API
Below are the configurable environment parameters for the API.
- FIELD is the name of the environment variable to be configured within the velero-api-config ConfigMap.
- Helm KEY is the related key defined in the Helm chart.
Configuration
| FIELD | HELM KEY | TYPE | DEFAULT | DESCRIPTION |
|---|---|---|---|---|
| API_ENABLE_DOCUMENTATION | apiConfig.apiEnableDocumentation | Bool | True | Enabled/Disabled the fastapi documentation user interfaces |
| API_ENDPOINT_PORT | apiConfig.apiEndpointPort | Int | 8001 | Socket bind port |
| API_ENDPOINT_URL | apiConfig.apiEndpointUrl | String | 0.0.0.0 | Socket bind host |
| API_RATE_LIMITER_CUSTOM_L1 (4) | apiConfig.apiRateLimiterCustom1 | String | Security:xxx:60:20 | Rate limiter for specific tag/endpoint: Security (tag) xxx (all endpoints under the tag) 60 seconds max requests 20 |
| API_RATE_LIMITER_CUSTOM_L2 (4) | String | Info:info:60:500 | Rate limiter for specific tag/endpoint: Info (tag) xxx (all endpoints under the tag) 60 seconds max requests 500 | |
| API_RATE_LIMITER_L1 | apiConfig.apiRateLimiterL1 | String | 60:120 | Rate limiter: 60 seconds max requests 10 |
| API_TOKEN_EXPIRATION_MIN | apiConfig.apiTokenExpirationMin | Int | 30 | Token validity after the creation (minutes) |
| API_TOKEN_REFRESH_EXPIRATION_DAYS | apiConfig.apiTokenRefreshExpirationDays | Int | 7 | Token validity after the creation (days) |
| AWS_ACCESS_KEY_ID | apiConfig.awsAccessKeyId | String | AWS_ACCESS_KEY_ID | |
| AWS_SECRET_ACCESS_KEY | apiConfig.awsSecretAccessKey | String | AWS_SECRET_ACCESS_KEY | |
| CONTAINER_MODE | Bool | False | Enabled in is deployed in a container outside k8s cluster | |
| DEBUG_LEVEL | apiConfig.debugLevel | String | info | Print level (Critical, error, warning, info, debug) |
| DEFAULT_ADMIN_USERNAME | apiConfig.defaultAdminPassword | String | admin | Default username for admin user (will be created if does not already exist) |
| DEFAULT_ADMIN_PASSWORD | apiConfig.defaultAdminUsername | String | admin | Default password for admin user (will be created if does not already exist) |
| DOWNLOAD_TMP_FOLDER | apiConfig.downloadTmpFolder | String | /tmp/velero-api | Destination folder when executing velero backup download |
| K8S_IN_CLUSTER_MODE | apiConfig.k8SInClusterMode | Bool | False | Enabled if is deployed in a cluster |
| K8S_VELERO_NAMESPACE | global.veleroNamespace | String | velero | K8s Velero namespace |
| K8S_VELERO_UI_NAMESPACE | String | velero-ui | K8s Velero namespace | |
| NATS_ENABLE | false | |||
| NATS_ENDPOINT_URL | 127.0.0.1 | |||
| NATS_PORT_CLIENT | 4222 | |||
| NATS_USERNAME | user | |||
| NATS_PASSWORD | password | |||
| NATS_ALIVE_SEC | 60 | |||
| NATS_REQUEST_TIMEOUT_SEC | 2 | |||
| NATS_RETRY_REG_SEC | 30 | |||
| NATS_RETRY_CONN_SEC | 20 | |||
| NATS_PORT_MONITORING | 30 | |||
| NATS_CRON_UPDATE_K8S_HEALTH | 300 | |||
| NATS_CRON_UPDATE_STATS_GET | 300 | |||
| NATS_CRON_UPDATE_BACKUP | 300 | |||
| NATS_CRON_UPDATE_RESTORE | 300 | |||
| NATS_CRON_UPDATE_BACKUP_LOCATION | 300 | |||
| NATS_CRON_UPDATE_STORAGE_LOCATION | 300 | |||
| NATS_CRON_UPDATE_REPOSITORIES | 300 | |||
| NATS_CRON_UPDATE_SC_MAPPING | 300 | |||
| ORIGINS_1 (1) | apiConfig.origins1 | String | http://localhost:3000 | Allowed origin |
| ORIGINS_2 (1) | String | http://127.0.0.1:3000 | Allowed origin | |
| ORIGINS_3 (1) | String | * | Allowed origin | |
| SECURITY_DISABLE_USERS_PWD_RATE | apiConfig.securityDisableUsersPwdRate | Bool | False | If True user can have a weak password, otherwise is required a strong password |
| SECURITY_PATH_DATABASE | apiConfig.securityPathDatabase | String | ./test | Path where create the SQL-Lite database used for storing the users credentials |
| SECURITY_REFRESH_TOKEN_KEY (3) | String | Optional: Secret key used for JWT creation (refresh token mechanism) | ||
| SECURITY_TOKEN_KEY (3) | String | Optional: Secret key used for JWT creation | ||
| VELERO_CLI_DEST_PATH | apiConfig.veleroCliDestPath | String | /usr/local/bin | Path where to extract the velero executable file |
| VELERO_CLI_PATH | apiConfig.veleroCliPath | String | /app/velero-client | Path where the compressed velero client archives are located |
| VELERO_CLI_PATH_CUSTOM | apiConfig.veleroCliPathCustom | String | /app/velero-client-binary | Path where the user can store manually the binary file |
| VELERO_CLI_VERSION (2) | apiConfig.veleroCliVersion | String | latest available in velero-api-image | Name of the velero client release to be used |
| RESTIC_PASSWORD | apiConfig.resticPassword | String | static-passw0rd |
-
You can define up to 100 allowed origins that should be permitted to make cross-origin requests. An origin is the combination of protocol (http, https), domain (myapp.com, localhost) and port (80, 443, 8001)
-
The Velero client is downloaded when the pod is started according to the environment variable VELERO_CLI_VERSION. Set VELERO_CLI_VERSION as the following syntax example:
v1.12.2infoIn the event of a connection problem, the version 1.12.1 contained within the Velero API image will be utilized.
-
To generate a fixed secure random secret key use the command:
openssl rand -hex 32infoIf no secret key is provided, the system regenerates new missed keys itself each time it is restarted.
-
You can define up to 100 custom rate limiters (from the key API_RATE_LIMITER_CUSTOM_L1 to API_RATE_LIMITER_CUSTOM_L99). Rules can be designed for a tag (eg Security, Info, Backup, Schedule, etc) or for a specific endpoint (eg backup/update-expitaration, utils/version, etc).
warningReplace the characters \ - in endpoint urls with the _
The description field of each endpoint describes the key to configure the customized rate limiter and the actual setup.
Example : if we want to create a rule for the specific endpoint "/backup/get-storage-classes" (tag: Backup) it will be: Backup:backup_get_storage_classes:60:600 The default rate limiter is defined by the key API_RATE_LIMITER_L1
Swagger UI
To find out all the endpoints exposed by the API project, you can use the Swagger UI documentation
< API IP address >/api/docs
If you disable the api documentation (API_ENABLE_DOCUMENTATION key), you are not able to reach the endpoint /docs.