
Velero

Description

Velero is a module for backing up and restoring data in Kubernetes clusters. It supports both local and cloud storage as a destination for backups, which gives flexibility and reliability.

Data included in a backup:

  1. A backup of all cluster manifests
  2. Longhorn backups

Modules required for operation:

  1. snapshot-controller: used as a webhook for Velero's interaction with Longhorn
  2. velero: the application itself
  3. velero-config: additional Longhorn settings

Dependent modules

Besides the modules on this page, Velero requires the longhorn data storage module to be enabled:
Longhorn module

Enabling the snapshot-controller module

YAML description

Warning!

Values without a description (1) are advanced settings; editing them is not recommended.

  1. Description
apiVersion: addon.bootsman.tech/v1alpha1
kind: Config
metadata:
  name: CLUSTER_NAME-snapshot-controller
  namespace: CLUSTER_NAMESPACE
spec:
  enabled: true # (1)
  values:
    controller:
      image:
        repository: >-
          harbor.bootsman.host/bootsman-nimbus/common-artifacts/snapshot-controller
        tag: v8.1.0
      volumeSnapshotClasses:
        - annotations: # (2)
            snapshot.storage.kubernetes.io/is-default-class: 'true'
          deletionPolicy: Delete
          driver: driver.longhorn.io
          labels:
            velero.io/csi-volumesnapshot-class: 'true'
          name: longhorn
          parameters:
            type: bak
    webhook:
      image:
        repository: >-
          harbor.bootsman.host/bootsman-nimbus/common-artifacts/snapshot-validation-webhook
        tag: v8.1.0
      webhook:
        failurePolicy: Ignore
  1. true: the module is enabled; false: the module is disabled
  2. Pre-configured settings for Longhorn backups

Configuration in the UI


All Values

Advanced settings

The fine-grained settings of the module are listed below.

Use them to extend the module configuration if required.

Documentation

More complete documentation for the module:
Snapshot Controller Github
Snapshot Controller Chart

Snapshot Controller Values
  values:
    controller:
      enabled: true

      replicaCount: 1

      revisionHistoryLimit: 10

      args:
        leaderElection: true
        leaderElectionNamespace: "$(NAMESPACE)"
        httpEndpoint: ":8080"

      image:
        repository: harbor.bootsman.host/bootsman-nimbus/common-artifacts/snapshot-controller
        pullPolicy: IfNotPresent
        # Overrides the image tag whose default is the chart appVersion.
        tag: v8.1.0

      imagePullSecrets: []

      podAnnotations: {}

      podLabels: {}

      podSecurityContext: {}
        # fsGroup: 2000

      securityContext:
        capabilities:
          drop:
          - ALL
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1000

      resources: {}

      nodeSelector: {}

      tolerations: []

      affinity: {}

      ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
      ##
      pdb: {}

      topologySpreadConstraints: []

      rbac:
        # Specifies whether RBAC resources should be created
        create: true

      serviceAccount:
        # Specifies whether a ServiceAccount should be created
        create: true
        name: ""

      serviceMonitor:
        # Specifies whether a ServiceMonitor should be created
        create: false

      volumeSnapshotClasses:
        - annotations:
            snapshot.storage.kubernetes.io/is-default-class: 'true'
          deletionPolicy: Delete
          driver: driver.longhorn.io
          labels:
            velero.io/csi-volumesnapshot-class: 'true'
          name: longhorn
          parameters:
            type: bak
    #    - name: linstor-csi-delete
    #      annotations:
    #        snapshot.storage.kubernetes.io/is-default-class: "true"
    #      labels:
    #        velero.io/csi-volumesnapshot-class: "true"
    #      driver: linstor.csi.linbit.com
    #      deletionPolicy: Delete

      priorityClassName: ""
        # Specifies wether a Priority Class should be attached to deployment pods

      # Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
      hostNetwork: false

      # DNS settings for the controller pod. https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
      dnsConfig: {}
      # DNS Policy for controller pod. For Pods running with hostNetwork, set to `ClusterFirstWithHostNet`
      # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
      dnsPolicy: ClusterFirst

    webhook:
      enabled: true

      replicaCount: 1

      revisionHistoryLimit: 10

      args:
        tlsPrivateKeyFile: /etc/snapshot-validation/tls.key
        tlsCertFile: /etc/snapshot-validation/tls.crt
        port: 8443
        # enableVolumeGroupSnapshotWebhook: true

      image:
        repository: harbor.bootsman.host/bootsman-nimbus/common-artifacts/snapshot-validation-webhook
        pullPolicy: IfNotPresent
        # Overrides the image tag whose default is the chart appVersion.
        tag: v8.1.0

      webhook:
        timeoutSeconds: 2
        failurePolicy: Ignore

      tls:
        certificateSecret: ""
        autogenerate: true
        renew: false
        certManagerIssuerRef: {}

      imagePullSecrets: []
      podAnnotations: {}
      podLabels: {}

      networkPolicy:
        enabled: false
        ingress: {}
          # - from:
          #   - ipBlock:
        #       cidr: 0.0.0.0/0

      ## Ref: https://kubernetes.io/docs/tasks/run-application/configure-pdb/
      ##
      pdb: {}

      priorityClassName:

      ## Ref: https://kubernetes.io/docs/concepts/scheduling-eviction/topology-spread-constraints/
      ##
      topologySpreadConstraints: []
        # - maxSkew: 1
        #   topologyKey: topology.kubernetes.io/zone
        #   whenUnsatisfiable: ScheduleAnyway
        #   labelSelector:
        #     matchLabels:
      #       app.kubernetes.io/instance: snapshot-validation-webhook

      podSecurityContext: {}
      # fsGroup: 2000

      securityContext:
        capabilities:
          drop:
            - ALL
        readOnlyRootFilesystem: true
        runAsNonRoot: true
        runAsUser: 1000

      resources: {}

      nodeSelector: {}

      tolerations: []

      affinity: {}

      serviceAccount:
        create: true
        name: ""

      rbac:
        create: true

      # Change `hostNetwork` to `true` when you want the pod to share its host's network namespace.
      hostNetwork: false

      # DNS settings for the webhook pod. https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-dns-config
      dnsConfig: {}
      # DNS Policy for webhook pod. For Pods running with hostNetwork, set to `ClusterFirstWithHostNet`
      # For further reference: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy.
      dnsPolicy: ClusterFirst

      tests:
        nodeSelector: { }

        tolerations: [ ]

        affinity: { }

Enabling the velero module

YAML description

Warning!

Values without a description (1) are advanced settings; editing them is not recommended.

  1. Description
apiVersion: addon.bootsman.tech/v1alpha1
kind: Config
metadata:
  name: CLUSTER_NAME-velero
  namespace: CLUSTER_NAMESPACE
spec:
  enabled: true # (1)
  values:
    configuration:
      backupStorageLocation:
        - bucket: velero-bucket # (2)
          config:
            checksumAlgorithm: '' # (3)
            region: ru-central1 # (4)
            s3Url: https://storage.yandexcloud.net # (5)
          name: default # (6)
          prefix: velero-backup # (7)
          provider: aws
      features: EnableCSI
      volumeSnapshotLocation:
        - config:
            region: ru-central1 # (4)
          name: volume-snapshot-provider-name # (8)
          provider: aws
    credentials:
      secretContents:
        cloud: | # (9)
          [default]
          aws_access_key_id=awsaccesskeyid
          aws_secret_access_key=awssecretaccesskey
    image:
      repository: harbor.bootsman.host/bootsman-nimbus/common-artifacts/velero
    initContainers:
      - image: >-
          harbor.bootsman.host/bootsman-nimbus/common-artifacts/velero-plugin-for-aws:v1.10.0
        imagePullPolicy: IfNotPresent
        name: velero-plugin-for-aws
        volumeMounts:
          - mountPath: /target
            name: plugins
    kubectl:
      image:
        repository: harbor.bootsman.host/bootsman-nimbus/common-artifacts/bitnami-kubectl
        tag: 1.28.4
  1. true: the module is enabled; false: the module is disabled
  2. Name of the bucket in the S3 storage
  3. Checksum verification support; depends on the S3 implementation in use
  4. Region
  5. URL of the S3 storage API
  6. Name of the Velero "profile" (backupStorageLocation) used to store manifests
  7. Additional directory inside the bucket where the backup is placed
  8. Name of the Velero "profile" (volumeSnapshotLocation) used to store Longhorn backups
  9. Secret used to authenticate to the S3 storage
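The two Config manifests on this page only work together if a few details line up: the Longhorn VolumeSnapshotClass from the snapshot-controller module must carry the velero.io/csi-volumesnapshot-class label that Velero's CSI support selects on, the velero module must set EnableCSI, the S3 endpoint should be HTTPS because the access key travels over it, the backup and snapshot locations should agree on region, and the sample credentials (awsaccesskeyid / awssecretaccesskey) must have been replaced before the Config is applied. The script below is an added example written for this page, not code from the Bootsman modules or from Velero. It mirrors both manifests' spec.values as constructed Python dicts (annotation markers removed), checks all of those points, and includes a deliberately weakened variant so the findings can be seen; the function names, PLACEHOLDER_CREDS and weak_velero_values() are assumptions made for the example.

```python
"""Consistency check for the snapshot-controller and velero Config values
shown on this page.  Added example; not part of the Bootsman modules or of
Velero.  The dicts below are constructed to mirror the page's YAML with the
annotation markers removed; on a real cluster load each Config's
spec.values with yaml.safe_load() instead."""
import configparser
import copy
from urllib.parse import urlparse

# Constructed: snapshot-controller values from the page.
SNAPSHOT_CONTROLLER_VALUES = {
    "controller": {
        "volumeSnapshotClasses": [{
            "name": "longhorn",
            "driver": "driver.longhorn.io",
            "deletionPolicy": "Delete",
            "annotations": {"snapshot.storage.kubernetes.io/is-default-class": "true"},
            "labels": {"velero.io/csi-volumesnapshot-class": "true"},
            "parameters": {"type": "bak"},
        }],
    },
}

# Constructed: velero values from the page, including its sample credentials.
VELERO_VALUES = {
    "configuration": {
        "features": "EnableCSI",
        "backupStorageLocation": [{
            "name": "default", "provider": "aws", "bucket": "velero-bucket",
            "prefix": "velero-backup",
            "config": {"checksumAlgorithm": "", "region": "ru-central1",
                       "s3Url": "https://storage.yandexcloud.net"},
        }],
        "volumeSnapshotLocation": [{
            "name": "volume-snapshot-provider-name", "provider": "aws",
            "config": {"region": "ru-central1"},
        }],
    },
    "credentials": {"secretContents": {"cloud": (
        "[default]\n"
        "aws_access_key_id=awsaccesskeyid\n"
        "aws_secret_access_key=awssecretaccesskey\n")}},
}

# The page's sample credential values; they must never reach a cluster.
PLACEHOLDER_CREDS = {"awsaccesskeyid", "awssecretaccesskey"}


def check_snapshot_classes(values, driver="driver.longhorn.io"):
    """Problems that would stop Velero's CSI support from using a class for `driver`.
    Velero selects the VolumeSnapshotClass labelled velero.io/csi-volumesnapshot-class=true."""
    problems = []
    classes = values.get("controller", {}).get("volumeSnapshotClasses", [])
    if not any(c.get("driver") == driver and
               c.get("labels", {}).get("velero.io/csi-volumesnapshot-class") == "true"
               for c in classes):
        problems.append(f"no VolumeSnapshotClass for {driver} is labelled for Velero")
    defaults = [c.get("name") for c in classes if c.get("annotations", {})
                .get("snapshot.storage.kubernetes.io/is-default-class") == "true"]
    if len(defaults) > 1:
        problems.append(f"more than one default VolumeSnapshotClass: {defaults}")
    return problems


def check_velero(values, csi_enabled=True):
    """Problems in the velero values: CSI feature flag, storage locations, credentials."""
    problems = []
    conf = values.get("configuration", {})
    features = str(conf.get("features") or "").split(",")
    if csi_enabled and "EnableCSI" not in features:
        problems.append("configuration.features lacks EnableCSI; CSI snapshot classes are ignored")
    bsls = conf.get("backupStorageLocation", [])
    if not bsls:
        problems.append("no backupStorageLocation configured")
    for bsl in bsls:
        url = bsl.get("config", {}).get("s3Url", "")
        if url and urlparse(url).scheme != "https":  # the access key travels over this link
            problems.append(f"backupStorageLocation {bsl.get('name')}: s3Url is not https")
    regions = {b.get("config", {}).get("region") for b in bsls}
    for vsl in conf.get("volumeSnapshotLocation", []):
        if vsl.get("config", {}).get("region") not in regions:
            problems.append(f"volumeSnapshotLocation {vsl.get('name')}: region matches no backupStorageLocation")
    # The `cloud` key is an AWS-style INI credentials file with a [default] profile.
    ini = configparser.ConfigParser()
    ini.read_string(values.get("credentials", {}).get("secretContents", {}).get("cloud", ""))
    if not ini.has_section("default"):
        problems.append("credentials.secretContents.cloud has no [default] profile")
    else:
        for key in ("aws_access_key_id", "aws_secret_access_key"):
            if ini["default"].get(key, "") in PLACEHOLDER_CREDS | {""}:
                problems.append(f"credentials: {key} is empty or still the page's placeholder")
    return problems


def weak_velero_values():
    """Constructed variant of VELERO_VALUES weakened in three places, for demonstration."""
    v = copy.deepcopy(VELERO_VALUES)
    v["configuration"]["features"] = ""
    v["configuration"]["backupStorageLocation"][0]["config"]["s3Url"] = "http://storage.yandexcloud.net"
    v["configuration"]["volumeSnapshotLocation"][0]["config"]["region"] = "eu-central1"
    return v


if __name__ == "__main__":
    for name, probs in (("snapshot-controller", check_snapshot_classes(SNAPSHOT_CONTROLLER_VALUES)),
                        ("velero (page values)", check_velero(VELERO_VALUES)),
                        ("velero (weakened)", check_velero(weak_velero_values()))):
        print(name, "->", probs or "ok")
```

Run as-is, the page's snapshot-controller values pass, the page's velero values report only the two placeholder credentials, and the weakened variant adds the missing EnableCSI, the plain-HTTP endpoint and the region mismatch. Keeping the check separate from the deployment (for example as a CI step over the rendered Config objects) means a placeholder key or a downgraded endpoint is caught before the Secret is created in the cluster.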

Configuration in the UI


All Values

Advanced settings

The fine-grained settings of the module are listed below.

Use them to extend the module configuration if required.

Documentation

More complete documentation for the module:
Velero Docs
Velero Chart

Velero Values
  values:
    # Labels settings in namespace
    namespace:
      labels: {}
        # Enforce Pod Security Standards with Namespace Labels
        # https://kubernetes.io/docs/tasks/configure-pod-container/enforce-standards-namespace-labels/
        # - key: pod-security.kubernetes.io/enforce
        #   value: privileged
        # - key: pod-security.kubernetes.io/enforce-version
        #   value: latest
        # - key: pod-security.kubernetes.io/audit
        #   value: privileged
        # - key: pod-security.kubernetes.io/audit-version
        #   value: latest
        # - key: pod-security.kubernetes.io/warn
        #   value: privileged
        # - key: pod-security.kubernetes.io/warn-version
        #   value: latest

    ##
    ## End of namespace-related settings.
    ##


    ##
    ## Configuration settings that directly affect the Velero deployment YAML.
    ##

    # Details of the container image to use in the Velero deployment & daemonset (if
    # enabling node-agent). Required.
    image:
      repository: harbor.bootsman.host/bootsman-nimbus/common-artifacts/velero
      tag: v1.14.1
      # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38.
      # If used, it will take precedence over the image.tag.
      # digest:
      pullPolicy: IfNotPresent
      # One or more secrets to be used when pulling images
      imagePullSecrets: []
      # - registrySecretName

    nameOverride: ""
    fullnameOverride: ""

    # Annotations to add to the Velero deployment's. Optional.
    #
    # If you are using reloader use the following annotation with your VELERO_SECRET_NAME
    annotations: {}
    # secret.reloader.stakater.com/reload: "<VELERO_SECRET_NAME>"

    # Annotations to add to secret
    secretAnnotations: {}

    # Labels to add to the Velero deployment's. Optional.
    labels: {}

    # Annotations to add to the Velero deployment's pod template. Optional.
    #
    # If using kube2iam or kiam, use the following annotation with your AWS_ACCOUNT_ID
    # and VELERO_ROLE_NAME filled in:
    podAnnotations: {}
      #  iam.amazonaws.com/role: "arn:aws:iam::<AWS_ACCOUNT_ID>:role/<VELERO_ROLE_NAME>"

    # Additional pod labels for Velero deployment's template. Optional
    # ref: https://kubernetes.io/docs/concepts/overview/working-with-objects/labels/
    podLabels: {}

    # Number of old history to retain to allow rollback (If not set, default Kubernetes value is set to 10)
    # revisionHistoryLimit: 1

    # Resource requests/limits to specify for the Velero deployment.
    # https://velero.io/docs/v1.6/customize-installation/#customize-resource-requests-and-limits
    resources: {}
      # requests:
      #   cpu: 500m
      #   memory: 128Mi
      # limits:
      #   cpu: 1000m
      #   memory: 512Mi

    # Resource requests/limits to specify for the upgradeCRDs job pod. Need to be adjusted by user accordingly.
    upgradeJobResources: {}
    # requests:
    #     cpu: 50m
    #     memory: 128Mi
    #   limits:
    #     cpu: 100m
    #     memory: 256Mi
    upgradeCRDsJob:
      # Extra volumes for the Upgrade CRDs Job. Optional.
      extraVolumes: []
      # Extra volumeMounts for the Upgrade CRDs Job. Optional.
      extraVolumeMounts: []
      # Extra key/value pairs to be used as environment variables. Optional.
      extraEnvVars: {}


    # Configure the dnsPolicy of the Velero deployment
    # See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
    dnsPolicy: ClusterFirst

    # Init containers to add to the Velero deployment's pod spec. At least one plugin provider image is required.
    # If the value is a string then it is evaluated as a template.
    initContainers:
      - image: >-
          harbor.bootsman.host/bootsman-nimbus/common-artifacts/velero-plugin-for-aws:v1.10.0
        imagePullPolicy: IfNotPresent
        name: velero-plugin-for-aws
        volumeMounts:
          - mountPath: /target
            name: plugins
      # - name: velero-plugin-for-aws
      #   image: velero/velero-plugin-for-aws:v1.10.0
      #   imagePullPolicy: IfNotPresent
      #   volumeMounts:
      #     - mountPath: /target
      #       name: plugins

    # SecurityContext to use for the Velero deployment. Optional.
    # Set fsGroup for `AWS IAM Roles for Service Accounts`
    # see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
    podSecurityContext: {}
      # fsGroup: 1337

    # Container Level Security Context for the 'velero' container of the Velero deployment. Optional.
    # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
    containerSecurityContext: {}
      # allowPrivilegeEscalation: false
      # capabilities:
      #   drop: ["ALL"]
      #   add: []
      # readOnlyRootFilesystem: true

    # Container Lifecycle Hooks to use for the Velero deployment. Optional.
    lifecycle: {}

    # Pod priority class name to use for the Velero deployment. Optional.
    priorityClassName: ""

    # The number of seconds to allow for graceful termination of the pod. Optional.
    terminationGracePeriodSeconds: 3600

    # Liveness probe of the pod
    livenessProbe:
      httpGet:
        path: /metrics
        port: http-monitoring
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 30
      timeoutSeconds: 5
      successThreshold: 1
      failureThreshold: 5

    # Readiness probe of the pod
    readinessProbe:
      httpGet:
        path: /metrics
        port: http-monitoring
        scheme: HTTP
      initialDelaySeconds: 10
      periodSeconds: 30
      timeoutSeconds: 5
      successThreshold: 1
      failureThreshold: 5

    # Tolerations to use for the Velero deployment. Optional.
    tolerations: []

    # Affinity to use for the Velero deployment. Optional.
    affinity: {}

    # Node selector to use for the Velero deployment. Optional.
    nodeSelector: {}

    # DNS configuration to use for the Velero deployment. Optional.
    dnsConfig: {}

    # Extra volumes for the Velero deployment. Optional.
    extraVolumes: []

    # Extra volumeMounts for the Velero deployment. Optional.
    extraVolumeMounts: []

    # Extra K8s manifests to deploy
    extraObjects: []
      # - apiVersion: secrets-store.csi.x-k8s.io/v1
      #   kind: SecretProviderClass
      #   metadata:
      #     name: velero-secrets-store
      #   spec:
      #     provider: aws
      #     parameters:
      #       objects: |
      #         - objectName: "velero"
      #           objectType: "secretsmanager"
      #           jmesPath:
      #               - path: "access_key"
      #                 objectAlias: "access_key"
      #               - path: "secret_key"
      #                 objectAlias: "secret_key"
      #     secretObjects:
      #       - data:
      #         - key: access_key
      #           objectName: client-id
      #         - key: client-secret
      #           objectName: client-secret
      #         secretName: velero-secrets-store
      #         type: Opaque

    # Settings for Velero's prometheus metrics. Enabled by default.
    metrics:
      enabled: true
      scrapeInterval: 30s
      scrapeTimeout: 10s

      # service metdata if metrics are enabled
      service:
        annotations: {}
        labels: {}

      # Pod annotations for Prometheus
      podAnnotations:
        prometheus.io/scrape: "true"
        prometheus.io/port: "8085"
        prometheus.io/path: "/metrics"

      serviceMonitor:
        autodetect: true
        enabled: false
        annotations: {}
        additionalLabels: {}

        # metrics.serviceMonitor.metricRelabelings Specify Metric Relabelings to add to the scrape endpoint
        # ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#relabelconfig
        # metricRelabelings: []
        # metrics.serviceMonitor.relabelings [array] Prometheus relabeling rules
        # relabelings: []
        # ServiceMonitor namespace. Default to Velero namespace.
        # namespace:
        # ServiceMonitor connection scheme. Defaults to HTTP.
        # scheme: ""
        # ServiceMonitor connection tlsConfig. Defaults to {}.
        # tlsConfig: {}
      nodeAgentPodMonitor:
        autodetect: true
        enabled: false
        annotations: {}
        additionalLabels: {}
        # ServiceMonitor namespace. Default to Velero namespace.
        # namespace:
        # ServiceMonitor connection scheme. Defaults to HTTP.
        # scheme: ""
        # ServiceMonitor connection tlsConfig. Defaults to {}.
        # tlsConfig: {}

      prometheusRule:
        autodetect: true
        enabled: false
        # Additional labels to add to deployed PrometheusRule
        additionalLabels: {}
        # PrometheusRule namespace. Defaults to Velero namespace.
        # namespace: ""
        # Rules to be deployed
        spec: []
        # - alert: VeleroBackupPartialFailures
        #   annotations:
        #     message: Velero backup {{ $labels.schedule }} has {{ $value | humanizePercentage }} partialy failed backups.
        #   expr: |-
        #     velero_backup_partial_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25
        #   for: 15m
        #   labels:
        #     severity: warning
        # - alert: VeleroBackupFailures
        #   annotations:
        #     message: Velero backup {{ $labels.schedule }} has {{ $value | humanizePercentage }} failed backups.
        #   expr: |-
        #     velero_backup_failure_total{schedule!=""} / velero_backup_attempt_total{schedule!=""} > 0.25
        #   for: 15m
        #   labels:
        #     severity: warning

    kubectl:
      image:
        repository: harbor.bootsman.host/bootsman-nimbus/common-artifacts/bitnami-kubectl
        # Digest value example: sha256:d238835e151cec91c6a811fe3a89a66d3231d9f64d09e5f3c49552672d271f38.
        # If used, it will take precedence over the kubectl.image.tag.
        # digest:
        # kubectl image tag. If used, it will take precedence over the cluster Kubernetes version.
        tag: 1.28.4
      # Container Level Security Context for the 'kubectl' container of the crd jobs. Optional.
      # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
      containerSecurityContext: {}
      # Resource requests/limits to specify for the upgrade/cleanup job. Optional
      resources: {}
      # Annotations to set for the upgrade/cleanup job. Optional.
      annotations: {}
      # Labels to set for the upgrade/cleanup job. Optional.
      labels: {}

    # This job upgrades the CRDs.
    upgradeCRDs: true

    # This job is meant primarily for cleaning up CRDs on CI systems.
    # Using this on production systems, especially those that have multiple releases of Velero, will be destructive.
    cleanUpCRDs: false

    ##
    ## End of deployment-related settings.
    ##


    ##
    ## Parameters for the `default` BackupStorageLocation and VolumeSnapshotLocation,
    ## and additional server settings.
    ##
    configuration:
      # Parameters for the BackupStorageLocation(s). Configure multiple by adding other element(s) to the backupStorageLocation slice.
      # See https://velero.io/docs/v1.6/api-types/backupstoragelocation/
      backupStorageLocation:
        # name is the name of the backup storage location where backups should be stored. If a name is not provided,
        # a backup storage location will be created with the name "default". Optional.
      - name: default
        # provider is the name for the backup storage location provider.
        provider: aws
        # bucket is the name of the bucket to store backups in. Required.
        bucket: velero-bucket
        # caCert defines a base64 encoded CA bundle to use when verifying TLS connections to the provider. Optional.
        caCert:
        # prefix is the directory under which all Velero data should be stored within the bucket. Optional.
        prefix: velero-backup
        # default indicates this location is the default backup storage location. Optional.
        default:
        # validationFrequency defines how frequently Velero should validate the object storage. Optional.
        validationFrequency:
        # accessMode determines if velero can write to this backup storage location. Optional.
        # default to ReadWrite, ReadOnly is used during migrations and restores.
        accessMode: ReadWrite
        credential:
          # name of the secret used by this backupStorageLocation.
          name:
          # name of key that contains the secret data to be used.
          key:
        # Additional provider-specific configuration. See link above
        # for details of required/optional fields for your provider.
        config:
          checksumAlgorithm: ''
          region: ru-central1
          s3Url: https://storage.yandexcloud.net
        #  region:
        #  s3ForcePathStyle:
        #  s3Url:
        #  kmsKeyId:
        #  resourceGroup:
        #  The ID of the subscription containing the storage account, if different from the cluster's subscription. (Azure only)
        #  subscriptionId:
        #  storageAccount:
        #  publicUrl:
        #  Name of the GCP service account to use for this backup storage location. Specify the
        #  service account here if you want to use workload identity instead of providing the key file.(GCP only)
        #  serviceAccount:
        #  Option to skip certificate validation or not if insecureSkipTLSVerify is set to be true, the client side should set the
        #  flag. For Velero client Command like velero backup describe, velero backup logs needs to add the flag --insecure-skip-tls-verify
        #  insecureSkipTLSVerify:

        # annotations allows adding arbitrary annotations to this BackupStorageLocation resource. Optional.
        annotations: {}

      # Parameters for the VolumeSnapshotLocation(s). Configure multiple by adding other element(s) to the volumeSnapshotLocation slice.
      # See https://velero.io/docs/v1.6/api-types/volumesnapshotlocation/
      volumeSnapshotLocation:
        # name is the name of the volume snapshot location where snapshots are being taken. Required.
      - name: volume-snapshot-provider-name
        # provider is the name for the volume snapshot provider.
        provider: aws
        credential:
          # name of the secret used by this volumeSnapshotLocation.
          name:
          # name of key that contains the secret data to be used.
          key:
        # Additional provider-specific configuration. See link above
        # for details of required/optional fields for your provider.
        config:
          region: ru-central1
      #    region:
      #    apiTimeout:
      #    resourceGroup:
      #    The ID of the subscription where volume snapshots should be stored, if different from the cluster’s subscription. If specified, also requires `configuration.volumeSnapshotLocation.config.resourceGroup`to be set. (Azure only)
      #    subscriptionId:
      #    incremental:
      #    snapshotLocation:
      #    project:

        # annotations allows adding arbitrary annotations to this VolumeSnapshotLocation resource. Optional.
        annotations: {}

      # These are server-level settings passed as CLI flags to the `velero server` command. Velero
      # uses default values if they're not passed in, so they only need to be explicitly specified
      # here if using a non-default value. The `velero server` default values are shown in the
      # comments below.
      # --------------------
      # `velero server` default: kopia
      uploaderType:
      # `velero server` default: 1m
      backupSyncPeriod:
      # `velero server` default: 4h
      fsBackupTimeout:
      # `velero server` default: 30
      clientBurst:
      # `velero server` default: 500
      clientPageSize:
      # `velero server` default: 20.0
      clientQPS:
      # Name of the default backup storage location. Default: default
      defaultBackupStorageLocation:
      # The default duration any single item operation can take before timing out, especially important for large volume schedules. Default 4h
      defaultItemOperationTimeout:
      # How long to wait by default before backups can be garbage collected. Default: 72h
      defaultBackupTTL:
      # Name of the default volume snapshot location.
      defaultVolumeSnapshotLocations:
      # `velero server` default: empty
      disableControllers:
      # `velero server` default: false
      disableInformerCache: false
      # `velero server` default: 1h
      garbageCollectionFrequency:
      # Set log-format for Velero pod. Default: text. Other option: json.
      logFormat:
      # Set log-level for Velero pod. Default: info. Other options: debug, warning, error, fatal, panic.
      logLevel:
      # The address to expose prometheus metrics. Default: :8085
      metricsAddress:
      # Directory containing Velero plugins. Default: /plugins
      pluginDir:
      # The address to expose the pprof profiler. Default: localhost:6060
      profilerAddress:
      # `velero server` default: false
      restoreOnlyMode:
      # `velero server` default: customresourcedefinitions,namespaces,storageclasses,volumesnapshotclass.snapshot.storage.k8s.io,volumesnapshotcontents.snapshot.storage.k8s.io,volumesnapshots.snapshot.storage.k8s.io,persistentvolumes,persistentvolumeclaims,secrets,configmaps,serviceaccounts,limitranges,pods,replicasets.apps,clusterclasses.cluster.x-k8s.io,clusters.cluster.x-k8s.io,clusterresourcesets.addons.cluster.x-k8s.io
      restoreResourcePriorities:
      # `velero server` default: 1m
      storeValidationFrequency:
      # How long to wait on persistent volumes and namespaces to terminate during a restore before timing out. Default: 10m
      terminatingResourceTimeout:
      # Bool flag to configure Velero server to move data by default for all snapshots supporting data movement. Default: false
      defaultSnapshotMoveData:
      # Comma separated list of velero feature flags. default: empty
      features: EnableCSI
      # Resource requests/limits to specify for the repository-maintenance job. Optional.
      # https://velero.io/docs/v1.14/repository-maintenance/#resource-limitation
      repositoryMaintenanceJob:
        requests:
        #   cpu: 500m
        #   memory: 512Mi
        limits:
        #   cpu: 1000m
        #   memory: 1024Mi
        # Number of latest maintenance jobs to keep for each repository
        latestJobsCount: 3
      # `velero server` default: velero
      namespace:
      # additional command-line arguments that will be passed to the `velero server`
      # e.g.: extraArgs: ["--foo=bar"]
      extraArgs: []

      # additional key/value pairs to be used as environment variables such as "AWS_CLUSTER_NAME: 'yourcluster.domain.tld'"
      extraEnvVars: {}

      # Set true for backup all pod volumes without having to apply annotation on the pod when used file system backup Default: false.
      defaultVolumesToFsBackup:

      # How often repository maintain is run for repositories by default.
      defaultRepoMaintainFrequency:

    ##
    ## End of backup/snapshot location settings.
    ##


    ##
    ## Settings for additional Velero resources.
    ##

    rbac:
      # Whether to create the Velero role and role binding to give all permissions to the namespace to Velero.
      create: true
      # Whether to create the cluster role binding to give administrator permissions to Velero
      clusterAdministrator: true
      # Name of the ClusterRole.
      clusterAdministratorName: cluster-admin

    # Information about the Kubernetes service account Velero uses.
    serviceAccount:
      server:
        create: true
        name:
        annotations:
        labels:
        imagePullSecrets: []
        # - registrySecretName

    # Info about the secret to be used by the Velero deployment, which
    # should contain credentials for the cloud provider IAM account you've
    # set up for Velero.
    credentials:
      # Whether a secret should be used. Set to false if, for examples:
      # - using kube2iam or kiam to provide AWS IAM credentials instead of providing the key file. (AWS only)
      # - using workload identity instead of providing the key file. (Azure/GCP only)
      useSecret: true
      # Name of the secret to create if `useSecret` is true and `existingSecret` is empty
      name:
      # Name of a pre-existing secret (if any) in the Velero namespace
      # that should be used to get IAM account credentials. Optional.
      existingSecret:
      # Data to be stored in the Velero secret, if `useSecret` is true and `existingSecret` is empty.
      # As of the current Velero release, Velero only uses one secret key/value at a time.
      # The key must be named `cloud`, and the value corresponds to the entire content of your IAM credentials file.
      # Note that the format will be different for different providers, please check their documentation.
      # Here is a list of documentation for plugins maintained by the Velero team:
      # [AWS] https://github.com/vmware-tanzu/velero-plugin-for-aws/blob/main/README.md
      # [GCP] https://github.com/vmware-tanzu/velero-plugin-for-gcp/blob/main/README.md
      # [Azure] https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure/blob/main/README.md
      secretContents:
        cloud: |
          [default]
          aws_access_key_id=awsaccesskeyid
          aws_secret_access_key=awssecretaccesskey
      #  cloud: |
      #    [default]
      #    aws_access_key_id=<REDACTED>
      #    aws_secret_access_key=<REDACTED>
      # additional key/value pairs to be used as environment variables such as "DIGITALOCEAN_TOKEN: <your-key>". Values will be stored in the secret.
      extraEnvVars: {}
      # Name of a pre-existing secret (if any) in the Velero namespace
      # that will be used to load environment variables into velero and node-agent.
      # Secret should be in format - https://kubernetes.io/docs/concepts/configuration/secret/#use-case-as-container-environment-variables
      extraSecretRef: ""

    # Whether to create backupstoragelocation crd, if false => do not create a default backup location
    backupsEnabled: true
    # Whether to create volumesnapshotlocation crd, if false => disable snapshot feature
    snapshotsEnabled: true

    # Whether to deploy the node-agent daemonset.
    deployNodeAgent: false

    nodeAgent:
      podVolumePath: /var/lib/kubelet/pods
      # Pod priority class name to use for the node-agent daemonset. Optional.
      priorityClassName: ""
      # Resource requests/limits to specify for the node-agent daemonset deployment. Optional.
      # https://velero.io/docs/v1.6/customize-installation/#customize-resource-requests-and-limits
      resources: {}
        # requests:
        #   cpu: 500m
        #   memory: 512Mi
        # limits:
        #   cpu: 1000m
        #   memory: 1024Mi

      # Tolerations to use for the node-agent daemonset. Optional.
      tolerations: []

      # Annotations to set for the node-agent daemonset. Optional.
      annotations: {}

      # labels to set for the node-agent daemonset. Optional.
      labels: {}

      # will map /scratch to emptyDir. Set to false and specify your own volume
      # via extraVolumes and extraVolumeMounts that maps to /scratch
      # if you don't want to use emptyDir.
      useScratchEmptyDir: true

      # Extra volumes for the node-agent daemonset. Optional.
      extraVolumes: []

      # Extra volumeMounts for the node-agent daemonset. Optional.
      extraVolumeMounts: []

      # Key/value pairs to be used as environment variables for the node-agent daemonset. Optional.
      extraEnvVars: {}

      # Additional command-line arguments that will be passed to the node-agent. Optional.
      # e.g.: extraArgs: ["--foo=bar"]
      extraArgs: []

      # Configure the dnsPolicy of the node-agent daemonset
      # See: https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#pod-s-dns-policy
      dnsPolicy: ClusterFirst

      # SecurityContext to use for the Velero deployment. Optional.
      # Set fsGroup for `AWS IAM Roles for Service Accounts`
      # see more informations at: https://docs.aws.amazon.com/eks/latest/userguide/iam-roles-for-service-accounts.html
      podSecurityContext:
        runAsUser: 0
        # fsGroup: 1337

      # Container Level Security Context for the 'node-agent' container of the node-agent daemonset. Optional.
      # See: https://kubernetes.io/docs/tasks/configure-pod-container/security-context/#set-the-security-context-for-a-container
      containerSecurityContext: {}

      # Container Lifecycle Hooks to use for the node-agent daemonset. Optional.
      lifecycle: {}

      # Node selector to use for the node-agent daemonset. Optional.
      nodeSelector: {}

      # Affinity to use with node-agent daemonset. Optional.
      affinity: {}

      # DNS configuration to use for the node-agent daemonset. Optional.
      dnsConfig: {}

    # Backup schedules to create.
    # Eg:
    # schedules:
    #   mybackup:
    #     disabled: false
    #     labels:
    #       myenv: foo
    #     annotations:
    #       myenv: foo
    #     schedule: "0 0 * * *"
    #     useOwnerReferencesInBackup: false
    #     paused: false
    #     template:
    #       ttl: "240h"
    #       storageLocation: default
    #       includedNamespaces:
    #       - foo
    #       # See: https://velero.io/docs/v1.14/resource-filtering/#excludes
    #       excludedNamespaceScopedResources:
    #       - persistentVolumeClaims
    #       excludedClusterScopedResources:
    #       - persistentVolumes
    schedules: {}

    # Velero ConfigMaps.
    # Eg:
    # configMaps:
    #   # See: https://velero.io/docs/v1.11/file-system-backup/
    #   fs-restore-action-config:
    #     labels:
    #       velero.io/plugin-config: ""
    #       velero.io/pod-volume-restore: RestoreItemAction
    #     data:
    #       image: velero/velero-restore-helper:v1.10.2
    #       cpuRequest: 200m
    #       memRequest: 128Mi
    #       cpuLimit: 200m
    #       memLimit: 128Mi
    #       secCtx: |
    #         capabilities:
    #           drop:
    #           - ALL
    #           add: []
    #         allowPrivilegeEscalation: false
    #         readOnlyRootFilesystem: true
    #         runAsUser: 1001
    #         runAsGroup: 999
    configMaps: {}
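The `credentials` section above is the one place where this values file can carry a live secret: when `useSecret` is true and `existingSecret` is empty, the text under `secretContents.cloud` is rendered verbatim into a Kubernetes Secret. The template ships with the dummy values `awsaccesskeyid` / `awssecretaccesskey`, and a values file committed with those, or with empty keys, or with inline real keys instead of a reference to an existing Secret, is worth catching before it is applied. The following check is an added example (not code from the page or from the Velero chart); it assumes the `cloud` content is the INI-style AWS shared credentials file shown above, parses it with the standard library and reports what a reviewer would want to know. The placeholder strings come from the values on this page.

```python
"""Review the Velero `credentials` values before they become a Secret.

Added example; not part of the original page or the Velero chart. It reads
the INI-style text the chart expects under `secretContents.cloud` (the
[default] profile with aws_access_key_id / aws_secret_access_key) and flags
placeholder or redacted values, missing keys, and inline credentials that an
existingSecret reference would keep out of the values file.
"""
import configparser

# Dummy values present in the values template above; deploying them unchanged
# leaves Velero with a non-working credential that looks configured.
PLACEHOLDER_VALUES = {"awsaccesskeyid", "awssecretaccesskey", "<REDACTED>"}
REQUIRED_KEYS = ("aws_access_key_id", "aws_secret_access_key")


def parse_cloud_credentials(cloud_text):
    """Parse the `cloud` value (AWS shared-credentials format) into a dict."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(cloud_text)
    if "default" not in parser:
        raise ValueError("credentials file has no [default] profile")
    return dict(parser["default"])


def check_credentials(credentials):
    """Return a list of findings for a `credentials:` values block (empty = ok).

    `credentials` mirrors the chart structure: useSecret, existingSecret,
    secretContents (with the single key `cloud`).
    """
    findings = []
    if not credentials.get("useSecret", True):
        return findings  # workload identity: no secret is rendered at all
    if credentials.get("existingSecret"):
        return findings  # secret is managed outside this values file
    contents = credentials.get("secretContents") or {}
    if "cloud" not in contents:
        findings.append("secretContents must contain the key `cloud`")
        return findings
    findings.append("credentials are inline in values; prefer existingSecret")
    try:
        profile = parse_cloud_credentials(contents["cloud"])
    except (ValueError, configparser.Error) as exc:
        findings.append(f"cloud: unparsable credentials file ({exc})")
        return findings
    for key in REQUIRED_KEYS:
        value = profile.get(key, "")
        if not value:
            findings.append(f"cloud: {key} is missing or empty")
        elif value in PLACEHOLDER_VALUES:
            findings.append(f"cloud: {key} still holds the template placeholder")
    return findings


if __name__ == "__main__":
    # Constructed input: the credentials block exactly as the template ships it.
    template_block = {
        "useSecret": True,
        "existingSecret": "",
        "secretContents": {
            "cloud": "[default]\n"
                     "aws_access_key_id=awsaccesskeyid\n"
                     "aws_secret_access_key=awssecretaccesskey\n"
        },
    }
    for finding in check_credentials(template_block):
        print("-", finding)
```

Run against the block as shipped it reports three findings (inline credentials plus both placeholders); with `existingSecret` set, or with `useSecret: false` for workload identity, it reports none.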

Enabling the velero-config module

YAML description

Warning!

Values without a description (1) are advanced settings and editing them is not recommended

  1. Description
apiVersion: addon.bootsman.tech/v1alpha1
kind: Config
metadata:
  name: CLUSTER_NAME-velero-config
  namespace: CLUSTER_NAMESPACE
spec:
  enabled: true (1)
  values:
    longhornS3Secret:
      create: true (2)
      name: longhorn-s3 (3)
      awsEndpoints: '' (4)
      awsAccessKeyId: '' (5)
      awsSecretAccessKey: '' (6)
  1. true - enabled.

    false - disabled

  2. true - create a new Secret.

    false - use an existing one

  3. Name of the Secret, existing or created.
  4. URL for connecting to the S3 storage API
  5. S3 key for authorization
  6. S3 password for authorization

Configuration in the UI


Warning!

Do not forget to add the backup information to the Longhorn configuration

Usage examples

Documentation

More complete documentation for the module:
Velero Docs

For further work you will need to configure the following objects:

  1. Schedule (1)
  2. Backup (2)
  3. Restore (3)
  1. The main configuration object. Creates the schedule according to which Backup objects are created
  2. The object that starts the backup procedure. To create a schedule, use the Schedule object
  3. The restore object. Required to restore data from a backup

Schedule object field description

Schedule.yaml

apiVersion: velero.io/v1
kind: Schedule
metadata:
  name: SCHEDULE_NAME (1)
  namespace: velero
spec:
  schedule: SCHEDULE (2)
  template:
    storageLocation: STORAGE_LOCATION_NAME (3)
    csiSnapshotTimeout: SNAPSHOT_TIMEOUT (4)
    includedNamespaces:
    - '*' (5)
    itemOperationTimeout: OPERATION_TIMEOUT (6)
    ttl: TTL (7)
    volumeSnapshotLocations:
      - SNAPSHOT_LOCATION_NAME (8)
  useOwnerReferencesInBackup: USE_OWNER (9)

  1. Name of the Schedule object
  2. Backup schedule in cron format.

    The value is given in ' '.

    Example: '0 0 * * *' - run at midnight

  3. Name of the Velero "profile" for storing manifests
  4. Timeout for creating backups via CSI.

    Default: 10m0s

  5. Objects of which Namespaces are affected by the procedure
  6. Timeout for operations on individual resources
  7. Backup lifetime.

    Default: 720h0m0s

  8. Name of the Velero "profile" for storing Longhorn backups
  9. Whether to use references to the resource owners (Owner References) in backups

Backup object field description

Backup.yaml

apiVersion: velero.io/v1
kind: Backup
metadata:
  labels:
    velero.io/storage-location: STORAGE_LOCATION_NAME (1)
  name: BACKUP_NAME (2)
  namespace: velero
spec:
  csiSnapshotTimeout: SNAPSHOT_TIMEOUT (3)
  defaultVolumesToFsBackup: TO_FS_BACKUP (4)
  includedNamespaces:
  - '*' (5)
  itemOperationTimeout: OPERATION_TIMEOUT (6)
  snapshotMoveData: MOVE_DATA (7)
  storageLocation: STORAGE_LOCATION_NAME (1)
  ttl: TTL (8)
  volumeSnapshotLocations:
  - SNAPSHOT_LOCATION_NAME (9)

  1. Name of the Velero "profile" for storing manifests
  2. Name of the Backup object
  3. Timeout for creating backups via CSI.

    Default: 10m0s

  4. Whether to create file-system backups.

    Default: false

  5. Objects of which Namespaces are affected by the procedure
  6. Timeout for operations on individual resources
  7. true - move the data to S3.

    false - leave it in the system

  8. Backup lifetime.

    Default: 720h0m0s

  9. Name of the Velero "profile" for storing Longhorn backups

Restore object field description

Restore.yaml

apiVersion: velero.io/v1
kind: Restore
metadata:
  name: RESTORE_NAME (1)
  namespace: velero
spec:
  backupName: BACKUP_NAME (2)
  includedNamespaces:
  - '*' (3)
  itemOperationTimeout: OPERATION_TIMEOUT (4)

  1. Name of the Restore object
  2. Name of the Backup object
  3. Objects of which Namespaces are affected by the procedure
  4. Timeout for operations on individual resources
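The three templates above share most of their fields, and the values that Velero rejects (a schedule that is not a cron expression, a ttl or timeout that is not a Go duration, an empty namespace list) only surface when the object is applied. The following is an added example, not code from the page or from Velero: it fills the page's placeholders (SCHEDULE_NAME, STORAGE_LOCATION_NAME, SNAPSHOT_TIMEOUT, ...) from function arguments, validates them before anything reaches the cluster, and emits JSON, which kubectl applies exactly like YAML. The `bootsman` storage location is taken from the CLI examples on this page; the snapshot location name and the cron/duration regexes (no month or weekday names) are this example's own assumptions.

```python
"""Build validated Velero Schedule, Backup and Restore manifests.

Added example; not code from the original page or from Velero itself. The
defaults 10m0s (csiSnapshotTimeout) and 720h0m0s (ttl) are the ones the page
gives; the validation rules are a simplification of what the Velero API
accepts (5-field numeric cron, Go durations such as 10m0s or 720h0m0s).
"""
import json
import re

GO_DURATION = re.compile(r"^(?=.)(\d+h)?(\d+m)?(\d+s)?$")
CRON_FIELD = re.compile(r"^(\*|\d+)(-\d+)?(/\d+)?(,(\*|\d+)(-\d+)?(/\d+)?)*$")


def valid_duration(value):
    """Go duration as Velero prints it: 10m0s, 720h0m0s, 20m (not bare numbers)."""
    return isinstance(value, str) and GO_DURATION.fullmatch(value) is not None


def valid_cron(expr):
    """Standard 5-field cron: '0 0 * * *' (midnight), '0 */6 * * *' (every 6 h)."""
    fields = expr.split()
    return len(fields) == 5 and all(CRON_FIELD.fullmatch(f) for f in fields)


def backup_template(storage_location, snapshot_location, item_operation_timeout,
                    namespaces=("*",), csi_snapshot_timeout="10m0s", ttl="720h0m0s"):
    """The spec shared by Backup and Schedule.template (defaults from the page)."""
    for field, value in (("csiSnapshotTimeout", csi_snapshot_timeout),
                         ("itemOperationTimeout", item_operation_timeout),
                         ("ttl", ttl)):
        if not valid_duration(value):
            raise ValueError(f"{field}: {value!r} is not a duration like 10m0s")
    if not namespaces:
        raise ValueError("includedNamespaces must list at least one namespace or '*'")
    return {
        "storageLocation": storage_location,
        "volumeSnapshotLocations": [snapshot_location],
        "includedNamespaces": list(namespaces),
        "csiSnapshotTimeout": csi_snapshot_timeout,
        "itemOperationTimeout": item_operation_timeout,
        "ttl": ttl,
    }


def schedule_manifest(name, cron, template, use_owner_references=False):
    """Schedule: the template becomes spec.template, as in Schedule.yaml above."""
    if not valid_cron(cron):
        raise ValueError(f"schedule: {cron!r} is not a 5-field cron expression")
    return {
        "apiVersion": "velero.io/v1", "kind": "Schedule",
        "metadata": {"name": name, "namespace": "velero"},
        "spec": {"schedule": cron, "template": template,
                 "useOwnerReferencesInBackup": use_owner_references},
    }


def backup_manifest(name, template, snapshot_move_data, default_volumes_to_fs_backup=False):
    """One-off Backup; the storage-location label mirrors Backup.yaml above."""
    spec = dict(template, snapshotMoveData=snapshot_move_data,
                defaultVolumesToFsBackup=default_volumes_to_fs_backup)
    return {
        "apiVersion": "velero.io/v1", "kind": "Backup",
        "metadata": {"name": name, "namespace": "velero",
                     "labels": {"velero.io/storage-location": template["storageLocation"]}},
        "spec": spec,
    }


def restore_manifest(name, backup_name, item_operation_timeout, namespaces=("*",)):
    """Restore from an existing Backup by name, as in Restore.yaml above."""
    if not valid_duration(item_operation_timeout):
        raise ValueError(f"itemOperationTimeout: {item_operation_timeout!r} is not a duration")
    return {
        "apiVersion": "velero.io/v1", "kind": "Restore",
        "metadata": {"name": name, "namespace": "velero"},
        "spec": {"backupName": backup_name, "includedNamespaces": list(namespaces),
                 "itemOperationTimeout": item_operation_timeout},
    }


if __name__ == "__main__":
    # Constructed values: `bootsman` is the storage location used in the CLI
    # examples on the page; `longhorn-snapshots` is an assumed snapshot location.
    tmpl = backup_template("bootsman", "longhorn-snapshots", item_operation_timeout="1h0m0s",
                           namespaces=["app-prod"], csi_snapshot_timeout="20m")
    print(json.dumps(schedule_manifest("nightly-app-prod", "0 0 * * *", tmpl), indent=2))
```

Pipe the output to `kubectl apply -f -` once the storage and snapshot location names match the profiles configured for the module; the ValueError raised on a bad cron string or duration is the same category of mistake the API server would otherwise report after the fact.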

Installing and using the velero client

The most convenient way to use velero is the official client. It can be installed in the following ways:

macOS

brew install velero

GitHub release

  1. Download it from the release page
  2. Extract: tar -xvf velero-v1.14.1-<OS>-<ARCH>.tar.gz
  3. Move the velero binary to a directory in $PATH (e.g. /usr/local/bin)

velero will use the current kubectl context

Basic commands

Creating a backup:

velero backup create <имя_резервной_копии> \
  --storage-location bootsman \
  --csi-snapshot-timeout=20m \
  --include-namespaces <namespace1>,<namespace2>

If include-namespaces is not specified, all namespaces are backed up. If large volumes have to be copied, it is recommended to raise csi-snapshot-timeout (the default value is 10m).

Listing backups:

velero backup get

Restoring from a backup:

velero restore create --from-backup <имя_резервной_копии>

Viewing the backup/restore log:

velero backup logs <имя_резервной_копии>
velero restore logs <имя_восстановления>

Creating a backup schedule:

velero schedule create <имя_расписания> \
  --schedule "0 */6 * * *" \
  --include-namespaces <namespace>