feat: Switch Velero to S3 backend on Mac Mini for full PVC backup support

ams0 · claude · ams0 · commit db9f209b5016 · 2026-03-31T13:55:22.000+02:00
Replace local-volume-provider with velero-plugin-for-aws pointing at
RustFS on feynman.rhino-butterfly.ts.net:9000. This enables Kopia
repository for proper PVC file-level backups. Credentials managed
via Ansible vault as velero-s3-credentials secret.

Co-Authored-By: Claude Opus 4.6 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/gitops/velero/velero-helmrelease.yaml b/gitops/velero/velero-helmrelease.yaml
@@ -27,26 +27,28 @@ spec:
       retries: 3
   values:
     initContainers:
-      - name: velero-plugin-local-volume
-        image: replicated/local-volume-provider:v0.6.7
+      - name: velero-plugin-for-aws
+        image: velero/velero-plugin-for-aws:v1.9.2
         imagePullPolicy: IfNotPresent
         volumeMounts:
           - mountPath: /target
             name: plugins
 
     credentials:
-      useSecret: false
+      useSecret: true
+      existingSecret: velero-s3-credentials
 
     configuration:
       backupStorageLocation:
         - name: feynman
-          provider: replicated.com/hostpath
-          bucket: velero-backups
+          provider: aws
+          bucket: velero
           default: true
           accessMode: ReadWrite
           config:
-            path: /mnt/feynman_velero
-            resticRepoPrefix: /var/velero-local-volume-provider/velero-backups/restic
+            region: us-east-1
+            s3ForcePathStyle: "true"
+            s3Url: http://feynman.rhino-butterfly.ts.net:9000
 
       volumeSnapshotLocation: []
       defaultVolumesToFsBackup: true
@@ -63,14 +65,6 @@ spec:
           memory: 256Mi
         limits:
           memory: 1Gi
-      extraVolumes:
-        - name: feynman-velero
-          hostPath:
-            path: /mnt/feynman_velero
-            type: DirectoryOrCreate
-      extraVolumeMounts:
-        - name: feynman-velero
-          mountPath: /mnt/feynman_velero
 
     resources:
       requests:
@@ -79,17 +73,6 @@ spec:
       limits:
         memory: 512Mi
 
-    # CIFS/SMB mount to Mac Mini — kernel-level mount, visible to containers
-    extraVolumes:
-      - name: feynman-velero
-        hostPath:
-          path: /mnt/feynman_velero
-          type: DirectoryOrCreate
-
-    extraVolumeMounts:
-      - name: feynman-velero
-        mountPath: /mnt/feynman_velero
-
     schedules:
       daily-all-apps:
         disabled: false
diff --git a/group_vars/oracle_hosts/main.yml b/group_vars/oracle_hosts/main.yml
@@ -77,4 +77,8 @@ rustfs_access_key: "{{ vault_rustfs_access_key }}"
 rustfs_secret_key: "{{ vault_rustfs_secret_key }}"
 
 # SMB mount configuration (Mac Mini)
-smb_password: "{{ vault_smb_password }}"
+smb_password: "{{ vault_smb_password }}"
+
+# Velero S3 credentials (Mac Mini RustFS)
+velero_s3_access_key: "{{ vault_velero_s3_access_key }}"
+velero_s3_secret_key: "{{ vault_velero_s3_secret_key }}"
diff --git a/roles/flux/tasks/main.yml b/roles/flux/tasks/main.yml
@@ -283,3 +283,29 @@
   when:
     - alarik_secret_check.rc != 0
     - alarik_admin_password is defined
+
+- name: Create velero namespace if not exists
+  shell: kubectl create namespace velero --dry-run=client -o yaml | kubectl apply -f -
+  changed_when: false
+
+- name: Check if velero S3 credentials secret exists
+  shell: kubectl -n velero get secret velero-s3-credentials
+  register: velero_secret_check
+  failed_when: false
+  changed_when: false
+
+- name: Create velero S3 credentials secret
+  shell: |
+    cat <<'CREDEOF' > /tmp/velero-credentials
+    [default]
+    aws_access_key_id={{ velero_s3_access_key }}
+    aws_secret_access_key={{ velero_s3_secret_key }}
+    CREDEOF
+    kubectl -n velero create secret generic velero-s3-credentials \
+      --from-file=cloud=/tmp/velero-credentials
+    rm -f /tmp/velero-credentials
+  no_log: true
+  when:
+    - velero_secret_check.rc != 0
+    - velero_s3_access_key is defined
+    - velero_s3_secret_key is defined
