
Configuration

component "velero" {
  namespace = "velero"

  # Parameter default values

  aws = {
    eksRole = "" # optional, IAM Role ARN for EKS RBAC
    iamRole = "" # optional, IAM Role ARN for deploying
  }

  backups = {
    provider = "" # required, storage provider for backups, available: "aws"
                  # other providers in https://velero.io/docs/v1.5/supported-providers/ might work but haven't been tested

    # if using aws for storage, this section is required and must point to an S3 bucket
    s3 = {
      region = ""          # required, bucket region
      endpoint = ""        # required, S3 endpoint
      pathStyle = false    # required, enable to force path-style requests (e.g. minio and similar providers)
      insecure = false     # required, enable to skip server certificate validation;
                           # this turns off TLS verification of the endpoint entirely, so for
                           # self-signed endpoints prefer supplying caCert below instead
      encrypted = true     # required, enable to use server-side encryption
      bucket = ""          # required, bucket name
      prefix = ""          # optional, prefix/directory to upload backups into
      caCert = ""          # optional, base64 encoded CA bundle to be used for verifying TLS connections

      # Credential precedence, highest first: accessKeySecret/secretKeySecret,
      # then credentialsPath, then credentialsSecret.

      # optional, secret ref to AWS Access key ID (overrides credentialsSecret/credentialsPath)
      accessKeySecret = {
        name = "" # required, name of the secret object
        key = ""  # required, key containing the Access key ID
      }

      # optional, secret ref to AWS Secret access key (overrides credentialsSecret/credentialsPath)
      secretKeySecret = {
        name = "" # required, name of the secret object
        key = ""  # required, key containing the Secret access key
      }
    }
  }

  snapshots = {
    provider = "" # required, storage provider for snapshots, available: "aws"
                  # other providers in https://velero.io/docs/v1.5/supported-providers/ might work but haven't been tested
    region = ""   # required, aws region
  }

  restic = {
    enable = false                          # required, set to true to enable Restic
    podVolumePath = "/var/lib/kubelet/pods" # optional, path to mount with pod volumes
    privileged = false                      # optional, set to true to run Restic pods as privileged;
                                            # privileged pods get host-level access, so leave this
                                            # false unless reading podVolumePath genuinely requires it
  }

  # optional, use this block if you are storing your credentials in a secure store using external-secret
  credentialsSecret = {
      # override this section only if you are not using the default store from the external-secrets component
      store = {
        name = "default"
        kind = "ClusterSecretStore"
      }
      key = ""            # required, should be the store-specific key to the secret, e.g. the Vault or AWS Secrets Manager key
      property = ""       # optional, should be the store-specific property inside the secret containing the cloud config text if the secret is structured (e.g. a JSON document)
  }

  # optional, path to an AWS credentials file (like the one generated by `aws configure`)
  # this overrides credentialsSecret but is overridden by accessKeySecret/secretKeySecret
  # note that you'll have to manually mount the file at this location; the file holds
  # plaintext credentials, so restrict access to it accordingly
  credentialsPath = ""

  # optional, list of Velero plugins to include
  # note that setting this replaces the default list rather than appending to it,
  # so if you add plugins and still want the default AWS one you must copy it again
  plugins = [
    {
      name = "aws",
      image = "velero/velero-plugin-for-aws",
      tag = "v1.3.0",
    }
  ]
}

Bucket

When using AWS as the storage provider you will need to create an S3 bucket.

IAM Role

When assigning an IAM role for Velero on EKS, you should create a role with the following policies:

On the backup bucket ARN, for any object ("*")

  • s3:ListBucket
  • s3:PutObject
  • s3:GetObject
  • s3:DeleteObject
  • s3:AbortMultipartUpload
  • s3:ListMultipartUploadParts

On any resource ("*")

  • ec2:DescribeVolumes
  • ec2:DescribeSnapshots
  • ec2:CreateTags
  • ec2:CreateVolume
  • ec2:CreateSnapshot
  • ec2:DeleteSnapshot