https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.8/html-single/operating_3scale/index#threescale-backup-restore

Migration

Preparation

Export variables that will be used in the instructions.

export OLD_DB_HOST=<old DB host>

export DB_USERNAME=<DB username>
export DB_DATABASE=<DB database>
export DB_HOST=<current DB host>

export WILDCARD_DOMAIN=<new cluster wildcard domain>

Back up

1. Backup PostgreSQL

   pg_dump -U ${DB_USERNAME} -W -h ${OLD_DB_HOST} -F c -v ${DB_DATABASE} -f system-database.dump

2. Backing up system-storage

   oc rsync $(oc get pods -l 'deploymentConfig=system-app' --template="{{ (index .items 0).metadata.name }}"):/opt/system/public/system ./local/dir

3. Backing up backend-redis

   oc cp $(oc get pods -l 'deploymentConfig=backend-redis' --template="{{ (index .items 0).metadata.name }}"):/var/lib/redis/data/dump.rdb ./backend-redis-dump.rdb

4. Backing up system-redis

   oc cp $(oc get pods -l 'deploymentConfig=system-redis' --template="{{ (index .items 0).metadata.name }}"):/var/lib/redis/data/dump.rdb ./system-redis-dump.rdb

   (skipping restoring Zync database)

5. Backing up OpenShift secrets and ConfigMaps

   oc get secrets system-smtp -o json > system-smtp.json
   oc get secrets system-seed -o json > system-seed.json
   oc get secrets system-database -o json > system-database.json
   oc get secrets backend-internal-api -o json > backend-internal-api.json
   oc get secrets system-events-hook -o json > system-events-hook.json
   oc get secrets system-app -o json > system-app.json
   oc get secrets system-recaptcha -o json > system-recaptcha.json
   oc get secrets system-redis -o json > system-redis.json
   oc get secrets zync -o json > zync.json
   oc get secrets system-master-apicast -o json > system-master-apicast.json

   oc get configmaps system-environment -o json > system-environment.json
   oc get configmaps apicast-environment -o json > apicast-environment.json

Restore

1. Create a new project

   oc new-project threescale-apim

2. Create a secret for registry.redhat.io

   Follow instructions in https://access.redhat.com/RegistryAuthentication

   oc create secret generic <pull_secret_name> \
       --from-file=.dockerconfigjson=<path/to/.docker/config.json> \
       --type=kubernetes.io/dockerconfigjson>
   
   oc secrets link default <pull_secret_name> --for=pull

3. Install 3scale operator

4. Restore secrets

   (skipping system-database, system-redis and backend-redis secrets)

   Note	if the namespace name has changed, update to the new 3scale namespace in the new cluster.

   oc apply -f system-smtp.json
   oc apply -f system-seed.json
   oc apply -f backend-internal-api.json
   oc apply -f system-events-hook.json
   oc apply -f system-app.json
   oc apply -f system-recaptcha.json
   oc apply -f zync.json
   oc apply -f system-master-apicast.json

5. Restore configmaps

   oc apply -f system-environment.json
   oc apply -f apicast-environment.json

6. Create database secret

   cat << EOF > system-database-secret.yml
   apiVersion: v1
   kind: Secret
   type: Opaque
   metadata:
     labels:
       app: 3scale-database
     name: system-database
   stringData:
     DB_PASSWORD: ${DB_PASSWORD}
     DB_USER: ${DB_USERNAME}
     URL: postgresql://${DB_USERNAME}:${DB_PASSWORD}@${DB_HOST}/${DB_DATABASE}
   EOF

7. Create Cluster Role for Azure File

   cat << EOF > azure-cloud-provider-secrets.yml
   
   apiVersion: rbac.authorization.k8s.io/v1
   kind: ClusterRole
   metadata:
     name: system:azure-cloud-provider-secrets
   rules:
   - apiGroups:
     - ""
     resources:
     - secrets
     verbs:
     - get
     - create
   EOF
   
   oc apply -f azure-cloud-provider-secrets.yml

   See https://docs.openshift.com/container-platform/4.8/storage/dynamic-provisioning.html#azure-file-definition_dynamic-provisioning.

8. Assign role to service account

   oc adm policy add-cluster-role-to-user system:azure-cloud-provider-secrets system:serviceaccount:kube-system:persistent-volume-binder

9. Get UID range on the 3scale namespace and save it in a variable

   oc describe project threescale-apim | grep uid-range
   export OPENSHIFT_UID=<UID>

10. Create RWX Storage Class for 3scale system-storage

    cat << EOF > azure-file-3scale.yml
    apiVersion: storage.k8s.io/v1
    kind: StorageClass
    metadata:
      name: azure-file-3scale
    mountOptions:
    - uid=${OPENSHIFT_UID}
    - gid=0
    - mfsymlinks
    - cache=strict
    parameters:
      skuName: Standard_LRS
    provisioner: kubernetes.io/azure-file
    reclaimPolicy: Delete
    volumeBindingMode: Immediate
    EOF
    
    oc create -f azure-file-3scale.yml

11. Create temporary Redis instances

    oc new-app -f template-only-redis.yml

    This template has the following changes with regards to the standard one: * all resources not related to Redis are removed * backend-redis storage increased from 1G to 10G * APP_LABEL (the app label on OpenShift resources) changed from 3scale-api-management to 3scale-redis * removed serviceAccount amp from resources definition

Note	add MESSAGE_BUS_URL value

1. Restore Redis databases

   Follow all the steps in https://access.redhat.com/documentation/en-us/red_hat_3scale_api_management/2.11/html/operating_3scale/threescale-backup-restore-using-templates#ensuring-information-consistency

2. Restore PostgreSQL database (the database should exist)

   pg_restore -d ${DATABASE_NAME} -U ${DATABASE_USERNAME} system-database.dump

3. Create APIManager

   cat << EOF > apimanager.yml
   apiVersion: apps.3scale.net/v1alpha1
   kind: APIManager
   metadata:
     name: apimanager
   spec:
     wildcardDomain: ${WILDCARD_DOMAIN}
     resourceRequirementsEnabled: true
     highAvailability:
       enabled: true
     system:
       fileStorage:
         persistentVolumeClaim:
           storageClassName: azure-file-3scale
   EOF
   
   oc apply -f apimanager.yml

4. Update domains to adjust to the new Wildcard Domain

   See solution How to change the Public domain (Developer Portal Domain), the Admin domain (Admin Portal Domain) and the Master Portal domain in 3scale

To do a batch rewrite of the domains, use the following steps:

bundle exec rails console

Print the current values for the domains

Provider.all.to_a.each do |p|
  puts p.domain
  puts p.self_domain
end

Replace the wildcard domain with the new value

Provider.all.to_a.each do |p|
  p.domain = p.domain.gsub("apps.CURRENT", "apps.NEW")
  p.self_domain = p.self_domain.gsub("apps.CURRENT", "apps.NEW")
  p.save!
end

Verify

Get admin username and password

oc get secret system-seed --template="{{.data.ADMIN_USER}}" | base64 -d
oc get secret system-seed --template="{{.data.ADMIN_PASSWORD}}" | base64 -d

Verify RH-SSO connections

Upgrade 3scale

Use Operator to upgrade 3scale, one version at a time: 2.8 to 2.9 2.9 to 2.10 2.10 to 2.11

Update number of replicas on the APIManager resource

In the APIManager instance, change all replicas from replicas: 1 to replicas: 2, except APIcast. For APIcast it is required to have staging gateway to pull the policies, but the production gateway can be disabled if not used.

spec:
  imageStreamTagImportInsecure: false
  resourceRequirementsEnabled: true
  system:
    appSpec:
      replicas: 2
    fileStorage:
      persistentVolumeClaim:
        storageClassName: azure-file-3scale
    sidekiqSpec:
      replicas: 2
    sphinxSpec: {}
  appLabel: 3scale-api-management
  zync:
    appSpec:
      replicas: 2
    queSpec:
      replicas: 2
  backend:
    cronSpec:
      replicas: 2
    listenerSpec:
      replicas: 2
    workerSpec:
      replicas: 2
  tenantName: 3scale
  apicast:
    managementAPI: status
    openSSLVerify: false
    productionSpec:
      replicas: 0
    registryURL: 'http://apicast-staging:8090/policies'
    responseCodes: true
    stagingSpec:
      replicas: 1
  highAvailability:
    enabled: true
  wildcardDomain: <DOMAIN>

Restore system-storage

oc rsync ./local/dir/system/ $(oc get pods -l 'deploymentConfig=system-app' -o json | jq '.items[0].metadata.name' -r):/opt/system/public/system