This section shows how to set up backups using Google Cloud Storage. You will need `gsutil` and `gcloud` installed to create the bucket and the service account on Google Cloud.
Create the bucket with the following characteristics (that you may change):

* Project: `stackgres-project`
* Region: `us-west1`
* Bucket name: `my-stackgres-bucket`
* Service account: `stackgres-backup-user`

```shell
## create the bucket; -b on enables uniform bucket-level access, so IAM alone governs object access
gsutil mb \
  -p stackgres-project \
  -b on \
  -l us-west1 \
  "gs://my-stackgres-bucket/"

## create the service account used for backups
gcloud iam service-accounts create stackgres-backup-user --project stackgres-project

## grant access to the bucket
gsutil iam ch \
  serviceAccount:stackgres-backup-user@stackgres-project.iam.gserviceaccount.com:roles/storage.objectAdmin \
  "gs://my-stackgres-bucket/"
```
Create a Kubernetes namespace, a key for the service account created above, and a Kubernetes secret containing the credentials. The local copy of the key file is removed once it is stored in the secret.

```shell
## create the namespace that will hold the secret (and the cluster)
kubectl create namespace stackgres

## create a JSON key for the backup service account
gcloud iam service-accounts keys \
  create my-creds.json --iam-account stackgres-backup-user@stackgres-project.iam.gserviceaccount.com

## create secret
kubectl --namespace stackgres create secret \
  generic gcs-backup-secret \
  --from-file="my-creds.json"

## remove the local copy of the key; the secret is now the only copy in the cluster
rm -rfv my-creds.json
```
With these resources in place, create the object storage configuration and then reference it from the backup configuration. The object storage configuration is governed by the SGObjectStorage CRD. This CRD allows you to specify the object storage technology, its required parameters, and a reference to the credentials secret. Note that `key` must match the key under which `kubectl` stored the file (the file name given to `--from-file`, here `my-creds.json`), and the SGObjectStorage must be applied in the same namespace as the secret.

```yaml
apiVersion: stackgres.io/v1beta1
kind: SGObjectStorage
metadata:
  name: objectstorage
spec:
  type: "gcs"
  gcs:
    bucket: my-stackgres-bucket
    gcpCredentials:
      secretKeySelectors:
        serviceAccountJSON:
          name: gcs-backup-secret
          key: my-creds.json
```
For enhanced security on GKE, you can use Workload Identity instead of service account keys. This eliminates the need to manage and store service account JSON keys: the pods obtain short-lived credentials from the GKE metadata server instead.

Enable Workload Identity on an existing cluster, if not already enabled:

```shell
gcloud container clusters update my-gke-cluster \
  --workload-pool=stackgres-project.svc.id.goog \
  --zone=us-west1-a
```
For new clusters:

```shell
gcloud container clusters create my-gke-cluster \
  --workload-pool=stackgres-project.svc.id.goog \
  --zone=us-west1-a
```
Create the GCP service account, grant it access to the bucket, and create the Kubernetes service account that will be bound to it:

```shell
gcloud iam service-accounts create stackgres-backup-sa \
  --project=stackgres-project \
  --display-name="StackGres Backup Service Account"

## grant access to the bucket
gsutil iam ch \
  serviceAccount:stackgres-backup-sa@stackgres-project.iam.gserviceaccount.com:roles/storage.objectAdmin \
  "gs://my-stackgres-bucket/"

## create the Kubernetes service account
kubectl create serviceaccount stackgres-backup-ksa \
  --namespace default
```
Allow the Kubernetes service account to impersonate the GCP service account:

```shell
gcloud iam service-accounts add-iam-policy-binding \
  stackgres-backup-sa@stackgres-project.iam.gserviceaccount.com \
  --role roles/iam.workloadIdentityUser \
  --member "serviceAccount:stackgres-project.svc.id.goog[default/stackgres-backup-ksa]"
```
Annotate the Kubernetes service account with the GCP service account it maps to:

```shell
kubectl annotate serviceaccount stackgres-backup-ksa \
  --namespace default \
  iam.gke.io/gcp-service-account=stackgres-backup-sa@stackgres-project.iam.gserviceaccount.com
```
Create an SGObjectStorage that fetches credentials from the metadata service instead of a secret:

```yaml
apiVersion: stackgres.io/v1beta1
kind: SGObjectStorage
metadata:
  name: gcs-workload-identity-storage
spec:
  type: gcs
  gcs:
    bucket: my-stackgres-bucket
    gcpCredentials:
      fetchCredentialsFromMetadataService: true
```
Reference it from the backup configuration of the SGCluster:

```yaml
apiVersion: stackgres.io/v1
kind: SGCluster
metadata:
  name: my-cluster
spec:
  # ... other configuration ...
  configurations:
    backups:
    - sgObjectStorage: gcs-workload-identity-storage
      cronSchedule: '0 5 * * *'
      retention: 7
```
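A common failure with the key-based variant is a mismatch between the selector `key` and the key under which `kubectl` stored the file, or a secret living in a different namespace than the SGObjectStorage. The following Python script is an added example, not part of the StackGres documentation or project code: it cross-checks both manifest styles shown above (service account JSON via a secret, and Workload Identity via the metadata service) against the secrets available to them. The manifests and the secret are embedded as constructed Python dicts with placeholder key material rather than read from a cluster; the expectation that the secret shares the SGObjectStorage's namespace is the script's assumption.

```python
"""Consistency check for a StackGres SGObjectStorage (GCS) and the secret it references."""
import base64
import copy
import json

# Constructed sample service account JSON; the private key is a placeholder, not real key material.
SAMPLE_KEY = {
    "type": "service_account",
    "project_id": "stackgres-project",
    "client_email": "stackgres-backup-user@stackgres-project.iam.gserviceaccount.com",
    "private_key": "-----BEGIN PRIVATE KEY-----\nPLACEHOLDER\n-----END PRIVATE KEY-----\n",
}

# Constructed Secret as kubectl stores it after
# `kubectl -n stackgres create secret generic gcs-backup-secret --from-file=my-creds.json`:
# the data key is the file's basename and the value is base64 encoded.
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret",
    "metadata": {"name": "gcs-backup-secret", "namespace": "stackgres"},
    "data": {"my-creds.json": base64.b64encode(json.dumps(SAMPLE_KEY).encode()).decode()},
}
SECRETS = {("stackgres", "gcs-backup-secret"): SAMPLE_SECRET}  # indexed by (namespace, name)

KEY_BASED = {
    "apiVersion": "stackgres.io/v1beta1", "kind": "SGObjectStorage",
    "metadata": {"name": "objectstorage", "namespace": "stackgres"},
    "spec": {"type": "gcs", "gcs": {
        "bucket": "my-stackgres-bucket",
        "gcpCredentials": {"secretKeySelectors": {"serviceAccountJSON": {
            "name": "gcs-backup-secret", "key": "my-creds.json"}}}}},
}

WORKLOAD_IDENTITY = {
    "apiVersion": "stackgres.io/v1beta1", "kind": "SGObjectStorage",
    "metadata": {"name": "gcs-workload-identity-storage", "namespace": "stackgres"},
    "spec": {"type": "gcs", "gcs": {
        "bucket": "my-stackgres-bucket",
        "gcpCredentials": {"fetchCredentialsFromMetadataService": True}}},
}


def check_gcs_object_storage(objstorage, secrets):
    """Return a list of findings; an empty list means the manifest is consistent."""
    findings = []
    spec = objstorage.get("spec", {})
    if spec.get("type") != "gcs":
        return [f"type is {spec.get('type')!r}, expected 'gcs'"]
    gcs = spec.get("gcs", {})
    if not gcs.get("bucket"):
        findings.append("gcs.bucket is missing")
    creds = gcs.get("gcpCredentials", {})
    selector = creds.get("secretKeySelectors", {}).get("serviceAccountJSON")
    use_metadata = bool(creds.get("fetchCredentialsFromMetadataService", False))
    # Exactly one credential source must be configured.
    if bool(selector) == use_metadata:
        findings.append("set exactly one of secretKeySelectors.serviceAccountJSON "
                        "or fetchCredentialsFromMetadataService")
        return findings
    if use_metadata:
        return findings  # Workload Identity: no secret to cross-check offline
    # Key-based: the secret must exist in the same namespace and hold the selected key.
    ns = objstorage.get("metadata", {}).get("namespace")
    secret = secrets.get((ns, selector.get("name")))
    if secret is None:
        findings.append(f"secret {selector.get('name')!r} not found in namespace {ns!r}")
        return findings
    raw = secret.get("data", {}).get(selector.get("key"))
    if raw is None:
        findings.append(f"secret has no key {selector.get('key')!r}; "
                        f"keys present: {sorted(secret.get('data', {}))}")
        return findings
    try:
        sa = json.loads(base64.b64decode(raw))
    except ValueError as exc:  # covers bad base64 and bad JSON
        findings.append(f"key {selector.get('key')!r} is not a valid JSON document: {exc}")
        return findings
    for field in ("type", "client_email", "private_key"):
        if field not in sa:
            findings.append(f"service account JSON lacks {field!r}")
    if sa.get("type") != "service_account":
        findings.append(f"service account JSON type is {sa.get('type')!r}")
    return findings


def mismatched_selector_example():
    """Findings for a selector whose key does not match the stored file name (constructed)."""
    broken = copy.deepcopy(KEY_BASED)
    broken["spec"]["gcs"]["gcpCredentials"]["secretKeySelectors"]["serviceAccountJSON"]["key"] = "creds.json"
    return check_gcs_object_storage(broken, SECRETS)


if __name__ == "__main__":
    for name, manifest in (("key-based", KEY_BASED), ("workload-identity", WORKLOAD_IDENTITY)):
        print(name, check_gcs_object_storage(manifest, SECRETS) or "OK")
    print("mismatched key", mismatched_selector_example())
```

Run it as-is to see the two manifests above pass and the deliberately mismatched selector reported with the keys the secret actually holds; to check a live cluster, replace the embedded dicts with the output of `kubectl get sgobjectstorage -o json` and `kubectl get secret -o json`.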
| Method | Security | Complexity | Use Case |
|---|---|---|---|
| Service Account JSON | Good | Simple | Non-GKE clusters, quick setup |
| Workload Identity | Best | Moderate | Production GKE deployments |
For production GKE deployments, Workload Identity is the recommended approach, as it eliminates the need to manage, rotate and protect service account keys.