Velero backup and restore
Velero is an open-source tool for backing up and restoring Kubernetes cluster resources and persistent volumes. Subsalt supports Velero on AKS with Azure Workload Identity, so Velero authenticates to Azure with short-lived federated tokens instead of credentials stored in the cluster.
Overview
Velero backs up two categories of data:
Kubernetes resources: Deployments, Services, ConfigMaps, Secrets, etc.
Persistent volume data: CSI volume snapshots are taken and their contents are copied to Azure Blob Storage by the Kopia data mover, so backup data is stored outside the cluster and does not depend on the disk snapshot remaining available.
Authentication to Azure Blob Storage uses Azure Workload Identity: the workload identity webhook injects a short-lived projected ServiceAccount token into the Velero pods, which the Azure plugin exchanges for an Entra ID access token. No storage account keys or static credentials are stored in the cluster.
Setup
Velero is installed via the official Helm chart from the vmware-tanzu repository. Setup requires:
An Azure Managed Identity for Velero with a federated credential bound to the Velero ServiceAccount
RBAC role assignments: Storage Blob Data Contributor on the backup storage account, and Contributor on the resource group in which CSI disk snapshots are created (normally the AKS node resource group)
An Azure Blob Storage container to store backup data
Helm values configured with useAAD: "true" and credentials.useSecret: false
For detailed setup instructions, refer to the Velero Plugin for Microsoft Azure documentation.
When using the Velero Helm chart (rather than the velero install CLI), the ServiceAccount is named velero-server, not velero. The federated identity credential subject must match: system:serviceaccount:velero:velero-server unless a custom name is specified. The Velero server pod (and the node-agent pods that run the Kopia data mover) must also carry the azure.workload.identity/use: "true" label, otherwise the webhook does not inject the token and the plugin falls back to looking for static credentials.
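The steps above, carried through end to end as an added example (this is not Subsalt's or Velero's own tooling). It derives the federated-credential subject from the install method, creates the managed identity, federated credential and role assignments with the Azure CLI, writes Helm values with useAAD and no secret, and installs the chart. Every resource name (resource group, cluster, storage account, identity, plugin version) is an assumption set through environment variables; set AZ and HELM to "echo az" and "echo helm" to preview what it would run.

```shell
#!/usr/bin/env bash
# Added example (not Subsalt's or Velero's own tooling): wire up Velero on AKS with
# Azure Workload Identity and install it with the vmware-tanzu Helm chart.
# Every name below is an assumption; override through the environment. Run: ./setup.sh apply
set -eu

AZ=${AZ:-az}; HELM=${HELM:-helm}            # set to "echo az" / "echo helm" to preview
RG=${RG:-rg-subsalt}                        # resource group of the AKS cluster (assumed)
CLUSTER=${CLUSTER:-aks-subsalt}             # needs --enable-oidc-issuer --enable-workload-identity
STORAGE_ACCOUNT=${STORAGE_ACCOUNT:-stsubsaltbackup}
CONTAINER=${CONTAINER:-velero}
IDENTITY=${IDENTITY:-id-velero}
VELERO_NS=${VELERO_NS:-velero}
INSTALL_METHOD=${INSTALL_METHOD:-helm}      # helm or cli
PLUGIN_VERSION=${PLUGIN_VERSION:-v1.10.0}   # assumed; use the plugin release matching your Velero

# The Helm chart names the server ServiceAccount velero-server; `velero install` names it velero.
sa_name_for() {
  case "$1" in
    helm) echo velero-server ;;
    cli)  echo velero ;;
    *)    echo "unknown install method: $1" >&2; return 1 ;;
  esac
}

# Subject the federated credential must carry: system:serviceaccount:<namespace>:<serviceaccount>
fed_subject() { printf 'system:serviceaccount:%s:%s' "$1" "$2"; }

# Write Helm values: AAD auth, no secret, workload-identity labels on server and node-agent pods.
# $1 output path, $2 managed identity client ID, $3 subscription ID, $4 snapshot resource group
write_values() {
  cat > "$1" <<EOF
credentials:
  useSecret: false                        # no storage key or SP secret in the cluster
serviceAccount:
  server:
    name: $(sa_name_for "$INSTALL_METHOD")
    annotations:
      azure.workload.identity/client-id: "$2"
podLabels:
  azure.workload.identity/use: "true"     # webhook injects the projected token and AZURE_* env
deployNodeAgent: true                     # node-agent runs the Kopia data mover
nodeAgent:
  podLabels:
    azure.workload.identity/use: "true"   # the data mover also talks to blob storage
configuration:
  features: EnableCSI                     # needed on older Velero releases; check your version
  defaultSnapshotMoveData: true           # CSI snapshot -> blob storage via Kopia by default
  backupStorageLocation:
    - name: default
      provider: azure
      bucket: $CONTAINER
      config:
        resourceGroup: $RG
        storageAccount: $STORAGE_ACCOUNT
        subscriptionId: "$3"
        useAAD: "true"
  volumeSnapshotLocation:
    - name: default
      provider: azure
      config:
        resourceGroup: $4                 # where disk snapshots are created
        subscriptionId: "$3"
initContainers:
  - name: velero-plugin-for-microsoft-azure
    image: velero/velero-plugin-for-microsoft-azure:$PLUGIN_VERSION
    volumeMounts:
      - mountPath: /target
        name: plugins
EOF
}

setup() {
  local client_id principal_id issuer node_rg sub_id
  sub_id=$($AZ account show --query id -o tsv)
  node_rg=$($AZ aks show -g "$RG" -n "$CLUSTER" --query nodeResourceGroup -o tsv)
  issuer=$($AZ aks show -g "$RG" -n "$CLUSTER" --query oidcIssuerProfile.issuerUrl -o tsv)
  $AZ identity create -g "$RG" -n "$IDENTITY" -o none
  client_id=$($AZ identity show -g "$RG" -n "$IDENTITY" --query clientId -o tsv)
  principal_id=$($AZ identity show -g "$RG" -n "$IDENTITY" --query principalId -o tsv)
  # Federated credential: the cluster's OIDC issuer may mint tokens for exactly this ServiceAccount.
  $AZ identity federated-credential create --name velero --identity-name "$IDENTITY" -g "$RG" \
    --issuer "$issuer" --subject "$(fed_subject "$VELERO_NS" "$(sa_name_for "$INSTALL_METHOD")")" \
    --audiences api://AzureADTokenExchange
  # Least privilege: blob data on the backup account only, Contributor only where snapshots live.
  $AZ role assignment create --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --role "Storage Blob Data Contributor" \
    --scope "$($AZ storage account show -g "$RG" -n "$STORAGE_ACCOUNT" --query id -o tsv)"
  $AZ role assignment create --assignee-object-id "$principal_id" --assignee-principal-type ServicePrincipal \
    --role Contributor --scope "$($AZ group show -n "$node_rg" --query id -o tsv)"
  $AZ storage container create --account-name "$STORAGE_ACCOUNT" --name "$CONTAINER" --auth-mode login
  write_values velero-values.yaml "$client_id" "$sub_id" "$node_rg"
  $HELM repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts
  $HELM upgrade --install velero vmware-tanzu/velero -n "$VELERO_NS" --create-namespace -f velero-values.yaml
}

if [ "${1:-}" = apply ]; then setup; fi
```

The subject is derived from the same variable that names the ServiceAccount in the values file, which removes the most common failure on this path: a federated credential for system:serviceaccount:velero:velero next to a chart-created velero-server account, which surfaces only as an AADSTS token-exchange error in the Velero logs. Role assignments take a minute or two to propagate, so a BackupStorageLocation that reports Unavailable immediately after install is not necessarily misconfigured.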
Usage
The official Velero documentation is at https://velero.io/docs/main/. The following are simple examples for getting started.
Creating a backup
To back up the Subsalt namespace:
Check the backup status:
Restoring from a backup
To restore from a backup:
Verify the restore:
Persistent volumes use CSI snapshots with data movement. New volumes are provisioned during restore and populated from blob storage. Pods will remain in Pending until their volumes are ready. Velero does not overwrite resources that already exist in the target namespace, so restore into an empty namespace (or map to a new one with --namespace-mappings) to get a complete restore.
Scheduling recurring backups
To create an automated backup schedule:
This creates a daily backup at 2:00 AM UTC and retains backups for 7 days. Adjust the cron expression and TTL as needed.
List existing schedules:
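The backup, status check, restore and schedule steps above, put together as one added example script (not code from the Subsalt page or from the Velero project). The namespace "subsalt", the schedule name, the retention period and the naming scheme are assumptions; set VELERO to "echo velero" to preview the commands. It goes a little beyond the text in treating any phase other than Completed, including PartiallyFailed, as a failed backup.

```shell
#!/usr/bin/env bash
# Added example (not from the Subsalt page): one-off backup, status check, restore and a daily
# schedule for the Subsalt namespace with the velero CLI. Namespace, names and retention are
# assumptions. Usage: ./backups.sh backup | restore <backup-name> | schedule
set -eu

VELERO=${VELERO:-velero}     # set to "echo velero" to preview the commands
KUBECTL=${KUBECTL:-kubectl}
NS=${NS:-subsalt}            # namespace to protect (assumed)
RETENTION_DAYS=${RETENTION_DAYS:-7}

# velero --ttl takes a Go duration; express retention in hours (7 days -> 168h).
ttl_for_days() { printf '%dh' "$(( $1 * 24 ))"; }

# Timestamped names sort chronologically and never collide with an earlier backup.
backup_name() { printf '%s-%s' "$1" "$(date -u +%Y%m%d-%H%M%S)"; }

# Pull status.phase out of `velero backup get NAME -o json` (or `velero restore get`) output
# without depending on jq. Reads stdin, prints the first phase found.
phase_of() { sed -n 's/.*"phase": *"\([A-Za-z]*\)".*/\1/p' | sed -n '1p'; }

# Treat anything other than Completed as failure: PartiallyFailed is still a failed backup.
check() {  # $1 backup|restore, $2 name
  local phase
  phase=$($VELERO "$1" get "$2" -o json | phase_of)
  case "$phase" in
    Completed) echo "$1 $2: Completed" ;;
    *) echo "$1 $2: ${phase:-unknown}" >&2; $VELERO "$1" describe "$2" --details >&2; return 1 ;;
  esac
}

backup() {
  local name; name=$(backup_name "$NS")
  # --snapshot-move-data: CSI snapshot, then Kopia copies the data to blob storage so the
  # backup survives loss of the cluster and of the snapshot itself. --wait blocks until done.
  $VELERO backup create "$name" --include-namespaces "$NS" --snapshot-move-data --wait
  check backup "$name"
}

restore() {  # $1 backup name
  local name; name="restore-$1-$(date -u +%Y%m%d-%H%M%S)"
  # Velero skips resources that already exist in the namespace, so restore into an empty one.
  $VELERO restore create "$name" --from-backup "$1" --include-namespaces "$NS" --wait
  check restore "$name"
  # Pods stay Pending until the data mover has populated the new volumes from blob storage.
  $KUBECTL get pods,pvc -n "$NS"
}

schedule() {
  # 02:00 UTC daily, retained for RETENTION_DAYS; same data-movement flag as the one-off backup.
  $VELERO schedule create "$NS-daily" --schedule="0 2 * * *" --include-namespaces "$NS" \
    --snapshot-move-data --ttl "$(ttl_for_days "$RETENTION_DAYS")"
  $VELERO schedule get
}

case "${1:-}" in
  backup)   backup ;;
  restore)  restore "${2:?backup name required}" ;;
  schedule) schedule ;;
  "")       ;;   # sourced or run without arguments: define the functions only
  *)        echo "usage: $0 backup|restore <backup>|schedule" >&2; exit 2 ;;
esac
```

The phase check matters in automation: velero backup create --wait returns when the backup finishes, not only when it succeeds, so a cron job that does not inspect the phase will happily report success on a PartiallyFailed backup whose volume data never reached blob storage.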