This section shows how to configure backups on StackGres using Microsoft Azure Blob Storage. You will need the Azure CLI installed to create the required resources.
Let’s create the storage account and container with the following characteristics (that you may change):
Resource group: stackgres-rg
Location: eastus
Storage account: stackgresbackups
Container: sgbackups
az group create \
  --name stackgres-rg \
  --location eastus
az storage account create \
  --name stackgresbackups \
  --resource-group stackgres-rg \
  --location eastus \
  --sku Standard_LRS \
  --kind StorageV2
az storage container create \
  --name sgbackups \
  --account-name stackgresbackups
Retrieve the storage account access key:
az storage account keys list \
  --account-name stackgresbackups \
  --resource-group stackgres-rg \
  --query '[0].value' \
  --output tsv
Save this key securely - you’ll need it for the Kubernetes Secret.
Create a Kubernetes Secret with the Azure storage account credentials:
# Set your values
STORAGE_ACCOUNT="stackgresbackups"
ACCESS_KEY="your-access-key-from-previous-step"
kubectl create secret generic azure-backup-secret \
  --from-literal=storageAccount="$STORAGE_ACCOUNT" \
  --from-literal=accessKey="$ACCESS_KEY"
Or using a YAML manifest:
apiVersion: v1
kind: Secret
metadata:
  name: azure-backup-secret
type: Opaque
stringData:
  storageAccount: stackgresbackups
  accessKey: your-storage-account-access-key
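The key retrieval and Secret creation steps above can be combined so that the access key is never pasted into a terminal, a shell history entry or a manifest file. This is an added example, not part of the StackGres documentation: the function names are hypothetical, and it assumes `az` and `kubectl` are already authenticated and that `kubectl` can read `/dev/stdin` as a `--from-file` source.

```bash
# Added example; function names are hypothetical. Assumes az and kubectl are
# already authenticated against the right subscription and cluster.

# Azure storage account keys are 64 random bytes in Base64: 86 chars plus "==".
is_storage_key() {
  printf '%s' "$1" | grep -Eq '^[A-Za-z0-9+/]{86}==$'
}

# usage: create_backup_secret ACCOUNT RESOURCE_GROUP [SECRET_NAME] [NAMESPACE]
create_backup_secret() {
  local account rg secret ns key rc
  account="$1"; rg="$2"
  secret="${3:-azure-backup-secret}"; ns="${4:-default}"

  # Command substitution strips the trailing newline that --output tsv emits,
  # so the stored key is byte-exact.
  key="$(az storage account keys list --account-name "$account" \
    --resource-group "$rg" --query '[0].value' --output tsv)" || return 1

  # Refuse empty output, placeholders or error text before it becomes a Secret.
  if ! is_storage_key "$key"; then
    echo "error: az did not return a well-formed storage account key" >&2
    return 1
  fi

  # printf is a shell builtin, so the key never shows up as a process argument
  # (unlike --from-literal=accessKey=...); kubectl reads it from stdin.
  printf '%s' "$key" | kubectl create secret generic "$secret" \
    --namespace "$ns" \
    --from-literal=storageAccount="$account" \
    --from-file=accessKey=/dev/stdin
  rc=$?
  unset key
  return "$rc"
}

# Run only when called with arguments, e.g.:
#   ./create-secret.sh stackgresbackups stackgres-rg
if [ "$#" -ge 2 ]; then
  create_backup_secret "$@"
fi
```

The resulting Secret has the same name and keys (`storageAccount`, `accessKey`) that the SGObjectStorage examples on this page reference.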
Create the object storage configuration using the SGObjectStorage CRD:
apiVersion: stackgres.io/v1beta1
kind: SGObjectStorage
metadata:
  name: azure-backup-storage
spec:
  type: azureBlob
  azureBlob:
    bucket: sgbackups
    azureCredentials:
      secretKeySelectors:
        storageAccount:
          name: azure-backup-secret
          key: storageAccount
        accessKey:
          name: azure-backup-secret
          key: accessKey
Apply the configuration:
kubectl apply -f sgobjectstorage.yaml
Reference the SGObjectStorage in your cluster configuration:
apiVersion: stackgres.io/v1
kind: SGCluster
metadata:
  name: my-cluster
spec:
  instances: 3
  postgres:
    version: '16'
  pods:
    persistentVolume:
      size: '10Gi'
  configurations:
    backups:
    - sgObjectStorage: azure-backup-storage
      cronSchedule: '0 5 * * *'
      retention: 7
You can specify a path within the container to organize backups:
apiVersion: stackgres.io/v1beta1
kind: SGObjectStorage
metadata:
  name: azure-backup-storage
spec:
  type: azureBlob
  azureBlob:
    bucket: sgbackups/production/postgres
    azureCredentials:
      secretKeySelectors:
        storageAccount:
          name: azure-backup-secret
          key: storageAccount
        accessKey:
          name: azure-backup-secret
          key: accessKey
The bucket field can include path segments after the container name.
Here’s a complete example with all resources:
apiVersion: v1
kind: Secret
metadata:
  name: azure-backup-secret
  namespace: default
type: Opaque
stringData:
  storageAccount: stackgresbackups
  accessKey: "xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx=="
---
apiVersion: stackgres.io/v1beta1
kind: SGObjectStorage
metadata:
  name: azure-backup-storage
  namespace: default
spec:
  type: azureBlob
  azureBlob:
    bucket: sgbackups
    azureCredentials:
      secretKeySelectors:
        storageAccount:
          name: azure-backup-secret
          key: storageAccount
        accessKey:
          name: azure-backup-secret
          key: accessKey
---
apiVersion: stackgres.io/v1
kind: SGCluster
metadata:
  name: production-cluster
  namespace: default
spec:
  instances: 3
  postgres:
    version: '16'
  pods:
    persistentVolume:
      size: '50Gi'
  configurations:
    backups:
    - sgObjectStorage: azure-backup-storage
      cronSchedule: '0 */6 * * *' # Every 6 hours
      retention: 14 # Keep 14 backups
      path: /production # Optional subfolder
To create a manual backup:
apiVersion: stackgres.io/v1
kind: SGBackup
metadata:
  name: manual-backup
spec:
  sgCluster: production-cluster
  managedLifecycle: false
To restore a cluster from an Azure backup:
apiVersion: stackgres.io/v1
kind: SGCluster
metadata:
  name: restored-cluster
spec:
  instances: 3
  postgres:
    version: '16'
  pods:
    persistentVolume:
      size: '50Gi'
  initialData:
    restore:
      fromBackup:
        name: manual-backup
To add encryption to your Azure backups, see the Backup Encryption guide:
apiVersion: stackgres.io/v1beta1
kind: SGObjectStorage
metadata:
  name: encrypted-azure-storage
spec:
  type: azureBlob
  encryption:
    method: sodium
    sodium:
      key:
        name: backup-encryption-key
        key: key
      keyTransform: hex
  azureBlob:
    bucket: sgbackups
    azureCredentials:
      secretKeySelectors:
        storageAccount:
          name: azure-backup-secret
          key: storageAccount
        accessKey:
          name: azure-backup-secret
          key: accessKey
For enhanced security, you can configure Azure Storage to use private endpoints. The storage account remains accessible from your AKS cluster via the private network.
Azure Blob Storage supports different access tiers. StackGres uses the default tier (Hot) for backups. You can configure lifecycle management policies in Azure to move older backups to cooler tiers for cost optimization:
Note: Backups in Archive tier require rehydration before restore, which can take hours.