Configure backup storage

Configure backup storage for your backup repositories in the backups.pgbackrest.repos section of the deploy/cr.yaml configuration file.

Follow the instructions relevant to the cloud storage or Persistent Volume you are using for backups.

S3-compatible backup storage Google Cloud Storage Azure Blob Storage (tech preview) Persistent Volume

To use Amazon S3 or any S3-compatible storage for backups, you need to have the following S3-related information:

• The name of S3 bucket;
• The endpoint - the URL to access the bucket
• The region - the location of the bucket
• S3 credentials such as S3 key and secret to access the storage. These are stored in an encoded form in Kubernetes Secrets along with other sensitive information.

Note

The pgBackRest tool does backups based on write-ahead logs (WAL) archiving. If you are using an S3 storage in a region located far away from the region of your PostgreSQL cluster deployment, it could lead to the delay and impossibility to create a new replica/join delayed replica if the primary restarts. A new WAL file is archived in 60 seconds at the backup start by default , causing both full and incremental backups fail in case of long delay.

To prevent issues with PostgreSQL archiving and have faster restores, it’s recommended to use the same S3 region for both the Operator and backup options. Additionally, you can replicate the S3 bucket to another region with tools like Amazon S3 Cross Region Replication .

Configuration steps

1. Encode the S3 credentials and the pgBackRest repository name that you will use for backups. In this example, we use AWS S3 key and S3 key secret and repo2.

   Linux macOS

   $ cat <<EOF | base64 --wrap=0
   [global]
   repo2-s3-key=<YOUR_AWS_S3_KEY>
   repo2-s3-key-secret=<YOUR_AWS_S3_KEY_SECRET>
   repo2-storage-verify-tls=y
   EOF
   

   $ cat <<EOF | base64
   [global]
   repo2-s3-key=<YOUR_AWS_S3_KEY>
   repo2-s3-key-secret=<YOUR_AWS_S3_KEY_SECRET>
   repo2-storage-verify-tls=y
   EOF
   

   The repo2-storage-verify-tls option in the above example enables TLS verification for pgBackRest (when set to y or simply omitted) or disables it, when set to n.

2. Create the Secret configuration file and specify the base64-encoded string from the previous step. The following is the example of the cluster1-pgbackrest-secrets.yaml Secret file:

   apiVersion: v1
   kind: Secret
   metadata:
     name: cluster1-pgbackrest-secrets
   type: Opaque
   data:
     s3.conf: <base64-encoded-configuration-contents>
   

   Note

   This Secret can store credentials for several repositories presented as separate data keys.

3. Create the Secrets object from this YAML file. Replace the <namespace> placeholder with your value:

   $ kubectl apply -f cluster1-pgbackrest-secrets.yaml -n <namespace>
   

4. Update your deploy/cr.yaml configuration. Specify the Secret file you created in the backups.pgbackrest.configuration subsection, and put all other S3 related information in the backups.pgbackrest.repos subsection under the repository name that you intend to use for backups. This name must match the name you used when you encoded S3 credentials on step 1.

For example, the S3 storage for the repo2 repository looks as follows:

...
backups:
  pgbackrest:
    ...
    configuration:
      - secret:
          name: cluster1-pgbackrest-secrets
    ...
    repos:
    - name: repo2
      s3:
        bucket: "<YOUR_AWS_S3_BUCKET_NAME>"
        endpoint: "<YOUR_AWS_S3_ENDPOINT>"
        region: "<YOUR_AWS_S3_REGION>"

1. Create or update the cluster. Replace the <namespace> placeholder with your value:

   $ kubectl apply -f deploy/cr.yaml -n <namespace>
   

To use Google Cloud Storage (GCS) as an object store for backups, you need the following information:

• a proper GCS bucket name. Pass the bucket name to pgBackRest via the gcs.bucket key in the backups.pgbackrest.repos subsection of deploy/cr.yaml.
• your service account key for the Operator to access the storage.

Configuration steps

1. Create your service account key following the official Google Cloud instructions .

2. Export this key from your Google Cloud account.

   You can find your key in the Google Cloud console (select IAM & Admin → Service Accounts in the left menu panel, then click your account and open the KEYS tab):

   

   Click the ADD KEY button, choose Create new key and choose JSON as a key type. These actions will result in downloading a file in JSON format with your new private key and related information (for example, gcs-key.json).

3. Create the Kubernetes Secret . The Secret consists of base64-encoded versions of two files: the gcs-key.json file with the Google service account key you have just downloaded, and the special gcs.conf configuration file.

   • Create the gcs.conf configuration file. The file contents depends on the repository name for backups in the deploy/cr.yaml file. In case of the repo3 repository, it looks as follows:

   [global]
   repo3-gcs-key=/etc/pgbackrest/conf.d/gcs-key.json
   

   • Encode both gcs-key.json and gcs.conf files.

     Linux MacOS

     base64 --wrap=0 <filename>
     

     base64 -i <filename>
     

   • Create the Kubernetes Secret configuration file and specify your cluster name and the base64-encoded contents of the files from previous steps. The following is the example of the cluster1-pgbackrest-secrets.yaml Secret file:

     apiVersion: v1
     kind: Secret
     metadata:
       name: cluster1-pgbackrest-secrets
     type: Opaque
     data:
       gcs-key.json: <base64-encoded-json-file-contents>
       gcs.conf: <base64-encoded-conf-file-contents>
     

   Info This Secret can store credentials for several repositories presented as separate data keys.

4. Create the Secrets object from the Secret configuration file. Replace the <namespace> placeholder with your value:

   $ kubectl apply -f cluster1-pgbackrest-secrets.yaml -n <namespace>
   

5. Update your deploy/cr.yaml configuration. Specify your GCS credentials Secret in the backups.pgbackrest.configuration subsection, and put GCS bucket name into the bucket option in the backups.pgbackrest.repos subsection. The repository name must be the same as the name you specified when you created the gcs.conf file. For example, GCS storage configuration for the repo3 repository would look as follows:

   ...
   backups:
     pgbackrest:
       ...
       configuration:
         - secret:
             name: cluster1-pgbackrest-secrets
       ...
       repos:
       - name: repo3
         gcs:
           bucket: "<YOUR_GCS_BUCKET_NAME>"
   

6. Create or update the cluster. Replace the <namespace> placeholder with your value:

   $ kubectl apply -f deploy/cr.yaml -n <namespace>
   

To use Microsoft Azure Blob Storage for storing backups, you need the following:

• a proper Azure container name.
• Azure Storage credentials. These are stored in an encoded form in the Kubernetes Secret .

Configuration steps

1. Encode the Azure Storage credentials and the pgBackRest repo name that you will use for backups with base64. In this example, we are using repo4.

   Linux macOS

   $ cat <<EOF | base64 --wrap=0
   [global]
   repo4-azure-account=<AZURE_STORAGE_ACCOUNT_NAME>
   repo4-azure-key=<AZURE_STORAGE_ACCOUNT_KEY>
   EOF
   

   $ cat <<EOF | base64
   [global]
   repo4-azure-account=<AZURE_STORAGE_ACCOUNT_NAME>
   repo4-azure-key=<AZURE_STORAGE_ACCOUNT_KEY>
   EOF
   

2. Create the Secret configuration file and specify the base64-encoded string from the previous step. The following is the example of the cluster1-pgbackrest-secrets.yaml Secret file:

   apiVersion: v1
   kind: Secret
   metadata:
     name: cluster1-pgbackrest-secrets
   type: Opaque
   data:
     azure.conf: <base64-encoded-configuration-contents>
   

   Note

   This Secret can store credentials for several repositories presented as separate data keys.

3. Create the Secrets object from this yaml file. Replace the <namespace> placeholder with your value:

   $ kubectl apply -f cluster1-pgbackrest-secrets.yaml -n <namespace>
   

4. Update your deploy/cr.yaml configuration. Specify the Secret file you have created in the previous step in the backups.pgbackrest.configuration subsection. Put Azure container name in the backups.pgbackrest.repos subsection under the repository name that you intend to use for backups. This name must match the name you used when you encoded S3 credentials on step 1.

   For example, the Azure storage for the repo1 repository looks as follows.

   ...
   backups:
     pgbackrest:
       ...
       configuration:
         - secret:
             name: cluster1-pgbackrest-secrets
       ...
       repos:
       - name: repo4
         azure:
           container: "<YOUR_AZURE_CONTAINER>"
   

5. Create or update the cluster. Replace the <namespace> placeholder with your value:

   $ kubectl apply -f deploy/cr.yaml -n <namespace>
   

Percona Operator for PostgreSQL uses Kubernetes Persistent Volumes to store Postgres data. You can also use them to store backups. A Persistent volume is created at the same time when the Operator creates PostgreSQL cluster for you. You can find the Persistent Volume configuration in the backups.pgbackrest.repos section of the cr.yaml file under the repo1 name:

- name: repo1
    volume:
      volumeClaimSpec:
        accessModes:
        - ReadWriteOnce
        resources:
          requests:
            storage: 1Gi

This configuration is sufficient to make a backup.

Next steps

• Make an on-demand backup
• Make a scheduled backup

Get expert help

If you need assistance, visit the community forum for comprehensive and free database knowledge, or contact our Percona Database Experts for professional support and services. Join K8S Squad to benefit from early access to features and “ask me anything” sessions with the Experts.

Community Forum Get a Percona Expert Join K8S Squad

---

Last update: 2024-04-17