teutonet · cwrau · Oct 22, 2025 · Oct 20, 2025
@@ -0,0 +1,7 @@
+global:
+  clusterName: test
+  baseDomain: example.com
+  serviceLevelAgreement: None
+backup:
+  provider:
+    k8up: {}
@@ -7,16 +7,18 @@ flux:
 kyverno:
   enabled: true
 backup:
-  defaultLocation: location
-  backupStorageLocations:
-    location:
-      provider:
-        minio:
-          url: https://minio.com
-          existingSecret:
-            name: secret
-      prefix: /prefix
-      bucket: bucket
+  provider:
+    velero:
+      defaultLocation: location
+      backupStorageLocations:
+        location:
+          provider:
+            minio:
+              url: https://minio.com
+              existingSecret:
+                name: secret
+          prefix: /prefix
+          bucket: bucket
 storage:
   readWriteMany:
     enabled: true

@@ -16,4 +16,4 @@ for prefix in 'prefix="/prod"' ''; do
       yq -y -n "{test$((i++)): ({} | .provider.$provider = ({} | .$url | .$auth | .$existingSecret) | .$prefix | .$bucket)}"
     done
   done
-done | yq -s '{backup: {backupStorageLocations: .[], defaultLocation: "test0"}}'
+done | yq -s '{backup: { provider: { velero: { backupStorageLocations: .[], defaultLocation: "test0"}}}}'
@@ -0,0 +1,61 @@
+{{- if ne (.Values.backup.provider).k8up nil -}}
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: k8up
+  namespace: backup
+  labels: {{- include "common.labels.standard" $ | nindent 4 }}
+    app.kubernetes.io/component: backup
+spec:
+  chart:
+    spec: {{- include "base-cluster.helm.chartSpec" (dict "repo" "k8up" "chart" "k8up" "context" $) | nindent 6 }}
+  interval: 1h
+  driftDetection:
+    mode: enabled
+  {{- if .Values.monitoring.prometheus.enabled }}
+  dependsOn:
+    - name: kube-prometheus-stack
+      namespace: monitoring
+  {{- end }}
+  install:
+    crds: CreateReplace
+  upgrade:
+    crds: CreateReplace
+  values:
+    {{- with .Values.global.imageRegistry }}
+    image:
+      registry: {{ . }}
+    {{- end }}
+    podSecurityContext:
+      fsGroup: 1000
+      runAsUser: 1000
+      runAsGroup: 1000
+      runAsNonRoot: true
+    securityContext:
+      readOnlyRootFilesystem: true
+      privileged: false
+      capabilities:
+        drop:
+          - ALL
+      allowPrivilegeEscalation: false
+      seccompProfile:
+        type: RuntimeDefault
+    resources: {{- include "common.resources" .Values.backup | nindent 6 }}
+    k8up:
+      globalResources: {{- include "common.resources" .Values.backup.runners | nindent 8 }}
+      skipWithoutAnnotation: true
+    priorityClassName: system-cluster-critical
+    {{- if .Values.monitoring.prometheus.enabled }}
+    metrics:
+      serviceMonitor:
+        additionalLabels:
+          monitoring/provisioned-by: base-cluster
+        enabled: true
+      prometheusRule:
+        createDefaultRules: true
+      grafanaDashboard:
+        enabled: true
+        additionalLabels:
+          grafana_dashboard: "1"
+    {{- end }}
+{{- end -}}
@@ -1,4 +1,4 @@
-{{- define "base-cluster.backup.getProviderName" -}}
+{{- define "base-cluster.backup.velero.getProviderName" -}}
   {{- $providers := list "minio" -}}
   {{- $providerName := . | keys | first -}}
   {{- if has $providerName $providers -}}
@@ -8,14 +8,14 @@
   {{- end -}}
 {{- end -}}
 
-{{- define "base-cluster.backup.mapProviderName" -}}
+{{- define "base-cluster.backup.velero.mapProviderName" -}}
   {{- $providerMap := dict "minio" "aws" -}}
   {{- get $providerMap . | required "Missing provider mapping" -}}
 {{- end -}}
 
-{{- define "base-cluster.backup.credential" -}}
-  {{- $providerName := include "base-cluster.backup.getProviderName" . }}
-  {{- $pluginName := include "base-cluster.backup.mapProviderName" $providerName -}}
+{{- define "base-cluster.backup.velero.credential" -}}
+  {{- $providerName := include "base-cluster.backup.velero.getProviderName" . }}
+  {{- $pluginName := include "base-cluster.backup.velero.mapProviderName" $providerName -}}
   {{- $provider := get . $providerName }}
   {{- if eq $pluginName "aws" -}}
     {{- if hasKey $provider "accessKeyID" -}}
@@ -28,9 +28,9 @@ aws_secret_access_key={{ get $provider "secretAccessKey" }}
   {{- end -}}
 {{- end -}}
 
-{{- define "base-cluster.backup.credentialType" -}}
-  {{- $providerName := include "base-cluster.backup.getProviderName" . }}
-  {{- $pluginName := include "base-cluster.backup.mapProviderName" $providerName -}}
+{{- define "base-cluster.backup.velero.credentialType" -}}
+  {{- $providerName := include "base-cluster.backup.velero.getProviderName" . }}
+  {{- $pluginName := include "base-cluster.backup.velero.mapProviderName" $providerName -}}
   {{- $provider := get . $providerName -}}
   {{- if hasKey $provider "existingSecret" -}}
 existingSecret

@@ -1,7 +1,7 @@
-{{- if .Values.backup.backupStorageLocations }}
+{{- if ((.Values.backup.provider).velero).backupStorageLocations }}
 {{- $providerMap := dict "minio" "accessKeyID" -}}
 {{- range $name, $spec := .Values.backup.backupStorageLocations -}}
-  {{- $providerName := include "base-cluster.backup.getProviderName" $spec.provider -}}
+  {{- $providerName := include "base-cluster.backup.velero.getProviderName" $spec.provider -}}
   {{- if dig $providerName (get $providerMap $providerName | required (printf "Credentials for provider '%s' not implemented" $providerName)) false $spec.provider }}
 ---
 apiVersion: v1
@@ -13,7 +13,7 @@ metadata:
     app.kubernetes.io/component: {{ $name }}
     app.kubernetes.io/part-of: backup
 stringData:
-  {{ $providerName }}: |-{{- include "base-cluster.backup.credential" $spec.provider | nindent 4 }}
+  {{ $providerName }}: |-{{- include "base-cluster.backup.velero.credential" $spec.provider | nindent 4 }}
   {{- end -}}
 {{- end }}
 {{- end }}
@@ -0,0 +1,5 @@
+{{- if ((.Values.backup.provider).velero).defaultLocation -}}
+  {{- if not (index .Values.backup.provider.velero.backupStorageLocations .Values.backup.provider.velero.defaultLocation) -}}
+    {{- fail (printf "The `defaultLocation` '%s' must exist in `backupStorageLocations`" .Values.backup.provider.velero.defaultLocation) -}}
+  {{- end -}}
+{{- end -}}
@@ -1,4 +1,4 @@
-{{- if .Values.backup.backupStorageLocations }}
+{{- if (.Values.backup.provider).velero }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -55,20 +55,20 @@ spec:
     priorityClassName: system-cluster-critical
     deployNodeAgent: true # enable FSB
     nodeAgent:
-      resources: {{- include "common.resources" .Values.backup.nodeAgent | nindent 8 }}
+      resources: {{- include "common.resources" .Values.backup.runners | nindent 8 }}
       priorityClassName: system-cluster-critical
     configuration:
-      defaultBackupStorageLocation: {{ .Values.backup.defaultLocation | quote }}
-      backupStorageLocation: {{- range $name, $spec := .Values.backup.backupStorageLocations }}
-        {{- $providerName := include "base-cluster.backup.getProviderName" $spec.provider }}
+      defaultBackupStorageLocation: {{ .Values.backup.provider.velero.defaultLocation | quote }}
+      backupStorageLocation: {{- range $name, $spec := .Values.backup.provider.velero.backupStorageLocations }}
+        {{- $providerName := include "base-cluster.backup.velero.getProviderName" $spec.provider }}
         - name: {{ $name | quote }}
-          provider: {{ include "base-cluster.backup.mapProviderName" $providerName | quote }}
+          provider: {{ include "base-cluster.backup.velero.mapProviderName" $providerName | quote }}
           bucket: {{ $spec.bucket | quote }}
           {{- if $spec.prefix }}
           prefix: {{ $spec.prefix | quote }}
           {{- end }}
-          default: {{ eq $name $.Values.backup.defaultLocation }}
-          {{- $credentialType := include "base-cluster.backup.credentialType" $spec.provider }}
+          default: {{ eq $name $.Values.backup.provider.velero.defaultLocation }}
+          {{- $credentialType := include "base-cluster.backup.velero.credentialType" $spec.provider }}
           {{- if eq $credentialType "direct" }}
           credential:
             name: {{ printf "%s-velero-backuplocation-%s" (include "common.names.fullname" $) $name }}
@@ -105,5 +105,4 @@ spec:
             labels:
               severity: critical
               period: WorkingHours
-
 {{- end }}
@@ -171,12 +171,18 @@ dashboards:
       gnetId: 17813
       revision: 2
     {{- end }}
-    {{- if .Values.backup.backupStorageLocations }}
+    {{- if (.Values.backup.provider).velero }}
     velero:
       <<: *dashboard
       gnetId: 11055
       revision: 2
     {{- end }}
+    {{- if ne (.Values.backup.provider).k8up nil }}
+    k8up:
+      <<: *dashboard
+      gnetId: 20166
+      revision: 4
+    {{- end }}
   {{- with .Values.monitoring.grafana.additionalDashboards }}
   {{ toYaml . | nindent 4 }}
   {{- end }}