Automated backups with AWS S3
This page covers setting up scheduled full cluster backups using Velero with AWS S3 storage. For OpenZiti database-only snapshots that run automatically without any setup, see Backup overview.
Prerequisites
- A running Kubernetes cluster with NetFoundry Self-Hosted installed
- An AWS S3 bucket with IAM credentials (see S3/IAM prerequisites)
- Credentials saved to ./velero/s3-credentials-velero
Run the backup setup script
The included backup script handles Velero CLI installation, Velero deployment to the cluster, and scheduled backup creation:
./velero/velero_backup.sh
The script will:
- Check if the Velero CLI is installed, and install it if not.
- Verify AWS credentials are available (from the environment or the credentials file).
- Prompt for the S3 bucket name.
- Install the Velero plugin to the velero namespace if not already present. The install method differs based on your cluster type:
  - K3s: Uses filesystem-based backup with --default-volumes-to-fs-backup and --use-node-agent.
  - Multi-node clusters (EKS, etc.): Uses CSI volume snapshots with --features=EnableCSI.
- Prompt for the backup interval (in hours) and create scheduled backups for the ziti and cert-manager namespaces and the support namespaces (support, beats) with a 7-day retention.
Verify backups
After setup, check that scheduled backups are configured:
velero schedule get
View completed backups:
velero backup get
Get details on a specific backup:
velero backup describe --details <backup-name>
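To run this check unattended, the following added example (not part of the NetFoundry scripts) reads the JSON printed by velero backup get -o json and reports every schedule whose latest finished backup is not Completed, or whose last Completed backup is older than twice the backup interval. The two-interval threshold, the file name check_backups.py and the sample schedule names are assumptions.

```python
import json
import sys
from datetime import datetime, timedelta, timezone

SCHEDULE_LABEL = "velero.io/schedule-name"  # label Velero sets on backups made by a schedule
IN_FLIGHT = {"New", "InProgress"}           # phases of a backup that has not finished yet

def parse_ts(value):  # Kubernetes timestamp such as 2024-05-01T02:00:00Z, always UTC
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def check_backups(doc, interval_hours, now=None):
    """Return findings as strings; an empty list means every schedule looks healthy."""
    now = now or datetime.now(timezone.utc)
    # The CLI prints a list object, or a bare Backup object when exactly one exists.
    items = (doc.get("items") or []) if "items" in doc else [doc]
    by_schedule = {}
    for backup in items:
        name = (backup["metadata"].get("labels") or {}).get(SCHEDULE_LABEL)
        if name:  # on-demand backups carry no schedule label and are skipped
            by_schedule.setdefault(name, []).append(backup)
    findings = [] if by_schedule else ["no scheduled backups found"]
    max_age = timedelta(hours=2 * interval_hours)  # assumption: tolerate one missed run
    for name, backups in sorted(by_schedule.items()):
        done = [b for b in backups if b.get("status", {}).get("phase", "New") not in IN_FLIGHT]
        done.sort(key=lambda b: parse_ts(b["metadata"]["creationTimestamp"]))
        if done and done[-1]["status"]["phase"] != "Completed":
            findings.append(f"{name}: latest backup ended as {done[-1]['status']['phase']}")
        good = [parse_ts(b["status"]["completionTimestamp"])
                for b in done if b["status"]["phase"] == "Completed"]
        if not good:
            findings.append(f"{name}: no Completed backup")
        elif now - max(good) > max_age:
            findings.append(f"{name}: last Completed backup is older than {2 * interval_hours}h")
    return findings

def sample_item(schedule, phase, ts):  # builds constructed sample data, not real output
    return {"metadata": {"creationTimestamp": ts, "labels": {SCHEDULE_LABEL: schedule}},
            "status": {"phase": phase, "completionTimestamp": ts}}

SAMPLE = {"items": [  # constructed: schedule names and timestamps are made up
    sample_item("example-ziti", "Completed", "2024-05-02T02:00:00Z"),
    sample_item("example-support", "Completed", "2024-05-01T02:00:00Z"),
    sample_item("example-support", "PartiallyFailed", "2024-05-02T02:00:00Z")]}

if __name__ == "__main__":
    # Usage: velero backup get -o json | python3 check_backups.py <interval-hours>
    problems = check_backups(json.load(sys.stdin), int(sys.argv[1]))
    sys.exit("\n".join(problems) if problems else 0)
```

The script exits non-zero and prints the findings to stderr when any schedule needs attention, so it can be run from cron or a monitoring job.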
Create an on-demand backup
To trigger a backup immediately outside the schedule:
velero backup create <backup-name> \
--include-namespaces ziti,cert-manager \
--include-cluster-resources \
--ttl 168h
To also back up the support stack:
velero backup create <backup-name>-support \
--include-namespaces support,beats \
--include-cluster-resources \
--ttl 168h