Azure Blob Storage Backup

This guide covers configuring VolumeBackup with Azure Blob Storage as the repository backend.

Repository URL Format

azure:container-name/path

Example: azure:my-backup-container/kubernetes/app-data

Credentials Secret

Create a Secret with your Azure storage credentials and Restic repository password:

# Option 1: authenticate with a storage account key
apiVersion: v1
kind: Secret
metadata:
  name: azure-backup-credentials
  namespace: default
type: Opaque
stringData:
  AZURE_ACCOUNT_NAME: "mystorageaccount"
  AZURE_ACCOUNT_KEY: "your-storage-account-key"
  RESTIC_PASSWORD: "your-restic-repository-password"
---
# Option 2: authenticate with a SAS token instead of the account key
apiVersion: v1
kind: Secret
metadata:
  name: azure-backup-credentials
  namespace: default
type: Opaque
stringData:
  AZURE_ACCOUNT_NAME: "mystorageaccount"
  AZURE_ACCOUNT_SAS: "your-sas-token"
  RESTIC_PASSWORD: "your-restic-repository-password"

Full Example

apiVersion: backups.k8s.bnerd.com/v1
kind: VolumeBackup
metadata:
  name: azure-volume-backup
  namespace: default
spec:
  volumeClaimRef:
    name: my-data-pvc

  schedule: "0 3 * * *"

  repository:
    type: azure
    url: azure:my-backup-container/kubernetes/my-data
    secretRef:
      name: azure-backup-credentials

  retention:
    keepLast: 15
    keepDaily: 7
    keepWeekly: 4
    keepMonthly: 6

  cache:
    enabled: true
    size: "5Gi"

Required Permissions

The storage account or SAS token needs the following permissions on the container:

  • Read, Write, Delete, List (for blob operations)
  • Create (for container initialization on first run)

If using a SAS token, ensure it has sufficient expiry time to cover your backup retention period.
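A pre-flight check for the SAS requirements above, as an added example that is not part of the project: it reads the token's `sp` (permissions) and `se` (expiry) fields and reports what is missing before the token goes into the Secret. The function names, the sample tokens and the 180-day threshold are assumptions made for illustration.

```python
from datetime import datetime, timedelta, timezone
from urllib.parse import parse_qs

# Letters in the SAS "sp" field that correspond to the permissions listed above.
REQUIRED = {"r": "Read", "w": "Write", "d": "Delete", "l": "List", "c": "Create"}


def parse_expiry(value):
    """Parse the "se" field; SAS expiry is UTC, with date-only, minute or second precision."""
    for fmt in ("%Y-%m-%dT%H:%M:%SZ", "%Y-%m-%dT%H:%MZ", "%Y-%m-%d"):
        try:
            return datetime.strptime(value, fmt).replace(tzinfo=timezone.utc)
        except ValueError:
            continue
    raise ValueError(f"unrecognised expiry format: {value!r}")


def check_sas(token, now, min_valid_days):
    """Return a list of problems; an empty list means the token passes.

    The signature ("sig") is never read or echoed, so the result is safe to log.
    """
    fields = parse_qs(token.lstrip("?"), keep_blank_values=True)
    problems = []

    granted = set(fields.get("sp", [""])[0])
    missing = [name for letter, name in REQUIRED.items() if letter not in granted]
    if missing:
        problems.append("missing permissions: " + ", ".join(missing))

    if "se" not in fields:
        problems.append("no expiry (se) field")
    else:
        try:
            expiry = parse_expiry(fields["se"][0])
            if expiry < now + timedelta(days=min_valid_days):
                problems.append(
                    f"expires {expiry:%Y-%m-%d}, less than {min_valid_days} days from now")
        except ValueError as exc:
            problems.append(str(exc))
    return problems


# Constructed sample tokens (not real credentials).
GOOD = "sv=2022-11-02&ss=b&srt=co&sp=rwdlc&se=2030-01-01T00:00:00Z&spr=https&sig=CONSTRUCTED"
WEAK = "?sv=2022-11-02&ss=b&srt=co&sp=rl&se=2025-02-01&spr=https&sig=CONSTRUCTED"

if __name__ == "__main__":
    now = datetime.now(timezone.utc)
    for label, tok in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, check_sas(tok, now, min_valid_days=180) or "ok")
```

Set `min_valid_days` to at least the span your retention policy covers, and rotate the Secret before the reported expiry date.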

Troubleshooting

"authorization failed" errors

  • Verify AZURE_ACCOUNT_NAME and AZURE_ACCOUNT_KEY or AZURE_ACCOUNT_SAS in the Secret
  • Check that the storage account firewall allows access from the cluster's egress IP

"container not found" errors

  • The container must exist before creating the VolumeBackup
  • Verify the container name in the repository URL matches exactly