
Configure a backup storage

Afi offers both Afi-managed and customer-managed backup storage options; the customer-managed option lets you store backups in your own Google Cloud Storage bucket and keep full control over your data.

The Afi-managed backup storage option is the default one; it is provisioned immediately upon Kubernetes cluster onboarding in a region of your choice. At the moment the following Afi data locations are available:

  • The United States (Google datacenter us-central1)
  • Europe, Netherlands (Google datacenter eu-west4)

If you prefer to store backups in your own bucket, you can create a custom backup storage for your Afi account and configure Kubernetes tenants under your Afi account to back up data to that storage. To set up a storage, you will need to install the Afi data service instance in one of your Kubernetes clusters; this data service instance will serve as a backup gateway for one or several of your clusters.

If you want to store backup data in several Google Cloud Platform regions, you will need to set up a separate storage and Afi data service instance in each region and configure the Kubernetes clusters in each region to work with the corresponding storage. For enhanced backup reliability you can also configure a single Kubernetes cluster to back up data to several storages, which gives you a copy of your data in the cluster's region and a reserve copy in another region in a different geographic location.

Both Afi-managed and customer-managed backup storage options allow you to use either an Afi-managed data encryption key or your own Google KMS key. Please see our article on BYOK encryption setup for more details.

The rest of the article explains how to set up a custom backup storage with your own Google Cloud Storage bucket, install the Afi data service and configure your Kubernetes clusters to use the configured storage.

Create a storage

Backup storages available for your Afi account are managed at the organization level and can be used by any cluster under your organization. To initialize a new storage, go to the Configuration → Storages tab in the Afi portal and click the Add storage button.

The dialog that appears lets you choose between provisioning an additional Afi storage and configuring your own bucket as backup storage.

Provision an additional Afi storage

If you want to store backup data for any of your clusters in several Afi data regions, you will need to connect an Afi data storage from each corresponding region to your Afi account. A default Afi data storage instance is provisioned automatically upon tenant onboarding, based on the Afi region that you choose.

Choose an Afi data region to connect to your account and click Save to create a storage.

Configure a storage with your own bucket

Create a service account

This section explains how to create a service account and generate a credentials file that an Afi data service instance will use to connect to your Google Cloud Storage bucket.

Save the following role configuration for a service account as role.yaml. Note that includedPermissions must list IAM permissions, not role names such as roles/storage.objectAdmin; the entries below are the object-level permissions that role grants:

title: "dataservice"
description: "dataservice role"
stage: "ALPHA"
# Object-level permissions of roles/storage.objectAdmin (a role name here would be rejected)
includedPermissions:
- storage.objects.create
- storage.objects.delete
- storage.objects.get
- storage.objects.list
- storage.objects.update

Create a custom role (replace ${project} with your own GCP project ID):

gcloud iam roles create k8sDataServiceRole \
    --project ${project} \
    --file=role.yaml

Next, create a GCP IAM service account named data-service-sa and bind the custom role to it:

gcloud iam service-accounts create data-service-sa \
    --display-name "service account for the Afi data service"

Bind the role to the service account (the shell variable data_service_sa_email holds the email identifier of the newly created service account in your GCP project ${project}, which is data-service-sa@${project}.iam.gserviceaccount.com; shell variable names cannot contain hyphens, so it is spelled with underscores):

# Look up the account by its exact email so an empty result means it was not created
data_service_sa_email=$(gcloud iam service-accounts list \
    --project "${project}" \
    --filter="email=data-service-sa@${project}.iam.gserviceaccount.com" \
    --format="value(email)")

gcloud projects add-iam-policy-binding "${project}" \
    --member "serviceAccount:${data_service_sa_email}" \
    --role "projects/${project}/roles/k8sDataServiceRole"

Generate and save the service account credentials. The key file is a long-lived credential with write access to your backups, so keep it out of version control and treat it as a secret:

gcloud iam service-accounts keys create data-service-sa-key.json \
    --iam-account="${data_service_sa_email}"
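One check worth running after the binding step (example code added here, not from Afi's documentation): it audits the service account's bindings in a saved IAM policy and flags any role beyond the custom one. It assumes a policy in the shape of gcloud projects get-iam-policy ${project} --format=json; the example-project name and the extra roles/storage.admin binding are constructed sample data.

```python
import json

# Constructed sample in the shape of `gcloud projects get-iam-policy PROJECT --format=json`.
# The roles/storage.admin binding is deliberately wrong so the audit has something to flag.
SAMPLE_POLICY = json.loads("""
{
  "bindings": [
    {"role": "projects/example-project/roles/k8sDataServiceRole",
     "members": ["serviceAccount:data-service-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/storage.admin",
     "members": ["user:alice@example.com",
                 "serviceAccount:data-service-sa@example-project.iam.gserviceaccount.com"]},
    {"role": "roles/viewer", "members": ["user:bob@example.com"]}
  ],
  "etag": "BwExampleEtag",
  "version": 1
}
""")

# Roles whose presence on a backup gateway account is a serious over-grant.
HIGH_RISK_ROLES = {"roles/owner", "roles/editor", "roles/storage.admin"}


def audit_sa_bindings(policy, sa_email, expected_role):
    """Return findings for the data-service account's bindings in an IAM policy.

    The expected state is that the account holds exactly expected_role (the
    custom k8sDataServiceRole) and nothing else; a missing expected role and
    every extra role are reported, with basic and storage.admin roles marked HIGH.
    """
    member = f"serviceAccount:{sa_email}"
    held = sorted(b["role"] for b in policy.get("bindings", [])
                  if member in b.get("members", []))
    findings = []
    if expected_role not in held:
        findings.append(f"missing expected role {expected_role}")
    for role in held:
        if role != expected_role:
            severity = "HIGH" if role in HIGH_RISK_ROLES else "MEDIUM"
            findings.append(f"{severity}: unexpected extra role {role}")
    return findings


if __name__ == "__main__":
    sa = "data-service-sa@example-project.iam.gserviceaccount.com"
    for finding in audit_sa_bindings(SAMPLE_POLICY, sa, "projects/example-project/roles/k8sDataServiceRole"):
        print(finding)
```

The binding in the step above is project-wide, so the custom role applies to every bucket in the project; if you scope it to the backup bucket instead, the same audit works on the output of gcloud storage buckets get-iam-policy gs://BUCKET --format=json.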

Provision a storage

After selecting a custom backup storage option, please specify the following parameters and click Save:

  • Storage name (should be an RFC1123 label)
  • Storage description
  • Google Cloud Platform region where your bucket resides
  • Bucket name
  • Service account credentials for bucket access

Install the Afi data service instance

After a storage is created, please download the installation helm chart provided by Afi and install the Afi data service in a Kubernetes cluster residing in the same region:

helm install -n data-service afi-k8s-backup afi/afi-data-service \
    --create-namespace --wait -f data-service-config.yaml

Once the data service instance is installed, you can check its status on the Configuration → Storages tab. Afi monitors availability of configured data service instances and will generate an alert if a data service instance gets disconnected or when an update is available.

You can upgrade your data service to the newest version by running the following command while connected to the cluster where it is running. The release name and namespace must match the ones used at install time; run helm repo update first so the newest chart version is visible, and pass the same values file so your settings are preserved:

helm upgrade -n data-service afi-k8s-backup afi/afi-data-service \
    -f data-service-config.yaml

Create a backup policy

Once a backup storage is created, go to the Service → Settings → SLA tab, click Add new SLA and select your newly created storage from the available storage list in the SLA policy settings. Please see our backup configuration and BYOK setup article for further details regarding backup SLA setup.

Please note that it is not possible to change a backup storage for a backup SLA policy once the policy is created.

Protect your cluster with a custom storage backup policy

Once a backup SLA policy with a custom storage is configured, you can protect your Kubernetes namespaces by selecting all or specific namespaces on the Service → Protection tab, clicking on the Assign SLA button and selecting the policy from the provided list.