OpenShift Backup and Restore with OAPD
Red Hat’s OpenShift-native data protection framework deploys and manages Velero to perform consistent backup and restore of Kubernetes resources and persistent volume data. In the Virtana Platform, this enables operators to capture namespace-scoped backups and reliably restore applications, configuration, and storage after accidental deletion, failed upgrades, or cluster or application incidents.
In this setup, MinIO provides an in-cluster, S3-compatible object storage backend where Velero stores backup artifacts (metadata and volume backup data by the node agent), giving users a self-contained backup target without relying on external cloud storage.
Prerequisites
Make sure you have the following prerequisites and update the cluster or tooling where needed before moving on.
OpenShift cluster with OADP operator installed.
Helm installed for MinIO chart deployment.
Need oc/kubectl CLI access.
Internet access to pull Helm charts and container images.
Pod annotations for each pod in
spec.template.metadata.annotationsis as follows:annotations: backup.velero.io/backup-volumes: "*"
Install MinIO (Object Storage)
It provisions an in-cluster, S3-compatible object store that Velero or OADP uses as the backup target where backup metadata and volume backup data are uploaded. The installation is performed using the MinIO Helm chart. You add the MinIO Helm repository, create a minio-values.yaml file to define the deployment mode, and then run helm upgrade --install to deploy MinIO into a dedicated minio namespace.
On OpenShift, you need to grant the MinIO service account the required Security Context Constraints (SCC) to run successfully. Finally, use the MinIO client (mc) inside the pod to create the Velero bucket and a dedicated Velero user with read/write permissions.
Add Helm repo and update
In this step, you configure your local Helm client to trust and pull charts from the official MinIO Helm chart repository. Run the following command to add the MinIO Helm repository and refresh chart indices.
helm repo add minio https://charts.min.io/ helm repo update
helm repo add registers the MinIO chart repository URL with your local Helm configuration, and helm repo update refreshes Helm’s local chart index so it can discover the latest available chart versions before you install or upgrade MinIO.
Create MinIO values file
The values file lets you customize the MinIO deployment in a repeatable, version-controlled way. Here, it is used to set MinIO to standalone mode, enable persistent storage for backups, specify resource requests, configure service exposure, and control optional components like the MinIO console.
Create a file named minio-values.yaml with the following configuration:
mode: standalone
persistence:
enabled: true
size: 50Gi
resources:
requests:
memory: 512Mi
cpu: 250m
rootUser: "minioadmin"
rootPassword: "minioadmin"
service:
type: ClusterIP
replicas: 1
console:
enabled: falseThe following table provides the details of each field of the above configuration file:
Field | Description | Default value |
|---|---|---|
| MinIO deployment mode. standalone runs a single instance. |
|
| Ensures data is stored on a PersistentVolume and survives pod restarts. |
|
| Requested PV capacity for object data. |
|
| Minimum guaranteed resources for stable performance. | |
| Bootstrap admin credentials for MinIO. | |
| Exposure method inside the cluster. ClusterIP limits access to in-cluster clients. |
|
| Number of MinIO pods. 1 for standalone. |
|
| Enables/disables MinIO Web Console. Disabled here for simplicity and minimal attack surface. |
|
Install MinIO
Run the following command to install MinIO in its own namespace using the values file.
helm upgrade --install minio minio/minio \ -n minio --create-namespace \ -f minio-values.yaml \ --version 5.4.0
Assign SCC for OpenShift
In this step, you grant the MinIO workload the Security Context Constraints (SCC) permissions it may need to run correctly on OpenShift. Run the following command to bind the required SCC to the MinIO service account in the minio namespace, then verify who is allowed to use it:
oc adm policy add-scc-to-user anyuid -z minio-sa -n minio oc adm policy who-can use scc anyuid
Configure Buckets with MinIO client (mc)
This step prepares MinIO so that Velero has a known bucket to store backups and a dedicated set of credentials with the right permissions. Open a terminal inside the MinIO container, configure an mc (MinIO Client) alias to point to the MinIO service endpoint. After establishing the connection, create the required bucket, provision a user, and assign the appropriate access permissions.
kubectl exec -it deploy/minio -n minio -- bash # Inside pod: mc alias set localminio http://minio:9000 minioadmin minioadmin mc mb localminio/velero mc admin user add localminio velero-user vP@assWoRd mc admin policy attach localminio readwrite --user velero-user mc ls localminio
Configure cloud credentials for Velero
Configuring cloud credentials enables Velero to authenticate to the MinIO object storage in order to write backups and read them back during restores. You do this by creating a Kubernetes Secret named cloud-credentials.yaml in the OADP namespace, containing an AWS-style credentials file.
apiVersion: v1
kind: Secret
metadata:
name: cloud-credentials
namespace: openshift-adp
stringData:
cloud: |
[default]
aws_access_key_id = velero-user
aws_secret_access_key = vP@assWoRdThe following table defines each field of the above configuration:
Field | Description | Default value |
|---|---|---|
| Secret name referenced by OADP/Velero. |
|
| Must match the OADP operator namespace. |
|
| AWS-style credentials file. Values are injected into Velero for S3-compatible access to MinIO. Replace with your secure credentials. |
Run the command to apply the secret to the OADP namespace so that OADP/Velero can use these credentials to access the MinIO S3 bucket for backups and restores.
kubectl apply -f cloud-credentials.yaml
Deploy OADP DataProtectionApplication (DPA)
The deployment of the DPA custom resource lets OADP configure Velero with the correct settings. This defines Velero’s configuration, plugins, and backup location.
Create a dpa.yaml file in the OADP namespace with your Velero configuration:
apiVersion: oadp.openshift.io/v1alpha1
kind: DataProtectionApplication
metadata:
name: velero-dpa
namespace: openshift-adp
spec:
configuration:
nodeAgent:
enable: true
uploaderType: kopia
velero:
disableFsBackup: false
defaultPlugins:
- openshift
- aws
- kubevirt
backupLocations:
- velero:
provider: aws
objectStorage:
bucket: velero
prefix: backups
config:
region: minio
s3ForcePathStyle: "true"
s3Url: http://minio.minio.svc.cluster.local:9000
credential:
name: cloud-credentials
key: cloud
default: trueThe following table defines each field of the above configuration:
Field | Description | Default value |
|---|---|---|
| OADP operator namespace ensures that the operator can manage this DPA. |
|
| When |
|
| The tool used by the Node Agent to upload PV data. |
|
| When |
|
| List of Velero plugins to install automatically. |
|
| The storage provider type. |
|
| Target bucket and prefix path within MinIO for backup objects. | |
| Arbitrary region label. Must be non-empty for AWS plugin; using minio. |
|
| When |
|
| The endpoint URL of the S3-compatible object store. |
|
| Reference to the Secret and key holding the AWS-style credentials content. | |
| Marks this backup location as the default for Velero operations |
|
Run the following command to apply, and then verify that the Velero/OADP pods are running:
kubectl apply -f dpa.yaml kubectl get pods -n openshift-adp
Create a tuned Backup Storage Location (BSL) (optional)
The Velero configuration uses the information to know where backups are stored (bucket/prefix) and how to connect to that storage. The BSL points Velero to the MinIO S3-compatible service and the velero bucket, so backups and restore artifacts are consistently written to the correct location.
Create a tuned BSL for faster uploads, backup-storage-location.yaml.
apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
name: velero-bsl
namespace: openshift-adp
spec:
provider: aws
objectStorage:
bucket: velero
prefix: backups
config:
region: minio
s3ForcePathStyle: 'true'
s3Url: 'http://minio.minio.svc.cluster.local:9000'
maxParallel: "10"
maxRetries: "5"
maxRetriesBackoff: "2s"
partSize: "104857600"
credential:
name: cloud-credentials
key: cloud
default: trueThe following table defines each field of the above configuration:
Field | Description | Default value |
|---|---|---|
| The namespace where Velero is running. |
|
| The storage provider type. |
|
| Components where backup objects are written within MinIO. | |
| The endpoint URL of the S3-compatible object store, pointing to the in-cluster MinIO service. |
|
| The maximum number of parallel upload/download operations Velero performs against this storage location. |
|
| The maximum number of times Velero retries a failed S3 operation before marking it as failed. |
|
| The wait duration between retries, using an exponential backoff strategy. |
|
| The size of each part in a multipart upload to S3. |
|
| The name of the Kubernetes Secret that contains the S3 access key and secret key. | |
| When |
|
After applying the backup-storage-location.yaml, you can reference it by name, for example, velero-bsl, in backup specs through the storageLocation to ensure backups use the tuned settings. Run the following command:
kubectl apply -f backup-storage-location.yaml
Create a backup
Creating a backup is the step where you define what data and Kubernetes resources Velero should capture and how the backup should be executed and retained.
Create a backup.yaml, adjust names/namespaces:
apiVersion: velero.io/v1
kind: Backup
metadata:
name: virtana-io-backup-16sep-01
namespace: openshift-adp
spec:
csiSnapshotTimeout: 120m0s
defaultVolumesToFsBackup: true
includedNamespaces:
- virtana-io
itemOperationTimeout: 10h0m0s
snapshotMoveData: false
storageLocation: velero-bsl
ttl: 72h0m0sThe following table defines each field of the above configuration:
Field | Description | Default value |
|---|---|---|
| Velero/OADP control namespace where CRDs are reconciled. |
|
| The maximum time Velero waits for a CSI volume snapshot to become ready before marking it as failed. |
|
| When true, all persistent volumes in the included namespaces are backed up using file-system-level backup by default. |
|
| A list of namespaces to include in this backup. Only resources within the specified namespaces are captured. |
|
| Maximum time allowed for long-running backup item operations to complete. |
|
| When false, CSI volume snapshots remain in the source storage location and are not moved or copied to the backup storage location. |
|
| The name of the |
|
| Time to live shares details such as how long this backup is retained before Velero automatically deletes it. |
|
Run the following command to apply the backup resource to start the Velero backup job, then list backups in the openshift-adp namespace to confirm it was created and to monitor its status.
kubectl apply -f backup.yaml velero backup get -n openshift-adp`
Restore from backup
In this step, you use Velero through OADP to recreate Kubernetes/OpenShift resources and recover persistent data from a previously completed backup stored in MinIO.
Create a restore.yaml that points to the desired backupName, optionally tunes restore behavior:
apiVersion: velero.io/v1
kind: Restore
metadata:
name: virtana-io-restore-16sep-01
namespace: openshift-adp
spec:
uploaderConfig:
parallelFilesDownload: 16
includedNamespaces:
- virtana-io
backupName: virtana-io-backup-16sep-01
restorePVs: true
restoreVolumes: true
itemOperationTimeout: 12hThe following table defines each field of the above configuration:
Field | Description | Default value |
|---|---|---|
| The namespace where Velero is running. |
|
| The number of files downloaded in parallel from the backup storage location during a file-system-level restore. |
|
| A list of namespaces to restore. Only resources belonging to the specified namespaces are recovered from the backup. |
|
| The name of the Backup resource to restore from. |
|
| When |
|
| When true, Velero restores the actual volume data back into the restored PVCs. |
|
| Maximum time allowed for long-running restore item operations to complete. |
|
Run the following command to apply restore.yaml and monitor progress and confirm completion using the Velero CLI.
kubectl apply -f restore.yaml velero restore get -n openshift-adp
Validation
In this step, confirm that your Velero/OADP backup and restore actually succeeded at both the Velero control-plane level and at the application level. Validate the resources and application behavior in the restored namespace.
Check backups
Use the following command to confirm the backup object exists, see its status, and inspect what Velero captured.
velero backup get -n openshift-adp velero backup describe virtana-io-backup-16sep-01 -n openshift-adp
If the backup is not Completed:
Re-check your MinIO connectivity (S3 URL, bucket, credentials) and that the
BackupStorageLocation/DPA is valid.Review Velero/OADP logs.
Check restores
Use the following command to confirm the restore object exists, see its status, and inspect the restored items.
velero restore get -n openshift-adp velero restore describe virtana-io-restore-16sep-01 -n openshift-adp
In the describe output, verify:
The restore is using the intended backupName.
Any reported warnings/errors.
Restore duration and item counts.
Verify in the namespace
It verifies that Velero has completed, the restored application is healthy, and the data is correct.
Minimum checks to perform in the target namespace:
Workloads are present and running.
PVCs and PVs are restored with correct data and bound.
Ensure Services exist and endpoints are populated.
Validate that PV-backed application data is present.
UI Validation
User-facing sanity check to confirm the Virtana Platform is functioning correctly after a backup or restore. After Velero reports the restore as Completed, log in to the application UI and navigate through key pages to verify that core features load, expected data is present, and common actions behave normally.