Backups

CAPL supports performing etcd backups by provisioning an Object Storage bucket and access keys. This feature is not enabled by default and can be configured as an addon.

Warning

Enabling this addon requires enabling Object Storage in the account where the resources will be provisioned. Please refer to the Pricing information in Linode's Object Storage documentation.

Enabling Backups

To enable backups, use the addon flag during provisioning to select the etcd-backup-restore addon:

clusterctl generate cluster $CLUSTER_NAME \
  --kubernetes-version v1.29.1 \
  --infrastructure linode-linode \
  --flavor etcd-backup-restore \
  | kubectl apply -f -

For finer-grained control and to learn more about etcd backups, refer to the backups section of the etcd page.

Object Storage

Additionally, CAPL can be used to provision Object Storage buckets and access keys for general purposes by configuring LinodeObjectStorageBucket and LinodeObjectStorageKey resources.

Warning

Using this feature requires enabling Object Storage in the account where the resources will be provisioned. Please refer to the Pricing information in Linode's Object Storage documentation.

Bucket Creation

The following is the minimal required configuration needed to provision an Object Storage bucket.

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: LinodeObjectStorageBucket
metadata:
  name: <unique-bucket-label>
  namespace: <namespace>
spec:
  region: <object-storage-region>

Upon creation of the resource, CAPL will provision a bucket in the region specified using the .metadata.name as the bucket's label.

Warning

The bucket label must be unique within the region across all accounts. Otherwise, CAPL will populate the resource status fields with errors to show that the operation failed.

Bucket Status

Upon successful provisioning of a bucket, the LinodeObjectStorageBucket resource's status will resemble the following:

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: LinodeObjectStorageBucket
metadata:
  name: <unique-bucket-label>
  namespace: <namespace>
spec:
  region: <object-storage-region>
status:
  ready: true
  conditions:
    - type: Ready
      status: "True"
      lastTransitionTime: <timestamp>
  hostname: <hostname-for-bucket>
  creationTime: <bucket-creation-timestamp>

Access Key Creation

The following is the minimal required configuration needed to provision an Object Storage key.

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: LinodeObjectStorageKey
metadata:
  name: <unique-key-label>
  namespace: <namespace>
spec:
  bucketAccess:
    - bucketName: <unique-bucket-label>
      permissions: read_only
      region: <object-storage-region>
  generatedSecret:
    type: Opaque

Upon creation of the resource, CAPL will provision an access key in the region specified using the .metadata.name as the key's label.

The credentials for the provisioned access key will be stored in a Secret. By default, the Secret is generated in the same namespace as the LinodeObjectStorageKey:

apiVersion: v1
kind: Secret
metadata:
  name: <unique-key-label>-obj-key
  namespace: <same-namespace-as-object-storage-key>
  ownerReferences:
    - apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
      kind: LinodeObjectStorageKey
      name: <unique-key-label>
      controller: true
      uid: <unique-uid>
data:
  access_key: <base64-encoded-access-key>
  secret_key: <base64-encoded-secret-key>

The Secret is owned and managed by CAPL for the lifetime of the LinodeObjectStorageKey.
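As an added example (not part of CAPL or its documentation), the following Python script audits a LinodeObjectStorageKey spec against a per-bucket permission ceiling and sanity-checks the generated Secret before its credentials are handed to a workload. It reads the JSON that `kubectl get ... -o json` prints. The allow-list, the `read_write` value (Linode's other bucket_access permission, which does not appear on this page), the check that the Secret carries a controller ownerReference to the LinodeObjectStorageKey, and the sample objects are all assumptions and constructed data of this example.

```python
"""Least-privilege audit for a LinodeObjectStorageKey plus a sanity check of
the Secret CAPL generates for it. Added example; not CAPL's own code.

Usage (reads the JSON that kubectl prints):
  kubectl get linodeobjectstoragekey <unique-key-label> -o json > key.json
  kubectl get secret <unique-key-label>-obj-key -o json > secret.json
  python3 capl_key_audit.py key.json secret.json
"""
import base64
import json
import sys

# Policy assumed for this example: buckets a key may touch and the highest
# permission allowed per bucket. "read_write" is Linode's other bucket_access
# permission value; only "read_only" is shown on the page.
ALLOWED_BUCKETS = {"example-bucket": "read_only"}


def audit_key_spec(key_obj, allowed_buckets, expected_region=None):
    """Return a list of findings; empty means the spec stays within the
    allow-list and the permission ceilings."""
    findings = []
    spec = key_obj.get("spec") or {}
    accesses = spec.get("bucketAccess") or []
    if not accesses:
        findings.append("spec.bucketAccess is empty: the key would grant nothing")
    for i, access in enumerate(accesses):
        where = f"spec.bucketAccess[{i}]"
        bucket = access.get("bucketName")
        perm = access.get("permissions")
        if bucket not in allowed_buckets:
            findings.append(f"{where}: bucket {bucket!r} is not in the allow-list")
            continue
        if perm != "read_only" and allowed_buckets[bucket] == "read_only":
            findings.append(f"{where}: {perm!r} exceeds the read_only ceiling for {bucket!r}")
        if expected_region and access.get("region") != expected_region:
            findings.append(f"{where}: region {access.get('region')!r} is not {expected_region!r}")
    secret_type = (spec.get("generatedSecret") or {}).get("type")
    if secret_type != "Opaque":
        findings.append(f"spec.generatedSecret.type is {secret_type!r}, expected 'Opaque'")
    return findings


def check_generated_secret(secret_obj, key_obj):
    """Confirm the Secret is the one CAPL manages for this key and that both
    credential fields decode to non-empty values. Credential bytes are never
    returned or printed. The controller ownerReference pointing at the
    LinodeObjectStorageKey is an assumption of this example."""
    findings = []
    key_name = (key_obj.get("metadata") or {}).get("name")
    owners = (secret_obj.get("metadata") or {}).get("ownerReferences") or []
    if not any(o.get("kind") == "LinodeObjectStorageKey" and o.get("name") == key_name
               and o.get("controller") for o in owners):
        findings.append("Secret is not controller-owned by the LinodeObjectStorageKey")
    data = secret_obj.get("data") or {}
    for field in ("access_key", "secret_key"):
        raw = data.get(field)
        if raw is None:
            findings.append(f"data.{field} is missing")
            continue
        try:
            value = base64.b64decode(raw, validate=True)  # binascii.Error is a ValueError
        except ValueError:
            findings.append(f"data.{field} is not valid base64")
            continue
        if not value:
            findings.append(f"data.{field} decodes to an empty value")
    return findings


# Constructed sample objects mirroring the manifests on this page.
SAMPLE_KEY = {
    "apiVersion": "infrastructure.cluster.x-k8s.io/v1alpha2", "kind": "LinodeObjectStorageKey",
    "metadata": {"name": "example-key", "namespace": "default"},
    "spec": {"bucketAccess": [{"bucketName": "example-bucket", "permissions": "read_only",
                               "region": "<object-storage-region>"}],
             "generatedSecret": {"type": "Opaque"}},
}
SAMPLE_SECRET = {
    "apiVersion": "v1", "kind": "Secret", "type": "Opaque",
    "metadata": {"name": "example-key-obj-key", "namespace": "default",
                 "ownerReferences": [{"apiVersion": "infrastructure.cluster.x-k8s.io/v1alpha2",
                                      "kind": "LinodeObjectStorageKey", "name": "example-key",
                                      "controller": True, "uid": "<unique-uid>"}]},
    "data": {"access_key": base64.b64encode(b"CONSTRUCTED-ACCESS-KEY").decode(),
             "secret_key": base64.b64encode(b"CONSTRUCTED-SECRET-KEY").decode()},
}

if __name__ == "__main__":
    if len(sys.argv) == 3:
        with open(sys.argv[1]) as f:
            key = json.load(f)
        with open(sys.argv[2]) as f:
            secret = json.load(f)
    else:
        key, secret = SAMPLE_KEY, SAMPLE_SECRET
    problems = audit_key_spec(key, ALLOWED_BUCKETS) + check_generated_secret(secret, key)
    for p in problems:
        print("FINDING:", p)
    sys.exit(1 if problems else 0)
```

Run without arguments to exercise the constructed sample; with the two JSON files it exits non-zero on any finding, so it can gate the step that mounts the Secret into a workload.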

Access Key Status

Upon successful provisioning of a key, the LinodeObjectStorageKey resource's status will resemble the following:

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: LinodeObjectStorageKey
metadata:
  name: <unique-key-label>
  namespace: <namespace>
spec:
  bucketAccess:
    - bucketName: <unique-bucket-label>
      permissions: read_only
      region: <object-storage-region>
  generatedSecret:
    type: Opaque
status:
  ready: true
  conditions:
    - type: Ready
      status: "True"
      lastTransitionTime: <timestamp>
  accessKeyRef: <object-storage-key-id>
  creationTime: <key-creation-timestamp>
  lastKeyGeneration: 0
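The bucket status and the key status above share one shape: .status.ready plus a Ready condition, with the error surfaced in the status fields when provisioning fails (for example a bucket label that is not unique). The following Python script, added here as an example and not CAPL's own tooling, reads the JSON from `kubectl get ... -o json` for either kind (or a kubectl List of both), prints a one-line summary per object including the bucket hostname or the key's accessKeyRef, and exits non-zero if anything is not Ready. The sample objects and the failure message in them are constructed.

```python
"""Readiness check for CAPL LinodeObjectStorageBucket and LinodeObjectStorageKey
objects. Added example; not part of CAPL.

Usage:
  kubectl get linodeobjectstoragebuckets,linodeobjectstoragekeys -A -o json \
      | python3 capl_obj_ready.py
Exit status 1 when any object is not Ready, so the check can gate a pipeline.
"""
import json
import sys


def ready_condition(obj):
    """Return (ready, message) from .status.ready and the Ready condition.
    On failure the condition's message (or reason) is surfaced; its exact text
    is whatever CAPL wrote and is not assumed here."""
    status = obj.get("status") or {}
    conditions = status.get("conditions") or []
    ready_cond = next((c for c in conditions if c.get("type") == "Ready"), None)
    ready = bool(status.get("ready")) and ready_cond is not None \
        and ready_cond.get("status") == "True"
    if ready:
        return True, "Ready"
    if ready_cond is None:
        return False, "no Ready condition reported yet"
    return False, ready_cond.get("message") or ready_cond.get("reason") or "not ready"


def summarize(obj):
    """One line per object, with the kind-specific outputs the docs list."""
    kind = obj.get("kind", "?")
    meta = obj.get("metadata") or {}
    name = f"{meta.get('namespace', '')}/{meta.get('name', '')}"
    ready, msg = ready_condition(obj)
    status = obj.get("status") or {}
    extra = ""
    if kind == "LinodeObjectStorageBucket" and status.get("hostname"):
        extra = f" hostname={status['hostname']}"
    elif kind == "LinodeObjectStorageKey" and status.get("accessKeyRef") is not None:
        extra = (f" accessKeyRef={status['accessKeyRef']}"
                 f" lastKeyGeneration={status.get('lastKeyGeneration')}")
    state = "READY" if ready else "NOT READY"
    return f"{kind} {name}: {state} ({msg}){extra}"


def items_of(doc):
    """Accept a single object or a kubectl List and return the objects."""
    if doc.get("kind") == "List":
        return doc.get("items") or []
    return [doc]


def check_all(doc):
    """Return (all_ready, [summary lines]) for every object in the document."""
    objs = items_of(doc)
    return all(ready_condition(o)[0] for o in objs), [summarize(o) for o in objs]


# Constructed sample: a ready bucket and a key whose Ready condition is False.
SAMPLE_LIST = {
    "kind": "List",
    "items": [
        {"apiVersion": "infrastructure.cluster.x-k8s.io/v1alpha2",
         "kind": "LinodeObjectStorageBucket",
         "metadata": {"name": "example-bucket", "namespace": "default"},
         "spec": {"region": "<object-storage-region>"},
         "status": {"ready": True, "hostname": "<hostname-for-bucket>",
                    "conditions": [{"type": "Ready", "status": "True"}]}},
        {"apiVersion": "infrastructure.cluster.x-k8s.io/v1alpha2",
         "kind": "LinodeObjectStorageKey",
         "metadata": {"name": "example-key", "namespace": "default"},
         "spec": {"bucketAccess": [{"bucketName": "example-bucket",
                                    "permissions": "read_only",
                                    "region": "<object-storage-region>"}]},
         "status": {"ready": False,
                    "conditions": [{"type": "Ready", "status": "False",
                                    "message": "constructed failure message"}]}},
    ],
}

if __name__ == "__main__":
    doc = SAMPLE_LIST if sys.stdin.isatty() else json.load(sys.stdin)
    ok, lines = check_all(doc)
    print("\n".join(lines))
    sys.exit(0 if ok else 1)
```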

Access Key Rotation

Setting keyGeneration to a new value (one that differs from .status.lastKeyGeneration), as in the following configuration, instructs CAPL to rotate the access key.

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha2
kind: LinodeObjectStorageKey
metadata:
  name: <unique-key-label>
  namespace: <namespace>
spec:
  bucketAccess:
    - bucketName: <unique-bucket-label>
      permissions: read_only
      region: <object-storage-region>
  generatedSecret:
    type: Opaque
  keyGeneration: 1
# status:
#   lastKeyGeneration: 0
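Rotation is driven entirely by the pair spec.keyGeneration / status.lastKeyGeneration, so an operator wants to know whether a previous rotation has been reconciled before requesting another, and wants to confirm afterwards that the generated Secret really changed without printing the credentials. The following Python helpers are an added example, not CAPL code: they treat a missing spec.keyGeneration as 0 (matching the initial lastKeyGeneration: 0 shown above), build the JSON merge patch for `kubectl patch ... --type merge`, and compare SHA-256 fingerprints of the decoded access_key across two snapshots of the Secret. The sample objects and key values are constructed.

```python
"""Key-rotation helpers for a CAPL LinodeObjectStorageKey. Added example; not
CAPL's own code.

Typical flow:
  kubectl get linodeobjectstoragekey <unique-key-label> -o json   -> key_before
  kubectl get secret <unique-key-label>-obj-key -o json           -> secret_before
  kubectl patch linodeobjectstoragekey <unique-key-label> --type merge \
      -p "$(python3 -c 'import json,sys; ...')"   # body from next_rotation_patch()
  ... wait for reconciliation, fetch key_after / secret_after, then
  rotation_confirmed(key_before, secret_before, key_after, secret_after)
"""
import base64
import hashlib
import json


def _last_generation(key_obj):
    return (key_obj.get("status") or {}).get("lastKeyGeneration", 0)


def rotation_pending(key_obj):
    """True while spec.keyGeneration differs from status.lastKeyGeneration,
    i.e. CAPL has not yet completed the requested rotation. A missing
    spec.keyGeneration is treated as 0 (assumption of this example)."""
    spec_gen = (key_obj.get("spec") or {}).get("keyGeneration", 0)
    return spec_gen != _last_generation(key_obj)


def next_rotation_patch(key_obj):
    """Return the JSON merge patch requesting the next rotation, or None while
    an earlier rotation is still pending (so requests are not stacked)."""
    if rotation_pending(key_obj):
        return None
    return {"spec": {"keyGeneration": _last_generation(key_obj) + 1}}


def secret_fingerprint(secret_obj):
    """Short SHA-256 of the decoded access_key. Comparing fingerprints of two
    Secret snapshots shows whether CAPL rewrote the credentials, without ever
    printing the key material itself."""
    raw = (secret_obj.get("data") or {}).get("access_key", "")
    return hashlib.sha256(base64.b64decode(raw)).hexdigest()[:16]


def rotation_confirmed(key_before, secret_before, key_after, secret_after):
    """A rotation is complete when lastKeyGeneration advanced and caught up
    with spec.keyGeneration AND the Secret's credentials changed."""
    generation_ok = (not rotation_pending(key_after)
                     and _last_generation(key_after) > _last_generation(key_before))
    return generation_ok and secret_fingerprint(secret_before) != secret_fingerprint(secret_after)


def _sample_secret(access_key):
    """Constructed Secret snapshot with the given (fake) access key."""
    return {"apiVersion": "v1", "kind": "Secret", "type": "Opaque",
            "metadata": {"name": "example-key-obj-key", "namespace": "default"},
            "data": {"access_key": base64.b64encode(access_key).decode(),
                     "secret_key": base64.b64encode(b"CONSTRUCTED-SECRET").decode()}}


# Constructed snapshots: before the rotation request and after reconciliation.
KEY_BEFORE = {"kind": "LinodeObjectStorageKey", "metadata": {"name": "example-key"},
              "spec": {"bucketAccess": [{"bucketName": "example-bucket",
                                         "permissions": "read_only",
                                         "region": "<object-storage-region>"}],
                       "generatedSecret": {"type": "Opaque"}},
              "status": {"ready": True, "lastKeyGeneration": 0}}
KEY_AFTER = json.loads(json.dumps(KEY_BEFORE))
KEY_AFTER["spec"]["keyGeneration"] = 1
KEY_AFTER["status"]["lastKeyGeneration"] = 1
SECRET_BEFORE = _sample_secret(b"CONSTRUCTED-ACCESS-KEY-GEN0")
SECRET_AFTER = _sample_secret(b"CONSTRUCTED-ACCESS-KEY-GEN1")

if __name__ == "__main__":
    print("patch to request rotation:", json.dumps(next_rotation_patch(KEY_BEFORE)))
    print("rotation confirmed:",
          rotation_confirmed(KEY_BEFORE, SECRET_BEFORE, KEY_AFTER, SECRET_AFTER))
```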

Resource Deletion

When deleting a LinodeObjectStorageKey resource, CAPL will deprovision the access key and delete the managed secret. However, when deleting a LinodeObjectStorageBucket resource, CAPL will retain the underlying bucket to avoid unintended data loss.