Skip to content

openmcp-project/service-provider-velero

REUSE status

🛡️ service-provider-velero

A service provider for managing Velero backup and restore capabilities within a ManagedControlPlane environment. This provider enables disaster recovery and data protection by automatically installing and configuring Velero on workload clusters.

📖 Overview

The Velero service provider automates the lifecycle management of Velero installations, including:

  • 💾 Backup & Restore - Deploys Velero server for Kubernetes backup and disaster recovery
  • 🔌 Plugin Support - Install cloud provider plugins (AWS, Azure, GCP, etc.)
  • 🔐 Air-Gapped Support - Full support for private registries and air-gapped environments
  • 🔄 Drift Detection - Automatic reconciliation with configurable poll intervals
  • 📊 Status Tracking - Real-time status reporting of all managed resources

🏗️ Architecture

Platform Cluster                  Workload Cluster              ManagedControlPlane
┌──────────────────────────┐     ┌────────────────────┐       ┌────────────────────┐
│  openmcp-system          │     │  Tenant Namespace  │       │  velero            │
│  ┌────────────────────┐  │     │  ┌──────────────┐  │       │  ┌──────────────┐  │
│  │ service-provider-  │  │     │  │ Velero       │  │       │  │ Velero CRDs  │  │
│  │ velero             │──┼────▶│  │ Server       │──┼──────▶│  │ (Backup,     │  │
│  │                    │──┼─────┼──┼──────────────┼──┼──────▶│  │  Restore...) │  │
│  └────────────────────┘  │     │  │ + Plugins    │  │       │  └──────────────┘  │
│  ┌────────────────────┐  │     │  └──────────────┘  │       └────────────────────┘
│  │ ProviderConfig     │  │     └────────────────────┘
│  │ imagePullSecrets   │  │
│  └────────────────────┘  │
└──────────────────────────┘

The Velero server runs on the workload cluster, while the Velero CRDs (Backup, Restore, Schedule, etc.) are installed on the ManagedControlPlane for tenant isolation.

📡 Note: The Kubernetes nodes on the workload cluster where Velero runs must be able to resolve and reach any configured backup storage locations.

🚦 Getting Started

Prerequisites

  • Go 1.21+
  • Task (task runner)
  • Docker (for building images)
  • Access to an openMCP environment

🧪 Running End-to-End Tests

task test-e2e

This uses the openmcp-testing framework to spin up a full test environment.

📝 API Reference

Velero

The Velero resource represents a Velero installation for a ManagedControlPlane.

apiVersion: velero.services.open-control-plane.io/v1alpha1
kind: Velero
metadata:
  name: my-velero
  namespace: default
spec:
  version: "v1.17.2"
  plugins:
    - name: "aws"
      version: "v1.13.2"
Field Type Description
spec.version string The version of Velero to install
spec.plugins []Plugin List of plugins to install with Velero
spec.plugins[].name string Plugin name (e.g., aws, azure, gcp)
spec.plugins[].version string Plugin version

ProviderConfig

The ProviderConfig resource configures global settings for all Velero deployments.

apiVersion: velero.services.open-control-plane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: velero
spec:
  pollInterval: 15m
  availableImages:
    - name: velero
      versions: ["v1.17.2", "v1.16.2"]
      image: "velero/velero"
    - name: aws
      versions: ["v1.13.2", "v1.12.2"]
      image: "velero/velero-plugin-for-aws"
  imagePullSecrets:
    - name: privateregcred
Field Type Description
spec.pollInterval duration How often to reconcile and refresh service account tokens
spec.availableImages []Image Allowed Velero and plugin images with their versions
spec.availableImages[].name string Image identifier (velero or plugin name)
spec.availableImages[].versions []string Allowed versions for this image
spec.availableImages[].image string Container image reference
spec.imagePullSecrets []SecretRef Secrets for private registry authentication

⚠️ Note: Only one ProviderConfig may exist per Velero service provider instance, and its name must match the service provider's name.

🔐 Air-Gapped Environments

For air-gapped or enterprise environments, configure private registries via ProviderConfig:

apiVersion: velero.services.open-control-plane.io/v1alpha1
kind: ProviderConfig
metadata:
  name: velero
spec:
  pollInterval: 15m
  availableImages:
    - name: velero
      versions: ["v1.17.2"]
      image: "harbor.internal/velero/velero"
    - name: aws
      versions: ["v1.13.2"]
      image: "harbor.internal/velero/velero-plugin-for-aws"
  imagePullSecrets:
    - name: harbor-credentials

🔧 Development Tasks

Command Description
task build Build the binary
task build:img:build-test Build the container image
task test Run unit tests
task test-e2e Run end-to-end tests
task generate Generate CRDs and code after API changes
task validate Run linters and formatters

📚 Additional Resources

Quality Criteria

Quality: Incubating

Criterion Status Notes
Deletion behaviour ⚠️ A finalizer ensures the Service Provider managed resources like Deployments etc. are cleaned-up. But there is no behaviour that ensures deletion is blocked if custom resources (e.g. Velero' Backup objects) in a ControlPlane still exist.
Status reporting & error messages
Operation annotations ⚠️ openmcp.cloud/operation: ignore is processed by opencontrolplane-runtime. openmcp.cloud/operation: reconcile is not processed.
API stability policy
Custom CA support Custom CA bundle propagation to Velero components is not implemented.
Release artifacts (image + OCM)
Testing
Ownership and maintenance docs

See the OpenControlPlane Quality Criteria for definitions.

🤝 Support, Feedback, Contributing

This project is open to feature requests/suggestions, bug reports etc. via GitHub issues. Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our Contribution Guidelines.

🔒 Security / Disclosure

If you find any bug that may be a security problem, please follow our instructions at in our security policy on how to report it. Please do not create GitHub issues for security-related doubts or problems.

📜 Code of Conduct

We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone. By participating in this project, you agree to abide by its Code of Conduct at all times.

📄 Licensing

Copyright OpenControlPlane contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.

BMWK-EU funding logo

OpenControlPlane is part of ApeiroRA, an EU Important Project of Common European Interest (IPCEI-CIS).

Copyright Linux Foundation Europe. For web site terms of use, trademark policy and other project policies please see https://linuxfoundation.eu/en/policies.

About

Service provider Velero manages the lifecycle of Velero instances as-a-Service

Topics

Resources

License

Code of conduct

Contributing

Security policy

Stars

Watchers

Forks

Packages

 
 
 

Contributors

Languages