Pretty unimpressed that Velero encrypts volume backups, but stores Secret resources in plain text on S3.
Am I missing a way to encrypt them?
@thibaultamartin I found this baffling. I put `rclone serve s3` with a crypt backend between velero and the storage.
@clayton_oneill I'm not familiar with rclone. Does it act as a local S3 bucket that then encrypts data and forwards it to the actual S3 provider?
Any docs you would recommend?
@thibaultamartin Rclone is a general purpose “copy/sync files from <storage> to <storage>” where storage is one of dozens of different sorts of things like S3, local files, SFTP, etc. It supports almost everything. In `serve s3` mode, it will serve one of the storage backends via a local S3 compatible API. Docs on that specifically are here: https://rclone.org/commands/rclone_serve_s3/. (1/2)
My velero config is here: https://github.com/claytono/infra/tree/main/kubernetes/velero and the script to start rclone in s3 mode specifically is here: https://github.com/claytono/infra/blob/main/kubernetes/velero/start.sh (2/2)
@thibaultamartin That also gives you a lot more options for backends, since you can use anything rclone supports (which is nearly everything).
@thibaultamartin I suppose you'll need to rely on your S3 backend to enable Server-Side Encryption.
And yes, volumes are encrypted, but with a known default password.
@mydoomfr that password can be changed, with the `velero-repo-credentials` Secret. It needs to be present before you do your first backup.
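The rclone layering @clayton_oneill describes above (real S3 remote, crypt remote on top, `rclone serve s3` on localhost, Velero pointed at that endpoint) together with the `velero-repo-credentials` Secret from the reply just above, as an added example that is not the thread's own code or the linked start.sh. The remote names, bucket name, port, region and the assumption that rclone runs as a sidecar in the Velero pod are placeholders chosen here.

```shell
#!/bin/sh
# Added example, not the thread author's start.sh. Assumed placeholder names:
# "s3backend", "velero-crypt", "real-velero-bucket", port 8333; rclone is assumed
# to run as a sidecar in the Velero pod so 127.0.0.1 is reachable from Velero.

# rclone config: real S3 remote, then a crypt remote layered on top of it.
# $4/$5 are the crypt passwords already obscured with `rclone obscure`.
write_rclone_conf() {
  conf="$1"
  cat > "$conf" <<EOF
[s3backend]
type = s3
provider = AWS
env_auth = false
access_key_id = $2
secret_access_key = $3
region = us-east-1

[velero-crypt]
type = crypt
remote = s3backend:real-velero-bucket
filename_encryption = standard
directory_name_encryption = true
password = $4
password2 = $5
EOF
  chmod 600 "$conf"
}

# Serve the crypt remote as a local S3 endpoint; Velero gets only this
# local key pair and never sees the backend credentials.
serve_cmd() {
  printf 'rclone serve s3 --config %s --addr 127.0.0.1:8333 --auth-key %s,%s velero-crypt:\n' "$1" "$2" "$3"
}

# BackupStorageLocation pointing Velero at the local rclone endpoint.
bsl_yaml() {
  cat <<EOF
apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata: {name: default, namespace: velero}
spec:
  provider: aws
  objectStorage: {bucket: velero}
  config: {region: us-east-1, s3ForcePathStyle: "true", s3Url: "http://127.0.0.1:8333"}
EOF
}

# Repository password Secret; must exist before the first backup.
repo_secret_yaml() { printf 'apiVersion: v1\nkind: Secret\nmetadata: {name: velero-repo-credentials, namespace: velero}\nstringData: {repository-password: "%s"}\n' "$1"; }
```

The bucket Velero names in the BSL becomes a directory inside the crypt remote, so both the object names and contents land encrypted in the real bucket.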
I'm writing down my thoughts about Velero and my approach to Kubernetes backups. I'll eventually publish that on my blog :)