Introduction
Velero allows you to create backups of your k8s cluster. It handles both the resources (the YAML files) and the volumes. But it has a drawback (as of writing): the lack of encryption. In this post, we’re going to see how we can produce encrypted backups by chaining velero with rclone.
The key point of this post is: rclone is awesome and an Ops’s dream tool. In our case, the 2 features of rclone that we will use are its crypt remote and its serve (s3) feature.
The goal is to make velero push its backup objects into a “virtual” S3, served by rclone. rclone will then relay the objects through its crypt backend, and then through an S3 backend pointing to your actual backup server. If this is confusing to you, looking at the repository, or the rclone.conf file, might help visualize the flow.
This post will not introduce velero or its concepts.
1. Deploying the velero-encrypt chart
This chart includes rclone, and is responsible for the encryption of backups. To install it, simply go to my repository, edit values.yaml, and install the chart to whatever namespace you want (I usually install it in the velero ns).
2. Set up velero
From scratch
This command will install velero:
velero install --provider aws --plugins velero/velero-plugin-for-aws:v1.0.0 --bucket fakebucket --backup-location-config region=us-east-1,s3Url=https://velero-encrypt.example.com,s3ForcePathStyle="true" --secret-file ./creds.toml --use-node-agent --default-volumes-to-fs-backup
Before running it:
- Replace s3Url by the URL you configured earlier in the velero-encrypt chart (you need a publicly accessible URL because the velero CLI client will access the S3 directly, from the computer invoking it)
- Create a file creds.toml with the following content:
[default]
aws_access_key_id = user
aws_secret_access_key = S3-SECRET-KEY
From an already existing installation
First of all, if you already have an existing velero installation, don’t forget to delete all your current backups (or make them pass through rclone). Mixing a backup S3 with encrypted and non-encrypted files is probably not a good idea.
The resources you will need to edit are BackupStorageLocation/default (general connection options), and secret/cloud-credentials (which is creds.toml).
Notes
- The bucket (fakebucket) in which velero will push is not important, and will be encrypted anyway. The reason we even set a bucket is because you need to create one yourself within the “virtual S3” that rclone provides.
- Note that we never touched the velero-repo-credentials secret, which is the encryption key for volumes only when using Kopia. Since we are already using rclone for encryption, we can leave the default password (Note to those who would try it: encrypting data twice with the same key is, in general, not a good idea)
Try
Your setup should be done. To verify it, you can try creating a backup with velero backup create helloworld
You should also try velero backup describe helloworld to verify that volumes are correctly displayed (if you have an error, double-check that the restic-encrypt URL is publicly accessible).
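To check that the real backup server holds only encrypted objects (and to catch the mix of encrypted and non-encrypted files warned about above), the following added example, which is not part of the original post or its repository, scans a local copy of the real bucket for files that lack the rclone crypt header. It assumes the copy was fetched through the raw S3 remote; the remote name, paths and sample objects are hypothetical or constructed.

```shell
#!/bin/sh
# Added example, not from the original post.
# Assumption: "$1" is a local copy of the real backup bucket, fetched through
# the raw S3 remote (not the crypt remote), e.g. with a hypothetical remote
# name:  rclone copy backend:real-bucket ./dump

# An rclone crypt object starts with the 8-byte magic "RCLONE\0\0" followed by
# a 24-byte nonce, so valid ciphertext is never shorter than 32 bytes.
CRYPT_MAGIC_HEX=52434c4f4e450000
CRYPT_HEADER_LEN=32

# Exit status 0 if the file carries the rclone crypt header, 1 otherwise.
is_rclone_crypt() {
    _size=$(wc -c < "$1") || return 1
    [ "$_size" -ge "$CRYPT_HEADER_LEN" ] || return 1
    _magic=$(head -c 8 "$1" | od -An -tx1 | tr -d ' \n')
    [ "$_magic" = "$CRYPT_MAGIC_HEX" ]
}

# Print (relative to the directory) every file without the crypt header.
# Exit status 0 = only ciphertext found, 1 = at least one plaintext object.
# File names containing newlines are not supported.
find_unencrypted() {
    _dir=${1%/}
    _out=$(find "$_dir" -type f | sort | while IFS= read -r _f; do
        is_rclone_crypt "$_f" || printf '%s\n' "${_f#"$_dir"/}"
    done)
    [ -z "$_out" ] && return 0
    printf '%s\n' "$_out"
    return 1
}

# Constructed sample: one object written directly by velero (plaintext) and
# one object with a crypt header and filler bytes. Prints the directory path.
make_sample_bucket() {
    _tmp=$(mktemp -d) || return 1
    mkdir -p "$_tmp/fakebucket/backups/helloworld" "$_tmp/fakebucket/k3v9q"
    printf '{"kind":"Backup"}\n' \
        > "$_tmp/fakebucket/backups/helloworld/velero-backup.json"
    { printf 'RCLONE\000\000'; head -c 64 /dev/zero; } \
        > "$_tmp/fakebucket/k3v9q/0a1b2c"
    printf '%s\n' "$_tmp"
}

# Scan the directory given on the command line, if any.
if [ "$#" -gt 0 ]; then
    find_unencrypted "$1"
fi
```

The check only confirms that each object is in rclone crypt format; it says nothing about which key was used to produce it.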