This is the documentation for the latest development version of Velero. Both code and docs may be unstable, and these docs are not guaranteed to be up to date or correct. See the latest version.
This document explains how to make Velero work behind a proxy. The procedures described here are derived from a scenario in which Velero is deployed behind a proxy and needs to connect to a public MinIO server as its storage location. Other scenarios may need slightly different configuration, but most of it should be the same.
Specify the proxy server address through environment variables in the Velero deployment and the node-agent DaemonSet. For example:
...
spec:
  containers:
  - args:
    - server
    - --features=EnableCSI
    command:
    - /velero
    env:
    ...
    - name: HTTP_PROXY
      value: <proxy_address>
    - name: HTTPS_PROXY
      value: <proxy_address>
    # If not all destinations that Velero connects to need to go through the proxy, specify NO_PROXY to bypass it.
    - name: NO_PROXY
      value: <address_list_not_use_proxy>
In some cases, the proxy requires a certificate to connect. You can provide certificates in the BSL configuration. If the object storage also requires a certificate, include both certificates together.
The recommended approach is to store certificates in a Kubernetes Secret and reference them using caCertRef:
Create a file containing all required certificates:
cat certs
-----BEGIN CERTIFICATE-----
certificates first content
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
certificates second content
-----END CERTIFICATE-----
Create a Secret from the certificate file:
kubectl create secret generic proxy-ca-certs \
  --from-file=ca-bundle.crt=certs \
  -n velero
Reference the Secret in your BackupStorageLocation:
apiVersion: velero.io/v1
kind: BackupStorageLocation
metadata:
  name: default
  namespace: velero
spec:
  provider: <YOUR_PROVIDER>
  default: true
  objectStorage:
    bucket: velero
    caCertRef:
      name: proxy-ca-certs
      key: ca-bundle.crt
  # ... other configuration
Note: The caCert field is deprecated. Use caCertRef for better security and management.
If you must use the inline method, encode the certificate content with base64:
cat certs | base64
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmNlcnRpZmljYXRlcyBmaXJzdCBjb250ZW50Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpjZXJ0aWZpY2F0ZXMgc2Vjb25kIGNvbnRlbnQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
apiVersion: velero.io/v1
kind: BackupStorageLocation
# ...
spec:
  # ...
  default: true
  objectStorage:
    bucket: velero
    caCert: LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCmNlcnRpZmljYXRlcyBmaXJzdCBjb250ZW50Ci0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0KCi0tLS0tQkVHSU4gQ0VSVElGSUNBVEUtLS0tLQpjZXJ0aWZpY2F0ZXMgc2Vjb25kIGNvbnRlbnQKLS0tLS1FTkQgQ0VSVElGSUNBVEUtLS0tLQo=
# ...
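A pre-flight check for the certificate steps above, as an added example that is not part of the Velero documentation: it confirms that the combined bundle has balanced certificate markers and that the inline value is a single line that decodes back to the same bytes. The function names and the sample bundle are constructed for illustration, and the check covers PEM framing only.

```shell
# Added example (not from the Velero docs): structural check of a CA bundle
# before it is stored in the Secret or pasted into the inline caCert field.
# It checks PEM framing only; it does not parse the X.509 contents.

# Constructed sample with placeholder bodies, like the page's "certs" file.
make_sample_bundle() {
  printf '%s\n' \
    '-----BEGIN CERTIFICATE-----' 'certificates first content' \
    '-----END CERTIFICATE-----' '' \
    '-----BEGIN CERTIFICATE-----' 'certificates second content' \
    '-----END CERTIFICATE-----' > "$1"
}

# Print the number of certificate blocks in file $1. Fails if markers are
# unbalanced or nested, a block is empty, or no certificate is found.
count_pem_certs() {
  awk '
    { sub(/\r$/, "") }   # strip a trailing CR so CRLF files are handled
    /^-----BEGIN CERTIFICATE-----$/ {
      if (inside) { bad = 1; exit }
      inside = 1; body = 0; next
    }
    /^-----END CERTIFICATE-----$/ {
      if (!inside || body == 0) { bad = 1; exit }
      inside = 0; n++; next
    }
    inside && NF { body++ }
    END { if (bad || inside || n == 0) exit 1; print n }
  ' "$1"
}

# Encode file $1 as one line. GNU base64 wraps at 76 columns by default,
# which would split the YAML scalar, so newlines are removed.
encode_inline_cacert() {
  base64 < "$1" | tr -d '\n'
}

# Succeed only if inline value $1 decodes to exactly the bytes of file $2.
verify_inline_cacert() {
  printf '%s' "$1" | base64 -d | cmp -s - "$2"
}

# Demo on the constructed sample.
bundle=$(mktemp)
make_sample_bundle "$bundle"
echo "certificates in bundle: $(count_pem_certs "$bundle")"
value=$(encode_inline_cacert "$bundle")
verify_inline_cacert "$value" "$bundle" && echo "inline value round-trips"
rm -f "$bundle"
```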