Examples¶
Complete, copy-paste-ready examples for all CRDs.
VolumeBackup¶
Minimal S3 Backup¶
apiVersion: backups.k8s.bnerd.com/v1
kind: VolumeBackup
metadata:
name: simple-backup
namespace: default
spec:
volumeClaimRef:
name: my-data-pvc
schedule: "0 3 * * *"
repository:
type: s3
url: s3:s3.amazonaws.com/my-backup-bucket/simple-backup
secretRef:
name: restic-backup-secret
Full-Featured Backup¶
apiVersion: backups.k8s.bnerd.com/v1
kind: VolumeBackup
metadata:
name: production-backup
namespace: default
spec:
volumeClaimRef:
name: my-data-pvc
namespace: default
schedule: "0 3 * * *"
repository:
type: s3
url: s3:s3.amazonaws.com/my-backup-bucket/my-data
secretRef:
name: restic-backup-secret
paths:
- /data
exclude:
- "*.tmp"
- "*.log"
retention:
keepLast: 15
keepDaily: 7
keepWeekly: 4
keepMonthly: 6
check:
enabled: true
schedule: "0 4 * * *"
readDataSubset: "10%"
resources:
requests:
memory: "256Mi"
cpu: "200m"
limits:
memory: "1Gi"
cpu: "1000m"
restoreTest:
enabled: true
schedule: "0 5 * * 0"
storage:
type: "emptyDir"
size: "5Gi"
fileCount: 50
verifyChecksums: true
resources:
requests:
memory: "512Mi"
cpu: "500m"
limits:
memory: "8Gi"
cpu: "4000m"
cache:
enabled: true
size: "5Gi"
accessMode: "ReadWriteOnce"
resources:
requests:
memory: "256Mi"
cpu: "200m"
limits:
memory: "1Gi"
cpu: "1000m"
image:
repository: registry.bnerd.com/public/restic
tag: "0.18.1"
pullPolicy: Always
webhooks:
success: "https://hooks.example.com/backup-success"
failure: "https://hooks.example.com/backup-failure"
jobConfig:
keepSuccessfulJobs: 3
keepFailedJobs: 3
VolumeRestore¶
Restore from VolumeBackup¶
apiVersion: v1
kind: Secret
metadata:
name: backup-credentials
namespace: default
type: Opaque
stringData:
AWS_ACCESS_KEY_ID: "your-access-key-id"
AWS_SECRET_ACCESS_KEY: "your-secret-access-key"
RESTIC_PASSWORD: "your-restic-repository-password"
---
apiVersion: backups.k8s.bnerd.com/v1
kind: VolumeRestore
metadata:
name: database-restore
namespace: default
spec:
sourceBackup:
volumeBackupRef:
name: database-volume-backup
targetPVC:
createNew: true
name: "restored-database"
size: "15Gi"
storageClass: "fast-ssd"
restoreSpec:
paths: ["/"]
overwrite: "never"
jobConfig:
retries: 3
activeDeadlineSeconds: 3600
Restore from Direct Repository¶
apiVersion: backups.k8s.bnerd.com/v1
kind: VolumeRestore
metadata:
name: direct-restore
namespace: default
spec:
sourceRepository:
type: s3
url: "s3:s3.amazonaws.com/my-backup-bucket/app-volume"
secretRef:
name: backup-credentials
host: "production-app-server"
targetPVC:
createNew: false
name: "existing-app-data"
restoreSpec:
paths:
- "/app/data"
- "/app/config"
exclude:
- "*.tmp"
- "*.log"
overwrite: "always"
targetPath: "/restored"
Cross-Namespace Restore¶
apiVersion: backups.k8s.bnerd.com/v1
kind: VolumeRestore
metadata:
name: staging-restore
namespace: staging
spec:
sourceBackup:
volumeBackupRef:
name: production-database-backup
namespace: production
targetPVC:
createNew: true
name: "staging-database-data"
size: "10Gi"
storageClass: "standard"
labels:
environment: "staging"
source: "production-restore"
restoreSpec:
paths: ["/"]
overwrite: "always"
jobConfig:
retries: 2
keepSuccessfulJobs: 1
keepFailedJobs: 2
activeDeadlineSeconds: 7200
resources:
requests:
memory: "256Mi"
cpu: "200m"
limits:
memory: "1Gi"
cpu: "500m"
Point-in-Time Restore¶
apiVersion: backups.k8s.bnerd.com/v1
kind: VolumeRestore
metadata:
name: point-in-time-restore
namespace: default
spec:
sourceBackup:
volumeBackupRef:
name: config-volume-backup
snapshotDate: "2025-01-10T12:00:00Z"
targetPVC:
createNew: true
restoreSpec:
paths:
- "/etc/config"
- "/var/secrets"
exclude:
- "*.bak"
targetPath: "/recovery"
overwrite: "if-changed"
jobConfig:
retries: 1
activeDeadlineSeconds: 1800
VolumeSnapshotBackup¶
OpenStack Cinder Snapshot Backup¶
apiVersion: backups.k8s.bnerd.com/v1
kind: VolumeSnapshotBackup
metadata:
name: postgres-snapshot-backup
namespace: my-app
spec:
volumeClaimRef:
name: postgres-data
openstack:
credentialsSecretRef:
name: openstack-credentials
namespace: kube-system
autoDiscover: true
snapshot:
force: true
timeout: 600
namePrefix: "backup"
temporaryVolume:
timeout: 300
repository:
type: s3
url: s3:s3.amazonaws.com/my-bucket/backups/postgres
secretRef:
name: restic-s3-credentials
host: "production-postgres"
paths:
- "/"
exclude:
- "lost+found"
- "*.tmp"
- "pg_wal/archive_status/*"
retention:
keepLast: 10
keepDaily: 7
keepWeekly: 4
keepMonthly: 6
keepYearly: 2
resources:
requests:
memory: "256Mi"
cpu: "200m"
limits:
memory: "2Gi"
cpu: "2000m"
S3Backup¶
S3 Bucket Backup¶
apiVersion: v1
kind: Secret
metadata:
name: s3-source-credentials
namespace: default
type: Opaque
stringData:
AWS_ACCESS_KEY_ID: "source-access-key-id"
AWS_SECRET_ACCESS_KEY: "source-secret-access-key"
---
apiVersion: v1
kind: Secret
metadata:
name: s3-repo-credentials
namespace: default
type: Opaque
stringData:
AWS_ACCESS_KEY_ID: "repo-access-key-id"
AWS_SECRET_ACCESS_KEY: "repo-secret-access-key"
RESTIC_PASSWORD: "your-restic-repository-password"
---
apiVersion: backups.k8s.bnerd.com/v1
kind: S3Backup
metadata:
name: my-bucket-backup
namespace: default
spec:
source:
endpoint: "https://storage.muc1.de.bnerd.com"
bucket: "my-source-bucket"
prefix: "data/"
usePathStyle: true
secretRef:
name: s3-source-credentials
schedule: "0 3 * * *"
repository:
type: s3
url: "s3:s3.eu-central-1.amazonaws.com/my-backup-repo/s3-backups"
secretRef:
name: s3-repo-credentials
host: "production-bucket-backup"
exclude:
- "*.tmp"
- "*.log"
retention:
keepLast: 15
keepDaily: 7
keepWeekly: 4
keepMonthly: 6
cache:
enabled: true
size: "10Gi"
resources:
requests:
memory: "512Mi"
cpu: "300m"
limits:
memory: "2Gi"
cpu: "1000m"
check:
enabled: true
schedule: "0 4 * * 0"
readDataSubset: "5%"
restoreTest:
enabled: true
schedule: "0 5 * * 0"
fileCount: 25
verifyChecksums: true
webhooks:
success: "https://example.com/webhook/success"
failure: "https://example.com/webhook/failure"
Credentials Secrets¶
S3 Credentials¶
apiVersion: v1
kind: Secret
metadata:
name: s3-backup-credentials
type: Opaque
stringData:
AWS_ACCESS_KEY_ID: "your-access-key-id"
AWS_SECRET_ACCESS_KEY: "your-secret-access-key"
RESTIC_PASSWORD: "your-restic-repository-password"
# Optional:
# AWS_DEFAULT_REGION: "eu-central-1"
OpenStack Credentials¶
apiVersion: v1
kind: Secret
metadata:
name: openstack-credentials
namespace: kube-system
type: Opaque
stringData:
OS_AUTH_URL: "https://identity.cloud.example.com/v3"
OS_USERNAME: "backup-service-account"
OS_PASSWORD: "your-openstack-password"
OS_PROJECT_NAME: "my-project"
OS_PROJECT_DOMAIN_NAME: "Default"
OS_USER_DOMAIN_NAME: "Default"
OS_REGION_NAME: "RegionOne"