# Velero backup and restore

[Velero](https://velero.io/) is an open-source tool for backing up and restoring Kubernetes cluster resources and persistent volumes. Subsalt supports Velero on AKS with Azure Workload Identity for credential-free authentication.

### Overview

Velero backs up two categories of data:

* **Kubernetes resources** — Deployments, Services, ConfigMaps, Secrets, etc.
* **Persistent volume data** — CSI volume snapshots are taken and transferred to Azure Blob Storage via [Kopia](https://kopia.io/), ensuring backup data is stored outside the cluster.

Authentication to Azure Blob Storage uses [Azure Workload Identity](https://learn.microsoft.com/en-us/azure/aks/workload-identity-overview), which injects short-lived tokens into Velero pods automatically. No storage account keys or static credentials are stored in the cluster.

### Setup

Velero is installed via the official Helm chart from the [vmware-tanzu](https://vmware-tanzu.github.io/helm-charts) repository. Setup requires:

1. **An Azure Managed Identity** for Velero with a federated credential bound to the Velero ServiceAccount
2. **RBAC role assignments** — `Storage Blob Data Contributor` on the backup storage account and `Contributor` on the resource group for CSI disk snapshots
3. **An Azure Blob Storage container** to store backup data
4. **Helm values** configured with `useAAD: "true"` and `credentials.useSecret: false`

For detailed setup instructions, refer to the [Velero Plugin for Microsoft Azure](https://github.com/vmware-tanzu/velero-plugin-for-microsoft-azure#option-3-use-azure-ad-workload-identity) documentation.

{% hint style="info" %}
When using the Velero Helm chart (rather than the `velero install` CLI), the ServiceAccount is named `velero-server`, not `velero`. The federated identity credential subject must match: `system:serviceaccount:velero:velero-server` unless a custom name is specified.
{% endhint %}

### Usage

Official velero documentation can be found here: <https://velero.io/docs/main/>. The following are simple examples for getting started.

#### Creating a backup

To back up the Subsalt namespace:

```bash
velero backup create my-backup --include-namespaces subsalt --wait
```

Check the backup status:

```bash
velero backup describe my-backup
```

#### Restoring from a backup

To restore from a backup:

```bash
velero restore create --from-backup my-backup --wait
```

Verify the restore:

```bash
velero restore describe <restore-name>
kubectl get pods -n subsalt
```

{% hint style="info" %}
Persistent volumes use CSI snapshots with data movement. New volumes are provisioned during restore and populated from blob storage. Pods will remain in `Pending` until their volumes are ready.
{% endhint %}

#### Scheduling recurring backups

To create an automated backup schedule:

```bash
velero schedule create daily-subsalt \
  --schedule="0 2 * * *" \
  --include-namespaces subsalt \
  --ttl 168h
```

This creates a daily backup at 2:00 AM UTC and retains backups for 7 days. Adjust the cron expression and TTL as needed.

List existing schedules:

```bash
velero schedule get
```


---

# Agent Instructions: Querying This Documentation

If you need additional information that is not directly available in this page, you can query the documentation dynamically by asking a question.

Perform an HTTP GET request on the current page URL with the `ask` query parameter:

```
GET https://docs.subsalt.io/administration/disaster-recovery/velero-backup-and-restore.md?ask=<question>
```

The question should be specific, self-contained, and written in natural language.
The response will contain a direct answer to the question and relevant excerpts and sources from the documentation.

Use this mechanism when the answer is not explicitly present in the current page, you need clarification or additional context, or you want to retrieve related documentation sections.