Skip to main content

OpenShift Backup and Restore with OAPD

Red Hat’s OpenShift-native data protection framework deploys and manages Velero to perform consistent backup and restore of Kubernetes resources and persistent volume data. In the Virtana Platform, this enables operators to capture namespace-scoped backups and reliably restore applications, configuration, and storage after accidental deletion, failed upgrades, or cluster or application incidents.

In this setup, MinIO provides an in-cluster, S3-compatible object storage backend where Velero stores backup artifacts (metadata and volume backup data by the node agent), giving users a self-contained backup target without relying on external cloud storage.

Prerequisites

Make sure you have the following prerequisites and update the cluster or tooling where needed before moving on.

  • OpenShift cluster with OADP operator installed.

  • Helm installed for MinIO chart deployment.

  • Need oc/kubectl CLI access.

  • Internet access to pull Helm charts and container images.

  • Pod annotations for each pod in spec.template.metadata.annotations is as follows:

    annotations: backup.velero.io/backup-volumes: "*"

Install MinIO (Object Storage)

It provisions an in-cluster, S3-compatible object store that Velero or OADP uses as the backup target where backup metadata and volume backup data are uploaded. The installation is performed using the MinIO Helm chart. You add the MinIO Helm repository, create a minio-values.yaml file to define the deployment mode, and then run helm upgrade --install to deploy MinIO into a dedicated minio namespace.

On OpenShift, you need to grant the MinIO service account the required Security Context Constraints (SCC) to run successfully. Finally, use the MinIO client (mc) inside the pod to create the Velero bucket and a dedicated Velero user with read/write permissions.

Add Helm repo and update

In this step, you configure your local Helm client to trust and pull charts from the official MinIO Helm chart repository. Run the following command to add the MinIO Helm repository and refresh chart indices.

helm repo add minio https://charts.min.io/
helm repo update

helm repo add registers the MinIO chart repository URL with your local Helm configuration, and helm repo update refreshes Helm’s local chart index so it can discover the latest available chart versions before you install or upgrade MinIO.

Create MinIO values file

The values file lets you customize the MinIO deployment in a repeatable, version-controlled way. Here, it is used to set MinIO to standalone mode, enable persistent storage for backups, specify resource requests, configure service exposure, and control optional components like the MinIO console.

Create a file named minio-values.yaml with the following configuration:

mode: standalone
persistence:
  enabled: true
  size: 50Gi
resources:
  requests:
    memory: 512Mi
    cpu: 250m
rootUser: "minioadmin"
rootPassword: "minioadmin"
service:
  type: ClusterIP
replicas: 1
console:
  enabled: false

The following table provides the details of each field of the above configuration file:

Table 115.

Field

Description

Default value

mode

MinIO deployment mode. standalone runs a single instance.

standalone

persistence.enabled

Ensures data is stored on a PersistentVolume and survives pod restarts.

true

persistence.size

Requested PV capacity for object data.

50Gi

resources.requests.memory/cpu

Minimum guaranteed resources for stable performance.

rootUser/rootPassword

Bootstrap admin credentials for MinIO.

service.type

Exposure method inside the cluster. ClusterIP limits access to in-cluster clients.

ClusterIP

replicas

Number of MinIO pods. 1 for standalone.

1

console.enabled

Enables/disables MinIO Web Console. Disabled here for simplicity and minimal attack surface.

false



Install MinIO

Run the following command to install MinIO in its own namespace using the values file.

helm upgrade --install minio minio/minio \
  -n minio --create-namespace \
  -f minio-values.yaml \
  --version 5.4.0

Assign SCC for OpenShift

In this step, you grant the MinIO workload the Security Context Constraints (SCC) permissions it may need to run correctly on OpenShift. Run the following command to bind the required SCC to the MinIO service account in the minio namespace, then verify who is allowed to use it:

oc adm policy add-scc-to-user anyuid -z minio-sa -n minio
oc adm policy who-can use scc anyuid

Configure Buckets with MinIO client (mc)

This step prepares MinIO so that Velero has a known bucket to store backups and a dedicated set of credentials with the right permissions. Open a terminal inside the MinIO container, configure an mc (MinIO Client) alias to point to the MinIO service endpoint. After establishing the connection, create the required bucket, provision a user, and assign the appropriate access permissions.

kubectl exec -it deploy/minio -n minio -- bash
# Inside pod:
mc alias set localminio http://minio:9000 minioadmin minioadmin
mc mb localminio/velero
mc admin user add localminio velero-user vP@assWoRd
mc admin policy attach localminio readwrite --user velero-user
mc ls localminio

Configure cloud credentials for Velero

Configuring cloud credentials enables Velero to authenticate to the MinIO object storage in order to write backups and read them back during restores. You do this by creating a Kubernetes Secret named cloud-credentials.yaml in the OADP namespace, containing an AWS-style credentials file.

apiVersion: v1
kind: Secret
metadata:
  name: cloud-credentials
  namespace: openshift-adp
stringData:
  cloud: |
    [default]
    aws_access_key_id = velero-user
    aws_secret_access_key = vP@assWoRd

The following table defines each field of the above configuration:

Table 116.

Field

Description

Default value

metadata.name

Secret name referenced by OADP/Velero.

cloud-credentials

metadata.namespace

Must match the OADP operator namespace.

openshift-adp

stringData.cloud

AWS-style credentials file. Values are injected into Velero for S3-compatible access to MinIO. Replace with your secure credentials.



Run the command to apply the secret to the OADP namespace so that OADP/Velero can use these credentials to access the MinIO S3 bucket for backups and restores.

kubectl apply -f cloud-credentials.yaml

Deploy OADP DataProtectionApplication (DPA)

The deployment of the DPA custom resource lets OADP configure Velero with the correct settings. This defines Velero’s configuration, plugins, and backup location.

Create a dpa.yaml file in the OADP namespace with your Velero configuration:

apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
  name: velero-dpa
  namespace: openshift-adp
spec:
  configuration:
    nodeAgent:
      enable: true
      uploaderType: kopia
    velero:
      disableFsBackup: false
      defaultPlugins:
        - openshift
        - aws
        - kubevirt
  backupLocations:
    - velero:
        provider: aws
        objectStorage:
          bucket: velero
          prefix: backups
        config:
          region: minio
          s3ForcePathStyle: "true"
          s3Url: http://minio.minio.svc.cluster.local:9000
        credential:
          name: cloud-credentials
          key: cloud
        default: true

The following table defines each field of the above configuration:

Table 117.

Field

Description

Default value

metadata.namespace

OADP operator namespace ensures that the operator can manage this DPA.

openshift-adp

spec.configuration.nodeAgent.enable

When true, deploys a Node Agent DaemonSet on every node to support file-system-level backups of persistent volumes.

true

spec.configuration.nodeAgent.uploaderType

The tool used by the Node Agent to upload PV data.

kopia

spec.configuration.velero.disableFsBackup

When false, allows file-system-based backups of volumes.

false

spec.configuration.velero.defaultPlugins

List of Velero plugins to install automatically.

openshift for OpenShift API integration.

aws for S3-compatible object storage.

kubevirt if backing up KubeVirt VMs.

spec.backupLocations[].velero.provider

The storage provider type.

aws

objectStorage.bucket/prefix

Target bucket and prefix path within MinIO for backup objects.

config.region

Arbitrary region label. Must be non-empty for AWS plugin; using minio.

minio

config.s3ForcePathStyle

When true, uses path-style URLs instead of virtual-hosted-style.

true

config.s3Url

The endpoint URL of the S3-compatible object store.

http://minio.minio.svc.cluster.local:9000

credential.name/key

Reference to the Secret and key holding the AWS-style credentials content.

default

Marks this backup location as the default for Velero operations

true



Run the following command to apply, and then verify that the Velero/OADP pods are running:

kubectl apply -f dpa.yaml
kubectl get pods -n openshift-adp

Create a tuned Backup Storage Location (BSL) (optional)

The Velero configuration uses the information to know where backups are stored (bucket/prefix) and how to connect to that storage. The BSL points Velero to the MinIO S3-compatible service and the velero bucket, so backups and restore artifacts are consistently written to the correct location.

Create a tuned BSL for faster uploads, backup-storage-location.yaml.

apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
  name: velero-bsl
  namespace: openshift-adp
spec:
  provider: aws
  objectStorage:
    bucket: velero
    prefix: backups
  config:
    region: minio
    s3ForcePathStyle: 'true'
    s3Url: 'http://minio.minio.svc.cluster.local:9000'
    maxParallel: "10"
    maxRetries: "5"
    maxRetriesBackoff: "2s"
    partSize: "104857600"
  credential:
    name: cloud-credentials
    key: cloud
  default: true

The following table defines each field of the above configuration:

Table 118.

Field

Description

Default value

metadata.namespace

The namespace where Velero is running.

openshift-adp

spec.provider

The storage provider type.

aws

objectStorage.bucket/prefix

Components where backup objects are written within MinIO.

config.region/s3ForcePathStyle/s3Url

The endpoint URL of the S3-compatible object store, pointing to the in-cluster MinIO service.

http://minio.minio.svc.cluster.local:9000

config.maxParallel

The maximum number of parallel upload/download operations Velero performs against this storage location.

10

config.maxRetries

The maximum number of times Velero retries a failed S3 operation before marking it as failed.

5

config.maxRetriesBackoff

The wait duration between retries, using an exponential backoff strategy.

2s

config.partSize

The size of each part in a multipart upload to S3.

104857600

credential.name/key

The name of the Kubernetes Secret that contains the S3 access key and secret key.

default

When true, this location is used as the default destination for all Velero backups unless another location is explicitly specified in the backup command.

true



After applying the backup-storage-location.yaml, you can reference it by name, for example, velero-bsl, in backup specs through the storageLocation to ensure backups use the tuned settings. Run the following command:

kubectl apply -f backup-storage-location.yaml

Create a backup

Creating a backup is the step where you define what data and Kubernetes resources Velero should capture and how the backup should be executed and retained.

Create a backup.yaml, adjust names/namespaces:

apiVersion: velero.io/v1
kind: Backup
metadata:
  name: virtana-io-backup-16sep-01
  namespace: openshift-adp
spec:
  csiSnapshotTimeout: 120m0s
  defaultVolumesToFsBackup: true
  includedNamespaces:
    - virtana-io
  itemOperationTimeout: 10h0m0s
  snapshotMoveData: false
  storageLocation: velero-bsl
  ttl: 72h0m0s

The following table defines each field of the above configuration:

Table 119.

Field

Description

Default value

metadata.namespace

Velero/OADP control namespace where CRDs are reconciled.

openshift-adp

spec.csiSnapshotTimeout

The maximum time Velero waits for a CSI volume snapshot to become ready before marking it as failed.

120m0s

spec.defaultVolumesToFsBackup

When true, all persistent volumes in the included namespaces are backed up using file-system-level backup by default.

true

spec.includedNamespaces

A list of namespaces to include in this backup. Only resources within the specified namespaces are captured.

virtana-io

spec.itemOperationTimeout

Maximum time allowed for long-running backup item operations to complete.

10h0m0s

spec.snapshotMoveData

When false, CSI volume snapshots remain in the source storage location and are not moved or copied to the backup storage location.

false

spec.storageLocation

The name of the BackupStorageLocation resource where backup artifacts are stored.

velero-bsl

spec.ttl

Time to live shares details such as how long this backup is retained before Velero automatically deletes it.

72h0m0s



Run the following command to apply the backup resource to start the Velero backup job, then list backups in the openshift-adp namespace to confirm it was created and to monitor its status.

kubectl apply -f backup.yaml
velero backup get -n openshift-adp`

Restore from backup

In this step, you use Velero through OADP to recreate Kubernetes/OpenShift resources and recover persistent data from a previously completed backup stored in MinIO.

Create a restore.yaml that points to the desired backupName, optionally tunes restore behavior:

apiVersion: velero.io/v1
kind: Restore
metadata:
  name: virtana-io-restore-16sep-01
  namespace: openshift-adp
spec:
  uploaderConfig:
    parallelFilesDownload: 16
  includedNamespaces:
    - virtana-io
  backupName: virtana-io-backup-16sep-01
  restorePVs: true
  restoreVolumes: true
  itemOperationTimeout: 12h

The following table defines each field of the above configuration:

Table 120.

Field

Description

Default value

metadata.namespace

The namespace where Velero is running.

openshift-adp

spec.uploaderConfig.parallelFilesDownload

The number of files downloaded in parallel from the backup storage location during a file-system-level restore.

16

spec.includedNamespaces

A list of namespaces to restore. Only resources belonging to the specified namespaces are recovered from the backup.

virtana-io

spec.backupName

The name of the Backup resource to restore from.

virtana-io-backup-16sep-01

spec.restorePVs

When true, Velero restores PersistentVolume (PV) objects from the backup, re-creating the underlying storage resources.

true

spec.restoreVolumes

When true, Velero restores the actual volume data back into the restored PVCs.

true

spec.restoreVolumes

Maximum time allowed for long-running restore item operations to complete.

12h



Run the following command to apply restore.yaml and monitor progress and confirm completion using the Velero CLI.

kubectl apply -f restore.yaml
velero restore get -n openshift-adp

Validation

In this step, confirm that your Velero/OADP backup and restore actually succeeded at both the Velero control-plane level and at the application level. Validate the resources and application behavior in the restored namespace.

Check backups

Use the following command to confirm the backup object exists, see its status, and inspect what Velero captured.

velero backup get -n openshift-adp
velero backup describe virtana-io-backup-16sep-01 -n openshift-adp

If the backup is not Completed:

  • Re-check your MinIO connectivity (S3 URL, bucket, credentials) and that the BackupStorageLocation/DPA is valid.

  • Review Velero/OADP logs.

Check restores

Use the following command to confirm the restore object exists, see its status, and inspect the restored items.

velero restore get -n openshift-adp
velero restore describe virtana-io-restore-16sep-01 -n openshift-adp

In the describe output, verify:

  • The restore is using the intended backupName.

  • Any reported warnings/errors.

  • Restore duration and item counts.

Verify in the namespace

It verifies that Velero has completed, the restored application is healthy, and the data is correct.

Minimum checks to perform in the target namespace:

  • Workloads are present and running.

  • PVCs and PVs are restored with correct data and bound.

  • Ensure Services exist and endpoints are populated.

  • Validate that PV-backed application data is present.

UI Validation

User-facing sanity check to confirm the Virtana Platform is functioning correctly after a backup or restore. After Velero reports the restore as Completed, log in to the application UI and navigate through key pages to verify that core features load, expected data is present, and common actions behave normally.