On-site backup and restore with Velero + MinIO

This guide walks through setting up Velero with a local MinIO instance to back up and restore your Ziti deployment. MinIO provides S3-compatible object storage that Velero talks to using its AWS plugin. This is a good option for environments that cannot use cloud-hosted S3 or need to keep backup data on-site.

Prerequisites

  • A Linux node with systemd (the same node running your cluster, or a dedicated storage node)
  • kubectl configured with access to your cluster
  • helm (v3+)
  • Sufficient disk space on the node for backup data

Install the Velero CLI

Download the latest Velero CLI from github.com/vmware-tanzu/velero/releases and place it on your PATH:

# Example for v1.15.2 on linux/amd64
curl -fsSL https://github.com/vmware-tanzu/velero/releases/download/v1.15.2/velero-v1.15.2-linux-amd64.tar.gz | tar xz
sudo mv velero-v1.15.2-linux-amd64/velero /usr/local/bin/

Step 1: Install MinIO

Run the minio-setup.sh script on the Linux node. It downloads the MinIO server and client binaries, creates a minio-user system account, sets up a systemd service, and creates a velero bucket.

sudo ./velero/minio-setup.sh

When the script finishes it prints output like this — note the S3 API endpoint for the next steps:

==========================================
MinIO setup complete!
S3 API endpoint : http://<node_ip>:9000
Web console : http://<node_ip>:9001
Bucket : velero
Access key : minioadmin
Secret key : minioadmin
==========================================

Step 2: Create the Velero credentials file

Create ~/credentials-velero with the MinIO access key and secret key:

cat > ~/credentials-velero <<EOF
[default]
aws_access_key_id = minioadmin
aws_secret_access_key = minioadmin
EOF

Step 3: Install Velero

Replace <node_ip> below with the S3 API endpoint IP from the script output.

velero install \
--provider aws \
--plugins velero/velero-plugin-for-aws:v1.12.2 \
--bucket velero \
--secret-file ~/credentials-velero \
--use-node-agent \
--default-volumes-to-fs-backup \
--backup-location-config region=minio,s3ForcePathStyle=true,s3Url=http://<node_ip>:9000 \
--snapshot-location-config region=minio
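
The credentials file from Step 2 and the s3Url above are the two places where this setup handles secrets and backup traffic. The following pre-flight check is an added example, not part of the original guide or of Velero. It reports a credentials file that is readable by group or other, one that still holds the minioadmin defaults printed by the setup script, and a non-HTTPS endpoint. The function names and the sample address are hypothetical.

```shell
# Added example: audit_velero_creds, audit_s3_url and ini_value are hypothetical names.

# Print the first value of INI key $2 in file $1, trimmed of whitespace.
ini_value() {
  sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*\(.*[^[:space:]]\)[[:space:]]*\$/\1/p" "$1" | head -n 1
}

# Return 0 if the file is owner-only and holds non-default keys;
# otherwise print one finding per line and return 1.
audit_velero_creds() {
  local file rc mode key secret
  file=$1
  rc=0
  [ -r "$file" ] || { echo "missing: $file"; return 1; }
  # Characters 5-10 of the ls mode string are the group and other bits.
  mode=$(ls -ld "$file" | cut -c5-10)
  if [ "$mode" != "------" ]; then
    echo "permissions: group/other bits set ($mode), expected mode 600"
    rc=1
  fi
  key=$(ini_value "$file" aws_access_key_id)
  secret=$(ini_value "$file" aws_secret_access_key)
  if [ -z "$key" ] || [ -z "$secret" ]; then
    echo "credentials: key or secret missing"
    rc=1
  elif [ "$key" = "minioadmin" ] || [ "$secret" = "minioadmin" ]; then
    echo "credentials: MinIO default minioadmin value in use"
    rc=1
  fi
  return "$rc"
}

# Return 1 if the s3Url given to --backup-location-config is not HTTPS.
audit_s3_url() {
  case $1 in
    https://*) return 0 ;;
    *) echo "transport: $1 is not HTTPS, backup data is sent unencrypted"; return 1 ;;
  esac
}

# Demo on a constructed file that mirrors Step 2 under a typical 022 umask.
demo=$(mktemp)
printf '[default]\naws_access_key_id = minioadmin\naws_secret_access_key = minioadmin\n' > "$demo"
chmod 644 "$demo"
audit_velero_creds "$demo" || echo "credentials file needs attention"
audit_s3_url "http://192.0.2.10:9000" || echo "endpoint needs attention"
rm -f "$demo"
```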

Step 4: Verify

Confirm the backup location is available:

velero backup-location get

You should see the default location with phase Available.

Backup

On-demand backup

Back up the ziti and cert-manager namespaces (including cluster-scoped resources) with a 7-day retention:

velero backup create ziti-backup --include-namespaces ziti,cert-manager --include-cluster-resources --ttl 168h

Check backup status:

velero backup describe ziti-backup

Scheduled backup

Create a nightly backup at 2 AM UTC:

velero schedule create ziti-nightly \
--schedule="0 2 * * *" \
--include-namespaces ziti,cert-manager \
--include-cluster-resources \
--ttl 168h

Restore

Velero cannot overwrite existing PVCs on K3s. Delete the namespace first, then restore:

kubectl delete namespace ziti
velero restore create --from-backup ziti-backup

Monitor restore progress:

velero restore describe <restore-name>