talos-backup is a dead simple backup tool for Talos Linux-based Kubernetes clusters. The goal is simple: run this as a cronjob in a desired cluster, take an etcd snapshot, and push said snapshot to S3.
talos-backup runs directly in Kubernetes on a given Talos cluster.
To enable the necessary Talos API access for a pod you will need the following modifications in your machine config:

```yaml
spec:
  machine:
    features:
      kubernetesTalosAPIAccess:
        enabled: true
        allowedRoles:
          - os:etcd:backup
        allowedKubernetesNamespaces:
          - default
```

You will need a public/private key pair to encrypt (public key) and decrypt (private key) your backups.
This service uses age for encryption. Find installation instructions here.
Run age-keygen and back up the keys in a place where you won't lose them.
The file cronjob.sample.yaml specifies a Kubernetes CronJob that backs up a cluster every 10 minutes.
Customize it and substitute the age public key.
S3 configuration may be supplied in whatever way the Go AWS SDK v2 expects it; in this example we happen to use environment variables.
Apply the CronJob:
```shell
kubectl apply -f cronjob.sample.yaml
```

To test what you deployed you can trigger the job manually:

```shell
kubectl create job --from=cronjob/talos-backup my-test-job
```

Compression is disabled by default.
You can turn it on by setting ENABLE_COMPRESSION to "true" in the environment variable list in cronjob.sample.yaml.
talos-backup will compress the etcd snapshot with the zstd algorithm before encrypting it.
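A backup is only useful if it restores, so here is an added restore-drill script (not part of talos-backup) that reverses the tool's pipeline on a snapshot already downloaded from the bucket: age-decrypt with the private key, zstd-decompress only when the file was produced with ENABLE_COMPRESSION, then validate it with etcdutl. The identity file path, the downloaded file name and the availability of age, zstd and etcdutl on the operator machine are assumptions.

```shell
#!/usr/bin/env bash
# Added example, not talos-backup code. Verifies a snapshot produced by
# talos-backup by undoing its steps in reverse order: decrypt, decompress, check.
set -u

# True when the file starts with the zstd frame magic (28 b5 2f fd). Detecting the
# format by content means the drill works whether or not ENABLE_COMPRESSION was set.
is_zstd() {
  [ "$(head -c 4 "$1" | od -An -tx1 | tr -d ' \n')" = "28b52ffd" ]
}

# restore_snapshot <encrypted backup> <age identity file> <output snapshot>
# Returns 0 only when the backup decrypts and etcdutl accepts the result.
restore_snapshot() {
  local encrypted="$1" identity="$2" out="$3"
  [ -f "$encrypted" ] || { echo "missing backup file: $encrypted" >&2; return 1; }
  [ -f "$identity" ]  || { echo "missing age identity: $identity" >&2; return 1; }
  for tool in age zstd etcdutl; do
    command -v "$tool" >/dev/null 2>&1 || { echo "$tool not installed" >&2; return 1; }
  done
  # Step 1: decrypt with the private key that pairs with the public key in the CronJob.
  age --decrypt -i "$identity" -o "$out.tmp" "$encrypted" || return 1
  # Step 2: decompress only if the payload is really a zstd frame.
  if is_zstd "$out.tmp"; then
    zstd -d -q -f "$out.tmp" -o "$out" || return 1
    rm -f "$out.tmp"
  else
    mv "$out.tmp" "$out"
  fi
  # Step 3: refuse to trust the file until etcdutl can read its header and hash.
  etcdutl snapshot status "$out" --write-out=table
}

# Usage (placeholder paths): restore_snapshot ./cluster.snap.age ./age.key ./restored.snap
```

Run this periodically against a freshly downloaded object; a decrypt or etcdutl failure here is the earliest sign that the key, the compression setting or the upload is broken.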
The easiest way to set retention is to set the lifecycle policy on the storage bucket itself.
You may build the binary with:

```shell
make talos-backup
```

or as a container image with:

```shell
make REGISTRY=registry.example.com USERNAME=myusername PUSH=true TAG=latest image-talos-backup
```