From 06717dc65f8bc52c92a3226eb10b3613e48ee6ef Mon Sep 17 00:00:00 2001 From: moelsayed Date: Tue, 9 Jul 2019 22:27:43 +0200 Subject: [PATCH] Add documentation about using IAM roles for S3 backup --- .../v2.x/en/cluster-admin/backing-up-etcd/_index.md | 12 ++++++++++-- content/rke/latest/en/etcd-snapshots/_index.md | 8 ++++---- 2 files changed, 14 insertions(+), 6 deletions(-) diff --git a/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md b/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md index 857ddd1f624..6601b09625f 100644 --- a/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md +++ b/content/rancher/v2.x/en/cluster-admin/backing-up-etcd/_index.md @@ -39,7 +39,7 @@ By default, the `local` backup target is selected. The benefits of this option i #### S3 Backup Target -The `S3` backup target allows users to configure a S3 compatible backend to store the snapshots. The primary benefit of this option is that if the cluster loses all the etcd nodes, the cluster can still be restored as the snapshots are stored externally. Rancher recommends external targets like `S3` backup, however its configuration reuqirements do require additional effort that should be considered. +The `S3` backup target allows users to configure a S3 compatible backend to store the snapshots. The primary benefit of this option is that if the cluster loses all the etcd nodes, the cluster can still be restored as the snapshots are stored externally. Rancher recommends external targets like `S3` backup, however its configuration requirements do require additional effort that should be considered. | Option | Description | Required| |---|---|---| 
@@ -49,13 +49,21 @@ The `S3` backup target allows users to configure a S3 compatible backend to stor |S3 Access Key|S3 access key with permission to access the backup bucket|*| |S3 Secret Key|S3 secret key with permission to access the backup bucket|*| +##### IAM Support +The `S3` backup target supports using IAM authentication to AWS API in addition to using API credentials. To use IAM authentication, the following requirements must be met: + * The cluster etcd nodes must have an instance role that has read/write access to the designated backup bucket. + * The cluster etcd nodes must have network access to the specified S3 endpoint. + * The Rancher Server node(s) must have an instance role that has read/write to the designated backup bucket. + * The Rancher Server node(s) must have network access to the specified S3 endpoint. + + ### Snapshot Creation Period and Retention Count Select how often you want recurring snapshots to be taken as well as how many snapshots to keep. The amount of time is measured in hours. With timestamped snapshots, the user has the ability to do a point-in-time recovery. ## One-Time Snapshots -In addition to recurring snapshots, you may want to take a "one-time" snapshot. For example, before upgrading the Kubernetes version of a cluster it's best to backup the state of the cluster to protect against upgrade failure. +In addition to recurring snapshots, you may want to take a "one-time" snapshot. For example, before upgrading the Kubernetes version of a cluster it's best to backup the state of the cluster to protect against upgrade failure. 1. In the **Global** view, navigate to the cluster that you want to take a one-time snapshot. diff --git a/content/rke/latest/en/etcd-snapshots/_index.md b/content/rke/latest/en/etcd-snapshots/_index.md index b691f0e8f11..ca7b68826b1 100644 --- a/content/rke/latest/en/etcd-snapshots/_index.md +++ b/content/rke/latest/en/etcd-snapshots/_index.md 
@@ -36,6 +36,9 @@ As of v0.2.0, the one-time snapshot can be uploaded to a S3 compatible backend b | `--ssh-agent-auth` | [Use SSH Agent Auth defined by SSH_AUTH_SOCK]({{< baseurl >}}/rke/latest/en/config-options/#ssh-agent) | | | `--ignore-docker-version` | [Disable Docker version check]({{< baseurl >}}/rke/latest/en/config-options/#supported-docker-versions) | +##### IAM Support +In addition to API access keys, RKE supports using IAM roles for S3 authentication. The cluster etcd nodes must be assigned an IAM role that has read/write access to the designated backup bucket on S3. Also, the nodes must have network access to the S3 endpoint specified. + ### Local One-Time Snapshot Example ``` @@ -257,7 +260,7 @@ nodes: After the new node is added to the `cluster.yml`, run `rke etcd snapshot-restore` to launch `etcd` from the backup. The snapshot and `pki.bundle.tar.gz` file are expected to be saved at `/opt/rke/etcd-snapshots`. As of v0.2.0, if you want to directly retrieve the snapshot from S3, add in the [S3 options](#options-for-rke-etcd-snapshot-restore). -> **Note:** As of v0.2.0, the file **pki.bundle.tar.gz** is no longer required for the restore process as the certificates required to restore are preserved within the `cluster.rkestate` +> **Note:** As of v0.2.0, the file **pki.bundle.tar.gz** is no longer required for the restore process as the certificates required to restore are preserved within the `cluster.rkestate` ``` $ rke etcd snapshot-restore --name snapshot.db --config cluster.yml @@ -298,6 +301,3 @@ docker container inspect rke-bundle-cert ``` The important thing to note is the mounts of the container and location of the **pki.bundle.tar.gz**. - - -
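Review bot: In the first Rancher hunk (@@ -39,7 +39,7), the typo fix is correct, but the same sentence still reads "configure a S3 compatible backend"; since the line is already being touched, "an S3-compatible backend" would fix the article and hyphenation in one go.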
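Review bot: The new "IAM Support" section in the Rancher hunk (@@ -49,13 +49,21) contradicts the options table just above it, which still marks "S3 Access Key" and "S3 Secret Key" as required (`*`); the section should state explicitly that those two fields are left empty when IAM authentication is used, otherwise readers will assume both an instance role and static keys are needed. Two smaller points in the same hunk: the third bullet reads "has read/write to the designated backup bucket" and is missing "access", and "IAM authentication to AWS API" should be "to the AWS API". It would also help operators to say what "read/write access" means in S3 terms (listing the bucket and getting, putting and deleting objects under the snapshot prefix), so the instance role can be scoped to that bucket rather than granted broad S3 access.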
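Review bot: In the RKE hunk (@@ -36,6 +36,9) the added "IAM Support" paragraph only appears under the snapshot-save options, while the restore section further down tells readers to "add in the S3 options" for `rke etcd snapshot-restore`; the doc should say whether IAM role authentication applies to restore as well, or whether `--access-key`/`--secret-key` are still needed there. The paragraph should also state the RKE version that introduced IAM support, in the same "As of v0.2.0" style used for S3 upload at the top of the hunk, and that the access key flags are omitted when a role is used. Finally, the heading jumps from `###` to `#####`, skipping a level; `####` would match the surrounding structure.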
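Review bot: The change in @@ -257,7 +260,7 is trailing-whitespace only, which is fine, but since the `> **Note:**` line is being rewritten anyway it would be worth ending the sentence with a period after `cluster.rkestate` so the note does not read as cut off.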