Configure Velero storage backends

What you’ll accomplish

You’ll configure Velero’s backup storage destination, provide credentials, and customize the backup schedule and retention to match your environment’s requirements.

Prerequisites

UDS CLI installed
Access to a Kubernetes cluster with UDS Core deployed
An S3-compatible or Azure Blob storage endpoint for backup data

Before you begin

UDS Core ships with these backup defaults:

Setting	Default
Schedule	Daily at 03:00 UTC (`0 3 * * *`)
Retention	10 days (`240h`)
Excluded namespaces	`kube-system`, `velero`
Cluster resources	Included
Volume snapshots	Disabled

Velero’s storage configuration uses two Helm charts:

Chart	Scope
`velero` (upstream)	Credentials, backup storage location, schedule, volume snapshot settings
`uds-velero-config` (UDS)	Storage network egress policy

S3-compatible storage is configured through Zarf variables set in your uds-config.yaml. Azure Blob Storage is configured through bundle overrides.

Steps

Configure your storage destination

S3-compatible storage
Azure Blob Storage

Add the following variables to your uds-config.yaml:

variables:
  core:
    VELERO_BUCKET_PROVIDER_URL: "https://s3.us-east-1.amazonaws.com"
    VELERO_BUCKET: "my-velero-backups"
    VELERO_BUCKET_REGION: "us-east-1"
    VELERO_BUCKET_KEY: "<your-access-key>"
    VELERO_BUCKET_KEY_SECRET: "<your-secret-key>"

The full set of available variables:

Variable	Description	Default
`VELERO_BUCKET_PROVIDER_URL`	S3 endpoint URL	`http://minio.uds-dev-stack.svc.cluster.local:9000`
`VELERO_BUCKET`	Bucket name	`uds`
`VELERO_BUCKET_REGION`	Bucket region	`uds-dev-stack`
`VELERO_BUCKET_KEY`	Access key ID	`uds`
`VELERO_BUCKET_KEY_SECRET`	Secret access key	`uds-secret`
`VELERO_BUCKET_CREDENTIAL_NAME`	Kubernetes Secret name for credentials	`velero-bucket-credentials`
`VELERO_BUCKET_CREDENTIAL_KEY`	Key within the credentials Secret	`cloud`

(Optional) Use an existing credentials Secret — If your environment pre-provisions Kubernetes Secrets (for example, via an external secrets operator), you can reference an existing Secret instead of having Zarf create one:

packages:
  - name: core
    repository: registry.defenseunicorns.com/public/core
    ref: x.x.x-upstream
    overrides:
      velero:
        velero:
          values:
            - path: credentials.existingSecret
              value: "velero-bucket-credentials"

The Secret must follow this format:

apiVersion: v1
kind: Secret
metadata:
  name: velero-bucket-credentials
  namespace: velero
type: Opaque
stringData:
  cloud: |
    [default]
    aws_access_key_id=<your-access-key>
    aws_secret_access_key=<your-secret-key>

Override the Velero credentials and backup storage location to use Azure Blob Storage:

packages:
  - name: core
    repository: registry.defenseunicorns.com/public/core
    ref: x.x.x-upstream
    overrides:
      velero:
        velero:
          values:
            - path: credentials.secretContents.cloud
              value: |
                AZURE_STORAGE_ACCOUNT_ACCESS_KEY=<your-storage-account-access-key>
                AZURE_CLOUD_NAME=<your-cloud-name>
            - path: configuration.backupStorageLocation
              value:
                - name: default
                  provider: azure
                  bucket: <your-container-name>
                  config:
                    storageAccount: <your-storage-account>
                    resourceGroup: <your-resource-group>
                    storageAccountKeyEnvVar: AZURE_STORAGE_ACCOUNT_ACCESS_KEY
                    subscriptionId: <your-subscription-id>

(Optional) Configure storage network egress

By default, Velero’s network policy allows egress to any destination for storage connectivity. To restrict egress to a specific target, add the following overrides to your bundle using the uds-velero-config chart:

Internal storage (in-cluster MinIO or similar):

packages:
  - name: core
    repository: registry.defenseunicorns.com/public/core
    ref: x.x.x-upstream
    overrides:
      velero:
        uds-velero-config:
          values:
            - path: storage.internal.enabled
              value: true
            - path: storage.internal.remoteSelector
              value:
                app: minio
            - path: storage.internal.remoteNamespace
              value: "minio"

CIDR-restricted (known IP range):

packages:
  - name: core
    repository: registry.defenseunicorns.com/public/core
    ref: x.x.x-upstream
    overrides:
      velero:
        uds-velero-config:
          values:
            - path: storage.egressCidr
              value: "10.0.0.0/8"

(Optional) Customize backup schedule and retention

The default backup schedule runs daily at 03:00 UTC with a 10-day retention window. To customize these settings, add the following overrides to your bundle:

packages:
  - name: core
    repository: registry.defenseunicorns.com/public/core
    ref: x.x.x-upstream
    overrides:
      velero:
        velero:
          values:
            # Run backups every 6 hours
            - path: schedules.udsbackup.schedule
              value: "0 */6 * * *"
            # Retain backups for 30 days
            - path: schedules.udsbackup.template.ttl
              value: "720h"

Create and deploy your bundle

Combine all overrides from the steps above into a single bundle configuration, then create and deploy:
Terminal window
```
uds create <path-to-bundle-dir>
uds deploy uds-bundle-<name>-<arch>-<version>.tar.zst
```

Verification

# Velero pod is running
uds zarf tools kubectl get pods -n velero

# Backup storage location shows "Available"
uds zarf tools kubectl get backupstoragelocation -n velero

# Backup schedule exists with correct cron expression
uds zarf tools kubectl get schedule -n velero

Success criteria:

Velero pod is Running
BackupStorageLocation phase is Available
Schedule velero-udsbackup exists with the expected cron expression

To confirm storage is working end-to-end, trigger a manual backup and verify it completes. See Perform a manual backup.

Troubleshooting

Problem: BackupStorageLocation shows “Unavailable”

Symptoms: The BSL phase is Unavailable and no backups are created.

Solution: Check Velero logs for storage connectivity errors:

uds zarf tools kubectl logs -n velero deploy/velero --tail=50

Common causes include incorrect bucket name or region, invalid credentials, and network policies blocking egress to the storage endpoint.

Problem: Velero pod crash-loops

Symptoms: The Velero pod repeatedly restarts.

Solution: Check pod logs for startup errors:

uds zarf tools kubectl logs -n velero deploy/velero --previous --tail=50

Common causes include malformed credential Secrets and missing required configuration values.

Velero: Supported Storage Providers — full list of available storage plugins
Velero: Backup Storage Locations — BSL configuration reference
Velero Helm Chart — full list of upstream Helm values
Backup & restore concepts — how Velero fits into UDS Core

Next steps

These guides and concepts may be useful to explore next:

Enable volume snapshots (AWS EBS) Capture persistent volume data using AWS EBS snapshots on EKS clusters.

Enable volume snapshots (vSphere CSI) Capture persistent volume data using vSphere CSI snapshots on RKE2 clusters.

Perform a manual backup Verify your scheduled backups are running and trigger a manual backup on demand.

Cookie Settings Privacy Policy