Kind: SGBackup
listKind: SGBackupList
plural: sgbackups
singular: sgbackup
shortNames: sgbkp
The SGBackup custom resource represents a backup of the Postgres cluster.
Backups are created automatically by a cron job configured with the settings of the backup configuration, or manually by creating an SGBackup.
Example:
```yaml
apiVersion: stackgres.io/v1
kind: SGBackup
metadata:
  name: backup
spec:
  sgCluster: stackgres
  managedLifecycle: true
status:
  internalName: base_00000002000000000000000E
  sgBackupConfig:
    baseBackups:
      compression: lz4
    storage:
      s3Compatible:
        awsCredentials:
          secretKeySelectors:
            accessKeyId:
              key: accesskey
              name: minio
            secretAccessKey:
              key: secretkey
              name: minio
        endpoint: http://minio:9000
        enablePathStyleAddressing: true
        bucket: stackgres
        region: k8s
      type: s3Compatible
  process:
    status: Completed
    jobPod: backup-backup-q79zq
    managedLifecycle: true
    timing:
      start: "2020-01-22T10:17:24.983902Z"
      stored: "2020-01-22T10:17:27.183Z"
      end: "2020-01-22T10:17:27.165204Z"
  backupInformation:
    hostname: stackgres-1
    systemIdentifier: "6784708504968245298"
    postgresVersion: "110006"
    pgData: /var/lib/postgresql/data
    size:
      compressed: 6691164
      uncompressed: 24037844
    lsn:
      start: "234881064"
      end: "234881272"
    startWalFile: 00000002000000000000000E
```
See also the Backups section.
The SGBackup represents a manual or automatically generated backup of an SGCluster configured with an SGObjectStorage.
When an SGBackup is created, a Job performs a full backup of the database and updates the status of the SGBackup with all the information required to restore it and some stats (or a failure message in case something unexpected happened). After the SGBackup is created, the same Job performs a reconciliation of the backups by applying the retention window configured in the SGObjectStorage: it removes the backups with managed lifecycle, and the WAL files, that are older than the ones that fit in the retention window. The reconciliation also removes backups (excluding WAL files) that do not belong to any SGBackup. If the target storage of the SGObjectStorage is changed, this deletion (of managed-lifecycle backups and WAL files older than the retention window, and of backups that do not belong to any SGBackup) is no longer performed on the previous storage, only on the new target storage.
A manual or automatically generated backup of an SGCluster configured with backups.
When an SGBackup is created, a Job performs a full backup of the database and updates the status of the SGBackup with all the information required to restore it and some stats (or a failure message in case something unexpected happened). Depending on the backup configuration of the targeted SGCluster, the backup generated by an SGBackup is stored either in the object storage configured with an SGObjectStorage, together with the WAL files, or in a VolumeSnapshot (separate from the WAL files, which are still stored in an object storage). After the SGBackup is created, the same Job performs a reconciliation of the backups by applying the retention window configured in the SGCluster: it removes the backups with managed lifecycle, and the WAL files, that are older than the ones that fit in the retention window. The reconciliation also removes backups (excluding WAL files) that do not belong to any SGBackup (including copies). If the target storage is changed, this deletion (of managed-lifecycle backups and WAL files older than the retention window, and of backups that do not belong to any SGBackup) is no longer performed on the previous storage, only on the new target storage. If the reconciliation of backups fails, the backup itself does not fail, and the reconciliation is retried the next time an SGBackup or scheduled backup Job takes place.
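The reconciliation described above, modelled as an added Python example (this is not StackGres code): given the SGBackups of a cluster, the base backups and WAL files found in the storage, and a retention window expressed as a number of completed backups, it returns what the reconciliation would remove and what it would keep. The retention count semantics, the sample names and the ordering of backups by startWalFile are assumptions.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class SGBackupRecord:
    """The few SGBackup fields the reconciliation needs (constructed model)."""
    internal_name: str        # status.internalName, e.g. base_00000002000000000000000E
    start_wal_file: str       # status.backupInformation.startWalFile
    managed_lifecycle: bool   # spec.managedLifecycle
    status: str               # status.process.status


def _wal_order(wal_name: str) -> int:
    # WAL segment names are 24 hex digits (timeline, log, segment); assumes one timeline.
    return int(wal_name, 16)


def reconcile(sgbackups, stored_base_backups, stored_wal_files, retention):
    """Return {'delete_backups', 'delete_wal', 'keep_backups'} as sorted lists.

    retention: number of most recent completed backups that fit in the window.
    Rules modelled from the SGBackup description:
      * completed backups with managedLifecycle=true outside the window are removed;
      * backups with managedLifecycle=false are never removed by the window;
      * base backups in storage that belong to no SGBackup are removed;
      * WAL files older than the oldest backup in the window are removed.
    """
    completed = sorted(
        (b for b in sgbackups if b.status == "Completed"),
        key=lambda b: _wal_order(b.start_wal_file),
        reverse=True,
    )
    window = completed[:retention]
    in_window = {b.internal_name for b in window}
    referenced = {b.internal_name for b in sgbackups}

    delete_backups = {
        b.internal_name
        for b in completed
        if b.managed_lifecycle and b.internal_name not in in_window
    }
    # Orphans: present in the storage but not referenced by any SGBackup.
    delete_backups |= set(stored_base_backups) - referenced

    delete_wal = set()
    if window:
        oldest_needed = _wal_order(window[-1].start_wal_file)
        delete_wal = {w for w in stored_wal_files if _wal_order(w) < oldest_needed}

    return {
        "delete_backups": sorted(delete_backups),
        "delete_wal": sorted(delete_wal),
        "keep_backups": sorted(set(stored_base_backups) - delete_backups),
    }


# Constructed sample: four completed backups, one failed, one orphan in storage.
SAMPLE_BACKUPS = [
    SGBackupRecord("base_000000020000000000000008", "000000020000000000000008", True, "Completed"),
    SGBackupRecord("base_00000002000000000000000A", "00000002000000000000000A", False, "Completed"),
    SGBackupRecord("base_00000002000000000000000C", "00000002000000000000000C", True, "Completed"),
    SGBackupRecord("base_00000002000000000000000E", "00000002000000000000000E", True, "Completed"),
    SGBackupRecord("", "", True, "Failed"),
]
SAMPLE_STORED = [b.internal_name for b in SAMPLE_BACKUPS if b.status == "Completed"] + [
    "base_000000020000000000000006",
]
SAMPLE_WAL = ["0000000200000000000000%02X" % n for n in range(0x06, 0x10)]

if __name__ == "__main__":
    print(reconcile(SAMPLE_BACKUPS, SAMPLE_STORED, SAMPLE_WAL, retention=2))
```

With retention=2 the window holds the two newest backups, the unmanaged backup is kept even though it falls outside the window, and the orphaned base backup is removed.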
| Property | Description |
|---|---|
| apiVersion (string) | stackgres.io/v1. Constraints: required, immutable |
| kind (string) | SGBackup. Constraints: required, immutable |
| metadata (object) | Refer to the Kubernetes API documentation for the fields of the metadata field. Constraints: required, updatable |
| spec (object) | Constraints: required, updatable |
| status (object) | Constraints: optional, updatable |
Properties of spec:

| Property | Description |
|---|---|
| managedLifecycle (boolean) | Indicates whether this backup is not permanent and should be removed by the automated retention policy. Default is false. Constraints: optional, updatable |
| maxRetries (integer) | The maximum number of retries the backup operation is allowed to do after a failure. A value of Constraints: optional, updatable |
| reconciliationTimeout (integer) | Sets a timeout for the reconciliation process that takes place after the backup. If not set, defaults to 300 (5 minutes). If set to 0, the timeout is disabled. A failure of the reconciliation does not make the backup fail; the reconciliation is retried the next time an SGBackup or scheduled backup Job takes place. Constraints: optional, updatable. Default: 300 |
| sgCluster (string) | The name of the SGCluster from which this backup is or will be taken. If this is a copy of an existing completed backup in a different namespace, the value must be prefixed with the namespace of the source backup and a dot. Constraints: optional, updatable |
| timeout (integer) | Sets a timeout for the backup creation. If not set, the timeout is disabled and the backup operation continues until the backup completes or fails. Setting it to 0 is the same as not setting it. Make sure to set a reasonably high value to allow for unexpected delays during backup creation (low network bandwidth, low disk throughput and so forth). Constraints: optional, updatable |
Properties of status:

| Property | Description |
|---|---|
| backupInformation (object) | Constraints: optional, updatable |
| backupPath (string) | The path where the backup is stored. Constraints: optional, updatable |
| internalName (string) | The name of the backup. Constraints: optional, updatable |
| process (object) | Constraints: optional, updatable |
| sgBackupConfig (object) | The backup configuration used to perform this backup. Constraints: optional, updatable |
| volumeSnapshot (object) | The volume snapshot configuration used to restore this backup. Constraints: optional, updatable |
Properties of status.backupInformation:

| Property | Description |
|---|---|
| controlData (object) | An object containing data from the output of pg_controldata on the backup. Constraints: optional, updatable |
| hostname (string) | Hostname of the instance the backup is taken from. Constraints: optional, updatable |
| lsn (object) | Constraints: optional, updatable |
| pgData (string) | Data directory the backup is taken from. Constraints: optional, updatable |
| postgresVersion (string) | Postgres version of the server the backup is taken from. Constraints: optional, updatable |
| size (object) | Constraints: optional, updatable |
| sourcePod (string) | Pod the backup is taken from. Constraints: optional, updatable |
| startWalFile (string) | WAL segment file name when the backup was started. Constraints: optional, updatable |
| systemIdentifier (string) | Postgres system identifier of the cluster this backup is taken from. Constraints: optional, updatable |
| timeline (string) | Backup timeline. Constraints: optional, updatable |

Properties of status.backupInformation.lsn:

| Property | Description |
|---|---|
| end (string) | LSN at which the backup finished. Constraints: optional, updatable |
| start (string) | LSN at which the backup started. Constraints: optional, updatable |

Properties of status.backupInformation.size:

| Property | Description |
|---|---|
| compressed (integer) | Size (in bytes) of the compressed backup. Constraints: optional, updatable. Format: int64 |
| uncompressed (integer) | Size (in bytes) of the uncompressed backup. Constraints: optional, updatable. Format: int64 |

Properties of status.process:

| Property | Description |
|---|---|
| failure (string) | If the status is failed, this field contains a message indicating the failure reason. Constraints: optional, updatable |
| jobPod (string) | Name of the pod assigned to the backup. StackGres internally uses a locking mechanism based on the pod name of the Job that creates the backup. Constraints: optional, updatable |
| managedLifecycle (boolean) | Status (may be transient) until converging to spec.managedLifecycle. Constraints: optional, updatable |
| status (string) | Status of the backup. Constraints: optional, updatable |
| timing (object) | Constraints: optional, updatable |

Properties of status.process.timing:

| Property | Description |
|---|---|
| end (string) | End time of the backup. Constraints: optional, updatable |
| start (string) | Start time of the backup. Constraints: optional, updatable |
| stored (string) | Time at which the backup is safely stored in the object storage. Constraints: optional, updatable |
Properties of status.sgBackupConfig (the backup configuration used to perform this backup):

| Property | Description |
|---|---|
| storage (object) | Object storage configuration. Constraints: required, updatable |
| baseBackups (object) | Base backups configuration. Constraints: optional, updatable |

Properties of status.sgBackupConfig.storage (object storage configuration):

| Property | Description |
|---|---|
| type (enum) | Determines the type of object storage used for storing the base backups and WAL segments. Possible values: s3 (Amazon Web Services S3, Simple Storage Service); s3Compatible (non-AWS services that implement an API compatible with AWS S3); gcs (Google Cloud Storage); azureBlob (Microsoft Azure Blob Storage). Constraints: required, updatable. Enum: s3, s3Compatible, gcs, azureBlob |
| azureBlob (object) | Azure Blob Storage configuration. Constraints: optional, updatable |
| encryption (object) | Section to configure object storage encryption of stored files. Constraints: optional, updatable |
| gcs (object) | Google Cloud Storage configuration. Constraints: optional, updatable |
| s3 (object) | Amazon Web Services S3 configuration. Constraints: optional, updatable |
| s3Compatible (object) | AWS S3-compatible API configuration. Constraints: optional, updatable |
Properties of status.sgBackupConfig.storage.azureBlob (Azure Blob Storage configuration):

| Property | Description |
|---|---|
| azureCredentials (object) | The credentials to access Azure Blob Storage for writing and reading. Constraints: required, updatable |
| bucket (string) | Azure Blob Storage bucket name. Constraints: required, updatable |

Properties of status.sgBackupConfig.storage.azureBlob.azureCredentials (the credentials to access Azure Blob Storage for writing and reading):

| Property | Description |
|---|---|
| secretKeySelectors (object) | Kubernetes SecretKeySelector(s) referencing the Secret(s) that contain the azureCredentials. You may use the same or different Secrets for the storageAccount and the accessKey; if the same Secret is used, the keys that identify each must be different. Constraints: optional, updatable |

Properties of status.sgBackupConfig.storage.azureBlob.azureCredentials.secretKeySelectors:

| Property | Description |
|---|---|
| accessKey (object) | The storage account access key. Constraints: required, updatable |
| storageAccount (object) | The Storage Account that contains the Blob bucket to be used. Constraints: required, updatable |

Properties of status.sgBackupConfig.storage.azureBlob.azureCredentials.secretKeySelectors.accessKey (the storage account access key):

| Property | Description |
|---|---|
| key (string) | The key of the secret to select from. Must be a valid secret key. Constraints: required, updatable |
| name (string) | Name of the referent. Constraints: required, updatable |

Properties of status.sgBackupConfig.storage.azureBlob.azureCredentials.secretKeySelectors.storageAccount (the Storage Account that contains the Blob bucket to be used):

| Property | Description |
|---|---|
| key (string) | The key of the secret to select from. Must be a valid secret key. Constraints: required, updatable |
| name (string) | Name of the referent. Constraints: required, updatable |
Properties of status.sgBackupConfig.storage.encryption (section to configure object storage encryption of stored files):

| Property | Description |
|---|---|
| method (string) | Selects the storage encryption method. Possible options are openpgp and sodium. When not set, no encryption is applied to stored files. Constraints: optional, updatable |
| openpgp (object) | OpenPGP encryption configuration. Constraints: optional, updatable |
| sodium (object) | libsodium encryption configuration. Constraints: optional, updatable |

Properties of status.sgBackupConfig.storage.encryption.openpgp (OpenPGP encryption configuration):

| Property | Description |
|---|---|
| key (object) | Configures encryption and decryption with the OpenPGP standard. You can join a multiline key into one line using \n symbols (mostly used in the case of daemontools and envdir). Constraints: required, updatable |
| keyPassphrase (object) | If your private key is encrypted with a passphrase, you should set the passphrase for decryption. Constraints: optional, updatable |

Properties of status.sgBackupConfig.storage.encryption.openpgp.key (the OpenPGP key; a multiline key can be joined into one line using \n symbols):

| Property | Description |
|---|---|
| key (string) | The key of the secret to select from. Must be a valid secret key. Constraints: optional, updatable |
| name (string) | Name of the referent. Constraints: optional, updatable |

Properties of status.sgBackupConfig.storage.encryption.openpgp.keyPassphrase (the passphrase for decryption, if the private key is encrypted with one):

| Property | Description |
|---|---|
| key (string) | The key of the secret to select from. Must be a valid secret key. Constraints: optional, updatable |
| name (string) | Name of the referent. Constraints: optional, updatable |

Properties of status.sgBackupConfig.storage.encryption.sodium (libsodium encryption configuration):

| Property | Description |
|---|---|
| key (object) | Configures encryption and decryption with libsodium, using an algorithm that only requires a secret key. libsodium keys are fixed-size keys of 32 bytes. For optimal cryptographic security, it is recommended to use a random 32-byte key. To generate a random key, you can use something like openssl rand -hex 32 (set keyTransform to hex) or openssl rand -base64 32 (set keyTransform to base64). Constraints: required, updatable |
| keyTransform (string) | The transform applied to the key to get the required 32-byte key. Supported transformations are base64, hex or none (default). The option none exists for backwards compatibility: the user input is converted to 32 bytes either via truncation or by zero-padding. Constraints: optional, updatable. Default: none |

Properties of status.sgBackupConfig.storage.encryption.sodium.key (the libsodium secret key; a random 32-byte key generated with openssl rand -hex 32 or openssl rand -base64 32 is recommended, with keyTransform set accordingly):

| Property | Description |
|---|---|
| key (string) | The key of the secret to select from. Must be a valid secret key. Constraints: optional, updatable |
| name (string) | Name of the referent. Constraints: optional, updatable |
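An added example (not part of StackGres) of what the three keyTransform values do to the Secret content before it becomes the libsodium key: hex and base64 must decode to exactly 32 bytes, while none truncates or zero-pads, so a short value under none leaves most of the key as zero bytes. The function names are assumptions; the generated values mirror the openssl commands quoted above.

```python
import base64
import secrets

KEY_LEN = 32  # libsodium secret-key size, as stated in the sodium.key description


def transform_key(raw: str, key_transform: str = "none") -> bytes:
    """Derive the 32-byte libsodium key from the Secret value as keyTransform dictates."""
    if key_transform == "hex":
        key = bytes.fromhex(raw.strip())                    # openssl rand -hex 32
    elif key_transform == "base64":
        key = base64.b64decode(raw.strip(), validate=True)  # openssl rand -base64 32
    elif key_transform == "none":
        # Backwards-compatible behaviour: raw bytes truncated or zero-padded to 32.
        key = raw.encode()[:KEY_LEN].ljust(KEY_LEN, b"\x00")
    else:
        raise ValueError(f"unsupported keyTransform {key_transform!r}")
    if len(key) != KEY_LEN:
        raise ValueError(f"{key_transform} key decodes to {len(key)} bytes, need {KEY_LEN}")
    return key


def key_warnings(raw: str, key_transform: str = "none") -> list[str]:
    """Checks worth running before the key is stored in a Secret."""
    warnings = []
    if key_transform == "none":
        n = len(raw.encode())
        if n < KEY_LEN:
            warnings.append(f"only {n} of {KEY_LEN} key bytes come from the input; "
                            "the rest are zero padding")
        elif n > KEY_LEN:
            warnings.append(f"input is {n} bytes; bytes beyond {KEY_LEN} are silently truncated")
        warnings.append("keyTransform none exists for backwards compatibility; "
                        "prefer a random hex or base64 key")
    return warnings


def generate_key(key_transform: str) -> str:
    """Equivalent of openssl rand -hex 32 / openssl rand -base64 32 for the Secret value."""
    if key_transform == "hex":
        return secrets.token_hex(KEY_LEN)
    if key_transform == "base64":
        return base64.b64encode(secrets.token_bytes(KEY_LEN)).decode()
    raise ValueError("generate only hex or base64 keys")


if __name__ == "__main__":
    for transform in ("hex", "base64"):
        value = generate_key(transform)
        print(transform, value, len(transform_key(value, transform)), "bytes")
    print(key_warnings("short", "none"))
```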
Properties of status.sgBackupConfig.storage.gcs (Google Cloud Storage configuration):

| Property | Description |
|---|---|
| bucket (string) | GCS bucket name. Constraints: required, updatable |
| gcpCredentials (object) | The credentials to access GCS for writing and reading. Constraints: required, updatable |

Properties of status.sgBackupConfig.storage.gcs.gcpCredentials (the credentials to access GCS for writing and reading):

| Property | Description |
|---|---|
| fetchCredentialsFromMetadataService (boolean) | If true, the credentials are fetched from the GCE/GKE metadata service and the field secretKeySelectors has to be set to null or omitted. This is useful when running StackGres inside a GKE cluster using Workload Identity. Constraints: optional, updatable |
| secretKeySelectors (object) | A Kubernetes SecretKeySelector referencing the Secrets that contain the information about the Service Account to access GCS. Constraints: optional, updatable |

Properties of status.sgBackupConfig.storage.gcs.gcpCredentials.secretKeySelectors:

| Property | Description |
|---|---|
| serviceAccountJSON (object) | A service account key from GCP, in JSON format, as downloaded from the GCP Console. Constraints: required, updatable |

Properties of status.sgBackupConfig.storage.gcs.gcpCredentials.secretKeySelectors.serviceAccountJSON (a service account key from GCP, in JSON format):

| Property | Description |
|---|---|
| key (string) | The key of the secret to select from. Must be a valid secret key. Constraints: required, updatable |
| name (string) | Name of the referent. Constraints: required, updatable |
Properties of status.sgBackupConfig.storage.s3 (Amazon Web Services S3 configuration):

| Property | Description |
|---|---|
| awsCredentials (object) | The credentials to access AWS S3 for writing and reading. Constraints: required, updatable |
| bucket (string) | AWS S3 bucket name. Constraints: required, updatable |
| region (string) | The AWS S3 region. The region may be detected using s3:GetBucketLocation, but if you wish to avoid granting permission for this API call, or forbid it in the applicable IAM policy, you must specify this property. Constraints: optional, updatable |
| storageClass (string) | The Amazon S3 storage class to use for the backup object storage. By default, the STANDARD storage class is used. Other supported values include STANDARD_IA for Infrequent Access and REDUCED_REDUNDANCY. Constraints: optional, updatable |

Properties of status.sgBackupConfig.storage.s3.awsCredentials (the credentials to access AWS S3 for writing and reading):

| Property | Description |
|---|---|
| secretKeySelectors (object) | Kubernetes SecretKeySelector(s) referencing the Secrets that contain the awsCredentials. You may use the same or different Secrets for the accessKeyId and the secretAccessKey; if the same Secret is used, the keys that identify each must be different. Constraints: optional, updatable |
| useIAMRole (boolean) | When set to true, the IAM role credentials are used instead of the secret key selectors. Constraints: optional, updatable. Default: false |

Properties of status.sgBackupConfig.storage.s3.awsCredentials.secretKeySelectors:

| Property | Description |
|---|---|
| accessKeyId (object) | AWS access key ID. For example, AKIAIOSFODNN7EXAMPLE. Constraints: required, updatable |
| secretAccessKey (object) | AWS secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY. Constraints: required, updatable |

Properties of status.sgBackupConfig.storage.s3.awsCredentials.secretKeySelectors.accessKeyId (AWS access key ID, for example AKIAIOSFODNN7EXAMPLE):

| Property | Description |
|---|---|
| key (string) | The key of the secret to select from. Must be a valid secret key. Constraints: required, updatable |
| name (string) | Name of the referent. Constraints: required, updatable |

Properties of status.sgBackupConfig.storage.s3.awsCredentials.secretKeySelectors.secretAccessKey (AWS secret access key, for example wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY):

| Property | Description |
|---|---|
| key (string) | The key of the secret to select from. Must be a valid secret key. Constraints: required, updatable |
| name (string) | Name of the referent. Constraints: required, updatable |
Properties of status.sgBackupConfig.storage.s3Compatible (AWS S3-compatible API configuration):

| Property | Description |
|---|---|
| awsCredentials (object) | The credentials to access the S3-compatible service for writing and reading. Constraints: required, updatable |
| bucket (string) | Bucket name. Constraints: required, updatable |
| enablePathStyleAddressing (boolean) | Enables path-style addressing (i.e. http://s3.amazonaws.com/BUCKET/KEY) when connecting to an S3-compatible service that lacks support for sub-domain style bucket URLs (i.e. http://BUCKET.s3.amazonaws.com/KEY). Defaults to false. Constraints: optional, updatable |
| endpoint (string) | Overrides the default URL used to connect to an S3-compatible service. For example: http://s3-like-service:9000. Constraints: optional, updatable |
| region (string) | The AWS S3 region. The region may be detected using s3:GetBucketLocation, but if you wish to avoid granting permission for this API call, or forbid it in the applicable IAM policy, you must specify this property. Constraints: optional, updatable |
| storageClass (string) | The Amazon S3 storage class to use for the backup object storage. By default, the STANDARD storage class is used. Other supported values include STANDARD_IA for Infrequent Access and REDUCED_REDUNDANCY. Constraints: optional, updatable |

Properties of status.sgBackupConfig.storage.s3Compatible.awsCredentials (the credentials to access the S3-compatible service for writing and reading):

| Property | Description |
|---|---|
| secretKeySelectors (object) | Kubernetes SecretKeySelector(s) referencing the Secret(s) that contain the awsCredentials. You may use the same or different Secrets for the accessKeyId and the secretAccessKey; if the same Secret is used, the keys that identify each must be different. Constraints: required, updatable |

Properties of status.sgBackupConfig.storage.s3Compatible.awsCredentials.secretKeySelectors:

| Property | Description |
|---|---|
| accessKeyId (object) | AWS access key ID. For example, AKIAIOSFODNN7EXAMPLE. Constraints: required, updatable |
| secretAccessKey (object) | AWS secret access key. For example, wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY. Constraints: required, updatable |
| caCertificate (object) | CA certificate file to be used when connecting to the S3-compatible service. Constraints: optional, updatable |

Properties of status.sgBackupConfig.storage.s3Compatible.awsCredentials.secretKeySelectors.accessKeyId (AWS access key ID, for example AKIAIOSFODNN7EXAMPLE):

| Property | Description |
|---|---|
| key (string) | The key of the secret to select from. Must be a valid secret key. Constraints: required, updatable |
| name (string) | Name of the referent. Constraints: required, updatable |

Properties of status.sgBackupConfig.storage.s3Compatible.awsCredentials.secretKeySelectors.secretAccessKey (AWS secret access key, for example wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY):

| Property | Description |
|---|---|
| key (string) | The key of the secret to select from. Must be a valid secret key. Constraints: required, updatable |
| name (string) | Name of the referent. Constraints: required, updatable |

Properties of status.sgBackupConfig.storage.s3Compatible.awsCredentials.secretKeySelectors.caCertificate (CA certificate file to be used when connecting to the S3-compatible service):

| Property | Description |
|---|---|
| key (string) | The key of the secret to select from. Must be a valid secret key. Constraints: required, updatable |
| name (string) | Name of the referent. Constraints: required, updatable |
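An added consistency check (not project code) over the storage section of sgBackupConfig, covering the s3, s3Compatible, gcs and azureBlob credential rules stated in the tables above: the selectors each type requires, useIAMRole and fetchCredentialsFromMetadataService replacing the selectors, and two selectors on the same Secret needing different keys. The input is the parsed YAML as a dict; the function name and the message wording are assumptions, and the sample is constructed from the s3Compatible example at the top of the page.

```python
# Which credentials object each storage type carries, and the selectors it needs.
REQUIRED_SELECTORS = {
    "s3": ("awsCredentials", ("accessKeyId", "secretAccessKey")),
    "s3Compatible": ("awsCredentials", ("accessKeyId", "secretAccessKey")),
    "gcs": ("gcpCredentials", ("serviceAccountJSON",)),
    "azureBlob": ("azureCredentials", ("storageAccount", "accessKey")),
}


def validate_storage(storage: dict) -> list[str]:
    """Return a list of problems; empty when the storage section is consistent."""
    stype = storage.get("type")
    if stype not in REQUIRED_SELECTORS:
        return [f"type must be one of {sorted(REQUIRED_SELECTORS)}, got {stype!r}"]
    section = storage.get(stype)
    if not isinstance(section, dict):
        return [f"storage.{stype} is required when type is {stype}"]
    problems = []
    if not section.get("bucket"):
        problems.append(f"storage.{stype}.bucket is required")
    cred_name, selector_names = REQUIRED_SELECTORS[stype]
    creds = section.get(cred_name) or {}
    selectors = creds.get("secretKeySelectors")
    if stype == "s3" and creds.get("useIAMRole"):
        return problems  # IAM role credentials replace the selectors
    if stype == "gcs" and creds.get("fetchCredentialsFromMetadataService"):
        if selectors:
            problems.append("gcs: secretKeySelectors must be omitted when "
                            "fetchCredentialsFromMetadataService is true")
        return problems
    if not selectors:
        problems.append(f"storage.{stype}.{cred_name}.secretKeySelectors is required")
        return problems
    seen = {}  # (Secret name, key) -> selector that already reads it
    for sel_name in selector_names:
        sel = selectors.get(sel_name) or {}
        if not sel.get("name") or not sel.get("key"):
            problems.append(f"{cred_name}.secretKeySelectors.{sel_name} needs name and key")
            continue
        ref = (sel["name"], sel["key"])
        if ref in seen:
            problems.append(f"{sel_name} and {seen[ref]} both read key {sel['key']!r} "
                            f"of Secret {sel['name']!r}; the keys must differ")
        seen[ref] = sel_name
    return problems


# Constructed from the s3Compatible example above: one Secret, two different keys.
MINIO_STORAGE = {
    "type": "s3Compatible",
    "s3Compatible": {
        "bucket": "stackgres",
        "endpoint": "http://minio:9000",
        "enablePathStyleAddressing": True,
        "region": "k8s",
        "awsCredentials": {"secretKeySelectors": {
            "accessKeyId": {"name": "minio", "key": "accesskey"},
            "secretAccessKey": {"name": "minio", "key": "secretkey"},
        }},
    },
}

if __name__ == "__main__":
    print(validate_storage(MINIO_STORAGE) or "storage section is consistent")
```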
Properties of status.sgBackupConfig.baseBackups (base backups configuration):

| Property | Description |
|---|---|
| compression (enum) | Selects the backup compression algorithm. Possible options are: lz4, lzma, zstd, brotli. The default method is lz4. LZ4 is the fastest method, but its compression ratio is the worst. LZMA is much slower, but it compresses backups about 6 times better than LZ4. Brotli is a good trade-off between speed and compression ratio, being about 3 times better than LZ4. Constraints: optional, updatable. Enum: lz4, lzma, zstd, brotli |
Properties of status.volumeSnapshot (the volume snapshot configuration used to restore this backup):

| Property | Description |
|---|---|
| backupLabel (string) | The content of the backup_label column returned by pg_backup_stop, encoded in Base64. Constraints: optional, updatable |
| name (string) | The volume snapshot used to store this backup. Constraints: optional, updatable |
| tablespaceMap (string) | The content of the tablespace_map column returned by pg_backup_stop, encoded in Base64. Constraints: optional, updatable |