Site icon Ron Ekins' – Oracle Technology, DevOps and Kubernetes Blog

How to backup Oracle Container Engine for Kubernetes (OKE) Applications with Portworx PX-Backup – Part 1

In this blog post I am going to share how to install and configure Portworx PX-Backup to perform a backup of an application using the Oracle Container Engine for Kubernetes (OKE) managed Kubernetes service running on Oracle Cloud Infrastructure (OCI).

Kubernetes Cluster

For this post I have built a 3 node Kubernetes v1.25.4 cluster in the uk-london-1 region, we can confirm the topology using kubectl get nodes -L, for example.

% kubectl get nodes -L, 
NAME          STATUS   ROLES   AGE    VERSION   REGION        ZONE   Ready    node    3d4h   v1.25.4   uk-london-1   UK-LONDON-1-AD-1   Ready    node    3d4h   v1.25.4   uk-london-1   UK-LONDON-1-AD-3   Ready    node    3d4h   v1.25.4   uk-london-1   UK-LONDON-1-AD-2

I have also installed PX-Enterprise into my OKE cluster, which we can see using pxctl -v.

% PX_POD=$(kubectl get pods -l name=portworx -n kube-system -o jsonpath='{.items[0]}')
% alias pxctl='kubectl exec -n kube-system ${PX_POD} -it -- /opt/pwx/bin/pxctl'
% pxctl -v
Defaulted container "portworx" out of: portworx, csi-node-driver-registrar
pxctl version 2.13.0-f9b46cd

I will start by creating a new Kubernetes Storage Class for our Portworx backups specifying 3 way replication, using the example ( px-backup-sc.yaml ) below.

kind: StorageClass
    name: px-backup-sc
    repl: "3"

And applying using kubectl apply

% kubectl apply -f px-backup-sc.yaml created

% kubectl get sc/px-backup-sc
px-backup-sc   Delete          Immediate           false                  4h59m


Now visit PX-Central and logon, from the Product Catalog Welcome screen select Portworx PX-Backup on-premises and hit Continue.

Provide Namespace, select Helm 3 and Cloud and provide the Storage Class Name just created, then click Next, read and agree backup licence agreement.

PX-Backup – Spec Details

Copy the helm commands and switch to Kubernetes terminal to install.

PX-Backup – Complete

Paste helm repo add command

% helm repo add portworx && helm repo update
"portworx" has been added to your repositories
Hang tight while we grab the latest from your chart repositories...
...Successfully got an update from the "portworx" chart repository
...Successfully got an update from the "stable" chart repository
Update Complete. ⎈Happy Helming!⎈

Paste helm install px-central

% helm install px-central portworx/px-central --namespace central --create-namespace --version 2.3.2 --set persistentStorage.enabled=true,persistentStorage.storageClassName="px-backup-sc",pxbackup.enabled=true
NAME: px-central
LAST DEPLOYED: Fri Feb  3 10:58:47 2023
NAMESPACE: central
STATUS: deployed
Your Release is named: "px-central"
PX-Central is deployed in the namespace: central
Chart Version: 2.3.2

Monitor PX-Central Install:
Wait for job "pxcentral-post-install-hook" status to be in "Completed" state.

    kubectl get po --namespace central -ljob-name=pxcentral-post-install-hook  -o wide | awk '{print $1, $3}' | grep -iv error

Features Summary:
PX-Backup: enabled
PX-Monitor: disabled
PX-License-Server: disabled

Access PX-Central UI:
Using port forwarding:

    kubectl port-forward service/px-backup-ui 8080:80 --namespace central

To access PX-Central:  http://localhost:8080
Login with the following credentials:

    Username: admin
    Password: admin

For more information:


We can see the that a new namespace called central has been created.

% kubectl get ns central     
central   Active   82s

And new PVCs for the PX-Backup database using the px-backup-sc storage class.

% kubectl get pvc -n central
NAME                                                      STATUS   VOLUME                                     CAPACITY   ACCESS MODES   STORAGECLASS   AGE
pxc-mongodb-data-pxc-backup-mongodb-0                     Bound    pvc-6f8f8f38-07ac-4c53-b674-395641fd9894   64Gi       RWO            px-backup-sc   6m33s
pxc-mongodb-data-pxc-backup-mongodb-1                     Bound    pvc-df209ed8-eea8-40a8-ab16-1f2c23fc19d5   64Gi       RWO            px-backup-sc   6m32s
pxc-mongodb-data-pxc-backup-mongodb-2                     Bound    pvc-3ffa1665-2d14-42d2-9908-bbd568b6cda7   64Gi       RWO            px-backup-sc   6m32s
pxcentral-keycloak-data-pxcentral-keycloak-postgresql-0   Bound    pvc-ffa5ac65-7a91-4197-8235-945dff315581   10Gi       RWO            px-backup-sc   6m33s
pxcentral-mysql-pvc                                       Bound    pvc-f49d9ea8-4019-4404-9c5d-2dd4bf018c11   100Gi      RWO            px-backup-sc   6m34s
theme-pxcentral-keycloak-0                                Bound    pvc-0fa5073b-ec1f-484e-b115-a31903097fe9   5Gi        RWO            px-backup-sc   6m33s

Wait until all the pods are running with watch kubectl get pods -n central or kubectl get pods -n central –watch

% kubectl get pods -n central 
NAME                                       READY   STATUS      RESTARTS   AGE
NAME                                       READY   STATUS      RESTARTS        AGE
px-backup-6457d9f6fc-wkt9g                 1/1     Running     2 (5m55s ago)   7m
pxc-backup-mongodb-0                       1/1     Running     0               7m
pxc-backup-mongodb-1                       1/1     Running     0               7m
pxc-backup-mongodb-2                       1/1     Running     0               7m
pxcentral-apiserver-57b88685-hm797         1/1     Running     0               7m
pxcentral-backend-5d58bfd4cc-fl9xl         1/1     Running     0               3m23s
pxcentral-frontend-64897ffb4b-5gzbd        1/1     Running     0               3m23s
pxcentral-keycloak-0                       1/1     Running     0               7m
pxcentral-keycloak-postgresql-0            1/1     Running     0               7m
pxcentral-lh-middleware-5ff4bb6678-b8nwf   1/1     Running     0               3m23s
pxcentral-mysql-0                          1/1     Running     0               7m
pxcentral-post-install-hook-vkq4d          0/1     Completed   0               7m

Once all the pods are reporting a running status check for errors, using the below.

% kubectl get po --namespace central -ljob-name=pxcentral-post-install-hook  -o wide | awk '{print $1, $3}' | grep -iv error
pxcentral-post-install-hook-vkq4d Completed

Use kubectl get svc to find the OCI LoadBalancer IP address, we will need this to logon to the PX Central UI.

 % kubectl get svc -n central
NAME                                     TYPE           CLUSTER-IP      EXTERNAL-IP       PORT(S)               AGE
px-backup                                ClusterIP     <none>            10002/TCP,10001/TCP   8m13s
px-backup-ui                             LoadBalancer   80:31664/TCP          8m13s
px-central-ui                            LoadBalancer    80:30680/TCP          8m13s
pxc-backup-mongodb-headless              ClusterIP      None            <none>            27017/TCP             8m13s
pxcentral-apiserver                      ClusterIP    <none>            10005/TCP,10006/TCP   8m13s
pxcentral-backend                        ClusterIP     <none>            80/TCP                8m13s
pxcentral-frontend                       ClusterIP    <none>            80/TCP                8m13s
pxcentral-keycloak-headless              ClusterIP      None            <none>            80/TCP,8443/TCP       8m13s
pxcentral-keycloak-http                  ClusterIP   <none>            80/TCP,8443/TCP       8m13s
pxcentral-keycloak-postgresql            ClusterIP    <none>            5432/TCP              8m13s
pxcentral-keycloak-postgresql-headless   ClusterIP      None            <none>            5432/TCP              8m13s
pxcentral-lh-middleware                  ClusterIP   <none>            8091/TCP,8092/TCP     8m13s
pxcentral-mysql                          ClusterIP    <none>            3306/TCP              8m13s

Configure Service Account

Create Service Account

Using the example yaml ( px-backup-sa.yaml ) create a service account called pxbackup-sa

apiVersion: v1
kind: ServiceAccount
  name: pxbackup-sa
  namespace: kube-system
kind: ClusterRoleBinding
  name: pxbackup-sa-clusterrolebinding
- kind: ServiceAccount
  name: pxbackup-sa
  namespace: kube-system
  kind: ClusterRole
  name: cluster-admin

Create token

As of Kubernetes 1.24, service accounts do not automatically create secrets, we need to do this manually for example.

% kubectl create token pxbackup-sa -n kube-system

Create secret

Create a secret for the service account ( px-backup-secret.yaml )

apiVersion: v1
kind: Secret
  name: pxbackup-sa
  namespace: kube-system
  annotations: "pxbackup-sa"

Cluster Info

Get Kubenetes API endpoint

Update file with service account, namespace and API endpoint

% kubectl cluster-info
Kubernetes control plane is running at https://150.XXX.XXX.XXX:6443
CoreDNS is running at https://150.XXX.XXX.XXX:6443/api/v1/namespaces/kube-system/services/kube-dns:dns/proxy

To further debug and diagnose cluster problems, use 'kubectl cluster-info dump'.

Generate Kubeconfig

Update the SERVER and run the below ( ) to create a kubeconfig file and save for use later.


SERVICE_ACCOUNT_TOKEN=$(kubectl -n ${NAMESPACE} get secret ${SERVICE_ACCOUNT} -o "jsonpath={.data.token}" | base64 --decode)
SERVICE_ACCOUNT_CERTIFICATE=$(kubectl -n ${NAMESPACE} get secret ${SERVICE_ACCOUNT} -o "jsonpath={.data['ca\.crt']}")

cat <<END
apiVersion: v1
kind: Config
- name: default-cluster
    certificate-authority-data: ${SERVICE_ACCOUNT_CERTIFICATE}
    server: ${SERVER}
- name: default-context
    cluster: default-cluster
    namespace: ${NAMESPACE}
    user: ${SERVICE_ACCOUNT}
current-context: default-context


Using the above logon to the px-central UI using initial credentials provided, and change password as prompted, and provide email, first name and surname.

For this post I will perform a guided install using the UI Wizard, on future installs, click ‘Cancel’ for manual configuration

Configure S3 Target

Select Cloud Settings

Select AWS / S3 Compliant Object Store, provide descriptive Cloud Account Name, OCI Access Key and Secret Key.

Add Cloud Account

Enter Backup Location, providing a descriptive Name, Cloud Account, OCI Object Store Bucket, Region and Endpoint, you will need to include :443 at the end of the endpoint as OCI Object Storage uses https

The OCI Object Store Endpoint format is <OCI Namespace>.compat.objectstorage.<region>

Add Backup Location

You can determine your Object Storage Namespace from the within OCI by navigating to Profile -> Tenancy and from there you will see the Object storage namespace.

Alternatively use oci os ns get.

% oci os ns get
  "data": "lxxxxxxxxxx"

Configure Kuberenete Cluster

Confirm Stork version, it needs to be higher the 2.4.

% kubectl get deployment stork -n kube-system -o wide
NAME    READY   UP-TO-DATE   AVAILABLE   AGE    CONTAINERS   IMAGES                               SELECTOR
stork   3/3     3            3           3d1h   stork   name=stork,tier=control-plane

Select Other, and enter Cluster Name and paste Kubeconfig previously generated, and click Add Cluster

The new Cluster should now be visible.

If we click on the Cluster Name we can now see the Kubernetes namespaces.


In this post I have shared how to setup PX-Backup with OKE, in Part 2 I will detail how PX-Backup can be used to protect an OKE application.

All the examples used in this post are available in my PX-Backup-OKE GitHub repository.

Exit mobile version