@@ -5,61 +5,17 @@ metadata:
55 name : volsync-pvc-backup-restore
66 annotations :
77 argocd.argoproj.io/sync-wave : " 4"
8- policies.kyverno.io/title : VolSync PVC Backup and Restore (Kopia)
8+ policies.kyverno.io/title : VolSync PVC Backup and Restore (Kopia NFS )
99 policies.kyverno.io/description : >-
1010 Automatically configures VolSync backup and restore for PVCs with the
11- label backup: "hourly" or backup: "daily". Uses Kopia for faster backups
12- with compression. Checks S3 for existing backup via pvc-plumber and
13- conditionally enables restore via VolumePopulator .
11+ label backup: "hourly" or backup: "daily". Uses Kopia with NFS filesystem
12+ backend for faster backups with compression. MutatingAdmissionPolicy injects
13+ NFS mount into mover pods .
1414spec :
1515 mutateExistingOnPolicyUpdate : false
1616 background : true
1717 rules :
18- # Rule 1: Conditionally add dataSourceRef if backup exists in S3
19- # IMPORTANT: Only trigger on CREATE to avoid race conditions during PVC deletion
20- - name : add-datasource-if-backup-exists
21- match :
22- any :
23- - resources :
24- kinds :
25- - PersistentVolumeClaim
26- operations :
27- - CREATE
28- selector :
29- matchExpressions :
30- - key : backup
31- operator : In
32- values : ["hourly", "daily"]
33- exclude :
34- any :
35- - resources :
36- namespaces :
37- - kube-system
38- - volsync-system
39- - kyverno
40- context :
41- - name : backupCheck
42- apiCall :
43- method : GET
44- service :
45- url : " http://pvc-plumber.volsync-system.svc.cluster.local/exists/{{request.object.metadata.namespace}}/{{request.object.metadata.name}}"
46- preconditions :
47- all :
48- - key : " {{ backupCheck.exists || false }}"
49- operator : Equals
50- value : true
51- - key : " {{ request.object.spec.dataSourceRef || '' }}"
52- operator : Equals
53- value : " "
54- mutate :
55- patchStrategicMerge :
56- spec :
57- dataSourceRef :
58- apiGroup : volsync.backube
59- kind : ReplicationDestination
60- name : " {{request.object.metadata.name}}-restore"
61-
62- # Rule 2: Generate ExternalSecret for per-PVC Kopia repository
18+ # Rule 1: Generate ExternalSecret for Kopia repository credentials
6319 - name : generate-kopia-secret
6420 skipBackgroundRequests : false
6521 match :
@@ -106,28 +62,17 @@ spec:
10662 app.kubernetes.io/managed-by : kyverno
10763 volsync.backup/pvc : " {{request.object.metadata.name}}"
10864 data :
109- # Kopia S3 repository configuration
110- # Full S3 URL with path: s3://bucket/namespace/pvc-name
111- KOPIA_REPOSITORY : " s3://volsync-kopia/{{request.object.metadata.namespace}}/{{request.object.metadata.name}}"
112- # S3 endpoint for non-AWS S3 (RustFS/MinIO)
113- AWS_S3_ENDPOINT : " http://192.168.10.133:30292"
114- # Disable TLS since endpoint is HTTP
115- KOPIA_S3_DISABLE_TLS : " true"
65+ # Kopia NFS filesystem repository configuration
66+ # MutatingAdmissionPolicy injects NFS mount at /repository
67+ KOPIA_REPOSITORY : " filesystem:///repository"
68+ KOPIA_FS_PATH : " /repository"
11669 data :
117- - secretKey : AWS_ACCESS_KEY_ID
118- remoteRef :
119- key : rustfs
120- property : k8s-admin-access-key
121- - secretKey : AWS_SECRET_ACCESS_KEY
122- remoteRef :
123- key : rustfs
124- property : k8s-admin-secret-key
12570 - secretKey : KOPIA_PASSWORD
12671 remoteRef :
12772 key : rustfs
12873 property : kopia_password
12974
130- # Rule 3 : Generate ReplicationSource (backup schedule)
75+ # Rule 2 : Generate ReplicationSource (backup schedule)
13176 - name : generate-replication-source
13277 skipBackgroundRequests : false
13378 match :
@@ -165,16 +110,13 @@ spec:
165110 schedule : " {{ request.object.metadata.labels.backup == 'hourly' && '0 * * * *' || '0 2 * * *' }}"
166111 kopia :
167112 repository : " volsync-{{request.object.metadata.name}}"
168- # Kopia-specific optimizations
169113 compression : zstd-fastest
170114 parallelism : 2
171- # Retention policy
172115 retain :
173116 hourly : 24
174117 daily : 7
175118 weekly : 4
176119 monthly : 2
177- # Snapshot-based backup via Longhorn
178120 copyMethod : Snapshot
179121 storageClassName : longhorn
180122 volumeSnapshotClassName : longhorn-snapclass
@@ -184,7 +126,7 @@ spec:
184126 runAsGroup : 568
185127 fsGroup : 568
186128
187- # Rule 4 : Generate ReplicationDestination (restore capability)
129+ # Rule 3 : Generate ReplicationDestination (restore capability)
188130 - name : generate-replication-destination
189131 skipBackgroundRequests : false
190132 match :
@@ -230,4 +172,4 @@ spec:
230172 moverSecurityContext :
231173 runAsUser : 568
232174 runAsGroup : 568
233- fsGroup : 568
175+ fsGroup : 568
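Review bot: The generated ExternalSecret still resolves one cluster-wide credential (`remoteRef.key: rustfs`, `property: kopia_password`) into a per-PVC Secret, and because every PVC now points at the same `filesystem:///repository` instead of the old `s3://volsync-kopia/<namespace>/<pvc>` path, that single password unlocks every tenant's snapshots; if the Secret lands in the labelled PVC's own namespace (the generate target is outside the hunk, but the `volsync.backup/pvc` label suggests so), any namespace admin who can create a PVC with `backup: hourly` obtains the key to the whole backup repository — narrower than the removed S3 admin keys, but still a cross-namespace boundary this change does not address. If the Kopia mover initializes repositories on first use, scoping the path per namespace (`KOPIA_REPOSITORY: "filesystem:///repository/{{request.object.metadata.namespace}}"` with a matching `KOPIA_FS_PATH`) and selecting a per-namespace password property would contain the blast radius; at minimum the `data:` block should carry `# NOTE: single shared repository and password — every namespace with a labelled PVC receives the key to all backups`. The `remoteRef.key: rustfs` name is also stale now that the RustFS/S3 backend is gone and will mislead the next maintainer unless the store entry is renamed or the comment explains it. Separately, the mount exists only when the MutatingAdmissionPolicy fires, and I cannot tell from here whether a mover running without it fails closed or initializes a throwaway repository inside the container at an empty `/repository`; that failure mode is worth confirming and stating on the `# MutatingAdmissionPolicy injects NFS mount at /repository` line.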