New to Stash? Please start here.

Stash Backends

Backend is where restic stores snapshots. For any backend, a Kubernetes Secret in the same namespace is needed to provide restic repository credentials. This Secret can be configured by setting spec.backend.storageSecretName field. This document lists the various supported backends for Stash and how to configure those.

Local

Local backend refers to a local path inside stash sidecar container. Any Kubernetes supported persistent volume can be used here. Some examples are: emptyDir for testing, NFS, Ceph, GlusterFS, etc. To configure this backend, following secret keys are needed:

KeyDescription
RESTIC_PASSWORDRequired. Password used to encrypt snapshots by restic
$ echo -n 'changeit' > RESTIC_PASSWORD
$ kubectl create secret generic local-secret --from-file=./RESTIC_PASSWORD
secret "local-secret" created
$ kubectl get secret local-secret -o yaml

apiVersion: v1
data:
  RESTIC_PASSWORD: Y2hhbmdlaXQ=
kind: Secret
metadata:
  creationTimestamp: 2017-06-28T12:06:19Z
  name: stash-local
  namespace: default
  resourceVersion: "1440"
  selfLink: /api/v1/namespaces/default/secrets/stash-local
  uid: 31a47380-5bfa-11e7-bb52-08002711f4aa
type: Opaque

Now, you can create a Restic tpr using this secret. Following parameters are available for Local backend.

ParameterDescription
local.mountPathRequired. Path where this volume will be mounted in the sidecar container. Example: /repo
local.subPathOptional. Sub-path inside the referenced volume instead of its root.
local.VolumeSourceRequired. Any Kubernetes volume. Can be specified inlined. Example: hostPath
$ kubectl apply -f ./docs/examples/backends/local/local-restic.yaml
restic "local-restic" created
apiVersion: stash.appscode.com/v1alpha1
kind: Restic
metadata:
  name: local-restic
  namespace: default
spec:
  selector:
    matchLabels:
      app: local-restic
  fileGroups:
  - path: /source/data
    retentionPolicyName: 'keep-last-5'
  backend:
    local:
      mountPath: /repo
      hostPath:
        path: /data/stash-test/restic-repo
    storageSecretName: local-secret
  schedule: '@every 1m'
  volumeMounts:
  - mountPath: /source/data
    name: source-data
  retentionPolicies:
  - name: 'keep-last-5'
    keepLast: 5
    prune: true

AWS S3

Stash supports AWS S3 service or Minio servers as backend. To configure this backend, following secret keys are needed:

KeyDescription
RESTIC_PASSWORDRequired. Password used to encrypt snapshots by restic
AWS_ACCESS_KEY_IDRequired. AWS / Minio / DigitalOcean Spaces access key ID
AWS_SECRET_ACCESS_KEYRequired. AWS / Minio / DigitalOcean Spaces secret access key
$ echo -n 'changeit' > RESTIC_PASSWORD
$ echo -n '<your-aws-access-key-id-here>' > AWS_ACCESS_KEY_ID
$ echo -n '<your-aws-secret-access-key-here>' > AWS_SECRET_ACCESS_KEY
$ kubectl create secret generic s3-secret \
    --from-file=./RESTIC_PASSWORD \
    --from-file=./AWS_ACCESS_KEY_ID \
    --from-file=./AWS_SECRET_ACCESS_KEY
secret "s3-secret" created
$ kubectl get secret s3-secret -o yaml

apiVersion: v1
data:
  AWS_ACCESS_KEY_ID: PHlvdXItYXdzLWFjY2Vzcy1rZXktaWQtaGVyZT4=
  AWS_SECRET_ACCESS_KEY: PHlvdXItYXdzLXNlY3JldC1hY2Nlc3Mta2V5LWhlcmU+
  RESTIC_PASSWORD: Y2hhbmdlaXQ=
kind: Secret
metadata:
  creationTimestamp: 2017-06-28T12:22:33Z
  name: s3-secret
  namespace: default
  resourceVersion: "2511"
  selfLink: /api/v1/namespaces/default/secrets/s3-secret
  uid: 766d78bf-5bfc-11e7-bb52-08002711f4aa
type: Opaque

Now, you can create a Restic tpr using this secret. Following parameters are available for S3 backend.

ParameterDescription
s3.endpointRequired. For S3, use s3.amazonaws.com. If your bucket is in a different location, S3 server (s3.amazonaws.com) will redirect restic to the correct endpoint. For DigitalOCean, use nyc3.digitaloceanspaces.com etc. depending on your bucket region. For an S3-compatible server that is not Amazon (like Minio), or is only available via HTTP, you can specify the endpoint like this: http://server:port.
s3.bucketRequired. Name of Bucket. If the bucket does not exist yet it will be created in the default location (us-east-1 for S3). It is not possible at the moment to have restic create a new bucket in a different location, so you need to create it using a different program.
s3.prefixOptional. Path prefix into bucket where repository will be created.
$ kubectl apply -f ./docs/examples/backends/s3/s3-restic.yaml
restic "s3-restic" created
apiVersion: stash.appscode.com/v1alpha1
kind: Restic
metadata:
  name: s3-restic
  namespace: default
spec:
  selector:
    matchLabels:
      app: s3-restic
  fileGroups:
  - path: /source/data
    retentionPolicyName: 'keep-last-5'
  backend:
    s3:
      endpoint: 's3.amazonaws.com'
      bucket: stash-qa
      prefix: demo
    storageSecretName: s3-secret
  schedule: '@every 1m'
  volumeMounts:
  - mountPath: /source/data
    name: source-data
  retentionPolicies:
  - name: 'keep-last-5'
    keepLast: 5
    prune: true

Google Cloud Storage (GCS)

Stash supports Google Cloud Storage(GCS) as backend. To configure this backend, following secret keys are needed:

KeyDescription
RESTIC_PASSWORDRequired. Password used to encrypt snapshots by restic
GOOGLE_PROJECT_IDRequired. Google Cloud project ID
GOOGLE_SERVICE_ACCOUNT_JSON_KEYRequired. Google Cloud service account json key
$ echo -n 'changeit' > RESTIC_PASSWORD
$ echo -n '<your-project-id>' > GOOGLE_PROJECT_ID
$ mv downloaded-sa-json.key > GOOGLE_SERVICE_ACCOUNT_JSON_KEY
$ kubectl create secret generic gcs-secret \
    --from-file=./RESTIC_PASSWORD \
    --from-file=./GOOGLE_PROJECT_ID \
    --from-file=./GOOGLE_SERVICE_ACCOUNT_JSON_KEY
secret "gcs-secret" created
$ kubectl get secret gcs-secret -o yaml

apiVersion: v1
data:
  GOOGLE_PROJECT_ID: PHlvdXItcHJvamVjdC1pZD4=
  GOOGLE_SERVICE_ACCOUNT_JSON_KEY: ewogICJ0eXBlIjogInNlcnZpY2VfYWNjb3V...9tIgp9Cg==
  RESTIC_PASSWORD: Y2hhbmdlaXQ=
kind: Secret
metadata:
  creationTimestamp: 2017-06-28T13:06:51Z
  name: gcs-secret
  namespace: default
  resourceVersion: "5461"
  selfLink: /api/v1/namespaces/default/secrets/gcs-secret
  uid: a6983b00-5c02-11e7-bb52-08002711f4aa
type: Opaque

Now, you can create a Restic tpr using this secret. Following parameters are available for gcs backend.

ParameterDescription
gcs.bucketRequired. Name of Bucket. If the bucket does not exist yet, it will be created in the default location (US). It is not possible at the moment to have restic create a new bucket in a different location, so you need to create it using a different program.
gcs.prefixOptional. Path prefix into bucket where repository will be created.
$ kubectl apply -f ./docs/examples/backends/gcs/gcs-restic.yaml
restic "gcs-restic" created
apiVersion: stash.appscode.com/v1alpha1
kind: Restic
metadata:
  name: gcs-restic
  namespace: default
spec:
  selector:
    matchLabels:
      app: gcs-restic
  fileGroups:
  - path: /source/data
    retentionPolicyName: 'keep-last-5'
  backend:
    gcs:
      bucket: stash-qa
      prefix: demo
    storageSecretName: gcs-secret
  schedule: '@every 1m'
  volumeMounts:
  - mountPath: /source/data
    name: source-data
  retentionPolicies:
  - name: 'keep-last-5'
    keepLast: 5
    prune: true

Microsoft Azure Storage

Stash supports Microsoft Azure Storage as backend. To configure this backend, following secret keys are needed:

KeyDescription
RESTIC_PASSWORDRequired. Password used to encrypt snapshots by restic
AZURE_ACCOUNT_NAMERequired. Azure Storage account name
AZURE_ACCOUNT_KEYRequired. Azure Storage account key
$ echo -n 'changeit' > RESTIC_PASSWORD
$ echo -n '<your-azure-storage-account-name>' > AZURE_ACCOUNT_NAME
$ echo -n '<your-azure-storage-account-key>' > AZURE_ACCOUNT_KEY
$ kubectl create secret generic azure-secret \
    --from-file=./RESTIC_PASSWORD \
    --from-file=./AZURE_ACCOUNT_NAME \
    --from-file=./AZURE_ACCOUNT_KEY
secret "azure-secret" created
$ kubectl get secret azure-secret -o yaml

apiVersion: v1
data:
  AZURE_ACCOUNT_KEY: PHlvdXItYXp1cmUtc3RvcmFnZS1hY2NvdW50LWtleT4=
  AZURE_ACCOUNT_NAME: PHlvdXItYXp1cmUtc3RvcmFnZS1hY2NvdW50LW5hbWU+
  RESTIC_PASSWORD: Y2hhbmdlaXQ=
kind: Secret
metadata:
  creationTimestamp: 2017-06-28T13:27:16Z
  name: azure-secret
  namespace: default
  resourceVersion: "6809"
  selfLink: /api/v1/namespaces/default/secrets/azure-secret
  uid: 80f658d1-5c05-11e7-bb52-08002711f4aa
type: Opaque

Now, you can create a Restic tpr using this secret. Following parameters are available for Azure backend.

ParameterDescription
azure.containerRequired. Name of Storage container
azure.prefixOptional. Path prefix into bucket where repository will be created.
$ kubectl apply -f ./docs/examples/backends/azure/azure-restic.yaml
restic "azure-restic" created
apiVersion: stash.appscode.com/v1alpha1
kind: Restic
metadata:
  name: azure-restic
  namespace: default
spec:
  selector:
    matchLabels:
      app: azure-restic
  fileGroups:
  - path: /source/data
    retentionPolicyName: 'keep-last-5'
  backend:
    azure:
      container: stashqa
      prefix: demo
    storageSecretName: azure-secret
  schedule: '@every 1m'
  volumeMounts:
  - mountPath: /source/data
    name: source-data
  retentionPolicies:
  - name: 'keep-last-5'
    keepLast: 5
    prune: true

OpenStack Swift

Stash supports OpenStack Swift as backend. To configure this backend, following secret keys are needed:

KeyDescription
RESTIC_PASSWORDRequired. Password used to encrypt snapshots by restic
ST_AUTHFor keystone v1 authentication
ST_USERFor keystone v1 authentication
ST_KEYFor keystone v1 authentication
OS_AUTH_URLFor keystone v2 authentication
OS_REGION_NAMEFor keystone v2 authentication
OS_USERNAMEFor keystone v2 authentication
OS_PASSWORDFor keystone v2 authentication
OS_TENANT_IDFor keystone v2 authentication
OS_TENANT_NAMEFor keystone v2 authentication
OS_AUTH_URLFor keystone v3 authentication
OS_REGION_NAMEFor keystone v3 authentication
OS_USERNAMEFor keystone v3 authentication
OS_PASSWORDFor keystone v3 authentication
OS_USER_DOMAIN_NAMEFor keystone v3 authentication
OS_PROJECT_NAMEFor keystone v3 authentication
OS_PROJECT_DOMAIN_NAMEFor keystone v3 authentication
OS_STORAGE_URLFor authentication based on tokens
OS_AUTH_TOKENFor authentication based on tokens
$ echo -n 'changeit' > RESTIC_PASSWORD
$ echo -n '<your-auth-url>' > OS_AUTH_URL
$ echo -n '<your-tenant-id>' > OS_TENANT_ID
$ echo -n '<your-tenant-name>' > OS_TENANT_NAME
$ echo -n '<your-username>' > OS_USERNAME
$ echo -n '<your-password>' > OS_PASSWORD
$ echo -n '<your-region>' > OS_REGION_NAME
$ kubectl create secret generic swift-secret \
    --from-file=./RESTIC_PASSWORD \
    --from-file=./OS_AUTH_URL \
    --from-file=./OS_TENANT_ID \
    --from-file=./OS_TENANT_NAME \
    --from-file=./OS_USERNAME \
    --from-file=./OS_PASSWORD \
    --from-file=./OS_REGION_NAME
secret "swift-secret" created
$ kubectl get secret swift-secret -o yaml

apiVersion: v1
data:
  OS_AUTH_URL: PHlvdXItYXV0aC11cmw+
  OS_PASSWORD: PHlvdXItcGFzc3dvcmQ+
  OS_REGION_NAME: PHlvdXItcmVnaW9uPg==
  OS_TENANT_ID: PHlvdXItdGVuYW50LWlkPg==
  OS_TENANT_NAME: PHlvdXItdGVuYW50LW5hbWU+
  OS_USERNAME: PHlvdXItdXNlcm5hbWU+
  RESTIC_PASSWORD: Y2hhbmdlaXQ=
kind: Secret
metadata:
  creationTimestamp: 2017-07-03T19:17:39Z
  name: swift-secret
  namespace: default
  resourceVersion: "36381"
  selfLink: /api/v1/namespaces/default/secrets/swift-secret
  uid: 47b4bcab-6024-11e7-879a-080027726d6b
type: Opaque

Now, you can create a Restic tpr using this secret. Following parameters are available for Swift backend.

ParameterDescription
swift.containerRequired. Name of Storage container
swift.prefixOptional. Path prefix into bucket where repository will be created.
$ kubectl apply -f ./docs/examples/backends/swift/swift-restic.yaml
restic "swift-restic" created
apiVersion: stash.appscode.com/v1alpha1
kind: Restic
metadata:
  name: swift-restic
  namespace: default
spec:
  selector:
    matchLabels:
      app: swift-restic
  fileGroups:
  - path: /source/data
    retentionPolicyName: 'keep-last-5'
  backend:
    swift:
      container: stashqa
      prefix: demo
    storageSecretName: swift-secret
  schedule: '@every 1m'
  volumeMounts:
  - mountPath: /source/data
    name: source-data
  retentionPolicies:
  - name: 'keep-last-5'
    keepLast: 5
    prune: true

Backblaze B2

Stash supports Backblaze B2 as backend. To configure this backend, following secret keys are needed:

KeyDescription
RESTIC_PASSWORDRequired. Password used to encrypt snapshots by restic
B2_ACCOUNT_IDRequired. Backblaze B2 account id
B2_ACCOUNT_KEYRequired. Backblaze B2 account key
$ echo -n 'changeit' > RESTIC_PASSWORD
$ echo -n '<your-b2-account-id>' > B2_ACCOUNT_ID
$ echo -n '<your-b2-account-key>' > B2_ACCOUNT_KEY
$ kubectl create secret generic b2-secret \
    --from-file=./RESTIC_PASSWORD \
    --from-file=./B2_ACCOUNT_ID \
    --from-file=./B2_ACCOUNT_KEY
secret "b2-secret" created
$ kubectl get secret b2-secret -o yaml

apiVersion: v1
data:
  B2_ACCOUNT_ID: PHlvdXItYXp1cmUtc3RvcmFnZS1hY2NvdW50LWtleT4=
  B2_ACCOUNT_KEY: PHlvdXItYXp1cmUtc3RvcmFnZS1hY2NvdW50LW5hbWU+
  RESTIC_PASSWORD: Y2hhbmdlaXQ=
kind: Secret
metadata:
  creationTimestamp: 2017-06-28T13:27:16Z
  name: b2-secret
  namespace: default
  resourceVersion: "6809"
  selfLink: /api/v1/namespaces/default/secrets/b2-secret
  uid: 80f658d1-5c05-11e7-bb52-08002711f4aa
type: Opaque

Now, you can create a Restic tpr using this secret. Following parameters are available for B2 backend.

ParameterDescription
b2.bucketRequired. Name of B2 bucket
b2.prefixOptional. Path prefix into bucket where repository will be created.
$ kubectl apply -f ./docs/examples/backends/b2/b2-restic.yaml
restic "b2-restic" created
apiVersion: stash.appscode.com/v1alpha1
kind: Restic
metadata:
  name: b2-restic
  namespace: default
spec:
  selector:
    matchLabels:
      app: b2-restic
  fileGroups:
  - path: /source/data
    retentionPolicyName: 'keep-last-5'
  backend:
    b2:
      bucket: stash-qa
      prefix: demo
    storageSecretName: b2-secret
  schedule: '@every 1m'
  volumeMounts:
  - mountPath: /source/data
    name: source-data
  retentionPolicies:
  - name: 'keep-last-5'
    keepLast: 5
    prune: true

Next Steps

  • Learn how to use Stash to backup a Kubernetes deployment here.
  • Learn about the details of Restic CRD here.
  • To restore a backup see here.
  • Learn about the details of Recovery CRD here.
  • To run backup in offline mode see here
  • See working examples for supported workload types here.
  • Thinking about monitoring your backup operations? Stash works out-of-the-box with Prometheus.
  • Learn about how to configure RBAC roles.
  • Learn about how to configure Stash operator as workload initializer here.
  • Want to hack on Stash? Check our contribution guidelines.