Credentials - IAM User
Use this if you intend to have Velero store the backup snapshots in an AWS S3 endpoint that is configured to allow access using IAM credentials that are securely managed in a Vault server. This configuration uses the controller's turnkey integration with Vault and can be made operational in minutes with a simple annotation.
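# Fetch the AWS IAM credentials from Vault instead of storing them in a
# Kubernetes Secret. These annotations are consumed by the controller's
# Vault integration.
podAnnotations:
  rafay.dev/secretstore: vault
  # Vault role used to read the secret.
  # NOTE(review): confirm this role's Vault policy grants read access to the
  # referenced secret path only, and that the role is bound to this workload's
  # service account rather than a shared one.
  vault.secretstore.rafay.dev/role: "km-velero"
  # JSON document naming the Vault secret to read (`vaultSecretRef`), the file
  # it is written to (`secretFileName`) and the directory that file is mounted
  # under (`volumeMountPath`). With these values the credentials file is
  # /credentials/cloud, the path AWS_SHARED_CREDENTIALS_FILE points at.
  vault.secretstore.rafay.dev/filesecret-config-velero-credentials: |
    {
    "vaultSecretRef": "velero-secrets/data/s3-credentials#data.cloud",
    "secretFileName": "cloud",
    "volumeMountPath": "/credentials"
    }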
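# Velero plugin to use. Backups go to AWS S3 (or an S3-compatible store such
# as MinIO), so the AWS plugin is loaded.
initContainers:
  - name: velero-plugin-for-aws
    # NOTE(review): a tag can be re-pointed at a different image. Pin by
    # digest (velero/velero-plugin-for-aws@sha256:<digest>) if immutable image
    # references are required, and confirm v1.1.0 is compatible with the
    # Velero version this chart deploys.
    image: velero/velero-plugin-for-aws:v1.1.0
    imagePullPolicy: IfNotPresent
    volumeMounts:
      # `plugins` is the volume the plugin is delivered through; this init
      # container mounts it at /target.
      - mountPath: /target
        name: plugins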
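##
## Parameters for the `default` BackupStorageLocation and VolumeSnapshotLocation,
## and additional server settings.
##
configuration:
  # Cloud provider being used (e.g. aws, azure, gcp).
  provider: aws

  # Parameters for the `default` BackupStorageLocation. See
  # https://velero.io/docs/v1.0.0/api-types/backupstoragelocation/
  backupStorageLocation:
    # Name of the backup storage location. By convention this is the cloud
    # provider where backups are stored, so it usually matches
    # `configuration.provider`. Required. The backup schedule refers to this
    # name through `storageLocation`.
    name: aws
    # Provider for the backup storage location. Left unset (null) so that
    # `configuration.provider` is used instead.
    provider: null
    # Bucket to store backups in. Required.
    # NOTE(review): cluster backups can include Kubernetes Secret objects.
    # Keep this bucket private, enable encryption at rest, and limit the IAM
    # user held in Vault to this bucket (and prefix) only.
    bucket: velero-backups
    # Prefix within bucket under which to store backups. Optional; unset here.
    prefix: null
    # Additional provider-specific configuration. See link above
    # for details of required/optional fields for your provider.
    config:
      region: us-east-1

  # Parameters for the `default` VolumeSnapshotLocation. See
  # https://velero.io/docs/v1.0.0/api-types/volumesnapshotlocation/
  volumeSnapshotLocation:
    # Name of the volume snapshot location. By convention this is the cloud
    # provider where volume snapshots are taken, so it usually matches
    # `configuration.provider`. Required.
    name: aws
    # Provider for the volume snapshot location. Left unset (null) so that
    # `configuration.provider` is used instead.
    provider: null
    # Additional provider-specific configuration. See link above
    # for details of required/optional fields for your provider.
    config:
      region: us-east-1

  # Additional key/value pairs to be used as environment variables, such as
  # "AWS_CLUSTER_NAME: 'yourcluster.domain.tld'".
  extraEnvVars:
    # Points the AWS SDK at the credentials file injected from Vault:
    # `volumeMountPath` (/credentials) + `secretFileName` (cloud) from the
    # pod annotation. The two must stay in sync.
    AWS_SHARED_CREDENTIALS_FILE: /credentials/cloud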
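# Service account settings for the Velero server.
serviceAccount:
  server:
    create: true
    # NOTE(review): if the Vault role is bound to a service account name,
    # it has to match this one. Confirm against the Vault role definition.
    name: velero-demo
    # No annotations are set on the service account.
    annotations: null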
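# Info about the secret to be used by the Velero deployment, which
# should contain credentials for the cloud provider IAM account you've
# set up for Velero.
credentials:
  # Whether a secret should be used as the source of IAM account
  # credentials. Set to false if, for example, using kube2iam or
  # kiam to provide IAM credentials for the Velero pod.
  # It is false here because the IAM credentials are delivered from Vault as
  # a file (see the pod annotations), so no Kubernetes Secret holds them.
  useSecret: false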
# Controls deployment of the restic daemonset; it is not deployed here.
deployRestic: false
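# Automatic backup of the cluster every hour.
schedules:
  mybackup:
    # Cron expression: minute 0 of every hour.
    schedule: "0 * * * *"
    template:
      # Each backup expires after 240 hours (10 days).
      # NOTE(review): confirm this retention meets your recovery and
      # data-retention requirements.
      ttl: "240h"
      # Must name an existing backup storage location; `aws` is the name set
      # under `configuration.backupStorageLocation`.
      storageLocation: aws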