Set up automated backups with AWS S3
This page covers setting up scheduled full cluster backups using Velero with AWS S3 storage. For OpenZiti database-only snapshots that run automatically without any setup, see Back up your installation.
Prerequisites
- A running Kubernetes cluster with NetFoundry Self-Hosted installed
- An AWS S3 bucket with IAM credentials (see S3/IAM prerequisites)
- Credentials saved to
./velero/s3-credentials-velero(copy froms3-credentials-velero.exampleand fill in your values)
Run the backup setup script
The included backup script handles Velero CLI installation, Velero deployment to the cluster, and scheduled backup creation:
./velero/velero_backup.sh
The script will:
-
Check if the Velero CLI is installed, and install it if not.
-
Verify AWS credentials are available (from the environment or the credentials file).
-
Prompt for the S3 bucket name.
-
Install the Velero plugin to the
veleronamespace if not already present. The install method differs based on your cluster type:- K3s: Uses filesystem-based backup with
--default-volumes-to-fs-backupand--use-node-agent. - Multi-node clusters (EKS, etc.): Uses CSI volume snapshots with
--features=EnableCSI.
- K3s: Uses filesystem-based backup with
-
Prompt for the backup interval (in hours) and create scheduled backups for the
zitiandcert-managernamespaces and the support namespaces (support,beats) with a 7-day retention.
Verify backups
-
Check that scheduled backups are configured:
velero schedule get -
View completed backups:
velero backup get -
Get details on a specific backup:
velero backup describe --details <backup-name>
Create an on-demand backup
Run either or both commands depending on what you want to back up.
Back up the ziti and cert-manager namespaces:
velero backup create <backup-name> \
--include-namespaces ziti,cert-manager \
--include-cluster-resources \
--ttl 168h
Back up the support stack:
velero backup create <backup-name>-support \
--include-namespaces support,beats \
--include-cluster-resources \
--ttl 168h