velero.md

Create an GCS bucket

BUCKET=my-dev-k8s gsutil mb gs://$BUCKET/

Set permissions with a Service Account

# View your current config settings:
gcloud config list
PROJECT_ID=$(gcloud config get-value project)

# Create a service account:
gcloud iam service-accounts create velero \
    --display-name "Velero service account"

SERVICE_ACCOUNT_EMAIL=$(gcloud iam service-accounts list \
  --filter="displayName:Velero service account" \
  --format 'value(email)')
Attach policies to give velero the necessary permissions to function:

ROLE_PERMISSIONS=(
    compute.disks.get
    compute.disks.create
    compute.disks.createSnapshot
    compute.snapshots.get
    compute.snapshots.create
    compute.snapshots.useReadOnly
    compute.snapshots.delete
    compute.zones.get
)

gcloud iam roles create velero.server \
    --project $PROJECT_ID \
    --title "Velero Server" \
    --permissions "$(IFS=","; echo "${ROLE_PERMISSIONS[*]}")"

gcloud projects add-iam-policy-binding $PROJECT_ID \
    --member serviceAccount:$SERVICE_ACCOUNT_EMAIL \
    --role projects/$PROJECT_ID/roles/velero.server

gsutil iam ch serviceAccount:$SERVICE_ACCOUNT_EMAIL:objectAdmin gs://${BUCKET}

Create a service account key, specifying an output file (credentials-velero) in your local directory:

gcloud iam service-accounts keys create credentials-velero \
    --iam-account $SERVICE_ACCOUNT_EMAIL

# install velero
velero install \
    --provider gcp \
    --plugins velero/velero-plugin-for-gcp:v1.2.0 \
    --bucket $BUCKET \
    --secret-file ./credentials-velero

# check status
kubectl logs deployment/velero -n velero

# get backup location
velero backup-location get

# create schedule
velero create schedule backup-dev --schedule="0 22 * * *" --ttl 72h0m0s

Notification

https://github.com/vitobotta/velero-backup-notification/blob/master/README.md

Restore

velero restore create --from-backup <SCHEDULE NAME>-<TIMESTAMP>

Reference

https://github.com/vmware-tanzu/velero-plugin-for-gcp