diff --git a/charts/base-cluster/README.md.gotmpl b/charts/base-cluster/README.md.gotmpl
index 7f30fbfc49..1239f18002 100644
--- a/charts/base-cluster/README.md.gotmpl
+++ b/charts/base-cluster/README.md.gotmpl
@@ -434,4 +434,9 @@ of `.monitoring.tracing.ingester.`
 - This release disables the trivy-operator by default. To continue using the operator set `.monitoring.securityScanning.enabled` to `true`.
+
+- This release upgrades velero to the latest version. In that the uploader type changed from restic to kopia and restic
+repositories are no longer supported. For the upgrade you have to create a new bucket and configure it as new
+`backup.provider.velero.defaultLocation`. Please also delete all old restic repositories.
+
 {{ .Files.Get "values.md" }}
diff --git a/charts/base-cluster/templates/backup/velero/velero.yaml b/charts/base-cluster/templates/backup/velero/velero.yaml
index c275c6e3c9..c83d18509e 100644
--- a/charts/base-cluster/templates/backup/velero/velero.yaml
+++ b/charts/base-cluster/templates/backup/velero/velero.yaml
@@ -1,4 +1,9 @@
 {{- if (.Values.backup.provider).velero }}
+{{- range $index, $repo := (lookup "velero.io/v1" "BackupRepository" "backup" "").items}}
+ {{- if eq $repo.spec.repositoryType "restic" }}
+ {{- fail (printf "The Backuprepository '%s' is of unsupported type restic" $repo.metadata.name) }}
+ {{- end }}
+{{- end }}
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -51,6 +56,16 @@ spec:
 allowPrivilegeEscalation: false
 seccompProfile:
 type: RuntimeDefault
+ extraVolumeMounts:
+ - mountPath: /udmrepo
+ name: udmrepo
+ - mountPath: /.cache
+ name: cache
+ extraVolumes:
+ - emptyDir: {}
+ name: udmrepo
+ - emptyDir: {}
+ name: cache
 resources: {{- include "common.resources" .Values.backup | nindent 6 }}
 priorityClassName: system-cluster-critical
 deployNodeAgent: true # enable FSB
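Review bot: The restic guard added at the top of velero.yaml depends on `lookup`, which returns an empty result under `helm template`, `--dry-run` and client-side diff tooling, so the `fail` only fires during a real install or upgrade against the cluster and a leftover restic BackupRepository is not caught when the chart is merely rendered. That is acceptable for a migration check, but it should be stated next to the range, e.g. `{{- /* lookup is empty in helm template/dry-run; this restic check only runs against a live cluster */ -}}`. The `$index` variable is never used; `{{- range $repo := (lookup "velero.io/v1" "BackupRepository" "backup" "").items }}` reads cleaner. The enclosing `if (.Values.backup.provider).velero` block closes outside the hunk.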
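Review bot: The two `emptyDir: {}` volumes backing `/udmrepo` and `/.cache` carry no `sizeLimit`, so the kopia cache can grow until the node's ephemeral storage is exhausted and the pod is evicted; a bound such as `emptyDir: { sizeLimit: 1Gi }` on the `cache` volume (the figure is an example, size it to the expected repository) keeps that failure local to the pod. These mounts only apply to the velero server deployment, while the node-agent enabled by `deployNodeAgent: true` on the last context line is the component that presumably runs the kopia uploader; if it also runs with a read-only root filesystem it would need the same writable paths through the chart's node-agent volume values, which is worth confirming against the upgraded chart. A one-line comment above `extraVolumeMounts:` saying why kopia needs these two paths writable would help the next reader.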
@@ -88,7 +103,7 @@ spec:
 {{- end }}
 {{- end }}
 volumeSnapshotLocation: []
- uploaderType: restic
+ uploaderType: kopia
 metrics:
 serviceMonitor:
 additionalLabels:
diff --git a/charts/base-cluster/templates/kyverno/policies/kyverno-base-policies/kyverno-policies.yaml b/charts/base-cluster/templates/kyverno/policies/kyverno-base-policies/kyverno-policies.yaml
index 5aa4230ed6..2b1b242cb9 100644
--- a/charts/base-cluster/templates/kyverno/policies/kyverno-base-policies/kyverno-policies.yaml
+++ b/charts/base-cluster/templates/kyverno/policies/kyverno-base-policies/kyverno-policies.yaml
@@ -36,6 +36,7 @@ spec:
 {{- $syncEtcdSecret := dict "resources" (dict "namespaces" (list "monitoring") "kinds" (list "Pod") "names" (list "sync-etcd-secret-*")) -}}
 {{- $nodeExporter := dict "resources" (dict "namespaces" (list "monitoring") "kinds" (list "Pod") "names" (list "kube-prometheus-stack-prometheus-node-exporter-*")) -}}
 {{- $nfsServerProvisioner := dict "resources" (dict "namespaces" (list "nfs-server-provisioner") "kinds" (list "Pod") "names" (list "nfs-server-provisioner-0")) -}}
+ {{- $velero := dict "resources" (dict "namespaces" (list "backup") "kinds" (list "Pod" "Deployment") "names" (list "node-agent-*" "velero-*" "backup-*")) -}}
 {{- $disallowHostPath := list -}}
 {{- $runAsNonRoot := list -}}
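Review bot: The `$velero` exclusion defined here is broader than the other entries in this file: it matches `Pod` and `Deployment` where the neighbouring dicts match `Pod` only, the `backup-*` name pattern covers anything with that prefix in the namespace, and in the next hunk (`@@ -49,6 +50,13 @@`) the same dict is appended to five exclusion lists — host path, capabilities, seccomp, privilege escalation and run-as-non-root — whereas `$nodeExporter`, for example, is excluded from host-path only. The velero server deployment is hardened by this very commit (`allowPrivilegeEscalation: false`, `seccompProfile.type: RuntimeDefault`), so it presumably does not need exemption from the seccomp and privilege-escalation policies; the host-path and root requirements most likely belong to the node-agent DaemonSet alone. Splitting the dict into a `node-agent-*` entry that receives the full set and a `velero-*` entry limited to what the server actually needs would keep the policy exemptions minimal, and a comment naming which policy each workload violates and why would record the decision.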
@@ -49,6 +50,13 @@ spec:
 {{- $disallowHostPath = append $disallowHostPath $alloy -}}
 {{- $runAsNonRoot = append $runAsNonRoot $alloy -}}
 {{- end -}}
+ {{- if (.Values.backup.provider).velero -}}
+ {{- $disallowHostPath = append $disallowHostPath $velero -}}
+ {{- $disallowCapabilities = append $disallowCapabilities $velero -}}
+ {{- $restrictSeccomp = append $restrictSeccomp $velero -}}
+ {{- $disallowPrivilegeEscalation = append $disallowPrivilegeEscalation $velero -}}
+ {{- $runAsNonRoot = append $runAsNonRoot $velero -}}
+ {{- end -}}
 {{- if .Values.monitoring.prometheus.enabled -}}
 {{- $disallowHostPath = append $disallowHostPath $syncEtcdSecret -}}
 {{- $disallowHostPath = append $disallowHostPath $nodeExporter -}}
diff --git a/charts/base-cluster/values.yaml b/charts/base-cluster/values.yaml
index 088a3e6b96..2ca69281ac 100644
--- a/charts/base-cluster/values.yaml
+++ b/charts/base-cluster/values.yaml
@@ -210,7 +210,7 @@ global:
 vmware:
 url: https://vmware-tanzu.github.io/helm-charts
 charts:
- velero: 7.2.2
+ velero: 11.3.2
 condition: '{{ ne (.Values.backup.provider).velero nil }}'
 twin:
 url: https://twin.github.io/helm-charts