Backups

CAPL supports performing etcd backups by provisioning an Object Storage bucket and access keys. This feature is not enabled by default and can be configured as an addon.

Warning

Enabling this addon requires enabling Object Storage in the account where the resources will be provisioned. Please refer to the Pricing information in Linode's Object Storage documentation.

Enabling Backups

To enable backups, select the etcd-backup-restore flavor with the `--flavor` flag when generating the cluster manifest:

clusterctl generate cluster $CLUSTER_NAME \
  --kubernetes-version v1.29.1 \
  --infrastructure linode-linode \
  --flavor etcd-backup-restore \
  | kubectl apply -f -

For finer-grained control, and to learn how the etcd backups themselves work, refer to the backups section of the etcd page.

Object Storage

Additionally, CAPL can be used to provision Object Storage buckets and access keys for general purposes by configuring a LinodeObjectStorageBucket resource.

Warning

Using this feature requires enabling Object Storage in the account where the resources will be provisioned. Please refer to the Pricing information in Linode's Object Storage documentation.

Bucket Creation

The following is the minimal required configuration needed to provision an Object Storage bucket and set of access keys.

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
kind: LinodeObjectStorageBucket
metadata:
  name: <unique-bucket-label>
  namespace: <namespace>
spec:
  cluster: <object-storage-region>
  secretType: Opaque

Upon creation of the resource, CAPL will provision a bucket in the region specified using the .metadata.name as the bucket's label.

Warning

The bucket label must be unique within the region across all accounts. Otherwise, CAPL will populate the resource status fields with errors to show that the operation failed.

Access Keys Creation

CAPL also creates a read_write and a read_only access key pair for the bucket and stores them, together with the bucket's name, region and endpoint, in a Secret in the same namespace as the LinodeObjectStorageBucket. All values under data are base64-encoded, which is an encoding, not encryption: anyone who can read Secrets in that namespace can recover both key pairs, so scope RBAC on the namespace accordingly and hand workloads the read_only pair unless they actually need to write.

apiVersion: v1
kind: Secret
metadata:
  name: <unique-bucket-label>-bucket-details
  namespace: <same-namespace-as-object-storage-bucket>
  ownerReferences:
    - apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
      kind: LinodeObjectStorageBucket
      name: <unique-bucket-label>
      controller: true
      uid: <unique-uid>
data:
  bucket_name: <unique-bucket-label>
  bucket_region: <linode-obj-bucket-region>
  bucket_endpoint: <hostname-to-access-bucket>
  access_key_rw: <base64-encoded-access-key>
  secret_key_rw: <base64-encoded-secret-key>
  access_key_ro: <base64-encoded-access-key>
  secret_key_ro: <base64-encoded-secret-key>

The bucket-details secret is owned and managed by CAPL during the life of the LinodeObjectStorageBucket.

Access Keys Rotation

Setting spec.keyGeneration to a value different from .status.lastKeyGeneration instructs CAPL to rotate the access keys. Once .status.lastKeyGeneration has caught up with spec.keyGeneration the rotation is complete; workloads that already loaded the previous credentials must re-read the bucket-details secret to pick up the new ones.

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
kind: LinodeObjectStorageBucket
metadata:
  name: <unique-bucket-label>
  namespace: <namespace>
spec:
  cluster: <object-storage-region>
  secretType: Opaque
  keyGeneration: 1
# status:
#   lastKeyGeneration: 0

Bucket Status

Upon successful provisioning of a bucket and keys, the LinodeObjectStorageBucket resource's status will resemble the following:

apiVersion: infrastructure.cluster.x-k8s.io/v1alpha1
kind: LinodeObjectStorageBucket
metadata:
  name: <unique-bucket-label>
  namespace: <namespace>
spec:
  cluster: <object-storage-region>
  secretType: Opaque
  keyGeneration: 0
status:
  ready: true
  conditions:
    - type: Ready
      status: "True"
      lastTransitionTime: <timestamp>
  hostname: <hostname-for-bucket>
  creationTime: <bucket-creation-timestamp>
  lastKeyGeneration: 0
  keySecretName: <unique-bucket-label>-bucket-details
  accessKeyRefs:
    - <access-key-rw-id>
    - <access-key-ro-id>
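The following added example (not CAPL's own code) shows how a consumer would treat the bucket-details secret and the bucket status described in the Access Keys Creation, Access Keys Rotation and Bucket Status sections: it verifies the secret is the one CAPL owns for this bucket (name, namespace and controller ownerReference), decodes the base64 fields, defaults to the read_only pair, and builds the JSON merge patch that bumps keyGeneration to request a rotation. The two objects are constructed to mirror the shapes on this page; the resource name `demo-bucket`, region, uid, key values and the https:// prefix on the endpoint are assumptions made for the example.

```python
"""Consume a CAPL LinodeObjectStorageBucket and its bucket-details Secret.

Added example, not CAPL's own code. Both objects below are constructed to
mirror the manifests on this page; every concrete value is made up.
"""
import base64
import json

BUCKET_UID = "6f9d7a1e-0000-4000-8000-000000000001"  # assumed

# Constructed: a reconciled LinodeObjectStorageBucket, as
# `kubectl get linodeobjectstoragebucket demo-bucket -o json` would show it.
BUCKET = {
    "apiVersion": "infrastructure.cluster.x-k8s.io/v1alpha1",
    "kind": "LinodeObjectStorageBucket",
    "metadata": {"name": "demo-bucket", "namespace": "default", "uid": BUCKET_UID},
    "spec": {"cluster": "us-east-1", "secretType": "Opaque", "keyGeneration": 0},
    "status": {
        "ready": True,
        "conditions": [{"type": "Ready", "status": "True"}],
        "hostname": "demo-bucket.us-east-1.linodeobjects.com",
        "lastKeyGeneration": 0,
        "keySecretName": "demo-bucket-bucket-details",
        "accessKeyRefs": [1001, 1002],  # assumed key IDs
    },
}


def _b64(s: str) -> str:
    return base64.b64encode(s.encode()).decode()


# Constructed: the managed <bucket>-bucket-details Secret (values base64-encoded).
SECRET = {
    "apiVersion": "v1",
    "kind": "Secret",
    "type": "Opaque",
    "metadata": {
        "name": "demo-bucket-bucket-details",
        "namespace": "default",
        "ownerReferences": [{
            "apiVersion": "infrastructure.cluster.x-k8s.io/v1alpha1",
            "kind": "LinodeObjectStorageBucket",
            "name": "demo-bucket",
            "controller": True,
            "uid": BUCKET_UID,
        }],
    },
    "data": {
        "bucket_name": _b64("demo-bucket"),
        "bucket_region": _b64("us-east-1"),
        "bucket_endpoint": _b64("demo-bucket.us-east-1.linodeobjects.com"),
        "access_key_rw": _b64("RWACCESSKEYEXAMPLE"),
        "secret_key_rw": _b64("rw-secret-example"),
        "access_key_ro": _b64("ROACCESSKEYEXAMPLE"),
        "secret_key_ro": _b64("ro-secret-example"),
    },
}


def owned_by_bucket(secret: dict, bucket: dict) -> bool:
    """True if the Secret carries a controller ownerReference to exactly this bucket."""
    for ref in secret["metadata"].get("ownerReferences", []):
        if (ref.get("kind") == "LinodeObjectStorageBucket"
                and ref.get("name") == bucket["metadata"]["name"]
                and ref.get("uid") == bucket["metadata"]["uid"]
                and ref.get("controller") is True):
            return True
    return False


def credentials(bucket: dict, secret: dict, mode: str = "ro") -> dict:
    """Return one decoded key pair plus endpoint details.

    Defaults to the read_only pair: give out read_write only to writers.
    Refuses secrets that are not the bucket's own managed secret.
    """
    if mode not in ("ro", "rw"):
        raise ValueError("mode must be 'ro' or 'rw'")
    status = bucket.get("status", {})
    if not status.get("ready"):
        raise RuntimeError("bucket is not Ready yet")
    if secret["metadata"]["name"] != status.get("keySecretName"):
        raise RuntimeError("secret name does not match status.keySecretName")
    if secret["metadata"]["namespace"] != bucket["metadata"]["namespace"]:
        raise RuntimeError("secret is in a different namespace than the bucket")
    if not owned_by_bucket(secret, bucket):
        raise RuntimeError("secret is not owned by this bucket; refusing to trust it")
    d = {k: base64.b64decode(v).decode() for k, v in secret["data"].items()}
    return {
        "endpoint_url": "https://" + d["bucket_endpoint"],  # https assumed
        "bucket": d["bucket_name"],
        "region": d["bucket_region"],
        "access_key": d["access_key_" + mode],
        "secret_key": d["secret_key_" + mode],
    }


def rotation_pending(bucket: dict) -> bool:
    """A rotation is in flight while spec.keyGeneration != status.lastKeyGeneration."""
    return bucket["spec"].get("keyGeneration", 0) != bucket.get("status", {}).get("lastKeyGeneration")


def rotation_patch(bucket: dict) -> str:
    """JSON merge patch body that requests a key rotation, for
    kubectl patch linodeobjectstoragebucket <name> --type merge -p '<patch>'."""
    if rotation_pending(bucket):
        raise RuntimeError("a rotation is already in progress; wait for lastKeyGeneration")
    return json.dumps({"spec": {"keyGeneration": bucket["status"]["lastKeyGeneration"] + 1}})


if __name__ == "__main__":
    print(credentials(BUCKET, SECRET))            # read_only pair by default
    print(rotation_patch(BUCKET))                 # {"spec": {"keyGeneration": 1}}
```

The ownerReference and keySecretName checks matter because any principal who can create Secrets in the namespace could plant a look-alike `<name>-bucket-details` pointing at an endpoint they control; only the CAPL-managed secret carries the controller ownerReference with the bucket's uid.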

Resource Deletion

When a LinodeObjectStorageBucket resource is deleted, CAPL deprovisions the access keys and the managed secret but retains the underlying bucket to avoid unintended data loss. The bucket and its contents are therefore left in the account; delete them out-of-band (Cloud Manager, Linode CLI or API) once you are sure the data is no longer needed.