
Commit 80f3883

volsync: finalize zero-touch backup system
Changes:
- Removed obsolete volsync-restore-mutate.yaml.disabled
- Cleaned up kustomization.yaml references
- Updated docs to reflect new workflow:
  * PVCs bind immediately (no dataSource blocking)
  * Kyverno auto-generates all VolSync resources
  * Backups run automatically on labeled PVCs
  * Manual restore only when explicitly needed

Path structure now: volsync-backup/namespace/pvcname (cleaner hierarchy)
1 parent d301486 commit 80f3883

3 files changed

Lines changed: 97 additions & 134 deletions


docs/secrets/volsync-secrets.md

Lines changed: 97 additions & 19 deletions
@@ -2,7 +2,27 @@
22

33
## ✅ Fully Automated via Kyverno
44

5-
**You only need ONE 1Password item - Kyverno auto-generates everything else!**
5+
**Zero-touch backup system: Create PVC with label → automatic backups!**
6+
7+
### How It Works
8+
9+
1. **Label a PVC** with `backup: "hourly"` or `backup: "daily"`
10+
2. **Kyverno auto-generates**:
11+
- Secret with S3 credentials (unique path per PVC)
12+
- ReplicationSource (backup scheduler)
13+
- ReplicationDestination (restore capability)
14+
3. **Backups run automatically** on schedule
15+
4. **PVCs bind immediately** to fresh storage (no restore blocking)
16+
17+
### Disaster Recovery (Manual Restore)
18+
19+
When you need to restore from backup:
20+
1. Create new PVC (without dataSource)
21+
2. Wait for PVC to bind
22+
3. Patch PVC to add `dataSourceRef` pointing to ReplicationDestination
23+
4. VolSync populates PVC from latest backup snapshot
24+
25+
No manual YAML creation. No pending PVCs. **Set and forget.**
626

727
## Required 1Password Item
828

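Review bot: Step 3 of the new Disaster Recovery list ("Patch PVC to add `dataSourceRef` pointing to ReplicationDestination") cannot work as written: `spec.dataSource` and `spec.dataSourceRef` are immutable on an existing PersistentVolumeClaim, so the API server rejects that patch, and a PVC that has already bound to fresh storage (step 2) is past the point where a volume populator can fill it. A restore has to be expressed when the PVC is created, which is exactly what step 1 of this list and the `remove-pvc-datasource` mutate policy in kustomization.yaml rule out, so the doc currently describes a procedure that no reader can complete. Suggest replacing steps 1 to 3 with whichever path actually works here (create the restore PVC with `dataSourceRef` under a name or label the mutate policy exempts, or restore into the existing volume some other way) and testing it once before merging. Also reconcile "VolSync populates PVC from latest backup snapshot" (step 4) with the ReplicationDestination generated with `copyMethod: Direct` further down this file: as I read the VolSync volume populator it consumes `status.latestImage`, which is a VolumeSnapshot only with `copyMethod: Snapshot`, so please verify which copy method the restore path needs.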
@@ -18,9 +38,14 @@ Create a **Password** item in your 1Password vault:
1838
| **restic_password** | A strong random password (32+ characters) |
1939
| **restic_repository** | `s3:http://192.168.10.133:30292/volsync-backup/` |
2040

21-
The `restic_password` encrypts all backup repositories stored in S3.
41+
**Path Structure:** Kyverno computes unique paths as `volsync-backup/namespace/pvcname`
2242

23-
The `restic_repository` is the S3 endpoint - each PVC will have its namespace and name appended automatically.
43+
Example paths:
44+
- `volsync-backup/karakeep/data-pvc`
45+
- `volsync-backup/immich/library`
46+
- `volsync-backup/home-assistant/config`
47+
48+
The `restic_password` encrypts all backup repositories stored in S3.
2449

2550
**Generate a secure password:**
2651
```bash
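Review bot: The deleted sentence "each PVC will have its namespace and name appended automatically" was the only statement of how the `restic_repository` value and the computed path relate; the replacement at +41 names the path Kyverno computes but no longer says it is appended to `restic_repository`, nor whether the trailing slash in `s3:http://192.168.10.133:30292/volsync-backup/` matters for the concatenation. Suggest one sentence such as "Kyverno appends `<namespace>/<pvcname>` to the `restic_repository` value, so keep the trailing slash", and showing at least one example as a full repository string. Since `volsync-backup` is the bucket (`mc mb rustfs/volsync-backup` below), the example paths at +44 to +46 should also say they are bucket-relative so nobody double-prefixes the bucket in the 1Password item.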
@@ -30,23 +55,37 @@ openssl rand -base64 32
3055
Example output: `K7x9mP2nL4qR8vT1wY5zA3cF6hJ0bN+dG=`
3156

3257
**That's it!** When you add `backup: "hourly"` or `backup: "daily"` to a PVC, Kyverno automatically:
33-
1. Generates an ExternalSecret pulling from the `rustfs` 1Password item
34-
2. Creates a Kubernetes Secret with S3 credentials
35-
3. No manual YAML creation needed!
58+
1. Removes any `dataSource` field (prevents binding issues)
59+
2. Generates Secret with S3 credentials (unique path: `namespace/pvcname`)
60+
3. Creates ReplicationSource (backup scheduler)
61+
4. Creates ReplicationDestination (restore capability)
62+
5. PVC binds immediately to fresh storage and backups begin
63+
64+
**No manual YAML. No pending PVCs. No touching VolSync resources directly.**
3665

3766
## Verification
3867

39-
After creating the `rustfs` item and labeling PVCs, verify auto-generated ExternalSecrets:
68+
After creating the `rustfs` item and labeling PVCs, verify auto-generated resources:
4069

4170
```bash
42-
# Check all auto-generated ExternalSecrets (Kyverno created these!)
43-
kubectl get externalsecret -A | grep volsync
71+
# Check all PVCs with backup labels
72+
kubectl get pvc -A -l backup
73+
74+
# Check auto-generated Secrets (Kyverno created these!)
75+
kubectl get secret -A -l volsync.backube/secret-type=restic
76+
77+
# Check ReplicationSources (backup schedulers)
78+
kubectl get replicationsource -A
4479

45-
# View a specific auto-generated ExternalSecret
46-
kubectl get externalsecret karakeep-data-volsync-secret -n karakeep -o yaml
80+
# Check backup status
81+
kubectl get replicationsource -n <namespace> <pvc>-backup -o yaml
4782
```
4883

49-
All ExternalSecrets should show `SecretSynced` status.
84+
All Secrets should have the `volsync.backube/secret-type: restic` label and contain:
85+
- `RESTIC_REPOSITORY` (unique path: `s3:.../volsync-backup/namespace/pvcname`)
86+
- `RESTIC_PASSWORD`
87+
- `AWS_ACCESS_KEY_ID`
88+
- `AWS_SECRET_ACCESS_KEY`
5089

5190
## S3 Bucket Setup
5291

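Review bot: The new flow copies the same `rustfs` access key, secret key and `restic_password` into a Secret in every namespace that has a labeled PVC (+59, +85 to +88), and the same `restic_password` protects every repository (+48), so anyone with `get secret` in one namespace holds credentials that can read, alter or delete every other namespace's backups; the doc should say so here, and the policy should ideally issue per-namespace S3 users or a bucket policy scoped to `volsync-backup/<namespace>/*` so a compromised namespace cannot reach other prefixes. Separately, the removed text explained that credentials reached the cluster through an ExternalSecret and told the reader to check for `SecretSynced`; the new text says Kyverno "Generates Secret with S3 credentials" but never says where Kyverno obtains them (a source Secret it clones, an ExternalSecret it still creates), so the verification block now has no check that the upstream sync succeeded. Please name the source and keep an equivalent of the dropped `kubectl get externalsecret` check. The "Check backup status" command at +81 also only dumps the object; something like `kubectl get replicationsource -n <namespace> <pvc>-backup -o jsonpath='{.status.lastSyncTime}'` (or a look at `.status.conditions`) would actually tell the reader whether a backup has run.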
@@ -62,19 +101,58 @@ mc alias set rustfs http://192.168.10.133:30292 <access_key> <secret_key>
62101
mc mb rustfs/volsync-backup
63102
```
64103

65-
## Auto-Generated Secret Structure
104+
## Auto-Generated Resources
66105

67-
Kyverno generates an ExternalSecret for each labeled PVC that creates:
106+
For each PVC with `backup: hourly` or `backup: daily`, Kyverno creates:
68107

108+
### Secret
69109
```yaml
70110
apiVersion: v1
71111
kind: Secret
72112
metadata:
73113
name: <pvc-name>-volsync-secret
74114
namespace: <pvc-namespace>
115+
labels:
116+
volsync.backube/secret-type: restic
75117
type: Opaque
76-
stringData:
77-
RESTIC_REPOSITORY: s3:http://192.168.10.133:30292/volsync-backup/<namespace>-<pvc>
78-
RESTIC_PASSWORD: <from 1Password rustfs.restic_password>
79-
AWS_ACCESS_KEY_ID: <from 1Password rustfs.access_key>
80-
AWS_SECRET_ACCESS_KEY: <from 1Password rustfs.secret_key>
118+
data:
119+
RESTIC_REPOSITORY: <base64: s3://.../<namespace>/<pvcname>>
120+
RESTIC_PASSWORD: <base64: from 1Password>
121+
AWS_ACCESS_KEY_ID: <base64: from 1Password>
122+
AWS_SECRET_ACCESS_KEY: <base64: from 1Password>
123+
```
124+
125+
### ReplicationSource (Backup Scheduler)
126+
```yaml
127+
apiVersion: volsync.backube/v1alpha1
128+
kind: ReplicationSource
129+
metadata:
130+
name: <pvc-name>-backup
131+
spec:
132+
sourcePVC: <pvc-name>
133+
trigger:
134+
schedule: "0 * * * *" # hourly tier
135+
manual: "initial" # allows manual triggers
136+
restic:
137+
repository: <pvc-name>-volsync-secret
138+
pruneIntervalDays: 7
139+
retain:
140+
hourly: 24
141+
daily: 7
142+
```
143+
144+
### ReplicationDestination (Restore Capability)
145+
```yaml
146+
apiVersion: volsync.backube/v1alpha1
147+
kind: ReplicationDestination
148+
metadata:
149+
name: <pvc-name>-restore
150+
spec:
151+
trigger:
152+
manual: restore-once
153+
restic:
154+
repository: <pvc-name>-volsync-secret
155+
copyMethod: Direct
156+
```
157+
158+
**All generated automatically by Kyverno ClusterPolicy `generate-volsync-backup`**
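Review bot: The ReplicationSource at +126 to +142 sets both `trigger.schedule` and `trigger.manual: "initial"`. In VolSync a manual trigger, when present, takes precedence: the controller runs one sync, stores the value in `status.lastManualSync` and then waits for the field to change instead of following the cron schedule, so as generated this would back up once and never again; please verify against the VolSync trigger documentation and drop `manual` (or have the policy clear it after the first run) if that is the behaviour. Further points in this hunk: the Secret placeholder at +119 writes `s3://.../<namespace>/<pvcname>` while every other place in this file uses the `s3:http://192.168.10.133:30292/volsync-backup/<namespace>/<pvcname>` form; the `# hourly tier` comment on +134 leaves the daily tier's schedule and retention undocumented, and `retain.hourly: 24` is odd for a daily tier; and the ReplicationDestination at +146 to +156 carries `trigger.manual: restore-once` from creation, so VolSync will attempt a restore the moment Kyverno generates it, while the repository is still empty or the first backup is in flight, and with `copyMethod: Direct` and no `destinationPVC` it will, as far as I can tell from the ReplicationDestination spec, need `capacity` and `accessModes` to provision a destination volume for every labeled PVC. Consider generating the ReplicationDestination without a trigger (or only on demand) and documenting the daily tier explicitly.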

infrastructure/controllers/kyverno/kustomization.yaml

Lines changed: 0 additions & 1 deletion
@@ -6,7 +6,6 @@ resources:
66
- rbac-patch.yaml
77
- volsync-clusterpolicy.yaml
88
- remove-pvc-datasource.yaml
9-
# - volsync-restore-mutate.yaml # TEMP DISABLED: needs fix for handling missing RD
109
helmCharts:
1110
- name: kyverno
1211
repo: https://kyverno.github.io/kyverno
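Review bot: Removing the commented-out `volsync-restore-mutate.yaml` entry (and deleting the `.disabled` file) drops the only automated restore path, and the comment being deleted says it was disabled because it "needs fix for handling missing RD", not because restore is unwanted. The manual `dataSourceRef` patch the docs now describe instead only works if the remaining `remove-pvc-datasource.yaml` policy does not also strip `dataSourceRef` on UPDATE, and that policy is not touched in this commit. Please state (in the policy file or the docs) that `remove-pvc-datasource` is restricted to CREATE, or keep the restore policy disabled in place with a tracking note so the missing-RD fix is not lost.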

infrastructure/controllers/kyverno/volsync-restore-mutate.yaml.disabled

Lines changed: 0 additions & 114 deletions
This file was deleted.
