A service provider for managing Velero backup and restore capabilities within a ManagedControlPlane environment. This provider enables disaster recovery and data protection by automatically installing and configuring Velero on workload clusters.
The Velero service provider automates the lifecycle management of Velero installations, including:
- 💾 Backup & Restore - Deploys Velero server for Kubernetes backup and disaster recovery
- 🔌 Plugin Support - Install cloud provider plugins (AWS, Azure, GCP, etc.)
- 🔐 Air-Gapped Support - Full support for private registries and air-gapped environments
- 🔄 Drift Detection - Automatic reconciliation with configurable poll intervals
- 📊 Status Tracking - Real-time status reporting of all managed resources
Platform Cluster Workload Cluster ManagedControlPlane
┌──────────────────────────┐ ┌────────────────────┐ ┌────────────────────┐
│ openmcp-system │ │ Tenant Namespace │ │ velero │
│ ┌────────────────────┐ │ │ ┌──────────────┐ │ │ ┌──────────────┐ │
│ │ service-provider- │ │ │ │ Velero │ │ │ │ Velero CRDs │ │
│ │ velero │──┼────▶│ │ Server │──┼──────▶│ │ (Backup, │ │
│ │ │──┼─────┼──┼──────────────┼──┼──────▶│ │ Restore...) │ │
│ └────────────────────┘ │ │ │ + Plugins │ │ │ └──────────────┘ │
│ ┌────────────────────┐ │ │ └──────────────┘ │ └────────────────────┘
│ │ ProviderConfig │ │ └────────────────────┘
│ │ imagePullSecrets │ │
│ └────────────────────┘ │
└──────────────────────────┘
The Velero server runs on the workload cluster, while the Velero CRDs (Backup, Restore, Schedule, etc.) are installed on the ManagedControlPlane for tenant isolation.
📡 Note: The Kubernetes nodes on the workload cluster where Velero runs must be able to resolve and reach any configured backup storage locations.
- Go 1.21+
- Task (task runner)
- Docker (for building images)
- Access to an openMCP environment
task test-e2eThis uses the openmcp-testing framework to spin up a full test environment.
The Velero resource represents a Velero installation for a ManagedControlPlane.
apiVersion: velero.services.open-control-plane.io/v1alpha1
kind: Velero
metadata:
name: my-velero
namespace: default
spec:
version: "v1.17.2"
plugins:
- name: "aws"
version: "v1.13.2"| Field | Type | Description |
|---|---|---|
spec.version |
string | The version of Velero to install |
spec.plugins |
[]Plugin | List of plugins to install with Velero |
spec.plugins[].name |
string | Plugin name (e.g., aws, azure, gcp) |
spec.plugins[].version |
string | Plugin version |
The ProviderConfig resource configures global settings for all Velero deployments.
apiVersion: velero.services.open-control-plane.io/v1alpha1
kind: ProviderConfig
metadata:
name: velero
spec:
pollInterval: 15m
availableImages:
- name: velero
versions: ["v1.17.2", "v1.16.2"]
image: "velero/velero"
- name: aws
versions: ["v1.13.2", "v1.12.2"]
image: "velero/velero-plugin-for-aws"
imagePullSecrets:
- name: privateregcred| Field | Type | Description |
|---|---|---|
spec.pollInterval |
duration | How often to reconcile and refresh service account tokens |
spec.availableImages |
[]Image | Allowed Velero and plugin images with their versions |
spec.availableImages[].name |
string | Image identifier (velero or plugin name) |
spec.availableImages[].versions |
[]string | Allowed versions for this image |
spec.availableImages[].image |
string | Container image reference |
spec.imagePullSecrets |
[]SecretRef | Secrets for private registry authentication |
⚠️ Note: Only one ProviderConfig may exist per Velero service provider instance, and its name must match the service provider's name.
For air-gapped or enterprise environments, configure private registries via ProviderConfig:
apiVersion: velero.services.open-control-plane.io/v1alpha1
kind: ProviderConfig
metadata:
name: velero
spec:
pollInterval: 15m
availableImages:
- name: velero
versions: ["v1.17.2"]
image: "harbor.internal/velero/velero"
- name: aws
versions: ["v1.13.2"]
image: "harbor.internal/velero/velero-plugin-for-aws"
imagePullSecrets:
- name: harbor-credentials| Command | Description |
|---|---|
task build |
Build the binary |
task build:img:build-test |
Build the container image |
task test |
Run unit tests |
task test-e2e |
Run end-to-end tests |
task generate |
Generate CRDs and code after API changes |
task validate |
Run linters and formatters |
| Criterion | Status | Notes |
|---|---|---|
| Deletion behaviour | A finalizer ensures the Service Provider managed resources like Deployments etc. are cleaned-up. But there is no behaviour that ensures deletion is blocked if custom resources (e.g. Velero' Backup objects) in a ControlPlane still exist. |
|
| Status reporting & error messages | ✅ | |
| Operation annotations | openmcp.cloud/operation: ignore is processed by opencontrolplane-runtime. openmcp.cloud/operation: reconcile is not processed. |
|
| API stability policy | ✅ | |
| Custom CA support | ❌ | Custom CA bundle propagation to Velero components is not implemented. |
| Release artifacts (image + OCM) | ✅ | |
| Testing | ✅ | |
| Ownership and maintenance docs | ✅ |
See the OpenControlPlane Quality Criteria for definitions.
This project is open to feature requests/suggestions, bug reports etc. via GitHub issues. Contribution and feedback are encouraged and always welcome. For more information about how to contribute, the project structure, as well as additional contribution information, see our Contribution Guidelines.
If you find any bug that may be a security problem, please follow our instructions at in our security policy on how to report it. Please do not create GitHub issues for security-related doubts or problems.
We as members, contributors, and leaders pledge to make participation in our community a harassment-free experience for everyone. By participating in this project, you agree to abide by its Code of Conduct at all times.
Copyright OpenControlPlane contributors. Please see our LICENSE for copyright and license information. Detailed information including third-party components and their licensing/copyright information is available via the REUSE tool.
OpenControlPlane is part of ApeiroRA, an EU Important Project of Common European Interest (IPCEI-CIS).
Copyright Linux Foundation Europe. For web site terms of use, trademark policy and other project policies please see https://linuxfoundation.eu/en/policies.