AWS S3

Stash supports AWS S3 service or S3 compatible services like Minio servers, Rook Object store as backend. This tutorial will show you how to configure Restic and storage Secret for AWS S3 backend.

Create Storage Secret

To configure storage secret for this backend, following secret keys are needed:

Key Description
RESTIC_PASSWORD Required. Password used to encrypt snapshots by restic
AWS_ACCESS_KEY_ID Required. AWS / Minio / DigitalOcean Spaces access key ID
AWS_SECRET_ACCESS_KEY Required. AWS / Minio / DigitalOcean Spaces secret access key
CA_CERT_DATA optional. CA certificate used by storage backend. This can be used to pass a self-signed ca used with Minio server.

Create storage secret as below,

$ echo -n 'changeit' > RESTIC_PASSWORD
$ echo -n '<your-aws-access-key-id-here>' > AWS_ACCESS_KEY_ID
$ echo -n '<your-aws-secret-access-key-here>' > AWS_SECRET_ACCESS_KEY
$ kubectl create secret generic s3-secret \
    --from-file=./RESTIC_PASSWORD \
    --from-file=./AWS_ACCESS_KEY_ID \
    --from-file=./AWS_SECRET_ACCESS_KEY
secret "s3-secret" created

Verify that the secret has been created with respective keys,

$ kubectl get secret s3-secret -o yaml

apiVersion: v1
data:
  AWS_ACCESS_KEY_ID: PHlvdXItYXdzLWFjY2Vzcy1rZXktaWQtaGVyZT4=
  AWS_SECRET_ACCESS_KEY: PHlvdXItYXdzLXNlY3JldC1hY2Nlc3Mta2V5LWhlcmU+
  RESTIC_PASSWORD: Y2hhbmdlaXQ=
kind: Secret
metadata:
  creationTimestamp: 2017-06-28T12:22:33Z
  name: s3-secret
  namespace: default
  resourceVersion: "2511"
  selfLink: /api/v1/namespaces/default/secrets/s3-secret
  uid: 766d78bf-5bfc-11e7-bb52-08002711f4aa
type: Opaque

Configure Restic

Now, you have to configure Restic crd to use AWS S3 backend. You have to provide previously created storage secret in spec.backend.storageSecretName field.

Following parameters are available for S3 backend.

Parameter Description
s3.endpoint Required. For S3, use s3.amazonaws.com. If your bucket is in a different location, S3 server (s3.amazonaws.com) will redirect restic to the correct endpoint. For DigitalOCean, use nyc3.digitaloceanspaces.com etc. depending on your bucket region. For an S3-compatible server that is not Amazon (like Minio), or is only available via HTTP, you can specify the endpoint like this: http://server:port.
s3.bucket Required. Name of Bucket. If the bucket does not exist yet it will be created in the default location (us-east-1 for S3). It is not possible at the moment to have restic create a new bucket in a different location, so you need to create it using a different program.
s3.prefix Optional. Path prefix into bucket where repository will be created.

Below, the YAML for Restic crd configured to use AWS S3 backend.

apiVersion: stash.appscode.com/v1alpha1
kind: Restic
metadata:
  name: s3-restic
  namespace: default
spec:
  selector:
    matchLabels:
      app: s3-restic
  fileGroups:
  - path: /source/data
    retentionPolicyName: 'keep-last-5'
  backend:
    s3:
      endpoint: 's3.amazonaws.com'
      bucket: stash-qa
      prefix: demo
    storageSecretName: s3-secret
  schedule: '@every 1m'
  volumeMounts:
  - mountPath: /source/data
    name: source-data
  retentionPolicies:
  - name: 'keep-last-5'
    keepLast: 5
    prune: true

Now, create the Restic we have configured above for s3 backend,

$ kubectl apply -f ./docs/examples/backends/s3/s3-restic.yaml
restic "s3-restic" created

Next Steps

  • Learn how to use Stash in Amazon Elastic Container Service for Kubernetes (EKS) from here.
  • Learn how to use Stash with S3 compatible Mino Storage Server from here.
  • Learn how to use Stash with S3 comptatibe Rook Storage Service from here.
  • Learn how to use Stash to backup a Kubernetes deployment from here.
  • Learn how to recover from backed up snapshot from here.

Take your team where it needs to go.

Create your cluster in minutes. Our team is here to help and would be happy to chat with you.