You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
- If you delete and re-add the app, data restores automatically
73
-
- If you rebuild the cluster, data restores automatically
74
-
- If it's a fresh install, the app starts with empty storage (as expected)
85
+
### Component Roles
75
86
76
-
### What You Should NEVER Have To Do
77
-
78
-
- Click "restore" in any UI
79
-
- Run restore commands manually
80
-
- Edit configuration to switch between "fresh" and "restore" modes
81
-
- Remember which apps have backups
82
-
- Manually trigger backup jobs
87
+
| Component | Resource | Purpose |
88
+
| :--- | :--- | :--- |
89
+
|**Kyverno**|`ClusterPolicy/volsync-smart-restore`|**The Brain.** Performs an `apiCall` to S3 to check if a backup exists. If yes, generates the `ReplicationDestination`. |
90
+
|**Kyverno**|`ClusterPolicy/generate-volsync-backup`|**The Safety.** Automatically generates the `ReplicationSource` so future backups happen. |
91
+
|**VolSync**|`Service/rustfs`|**The Bridge.** Maps the external TrueNAS IP (192.168.10.133) to an internal DNS name so Kyverno can reach it. |
92
+
|**VolSync**|`ReplicationDestination`|**The Restore.** Instructs VolSync to populate a PVC from S3. Validates data integrity before binding. |
83
93
84
94
---
85
95
@@ -90,188 +100,55 @@ Everything else is automatic:
90
100
You're setting up a brand new cluster with no previous data.
91
101
92
102
**What happens:**
93
-
1. You deploy your apps via ArgoCD
94
-
2. Each app with `backup: "hourly"` starts with empty storage
95
-
3. Backups begin automatically in the background
96
-
4. S3 now has your data for future restores
103
+
1. You deploy your apps via ArgoCD.
104
+
2. Kyverno checks S3 for `s3://backups/ns/app`. Result: **404 Not Found**.
105
+
3. Kyverno allows the PVC to be created *without* a restore source.
106
+
4. App starts with empty storage.
107
+
5. Kyverno generates a `ReplicationSource`, starting hourly backups.
97
108
98
-
**Result:** Apps work normally, backups are set up for the future.
### Q: What if I don't want an app to be backed up?
238
-
239
-
Don't add the `backup` label to its PVC. Simple.
240
-
241
-
### Q: How often do backups run?
242
-
243
-
With `backup: "hourly"`, backups run every hour. You can also use `backup: "daily"`.
244
-
245
-
### Q: How much storage do backups use?
246
-
247
-
Backups use restic which does deduplication. Only changed blocks are stored after the first backup.
248
-
249
-
### Q: Can I restore to a specific point in time?
250
-
251
-
Not automatically. The system always restores from the latest backup. For point-in-time recovery, you'd need manual intervention.
252
-
253
-
### Q: What happens if S3 is unavailable during restore?
254
-
255
-
The PVC will be stuck pending until S3 is available. The system doesn't fall back to fresh storage automatically (that could cause data loss).
256
-
257
-
### Q: Is database data safe to backup this way?
129
+
### The "Bridge" (Service)
130
+
Since policies run inside the cluster, they need to reach external storage reliably. We create a Service `rustfs` that points to `192.168.10.133`.
131
+
-**Why?** It allows using `http://rustfs/...` in policies instead of hardcoded IPs.
132
+
-**Benefit:** If the Storage IP changes, you update one Service file, not 50 policies.
258
133
259
-
For simple databases, yes. For production databases like PostgreSQL, you should use database-native backup tools (like pgBackRest) that ensure consistency. This system is best for:
260
-
- Application config files
261
-
- Media libraries
262
-
- Simple SQLite databases
263
-
- User uploads
134
+
### The "Smart" Policy (apiCall)
135
+
Kyverno 1.10+ supports `apiCall` context variables. We use this to perform an HTTP HEAD request.
136
+
-**Method:**`HEAD` (lightweight, just checks existence)
0 commit comments