feat(k8s): 新增 Velero 備份系統 (K1.1)

Phase K1 災難恢復:
- MinIO 部署在 192.168.0.188:9000/9001
- Velero v1.13.0 完整安裝 manifests
- velero-backups bucket 已建立
- README 含部署與使用指南

部署方式:
  ssh wooo@192.168.0.120
  sudo kubectl apply -f k8s/velero/velero-install-full.yaml

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

docs/reference/SERVICE-ENDPOINTS.md

@@ -80,6 +80,13 @@
 | **Harbor** | `192.168.0.110:5000` | Container Registry |
 | **GitHub Runner** | - | Self-hosted (awoooi-runner) |
 
+### 備份 (192.168.0.188)
+
+| 服務 | 端點 | 說明 |
+|------|------|------|
+| **MinIO API** | `192.168.0.188:9000` | Velero 備份儲存 |
+| **MinIO Console** | `192.168.0.188:9001` | Web 管理介面 |
+
 ### 安全 (192.168.0.112)
 
 | 服務 | 端點 | 說明 |

k8s/velero/00-namespace.yaml

@@ -0,0 +1,12 @@
+# Velero Namespace
+# 建立者: Claude Code (首席架構師)
+# 日期: 2026-03-28 (台北時間)
+# 用途: K3s 災難恢復備份系統
+
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: velero
+  labels:
+    app.kubernetes.io/name: velero
+    app.kubernetes.io/component: backup

k8s/velero/01-credentials.yaml

@@ -0,0 +1,14 @@
+# Velero MinIO Credentials
+# 注意: 這是示例，實際部署時應使用 Sealed Secrets 或 External Secrets
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: velero-minio-credentials
+  namespace: velero
+type: Opaque
+stringData:
+  cloud: |
+    [default]
+    aws_access_key_id=minio_admin
+    aws_secret_access_key=Minio_Velero_2026!

k8s/velero/02-velero-install.yaml

@@ -0,0 +1,117 @@
+# Velero Full Installation
+# 來源: velero install --dry-run -o yaml
+# 建立者: Claude Code (首席架構師)
+# 日期: 2026-03-28 (台北時間)
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: velero
+  namespace: velero
+  labels:
+    component: velero
+
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: velero
+  labels:
+    component: velero
+subjects:
+  - kind: ServiceAccount
+    name: velero
+    namespace: velero
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: ClusterRole
+  name: cluster-admin
+
+---
+apiVersion: velero.io/v1
+kind: BackupStorageLocation
+metadata:
+  name: default
+  namespace: velero
+spec:
+  provider: aws
+  objectStorage:
+    bucket: velero-backups
+  config:
+    region: minio
+    s3ForcePathStyle: "true"
+    s3Url: http://192.168.0.188:9000
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: velero
+  namespace: velero
+  labels:
+    component: velero
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      component: velero
+  template:
+    metadata:
+      labels:
+        component: velero
+    spec:
+      serviceAccountName: velero
+      containers:
+        - name: velero
+          image: velero/velero:v1.13.0
+          imagePullPolicy: IfNotPresent
+          ports:
+            - name: metrics
+              containerPort: 8085
+          command:
+            - /velero
+          args:
+            - server
+            - --features=
+          env:
+            - name: VELERO_SCRATCH_DIR
+              value: /scratch
+            - name: VELERO_NAMESPACE
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.namespace
+            - name: LD_LIBRARY_PATH
+              value: /plugins
+            - name: AWS_SHARED_CREDENTIALS_FILE
+              value: /credentials/cloud
+          volumeMounts:
+            - name: plugins
+              mountPath: /plugins
+            - name: scratch
+              mountPath: /scratch
+            - name: cloud-credentials
+              mountPath: /credentials
+          resources:
+            requests:
+              cpu: 500m
+              memory: 128Mi
+            limits:
+              cpu: 1000m
+              memory: 512Mi
+      initContainers:
+        - name: velero-plugin-for-aws
+          image: velero/velero-plugin-for-aws:v1.9.0
+          imagePullPolicy: IfNotPresent
+          volumeMounts:
+            - name: plugins
+              mountPath: /target
+      volumes:
+        - name: cloud-credentials
+          secret:
+            secretName: velero-minio-credentials
+        - name: plugins
+          emptyDir: {}
+        - name: scratch
+          emptyDir: {}
+      restartPolicy: Always

k8s/velero/README.md

@@ -0,0 +1,49 @@
+# Velero Backup System
+
+> **建立日期**: 2026-03-28 (台北時間)
+> **用途**: K3s 叢集災難恢復備份
+
+## 前置條件
+
+1. MinIO 已部署在 192.168.0.188:9000
+2. velero-backups bucket 已建立
+3. 具有 K3s cluster-admin 權限
+
+## 部署步驟
+
+```bash
+# 1. SSH 到 K3s Master
+ssh wooo@192.168.0.120
+
+# 2. 套用 Velero 完整安裝
+sudo kubectl apply -f https://raw.githubusercontent.com/owenhytsai/awoooi/main/k8s/velero/velero-install-full.yaml
+
+# 3. 驗證安裝
+sudo kubectl get pods -n velero
+sudo kubectl get backupstoragelocation -n velero
+```
+
+## 使用方式
+
+```bash
+# 建立備份
+velero backup create awoooi-$(date +%Y%m%d) --include-namespaces awoooi-prod
+
+# 查看備份
+velero backup get
+
+# 還原備份
+velero restore create --from-backup awoooi-20260328
+
+# 建立定時備份 (每日 3:00)
+velero schedule create awoooi-daily --schedule="0 3 * * *" --include-namespaces awoooi-prod --ttl 168h
+```
+
+## MinIO 存取資訊
+
+| 項目 | 值 |
+|------|-----|
+| Endpoint | http://192.168.0.188:9000 |
+| Console | http://192.168.0.188:9001 |
+| User | minio_admin |
+| Bucket | velero-backups |

k8s/velero/crds/velero-crds.yaml

@@ -0,0 +1 @@
+404: Not Found