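#!/bin/bash
# Velero on GKE — GCP-side bootstrap.
#
# Creates a dedicated service account, a least-privilege custom role, binds the
# two at project level, and grants the account access to the backup bucket.
# Site-specific values come from the environment instead of being edited into
# the script, and each is asserted up front so a missing value aborts the run
# before any gcloud call changes state.
#
# Required env: BUCKET       (<name>-velero-backups)
#               PROJECT_ID   (<your_project_id>)
#               KUBE_CONTEXT (<your_kubernetes_context>)
# Optional env: GSA_NAME     (default: velero)
set -euo pipefail

BUCKET="${BUCKET:?set BUCKET to the backup bucket, e.g. <name>-velero-backups}"
PROJECT_ID="${PROJECT_ID:?set PROJECT_ID to the GCP project id}"
KUBE_CONTEXT="${KUBE_CONTEXT:?set KUBE_CONTEXT to the kubectl context of the cluster}"
GSA_NAME="${GSA_NAME:-velero}"
# Derived from the standard project service-account email format rather than
# looked up by display name, so another account that happens to share the
# display name "Velero service account" can never be selected by mistake.
SERVICE_ACCOUNT_EMAIL="${GSA_NAME}@${PROJECT_ID}.iam.gserviceaccount.com"
ROLE_ID=velero.server.custom.platform
readonly BUCKET PROJECT_ID KUBE_CONTEXT GSA_NAME SERVICE_ACCOUNT_EMAIL ROLE_ID

# Both commands change the operator's ambient CLI state (active gcloud project,
# current kubectl context), not only this script's run.
gcloud config set project "$PROJECT_ID"
kubectx "$KUBE_CONTEXT"

# Service account; `create` is not idempotent, so skip it when it already exists.
if ! gcloud iam service-accounts describe "$SERVICE_ACCOUNT_EMAIL" >/dev/null 2>&1; then
  gcloud iam service-accounts create "$GSA_NAME" \
    --display-name "Velero service account"
fi
gcloud iam service-accounts list

# Permissions Velero needs for object storage plus disk snapshots. Keep this
# list as the single source of truth; it is joined with commas below.
ROLE_PERMISSIONS=(
  compute.disks.get
  compute.disks.create
  compute.disks.createSnapshot
  compute.projects.get
  compute.snapshots.get
  compute.snapshots.create
  compute.snapshots.useReadOnly
  compute.snapshots.delete
  compute.zones.get
  storage.objects.create
  storage.objects.delete
  storage.objects.get
  storage.objects.list
  iam.serviceAccounts.signBlob
  iam.serviceAccounts.getAccessToken
)

# Custom role; a rerun skips creation, so edits to ROLE_PERMISSIONS must be
# applied with `gcloud iam roles update` once the role exists.
if ! gcloud iam roles describe "$ROLE_ID" --project "$PROJECT_ID" >/dev/null 2>&1; then
  gcloud iam roles create "$ROLE_ID" \
    --project "$PROJECT_ID" \
    --title "Custom Velero Server Roles" \
    --permissions "$(IFS=,; printf '%s' "${ROLE_PERMISSIONS[*]}")"
fi
gcloud projects add-iam-policy-binding "$PROJECT_ID" \
  --member "serviceAccount:${SERVICE_ACCOUNT_EMAIL}" \
  --role "projects/${PROJECT_ID}/roles/${ROLE_ID}"

# Bucket-scoped grant. objectAdmin is broader than the four storage.objects.*
# permissions in the custom role (it covers every storage.objects permission),
# so keep this bucket dedicated to Velero data.
gsutil iam ch "serviceAccount:${SERVICE_ACCOUNT_EMAIL}:objectAdmin" "gs://${BUCKET}"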
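# Namespace and credentials for the in-cluster Velero server.
NAMESPACE="${NAMESPACE:-velero}"
: "${SERVICE_ACCOUNT_EMAIL:?SERVICE_ACCOUNT_EMAIL must be set (see the GCP bootstrap above)}"

# Idempotent namespace creation: a plain `kubectl create namespace` fails on rerun.
kubectl create namespace "$NAMESPACE" --dry-run=client -o yaml | kubectl apply -f -

# Downloading a user-managed key requires the organization policy constraint
# iam.disableServiceAccountKeyCreation to be overridden for this project
# ("Override parent's policy"). The resulting file is a long-lived credential:
# the umask keeps it readable only by the current user, it should be handed to
# `velero install --secret-file` and the local copy removed afterwards.
# NOTE(review): on clusters with Workload Identity, binding the GSA to Velero's
# Kubernetes service account avoids creating a key at all — confirm availability.
umask 077
gcloud iam service-accounts keys create credentials-velero \
  --iam-account "$SERVICE_ACCOUNT_EMAIL"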
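# Scheduled backups. Velero names each run <schedule-name>-<timestamp>.
# `velero schedule create` errors when the name already exists, so each
# schedule is guarded to make reruns of this script a no-op.

# Daily full-cluster backup at 01:00, retained 720h (30 days); kube-system is excluded.
if ! velero schedule get daily-full-cluster >/dev/null 2>&1; then
  velero schedule create daily-full-cluster \
    --schedule="0 1 * * *" \
    --ttl 720h \
    --include-cluster-resources=true \
    --include-resources '*' \
    --exclude-namespaces kube-system
fi

# Hourly backup of the critical namespaces, retained 168h (7 days).
if ! velero schedule get hourly-critical-ns >/dev/null 2>&1; then
  velero schedule create hourly-critical-ns \
    --schedule="0 * * * *" \
    --include-namespaces dev,observability,pgbouncer,rabbitmq-system \
    --include-cluster-resources=true \
    --ttl 168h
fi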
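# Restore runbook: validate a scheduled backup, rehearse the restore, then
# restore for real. `daily-full-cluster-<timestamp>` is the name Velero gives
# each run of the daily schedule; pick it from `velero backup get` and pass it
# in as BACKUP_NAME (the literal placeholder would be parsed as a redirection).
BACKUP_NAME="${BACKUP_NAME:?set BACKUP_NAME to a daily-full-cluster-<timestamp> backup name}"

# 1. Validate backup: inspect phase, errors/warnings and the resource list.
velero backup describe "$BACKUP_NAME" --details

# 2. Test restore into renamed namespaces so production namespaces are untouched.
# NOTE(review): --include-cluster-resources=true also restores cluster-scoped
# objects into this same cluster; Velero skips resources that already exist by
# default, but any cluster-scoped object that is missing gets (re)created by the
# rehearsal — confirm that is intended, or set it to false for the test.
# Restore names are fixed, so a repeat run needs a new name or a prior delete.
velero restore create test-full-restore \
  --from-backup "$BACKUP_NAME" \
  --namespace-mappings dev:dev-test,observability:observability-test \
  --include-cluster-resources=true \
  --wait

# 3. Production restore: no namespace mapping, writes into the original namespaces.
velero restore create prod-full-restore \
  --from-backup "$BACKUP_NAME" \
  --include-cluster-resources=true \
  --wait

# Status overview of backups, schedules and restores.
velero backup get
velero schedule get
velero restore get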
# One-off backups of two namespaces followed by their restores. Every call
# blocks until the operation finishes (--wait); backups are kept for 168h.
retention=(--ttl 168h --wait)

# default namespace, cluster resources included, volumes left out.
velero backup create manual-critical-default-ns \
  --include-namespaces default \
  --include-cluster-resources \
  --exclude-resources persistentvolumeclaims,persistentvolumes \
  "${retention[@]}"

# redis-dev namespace, only the redis instance, with volume snapshots.
velero backup create manual-critical-redis-dev \
  --include-namespaces redis-dev \
  --selector "app.kubernetes.io/instance=redis" \
  --include-cluster-resources=true \
  --snapshot-volumes \
  "${retention[@]}"

# Restore each backup under a versioned restore name (restore:backup pairs).
for pair in manual-critical-default-v1:manual-critical-default-ns \
            manual-critical-redis-v1:manual-critical-redis-dev; do
  velero restore create "${pair%%:*}" \
    --from-backup "${pair#*:}" \
    --include-cluster-resources=true \
    --wait
done
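# This section repeats the "Scheduling backup" commands that appear earlier in
# the file verbatim; `velero schedule create` errors when the name already
# exists, so each schedule is guarded and the repeat becomes a no-op.

# Daily full-cluster backup at 01:00, retained 720h (30 days); kube-system is excluded.
if ! velero schedule get daily-full-cluster >/dev/null 2>&1; then
  velero schedule create daily-full-cluster \
    --schedule="0 1 * * *" \
    --ttl 720h \
    --include-cluster-resources=true \
    --include-resources '*' \
    --exclude-namespaces kube-system
fi

# Hourly backup of the critical namespaces, retained 168h (7 days).
if ! velero schedule get hourly-critical-ns >/dev/null 2>&1; then
  velero schedule create hourly-critical-ns \
    --schedule="0 * * * *" \
    --include-namespaces dev,observability,pgbouncer,rabbitmq-system \
    --include-cluster-resources=true \
    --ttl 168h
fi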
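# This section repeats the validate/restore runbook that appears earlier in the
# file. `daily-full-cluster-<timestamp>` is the name Velero gives each run of
# the daily schedule; pick it from `velero backup get` and pass it in as
# BACKUP_NAME (the literal placeholder would be parsed as a redirection).
BACKUP_NAME="${BACKUP_NAME:?set BACKUP_NAME to a daily-full-cluster-<timestamp> backup name}"

# 1. Validate backup: inspect phase, errors/warnings and the resource list.
velero backup describe "$BACKUP_NAME" --details

# 2. Test restore into renamed namespaces so production namespaces are untouched.
# NOTE(review): --include-cluster-resources=true also restores cluster-scoped
# objects into this same cluster; Velero skips resources that already exist by
# default, but any cluster-scoped object that is missing gets (re)created by the
# rehearsal — confirm that is intended, or set it to false for the test.
# Restore names are fixed, so running this twice fails unless the earlier
# restore objects are deleted first.
velero restore create test-full-restore \
  --from-backup "$BACKUP_NAME" \
  --namespace-mappings dev:dev-test,observability:observability-test \
  --include-cluster-resources=true \
  --wait

# 3. Production restore: no namespace mapping, writes into the original namespaces.
velero restore create prod-full-restore \
  --from-backup "$BACKUP_NAME" \
  --include-cluster-resources=true \
  --wait

# Status overview of backups, schedules and restores.
velero backup get
velero schedule get
velero restore get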