--- layout: page parent: Custom resources overview title: ArangoBackup --- # ArangoBackup Custom Resource [Full CustomResourceDefinition reference ->](./api/ArangoBackup.V1.md) The ArangoBackup Operator creates and maintains ArangoBackups in a Kubernetes cluster, given a Backup specification. This deployment specification is a `CustomResource` following a `CustomResourceDefinition` created by the operator. ## Defining a secret for backup upload or download `credentialsSecretName` in `spec.download` and `spec.upload` expects the next structure for secret: ```yaml apiVersion: v1 data: token: <json token> kind: Secret metadata: name: <name> type: Opaque ``` `JSON Token` options are described on the [rclone](https://rclone.org/) page. We can define more than one protocols at same time in one secret. This field is defined in json format: ```json { "<protocol>": { "type":"<type>", ...parameters } } ``` AWS S3 example - based on [rclone S3](https://rclone.org/s3/) documentation and interactive process: ```json { "S3": { "type": "s3", # Choose s3 type "provider": "AWS", # Choose one of the providers "env_auth": "false", # Define credentials in next step instead of using ENV "access_key_id": "xxx", "secret_access_key": "xxx", "region": "eu-west-2", # Choose region "acl": "private", # Set permissions on newly created remote object } } ``` and you can from now use `S3://bucket/path`. ##### Use IAM with Amazon EKS Instead of creating and distributing your AWS credentials to the containers or using the Amazon EC2 instance's role, you can associate an IAM role with a Kubernetes service account and configure pods to use the service account. 1. Create a Policy to access the S3 bucket. ```bash aws iam create-policy \ --policy-name S3-ACCESS_ROLE \ --policy-document \ '{ "Version": "2012-10-17", "Statement": [ { "Effect": "Allow", "Action": "s3:ListAllMyBuckets", "Resource": "*" }, { "Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::MY_BUCKET" }, { "Effect": "Allow", "Action": "*", "Resource": "arn:aws:s3:::MY_BUCKET/*" } ] }' ``` 2. Create an IAM role for the service account (SA). ```bash eksctl create iamserviceaccount \ --name SA_NAME \ --namespace NAMESPACE \ --cluster CLUSTER_NAME \ --attach-policy-arn arn:aws:iam::ACCOUNT_ID:policy/S3-ACCESS_ROLE \ --approve ``` 3. Ensure that you use that SA in your ArangoDeployment for `dbservers` and `coordinators`. ```yaml apiVersion: database.arangodb.com/v1 kind: ArangoDeployment metadata: name: cluster spec: image: arangodb/enterprise mode: Cluster dbservers: serviceAccountName: SA_NAME coordinators: serviceAccountName: SA_NAME ``` 4. Create a `Secret` Kubernetes object with a configuration for S3. ```yaml apiVersion: v1 kind: Secret metadata: name: arangodb-cluster-backup-credentials type: Opaque stringData: token: | { "s3": { "type": "s3", "provider": "AWS", "env_auth": "true", "location_constraint": "eu-central-1", "region": "eu-central-1", "acl": "private", "no_check_bucket": "true" } } ``` 5. Create an `ArangoBackup` Kubernetes object with upload to S3. ```yaml apiVersion: "backup.arangodb.com/v1alpha" kind: "ArangoBackup" metadata: name: backup spec: deployment: name: MY_DEPLOYMENT upload: repositoryURL: "s3:MY_BUCKET" credentialsSecretName: arangodb-cluster-backup-credentials ``` ## Examples: ### Create simple Backup ```yaml apiVersion: "backup.arangodb.com/v1" kind: "ArangoBackup" metadata: name: "example-arangodb-backup" namespace: "arangodb" spec: deployment: name: "my-deployment" ``` Action: Create Backup on ArangoDeployment named `my-deployment` ### Create and upload Backup ```yaml apiVersion: "backup.arangodb.com/v1" kind: "ArangoBackup" metadata: name: "example-arangodb-backup" namespace: "arangodb" spec: deployment: name: "my-deployment" upload: repositoryURL: "S3:test/kube-test" credentialsSecretName: "my-s3-rclone-credentials" ``` Action: Create Backup on ArangoDeployment named `my-deployment` and upload it to `S3://test/kube-test`. ### Download Backup ```yaml apiVersion: "backup.arangodb.com/v1" kind: "ArangoBackup" metadata: name: "example-arangodb-backup" namespace: "arangodb" spec: deployment: name: "my-deployment" download: repositoryURL: "S3:test/kube-test" credentialsSecretName: "my-s3-rclone-credentials" id: "backup-id" ``` Download Backup with id `backup-id` from `S3://test/kube-test` on ArangoDeployment named `my-deployment` ## Restore To restore a data for deployment for specific backup, use `spec.restoreFrom` field of [ArangoDeployment](api/ArangoDeployment.V1.md#specrestorefrom-string).