You are looking at the documentation of a prior release. To read the documentation of the latest release, please visit here.
Stash supports AWS S3 or S3 compatible storage services like Minio servers, Rook Object Store, DigitalOceans Space as a backend. This tutorial will show you how to use this backend.
In order to use S3 or S3 compatible storage service as backend, you have to create a
Secret and a
Repository object pointing to the desired bucket.
If the bucket does not exist yet, Stash will create it automatically in the default region (
us-east-1) during the first backup. In this case, you have to make sure that the bucket name is unique across all S3 buckets. Currently, it is not possible for Stash to create bucket in different region. You have to create the bucket in your desired region before using it in Stash.
To configure storage secret for this backend, following secret keys are needed:
|Password that will be used to encrypt the backup snapshots.|
|AWS / Minio / Rook / DigitalOcean Spaces access key ID|
|AWS / Minio / Rook / DigitalOcean Spaces secret access key|
|CA certificate used by storage backend. This can be used to pass the root certificate that has been used to sign the server certificate of a TLS secured Minio server.|
Create storage secret as below,
$ echo -n 'changeit' > RESTIC_PASSWORD $ echo -n '<your-aws-access-key-id-here>' > AWS_ACCESS_KEY_ID $ echo -n '<your-aws-secret-access-key-here>' > AWS_SECRET_ACCESS_KEY $ kubectl create secret generic -n demo s3-secret \ --from-file=./RESTIC_PASSWORD \ --from-file=./AWS_ACCESS_KEY_ID \ --from-file=./AWS_SECRET_ACCESS_KEY secret/s3-secret created
For TLS secured Minio Server, create secret as below,
$ echo -n 'changeit' > RESTIC_PASSWORD $ echo -n '<your-minio-access-key-id-here>' > AWS_ACCESS_KEY_ID $ echo -n '<your-minio-secret-access-key-here>' > AWS_SECRET_ACCESS_KEY $ cat ./directory/of/root/certificate/ca.crt > CA_CERT_DATA $ kubectl create secret generic -n demo minio-secret \ --from-file=./RESTIC_PASSWORD \ --from-file=./AWS_ACCESS_KEY_ID \ --from-file=./AWS_SECRET_ACCESS_KEY \ --from-file=./CA_CERT_DATA secret/minio-secret created
Now, you have to create a
Repository crd. You have to provide the storage secret that we have created earlier in
Following parameters are available for
|For S3, use |
|Name of Bucket. If the bucket does not exist yet it will be created in the default location (|
|Specify the region of your bucket.|
|Path prefix inside the bucket where the backed up data will be stored.|
Below, the YAML of a sample
Repository crd that uses an
S3 bucket as a backend.
apiVersion: stash.appscode.com/v1alpha1 kind: Repository metadata: name: s3-repo namespace: demo spec: backend: s3: endpoint: s3.amazonaws.com # use server URL for s3 compatible other storage service bucket: stash-demo region: us-west-1 prefix: /backup/demo/deployment/stash-demo storageSecretName: s3-secret
For S3 compatible Minio and other storage services, specify the endpoint with connection scheme (
apiVersion: stash.appscode.com/v1alpha1 kind: Repository metadata: name: minio-repo namespace: demo spec: backend: s3: endpoint: https://my-minio-service.minio-namespace.svc bucket: stash-demo prefix: /backup/demo/deployment/stash-demo storageSecretName: s3-secret
s3-repo Repository we have shown above using the following command,
$ kubectl apply -f https://github.com/stashed/docs/raw/v2023.01.05/docs/guides/backends/s3/examples/s3.yaml repository/s3-repo created
Now, we are ready to use this backend to backup our desired data using Stash.