OpenStack Cinder Snapshot Backups

The VolumeSnapshotBackup CRD creates point-in-time backups by taking OpenStack Cinder volume snapshots and then backing up the snapshot data to a Restic repository. This is ideal for consistent backups of databases and other applications that benefit from filesystem-level snapshots.

Prerequisites

  • PVCs backed by Cinder volumes (via the cinder.csi.openstack.org CSI driver)
  • OpenStack credentials with snapshot and volume permissions
  • The openstacksdk Python package (included in the operator image)

Workflow

The VolumeSnapshotBackup follows a multi-phase workflow:

Phase 1: CreatingSnapshot
  └─ Create Cinder volume snapshot from PVC's backing volume

Phase 2: CreatingVolume
  └─ Create a temporary Cinder volume from the snapshot

Phase 3: CreatingPVC (internal)
  └─ Create a temporary PVC bound to the new volume

Phase 4: Backup
  └─ Run Restic backup Job against the temporary PVC

Phase 5: Cleanup
  └─ Delete temporary PVC, volume, and snapshot (based on retention)

On failure at any phase, all previously created resources are cleaned up automatically.

OpenStack Credentials

Create a Secret with your OpenStack environment variables:

apiVersion: v1
kind: Secret
metadata:
  name: openstack-credentials
  namespace: kube-system
type: Opaque
stringData:
  OS_AUTH_URL: "https://identity.cloud.example.com/v3"
  OS_USERNAME: "backup-service-account"
  OS_PASSWORD: "your-openstack-password"
  OS_PROJECT_NAME: "my-project"
  OS_PROJECT_DOMAIN_NAME: "Default"
  OS_USER_DOMAIN_NAME: "Default"
  OS_REGION_NAME: "RegionOne"

Full Example

apiVersion: backups.k8s.bnerd.com/v1
kind: VolumeSnapshotBackup
metadata:
  name: postgres-snapshot-backup
  namespace: my-app
spec:
  volumeClaimRef:
    name: postgres-data

  openstack:
    credentialsSecretRef:
      name: openstack-credentials
      namespace: kube-system
    autoDiscover: true  # Auto-detect Cinder volume ID from PVC

  snapshot:
    force: true       # Allow snapshots of in-use volumes
    timeout: 600      # Seconds to wait for snapshot to become available
    namePrefix: "backup"

  temporaryVolume:
    timeout: 300      # Seconds to wait for temporary PVC to bind

  repository:
    type: s3
    url: s3:s3.amazonaws.com/my-bucket/backups/postgres
    secretRef:
      name: restic-s3-credentials

  host: "production-postgres"

  paths:
    - "/"

  exclude:
    - "lost+found"
    - "*.tmp"

  retention:
    keepLast: 10
    keepDaily: 7
    keepWeekly: 4
    keepMonthly: 6
    keepYearly: 2

  resources:
    requests:
      memory: "256Mi"
      cpu: "200m"
    limits:
      memory: "2Gi"
      cpu: "2000m"

Configuration Details

Auto-Discovery

When autoDiscover: true (default), the operator reads the Cinder volume ID directly from the PVC's PersistentVolume spec (spec.csi.volumeHandle). This avoids having to manually specify the volume ID.
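
The lookup described above, as an added example that is not the operator's own code: it resolves a PVC to its Cinder volume ID from objects shaped like `kubectl get pvc/pv -o json` output. The helper name, the `DiscoveryError` class, and the bound-state, claimRef and driver checks are assumptions added here as guards against snapshotting the wrong volume; the sample objects are constructed.

```python
# Added example, not the operator's code: map a PVC to its Cinder volume ID
# via the bound PersistentVolume's spec.csi.volumeHandle.
CINDER_DRIVER = "cinder.csi.openstack.org"  # driver named in Prerequisites


class DiscoveryError(Exception):
    """Raised when a PVC cannot be mapped to a Cinder volume."""


def discover_cinder_volume_id(pvc: dict, pvs: list) -> str:
    """Return spec.csi.volumeHandle of the PV bound to `pvc` (hypothetical helper)."""
    pv_name = pvc.get("spec", {}).get("volumeName")
    if pvc.get("status", {}).get("phase") != "Bound" or not pv_name:
        raise DiscoveryError("PVC is not bound to a PersistentVolume")
    pv = next((p for p in pvs if p["metadata"]["name"] == pv_name), None)
    if pv is None:
        raise DiscoveryError(f"PersistentVolume {pv_name} not found")
    # Assumed guard: the PV must point back at this PVC (no stale binding).
    ref = pv["spec"].get("claimRef", {})
    if (ref.get("namespace"), ref.get("name")) != (
            pvc["metadata"]["namespace"], pvc["metadata"]["name"]):
        raise DiscoveryError("PV claimRef does not point back at this PVC")
    # Assumed guard: only Cinder CSI volumes can be snapshotted through Cinder.
    csi = pv["spec"].get("csi")
    if not csi or csi.get("driver") != CINDER_DRIVER:
        raise DiscoveryError("PV is not provisioned by the Cinder CSI driver")
    handle = csi.get("volumeHandle")
    if not handle:
        raise DiscoveryError("PV has no spec.csi.volumeHandle")
    return handle


# Constructed sample objects, trimmed to the fields used above.
SAMPLE_PVC = {
    "metadata": {"name": "postgres-data", "namespace": "my-app"},
    "spec": {"volumeName": "pvc-constructed-0001"},
    "status": {"phase": "Bound"},
}
SAMPLE_PV = {
    "metadata": {"name": "pvc-constructed-0001"},
    "spec": {
        "claimRef": {"namespace": "my-app", "name": "postgres-data"},
        "csi": {"driver": CINDER_DRIVER,
                "volumeHandle": "00000000-0000-0000-0000-000000000001"},
    },
}

if __name__ == "__main__":
    print(discover_cinder_volume_id(SAMPLE_PVC, [SAMPLE_PV]))
```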

Snapshot Settings

| Field | Default | Description |
|-------|---------|-------------|
| snapshot.force | true | Allow snapshots of volumes currently attached to a VM |
| snapshot.timeout | 600 | Seconds to wait for snapshot to reach available status |
| snapshot.namePrefix | "backup" | Prefix for snapshot names (format: {prefix}-{namespace}-{pvc}-{timestamp}) |
| snapshot.retention.keepLast | 3 | Keep the last N OpenStack snapshots |
| snapshot.retention.keepForDays | 7 | Keep snapshots created within the last N days |

Temporary Volume

| Field | Default | Description |
|-------|---------|-------------|
| temporaryVolume.storageClass | (from source PVC) | Storage class for the temporary PVC |
| temporaryVolume.timeout | 300 | Seconds to wait for PVC to bind |

The temporary PVC and volume are deleted automatically after the backup completes or on failure.

Status Phases

Monitor the progress with:

kubectl get volumesnapshotbackup postgres-snapshot-backup -w

| Phase | Description |
|-------|-------------|
| Pending | Resource created, not yet processing |
| CreatingSnapshot | Creating OpenStack volume snapshot |
| CreatingVolume | Creating temporary volume from snapshot |
| Backup | Running Restic backup against temporary PVC |
| Cleanup | Cleaning up temporary resources |
| Succeeded | Backup completed successfully |
| Failed | An error occurred (check status.message) |

Troubleshooting

"Failed to authenticate with OpenStack"

  • Verify all OS_* variables in the credentials Secret
  • Check that OS_AUTH_URL is reachable from the operator pod
  • Ensure the user has the member role on the project

"Snapshot creation timed out"

  • Increase snapshot.timeout for large volumes
  • Check OpenStack Cinder service health
  • Verify the volume is not in an error state

"Temporary PVC failed to bind"

  • Increase temporaryVolume.timeout
  • Verify the CSI driver can create volumes from snapshots
  • Check that the storage class supports volume creation from snapshots