DBaaS Disaster Recovery
Run the following commands after providing the required values:
export SERVER_NAME=<Postgres server name can be found from Azure UI> #Change it
export NAMESPACE=netbackup #Change it
export AKS_SUBNET_NAME=<vnet_name from applied TF-Var file> #Change it
export KV_NAME=<Key Vault name can be found from Azure UI> #Change it
export AKS_NAME=<aks_name from applied TF-Var file> #Change it
export GROUP_NAME=<new_rg_name from applied TF-Var file>
export PG_SUBNET_NAME=<db_subnet_name from applied TF-Var file>
export LOCATION="<location can be found from Azure UI>"
export VNET_RESOURCE_GROUP=<vnet_rg_name from applied TF-Var file>
export VNET_NAME=<vnet_name from applied TF-Var file>
export TAGS=""
export PSQL_DNS_ZONE_NAME=<can be found from Azure UI: go to the Postgres server, then Networking, and use the name of the private DNS zone being used>
export PRIVATE_DNS_LINK_NAME=<dns_to_vnet_link_name from applied TF-Var file>
export DB_LOGIN_NAME="dbadminlogin"
export DB_SECRET_NAME="dbadminpassword"
export DB_SERVER_NAME="dbserver"
export SECRET_PROVIDER_CLASS_NAME="dbsecret-spc"
export DB_PG_BOUNCER_PORT_NAME="pgbouncerport"
export DB_PORT_NAME="dbport"
export DB_CERT_NAME="dbcertpem"
export CLIENT_ID=$(az aks show -g "${GROUP_NAME}" -n "${AKS_NAME}" --query addonProfiles.azureKeyvaultSecretsProvider.identity.clientId -o tsv 2>/dev/null)
export TENANT_ID=$(az account show --query 'tenantId' -o tsv)
export DB_CERT_URL="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
export TLS_FILE_NAME='/tmp/tls.crt'
Run the following command:
export KEYVAULT_ID=$(az keyvault show --name "${KV_NAME}" --resource-group "${GROUP_NAME}" --query id --output tsv)
az postgres flexible-server parameter set --resource-group "${GROUP_NAME}" --server "${SERVER_NAME}" --name require_secure_transport --value off
Run the following commands:
TLS_FILE_NAME='/tmp/tls.crt'
PROXY_FILE_NAME='/tmp/proxy.pem'
rm -f ${TLS_FILE_NAME} ${PROXY_FILE_NAME}
DB_CERT_URL="https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"
DB_PROXY_CERT_URL="https://www.amazontrust.com/repository/AmazonRootCA1.pem"
curl ${DB_CERT_URL} --output ${TLS_FILE_NAME}
curl ${DB_PROXY_CERT_URL} --output ${PROXY_FILE_NAME}
cat ${PROXY_FILE_NAME} >> ${TLS_FILE_NAME}
kubectl -n netbackup create secret generic postgresql-netbackup-ca --from-file ${TLS_FILE_NAME}
Reset the password and use the same one used at the time of backup.
For more information on resetting the password refer to the Azure-specific procedure in the following section:
Create Service Account for service access:
# Create the secret access policy
cat <<EOF > /tmp/db-secret-access-policy.json
{
  "Version": "2012-10-17",
  "Statement": [
    {
      "Effect": "Allow",
      "Action": [
        "secretsmanager:GetSecretValue",
        "secretsmanager:DescribeSecret"
      ],
      "Resource": [
        "<admin-secret-arn>",
        "<cert-secret-arn>"
      ]
    }
  ]
}
EOF
aws iam create-policy \
  --policy-name db-secret-access-policy \
  --policy-document file:///tmp/db-secret-access-policy.json
# Create the service account and link it with the IAM policy.
# SECRET_ACCESS_POLICY_ARN must contain the ARN of the policy created above.
eksctl create iamserviceaccount \
  --override-existing-serviceaccounts \
  --approve \
  --config-file - <<EOF
apiVersion: eksctl.io/v1alpha5
kind: ClusterConfig
metadata:
  name: $EKS_CLUSTER_NAME
  region: $REGION
  tags:
    OWNER: $OWNER
iam:
  withOIDC: true
  serviceAccounts:
  - metadata:
      name: db-access
      namespace: netbackup
    attachPolicyARNs:
    - $SECRET_ACCESS_POLICY_ARN
    permissionsBoundary: $PERMISSIONS_BOUNDARY
EOF
Run the following command:
TLS_FILE_NAME='/tmp/tls.crt'
PROXY_FILE_NAME='/tmp/proxy.pem'
rm -f ${TLS_FILE_NAME} ${PROXY_FILE_NAME}
DB_CERT_URL="https://truststore.pki.rds.amazonaws.com/global/global-bundle.pem"
DB_PROXY_CERT_URL="https://www.amazontrust.com/repository/AmazonRootCA1.pem"
curl ${DB_CERT_URL} --output ${TLS_FILE_NAME}
curl ${DB_PROXY_CERT_URL} --output ${PROXY_FILE_NAME}
cat ${PROXY_FILE_NAME} >> ${TLS_FILE_NAME}
kubectl -n netbackup create secret generic postgresql-netbackup-ca --from-file ${TLS_FILE_NAME}
Perform the steps listed in the AWS-specific procedure in the following section to change password and replace with password saved during backup phase:
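The CA bundle step above (the two curl downloads joined with cat and loaded into the postgresql-netbackup-ca secret) stores whatever the server returns, so an HTTP error page or a truncated file ends up in the secret unnoticed. The following is an added example, not part of the original procedure, that validates the bundle before the secret is created. The function names are hypothetical and the sample certificate body is constructed.

```shell
#!/usr/bin/env bash
# Added example (function names are hypothetical, not from the procedure).

# Print the number of well-formed PEM certificate blocks in file $1.
# Fails on an empty file, no certificates (e.g. a saved HTML error page),
# unbalanced BEGIN/END markers, or non-base64 data inside a block.
pem_cert_count() {
  [ -s "$1" ] || return 1
  awk '
    { sub(/\r$/, "") }
    /^-----BEGIN CERTIFICATE-----$/ { if (inside) bad = 1; inside = 1; body = 0; next }
    /^-----END CERTIFICATE-----$/   { if (!inside || !body) bad = 1; inside = 0; n++; next }
    inside { if ($0 !~ "^[A-Za-z0-9+/]+=*$") bad = 1; body++ }
    END { if (bad || inside || n == 0) exit 1; print n }
  ' "$1"
}

# Download URL $1 to file $2: HTTPS only, HTTP errors are fatal, and the
# result is kept only if it parses as a PEM bundle.
fetch_ca_bundle() {
  fcb_tmp=$(mktemp) || return 1
  if curl --fail --silent --show-error --proto '=https' --output "$fcb_tmp" "$1" \
      && pem_cert_count "$fcb_tmp" >/dev/null; then
    mv "$fcb_tmp" "$2"
  else
    rm -f "$fcb_tmp"
    return 1
  fi
}

# Concatenate DB bundle $1 and proxy root $2 into $3, as the procedure does
# with cat >>, but insert a newline between them so a file without a trailing
# newline cannot fuse its END marker with the next BEGIN marker, then confirm
# that no certificate was lost.
build_tls_bundle() {
  btb_a=$(pem_cert_count "$1") || return 1
  btb_b=$(pem_cert_count "$2") || return 1
  { cat "$1"; echo; cat "$2"; } > "$3"
  [ "$(pem_cert_count "$3")" -eq $((btb_a + btb_b)) ]
}

# Constructed sample (not a real certificate) so the checks run offline.
sample_dir=$(mktemp -d)
printf '%s\n' '-----BEGIN CERTIFICATE-----' 'Q09OU1RSVUNURUQ=' \
  '-----END CERTIFICATE-----' > "$sample_dir/db.pem"
printf '<html>403 Forbidden</html>\n' > "$sample_dir/error.pem"
pem_cert_count "$sample_dir/db.pem"                      # prints 1
pem_cert_count "$sample_dir/error.pem" || echo "rejected error page"
```

In the procedure, fetch_ca_bundle would replace each curl call and build_tls_bundle the cat step, with kubectl create secret run only if both succeed. The check covers PEM structure only; it does not establish that the certificates are the expected CAs.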