edp-doc/docs/technical-documentation/project/bootstrapping/backup/_index.md

---
title: Backup of the Bootstrapping Cluster
weight: 30
description: Backup and Restore of the Contents of the Bootstrapping Cluster
---

## Velero

We are using [Velero](https://velero.io/) for backup and restore of the deployed applications.

## Installing Velero Tools

To manage a Velero install in a cluster, you need to have Velero command line tools installed locally. Please follow the instructions for [Basic Install](https://velero.io/docs/v1.9/basic-install).

## Setting Up Velero For a Cluster

Installing and configuring Velero for a cluster can be accomplished with the CLI.

1. Create a file with the credentials for the S3 compatible bucket that is storing the backups, for example `credentials.ini`.

```ini
[default]
aws_access_key_id = "Access Key Value"
aws_secret_access_key = "Secret Key Value"
```

2. Install Velero in the cluster

```
velero install \
    --provider aws \
    --plugins velero/velero-plugin-for-aws:v1.2.1 \
    --bucket osc-backup \
    --secret-file ./credentials.ini \
    --use-volume-snapshots=false \
    --use-node-agent=true \
    --backup-location-config region=minio,s3ForcePathStyle="true",s3Url=https://obs.eu-de.otc.t-systems.com
```

3. Delete `credentials.ini`, it is not needed anymore (a secret has been created in the cluster).
4. Create a schedule to back up the relevant resources in the cluster:
```
velero schedule create devfw-bootstrap --schedule="23 */2 * * *" "--include-namespaces=forgejo"
```

## Working with Velero

You can now use Velero to create backups, restore them, or perform other operations. Please refer to the [Velero Documentation](https://velero.io/docs/main/backup-reference/).

To list all currently available backups:
```
velero backup get
```

## Setting up a Service Account for Access to the OTC Object Storage Bucket

We are using the S3-compatible Open Telekom Cloud Object Storage service to make available some storage for the backups. We picked OTC specifically because we're not using it for anything else, so no matter what catastrophy we create in Open Sovereign Cloud, the backups should be safe.

### Create an Object Storage Service Bucket

1. Log in to the [OTC Console with the correct tenant](https://auth.otc.t-systems.com/authui/federation/websso?domain_id=81e7dbd7ec9f4b03a58120dfaa61d3db&idp=ADFS_MMS_OTC00000000001000113497&protocol=saml).
1. Navigate to [Object Storage Service](https://console.otc.t-systems.com/obs/?agencyId=WEXsFwkkVdGYULIrZT1icF4nmHY1dgX2&region=eu-de&locale=en-us#/obs/manager/buckets).
1. Click Create Bucket in the upper right hand corner. Give your bucket a name. No further configuration should be necessary.

### Create a Service User to Access the Bucket

1. Log in to the [OTC Console with the correct tenant](https://auth.otc.t-systems.com/authui/federation/websso?domain_id=81e7dbd7ec9f4b03a58120dfaa61d3db&idp=ADFS_MMS_OTC00000000001000113497&protocol=saml).
1. Navigate to [Identity and Access Management](https://console.otc.t-systems.com/iam/?agencyId=WEXsFwkkVdGYULIrZT1icF4nmHY1dgX2&region=eu-de&locale=en-us#/iam/users).
1. Navigate to User Groups, and click Create User Group in the upper right hand corner.
1. Enter a suitable name ("OSC Cloud Backup") and click OK.
1. In the group list, locate the group just created and click its name.
1. Click Authorize to add the necessary roles. Enter "OBS" in the search box to filter for Object Storage roles.
1. Select "OBS OperateAccess", if there are two roles, select them both.
1. **2024-10-15** Also select the "OBS Administrator" role. It is unclear why the "OBS OperateAccess" role is not sufficient, but without the admin role, the service user will not have write access to the bucket.
1. Click Next to save the roles, then click OK to confirm, then click Finish.
1. Navigate to Users, and click Create User in the upper right hand corner.
1. Give the user a sensible name ("ipcei-cis-devfw-osc-backups").
1. Disable Management console access
1. Enable Access key, disable Password, disable Login protection.
1. Click Next
1. Pick the group created earlier.
1. Download the access key when prompted.

The access key is a CSV file with the Access Key and the Secret Key listed in the second line.
doc(technical-documentation): Added the rest of technical documentation, WiP 2024-12-19 17:28:49 +00:00			`---`
			`title: Backup of the Bootstrapping Cluster`
			`weight: 30`
			`description: Backup and Restore of the Contents of the Bootstrapping Cluster`
			`---`

			`## Velero`

			`We are using [Velero](https://velero.io/) for backup and restore of the deployed applications.`

			`## Installing Velero Tools`

			`To manage a Velero install in a cluster, you need to have Velero command line tools installed locally. Please follow the instructions for [Basic Install](https://velero.io/docs/v1.9/basic-install).`

			`## Setting Up Velero For a Cluster`

			`Installing and configuring Velero for a cluster can be accomplished with the CLI.`

			1. Create a file with the credentials for the S3 compatible bucket that is storing the backups, for example `credentials.ini`.

			```ini
			`[default]`
			`aws_access_key_id = "Access Key Value"`
			`aws_secret_access_key = "Secret Key Value"`
			```

			`2. Install Velero in the cluster`

			```
			`velero install \`
			`--provider aws \`
			`--plugins velero/velero-plugin-for-aws:v1.2.1 \`
			`--bucket osc-backup \`
			`--secret-file ./credentials.ini \`
			`--use-volume-snapshots=false \`
			`--use-node-agent=true \`
			`--backup-location-config region=minio,s3ForcePathStyle="true",s3Url=https://obs.eu-de.otc.t-systems.com`
			```

			3. Delete `credentials.ini`, it is not needed anymore (a secret has been created in the cluster).
			`4. Create a schedule to back up the relevant resources in the cluster:`
			```
			`velero schedule create devfw-bootstrap --schedule="23 /2 * *" "--include-namespaces=forgejo"`
			```

			`## Working with Velero`

			`You can now use Velero to create backups, restore them, or perform other operations. Please refer to the [Velero Documentation](https://velero.io/docs/main/backup-reference/).`

			`To list all currently available backups:`
			```
			`velero backup get`
			```

			`## Setting up a Service Account for Access to the OTC Object Storage Bucket`

			`We are using the S3-compatible Open Telekom Cloud Object Storage service to make available some storage for the backups. We picked OTC specifically because we're not using it for anything else, so no matter what catastrophy we create in Open Sovereign Cloud, the backups should be safe.`

			`### Create an Object Storage Service Bucket`

			`1. Log in to the [OTC Console with the correct tenant](https://auth.otc.t-systems.com/authui/federation/websso?domain_id=81e7dbd7ec9f4b03a58120dfaa61d3db&idp=ADFS_MMS_OTC00000000001000113497&protocol=saml).`
			`1. Navigate to [Object Storage Service](https://console.otc.t-systems.com/obs/?agencyId=WEXsFwkkVdGYULIrZT1icF4nmHY1dgX2&region=eu-de&locale=en-us#/obs/manager/buckets).`
			`1. Click Create Bucket in the upper right hand corner. Give your bucket a name. No further configuration should be necessary.`

			`### Create a Service User to Access the Bucket`

			`1. Log in to the [OTC Console with the correct tenant](https://auth.otc.t-systems.com/authui/federation/websso?domain_id=81e7dbd7ec9f4b03a58120dfaa61d3db&idp=ADFS_MMS_OTC00000000001000113497&protocol=saml).`
			`1. Navigate to [Identity and Access Management](https://console.otc.t-systems.com/iam/?agencyId=WEXsFwkkVdGYULIrZT1icF4nmHY1dgX2&region=eu-de&locale=en-us#/iam/users).`
			`1. Navigate to User Groups, and click Create User Group in the upper right hand corner.`
			`1. Enter a suitable name ("OSC Cloud Backup") and click OK.`
			`1. In the group list, locate the group just created and click its name.`
			`1. Click Authorize to add the necessary roles. Enter "OBS" in the search box to filter for Object Storage roles.`
			`1. Select "OBS OperateAccess", if there are two roles, select them both.`
			`1. 2024-10-15 Also select the "OBS Administrator" role. It is unclear why the "OBS OperateAccess" role is not sufficient, but without the admin role, the service user will not have write access to the bucket.`
			`1. Click Next to save the roles, then click OK to confirm, then click Finish.`
			`1. Navigate to Users, and click Create User in the upper right hand corner.`
			`1. Give the user a sensible name ("ipcei-cis-devfw-osc-backups").`
			`1. Disable Management console access`
			`1. Enable Access key, disable Password, disable Login protection.`
			`1. Click Next`
			`1. Pick the group created earlier.`
			`1. Download the access key when prompted.`

			`The access key is a CSV file with the Access Key and the Secret Key listed in the second line.`