Stash supports AWS S3 and S3-compatible storage services such as Minio servers, Rook Object Store, and DigitalOcean Spaces as a backend. This tutorial shows you how to use this backend.
In order to use S3 or an S3-compatible storage service as a backend, you have to create a `Secret` and a `Repository` object pointing to the desired bucket.
To configure the storage secret for this backend, the following secret keys are needed:

Key | Type | Description |
---|---|---|
RESTIC_PASSWORD | Required | Password that will be used to encrypt the backup snapshots. |
AWS_ACCESS_KEY_ID | Required | AWS / Minio / Rook / DigitalOcean Spaces access key ID |
AWS_SECRET_ACCESS_KEY | Required | AWS / Minio / Rook / DigitalOcean Spaces secret access key |
CA_CERT_DATA | Optional | CA certificate used by storage backend. This can be used to pass the root certificate that has been used to sign the server certificate of a TLS secured Minio server. |
Create the storage secret as below:

```console
$ echo -n 'changeit' > RESTIC_PASSWORD
$ echo -n '<your-aws-access-key-id-here>' > AWS_ACCESS_KEY_ID
$ echo -n '<your-aws-secret-access-key-here>' > AWS_SECRET_ACCESS_KEY
$ kubectl create secret generic -n demo s3-secret \
    --from-file=./RESTIC_PASSWORD \
    --from-file=./AWS_ACCESS_KEY_ID \
    --from-file=./AWS_SECRET_ACCESS_KEY
secret/s3-secret created
```
For a TLS secured Minio server, create the secret as below:

```console
$ echo -n 'changeit' > RESTIC_PASSWORD
$ echo -n '<your-minio-access-key-id-here>' > AWS_ACCESS_KEY_ID
$ echo -n '<your-minio-secret-access-key-here>' > AWS_SECRET_ACCESS_KEY
$ cat ./directory/of/root/certificate/ca.crt > CA_CERT_DATA
$ kubectl create secret generic -n demo minio-secret \
    --from-file=./RESTIC_PASSWORD \
    --from-file=./AWS_ACCESS_KEY_ID \
    --from-file=./AWS_SECRET_ACCESS_KEY \
    --from-file=./CA_CERT_DATA
secret/minio-secret created
```
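A pre-flight check for the key files written above, to run before `kubectl create secret`. This is an added example, not part of the Stash documentation or code; `check_secret_dir` is a hypothetical helper name, and the set of checks (trailing newline, leftover placeholder, the sample `changeit` password, PEM-looking `CA_CERT_DATA`) is an assumption about what is worth catching.

```bash
# Added example (not Stash code): validate the key files that are passed to
# `kubectl create secret generic ... --from-file=...`.
# Usage: check_secret_dir . && kubectl create secret generic -n demo s3-secret ...
check_secret_dir() {
  dir=$1
  rc=0
  for key in RESTIC_PASSWORD AWS_ACCESS_KEY_ID AWS_SECRET_ACCESS_KEY; do
    f="$dir/$key"
    if [ ! -s "$f" ]; then
      echo "FAIL $key: missing or empty"; rc=1; continue
    fi
    # With --from-file the file content is stored byte for byte, so a
    # newline from plain `echo` (instead of `echo -n`) becomes part of the value.
    if [ "$(tail -c 1 "$f" | od -An -tx1 | tr -d ' \n')" = "0a" ]; then
      echo "FAIL $key: trailing newline"; rc=1
    fi
    # Tutorial placeholder left unreplaced.
    if grep -q '^<your-.*-here>$' "$f"; then
      echo "FAIL $key: placeholder value"; rc=1
    fi
  done
  # The tutorial's sample password must not protect real snapshots.
  if [ -f "$dir/RESTIC_PASSWORD" ] && [ "$(cat "$dir/RESTIC_PASSWORD")" = "changeit" ]; then
    echo "FAIL RESTIC_PASSWORD: sample value 'changeit'"; rc=1
  fi
  # CA_CERT_DATA is optional; when present it should hold a PEM certificate.
  if [ -e "$dir/CA_CERT_DATA" ] && \
     ! grep -q -- '-----BEGIN CERTIFICATE-----' "$dir/CA_CERT_DATA"; then
    echo "FAIL CA_CERT_DATA: no PEM certificate block"; rc=1
  fi
  return $rc
}
```

Once the secret exists in the cluster, delete the local key files, since they hold the credentials in plaintext.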
Now, you have to create a `Repository` crd. You have to provide the storage secret that we created earlier in the `spec.backend.storageSecretName` field.

The following parameters are available for the `S3` backend.
Parameter | Type | Description |
---|---|---|
s3.endpoint | Required | For S3, use `s3.amazonaws.com`. If your bucket is in a different location, the S3 server (s3.amazonaws.com) will redirect Stash to the correct endpoint. For DigitalOcean, use `nyc3.digitaloceanspaces.com` etc. depending on your bucket region. For other S3-compatible storage services like Minio / Rook, use the URL of the server. |
s3.bucket | Required | Name of the bucket. If the bucket does not exist yet, it will be created in the default location (us-east-1 for S3). It is not possible at the moment for Stash to create a new bucket in a different location, so you need to create it using a different program. |
s3.prefix | Optional | Path prefix inside the bucket where the backed up data will be stored. |
Below is the YAML of a sample `Repository` crd that uses an `S3` bucket as a backend.
```yaml
apiVersion: stash.appscode.com/v1alpha1
kind: Repository
metadata:
  name: s3-repo
  namespace: demo
spec:
  backend:
    s3:
      endpoint: s3.amazonaws.com # use server URL for s3 compatible other storage service
      bucket: stash-demo
      prefix: /backup/demo/deployment/stash-demo
    storageSecretName: s3-secret
```
Create the `Repository` we have shown above using the following command:

```console
$ kubectl apply -f https://github.com/stashed/docs/raw/v0.9.0-rc.0/docs/examples/guides/latest/backends/s3.yaml
repository/s3-repo created
```
Now, we are ready to use this backend to back up our desired data using Stash.