ForgeOps

Backup and restore using volume snapshots

Kubernetes volume snapshots provide a standardized way to create copies of the content of persistent volumes at a point in time, without creating new volumes. Backing up your directory data with volume snapshots lets you perform rapid recovery from the last snapshot point. Volume snapshot backups can also facilitate testing by letting you initialize a directory with sample data.

When you create a Kubernetes cluster for deploying the CDM, you create a Kubernetes volume snapshot class named ds-snapshot-class. The DS operator uses this class for creating snapshots. Volume snapshot backups are based on configuration in the /path/to/forgeops/kustomize/base/ds-idrepo/ds-idrepo.yaml file:

[Figure: ForgeOps backup with volume snapshots.]

The next sections include example steps to back up and restore the ds-idrepo directory. To back up and restore the ds-cts directory, follow similar steps.

Back up the ds-idrepo directory

To start taking volume snapshot backups of the ds-idrepo directory:

  1. Set the active namespace in your local Kubernetes context to the namespace in which the CDM is deployed.

  2. Run the kubectl get pvc command to get the size of the volume that holds the ds-idrepo directory’s data. The CAPACITY column contains the volume size:

    $ kubectl get pvc
    NAME               STATUS   VOLUME                                     CAPACITY . . .
    . . .
    data-ds-idrepo-0   Bound    pvc-04293c38-05a8-44b0-b137-0db259854971   100Gi     . . .
    data-ds-idrepo-1   Bound    pvc-04ab2617-a9a2-4f71-9094-6d3a4b7c0082   100Gi     . . .
    data-ds-idrepo-2   Bound    pvc-19a9915e-46f4-4ba5-b3fa-7d1ff83f38aa   100Gi     . . .
    . . .

  3. Update the /path/to/forgeops/kustomize/base/ds-idrepo/ds-idrepo.yaml file, which contains the snapshot backup and restore configuration for the ds-idrepo directory instance:

    1. Set the value of replicas to 3.

    2. Set the value of storage in the volumeClaimSpec/resources/requests: section to the size of the volume that holds the ds-idrepo directory’s data.

    3. Uncomment the dataSource section by removing the # character from the four lines starting with #dataSource:.

      The dataSource section tells the CDM which snapshot to use when restoring one of the data-ds-idrepo PVCs. The PVCs are restored from a snapshot if:

      • The PVC does not exist.

      • The snapshot backup configured in the dataSource section does exist.

    4. Configure the snapshots section so that snapshot backups will start after you restart the ds-idrepo-1 pod:

      1. Set enabled to true.

      2. Set periodMinutes to the interval, in minutes, between snapshots.

      3. Set snapshotsRetained to the number of snapshots to keep.

      4. Set directoryInstance to 1, and uncomment the line if it is commented. This setting configures the DS operator to snapshot the ds-idrepo-1 instance—a secondary instance.

    5. Save and close the file.

  4. Apply the changes to the DS configuration:

    $ cd /path/to/forgeops/kustomize/base
    $ kubectl apply -f ds-idrepo/ds-idrepo.yaml
    directoryservice.directory.forgerock.io/ds-idrepo configured

  5. After allowing enough time for one or more snapshots to be created, run the kubectl get volumesnapshots command.

    You should see one or more snapshots that are ready to use listed in the command output:

    NAME                   READYTOUSE   SOURCEPVC          . . .    AGE
    ds-idrepo-1653077404   true         data-ds-idrepo-1   . . .    44s

Restore the ds-idrepo directory

To test restoring DS instances from a snapshot:

  1. In a browser window, log in to the Identity Platform admin UI, and then create an example identity using the Identities > Manage option.

    You’ll use this identity to verify that the restore test worked correctly.

  2. Log out of the Identity Platform admin UI.

  3. Run the kubectl get volumesnapshots command until you can verify that a new snapshot was created after you created the example identity:

    NAME                   READYTOUSE   SOURCEPVC          . . .    AGE
    ds-idrepo-1653077404   true         data-ds-idrepo-1   . . .    6m3s
    ds-idrepo-1653077584   true         data-ds-idrepo-1   . . .    3m3s
    ds-idrepo-1653077765   true         data-ds-idrepo-1   . . .    3s

    Note the name of the latest snapshot. Because the data source name has the value "$(latest)" in the ds-idrepo.yaml file, the latest snapshot is used when you restore the ds-idrepo directory service.

  4. Delete the ds-idrepo PVCs:

    $ kubectl delete pvc data-ds-idrepo-0
    persistentvolumeclaim "data-ds-idrepo-0" deleted
    $ kubectl delete pvc data-ds-idrepo-1
    persistentvolumeclaim "data-ds-idrepo-1" deleted
    $ kubectl delete pvc data-ds-idrepo-2
    persistentvolumeclaim "data-ds-idrepo-2" deleted

  5. Because PVCs might not get deleted immediately when the pods to which they’re attached are running, stop the ds-idrepo pods.

    Using separate terminal windows, stop every ds-idrepo pod using the kubectl delete pod command. This deletes the pods and their attached PVCs.

    Kubernetes automatically restarts the ds-idrepo pods after you delete them. Because you uncommented the dataSource section in the ds-idrepo.yaml file when you set up snapshot backup, the CDM will recreate the PVCs by restoring the ds-idrepo directories from the latest snapshot.

  6. Use the kubectl get pods command to monitor the status of the ds-idrepo pods. Wait until these pods are in the Running state before proceeding to the next step.

  7. The preceding events also force the IDM pods to restart. Wait until these pods have restarted before proceeding to the next step.

  8. Log back in to the Identity Platform admin UI, and then select the Identities > Manage option.

    You should see your example identity.

  9. Run the kubectl describe pvc data-ds-idrepo-0 command and review the output under the label, DataSource:

    DataSource:
      APIGroup:  snapshot.storage.k8s.io
      Kind:      VolumeSnapshot
      Name:      ds-idrepo-1653077765

    The Kind field should have a value of VolumeSnapshot, indicating that the source of the PVC was a volume snapshot.

    The value in the Name field should match the name of the latest volume snapshot that was taken before you deleted the ds-idrepo directory instance.

  10. Run the kubectl describe pvc data-ds-idrepo-1 and kubectl describe pvc data-ds-idrepo-2 commands. The output should be similar to what you observed in the previous step.
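The restore checks in steps 3, 9 and 10 can be scripted so that the snapshot name is recorded before the PVCs are deleted and compared afterwards; a snapshot taken after the restore would otherwise look like the expected one. This is an added example, not ForgeOps code. It assumes that the numeric suffix of the snapshot name increases with creation time (as in the output above) and that the newest snapshot marked ready is the one the restore uses; the function names and the expect, verify and demo subcommands are hypothetical.

```shell
#!/bin/sh
# Added example (not ForgeOps code): pin the snapshot a restore should use, then verify it.

# Read `kubectl get volumesnapshots` table output on stdin and print the newest
# snapshot of PVC $1 whose READYTOUSE column is true; exit 1 if there is none.
# Assumption: the numeric name suffix grows with creation time, as in the page's output.
latest_ready_snapshot() {
  awk -v pvc="$1" '
    NR > 1 && $2 == "true" && $3 == pvc {
      n = $1; sub(/.*-/, "", n)
      if (n + 0 > best) { best = n + 0; name = $1 }
    }
    END { if (name == "") exit 1; print name }'
}

# True only if $1 ("kind/name" from a PVC's spec.dataSource) is snapshot $2.
# A PVC that was provisioned empty has no dataSource and yields just "/".
restored_from() { [ "$1" = "VolumeSnapshot/$2" ]; }

# Constructed sample output: the newest snapshot is not ready yet.
sample_table() {
  cat <<'EOF'
NAME                   READYTOUSE   SOURCEPVC          AGE
ds-idrepo-1653077404   true         data-ds-idrepo-1   6m3s
ds-idrepo-1653077584   true         data-ds-idrepo-1   3m3s
ds-idrepo-1653077765   false        data-ds-idrepo-1   3s
EOF
}

# Check all three PVCs against the snapshot name recorded before the PVCs were deleted.
verify_restore() {
  rc=0
  for pvc in data-ds-idrepo-0 data-ds-idrepo-1 data-ds-idrepo-2; do
    src=$(kubectl get pvc "$pvc" \
      -o jsonpath='{.spec.dataSource.kind}/{.spec.dataSource.name}')
    if restored_from "$src" "$1"; then echo "OK   $pvc <- $1"
    else echo "FAIL $pvc dataSource=$src expected=$1" >&2; rc=1; fi
  done
  return "$rc"
}

case "${1:-}" in
  expect) kubectl get volumesnapshots | latest_ready_snapshot data-ds-idrepo-1 ;;
  verify) verify_restore "$2" ;;
  demo)   sample_table | latest_ready_snapshot data-ds-idrepo-1 ;;
esac
```

Run the expect subcommand at step 3 and keep the name it prints, then run verify with that name once the ds-idrepo pods are back in the Running state.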

Copyright © 2010-2022 ForgeRock, all rights reserved.