Commit f5a8315

committed
up
1 parent ca5371f commit f5a8315

4 files changed

Lines changed: 34 additions & 4 deletions

.claude/settings.local.json

Lines changed: 3 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -17,7 +17,8 @@
1717
"Bash(helm:*)",
1818
"Bash(gh:*)",
1919
"WebFetch(domain:*)",
20-
"WebSearch"
20+
"WebSearch",
21+
"WebFetch(domain:github.com)"
2122
],
2223
"deny": [
2324
"Bash(git push:*)",
@@ -35,4 +36,4 @@
3536
"Bash(git cherry-pick:*)"
3637
]
3738
}
38-
}
39+
}

CLAUDE.md

Lines changed: 4 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -628,10 +628,12 @@ kubectl apply -f pvc.yaml
628628
- Keep PVC names consistent for restore to work
629629
- Test restores periodically
630630

631+
**Removing backups**: Just remove the `backup` label from the PVC. The `volsync-orphan-cleanup` ClusterCleanupPolicy runs every 15 minutes and automatically deletes orphaned ReplicationSource, ReplicationDestination, and ExternalSecret resources when the PVC no longer has a backup label.
632+
631633
**DON'T**:
632634
- Add backup labels to system namespace PVCs (auto-excluded)
633635
- Change PVC name if you want automatic restore
634-
- Delete ReplicationSource/ReplicationDestination manually (Kyverno will recreate)
636+
- Delete ReplicationSource/ReplicationDestination manually (Kyverno will recreate them if label still present)
635637
- Use backup labels on non-Longhorn PVCs (snapshot support required)
636638

637639
## Debugging & Troubleshooting
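Review bot: The added "Removing backups" paragraph at new line 631 reads as if the backup data goes away, but the cleanup it describes only deletes the ReplicationSource, ReplicationDestination, and ExternalSecret objects. docs/backup-restore.md in this same commit states that removing the label does NOT delete existing backups from NFS; carry that sentence over here and consider titling the paragraph "Disabling backups", so that an operator or agent following this file does not assume old snapshots are purged.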
@@ -806,6 +808,7 @@ kubectl exec -it gpu-pod -n app-name -- nvidia-smi
806808
| **Complex app with storage** | `my-apps/media/immich/` |
807809
| **PVC with automatic backup** | `my-apps/ai/khoj/pvc.yaml` (see backup label) |
808810
| **Kyverno backup policies** | `infrastructure/controllers/kyverno/policies/volsync-pvc-backup-restore.yaml` |
811+
| **Kyverno orphan cleanup** | `infrastructure/controllers/kyverno/policies/volsync-orphan-cleanup.yaml` |
809812
| **PVC Plumber (restore checker)** | `infrastructure/controllers/pvc-plumber/` |
810813
| **Full backup/restore flow diagram** | `docs/pvc-plumber-full-flow.md` |
811814
| **VolSync configuration** | `infrastructure/storage/volsync/` |
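Review bot: The new table row at line 811 points to `infrastructure/controllers/kyverno/policies/volsync-orphan-cleanup.yaml`, but that file is not among the four files changed in this commit. Confirm the policy already exists at that path on the parent commit, or include it here, so the documentation does not describe a cleanup that is not deployed.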

docs/backup-restore.md

Lines changed: 23 additions & 1 deletion
Original file line numberDiff line numberDiff line change
@@ -95,6 +95,13 @@ PVC Created ──▶ Kyverno Rule 0 ──▶ Calls pvc-plumber ──▶ Backu
9595
- **Rule 3 (generate):** Creates ReplicationSource (backup schedule) - only after PVC is Bound
9696
- **Rule 4 (generate):** Creates ReplicationDestination (restore capability)
9797

98+
### 4a. Kyverno ClusterCleanupPolicy (Orphan Cleanup)
99+
- **Runs every 15 minutes** to clean up orphaned backup resources
100+
- Targets ReplicationSource, ReplicationDestination, and ExternalSecret with labels `app.kubernetes.io/managed-by=kyverno` and `volsync.backup/pvc`
101+
- Checks if the corresponding PVC still has `backup: hourly` or `backup: daily` label
102+
- If label was removed or PVC no longer exists, **deletes the orphaned resources**
103+
- Prevents stale backup/restore jobs from running after backups are disabled
104+
98105
### 5. VolSync
99106
- Performs actual backup/restore operations using **Kopia**
100107
- Uses Longhorn snapshots for consistent backups
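Review bot: The bullet "If label was removed or PVC no longer exists" in the new section 4a makes PVC deletion a cleanup trigger, and the section does not say how that interacts with restore. Since Rule 4 is what creates the ReplicationDestination, state explicitly whether a PVC that is deleted and recreated under the same name gets its ReplicationDestination regenerated and still restores from the existing repository. Also document what the policy does when the PVC lookup itself fails, so that a transient API error is not treated the same as a missing label.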
@@ -105,6 +112,20 @@ PVC Created ──▶ Kyverno Rule 0 ──▶ Calls pvc-plumber ──▶ Backu
105112
- Accessible at `kopia-ui.{domain}`
106113
- Mounts same NFS share as VolSync
107114

115+
## How to Disable Backup for a PVC
116+
117+
Remove the `backup` label from the PVC:
118+
119+
```yaml
120+
metadata:
121+
labels:
122+
# backup: "hourly" # Comment out or remove to disable backup
123+
```
124+
125+
The `volsync-orphan-cleanup` ClusterCleanupPolicy runs every 15 minutes and automatically deletes the orphaned ReplicationSource, ReplicationDestination, and ExternalSecret. No manual cleanup needed.
126+
127+
**Note:** Removing the label does NOT delete existing backups from NFS. The Kopia repository on TrueNAS retains all previous snapshots. To re-enable backups later, simply re-add the label.
128+
108129
## How to Enable Backup for a PVC
109130

110131
Add a backup label to your PVC:
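Review bot: The Note at new line 127 says the Kopia repository on TrueNAS retains all previous snapshots, so "No manual cleanup needed" at line 125 only holds for the cluster objects, and the section gives no way to remove the retained data. Add a pointer to how old snapshots are expired or deleted when the data must actually go away, and mention that a backup can still run during the window of up to 15 minutes before the cleanup policy fires. The YAML example would also be clearer showing the label removed rather than commented out under an otherwise empty `labels:` key.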
@@ -252,5 +273,6 @@ The following namespaces are excluded from automatic backup:
252273
| `infrastructure/storage/volsync/` | VolSync Helm chart |
253274
| `infrastructure/controllers/kyverno/policies/volsync-nfs-inject.yaml` | Injects NFS mount into mover pods |
254275
| `infrastructure/storage/kopia-ui/` | Kopia web UI for browsing backups |
255-
| `infrastructure/controllers/kyverno/policies/volsync-pvc-backup-restore.yaml` | Kyverno policy |
276+
| `infrastructure/controllers/kyverno/policies/volsync-pvc-backup-restore.yaml` | Kyverno backup/restore policy |
277+
| `infrastructure/controllers/kyverno/policies/volsync-orphan-cleanup.yaml` | Cleanup orphaned backup resources |
256278
| `monitoring/prometheus-stack/volsync-alerts.yaml` | Prometheus alerting rules |

monitoring/prometheus-stack/values.yaml

Lines changed: 4 additions & 0 deletions
Original file line numberDiff line numberDiff line change
@@ -205,6 +205,10 @@ grafana:
205205
gnetId: 13032
206206
revision: 6
207207
datasource: Prometheus
208+
cloudnative-pg:
209+
gnetId: 20417
210+
revision: 3
211+
datasource: Prometheus
208212
# Additional data sources configuration
209213
additionalDataSources:
210214
- name: Loki
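Review bot: The `cloudnative-pg` dashboard entry added at new lines 208-211 is unrelated to the VolSync orphan-cleanup documentation in the other three files, and the commit message "up" gives no reason for it. Move it to its own commit with a message that names the dashboard. Pinning `revision: 3` alongside `gnetId: 20417` is good and should be kept so the imported dashboard does not change silently.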
