22
33## ✅ Fully Automated via Kyverno
44
5- ** You only need ONE 1Password item - Kyverno auto-generates everything else!**
5+ ** Zero-touch backup system: Create PVC with label → automatic backups!**
6+
7+ ### How It Works
8+
9+ 1 . ** Label a PVC** with ` backup: "hourly" ` or ` backup: "daily" `
10+ 2 . ** Kyverno auto-generates** :
11+ - Secret with S3 credentials (unique path per PVC)
12+ - ReplicationSource (backup scheduler)
13+ - ReplicationDestination (restore capability)
14+ 3 . ** Backups run automatically** on schedule
15+ 4 . ** PVCs bind immediately** to fresh storage (no restore blocking)
16+
17+ ### Disaster Recovery (Manual Restore)
18+
19+ When you need to restore from backup:
20+ 1 . Create new PVC (without dataSource)
21+ 2 . Wait for PVC to bind
22+ 3 . Patch PVC to add ` dataSourceRef ` pointing to ReplicationDestination
23+ 4 . VolSync populates PVC from latest backup snapshot
24+
25+ No manual YAML creation. No pending PVCs. ** Set and forget.**
626
727## Required 1Password Item
828
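Review bot: the manual restore procedure in "Disaster Recovery (Manual Restore)" will not work as written, because a PVC's spec, apart from its resource requests, is immutable once created, so the API server rejects patching `dataSourceRef` onto an already bound PVC; the populator path only applies when `dataSourceRef` is present at creation, in which case the PVC stays Pending until VolSync fills it. Document the restore either as creating the PVC with the `dataSourceRef` from the start (and accept the Pending state during the restore), or as restoring through the ReplicationDestination into a fresh PVC that is then swapped into the workload, and mention that the Kyverno mutation described later on this page strips `dataSource`, so a restore PVC needs to be exempt from that rule.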
@@ -18,9 +38,14 @@ Create a **Password** item in your 1Password vault:
1838| ** restic_password** | A strong random password (32+ characters) |
1939| ** restic_repository** | ` s3:http://192.168.10.133:30292/volsync-backup/ ` |
2040
21- The ` restic_password ` encrypts all backup repositories stored in S3.
41+ ** Path Structure: ** Kyverno computes unique paths as ` volsync-backup/namespace/pvcname `
2242
23- The ` restic_repository ` is the S3 endpoint - each PVC will have its namespace and name appended automatically.
43+ Example paths:
44+ - ` volsync-backup/karakeep/data-pvc `
45+ - ` volsync-backup/immich/library `
46+ - ` volsync-backup/home-assistant/config `
47+
48+ The ` restic_password ` encrypts all backup repositories stored in S3.
2449
2550** Generate a secure password:**
2651``` bash
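Review bot: the `restic_repository` value in the table is `s3:http://192.168.10.133:30292/volsync-backup/`, while the new path examples read `volsync-backup/karakeep/data-pvc`, so it is unclear whether Kyverno appends `namespace/pvcname` to the stored value or rebuilds the whole path including the bucket; state exactly which, otherwise readers may end up with the bucket name twice in the repository URL. Separately, note in this section that with an `http://` endpoint the S3 access key and secret travel in cleartext to the RustFS host: restic encrypts the repository contents but not the credentials, so either document that the network between the nodes and 192.168.10.133 is trusted or point the item at an `https://` endpoint.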
@@ -30,23 +55,37 @@ openssl rand -base64 32
3055Example output: ` K7x9mP2nL4qR8vT1wY5zA3cF6hJ0bN+dG= `
3156
3257** That's it!** When you add ` backup: "hourly" ` or ` backup: "daily" ` to a PVC, Kyverno automatically:
33- 1 . Generates an ExternalSecret pulling from the ` rustfs ` 1Password item
34- 2 . Creates a Kubernetes Secret with S3 credentials
35- 3 . No manual YAML creation needed!
58+ 1 . Removes any ` dataSource ` field (prevents binding issues)
59+ 2 . Generates Secret with S3 credentials (unique path: ` namespace/pvcname ` )
60+ 3 . Creates ReplicationSource (backup scheduler)
61+ 4 . Creates ReplicationDestination (restore capability)
62+ 5 . PVC binds immediately to fresh storage and backups begin
63+
64+ ** No manual YAML. No pending PVCs. No touching VolSync resources directly.**
3665
3766## Verification
3867
39- After creating the ` rustfs ` item and labeling PVCs, verify auto-generated ExternalSecrets :
68+ After creating the ` rustfs ` item and labeling PVCs, verify auto-generated resources :
4069
4170``` bash
42- # Check all auto-generated ExternalSecrets (Kyverno created these!)
43- kubectl get externalsecret -A | grep volsync
71+ # Check all PVCs with backup labels
72+ kubectl get pvc -A -l backup
73+
74+ # Check auto-generated Secrets (Kyverno created these!)
75+ kubectl get secret -A -l volsync.backube/secret-type=restic
76+
77+ # Check ReplicationSources (backup schedulers)
78+ kubectl get replicationsource -A
4479
45- # View a specific auto-generated ExternalSecret
46- kubectl get externalsecret karakeep-data-volsync-secret -n karakeep -o yaml
80+ # Check backup status
81+ kubectl get replicationsource -n < namespace > < pvc > -backup -o yaml
4782```
4883
49- All ExternalSecrets should show ` SecretSynced ` status.
84+ All Secrets should have the ` volsync.backube/secret-type: restic ` label and contain:
85+ - ` RESTIC_REPOSITORY ` (unique path: ` s3:.../volsync-backup/namespace/pvcname ` )
86+ - ` RESTIC_PASSWORD `
87+ - ` AWS_ACCESS_KEY_ID `
88+ - ` AWS_SECRET_ACCESS_KEY `
5089
5190## S3 Bucket Setup
5291
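Review bot: step 1 of the new list (`Removes any dataSource field`) silently drops a legitimate `dataSource`, for example a PVC created as a clone of another PVC or from a VolumeSnapshot, and nothing in the text warns about it; scope the rule to a `dataSourceRef` of kind ReplicationDestination, or state plainly that labeled PVCs cannot use `dataSource` at all. The verification block also no longer confirms where the credentials come from: the deleted lines described an ExternalSecret synced from the `rustfs` 1Password item with a `SecretSynced` status to check, while the new text only says Kyverno `Generates Secret with S3 credentials`; add a sentence naming the source Secret that Kyverno copies from and a check that it exists and is current, otherwise a stale or missing source silently produces ReplicationSources whose backups cannot be written.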
@@ -62,19 +101,58 @@ mc alias set rustfs http://192.168.10.133:30292 <access_key> <secret_key>
62101mc mb rustfs/volsync-backup
63102```
64103
65- ## Auto-Generated Secret Structure
104+ ## Auto-Generated Resources
66105
67- Kyverno generates an ExternalSecret for each labeled PVC that creates:
106+ For each PVC with ` backup: hourly ` or ` backup: daily ` , Kyverno creates:
68107
108+ ### Secret
69109``` yaml
70110apiVersion : v1
71111kind : Secret
72112metadata :
73113 name : <pvc-name>-volsync-secret
74114 namespace : <pvc-namespace>
115+ labels :
116+ volsync.backube/secret-type : restic
75117type : Opaque
76- stringData :
77- RESTIC_REPOSITORY : s3:http://192.168.10.133:30292/volsync-backup/<namespace>-<pvc>
78- RESTIC_PASSWORD : <from 1Password rustfs.restic_password>
79- AWS_ACCESS_KEY_ID : <from 1Password rustfs.access_key>
80- AWS_SECRET_ACCESS_KEY : <from 1Password rustfs.secret_key>
118+ data :
119+ RESTIC_REPOSITORY : <base64: s3://.../<namespace>/<pvcname>>
120+ RESTIC_PASSWORD : <base64: from 1Password>
121+ AWS_ACCESS_KEY_ID : <base64: from 1Password>
122+ AWS_SECRET_ACCESS_KEY : <base64: from 1Password>
123+ ` ` `
124+
125+ ### ReplicationSource (Backup Scheduler)
126+ ` ` ` yaml
127+ apiVersion : volsync.backube/v1alpha1
128+ kind : ReplicationSource
129+ metadata :
130+ name : <pvc-name>-backup
131+ spec :
132+ sourcePVC : <pvc-name>
133+ trigger :
134+ schedule : " 0 * * * *" # hourly tier
135+ manual : " initial" # allows manual triggers
136+ restic :
137+ repository : <pvc-name>-volsync-secret
138+ pruneIntervalDays : 7
139+ retain :
140+ hourly : 24
141+ daily : 7
142+ ` ` `
143+
144+ ### ReplicationDestination (Restore Capability)
145+ ` ` ` yaml
146+ apiVersion : volsync.backube/v1alpha1
147+ kind : ReplicationDestination
148+ metadata :
149+ name : <pvc-name>-restore
150+ spec :
151+ trigger :
152+ manual : restore-once
153+ restic :
154+ repository : <pvc-name>-volsync-secret
155+ copyMethod : Direct
156+ ` ` `
157+
158+ **All generated automatically by Kyverno ClusterPolicy ` generate-volsync-backup`**
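Review bot: the `RESTIC_REPOSITORY` line in the Secret sample uses `s3://.../<namespace>/<pvcname>`, but restic expects the `s3:<endpoint-url>/<bucket>/<path>` form used everywhere else on this page (`s3:http://192.168.10.133:30292/volsync-backup/...`); make the sample match. The path also changes from `<namespace>-<pvc>` in the deleted `stringData` block to `<namespace>/<pvcname>`, which means repositories written by the previous version are no longer found at the new path; add a migration note (move or re-initialise the old repositories). Every generated Secret carries the same `RESTIC_PASSWORD`, `AWS_ACCESS_KEY_ID` and `AWS_SECRET_ACCESS_KEY`, so anyone who can read Secrets in one namespace can read and delete every namespace's backups in the bucket; state this trust boundary and consider per-namespace keys with bucket policies scoped to each namespace's prefix. Minor: the ReplicationSource sample shows only the `hourly` schedule and `retain` values, so show what the `daily` label produces, and note that re-running a restore requires changing the `manual: restore-once` trigger value.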