Set up on-site backups with MinIO

This guide walks through setting up Velero with a local MinIO instance to back up and restore your OpenZiti deployment. MinIO provides S3-compatible object storage that Velero talks to using its AWS plugin. This is a good option for environments that can't use cloud-hosted S3 or need to keep backup data on-site.

Prerequisites

  • A Linux node with systemd (the same node running your cluster, or a dedicated storage node)
  • kubectl configured with access to your cluster
  • helm (v3+)
  • Sufficient disk space on the node for backup data

Install the Velero CLI

Download the latest Velero CLI from github.com/vmware-tanzu/velero/releases and place it on your PATH:

# Example for v1.15.2 on linux/amd64
curl -fsSL https://github.com/vmware-tanzu/velero/releases/download/v1.15.2/velero-v1.15.2-linux-amd64.tar.gz | tar xz
sudo mv velero-v1.15.2-linux-amd64/velero /usr/local/bin/

Steps

  1. Run the minio-setup.sh script on the Linux node. It downloads the MinIO server and client binaries, creates a minio-user system account, sets up a systemd service, and creates a velero bucket.

    sudo ./velero/minio-setup.sh

    When the script finishes, note the S3 API endpoint from the output — you'll need it in step 3:

    ==========================================
    MinIO setup complete!
    S3 API endpoint : http://<node_ip>:9000
    Web console : http://<node_ip>:9001
    Bucket : velero
    Access key : minioadmin
    Secret key : minioadmin
    ==========================================
  2. Create ~/credentials-velero with the MinIO access key and secret key:

    cat > ~/credentials-velero <<EOF
    [default]
    aws_access_key_id = minioadmin
    aws_secret_access_key = minioadmin
    EOF
  3. Install Velero. Replace <node_ip> with the S3 API endpoint IP from step 1.

    velero install \
    --provider aws \
    --plugins velero/velero-plugin-for-aws:v1.12.2 \
    --bucket velero \
    --secret-file ~/credentials-velero \
    --use-node-agent \
    --default-volumes-to-fs-backup \
    --backup-location-config region=minio,s3ForcePathStyle=true,s3Url=http://<node_ip>:9000 \
    --snapshot-location-config region=minio
  4. Confirm the backup location is available:

    velero backup-location get

    You should see the default location with phase Available.
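
A pre-install check for the values used in steps 2 and 3, added here as an example and not part of the guide's or the OpenZiti project's own scripts. It flags a credentials file that other local users can read, the default minioadmin key pair, and an s3Url that is not https; the function names and finding labels are assumptions.

```shell
# Added example (not from the guide): audit the step 2 and step 3 values before install.
# ini_get and audit_velero_backup_config are hypothetical helper names.

# Print the value of KEY from the [default] profile of an AWS-style credentials file.
ini_get() {  # usage: ini_get FILE KEY
  awk -v key="$2" '
    { sub(/^[ \t]+/, ""); sub(/[ \t\r]+$/, "") }
    /^\[/ { in_default = ($0 == "[default]"); next }
    in_default && index($0, "=") {
      k = substr($0, 1, index($0, "=") - 1); sub(/[ \t]+$/, "", k)
      v = substr($0, index($0, "=") + 1);    sub(/^[ \t]+/, "", v)
      if (k == key) { print v; exit }
    }' "$1"
}

# Print one finding per line; return 0 when clean, 1 when anything was flagged.
audit_velero_backup_config() {  # usage: audit_velero_backup_config CRED_FILE S3_URL
  avb_file=$1; avb_url=$2; avb_bad=0
  if [ ! -r "$avb_file" ]; then
    echo "MISSING: cannot read $avb_file"; return 1
  fi
  # Any group/other permission bit lets other local users read the secret key.
  avb_mode=$(stat -c %a "$avb_file")   # GNU stat, as found on the Linux node
  if [ $(( 0$avb_mode & 077 )) -ne 0 ]; then
    echo "PERMS: $avb_file is mode $avb_mode, expected 600"; avb_bad=1
  fi
  # The key pair printed by minio-setup.sh is the well-known MinIO default.
  avb_id=$(ini_get "$avb_file" aws_access_key_id)
  avb_secret=$(ini_get "$avb_file" aws_secret_access_key)
  if [ -z "$avb_id" ] || [ -z "$avb_secret" ]; then
    echo "INCOMPLETE: [default] profile lacks a key id or secret"; avb_bad=1
  elif [ "$avb_id" = minioadmin ] || [ "$avb_secret" = minioadmin ]; then
    echo "DEFAULT_CREDS: [default] profile still uses minioadmin"; avb_bad=1
  fi
  # Over http:// the backup objects, including Kubernetes Secrets, travel in cleartext.
  case $avb_url in
    https://*) ;;
    *) echo "PLAINTEXT: s3Url $avb_url is not https"; avb_bad=1 ;;
  esac
  return "$avb_bad"
}

# Example call with the values from this guide (192.0.2.10 is a constructed address):
# audit_velero_backup_config ~/credentials-velero http://192.0.2.10:9000
```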

Backup

On-demand backup

Back up the ziti and cert-manager namespaces (including cluster-scoped resources) with a 7-day retention:

velero backup create ziti-backup --include-namespaces ziti,cert-manager --include-cluster-resources --ttl 168h

Check backup status:

velero backup describe ziti-backup

Scheduled backup

Create a nightly backup at 2 AM UTC:

velero schedule create ziti-nightly \
--schedule="0 2 * * *" \
--include-namespaces ziti,cert-manager \
--include-cluster-resources \
--ttl 168h

Restore

Velero can't overwrite existing PVCs on K3s. Delete the namespace first, then restore:

kubectl delete namespace ziti
velero restore create --from-backup ziti-backup

Monitor restore progress:

velero restore describe <restore-name>