Add Support for GCS and Azure backups (timescale#401)

* add pgbackrest-secrets for gcs service key * add documentation for backing up to gcs * clean up gcs backup documentation and fix example * revert autogenerated toc changes * check for empty pgbackrest secret (for gcs) * remove s3 defaults and add examples for backup providers * add documentation for s3 azure and gcs changes * Fixed linting error * bump chart version * remove trailing space Signed-off-by: Gunnar Sundberg <[email protected]> Co-authored-by: Alex Grönholm <[email protected]>
klaus385 · Apr 26, 2023 · 45b4b37 · 45b4b37
1 parent 23e9697
commit 45b4b37
Show file tree

Hide file tree

Showing 6 changed files with 111 additions and 14 deletions.
diff --git a/charts/timescaledb-single/Chart.yaml b/charts/timescaledb-single/Chart.yaml
@@ -4,7 +4,7 @@
 apiVersion: v1
 name: timescaledb-single
 description: 'TimescaleDB HA Deployment.'
-version: 0.30.0
+version: 0.31.0
 # appVersion specifies the version of the software, which can vary wildly,
 # e.g. TimescaleDB 1.4.1 on PostgreSQL 11 or TimescaleDB 1.5.0 on PostgreSQL 12.
 # https://github.com/helm/helm/blob/master/docs/charts.md#the-appversion-field

diff --git a/charts/timescaledb-single/README.md b/charts/timescaledb-single/README.md
@@ -11,7 +11,7 @@ Please see the included NOTICE for copyright information and LICENSE for a copy
   - [Installing from the Timescale Helm Repo](#installing-from-the-timescale-helm-repo)
 - [Connecting to TimescaleDBs](#connecting-to-timescaledbs)
   - [Connecting from inside the Cluster](#connecting-from-inside-the-cluster)
-- [Create backups to S3](#create-backups-to-s3)
+- [Create backups](#create-backups)
 - [Cleanup](#cleanup)
 - [Further reading](#further-reading)
 
@@ -139,8 +139,9 @@ RELEASE=my-release
 kubectl exec -ti $(kubectl get pod -o name -l role=master,release=$RELEASE) psql
 ```
 
-## Create backups to S3
+## Create backups
 The backup is disabled by default, look at the
+
 [Administrator Guide](docs/admin-guide.md#backups) on how to configure backup location, credentials, schedules, etc.
 
 ## Cleanup

diff --git a/charts/timescaledb-single/docs/admin-guide.md b/charts/timescaledb-single/docs/admin-guide.md
@@ -261,12 +261,78 @@ If you intend to use this Helm chart in any operational capacity, configuring an
 - access key that allows you to login as the IAM user
 
 These configuration items should be part of the `RELEASE-pgbackrest` secret. Once you recreate this secret
-with the correct configurations, you can enable the backup by setting `backup.enabled` to `true`, for example:
+with the correct configurations, you can enable the backup in your `values.yaml`, for example:
+
+```yaml
+# Filename: myvalues.yaml
+secrets:
+  pgbackrest:
+    PGBACKREST_REPO1_S3_REGION: ""
+    PGBACKREST_REPO1_S3_KEY: ""
+    PGBACKREST_REPO1_S3_KEY_SECRET: ""
+    PGBACKREST_REPO1_S3_BUCKET: ""
+    PGBACKREST_REPO1_S3_ENDPOINT: "s3.amazonaws.com"
+
+backup:
+  enabled: true
+  pgBackRest:
+    repo1-type: s3
+    repo1-s3-region: us-east-2
+    repo1-s3-endpoint: s3.amazonaws.com
+```
+```
+helm upgrade --install example -f myvalues.yaml charts/timescaledb-single
+```
+
+### Create backups to Azure
+ the following items are required for you to enable creating backups to Azure:
+
+- an Azure Storage [account](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-create?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=azure-portal)
+- a container in the storage account
+- [Storage account access key](https://docs.microsoft.com/en-us/azure/storage/common/storage-account-keys-manage?toc=%2Fazure%2Fstorage%2Fblobs%2Ftoc.json&tabs=azure-portal) for authentication (either shared or sas)
+
+Similarly to S3, the access key configuration items should be part of the `RELEASE-pgbackrest` secret. Once you recreate this secret
+with the correct configurations, you can enable the backup in your `values.yaml`, for example:
+
+```yaml
+# Filename: myvalues.yaml
+secrets:
+  pgbackrest:
+    PGBACKREST_REPO1_AZURE_ACCOUNT: ""
+    PGBACKREST_REPO1_AZURE_CONTAINER: ""
+    PGBACKREST_REPO1_AZURE_KEY: ""
+    PGBACKREST_REPO1_AZURE_KEY_TYPE: ""
+
+backup:
+  enabled: true
+  pgBackRest:
+    repo1-type: azure
+    repo1-path: /repo
+```
+```
+helm upgrade --install example -f myvalues.yaml charts/timescaledb-single
+```
+
+### Create backups to GCS
+ the following items are required for you to enable creating backups to GCS:
+
+- a GCS bucket available for your backups
+- a [Service Account](https://cloud.google.com/storage/docs/projects#service-accounts)
+- [IAM Permissions for Cloud Storage](https://docs.aws.amazon.com/AmazonS3/latest/user-guide/add-bucket-policy.html) that allows the service account read and write access to (parts of) the bucket
+- [Service Account Key](https://cloud.google.com/iam/docs/creating-managing-service-account-keys) for authentication
+
+The service account key should be configured through the `RELEASE-pgbackrest-secrets` secret. Once you create this secret
+with the service account key, you can enable backups by setting `backup.enabled` to `true` and configuring `pgabackrest` to use GCS for backups. For example, if `RELEASE-pgbackrest-secrets` was configured as `your-service-key.json`:
 
 ```yaml
 # Filename: myvalues.yaml
 backup:
   enabled: true
+  pgBackRest:
+    repo1-type: gcs
+    repo1-path: /repo
+    repo1-gcs-bucket: your-bucket
+    repo1-gcs-key: /etc/pgbackrest_secrets/your-service-key.json
 ```
 ```
 helm upgrade --install example -f myvalues.yaml charts/timescaledb-single

diff --git a/charts/timescaledb-single/templates/secret-pgbackrest.yaml b/charts/timescaledb-single/templates/secret-pgbackrest.yaml
@@ -14,7 +14,7 @@ metadata:
     "helm.sh/hook-weight": "0"
     "helm.sh/resource-policy": keep
 type: Opaque
-{{- if .Release.IsUpgrade }}
+{{- if and (.Release.IsUpgrade) (ne (len .Values.secrets.pgbackrest) 0) }}
 data: {{ (lookup "v1" "Secret" .Release.Namespace (include "secrets_pgbackrest" .)).data }}
 {{- else }}
 stringData:

diff --git a/charts/timescaledb-single/templates/statefulset-timescaledb.yaml b/charts/timescaledb-single/templates/statefulset-timescaledb.yaml
@@ -293,6 +293,9 @@ spec:
         - mountPath: {{ template "scripts_dir" . }}
           name: timescaledb-scripts
           readOnly: true
+        - mountPath: /etc/pgbackrest_secrets
+          name: pgbackrest-secrets
+          readOnly: true
         - mountPath: "/etc/timescaledb/post_init.d"
           name: post-init
           readOnly: true
@@ -393,6 +396,9 @@ spec:
         - mountPath: {{ template "scripts_dir" . }}
           name: timescaledb-scripts
           readOnly: true
+        - mountPath: /etc/pgbackrest_secrets
+          name: pgbackrest-secrets
+          readOnly: true
         env:
           - name: PGHOST
             value: /var/run/postgresql
@@ -507,6 +513,11 @@ spec:
           name: {{ template "timescaledb.fullname" . }}-pgbackrest
           defaultMode: 416 # 0640 permissions
           optional: true
+      - name: pgbackrest-secrets
+        secret:
+          secretName: {{ template "timescaledb.fullname" . }}-pgbackrest-secrets
+          defaultMode: 416
+          optional: true
       - name: certificate
         secret:
           secretName: {{ template "secrets_certificate" . }}

diff --git a/charts/timescaledb-single/values.yaml b/charts/timescaledb-single/values.yaml
@@ -53,12 +53,19 @@ secrets:
   certificateSecretName: ""
 
   # This secret should contain environment variables that influence pgBackRest.
-  pgbackrest:
-    PGBACKREST_REPO1_S3_REGION: ""
-    PGBACKREST_REPO1_S3_KEY: ""
-    PGBACKREST_REPO1_S3_KEY_SECRET: ""
-    PGBACKREST_REPO1_S3_BUCKET: ""
-    PGBACKREST_REPO1_S3_ENDPOINT: "s3.amazonaws.com"
+  pgbackrest: {}
+    # Example S3 configuration
+    # PGBACKREST_REPO1_S3_REGION: ""
+    # PGBACKREST_REPO1_S3_KEY: ""
+    # PGBACKREST_REPO1_S3_KEY_SECRET: ""
+    # PGBACKREST_REPO1_S3_BUCKET: ""
+    # PGBACKREST_REPO1_S3_ENDPOINT: "s3.amazonaws.com"
+
+    # Example Azure configuration
+    # PGBACKREST_REPO1_AZURE_ACCOUNT: ""
+    # PGBACKREST_REPO1_AZURE_CONTAINER: ""
+    # PGBACKREST_REPO1_AZURE_KEY: ""
+    # PGBACKREST_REPO1_AZURE_KEY_TYPE: ""
 
   # Selector used to provision your own Secret containing pgbackrest configuration details
   # This is mutually exclusive with `pgbackrest` option and takes precedence over it.
@@ -81,10 +88,22 @@ backup:
     start-fast: "y"
     repo1-retention-diff: 2
     repo1-retention-full: 2
-    repo1-type: s3
     repo1-cipher-type: "none"
-    repo1-s3-region: us-east-2
-    repo1-s3-endpoint: s3.amazonaws.com
+
+    # Example S3 configuration
+    # repo1-type: s3
+    # repo1-s3-region: us-east-2
+    # repo1-s3-endpoint: s3.amazonaws.com
+
+    # Example GCS configuration
+    # repo1-type: gcs
+    # repo1-path: /repo
+    # repo1-gcs-bucket: your-bucket
+    # repo1-gcs-key: /etc/pgbackrest_secrets/your-service-key.json
+
+    # Example Azure configuration
+    # repo1-type: azure
+    # repo1-path: /repo
 
   # Overriding the archive-push/archive-get sections is most useful in
   # very high througput situations. Look at values/high_throuhgput_example.yaml for more details