for the Operator and containers to update and restart.

The OpenShift API for Data Protection (OADP) 1.4 is not supported on OpenShift 4.19. You can convert Data Protection Application (DPA) to the new OADP 1.5 version by using the new spec.configuration.nodeAgent field and its sub-fields.

Procedure

  1. To configure nodeAgent daemon set, use the spec.configuration.nodeAgent parameter in DPA. See the following example:

    Example DataProtectionApplication configuration

    ...
 spec:
   configuration:
     nodeAgent:
       enable: true
       uploaderType: kopia
...
    Copy to Clipboard Toggle word wrap

  2. To configure nodeAgent daemon set by using the ConfigMap resource named node-agent-config, see the following example configuration:

    Example config map

    ...
 spec:
   configuration:
     nodeAgent:
       backupPVC:
         ...
       loadConcurrency:
         ...
       podResources:
         ...
       restorePVC:
        ...
...
    Copy to Clipboard Toggle word wrap

1.2.1.5.5. Verifying the upgrade
Copy link

You can verify the OpenShift API for Data Protection (OADP) upgrade by using the following procedure.

Procedure

  1. Verify that the DataProtectionApplication (DPA) has been reconciled successfully: 

    $ oc get dpa dpa-sample -n openshift-adp
    Copy to Clipboard Toggle word wrap

    Example output

    NAME            RECONCILED   AGE
dpa-sample      True         2m51s
    Copy to Clipboard Toggle word wrap

    Note

    The RECONCILED column must be True.

  2. Verify that the installation finished by viewing the OADP resources by running the following command: 

    $ oc get all -n openshift-adp
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                                                    READY   STATUS    RESTARTS   AGE
pod/node-agent-9pjz9                                    1/1     Running   0          3d17h
pod/node-agent-fmn84                                    1/1     Running   0          3d17h
pod/node-agent-xw2dg                                    1/1     Running   0          3d17h
pod/openshift-adp-controller-manager-76b8bc8d7b-kgkcw   1/1     Running   0          3d17h
pod/velero-64475b8c5b-nh2qc                             1/1     Running   0          3d17h

NAME                                                       TYPE        CLUSTER-IP       EXTERNAL-IP   PORT(S)    AGE
service/openshift-adp-controller-manager-metrics-service   ClusterIP   172.30.194.192   <none>        8443/TCP   3d17h
service/openshift-adp-velero-metrics-svc                   ClusterIP   172.30.190.174   <none>        8085/TCP   3d17h

NAME                        DESIRED   CURRENT   READY   UP-TO-DATE   AVAILABLE   NODE SELECTOR   AGE
daemonset.apps/node-agent   3         3         3       3            3           <none>          3d17h

NAME                                               READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/openshift-adp-controller-manager   1/1     1            1           3d17h
deployment.apps/velero                             1/1     1            1           3d17h

NAME                                                          DESIRED   CURRENT   READY   AGE
replicaset.apps/openshift-adp-controller-manager-76b8bc8d7b   1         1         1       3d17h
replicaset.apps/openshift-adp-controller-manager-85fff975b8   0         0         0       3d17h
replicaset.apps/velero-64475b8c5b                             1         1         1       3d17h
replicaset.apps/velero-8b5bc54fd                              0         0         0       3d17h
replicaset.apps/velero-f5c9ffb66                              0         0         0       3d17h
    Copy to Clipboard Toggle word wrap

    Note

    The node-agent pods are created only while using restic or kopia in DataProtectionApplication (DPA). In OADP 1.4.0 and OADP 1.3.0 version, the node-agent pods are labeled as restic.

  3. Verify the backup storage location and confirm that the PHASE is Available by running the following command: 

    $ oc get backupstoragelocations.velero.io -n openshift-adp
    Copy to Clipboard Toggle word wrap

    Example output

    NAME           PHASE       LAST VALIDATED   AGE     DEFAULT
dpa-sample-1   Available   1s               3d16h   true
    Copy to Clipboard Toggle word wrap

1.3. OADP performance
Copy link

1.4. OADP features and plugins
Copy link

OpenShift API for Data Protection (OADP) features provide options for backing up and restoring applications.

The default plugins enable Velero to integrate with certain cloud providers and to back up and restore Red Hat OpenShift Service on AWS resources.

1.4.1. OADP features
Copy link

OpenShift API for Data Protection (OADP) supports the following features:

Backup

You can use OADP to back up all applications on the OpenShift Platform, or you can filter the resources by type, namespace, or label.

OADP backs up Kubernetes objects and internal images by saving them as an archive file on object storage. OADP backs up persistent volumes (PVs) by creating snapshots with the native cloud snapshot API or with the Container Storage Interface (CSI). For cloud providers that do not support snapshots, OADP backs up resources and PV data with Restic.

Note

You must exclude Operators from the backup of an application for backup and restore to succeed.

Restore

You can restore resources and PVs from a backup. You can restore all objects in a backup or filter the objects by namespace, PV, or label.

Note

You must exclude Operators from the backup of an application for backup and restore to succeed.

Schedule
You can schedule backups at specified intervals.
Hooks
You can use hooks to run commands in a container on a pod, for example, fsfreeze to freeze a file system. You can configure a hook to run before or after a backup or restore. Restore hooks can run in an init container or in the application container.

1.4.2. OADP plugins
Copy link

The OpenShift API for Data Protection (OADP) provides default Velero plugins that are integrated with storage providers to support backup and snapshot operations. You can create custom plugins based on the Velero plugins.

OADP also provides plugins for Red Hat OpenShift Service on AWS resource backups, OpenShift Virtualization resource backups, and Container Storage Interface (CSI) snapshots.

Expand
Table 1.3. OADP plugins
OADP pluginFunctionStorage location

aws

Backs up and restores Kubernetes objects.

AWS S3

Backs up and restores volumes with snapshots.

AWS EBS

openshift

Backs up and restores Red Hat OpenShift Service on AWS resources. [1]

Object store

kubevirt

Backs up and restores OpenShift Virtualization resources. [2]

Object store

csi

Backs up and restores volumes with CSI snapshots. [3]

Cloud storage that supports CSI snapshots

hypershift

Backs up and restores HyperShift hosted cluster resources. [4]

Object store

  1. Mandatory.
  2. Virtual machine disks are backed up with CSI snapshots or Restic.

  3. The csi plugin uses the Kubernetes CSI snapshot API.

    • OADP 1.1 or later uses snapshot.storage.k8s.io/v1
    • OADP 1.0 uses snapshot.storage.k8s.io/v1beta1
  4. Do not add the hypershift plugin in the DataProtectionApplication custom resource if the cluster is not a HyperShift hosted cluster.

1.4.3. About OADP Velero plugins
Copy link

You can configure two types of plugins when you install Velero:

  • Default cloud provider plugins
  • Custom plugins

Both types of plugin are optional, but most users configure at least one cloud provider plugin.

1.4.3.1. Default Velero cloud provider plugins
Copy link

You can install any of the following default Velero cloud provider plugins when you configure the oadp_v1alpha1_dpa.yaml file during deployment:

  • aws (Amazon Web Services)
  • openshift (OpenShift Velero plugin)
  • csi (Container Storage Interface)
  • kubevirt (KubeVirt)

You specify the desired default plugins in the oadp_v1alpha1_dpa.yaml file during deployment.

Example file

The following .yaml file installs the openshift, aws, azure, and gcp plugins: 

 apiVersion: oadp.openshift.io/v1alpha1
 kind: DataProtectionApplication
 metadata:
   name: dpa-sample
 spec:
   configuration:
     velero:
       defaultPlugins:
       - openshift
       - aws
       - azure
       - gcp
Copy to Clipboard Toggle word wrap
1.4.3.2. Custom Velero plugins
Copy link

You can install a custom Velero plugin by specifying the plugin image and name when you configure the oadp_v1alpha1_dpa.yaml file during deployment.

You specify the desired custom plugins in the oadp_v1alpha1_dpa.yaml file during deployment.

Example file

The following .yaml file installs the default openshift, azure, and gcp plugins and a custom plugin that has the name custom-plugin-example and the image quay.io/example-repo/custom-velero-plugin: 

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
 name: dpa-sample
spec:
 configuration:
   velero:
     defaultPlugins:
     - openshift
     - azure
     - gcp
     customPlugins:
     - name: custom-plugin-example
       image: quay.io/example-repo/custom-velero-plugin
Copy to Clipboard Toggle word wrap

1.4.4. OADP and FIPS
Copy link

Federal Information Processing Standards (FIPS) are a set of computer security standards developed by the United States federal government in line with the Federal Information Security Management Act (FISMA).

OpenShift API for Data Protection (OADP) has been tested and works on FIPS-enabled Red Hat OpenShift Service on AWS clusters.

1.4.5. Avoiding the Velero plugin panic error
Copy link

A missing secret can cause a panic error for the Velero plugin during image stream backups.

When the backup and the Backup Storage Location (BSL) are managed outside the scope of the Data Protection Application (DPA), the OADP controller does not create the relevant oadp-<bsl_name>-<bsl_provider>-registry-secret parameter.

During the backup operation, the OpenShift Velero plugin panics on the imagestream backup, with the following panic error: 

024-02-27T10:46:50.028951744Z time="2024-02-27T10:46:50Z" level=error msg="Error backing up item"
backup=openshift-adp/<backup name> error="error executing custom action (groupResource=imagestreams.image.openshift.io,
namespace=<BSL Name>, name=postgres): rpc error: code = Aborted desc = plugin panicked:
runtime error: index out of range with length 1, stack trace: goroutine 94…
Copy to Clipboard Toggle word wrap

Use the following workaround to avoid the Velero plugin panic error.

Procedure

  1. Label the custom BSL with the relevant label by using the following command: 

    $ oc label backupstoragelocations.velero.io <bsl_name> app.kubernetes.io/component=bsl
    Copy to Clipboard Toggle word wrap

  2. After the BSL is labeled, wait until the DPA reconciles.

    Note

    You can force the reconciliation by making any minor change to the DPA itself.

Verification

  • After the DPA is reconciled, confirm that the parameter has been created and that the correct registry data has been populated into it by entering the following command: 

    $ oc -n openshift-adp get secret/oadp-<bsl_name>-<bsl_provider>-registry-secret -o json | jq -r '.data'
    Copy to Clipboard Toggle word wrap

If you configure a Data Protection Application (DPA) with both cloudstorage and restic enabled, the openshift-adp-controller-manager pod crashes and restarts indefinitely until the pod fails with a crash loop segmentation fault.

Define either velero or cloudstorage when you configure a DPA. Otherwise, the openshift-adp-controller-manager pod fails with a crash loop segmentation fault due to the following settings:

  • If you define both velero and cloudstorage, the openshift-adp-controller-manager fails.
  • If you do not define both velero and cloudstorage, the openshift-adp-controller-manager fails.

For more information about this issue, see OADP-1054.

1.5. OADP use cases
Copy link

To back up and restore workloads on ROSA, you can use OADP. You can create a backup of a workload, restore it from the backup, and verify the restoration. You can also clean up the OADP Operator, backup storage, and AWS resources when they are no longer needed.

The following example hello-world application has no persistent volumes (PVs) attached. Perform a backup by using OpenShift API for Data Protection (OADP) with Red Hat OpenShift Service on AWS.

Either Data Protection Application (DPA) configuration will work.

Procedure

  1. Create a workload to back up by running the following commands: 

    $ oc create namespace hello-world
    Copy to Clipboard Toggle word wrap 
    $ oc new-app -n hello-world --image=docker.io/openshift/hello-openshift
    Copy to Clipboard Toggle word wrap

  2. Expose the route by running the following command: 

    $ oc expose service/hello-openshift -n hello-world
    Copy to Clipboard Toggle word wrap

  3. Check that the application is working by running the following command: 

    $ curl `oc get route/hello-openshift -n hello-world -o jsonpath='{.spec.host}'`
    Copy to Clipboard Toggle word wrap

    You should see an output similar to the following example: 

    Hello OpenShift!
    Copy to Clipboard Toggle word wrap

  4. Back up the workload by running the following command: 

    $ cat << EOF | oc create -f -
  apiVersion: velero.io/v1
  kind: Backup
  metadata:
    name: hello-world
    namespace: openshift-adp
  spec:
    includedNamespaces:
    - hello-world
    storageLocation: ${CLUSTER_NAME}-dpa-1
    ttl: 720h0m0s
EOF
    Copy to Clipboard Toggle word wrap

  5. Wait until the backup is complete, and then run the following command: 

    $ watch "oc -n openshift-adp get backup hello-world -o json | jq .status"
    Copy to Clipboard Toggle word wrap

    You should see an output similar to the following example: 

    {
  "completionTimestamp": "2022-09-07T22:20:44Z",
  "expiration": "2022-10-07T22:20:22Z",
  "formatVersion": "1.1.0",
  "phase": "Completed",
  "progress": {
    "itemsBackedUp": 58,
    "totalItems": 58
  },
  "startTimestamp": "2022-09-07T22:20:22Z",
  "version": 1
}
    Copy to Clipboard Toggle word wrap

  6. Delete the demo workload by running the following command: 

    $ oc delete ns hello-world
    Copy to Clipboard Toggle word wrap

  7. Restore the workload from the backup by running the following command: 

    $ cat << EOF | oc create -f -
  apiVersion: velero.io/v1
  kind: Restore
  metadata:
    name: hello-world
    namespace: openshift-adp
  spec:
    backupName: hello-world
EOF
    Copy to Clipboard Toggle word wrap

  8. Wait for the Restore to finish by running the following command: 

    $ watch "oc -n openshift-adp get restore hello-world -o json | jq .status"
    Copy to Clipboard Toggle word wrap

    You should see an output similar to the following example: 

    {
  "completionTimestamp": "2022-09-07T22:25:47Z",
  "phase": "Completed",
  "progress": {
    "itemsRestored": 38,
    "totalItems": 38
  },
  "startTimestamp": "2022-09-07T22:25:28Z",
  "warnings": 9
}
    Copy to Clipboard Toggle word wrap

  9. Check that the workload is restored by running the following command: 

    $ oc -n hello-world get pods
    Copy to Clipboard Toggle word wrap

    You should see an output similar to the following example: 

    NAME                              READY   STATUS    RESTARTS   AGE
hello-openshift-9f885f7c6-kdjpj   1/1     Running   0          90s
    Copy to Clipboard Toggle word wrap

  10. Check the JSONPath by running the following command: 

    $ curl `oc get route/hello-openshift -n hello-world -o jsonpath='{.spec.host}'`
    Copy to Clipboard Toggle word wrap

    You should see an output similar to the following example: 

    Hello OpenShift!
    Copy to Clipboard Toggle word wrap
Note

For troubleshooting tips, see the troubleshooting documentation.

If you need to uninstall the OpenShift API for Data Protection (OADP) Operator together with the backups and the S3 bucket from this example, follow these instructions.

Procedure

  1. Delete the workload by running the following command: 

    $ oc delete ns hello-world
    Copy to Clipboard Toggle word wrap

  2. Delete the Data Protection Application (DPA) by running the following command: 

    $ oc -n openshift-adp delete dpa ${CLUSTER_NAME}-dpa
    Copy to Clipboard Toggle word wrap

  3. Delete the cloud storage by running the following command: 

    $ oc -n openshift-adp delete cloudstorage ${CLUSTER_NAME}-oadp
    Copy to Clipboard Toggle word wrap
    Warning

    If this command hangs, you might need to delete the finalizer by running the following command: 

    $ oc -n openshift-adp patch cloudstorage ${CLUSTER_NAME}-oadp -p '{"metadata":{"finalizers":null}}' --type=merge
    Copy to Clipboard Toggle word wrap

  4. If the Operator is no longer required, remove it by running the following command: 

    $ oc -n openshift-adp delete subscription oadp-operator
    Copy to Clipboard Toggle word wrap

  5. Remove the namespace from the Operator: 

    $ oc delete ns openshift-adp
    Copy to Clipboard Toggle word wrap

  6. If the backup and restore resources are no longer required, remove them from the cluster by running the following command: 

    $ oc delete backups.velero.io hello-world
    Copy to Clipboard Toggle word wrap

  7. To delete backup, restore and remote objects in AWS S3 run the following command: 

    $ velero backup delete hello-world
    Copy to Clipboard Toggle word wrap

  8. If you no longer need the Custom Resource Definitions (CRD), remove them from the cluster by running the following command: 

    $ for CRD in `oc get crds | grep velero | awk '{print $1}'`; do oc delete crd $CRD; done
    Copy to Clipboard Toggle word wrap

  9. Delete the AWS S3 bucket by running the following commands: 

    $ aws s3 rm s3://${CLUSTER_NAME}-oadp --recursive
    Copy to Clipboard Toggle word wrap 
    $ aws s3api delete-bucket --bucket ${CLUSTER_NAME}-oadp
    Copy to Clipboard Toggle word wrap

  10. Detach the policy from the role by running the following command: 

    $ aws iam detach-role-policy --role-name "${ROLE_NAME}"  --policy-arn "${POLICY_ARN}"
    Copy to Clipboard Toggle word wrap

  11. Delete the role by running the following command: 

    $ aws iam delete-role --role-name "${ROLE_NAME}"
    Copy to Clipboard Toggle word wrap

Following is a use case for using OADP and ODF to back up an application.

In this use case, you back up an application by using OADP and store the backup in an object storage provided by Red Hat OpenShift Data Foundation (ODF).

  • You create an object bucket claim (OBC) to configure the backup storage location. You use ODF to configure an Amazon S3-compatible object storage bucket. ODF provides MultiCloud Object Gateway (NooBaa MCG) and Ceph Object Gateway, also known as RADOS Gateway (RGW), object storage service. In this use case, you use NooBaa MCG as the backup storage location.
  • You use the NooBaa MCG service with OADP by using the aws provider plugin.
  • You configure the Data Protection Application (DPA) with the backup storage location (BSL).
  • You create a backup custom resource (CR) and specify the application namespace to back up.
  • You create and verify the backup.

Prerequisites

  • You installed the OADP Operator.
  • You installed the ODF Operator.
  • You have an application with a database running in a separate namespace.

Procedure

  1. Create an OBC manifest file to request a NooBaa MCG bucket as shown in the following example: 

    apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: test-obc
  namespace: openshift-adp
spec:
  storageClassName: openshift-storage.noobaa.io
  generateBucketName: test-backup-bucket
    Copy to Clipboard Toggle word wrap

    where:

    test-obc
    Specifies the name of the object bucket claim.
    test-backup-bucket
    Specifies the name of the bucket.

  2. Create the OBC by running the following command: 

    $ oc create -f <obc_file_name>
    Copy to Clipboard Toggle word wrap

    where:

    <obc_file_name>
    Specifies the file name of the object bucket claim manifest.

  3. When you create an OBC, ODF creates a secret and a config map with the same name as the object bucket claim. The secret has the bucket credentials, and the config map has information to access the bucket. To get the bucket name and bucket host from the generated config map, run the following command: 

    $ oc extract --to=- cm/test-obc
    Copy to Clipboard Toggle word wrap

    test-obc is the name of the OBC.

    Example output

    # BUCKET_NAME
backup-c20...41fd
# BUCKET_PORT
443
# BUCKET_REGION

# BUCKET_SUBREGION

# BUCKET_HOST
s3.openshift-storage.svc
    Copy to Clipboard Toggle word wrap

  4. To get the bucket credentials from the generated secret, run the following command: 

    $ oc extract --to=- secret/test-obc
    Copy to Clipboard Toggle word wrap

    Example output

    # AWS_ACCESS_KEY_ID
ebYR....xLNMc
# AWS_SECRET_ACCESS_KEY
YXf...+NaCkdyC3QPym
    Copy to Clipboard Toggle word wrap

  5. Get the public URL for the S3 endpoint from the s3 route in the openshift-storage namespace by running the following command: 

    $ oc get route s3 -n openshift-storage
    Copy to Clipboard Toggle word wrap

  6. Create a cloud-credentials file with the object bucket credentials as shown in the following command: 

    [default]
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
    Copy to Clipboard Toggle word wrap

  7. Create the cloud-credentials secret with the cloud-credentials file content as shown in the following command: 

    $ oc create secret generic \
  cloud-credentials \
  -n openshift-adp \
  --from-file cloud=cloud-credentials
    Copy to Clipboard Toggle word wrap

  8. Configure the Data Protection Application (DPA) as shown in the following example: 

    apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: oadp-backup
  namespace: openshift-adp
spec:
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      defaultPlugins:
        - aws
        - openshift
        - csi
      defaultSnapshotMoveData: true
  backupLocations:
    - velero:
        config:
          profile: "default"
          region: noobaa
          s3Url: https://s3.openshift-storage.svc
          s3ForcePathStyle: "true"
          insecureSkipTLSVerify: "true"
        provider: aws
        default: true
        credential:
          key: cloud
          name:  cloud-credentials
        objectStorage:
          bucket: <bucket_name>
          prefix: oadp
    Copy to Clipboard Toggle word wrap

    where:

    defaultSnapshotMoveData
    Set to true to use the OADP Data Mover to enable movement of Container Storage Interface (CSI) snapshots to a remote object storage.
    s3Url
    Specifies the S3 URL of ODF storage.
    <bucket_name>
    Specifies the bucket name.

  9. Create the DPA by running the following command: 

    $ oc apply -f <dpa_filename>
    Copy to Clipboard Toggle word wrap

  10. Verify that the DPA is created successfully by running the following command. In the example output, you can see the status object has type field set to Reconciled. This means, the DPA is successfully created. 

    $ oc get dpa -o yaml
    Copy to Clipboard Toggle word wrap

    Example output

    apiVersion: v1
items:
- apiVersion: oadp.openshift.io/v1alpha1
  kind: DataProtectionApplication
  metadata:
    namespace: openshift-adp
    #...#
  spec:
    backupLocations:
    - velero:
        config:
          #...#
  status:
    conditions:
    - lastTransitionTime: "20....9:54:02Z"
      message: Reconcile complete
      reason: Complete
      status: "True"
      type: Reconciled
kind: List
metadata:
  resourceVersion: ""
    Copy to Clipboard Toggle word wrap

  11. Verify that the backup storage location (BSL) is available by running the following command: 

    $ oc get backupstoragelocations.velero.io -n openshift-adp
    Copy to Clipboard Toggle word wrap

    Example output

    NAME           PHASE       LAST VALIDATED   AGE   DEFAULT
dpa-sample-1   Available   3s               15s   true
    Copy to Clipboard Toggle word wrap

  12. Configure a backup CR as shown in the following example: 

    apiVersion: velero.io/v1
kind: Backup
metadata:
  name: test-backup
  namespace: openshift-adp
spec:
  includedNamespaces:
  - <application_namespace>
    Copy to Clipboard Toggle word wrap

    where:

    <application_namespace>
    Specifies the namespace for the application to back up.

  13. Create the backup CR by running the following command: 

    $ oc apply -f <backup_cr_filename>
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the backup object is in the Completed phase by running the following command. For more details, see the example output. 

    $ oc describe backup test-backup -n openshift-adp
    Copy to Clipboard Toggle word wrap

    Example output

    Name:         test-backup
Namespace:    openshift-adp
# ....#
Status:
  Backup Item Operations Attempted:  1
  Backup Item Operations Completed:  1
  Completion Timestamp:              2024-09-25T10:17:01Z
  Expiration:                        2024-10-25T10:16:31Z
  Format Version:                    1.1.0
  Hook Status:
  Phase:  Completed
  Progress:
    Items Backed Up:  34
    Total Items:      34
  Start Timestamp:    2024-09-25T10:16:31Z
  Version:            1
Events:               <none>
    Copy to Clipboard Toggle word wrap

Following is a use case for using OADP to restore a backup to a different namespace.

Restore a backup of an application by using OADP to a new target namespace, test-restore-application. To restore a backup, you create a restore custom resource (CR) as shown in the following example. In the restore CR, the source namespace refers to the application namespace that you included in the backup. You then verify the restore by changing your project to the new restored namespace and verifying the resources.

Prerequisites

  • You installed the OADP Operator.
  • You have the backup of an application to be restored.

Procedure

  1. Create a restore CR as shown in the following example: 

    apiVersion: velero.io/v1
kind: Restore
metadata:
  name: test-restore
  namespace: openshift-adp
spec:
  backupName: <backup_name>
  restorePVs: true
  namespaceMapping:
    <application_namespace>: test-restore-application
    Copy to Clipboard Toggle word wrap

    where:

    test-restore
    Specifies the name of the restore CR.
    <backup_name>
    Specifies the name of the backup.
    <application_namespace>
    Specifies the target namespace to restore to. namespaceMapping maps the source application namespace to the target application namespace. test-restore-application is the name of target namespace where you want to restore the backup.

  2. Apply the restore CR by running the following command: 

    $ oc apply -f <restore_cr_filename>
    Copy to Clipboard Toggle word wrap

Verification

  1. Verify that the restore is in the Completed phase by running the following command: 

    $ oc describe restores.velero.io <restore_name> -n openshift-adp
    Copy to Clipboard Toggle word wrap

  2. Change to the restored namespace test-restore-application by running the following command: 

    $ oc project test-restore-application
    Copy to Clipboard Toggle word wrap

  3. Verify the restored resources such as persistent volume claim (pvc), service (svc), deployment, secret, and config map by running the following command: 

    $ oc get pvc,svc,deployment,secret,configmap
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                          STATUS   VOLUME
persistentvolumeclaim/mysql   Bound    pvc-9b3583db-...-14b86

NAME               TYPE        CLUSTER-IP     EXTERNAL-IP   PORT(S)    AGE
service/mysql      ClusterIP   172....157     <none>        3306/TCP   2m56s
service/todolist   ClusterIP   172.....15     <none>        8000/TCP   2m56s

NAME                    READY   UP-TO-DATE   AVAILABLE   AGE
deployment.apps/mysql   0/1     1            0           2m55s

NAME                                         TYPE                      DATA   AGE
secret/builder-dockercfg-6bfmd               kubernetes.io/dockercfg   1      2m57s
secret/default-dockercfg-hz9kz               kubernetes.io/dockercfg   1      2m57s
secret/deployer-dockercfg-86cvd              kubernetes.io/dockercfg   1      2m57s
secret/mysql-persistent-sa-dockercfg-rgp9b   kubernetes.io/dockercfg   1      2m57s

NAME                                 DATA   AGE
configmap/kube-root-ca.crt           1      2m57s
configmap/openshift-service-ca.crt   1      2m57s
    Copy to Clipboard Toggle word wrap

You can include a self-signed Certificate Authority (CA) certificate in the Data Protection Application (DPA) and then back up an application. You store the backup in a NooBaa bucket provided by Red Hat OpenShift Data Foundation (ODF).

The s3.openshift-storage.svc service, provided by ODF, uses a Transport Layer Security protocol (TLS) certificate that is signed with the self-signed service CA.

To prevent a certificate signed by unknown authority error, you must include a self-signed CA certificate in the backup storage location (BSL) section of DataProtectionApplication custom resource (CR). For this situation, you must complete the following tasks:

  • Request a NooBaa bucket by creating an object bucket claim (OBC).
  • Extract the bucket details.
  • Include a self-signed CA certificate in the DataProtectionApplication CR.
  • Back up an application.

Prerequisites

  • You installed the OADP Operator.
  • You installed the ODF Operator.
  • You have an application with a database running in a separate namespace.

Procedure

  1. Create an OBC manifest to request a NooBaa bucket as shown in the following example: 

    apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: test-obc
  namespace: openshift-adp
spec:
  storageClassName: openshift-storage.noobaa.io
  generateBucketName: test-backup-bucket
    Copy to Clipboard Toggle word wrap

    where:

    test-obc
    Specifies the name of the object bucket claim.
    test-backup-bucket
    Specifies the name of the bucket.

  2. Create the OBC by running the following command: 

    $ oc create -f <obc_file_name>
    Copy to Clipboard Toggle word wrap

  3. When you create an OBC, ODF creates a secret and a ConfigMap with the same name as the object bucket claim. The secret object contains the bucket credentials, and the ConfigMap object contains information to access the bucket. To get the bucket name and bucket host from the generated config map, run the following command: 

    $ oc extract --to=- cm/test-obc
    Copy to Clipboard Toggle word wrap

    test-obc is the name of the OBC.

    Example output

    # BUCKET_NAME
backup-c20...41fd
# BUCKET_PORT
443
# BUCKET_REGION

# BUCKET_SUBREGION

# BUCKET_HOST
s3.openshift-storage.svc
    Copy to Clipboard Toggle word wrap

  4. To get the bucket credentials from the secret object, run the following command: 

    $ oc extract --to=- secret/test-obc
    Copy to Clipboard Toggle word wrap

    Example output

    # AWS_ACCESS_KEY_ID
ebYR....xLNMc
# AWS_SECRET_ACCESS_KEY
YXf...+NaCkdyC3QPym
    Copy to Clipboard Toggle word wrap

  5. Create a cloud-credentials file with the object bucket credentials by using the following example configuration: 

    [default]
aws_access_key_id=<AWS_ACCESS_KEY_ID>
aws_secret_access_key=<AWS_SECRET_ACCESS_KEY>
    Copy to Clipboard Toggle word wrap

  6. Create the cloud-credentials secret with the cloud-credentials file content by running the following command: 

    $ oc create secret generic \
  cloud-credentials \
  -n openshift-adp \
  --from-file cloud=cloud-credentials
    Copy to Clipboard Toggle word wrap

  7. Extract the service CA certificate from the openshift-service-ca.crt config map by running the following command. Ensure that you encode the certificate in Base64 format and note the value to use in the next step. 

    $ oc get cm/openshift-service-ca.crt \
  -o jsonpath='{.data.service-ca\.crt}' | base64 -w0; echo
    Copy to Clipboard Toggle word wrap

    Example output

    LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0...
....gpwOHMwaG9CRmk5a3....FLS0tLS0K
    Copy to Clipboard Toggle word wrap

  8. Configure the DataProtectionApplication CR manifest file with the bucket name and CA certificate as shown in the following example: 

    apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: oadp-backup
  namespace: openshift-adp
spec:
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      defaultPlugins:
        - aws
        - openshift
        - csi
      defaultSnapshotMoveData: true
  backupLocations:
    - velero:
        config:
          profile: "default"
          region: noobaa
          s3Url: https://s3.openshift-storage.svc
          s3ForcePathStyle: "true"
          insecureSkipTLSVerify: "false"
        provider: aws
        default: true
        credential:
          key: cloud
          name:  cloud-credentials
        objectStorage:
          bucket: <bucket_name>
          prefix: oadp
          caCert: <ca_cert>
    Copy to Clipboard Toggle word wrap

    where:

    insecureSkipTLSVerify
    Specifies whether SSL/TLS security is enabled. If set to true, SSL/TLS security is disabled. If set to false, SSL/TLS security is enabled.
    <bucket_name>
    Specifies the name of the bucket extracted in an earlier step.
    <ca_cert>
    Specifies the Base64 encoded certificate from the previous step.

  9. Create the DataProtectionApplication CR by running the following command: 

    $ oc apply -f <dpa_filename>
    Copy to Clipboard Toggle word wrap

  10. Verify that the DataProtectionApplication CR is created successfully by running the following command: 

    $ oc get dpa -o yaml
    Copy to Clipboard Toggle word wrap

    Example output

    apiVersion: v1
items:
- apiVersion: oadp.openshift.io/v1alpha1
  kind: DataProtectionApplication
  metadata:
    namespace: openshift-adp
    #...#
  spec:
    backupLocations:
    - velero:
        config:
          #...#
  status:
    conditions:
    - lastTransitionTime: "20....9:54:02Z"
      message: Reconcile complete
      reason: Complete
      status: "True"
      type: Reconciled
kind: List
metadata:
  resourceVersion: ""
    Copy to Clipboard Toggle word wrap

  11. Verify that the backup storage location (BSL) is available by running the following command: 

    $ oc get backupstoragelocations.velero.io -n openshift-adp
    Copy to Clipboard Toggle word wrap

    Example output

    NAME           PHASE       LAST VALIDATED   AGE   DEFAULT
dpa-sample-1   Available   3s               15s   true
    Copy to Clipboard Toggle word wrap

  12. Configure the Backup CR by using the following example: 

    apiVersion: velero.io/v1
kind: Backup
metadata:
  name: test-backup
  namespace: openshift-adp
spec:
  includedNamespaces:
  - <application_namespace>
    Copy to Clipboard Toggle word wrap

    where:

    <application_namespace>
    Specifies the namespace for the application to back up.

  13. Create the Backup CR by running the following command: 

    $ oc apply -f <backup_cr_filename>
    Copy to Clipboard Toggle word wrap

Verification

  • Verify that the Backup object is in the Completed phase by running the following command: 

    $ oc describe backup test-backup -n openshift-adp
    Copy to Clipboard Toggle word wrap

    Example output

    Name:         test-backup
Namespace:    openshift-adp
# ....#
Status:
  Backup Item Operations Attempted:  1
  Backup Item Operations Completed:  1
  Completion Timestamp:              2024-09-25T10:17:01Z
  Expiration:                        2024-10-25T10:16:31Z
  Format Version:                    1.1.0
  Hook Status:
  Phase:  Completed
  Progress:
    Items Backed Up:  34
    Total Items:      34
  Start Timestamp:    2024-09-25T10:16:31Z
  Version:            1
Events:               <none>
    Copy to Clipboard Toggle word wrap

1.6. Installing and configuring OADP
Copy link

1.6.1. Installing OADP
Copy link

You can use OpenShift API for Data Protection (OADP) with Red Hat OpenShift Service on AWS clusters to back up and restore application data.

Before installing OpenShift API for Data Protection (OADP), you must set up role and policy credentials for OADP so that it can use the Amazon Web Services API.

This process is performed in the following two stages:

  1. Prepare AWS credentials
  2. Install the OADP Operator and give it an IAM role
1.6.1.1. Preparing AWS credentials for OADP
Copy link

An Amazon Web Services account must be prepared and configured to accept an OpenShift API for Data Protection (OADP) installation.

Procedure

  1. Create the following environment variables by running the following commands:

    Important

    Change the cluster name to match your cluster, and ensure you are logged into the cluster as an administrator. Ensure that all fields are outputted correctly before continuing. 

    $ export CLUSTER_NAME=my-cluster
    Copy to Clipboard Toggle word wrap
    • my-cluster: Replace my-cluster with your cluster name. 
    $ export ROSA_CLUSTER_ID=$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .id)
    Copy to Clipboard Toggle word wrap 
    $ export REGION=$(rosa describe cluster -c ${CLUSTER_NAME} --output json | jq -r .region.id)
    Copy to Clipboard Toggle word wrap 
    $ export OIDC_ENDPOINT=$(oc get authentication.config.openshift.io cluster -o jsonpath='{.spec.serviceAccountIssuer}' | sed 's|^https://||')
    Copy to Clipboard Toggle word wrap 
    $ export AWS_ACCOUNT_ID=$(aws sts get-caller-identity --query Account --output text)
    Copy to Clipboard Toggle word wrap 
    $ export CLUSTER_VERSION=$(rosa describe cluster -c ${CLUSTER_NAME} -o json | jq -r .version.raw_id | cut -f -2 -d '.')
    Copy to Clipboard Toggle word wrap 
    $ export ROLE_NAME="${CLUSTER_NAME}-openshift-oadp-aws-cloud-credentials"
    Copy to Clipboard Toggle word wrap 
    $ export SCRATCH="/tmp/${CLUSTER_NAME}/oadp"
    Copy to Clipboard Toggle word wrap 
    $ mkdir -p ${SCRATCH}
    Copy to Clipboard Toggle word wrap 
    $ echo "Cluster ID: ${ROSA_CLUSTER_ID}, Region: ${REGION}, OIDC Endpoint:
  ${OIDC_ENDPOINT}, AWS Account ID: ${AWS_ACCOUNT_ID}"
    Copy to Clipboard Toggle word wrap

  2. On the AWS account, create an IAM policy to allow access to AWS S3:

    1. Check to see if the policy exists by running the following command: 

      $ POLICY_ARN=$(aws iam list-policies --query "Policies[?PolicyName=='RosaOadpVer1'].{ARN:Arn}" --output text)
      Copy to Clipboard Toggle word wrap
      • RosaOadp: Replace RosaOadp with your policy name.

    2. Enter the following command to create the policy JSON file and then create the policy:

      Note

      If the policy ARN is not found, the command creates the policy. If the policy ARN already exists, the if statement intentionally skips the policy creation. 

      $ if [[ -z "${POLICY_ARN}" ]]; then
  cat << EOF > ${SCRATCH}/policy.json
  {
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "s3:CreateBucket",
        "s3:DeleteBucket",
        "s3:PutBucketTagging",
        "s3:GetBucketTagging",
        "s3:PutEncryptionConfiguration",
        "s3:GetEncryptionConfiguration",
        "s3:PutLifecycleConfiguration",
        "s3:GetLifecycleConfiguration",
        "s3:GetBucketLocation",
        "s3:ListBucket",
        "s3:GetObject",
        "s3:PutObject",
        "s3:DeleteObject",
        "s3:ListBucketMultipartUploads",
        "s3:AbortMultipartUpload",
        "s3:ListMultipartUploadParts",
        "ec2:DescribeSnapshots",
        "ec2:DescribeVolumes",
        "ec2:DescribeVolumeAttribute",
        "ec2:DescribeVolumesModifications",
        "ec2:DescribeVolumeStatus",
        "ec2:CreateTags",
        "ec2:CreateVolume",
        "ec2:CreateSnapshot",
        "ec2:DeleteSnapshot"
      ],
      "Resource": "*"
    }
  ]}
EOF

  POLICY_ARN=$(aws iam create-policy --policy-name "RosaOadpVer1" \
  --policy-document file:///${SCRATCH}/policy.json --query Policy.Arn \
  --tags Key=rosa_openshift_version,Value=${CLUSTER_VERSION} Key=rosa_role_prefix,Value=ManagedOpenShift Key=operator_namespace,Value=openshift-oadp Key=operator_name,Value=openshift-oadp \
  --output text)
  fi
      Copy to Clipboard Toggle word wrap
      • SCRATCH: SCRATCH is a name for a temporary directory created for the environment variables.

    3. View the policy ARN by running the following command: 

      $ echo ${POLICY_ARN}
      Copy to Clipboard Toggle word wrap

  3. Create an IAM role trust policy for the cluster:

    1. Create the trust policy file by running the following command: 

      $ cat <<EOF > ${SCRATCH}/trust-policy.json
  {
      "Version": "2012-10-17",
      "Statement": [{
        "Effect": "Allow",
        "Principal": {
          "Federated": "arn:aws:iam::${AWS_ACCOUNT_ID}:oidc-provider/${OIDC_ENDPOINT}"
        },
        "Action": "sts:AssumeRoleWithWebIdentity",
        "Condition": {
          "StringEquals": {
            "${OIDC_ENDPOINT}:sub": [
              "system:serviceaccount:openshift-adp:openshift-adp-controller-manager",
              "system:serviceaccount:openshift-adp:velero"]
          }
        }
      }]
  }
EOF
      Copy to Clipboard Toggle word wrap

    2. Create the role by running the following command: 

      $ ROLE_ARN=$(aws iam create-role --role-name \
  "${ROLE_NAME}" \
  --assume-role-policy-document file://${SCRATCH}/trust-policy.json \
  --tags Key=rosa_cluster_id,Value=${ROSA_CLUSTER_ID} \
         Key=rosa_openshift_version,Value=${CLUSTER_VERSION} \
         Key=rosa_role_prefix,Value=ManagedOpenShift \
         Key=operator_namespace,Value=openshift-adp \
         Key=operator_name,Value=openshift-oadp \
  --query Role.Arn --output text)
      Copy to Clipboard Toggle word wrap

    3. View the role ARN by running the following command: 

      $ echo ${ROLE_ARN}
      Copy to Clipboard Toggle word wrap

  4. Attach the IAM policy to the IAM role by running the following command: 

    $ aws iam attach-role-policy --role-name "${ROLE_NAME}" \
  --policy-arn ${POLICY_ARN}
    Copy to Clipboard Toggle word wrap

AWS Security Token Service (AWS STS) is a global web service that provides short-term credentials for IAM or federated users. Red Hat OpenShift Service on AWS with STS is the recommended credential mode. This document describes how to install OpenShift API for Data Protection (OADP) on clusters with AWS STS.

Important

Restic is unsupported.

Kopia file system backup (FSB) is supported when backing up file systems that do not support Container Storage Interface (CSI) snapshots.

Example file systems include the following:

  • Amazon Elastic File System (EFS)
  • Network File System (NFS)
  • emptyDir volumes
  • Local volumes

For backing up volumes, OADP on ROSA with AWS STS recommends native snapshots and Container Storage Interface (CSI) snapshots. Data Mover backups are supported, but can be slower than native snapshots.

In an Amazon ROSA cluster that uses STS authentication, restoring backed-up data in a different AWS region is not supported.

Prerequisites

  • A Red Hat OpenShift Service on AWS cluster with the required access and tokens. For instructions, see the previous procedure Preparing AWS credentials for OADP. If you plan to use two different clusters for backing up and restoring, you must prepare AWS credentials, including ROLE_ARN, for each cluster.

Procedure

  1. Create a Red Hat OpenShift Service on AWS secret from your AWS token file by entering the following commands:

    1. Create the credentials file: 

      $ cat <<EOF > ${SCRATCH}/credentials
  [default]
  role_arn = ${ROLE_ARN}
  web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
  region = <aws_region>
      1 
      
EOF
      Copy to Clipboard Toggle word wrap
      1
      Replace <aws_region> with the AWS region to use for the STS endpoint.

    2. Create a namespace for OADP: 

      $ oc create namespace openshift-adp
      Copy to Clipboard Toggle word wrap

    3. Create the Red Hat OpenShift Service on AWS secret: 

      $ oc -n openshift-adp create secret generic cloud-credentials \
  --from-file=${SCRATCH}/credentials
      Copy to Clipboard Toggle word wrap
      Note

      In Red Hat OpenShift Service on AWS versions 4.15 and later, the OADP Operator supports a new standardized STS workflow through the Operator Lifecycle Manager (OLM) and Cloud Credentials Operator (CCO). In this workflow, you do not need to create the above secret, you only need to supply the role ARN during the installation of OLM-managed operators using the Red Hat OpenShift Service on AWS web console, for more information see Installing from software catalog using the web console.

      The preceding secret is created automatically by CCO.

  2. Install the OADP Operator:

    1. In the Red Hat OpenShift Service on AWS web console, browse to EcosystemSoftware Catalog.
    2. Search for the OADP Operator.
    3. In the role_ARN field, paste the role_arn that you created previously and click Install.

  3. Create AWS cloud storage using your AWS credentials by entering the following command: 

    $ cat << EOF | oc create -f -
  apiVersion: oadp.openshift.io/v1alpha1
  kind: CloudStorage
  metadata:
    name: ${CLUSTER_NAME}-oadp
    namespace: openshift-adp
  spec:
    creationSecret:
      key: credentials
      name: cloud-credentials
    enableSharedConfig: true
    name: ${CLUSTER_NAME}-oadp
    provider: aws
    region: $REGION
EOF
    Copy to Clipboard Toggle word wrap

  4. Check your application’s storage default storage class by entering the following command: 

    $ oc get pvc -n <namespace>
    Copy to Clipboard Toggle word wrap

    Example output

    NAME     STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
applog   Bound    pvc-351791ae-b6ab-4e8b-88a4-30f73caf5ef8   1Gi        RWO            gp3-csi        4d19h
mysql    Bound    pvc-16b8e009-a20a-4379-accc-bc81fedd0621   1Gi        RWO            gp3-csi        4d19h
    Copy to Clipboard Toggle word wrap

  5. Get the storage class by running the following command: 

    $ oc get storageclass
    Copy to Clipboard Toggle word wrap

    Example output

    NAME                PROVISIONER             RECLAIMPOLICY   VOLUMEBINDINGMODE      ALLOWVOLUMEEXPANSION   AGE
gp2                 kubernetes.io/aws-ebs   Delete          WaitForFirstConsumer   true                   4d21h
gp2-csi             ebs.csi.aws.com         Delete          WaitForFirstConsumer   true                   4d21h
gp3                 ebs.csi.aws.com         Delete          WaitForFirstConsumer   true                   4d21h
gp3-csi (default)   ebs.csi.aws.com         Delete          WaitForFirstConsumer   true                   4d21h
    Copy to Clipboard Toggle word wrap

    Note

    The following storage classes will work:

    • gp3-csi
    • gp2-csi
    • gp3
    • gp2

    If the application or applications that are being backed up are all using persistent volumes (PVs) with Container Storage Interface (CSI), it is advisable to include the CSI plugin in the OADP DPA configuration.

  6. Create the DataProtectionApplication resource to configure the connection to the storage where the backups and volume snapshots are stored:

    1. If you are using only CSI volumes, deploy a Data Protection Application by entering the following command: 

      $ cat << EOF | oc create -f -
  apiVersion: oadp.openshift.io/v1alpha1
  kind: DataProtectionApplication
  metadata:
    name: ${CLUSTER_NAME}-dpa
    namespace: openshift-adp
  spec:
    backupImages: true
      1 
      
    features:
      dataMover:
        enable: false
    backupLocations:
    - bucket:
        cloudStorageRef:
          name: ${CLUSTER_NAME}-oadp
        credential:
          key: credentials
          name: cloud-credentials
        prefix: velero
        default: true
        config:
          region: ${REGION}
    configuration:
      velero:
        defaultPlugins:
        - openshift
        - aws
        - csi
      nodeAgent:
      2 
      
        enable: false
        uploaderType: kopia
      3 
      
EOF
      Copy to Clipboard Toggle word wrap
      1
      Red Hat OpenShift Service on AWS supports internal image backup. Set this field to false if you do not want to use image backup.
      2
      See the important note regarding the nodeAgent attribute at the end of this procedure.
      3
      The type of uploader. The built-in Data Mover uses Kopia as the default uploader mechanism regardless of the value of the uploaderType field.

    2. If you are using CSI or non-CSI volumes, deploy a Data Protection Application by entering the following command: 

      $ cat << EOF | oc create -f -
  apiVersion: oadp.openshift.io/v1alpha1
  kind: DataProtectionApplication
  metadata:
    name: ${CLUSTER_NAME}-dpa
    namespace: openshift-adp
  spec:
    backupImages: true
      1 
      
    backupLocations:
    - bucket:
        cloudStorageRef:
          name: ${CLUSTER_NAME}-oadp
        credential:
          key: credentials
          name: cloud-credentials
        prefix: velero
        default: true
        config:
          region: ${REGION}
    configuration:
      velero:
        defaultPlugins:
        - openshift
        - aws
      nodeAgent:
      2 
      
        enable: false
        uploaderType: restic
    snapshotLocations:
      - velero:
          config:
            credentialsFile: /tmp/credentials/openshift-adp/cloud-credentials-credentials
      3 
      
            enableSharedConfig: "true"
      4 
      
            profile: default
      5 
      
            region: ${REGION}
      6 
      
          provider: aws
EOF
      Copy to Clipboard Toggle word wrap
      1
      Red Hat OpenShift Service on AWS supports internal image backup. Set this field to false if you do not want to use image backup.
      2
      See the important note regarding the nodeAgent attribute at the end of this procedure.
      3
      The credentialsFile field is the mounted location of the bucket credential on the pod.
      4
      The enableSharedConfig field allows the snapshotLocations to share or reuse the credential defined for the bucket.
      5
      Use the profile name set in the AWS credentials file.
      6
      Specify region as your AWS region. This must be the same as the cluster region.

      You are now ready to back up and restore Red Hat OpenShift Service on AWS applications, as described in Backing up applications.

Important

The enable parameter of restic is set to false in this configuration, because OADP does not support Restic in Red Hat OpenShift Service on AWS environments.

If you use OADP 1.2, replace this configuration: 

nodeAgent:
  enable: false
  uploaderType: restic
Copy to Clipboard Toggle word wrap

with the following configuration: 

restic:
  enable: false
Copy to Clipboard Toggle word wrap

If you want to use two different clusters for backing up and restoring, the two clusters must have the same AWS S3 storage names in both the cloud storage CR and the OADP DataProtectionApplication configuration.

While installing the OADP Operator on a Red Hat OpenShift Service on AWS cluster, if you provide an incorrect IAM role Amazon Resource Name (ARN), the openshift-adp-controller pod gives an error. The credential requests that are generated contain the wrong IAM role ARN. To update the credential requests object with the correct IAM role ARN, you can edit the OADP Operator subscription and patch the IAM role ARN with the correct value. By editing the OADP Operator subscription, you do not have to uninstall and reinstall OADP to update the IAM role ARN.

Prerequisites

  • You have a Red Hat OpenShift Service on AWS cluster with the required access and tokens.
  • You have installed OADP on the ROSA STS cluster.

Procedure

  1. To verify that the OADP subscription has the wrong IAM role ARN environment variable set, run the following command: 

    $ oc get sub -o yaml redhat-oadp-operator
    Copy to Clipboard Toggle word wrap

    Example subscription

    apiVersion: operators.coreos.com/v1alpha1
kind: Subscription
metadata:
  annotations:
  creationTimestamp: "2025-01-15T07:18:31Z"
  generation: 1
  labels:
    operators.coreos.com/redhat-oadp-operator.openshift-adp: ""
  name: redhat-oadp-operator
  namespace: openshift-adp
  resourceVersion: "77363"
  uid: 5ba00906-5ad2-4476-ae7b-ffa90986283d
spec:
  channel: stable-1.4
  config:
    env:
    - name: ROLEARN
      value: arn:aws:iam::11111111:role/wrong-role-arn
    1 
    
  installPlanApproval: Manual
  name: redhat-oadp-operator
  source: prestage-operators
  sourceNamespace: openshift-marketplace
  startingCSV: oadp-operator.v1.4.2
    Copy to Clipboard Toggle word wrap

    1
    Verify the value of ROLEARN you want to update.

  2. Update the ROLEARN field of the subscription with the correct role ARN by running the following command: 

    $ oc patch subscription redhat-oadp-operator -p '{"spec": {"config": {"env": [{"name": "ROLEARN", "value": "<role_arn>"}]}}}' --type='merge'
    Copy to Clipboard Toggle word wrap

    where:

    <role_arn>
    Specifies the IAM role ARN to be updated. For example, arn:aws:iam::160…​..6956:role/oadprosa…​..8wlf.

  3. Verify that the secret object is updated with correct role ARN value by running the following command: 

    $ oc get secret cloud-credentials -o jsonpath='{.data.credentials}' | base64 -d
    Copy to Clipboard Toggle word wrap

    Example output

    [default]
sts_regional_endpoints = regional
role_arn = arn:aws:iam::160.....6956:role/oadprosa.....8wlf
web_identity_token_file = /var/run/secrets/openshift/serviceaccount/token
    Copy to Clipboard Toggle word wrap

  4. Configure the DataProtectionApplication custom resource (CR) manifest file as shown in the following example: 

    apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: test-rosa-dpa
  namespace: openshift-adp
spec:
  backupLocations:
  - bucket:
      config:
        region: us-east-1
      cloudStorageRef:
        name: <cloud_storage>
    1 
    
      credential:
        name: cloud-credentials
        key: credentials
      prefix: velero
      default: true
  configuration:
    velero:
      defaultPlugins:
      - aws
      - openshift
    Copy to Clipboard Toggle word wrap
    1
    Specify the CloudStorage CR.

  5. Create the DataProtectionApplication CR by running the following command: 

    $ oc create -f <dpa_manifest_file>
    Copy to Clipboard Toggle word wrap

  6. Verify that the DataProtectionApplication CR is reconciled and the status is set to "True" by running the following command: 

    $  oc get dpa -n openshift-adp -o yaml
    Copy to Clipboard Toggle word wrap

    Example DataProtectionApplication

    apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
...
status:
    conditions:
    - lastTransitionTime: "2023-07-31T04:48:12Z"
      message: Reconcile complete
      reason: Complete
      status: "True"
      type: Reconciled
    Copy to Clipboard Toggle word wrap

  7. Verify that the BackupStorageLocation CR is in an available state by running the following command: 

    $ oc get backupstoragelocations.velero.io -n openshift-adp
    Copy to Clipboard Toggle word wrap

    Example BackupStorageLocation

    NAME       PHASE       LAST VALIDATED   AGE   DEFAULT
ts-dpa-1   Available   3s               6s    true
    Copy to Clipboard Toggle word wrap

1.7. OADP backing up
Copy link

1.7.1. Backing up applications
Copy link

Frequent backups might consume storage on the backup storage location. Check the frequency of backups, retention time, and the amount of data of the persistent volumes (PVs) if using non-local backups, for example, S3 buckets. Because all taken backup remains until expired, also check the time to live (TTL) setting of the schedule.

You can back up applications by creating a Backup custom resource (CR). For more information, see Creating a Backup CR. The following are the different backup types for a Backup CR:

The Backup CR creates backup files for Kubernetes resources and internal images on S3 object storage.

OADP backs up application resources based on the type, namespace, or label. This means that you can view the resources after the backup is complete. Similarly, you can view the restored objects based on the namespace, persistent volume (PV), or label after a restore operation is complete. To preview the resources in advance, you can do a dry run of the backup and restore operations.

Prerequisites

  • You have installed the OADP Operator.

Procedure

  1. To preview the resources included in the backup before running the actual backup, run the following command: 

    $ velero backup create <backup-name> --snapshot-volumes false
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the value of --snapshot-volumes parameter as false.

  2. To know more details about the backup resources, run the following command: 

    $ velero describe backup <backup_name> --details
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the name of the backup.

  3. To preview the resources included in the restore before running the actual restore, run the following command: 

    $ velero restore create --from-backup <backup-name>
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the name of the backup created to review the backup resources.
    Important

    The velero restore create command creates restore resources in the cluster. You must delete the resources created as part of the restore, after you review the resources.

  4. To know more details about the restore resources, run the following command: 

    $ velero describe restore <restore_name> --details
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the name of the restore.

You can create backup hooks to run commands before or after the backup operation. See Creating backup hooks.

You can schedule backups by creating a Schedule CR instead of a Backup CR. See Scheduling backups using Schedule CR.

1.7.1.2. Known issues
Copy link

Red Hat OpenShift Service on AWS 4 enforces a pod security admission (PSA) policy that can hinder the readiness of pods during a Restic restore process.

This issue has been resolved in the OADP 1.1.6 and OADP 1.2.2 releases, therefore it is recommended that users upgrade to these releases.

1.7.3. Creating backup hooks
Copy link

When performing a backup, it is possible to specify one or more commands to execute in a container within a pod, based on the pod being backed up.

The commands can be configured to performed before any custom action processing (Pre hooks), or after all custom actions have been completed and any additional items specified by the custom action have been backed up (Post hooks).

You create backup hooks to run commands in a container in a pod by editing the Backup custom resource (CR).

Procedure

  • Add a hook to the spec.hooks block of the Backup CR, as in the following example: 

    apiVersion: velero.io/v1
kind: Backup
metadata:
  name: <backup>
  namespace: openshift-adp
spec:
  hooks:
    resources:
      - name: <hook_name>
        includedNamespaces:
        - <namespace>
    1 
    
        excludedNamespaces:
    2 
    
        - <namespace>
        includedResources: []
        - pods
    3 
    
        excludedResources: []
    4 
    
        labelSelector:
    5 
    
          matchLabels:
            app: velero
            component: server
        pre:
    6 
    
          - exec:
              container: <container>
    7 
    
              command:
              - /bin/uname
    8 
    
              - -a
              onError: Fail
    9 
    
              timeout: 30s
    10 
    
        post:
    11 
    
...
    Copy to Clipboard Toggle word wrap
    1
    Optional: You can specify namespaces to which the hook applies. If this value is not specified, the hook applies to all namespaces.
    2
    Optional: You can specify namespaces to which the hook does not apply.
    3
    Currently, pods are the only supported resource that hooks can apply to.
    4
    Optional: You can specify resources to which the hook does not apply.
    5
    Optional: This hook only applies to objects matching the label. If this value is not specified, the hook applies to all objects.
    6
    Array of hooks to run before the backup.
    7
    Optional: If the container is not specified, the command runs in the first container in the pod.
    8
    This is the entry point for the init container being added.
    9
    Allowed values for error handling are Fail and Continue. The default is Fail.
    10
    Optional: How long to wait for the commands to run. The default is 30s.
    11
    This block defines an array of hooks to run after the backup, with the same parameters as the pre-backup hooks.

1.7.4. Scheduling backups using Schedule CR
Copy link

The schedule operation allows you to create a backup of your data at a particular time, specified by a Cron expression.

You schedule backups by creating a Schedule custom resource (CR) instead of a Backup CR.

Warning

Leave enough time in your backup schedule for a backup to finish before another backup is created.

For example, if a backup of a namespace typically takes 10 minutes, do not schedule backups more frequently than every 15 minutes.

Prerequisites

  • You must install the OpenShift API for Data Protection (OADP) Operator.
  • The DataProtectionApplication CR must be in a Ready state.

Procedure

  1. Retrieve the backupStorageLocations CRs: 

    $ oc get backupStorageLocations -n openshift-adp
    Copy to Clipboard Toggle word wrap

    Example output

    NAMESPACE       NAME              PHASE       LAST VALIDATED   AGE   DEFAULT
openshift-adp   velero-sample-1   Available   11s              31m
    Copy to Clipboard Toggle word wrap

  2. Create a Schedule CR, as in the following example: 

    $ cat << EOF | oc apply -f -
apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: <schedule>
  namespace: openshift-adp
spec:
  schedule: 0 7 * * *
    1 
    
  template:
    hooks: {}
    includedNamespaces:
    - <namespace>
    2 
    
    storageLocation: <velero-sample-1>
    3 
    
    defaultVolumesToFsBackup: true
    4 
    
    ttl: 720h0m0s
EOF
    Copy to Clipboard Toggle word wrap
1
cron expression to schedule the backup, for example, 0 7 * * * to perform a backup every day at 7:00.
Note

To schedule a backup at specific intervals, enter the <duration_in_minutes> in the following format: 

  schedule: "*/10 * * * *"
Copy to Clipboard Toggle word wrap

Enter the minutes value between quotation marks (" ").

2
Array of namespaces to back up.
3
Name of the backupStorageLocations CR.
4
Optional: In OADP version 1.2 and later, add the defaultVolumesToFsBackup: true key-value pair to your configuration when performing backups of volumes with Restic. In OADP version 1.1, add the defaultVolumesToRestic: true key-value pair when you back up volumes with Restic.

Verification

  • Verify that the status of the Schedule CR is Completed after the scheduled backup runs: 

    $ oc get schedule -n openshift-adp <schedule> -o jsonpath='{.status.phase}'
    Copy to Clipboard Toggle word wrap

1.7.5. Deleting backups
Copy link

You can delete a backup by creating the DeleteBackupRequest custom resource (CR) or by running the velero backup delete command as explained in the following procedures.

The volume backup artifacts are deleted at different times depending on the backup method:

  • Restic: The artifacts are deleted in the next full maintenance cycle, after the backup is deleted.
  • Container Storage Interface (CSI): The artifacts are deleted immediately when the backup is deleted.
  • Kopia: The artifacts are deleted after three full maintenance cycles of the Kopia repository, after the backup is deleted.

You can delete a backup by creating a DeleteBackupRequest custom resource (CR).

Prerequisites

  • You have run a backup of your application.

Procedure

  1. Create a DeleteBackupRequest CR manifest file: 

    apiVersion: velero.io/v1
kind: DeleteBackupRequest
metadata:
  name: deletebackuprequest
  namespace: openshift-adp
spec:
  backupName: <backup_name>
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the name of the backup.

  2. Apply the DeleteBackupRequest CR to delete the backup: 

    $ oc apply -f <deletebackuprequest_cr_filename>
    Copy to Clipboard Toggle word wrap
1.7.5.2. Deleting a backup by using the Velero CLI
Copy link

You can delete a backup by using the Velero CLI.

Prerequisites

  • You have run a backup of your application.
  • You downloaded the Velero CLI and can access the Velero binary in your cluster.

Procedure

  • To delete the backup, run the following Velero command: 

    $ velero backup delete <backup_name> -n openshift-adp
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the name of the backup.
1.7.5.3. About Kopia repository maintenance
Copy link

There are two types of Kopia repository maintenance:

Quick maintenance
  • Runs every hour to keep the number of index blobs (n) low. A high number of indexes negatively affects the performance of Kopia operations.
  • Does not delete any metadata from the repository without ensuring that another copy of the same metadata exists.
Full maintenance
  • Runs every 24 hours to perform garbage collection of repository contents that are no longer needed.
  • snapshot-gc, a full maintenance task, finds all files and directory listings that are no longer accessible from snapshot manifests and marks them as deleted.
  • A full maintenance is a resource-costly operation, as it requires scanning all directories in all snapshots that are active in the cluster.
1.7.5.3.1. Kopia maintenance in OADP
Copy link

The repo-maintain-job jobs are executed in the namespace where OADP is installed, as shown in the following example: 

pod/repo-maintain-job-173...2527-2nbls                             0/1     Completed   0          168m
pod/repo-maintain-job-173....536-fl9tm                             0/1     Completed   0          108m
pod/repo-maintain-job-173...2545-55ggx                             0/1     Completed   0          48m
Copy to Clipboard Toggle word wrap

You can check the logs of the repo-maintain-job for more details about the cleanup and the removal of artifacts in the backup object storage. You can find a note, as shown in the following example, in the repo-maintain-job when the next full cycle maintenance is due: 

not due for full maintenance cycle until 2024-00-00 18:29:4
Copy to Clipboard Toggle word wrap
Important

Three successful executions of a full maintenance cycle are required for the objects to be deleted from the backup object storage. This means you can expect up to 72 hours for all the artifacts in the backup object storage to be deleted.

1.7.5.4. Deleting a backup repository
Copy link

After you delete the backup, and after the Kopia repository maintenance cycles to delete the related artifacts are complete, the backup is no longer referenced by any metadata or manifest objects. You can then delete the backuprepository custom resource (CR) to complete the backup deletion process.

Prerequisites

  • You have deleted the backup of your application.
  • You have waited up to 72 hours after the backup is deleted. This time frame allows Kopia to run the repository maintenance cycles.

Procedure

  1. To get the name of the backup repository CR for a backup, run the following command: 

    $ oc get backuprepositories.velero.io -n openshift-adp
    Copy to Clipboard Toggle word wrap

  2. To delete the backup repository CR, run the following command: 

    $ oc delete backuprepository <backup_repository_name> -n openshift-adp
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the name of the backup repository from the earlier step.

1.8. OADP restoring
Copy link

1.8.1. Restoring applications
Copy link

You restore application backups by creating a Restore custom resource (CR). See Creating a Restore CR.

You can create restore hooks to run commands in a container in a pod by editing the Restore CR. See Creating restore hooks.

OADP backs up application resources based on the type, namespace, or label. This means that you can view the resources after the backup is complete. Similarly, you can view the restored objects based on the namespace, persistent volume (PV), or label after a restore operation is complete. To preview the resources in advance, you can do a dry run of the backup and restore operations.

Prerequisites

  • You have installed the OADP Operator.

Procedure

  1. To preview the resources included in the backup before running the actual backup, run the following command: 

    $ velero backup create <backup-name> --snapshot-volumes false
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the value of --snapshot-volumes parameter as false.

  2. To know more details about the backup resources, run the following command: 

    $ velero describe backup <backup_name> --details
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the name of the backup.

  3. To preview the resources included in the restore before running the actual restore, run the following command: 

    $ velero restore create --from-backup <backup-name>
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the name of the backup created to review the backup resources.
    Important

    The velero restore create command creates restore resources in the cluster. You must delete the resources created as part of the restore, after you review the resources.

  4. To know more details about the restore resources, run the following command: 

    $ velero describe restore <restore_name> --details
    1
    Copy to Clipboard Toggle word wrap
    1
    Specify the name of the restore.
1.8.1.2. Creating a Restore CR
Copy link

You restore a Backup custom resource (CR) by creating a Restore CR.

When you restore a stateful application that uses the azurefile-csi storage class, the restore operation remains in the Finalizing phase.

Prerequisites

  • You must install the OpenShift API for Data Protection (OADP) Operator.
  • The DataProtectionApplication CR must be in a Ready state.
  • You must have a Velero Backup CR.
  • The persistent volume (PV) capacity must match the requested size at backup time. Adjust the requested size if needed.

Procedure

  1. Create a Restore CR, as in the following example: 

    apiVersion: velero.io/v1
kind: Restore
metadata:
  name: <restore>
  namespace: openshift-adp
spec:
  backupName: <backup>
    1 
    
  includedResources: []
    2 
    
  excludedResources:
  - nodes
  - events
  - events.events.k8s.io
  - backups.velero.io
  - restores.velero.io
  - resticrepositories.velero.io
  restorePVs: true
    3
    Copy to Clipboard Toggle word wrap
    1
    Name of the Backup CR.
    2
    Optional: Specify an array of resources to include in the restore process. Resources might be shortcuts (for example, po for pods) or fully-qualified. If unspecified, all resources are included.
    3
    Optional: The restorePVs parameter can be set to false to turn off restore of PersistentVolumes from VolumeSnapshot of Container Storage Interface (CSI) snapshots or from native snapshots when VolumeSnapshotLocation is configured.

  2. Verify that the status of the Restore CR is Completed by entering the following command: 

    $ oc get restores.velero.io -n openshift-adp <restore> -o jsonpath='{.status.phase}'
    Copy to Clipboard Toggle word wrap

  3. Verify that the backup resources have been restored by entering the following command: 

    $ oc get all -n <namespace>
    1
    Copy to Clipboard Toggle word wrap
    1
    Namespace that you backed up.

  4. If you restore DeploymentConfig with volumes or if you use post-restore hooks, run the dc-post-restore.sh cleanup script by entering the following command: 

    $ bash dc-restic-post-restore.sh -> dc-post-restore.sh
    Copy to Clipboard Toggle word wrap
    Note

    During the restore process, the OADP Velero plug-ins scale down the DeploymentConfig objects and restore the pods as standalone pods. This is done to prevent the cluster from deleting the restored DeploymentConfig pods immediately on restore and to allow the restore and post-restore hooks to complete their actions on the restored pods. The cleanup script shown below removes these disconnected pods and scales any DeploymentConfig objects back up to the appropriate number of replicas.

    dc-restic-post-restore.sh → dc-post-restore.sh cleanup script

    #!/bin/bash
set -e

# if sha256sum exists, use it to check the integrity of the file
if command -v sha256sum >/dev/null 2>&1; then
  CHECKSUM_CMD="sha256sum"
else
  CHECKSUM_CMD="shasum -a 256"
fi

label_name () {
    if [ "${#1}" -le "63" ]; then
	echo $1
	return
    fi
    sha=$(echo -n $1|$CHECKSUM_CMD)
    echo "${1:0:57}${sha:0:6}"
}

if [[ $# -ne 1 ]]; then
    echo "usage: ${BASH_SOURCE} restore-name"
    exit 1
fi

echo "restore: $1"

label=$(label_name $1)
echo "label:   $label"

echo Deleting disconnected restore pods
oc delete pods --all-namespaces -l oadp.openshift.io/disconnected-from-dc=$label

for dc in $(oc get dc --all-namespaces -l oadp.openshift.io/replicas-modified=$label -o jsonpath='{range .items[*]}{.metadata.namespace}{","}{.metadata.name}{","}{.metadata.annotations.oadp\.openshift\.io/original-replicas}{","}{.metadata.annotations.oadp\.openshift\.io/original-paused}{"\n"}')
do
    IFS=',' read -ra dc_arr <<< "$dc"
    if [ ${#dc_arr[0]} -gt 0 ]; then
	echo Found deployment ${dc_arr[0]}/${dc_arr[1]}, setting replicas: ${dc_arr[2]}, paused: ${dc_arr[3]}
	cat <<EOF | oc patch dc  -n ${dc_arr[0]} ${dc_arr[1]} --patch-file /dev/stdin
spec:
  replicas: ${dc_arr[2]}
  paused: ${dc_arr[3]}
EOF
    fi
done
    Copy to Clipboard Toggle word wrap

1.8.1.3. Creating restore hooks
Copy link

You create restore hooks to run commands in a container in a pod by editing the Restore custom resource (CR).

You can create two types of restore hooks:

  • An init hook adds an init container to a pod to perform setup tasks before the application container starts.

    If you restore a Restic backup, the restic-wait init container is added before the restore hook init container.

  • An exec hook runs commands or scripts in a container of a restored pod.

Procedure

  • Add a hook to the spec.hooks block of the Restore CR, as in the following example: 

    apiVersion: velero.io/v1
kind: Restore
metadata:
  name: <restore>
  namespace: openshift-adp
spec:
  hooks:
    resources:
      - name: <hook_name>
        includedNamespaces:
        - <namespace>
    1 
    
        excludedNamespaces:
        - <namespace>
        includedResources:
        - pods
    2 
    
        excludedResources: []
        labelSelector:
    3 
    
          matchLabels:
            app: velero
            component: server
        postHooks:
        - init:
            initContainers:
            - name: restore-hook-init
              image: alpine:latest
              volumeMounts:
              - mountPath: /restores/pvc1-vm
                name: pvc1-vm
              command:
              - /bin/ash
              - -c
            timeout:
    4 
    
        - exec:
            container: <container>
    5 
    
            command:
            - /bin/bash
    6 
    
            - -c
            - "psql < /backup/backup.sql"
            waitTimeout: 5m
    7 
    
            execTimeout: 1m
    8 
    
            onError: Continue
    9
    Copy to Clipboard Toggle word wrap
    1
    Optional: Array of namespaces to which the hook applies. If this value is not specified, the hook applies to all namespaces.
    2
    Currently, pods are the only supported resource that hooks can apply to.
    3
    Optional: This hook only applies to objects matching the label selector.
    4
    Optional: Timeout specifies the maximum length of time Velero waits for initContainers to complete.
    5
    Optional: If the container is not specified, the command runs in the first container in the pod.
    6
    This is the entrypoint for the init container being added.
    7
    Optional: How long to wait for a container to become ready. This should be long enough for the container to start and for any preceding hooks in the same container to complete. If not set, the restore process waits indefinitely.
    8
    Optional: How long to wait for the commands to run. The default is 30s.
    9
    Allowed values for error handling are Fail and Continue:
    • Continue: Only command failures are logged.
    • Fail: No more restore hooks run in any container in any pod. The status of the Restore CR will be PartiallyFailed.
Important

During a File System Backup (FSB) restore operation, a Deployment resource referencing an ImageStream is not restored properly. The restored pod that runs the FSB, and the postHook is terminated prematurely.

This happens because, during the restore operation, OpenShift controller updates the spec.template.spec.containers[0].image field in the Deployment resource with an updated ImageStreamTag hash. The update triggers the rollout of a new pod, terminating the pod on which velero runs the FSB and the post restore hook. For more information about image stream trigger, see "Triggering updates on image stream changes".

The workaround for this behavior is a two-step restore process:

  1. First, perform a restore excluding the Deployment resources, for example: 

    $ velero restore create <RESTORE_NAME> \
  --from-backup <BACKUP_NAME> \
  --exclude-resources=deployment.apps
    Copy to Clipboard Toggle word wrap

  2. After the first restore is successful, perform a second restore by including these resources, for example: 

    $ velero restore create <RESTORE_NAME> \
  --from-backup <BACKUP_NAME> \
  --include-resources=deployment.apps
    Copy to Clipboard Toggle word wrap

Legal Notice
Copy link

Copyright © 2025 Red Hat

OpenShift documentation is licensed under the Apache License 2.0 (https://www.apache.org/licenses/LICENSE-2.0).

Modified versions must remove all Red Hat trademarks.

Portions adapted from https://github.com/kubernetes-incubator/service-catalog/ with modifications by Red Hat.

Red Hat, Red Hat Enterprise Linux, the Red Hat logo, the Shadowman logo, JBoss, OpenShift, Fedora, the Infinity logo, and RHCE are trademarks of Red Hat, Inc., registered in the United States and other countries.

Linux® is the registered trademark of Linus Torvalds in the United States and other countries.

Java® is a registered trademark of Oracle and/or its affiliates.

XFS® is a trademark of Silicon Graphics International Corp. or its subsidiaries in the United States and/or other countries.

MySQL® is a registered trademark of MySQL AB in the United States, the European Union and other countries.

Node.js® is an official trademark of Joyent. Red Hat Software Collections is not formally related to or endorsed by the official Joyent Node.js open source or commercial project.

The OpenStack® Word Mark and OpenStack logo are either registered trademarks/service marks or trademarks/service marks of the OpenStack Foundation, in the United States and other countries and are used with the OpenStack Foundation’s permission. We are not affiliated with, endorsed or sponsored by the OpenStack Foundation, or the OpenStack community.

All other trademarks are the property of their respective owners.

Back to top
Red Hat logoGithubredditYoutubeTwitter

Learn

Try, buy, & sell

Communities

About Red Hat Documentation

We help Red Hat users innovate and achieve their goals with our products and services with content they can trust. Explore our recent updates.

Making open source more inclusive

Red Hat is committed to replacing problematic language in our code, documentation, and web properties. For more details, see the Red Hat Blog.

About Red Hat

We deliver hardened solutions that make it easier for enterprises to work across platforms and environments, from the core datacenter to the network edge.

Theme

© 2026 Red Hat