Kind: SGObjectStorage
listKind: SGObjectStorageList
plural: sgobjectstorages
singular: sgobjectstorage
shortNames: sgobjs
The SGObjectStorage custom resource allows you to configure where backups are stored.
The object storage represents a persistence location.
Example:

```yaml
apiVersion: stackgres.io/v1beta1
kind: SGObjectStorage
metadata:
  name: objectstorage
spec:
  type: s3Compatible
  s3Compatible:
    bucket: stackgres
    region: k8s
    enablePathStyleAddressing: true
    endpoint: http://my-cluster-minio:9000
    awsCredentials:
      secretKeySelectors:
        accessKeyId:
          key: accesskey
          name: my-cluster-minio
        secretAccessKey:
          key: secretkey
          name: my-cluster-minio
```
See also the Backup Storage section.
| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| apiVersion | ✓ |  |  | string | stackgres.io/v1beta1 |
| kind | ✓ |  |  | string | SGObjectStorage |
| metadata | ✓ | ✓ |  | object | Refer to the Kubernetes API documentation for the fields of the metadata field. |
| spec | ✓ | ✓ |  | object | Object Storage configuration |
Object Storage configuration

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| azureBlob |  | ✓ |  | object | Azure Blob Storage configuration. |
| encryption |  | ✓ |  | object | Section to configure object storage encryption of stored files. |
| gcs |  | ✓ |  | object | Google Cloud Storage configuration. |
| s3 |  | ✓ |  | object | Amazon Web Services S3 configuration. |
| s3Compatible |  | ✓ |  | object | AWS S3-compatible API configuration. |
| type |  | ✓ |  | enum | Determines the type of object storage used for storing the base backups and WAL segments. Possible values: s3 (Amazon Web Services S3, Simple Storage Service); s3Compatible (non-AWS services that implement a compatibility API with AWS S3); gcs (Google Cloud Storage); azureBlob (Microsoft Azure Blob Storage). Enum: s3, s3Compatible, gcs, azureBlob |
Azure Blob Storage configuration.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| azureCredentials | ✓ | ✓ |  | object | The credentials to access Azure Blob Storage for writing and reading. |
| bucket | ✓ | ✓ |  | string | Azure Blob Storage bucket name. |
The credentials to access Azure Blob Storage for writing and reading.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| secretKeySelectors |  | ✓ |  | object | Kubernetes SecretKeySelector(s) to reference the Secret(s) that contain the information about the azureCredentials. Note that you may use the same or different Secrets for the storageAccount and the accessKey. In the former case, the keys that identify each must, obviously, be different. |
Kubernetes SecretKeySelector(s) to reference the Secret(s) that contain the information about the azureCredentials. Note that you may use the same or different Secrets for the storageAccount and the accessKey. In the former case, the keys that identify each must, obviously, be different.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| accessKey | ✓ | ✓ |  | object | The storage account access key. |
| storageAccount | ✓ | ✓ |  | object | The Storage Account that contains the Blob bucket to be used. |
The storage account access key.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key | ✓ | ✓ |  | string | The key of the secret to select from. Must be a valid secret key. |
| name | ✓ | ✓ |  | string | Name of the referent. |
The Storage Account that contains the Blob bucket to be used.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key | ✓ | ✓ |  | string | The key of the secret to select from. Must be a valid secret key. |
| name | ✓ | ✓ |  | string | Name of the referent. |
Section to configure object storage encryption of stored files.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| method |  | ✓ |  | string | Select the storage encryption method. Possible options are: When not set, no encryption will be applied to stored files. |
| openpgp |  | ✓ |  | object | OpenPGP encryption configuration. |
| sodium |  | ✓ |  | object | libsodium encryption configuration. |
OpenPGP encryption configuration.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key | ✓ | ✓ |  | object | To configure encryption and decryption with the OpenPGP standard. You can join a multiline key into one line using `\n` symbols (mostly used in the case of daemontools and envdir). |
| keyPassphrase |  | ✓ |  | object | If your private key is encrypted with a passphrase, you should set the passphrase for decryption. |
To configure encryption and decryption with the OpenPGP standard. You can join a multiline key into one line using `\n` symbols (mostly used in the case of daemontools and envdir).

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key |  | ✓ |  | string | The key of the secret to select from. Must be a valid secret key. |
| name |  | ✓ |  | string | Name of the referent. |
If your private key is encrypted with a passphrase, you should set the passphrase for decryption.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key |  | ✓ |  | string | The key of the secret to select from. Must be a valid secret key. |
| name |  | ✓ |  | string | Name of the referent. |
libsodium encryption configuration.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key | ✓ | ✓ |  | object | To configure encryption and decryption with libsodium, an algorithm that only requires a secret key is used. libsodium keys are fixed-size keys of 32 bytes. For optimal cryptographic security, it is recommended to use a random 32-byte key. To generate a random key, you can use something like `openssl rand -hex 32` (set keyTransform to hex) or `openssl rand -base64 32` (set keyTransform to base64). |
| keyTransform |  | ✓ |  | string | The transform that will be applied to the key to get the required 32-byte key. Supported transformations are base64, hex or none (default). The option none exists for backwards compatibility; the user input will be converted to 32 bytes either via truncation or by zero-padding. Default: none |
To configure encryption and decryption with libsodium, an algorithm that only requires a secret key is used. libsodium keys are fixed-size keys of 32 bytes. For optimal cryptographic security, it is recommended to use a random 32-byte key. To generate a random key, you can use something like `openssl rand -hex 32` (set keyTransform to hex) or `openssl rand -base64 32` (set keyTransform to base64).

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key |  | ✓ |  | string | The key of the secret to select from. Must be a valid secret key. |
| name |  | ✓ |  | string | Name of the referent. |
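As an added example (not StackGres code), a small pre-apply lint in Python that models three rules from this reference: the `type` value must name a section that is present, two credential selectors that share a Secret must point at different keys (as noted for awsCredentials and azureCredentials), and a libsodium key must decode to exactly 32 bytes, with keyTransform `none` flagged because it silently truncates or zero-pads. The sample spec and key values are constructed; the field names follow this page.

```python
import base64
import binascii
CREDENTIAL_PAIRS = {  # type -> (credentials field, two selectors that must not collide)
    "s3": ("awsCredentials", ("accessKeyId", "secretAccessKey")),
    "s3Compatible": ("awsCredentials", ("accessKeyId", "secretAccessKey")),
    "azureBlob": ("azureCredentials", ("storageAccount", "accessKey"))}

def sodium_key_bytes(raw: str, transform: str = "none") -> bytes:
    """keyTransform as documented: hex/base64 must give 32 bytes; none truncates or zero-pads."""
    if transform == "hex":
        key = binascii.unhexlify(raw)
    elif transform == "base64":
        key = base64.b64decode(raw, validate=True)
    elif transform == "none":
        return raw.encode()[:32].ljust(32, b"\x00")
    else:
        raise ValueError(f"unknown keyTransform {transform!r}")
    if len(key) != 32:
        raise ValueError(f"{transform} key decodes to {len(key)} bytes, need 32")
    return key

def lint(spec: dict, sodium_key: str = None) -> list:
    """Problems in an SGObjectStorage spec; sodium_key is the raw Secret value, if known."""
    problems, kind = [], spec.get("type")
    section = spec.get(kind) if kind else None
    if section is None:
        problems.append(f"type is {kind!r} but that section is missing")
    elif kind in CREDENTIAL_PAIRS:
        field, (a, b) = CREDENTIAL_PAIRS[kind]
        sel = section.get(field, {}).get("secretKeySelectors", {})
        sa, sb = sel.get(a, {}), sel.get(b, {})
        if sa and (sa.get("name"), sa.get("key")) == (sb.get("name"), sb.get("key")):
            problems.append(f"{a} and {b} select the same key of the same Secret")
    enc = spec.get("encryption", {})
    if enc.get("method") == "sodium" and sodium_key is not None:
        transform = enc.get("sodium", {}).get("keyTransform", "none")
        if transform == "none" and len(sodium_key.encode()) != 32:
            problems.append("keyTransform none will truncate or zero-pad this key")
        try:
            sodium_key_bytes(sodium_key, transform)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            problems.append(f"sodium key: {exc}")
    return problems

# Constructed sample: the page's s3Compatible example plus a hypothetical sodium section.
SAMPLE_SPEC = {"type": "s3Compatible", "encryption": {"method": "sodium", "sodium": {"keyTransform": "hex"}},
    "s3Compatible": {"bucket": "stackgres", "endpoint": "http://my-cluster-minio:9000",
        "awsCredentials": {"secretKeySelectors": {
            "accessKeyId": {"name": "my-cluster-minio", "key": "accesskey"},
            "secretAccessKey": {"name": "my-cluster-minio", "key": "secretkey"}}}}}
```

Run `lint(SAMPLE_SPEC, "<hex from openssl rand -hex 32>")` before applying; an empty list means the spec passed.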
Google Cloud Storage configuration.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| bucket | ✓ | ✓ |  | string | GCS bucket name. |
| gcpCredentials | ✓ | ✓ |  | object | The credentials to access GCS for writing and reading. |
The credentials to access GCS for writing and reading.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| fetchCredentialsFromMetadataService |  | ✓ |  | boolean | If true, the credentials will be fetched from the GCE/GKE metadata service, and the field secretKeySelectors has to be set to null or omitted. This is useful when running StackGres inside a GKE cluster using Workload Identity. |
| secretKeySelectors |  | ✓ |  | object | A Kubernetes SecretKeySelector to reference the Secrets that contain the information about the Service Account to access GCS. |
A Kubernetes SecretKeySelector to reference the Secrets that contain the information about the Service Account to access GCS.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| serviceAccountJSON | ✓ | ✓ |  | object | A service account key from GCP, in JSON format, as downloaded from the GCP Console. |
A service account key from GCP, in JSON format, as downloaded from the GCP Console.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key | ✓ | ✓ |  | string | The key of the secret to select from. Must be a valid secret key. |
| name | ✓ | ✓ |  | string | Name of the referent. |
Amazon Web Services S3 configuration.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| awsCredentials | ✓ | ✓ |  | object | The credentials to access AWS S3 for writing and reading. |
| bucket | ✓ | ✓ |  | string | AWS S3 bucket name. |
| region |  | ✓ |  | string | The AWS S3 region. The region may be detected using s3:GetBucketLocation, but if you wish to avoid granting permission for this API call, or forbid it in the applicable IAM policy, you must specify this property. |
| storageClass |  | ✓ |  | string | The Amazon S3 storage class to use for the backup object storage. By default, the STANDARD storage class is used. Other supported values include STANDARD_IA for Infrequent Access and REDUCED_REDUNDANCY. |
The credentials to access AWS S3 for writing and reading.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| secretKeySelectors | ✓ | ✓ |  | object | Kubernetes SecretKeySelector(s) to reference the Secrets that contain the information about the awsCredentials. Note that you may use the same or different Secrets for the accessKeyId and the secretAccessKey. In the former case, the keys that identify each must, obviously, be different. |
Kubernetes SecretKeySelector(s) to reference the Secrets that contain the information about the awsCredentials. Note that you may use the same or different Secrets for the accessKeyId and the secretAccessKey. In the former case, the keys that identify each must, obviously, be different.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| accessKeyId | ✓ | ✓ |  | object | AWS access key ID. For example, AKIAIOSFODNN7EXAMPLE. |
| secretAccessKey | ✓ | ✓ |  | object | AWS secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY. |
AWS access key ID. For example, AKIAIOSFODNN7EXAMPLE.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key | ✓ | ✓ |  | string | The key of the secret to select from. Must be a valid secret key. |
| name | ✓ | ✓ |  | string | Name of the referent. |
AWS secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key | ✓ | ✓ |  | string | The key of the secret to select from. Must be a valid secret key. |
| name | ✓ | ✓ |  | string | Name of the referent. |
AWS S3-compatible API configuration.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| awsCredentials | ✓ | ✓ |  | object | The credentials to access AWS S3 for writing and reading. |
| bucket | ✓ | ✓ |  | string | Bucket name. |
| enablePathStyleAddressing |  | ✓ |  | boolean | Enable path-style addressing (i.e. http://s3.amazonaws.com/BUCKET/KEY) when connecting to an S3-compatible service that lacks support for sub-domain style bucket URLs (i.e. http://BUCKET.s3.amazonaws.com/KEY). Defaults to false. |
| endpoint |  | ✓ |  | string | Overrides the default URL used to connect to an S3-compatible service. For example: http://s3-like-service:9000. |
| region |  | ✓ |  | string | The AWS S3 region. The region may be detected using s3:GetBucketLocation, but if you wish to avoid granting permission for this API call, or forbid it in the applicable IAM policy, you must specify this property. |
| storageClass |  | ✓ |  | string | The Amazon S3 storage class to use for the backup object storage. By default, the STANDARD storage class is used. Other supported values include STANDARD_IA for Infrequent Access and REDUCED_REDUNDANCY. |
The credentials to access AWS S3 for writing and reading.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| secretKeySelectors | ✓ | ✓ |  | object | Kubernetes SecretKeySelector(s) to reference the Secret(s) that contain the information about the awsCredentials. Note that you may use the same or different Secrets for the accessKeyId and the secretAccessKey. In the former case, the keys that identify each must, obviously, be different. |
Kubernetes SecretKeySelector(s) to reference the Secret(s) that contain the information about the awsCredentials. Note that you may use the same or different Secrets for the accessKeyId and the secretAccessKey. In the former case, the keys that identify each must, obviously, be different.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| accessKeyId | ✓ | ✓ |  | object | AWS access key ID. For example, AKIAIOSFODNN7EXAMPLE. |
| secretAccessKey | ✓ | ✓ |  | object | AWS secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY. |
| caCertificate |  | ✓ |  | object | CA certificate file to be used when connecting to the S3-compatible service. |
AWS access key ID. For example, AKIAIOSFODNN7EXAMPLE.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key | ✓ | ✓ |  | string | The key of the secret to select from. Must be a valid secret key. |
| name | ✓ | ✓ |  | string | Name of the referent. |
AWS secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key | ✓ | ✓ |  | string | The key of the secret to select from. Must be a valid secret key. |
| name | ✓ | ✓ |  | string | Name of the referent. |
CA certificate file to be used when connecting to the S3-compatible service.

| Property | Required | Updatable | May Require Restart | Type | Description |
|---|---|---|---|---|---|
| key | ✓ | ✓ |  | string | The key of the secret to select from. Must be a valid secret key. |
| name | ✓ | ✓ |  | string | Name of the referent. |