Backup and restore prerequisite requirements

Verrazzano provides Velero and rancher-backup for backup and recovery at the component and platform level. Use the following instructions to enable and configure these components in your environment.

NOTE: The backup functionality for OpenSearch can be used only if the components are enabled explicitly in the Verrazzano CR.

Enable backup components

To back up and restore persistent data, first you must enable the velero and rancherBackup components. The following configuration shows how to enable the backup components with a prod installation profile.

kind: Verrazzano
  name: example-verrazzano
  profile: prod
      enabled: true
      enabled: true  

NOTE: rancherBackup will be enabled only in cases when rancher is also enabled.

After they’re enabled, check for Velero pods running in the verrazzano-backup namespace.

# Sample of pods running after enabling the velero component

$ kubectl get pod -n verrazzano-backup
NAME                      READY   STATUS    RESTARTS   AGE
restic-ndxfk              1/1     Running   0          21h
velero-5ff8766fd4-xbn4z   1/1     Running   0          21h

For rancher-backup, the pods will be created in the cattle-resources-system namespace.

# Sample of pods running after enabling the rancherBackup component

$ kubectl get pod -n cattle-resources-system
NAME                              READY   STATUS    RESTARTS   AGE
rancher-backup-5c4b985697-xw7md   1/1     Running   0          2d4h

Configure backup components

Next, meet the following prerequisite requirements for both velero and rancherBackup components:

  • Object store bucket name.

    • Both components require an object store that is Amazon S3 compatible, therefore, you need to have an object storage bucket. This can be an Oracle Cloud Object Storage bucket in any compartment of your Oracle Cloud tenancy.
      • Make a note of the bucket name and tenancy name for reference.
      • For more information about creating a bucket with Object Storage, refer to this page.
    • For private clouds, enterprise networks, or air-gapped environments, this could be MinIO or an equivalent object store solution.
  • Object store prefix name. This will be a child folder under the bucket, which the backup component creates.

  • Object store region information.

  • A signing key, which is required to authenticate with the Amazon S3 compatible object store. Follow these steps to create a Customer Secret Key.

Velero CLI (optional)

The Velero CLI helps you access Velero objects in a more descriptive manner; you can also manage them using kubectl.

If desired, install the Velero CLI on Oracle Linux as follows:

$ rpm -ivh

Component-specific prerequisites

Meet the following component-specific prerequisites:

Velero operator prerequisites

Now, create the following objects:

  • Create a backup-secret.txt file, which has the object store credentials.

    aws_access_key_id=<object store access key>
    aws_secret_access_key=<object store secret key>
  • In the namespace verrazzano-backup, create a Kubernetes secret verrazzano-backup-creds.

    $ kubectl create secret generic -n <backup-namespace> <secret-name> --from-file=<key>=<full_path_to_creds_file>


    $ kubectl create secret generic -n verrazzano-backup verrazzano-backup-creds --from-file=cloud=backup-secret.txt

    NOTE: To avoid misuse of sensitive data, ensure that the backup-secret.txt file is deleted after the Kubernetes secret is created.

  • Create BackupStorageLocation, which the backup component will reference for subsequent backups. See the following BackupStorageLocation example. For more information, see here.

    kind: BackupStorageLocation
      name: verrazzano-backup-location
      namespace: verrazzano-backup
      provider: aws
        bucket: example-verrazzano
        prefix: backup-demo
        name: verrazzano-backup-creds
        key: cloud
        region: us-phoenix-1
        s3ForcePathStyle: "true"

rancher-backup operator prerequisites

Now, in the namespace verrazzano-backup, create a Kubernetes secret rancher-backup-creds.

$ kubectl create secret generic -n <backup-namespace> <secret-name> --from-literal=accessKey=<accesskey> --from-literal=secretKey=<secretKey>


$ kubectl create secret generic -n verrazzano-backup rancher-backup-creds --from-literal=accessKey="s5VLpXwa0xNZQds4UTVV" --from-literal=secretKey="nFFpvyxpQvb0dIQovsl0"