ForgeOps

Backup and restore using volume snapshots

Kubernetes volume snapshots provide a standardized way to create copies of the content of persistent volumes at a point in time, without creating new volumes. Backing up your directory data with volume snapshots lets you perform rapid recovery from the last snapshot point. Volume snapshot backups can also facilitate testing by letting you initialize a directory with sample data.

When you create a Kubernetes cluster for deploying the CDM, you create a Kubernetes volume snapshot class named ds-snapshot-class. The DS operator uses this class for creating snapshots. Volume snapshot backups are based on configuration in the /path/to/forgeops/kustomize/base/ds-idrepo/ds-idrepo.yaml file:

[Figure: ForgeOps backup with volume snapshots]

The next sections include example steps to back up and restore the ds-idrepo directory. To back up and restore the ds-cts directory, follow similar steps.

Back up the ds-idrepo directory

To start taking volume snapshot backups of the ds-idrepo directory:

  1. Set the active namespace in your local Kubernetes context to the namespace in which the CDM is deployed.

  2. Run the kubectl get pvc command to get the size of the volume that holds the ds-idrepo directory’s data. The CAPACITY column contains the volume size:

    $ kubectl get pvc
    NAME               STATUS   VOLUME                                     CAPACITY . . .
    . . .
    data-ds-idrepo-0   Bound    pvc-04293c38-05a8-44b0-b137-0db259854971   100Gi     . . .
    data-ds-idrepo-1   Bound    pvc-04ab2617-a9a2-4f71-9094-6d3a4b7c0082   100Gi     . . .
    data-ds-idrepo-2   Bound    pvc-19a9915e-46f4-4ba5-b3fa-7d1ff83f38aa   100Gi     . . .
    . . .

  3. Update the /path/to/forgeops/kustomize/base/ds-idrepo/ds-idrepo.yaml file, which contains the snapshot backup and restore configuration for the ds-idrepo directory instance:

    1. Set the value of replicas to 3.

    2. Set the value of storage in the volumeClaimSpec/resources/requests: section to the size of the volume that holds the ds-idrepo directory’s data.

    3. Uncomment the dataSource section by removing the # character from the four lines starting with #dataSource:.

      The dataSource section tells the CDM which snapshot to use when restoring one of the data-ds-idrepo PVCs. The PVCs are restored from a snapshot if:

      • The PVC does not exist.

      • The snapshot backup configured in the dataSource section does exist.

    4. Configure the snapshots section so that snapshot backups will start after you restart the ds-idrepo-1 pod:

      1. Set enabled to true.

      2. Set periodMinutes to the interval, in minutes, between snapshots.

      3. Set snapshotsRetained to the number of snapshots to keep.

      4. Set directoryInstance to 1, and uncomment the line if it is commented. This setting configures the DS operator to snapshot the ds-idrepo-1 instance—a secondary instance.

    5. Save and close the file.

  4. Apply the changes to the DS configuration:

    $ cd /path/to/forgeops/kustomize/base
    $ kubectl apply -f ds-idrepo/ds-idrepo.yaml
    directoryservice.directory.forgerock.io/ds-idrepo configured

  5. After allowing enough time for one or more snapshots to be created, run the kubectl get volumesnapshots command.

    You should see one or more snapshots that are ready to use listed in the command output:

    NAME                   READYTOUSE   SOURCEPVC          . . .    AGE
    ds-idrepo-1653077404   true         data-ds-idrepo-1   . . .    44s

Restore the ds-idrepo directory

To test restoring DS instances from a snapshot:

  1. In a browser window, log in to the Identity Platform admin UI, and then create an example identity using the Identities > Manage option.

    You’ll use this identity to verify that the restore test worked correctly.

  2. Log out of the Identity Platform admin UI.

  3. Run the kubectl get volumesnapshots command until you can verify that a new snapshot was created after you created the example identity:

    NAME                   READYTOUSE   SOURCEPVC          . . .    AGE
    ds-idrepo-1653077404   true         data-ds-idrepo-1   . . .    6m3s
    ds-idrepo-1653077584   true         data-ds-idrepo-1   . . .    3m3s
    ds-idrepo-1653077765   true         data-ds-idrepo-1   . . .    3s

    Note the name of the latest snapshot. Because the data source name has the value "$(latest)" in the ds-idrepo.yaml file, the latest snapshot is used when you restore the ds-idrepo directory service.

  4. Disable taking snapshots:

    1. Set enabled: false in the snapshots section of the ds-idrepo.yaml file.

    2. Apply the changes:

      $ cd /path/to/forgeops/kustomize/base
      $ kubectl apply -f ds-idrepo/ds-idrepo.yaml
      directoryservice.directory.forgerock.io/ds-idrepo configured

  5. Delete the ds-idrepo directory service custom resource:

    $ cd /path/to/forgeops
    $ ./bin/forgeops delete ds-idrepo

  6. Delete the ds-idrepo PVCs:

    $ kubectl delete pvc data-ds-idrepo-0 data-ds-idrepo-1 data-ds-idrepo-2
    persistentvolumeclaim "data-ds-idrepo-0" deleted
    persistentvolumeclaim "data-ds-idrepo-1" deleted
    persistentvolumeclaim "data-ds-idrepo-2" deleted

  7. Redeploy ds-idrepo:

    $ cd /path/to/forgeops
    $ ./bin/forgeops install ds-idrepo

  8. Use the kubectl get pods command to monitor the status of the ds-idrepo pods. Wait until these pods are in the Running state before proceeding to the next step.

  9. The preceding events also force the IDM pods to restart. Wait until these pods have restarted before proceeding to the next step.

  10. Log back in to the Identity Platform admin UI, and then select the Identities > Manage option.

    You should see your example identity.

  11. Run the kubectl describe pvc data-ds-idrepo-0 command and review the output under the label, DataSource:

    DataSource:
      APIGroup:  snapshot.storage.k8s.io
      Kind:      VolumeSnapshot
      Name:      ds-idrepo-1653077765

    The Kind field should have a value of VolumeSnapshot, indicating that the source of the PVC was a volume snapshot.

    The value in the Name field should match the name of the latest volume snapshot that was taken before you deleted the ds-idrepo directory instance.

  12. Run the kubectl describe pvc data-ds-idrepo-1 and kubectl describe pvc data-ds-idrepo-2 commands. The output should be similar to what you observed in the previous step.

  13. Optionally, re-enable taking volume snapshots:

    1. Set enabled: true in the snapshots section of the ds-idrepo.yaml file.

    2. Apply the changes:

      $ cd /path/to/forgeops/kustomize/base
      $ kubectl apply -f ds-idrepo/ds-idrepo.yaml
      directoryservice.directory.forgerock.io/ds-idrepo configured
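
The checks in steps 11 and 12 of the restore procedure can be scripted against the JSON form of the same kubectl output. The following is an added example, not part of ForgeOps or the DS operator; the sample documents are constructed, and it assumes that the expected source is the newest snapshot marked ready to use.

```python
from datetime import datetime

# Constructed sample of `kubectl get volumesnapshots -o json`, reduced to the
# fields used here. The last entry and all timestamps are made up.
def _snap(name, created, ready=True, pvc="data-ds-idrepo-1"):
    return {"metadata": {"name": name, "creationTimestamp": created},
            "spec": {"source": {"persistentVolumeClaimName": pvc}},
            "status": {"readyToUse": ready}}

SNAPSHOTS = {"items": [
    _snap("ds-idrepo-1653077404", "2022-05-20T20:10:04Z"),
    _snap("ds-idrepo-1653077765", "2022-05-20T20:16:05Z"),
    _snap("ds-idrepo-1653077584", "2022-05-20T20:13:04Z"),
    _snap("ds-idrepo-1653077945", "2022-05-20T20:19:05Z", ready=False),
]}

# Constructed `kubectl get pvc <name> -o json` documents, one per outcome.
def _pvc(name, snapshot=None):
    spec = {}
    if snapshot:
        spec["dataSource"] = {"apiGroup": "snapshot.storage.k8s.io",
                              "kind": "VolumeSnapshot", "name": snapshot}
    return {"metadata": {"name": name}, "spec": spec}

PVCS = [_pvc("data-ds-idrepo-0", "ds-idrepo-1653077765"),  # restored as expected
        _pvc("data-ds-idrepo-1", "ds-idrepo-1653077404"),  # restored from an older snapshot
        _pvc("data-ds-idrepo-2")]                          # not restored from a snapshot

def latest_ready_snapshot(snapshots, source_pvc):
    """Name of the newest readyToUse snapshot taken from source_pvc, or None."""
    ready = [s for s in snapshots["items"]
             if s.get("status", {}).get("readyToUse")
             and s["spec"]["source"].get("persistentVolumeClaimName") == source_pvc]
    if not ready:
        return None
    def created(s):
        return datetime.fromisoformat(s["metadata"]["creationTimestamp"].replace("Z", "+00:00"))
    return max(ready, key=created)["metadata"]["name"]

def check_restored_pvc(pvc, expected_snapshot):
    """Return a list of problems; an empty list means the PVC passed."""
    name, src = pvc["metadata"]["name"], pvc.get("spec", {}).get("dataSource")
    if not src:
        return [f"{name}: no dataSource, PVC was not created from a snapshot"]
    problems = []
    if (src.get("apiGroup"), src.get("kind")) != ("snapshot.storage.k8s.io", "VolumeSnapshot"):
        problems.append(f"{name}: dataSource is {src.get('kind')}, not a VolumeSnapshot")
    if src.get("name") != expected_snapshot:
        problems.append(f"{name}: restored from {src.get('name')}, expected {expected_snapshot}")
    return problems
```

Against a live cluster, load the two inputs with json.loads from the kubectl -o json output, and record the expected snapshot name before deleting the PVCs.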