This page describes how to create a backup repository for virtual machines (VMs) in Google Distributed Cloud (GDC) air-gapped.
Before creating backups or snapshots, you must define at least one backup repository that can be shared among several backups or snapshots. A backup repository tells the backup system where to store or retrieve backups. Backup repositories for VMs are restricted to the Management API server.
Before you begin
Before you create a backup repository, you must provision the underlying storage and configure the necessary permissions, including:
- An object storage bucket and an S3-compatible endpoint.
- A service account with granted access to the bucket, and its S3 credentials.
The necessary IAM roles:
- Organization Backup Admin: manages backup resources such as backup and restore plans in user clusters.
- Secret Viewer: views Kubernetes secrets in projects.
Ask your Organization IAM Admin to grant you the Organization Backup Admin (organization-backup-admin) and Secret Viewer (secret-viewer) roles. For more information, see Role definitions.
Create a backup repository
Create a repository using the GDC console or the API.
Console
- Sign into the GDC console.
- In the navigation menu, click Backup for Virtual Machines > Repositories.
- Click Create repository.
- Enter a repository name and an optional description.
- In the S3 URI endpoint field, enter an endpoint with the fully-qualified domain name of your object storage site.
- In the Bucket name field, enter the name of the bucket.
- In the Bucket region field, enter the region where the bucket was created.
- In the Access Key ID list, enter the access key ID.
- In the Access key field, enter the access key.
- Click Create.
API
Create a BackupRepository custom resource using your credentials.
Get the name of the secret that contains S3 credentials:
export PROJECT_NAME=PROJECT_NAME
export SA_NAME=SA_NAME
kubectl get secrets --namespace $PROJECT_NAME -o json | jq -r --arg USER_NAME "${SA_NAME:?}" '.items[] | select( (.metadata.annotations."object.gdc.goog/subject"==$USER_NAME)) | .metadata.name'
Make sure to record the secret name returned by the command and use it as SECRET_NAME in the next step.
Replace the following:
- PROJECT_NAME: the name of your project.
- SA_NAME: the name of the service account used to access object storage.
To get bucket details like the FQDN and endpoints, extract the fullyQualifiedName and zonalEndpoints values from the output of the following command:
kubectl get buckets -n PROJECT_NAME BUCKET_NAME -o yaml
Create a BackupRepository within the Management API server:
apiVersion: backup.gdc.goog/v1
kind: BackupRepository
metadata:
  name: REPOSITORY_NAME
spec:
  secretReference:
    namespace: PROJECT_NAME
    name: SECRET_NAME
  endpoint: ENDPOINT
  type: "S3"
  s3Options:
    bucket: BUCKET_FQDN
    region: REGION
    forcePathStyle: FORCE_PATH_STYLE
  importPolicy: IMPORT_POLICY
Replace the following:
- REPOSITORY_NAME: the name of the backup repository.
- PROJECT_NAME: the name of your project.
- SA_NAME: the name of the service account used to access object storage.
- SECRET_NAME: the name of the secret returned from the kubectl get secrets command.
- ENDPOINT: the fully qualified domain name for the storage system, for example, https://objectstorage.google.gdch.test.
- type: only a value of S3 is supported.
- BUCKET_FQDN: the fully qualified name of the bucket.
- REGION: the region where the bucket was created.
- FORCE_PATH_STYLE: use the forcePathStyle field to force path-style URLs for objects. This field must have a value of true or false.
- IMPORT_POLICY: set to one of the following:
  - ReadWrite: This repository can be used to schedule or create backups, backup plans, and restores.
  - ReadOnly: This repository can only be used to import and view backups. No new backups or resources can be created in this repository, but restores can use and reference read-only backups for restoration. There is no restriction on how often a backup repository can be used as ReadOnly.
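The two API steps above (selecting the credential secret by its object.gdc.goog/subject annotation, then filling in the BackupRepository manifest) are easy to get subtly wrong by hand: an empty SECRET_NAME or a misspelled import policy only shows up when the resource is rejected or, worse, silently points at the wrong credentials. The following Python script is an added example, not code from the GDC documentation or product. It reproduces the jq selection over a constructed secret list, insists on exactly one match, and renders the manifest after validating the enumerated fields. The secret names, service account name, bucket FQDN and region are constructed placeholders; the https check on the endpoint is an added precaution and not a rule stated on the page.

```python
import json

SUBJECT_ANNOTATION = "object.gdc.goog/subject"

# Constructed sample in the shape of `kubectl get secrets -n PROJECT_NAME -o json`,
# reduced to the fields the selection needs. All names are hypothetical.
SAMPLE_SECRET_LIST = json.dumps({
    "apiVersion": "v1",
    "kind": "List",
    "items": [
        {"metadata": {"name": "object-storage-key-1a2b",
                      "annotations": {SUBJECT_ANNOTATION: "vm-backup-sa"}}},
        {"metadata": {"name": "other-app-creds",
                      "annotations": {SUBJECT_ANNOTATION: "other-sa"}}},
        {"metadata": {"name": "unannotated-secret"}},
    ],
})


def find_credential_secret(secret_list_json, sa_name):
    """Return the name of the secret whose subject annotation equals sa_name.

    Same selection as the page's jq filter (.metadata.annotations."object.gdc.goog/subject"
    == $USER_NAME, emit .metadata.name), but it raises unless exactly one secret
    matches, so a wrong SA_NAME cannot yield an empty or ambiguous SECRET_NAME.
    """
    items = json.loads(secret_list_json).get("items", [])
    matches = [
        item["metadata"]["name"]
        for item in items
        if item.get("metadata", {}).get("annotations", {}).get(SUBJECT_ANNOTATION) == sa_name
    ]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one secret for {sa_name!r}, found {matches}")
    return matches[0]


def render_backup_repository(name, project, secret_name, endpoint, bucket_fqdn,
                             region, force_path_style, import_policy):
    """Render the BackupRepository manifest from the page with its values filled in.

    Validates the fields the page enumerates before anything reaches kubectl:
    importPolicy is ReadWrite or ReadOnly, forcePathStyle is a real boolean, and
    type is fixed to S3. The https requirement on endpoint is an added check.
    """
    if import_policy not in ("ReadWrite", "ReadOnly"):
        raise ValueError(f"importPolicy must be ReadWrite or ReadOnly, got {import_policy!r}")
    if not isinstance(force_path_style, bool):
        raise ValueError("forcePathStyle must be a boolean true or false")
    if not endpoint.startswith("https://"):
        raise ValueError("endpoint should be an https:// URL (added check, not a page rule)")
    if not secret_name:
        raise ValueError("secret_name is empty; run find_credential_secret first")

    return "\n".join([
        "apiVersion: backup.gdc.goog/v1",
        "kind: BackupRepository",
        "metadata:",
        f"  name: {name}",
        "spec:",
        "  secretReference:",
        f"    namespace: {project}",
        f"    name: {secret_name}",
        f"  endpoint: {endpoint}",
        '  type: "S3"',
        "  s3Options:",
        f"    bucket: {bucket_fqdn}",
        f"    region: {region}",
        # YAML booleans are lowercase; str(True) would emit "True".
        f"    forcePathStyle: {str(force_path_style).lower()}",
        f"  importPolicy: {import_policy}",
    ]) + "\n"


if __name__ == "__main__":
    # Stand-alone run: resolve the secret, then print a manifest ready for
    # `kubectl apply -f -` against the Management API server.
    secret = find_credential_secret(SAMPLE_SECRET_LIST, "vm-backup-sa")
    print(render_backup_repository(
        name="vm-backup-repo",
        project="my-project",
        secret_name=secret,
        endpoint="https://objectstorage.google.gdch.test",
        bucket_fqdn="vm-backups.my-project.example",   # constructed value
        region="zone-a",                                # constructed value
        force_path_style=True,
        import_policy="ReadWrite",
    ))
```

In practice, feed the real `kubectl get secrets ... -o json` output to find_credential_secret and pipe the rendered manifest into kubectl apply; the script fails closed when the service account has no credential secret or more than one, which is the case where copying an empty shell variable into SECRET_NAME would otherwise go unnoticed.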
Creating the BackupRepository creates a read-write enabled BackupRepository resource of the same name in the Management API server.