feat: add S3 endpoint override for S3-compatible storage (#117)

Author: cwrau

.golangci.yaml

@@ -292,7 +292,7 @@ linters:
     rules:
       - linters:
           - lll
-        source: "^//\\+kubebuilder.*"
+        source: "^\\s*//\\+kubebuilder.*"
       - linters:
           - lll
         source: ".*https.*" # URLs are long 🤷

api/v1alpha1/hostedcontrolplane.go

@@ -52,6 +52,30 @@ func (a *Audit) ModeOrDefault() string {
 	return ptr.Deref(a.Mode, defaultMode)
 }
 
+func (ebs *ETCDBackupSecret) HostKeyOrDefault() string {
+	defaultKey := "host"
+	if ebs == nil {
+		return defaultKey
+	}
+	return ptr.Deref(ebs.HostKey, defaultKey)
+}
+
+func (ebs *ETCDBackupSecret) RegionKeyOrDefault() string {
+	defaultKey := "region"
+	if ebs == nil {
+		return defaultKey
+	}
+	return ptr.Deref(ebs.RegionKey, defaultKey)
+}
+
+func (ebs *ETCDBackupSecret) BucketKeyOrDefault() string {
+	defaultKey := "bucket"
+	if ebs == nil {
+		return defaultKey
+	}
+	return ptr.Deref(ebs.BucketKey, defaultKey)
+}
+
 func (ebs *ETCDBackupSecret) AccessKeyIDKeyOrDefault() string {
 	defaultKey := "accessKeyID"
 	if ebs == nil {

api/v1alpha1/hostedcontrolplane_types.go

@@ -145,15 +145,20 @@ type ETCDComponent struct {
 	Backup *ETCDBackup `json:"backup,omitempty"`
 }
 
+// ETCDBackup configures periodic etcd snapshots uploaded to S3-compatible storage.
+// Backup retention is not managed by the operator; configure lifecycle rules on the
+// bucket itself (e.g. S3 Lifecycle Rules) to expire old snapshots automatically.
 type ETCDBackup struct {
+	// Schedule is a standard 5-field cron expression (minute hour day-of-month month day-of-week).
+	// See https://en.wikipedia.org/wiki/Cron#Overview, no `*/5` syntax, no lists and no ranges,
+	// only single values
+	// Additionally, @daily is supported; it is spread across clusters around midnight
+	// to avoid simultaneous backups.
 	//+kubebuilder:validation:Required
+	//+kubebuilder:validation:Pattern=`^(@daily|(\*|[0-9]|[1-5][0-9]) (\*|[0-9]|1[0-9]|2[0-3]) (\*|[1-9]|[1-2][0-9]|3[0-1]) (\*|[1-9]|1[0-2]) (\*|[0-6]))$`
 	Schedule string `json:"schedule"`
 	//+kubebuilder:validation:Required
-	Bucket string `json:"bucket"`
-	//+kubebuilder:validation:Required
 	Secret ETCDBackupSecret `json:"secret"`
-	//+kubebuilder:validation:Optional
-	Region string `json:"region,omitempty"`
 }
 
 type ETCDBackupSecret struct {
@@ -165,6 +170,18 @@ type ETCDBackupSecret struct {
 	AccessKeyIDKey *string `json:"accessKeyIDKey,omitempty"`
 	//+kubebuilder:validation:Optional
 	SecretAccessKeyKey *string `json:"secretAccessKeyKey,omitempty"`
+	// HostKey is the key in the referenced Secret whose value contains the S3 endpoint host.
+	// The Secret value must be a bare host name or host:port, for example
+	// `s3.example.com` or `s3.example.com:9000`. Do not include a URL scheme
+	// such as `http://` or `https://`, and do not include any path component.
+	//+kubebuilder:validation:Optional
+	HostKey *string `json:"hostKey,omitempty"`
+	//+kubebuilder:validation:Optional
+	RegionKey *string `json:"regionKey,omitempty"`
+	// The bucket will be split by `/` and only the first part is the bucket,
+	// the rest is a prefix for the file
+	//+kubebuilder:validation:Optional
+	BucketKey *string `json:"bucketKey,omitempty"`
 }
 
 type APIServerPod struct {

api/v1alpha1/zz_generated.deepcopy.go

@@ -4,10 +4,11 @@ go 1.25.7
 
 require (
 	github.com/aws/aws-sdk-go-v2 v1.41.5
-	github.com/aws/aws-sdk-go-v2/config v1.32.7
-	github.com/aws/aws-sdk-go-v2/credentials v1.19.7
-	github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager v0.1.2
+	github.com/aws/aws-sdk-go-v2/config v1.32.14
+	github.com/aws/aws-sdk-go-v2/credentials v1.19.14
+	github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager v0.1.15
 	github.com/aws/aws-sdk-go-v2/service/s3 v1.99.0
+	github.com/aws/smithy-go/tracing/smithyoteltracing v1.0.13
 	github.com/blang/semver/v4 v4.0.0
 	github.com/caarlos0/env/v6 v6.10.1
 	github.com/cert-manager/cert-manager v1.19.3
@@ -55,20 +56,20 @@ require (
 	github.com/NYTimes/gziphandler v1.1.1 // indirect
 	github.com/antlr4-go/antlr/v4 v4.13.1 // indirect
 	github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 // indirect
-	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 // indirect
+	github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 // indirect
-	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 // indirect
+	github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 // indirect
 	github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/checksum v1.9.13 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/presigned-url v1.13.21 // indirect
 	github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 // indirect
-	github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 // indirect
-	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 // indirect
-	github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 // indirect
-	github.com/aws/smithy-go v1.24.2 // indirect
+	github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 // indirect
+	github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 // indirect
+	github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 // indirect
+	github.com/aws/smithy-go v1.24.3 // indirect
 	github.com/beorn7/perks v1.0.1 // indirect
 	github.com/cenkalti/backoff/v5 v5.0.3 // indirect
 	github.com/cespare/xxhash/v2 v2.3.0 // indirect

go.mod

@@ -30,20 +30,20 @@ github.com/aws/aws-sdk-go-v2 v1.41.5 h1:dj5kopbwUsVUVFgO4Fi5BIT3t4WyqIDjGKCangnV
 github.com/aws/aws-sdk-go-v2 v1.41.5/go.mod h1:mwsPRE8ceUUpiTgF7QmQIJ7lgsKUPQOUl3o72QBrE1o=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8 h1:eBMB84YGghSocM7PsjmmPffTa+1FBUeNvGvFou6V/4o=
 github.com/aws/aws-sdk-go-v2/aws/protocol/eventstream v1.7.8/go.mod h1:lyw7GFp3qENLh7kwzf7iMzAxDn+NzjXEAGjKS2UOKqI=
-github.com/aws/aws-sdk-go-v2/config v1.32.7 h1:vxUyWGUwmkQ2g19n7JY/9YL8MfAIl7bTesIUykECXmY=
-github.com/aws/aws-sdk-go-v2/config v1.32.7/go.mod h1:2/Qm5vKUU/r7Y+zUk/Ptt2MDAEKAfUtKc1+3U1Mo3oY=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.7 h1:tHK47VqqtJxOymRrNtUXN5SP/zUTvZKeLx4tH6PGQc8=
-github.com/aws/aws-sdk-go-v2/credentials v1.19.7/go.mod h1:qOZk8sPDrxhf+4Wf4oT2urYJrYt3RejHSzgAquYeppw=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17 h1:I0GyV8wiYrP8XpA70g1HBcQO1JlQxCMTW9npl5UbDHY=
-github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.17/go.mod h1:tyw7BOl5bBe/oqvoIeECFJjMdzXoa/dfVz3QQ5lgHGA=
-github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager v0.1.2 h1:1q8/WwEqZnM/vO4q1gx2g7lHYmyN+o4P7G6EW4zKbRQ=
-github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager v0.1.2/go.mod h1:owKRexW+Ir5ACD2UTesmjkQ+w7mcmknLNfwOiKfVLTg=
+github.com/aws/aws-sdk-go-v2/config v1.32.14 h1:opVIRo/ZbbI8OIqSOKmpFaY7IwfFUOCCXBsUpJOwDdI=
+github.com/aws/aws-sdk-go-v2/config v1.32.14/go.mod h1:U4/V0uKxh0Tl5sxmCBZ3AecYny4UNlVmObYjKuuaiOo=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.14 h1:n+UcGWAIZHkXzYt87uMFBv/l8THYELoX6gVcUvgl6fI=
+github.com/aws/aws-sdk-go-v2/credentials v1.19.14/go.mod h1:cJKuyWB59Mqi0jM3nFYQRmnHVQIcgoxjEMAbLkpr62w=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21 h1:NUS3K4BTDArQqNu2ih7yeDLaS3bmHD0YndtA6UP884g=
+github.com/aws/aws-sdk-go-v2/feature/ec2/imds v1.18.21/go.mod h1:YWNWJQNjKigKY1RHVJCuupeWDrrHjRqHm0N9rdrWzYI=
+github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager v0.1.15 h1:92MfpwB6KjsPIEq9g3DniRPxOe92ew5hUz1h8W8cX7E=
+github.com/aws/aws-sdk-go-v2/feature/s3/transfermanager v0.1.15/go.mod h1:7O129SmOn4acM++3oVfTLAeHmNOsj0y7AA7zmbgnGOk=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21 h1:Rgg6wvjjtX8bNHcvi9OnXWwcE0a2vGpbwmtICOsvcf4=
 github.com/aws/aws-sdk-go-v2/internal/configsources v1.4.21/go.mod h1:A/kJFst/nm//cyqonihbdpQZwiUhhzpqTsdbhDdRF9c=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21 h1:PEgGVtPoB6NTpPrBgqSE5hE/o47Ij9qk/SEZFbUOe9A=
 github.com/aws/aws-sdk-go-v2/internal/endpoints/v2 v2.7.21/go.mod h1:p+hz+PRAYlY3zcpJhPwXlLC4C+kqn70WIHwnzAfs6ps=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4 h1:WKuaxf++XKWlHWu9ECbMlha8WOEGm0OUEZqm4K/Gcfk=
-github.com/aws/aws-sdk-go-v2/internal/ini v1.8.4/go.mod h1:ZWy7j6v1vWGmPReu0iSGvRiise4YI5SkR3OHKTZ6Wuc=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6 h1:qYQ4pzQ2Oz6WpQ8T3HvGHnZydA72MnLuFK9tJwmrbHw=
+github.com/aws/aws-sdk-go-v2/internal/ini v1.8.6/go.mod h1:O3h0IK87yXci+kg6flUKzJnWeziQUKciKrLjcatSNcY=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22 h1:rWyie/PxDRIdhNf4DzRk0lvjVOqFJuNnO8WwaIRVxzQ=
 github.com/aws/aws-sdk-go-v2/internal/v4a v1.4.22/go.mod h1:zd/JsJ4P7oGfUhXn1VyLqaRZwPmZwg44Jf2dS84Dm3Y=
 github.com/aws/aws-sdk-go-v2/service/internal/accept-encoding v1.13.7 h1:5EniKhLZe4xzL7a+fU3C2tfUN4nWIqlLesfrjkuPFTY=
@@ -56,16 +56,18 @@ github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21 h1:ZlvrNcHSFFWUR
 github.com/aws/aws-sdk-go-v2/service/internal/s3shared v1.19.21/go.mod h1:cv3TNhVrssKR0O/xxLJVRfd2oazSnZnkUeTf6ctUwfQ=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.99.0 h1:hlSuz394kV0vhv9drL5lhuEFbEOEP1VyQpy15qWh1Pk=
 github.com/aws/aws-sdk-go-v2/service/s3 v1.99.0/go.mod h1:uoA43SdFwacedBfSgfFSjjCvYe8aYBS7EnU5GZ/YKMM=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.5 h1:VrhDvQib/i0lxvr3zqlUwLwJP4fpmpyD9wYG1vfSu+Y=
-github.com/aws/aws-sdk-go-v2/service/signin v1.0.5/go.mod h1:k029+U8SY30/3/ras4G/Fnv/b88N4mAfliNn08Dem4M=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.9 h1:v6EiMvhEYBoHABfbGB4alOYmCIrcgyPPiBE1wZAEbqk=
-github.com/aws/aws-sdk-go-v2/service/sso v1.30.9/go.mod h1:yifAsgBxgJWn3ggx70A3urX2AN49Y5sJTD1UQFlfqBw=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13 h1:gd84Omyu9JLriJVCbGApcLzVR3XtmC4ZDPcAI6Ftvds=
-github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.13/go.mod h1:sTGThjphYE4Ohw8vJiRStAcu3rbjtXRsdNB0TvZ5wwo=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.6 h1:5fFjR/ToSOzB2OQ/XqWpZBmNvmP/pJ1jOWYlFDJTjRQ=
-github.com/aws/aws-sdk-go-v2/service/sts v1.41.6/go.mod h1:qgFDZQSD/Kys7nJnVqYlWKnh0SSdMjAi0uSwON4wgYQ=
-github.com/aws/smithy-go v1.24.2 h1:FzA3bu/nt/vDvmnkg+R8Xl46gmzEDam6mZ1hzmwXFng=
-github.com/aws/smithy-go v1.24.2/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.9 h1:QKZH0S178gCmFEgst8hN0mCX1KxLgHBKKY/CLqwP8lg=
+github.com/aws/aws-sdk-go-v2/service/signin v1.0.9/go.mod h1:7yuQJoT+OoH8aqIxw9vwF+8KpvLZ8AWmvmUWHsGQZvI=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.15 h1:lFd1+ZSEYJZYvv9d6kXzhkZu07si3f+GQ1AaYwa2LUM=
+github.com/aws/aws-sdk-go-v2/service/sso v1.30.15/go.mod h1:WSvS1NLr7JaPunCXqpJnWk1Bjo7IxzZXrZi1QQCkuqM=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19 h1:dzztQ1YmfPrxdrOiuZRMF6fuOwWlWpD2StNLTceKpys=
+github.com/aws/aws-sdk-go-v2/service/ssooidc v1.35.19/go.mod h1:YO8TrYtFdl5w/4vmjL8zaBSsiNp3w0L1FfKVKenZT7w=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.10 h1:p8ogvvLugcR/zLBXTXrTkj0RYBUdErbMnAFFp12Lm/U=
+github.com/aws/aws-sdk-go-v2/service/sts v1.41.10/go.mod h1:60dv0eZJfeVXfbT1tFJinbHrDfSJ2GZl4Q//OSSNAVw=
+github.com/aws/smithy-go v1.24.3 h1:XgOAaUgx+HhVBoP4v8n6HCQoTRDhoMghKqw4LNHsDNg=
+github.com/aws/smithy-go v1.24.3/go.mod h1:YE2RhdIuDbA5E5bTdciG9KrW3+TiEONeUWCqxX9i1Fc=
+github.com/aws/smithy-go/tracing/smithyoteltracing v1.0.13 h1:Okz+/GoqkQlPEEzHTa69fOshx6lYjZIcMxR9RpJPTfs=
+github.com/aws/smithy-go/tracing/smithyoteltracing v1.0.13/go.mod h1:zTATuy5kyRLhWPtp33dLfOIRF8eqq091eEJtksR8QKk=
 github.com/beorn7/perks v1.0.1 h1:VlbKKnNfV8bJzeqoa4cOKqO6bYr3WgKZxO8Z16+hsOM=
 github.com/beorn7/perks v1.0.1/go.mod h1:G2ZrVWU2WbWT9wwq4/hrbKbnv/1ERSJQ0ibhJ6rlkpw=
 github.com/blang/semver/v4 v4.0.0 h1:1PFHFE6yCCTv8C1TeyNNarDzntLi7wMI5i/pzqYIsAM=

go.sum

@@ -204,13 +204,14 @@ func setupControllers(
 		) (*alias.WorkloadClusterClient, ciliumclient.Interface, error) {
 			return workload.GetWorkloadClusterClient(
 				ctx,
+				tracingWrapper,
 				managementClusterClient,
 				cluster,
-				tracingWrapper,
 				controllerUsername,
 			)
 		},
-		func(ctx context.Context,
+		func(
+			ctx context.Context,
 			managementClusterClient *alias.ManagementClusterClient,
 			hostedControlPlane *v1alpha1.HostedControlPlane,
 			cluster *capiv2.Cluster,
@@ -225,7 +226,20 @@ func setupControllers(
 				serverPort,
 			)
 		},
-		s3_client.NewS3Client,
+		func(
+			ctx context.Context,
+			managementClusterClient *alias.ManagementClusterClient,
+			hostedControlPlane *v1alpha1.HostedControlPlane,
+			cluster *capiv2.Cluster,
+		) (s3_client.S3Client, error) {
+			return s3_client.NewS3Client(
+				ctx,
+				tracerProvider,
+				managementClusterClient,
+				hostedControlPlane,
+				cluster,
+			)
+		},
 		mgr.GetEventRecorder(hostedControlPlaneControllerName),
 		controllerNamespace,
 		reconcileFilter,

pkg/operator/operator.go

@@ -566,11 +566,10 @@ func (arr *apiServerResourcesReconciler) extractAdditionalVolumesAndMounts(
 		volume := corev1ac.Volume().
 			WithName(name)
 		if mount.Secret != nil {
-			items := mount.Secret.Items
 			volume = volume.WithSecret(corev1ac.SecretVolumeSource().
 				WithSecretName(mount.Secret.SecretName).
 				WithOptional(false).
-				WithItems(convertItems(items)...),
+				WithItems(convertItems(mount.Secret.Items)...),
 			)
 		}
 		if mount.ConfigMap != nil {

pkg/reconcilers/apiserverresources/apiserverresources.go

@@ -0,0 +1,37 @@
+package etcd_cluster
+
+import (
+	"fmt"
+	"hash/fnv"
+
+	"github.com/robfig/cron/v3"
+)
+
+// resolveBackupSchedule converts a schedule string to a concrete 5-field cron expression.
+// Vague terms like "@daily" are expanded to a deterministic time within an 8-hour window
+// around midnight (20:00–03:59), spread by hashing the cluster's namespace and name so that
+// multiple clusters do not all back up at the same moment.
+func resolveBackupSchedule(schedule string, namespace string, name string) (cron.Schedule, error) {
+	resolvedSchedule := schedule
+	if resolvedSchedule == "@daily" {
+		resolvedSchedule = dailyScheduleFor(namespace, name)
+	}
+
+	if cronSchedule, err := cron.ParseStandard(resolvedSchedule); err != nil {
+		return nil, fmt.Errorf("failed to parse schedule: %w", err)
+	} else {
+		return cronSchedule, nil
+	}
+}
+
+// dailyScheduleFor returns a deterministic cron expression within the 8-hour window
+// 20:00–03:59 (480 minutes centered on midnight) for the given cluster identity.
+func dailyScheduleFor(namespace string, name string) string {
+	h := fnv.New32a()
+	_, _ = fmt.Fprintf(h, "%s/%s", namespace, name)
+	offset := int(h.Sum32() % 480) // 0–479 minutes into the window
+	totalMinutes := 20*60 + offset // 1200 = 20:00; wraps through midnight up to 03:59
+	hour := (totalMinutes / 60) % 24
+	minute := totalMinutes % 60
+	return fmt.Sprintf("%d %d * * *", minute, hour)
+}

pkg/reconcilers/etcd_cluster/backup_schedule.go

@@ -0,0 +1,92 @@
+package etcd_cluster
+
+import (
+	"fmt"
+	"testing"
+	"time"
+
+	. "github.com/onsi/gomega"
+)
+
+func TestDailyScheduleFor(t *testing.T) {
+	t.Run("result is within the 20:00–03:59 window", func(t *testing.T) {
+		g := NewWithT(t)
+		identities := [][2]string{
+			{"ns-a", "cluster-1"},
+			{"ns-b", "cluster-2"},
+			{"production", "control-plane"},
+			{"kube-system", "etcd-backup"},
+			{"", "no-namespace"},
+		}
+		for _, id := range identities {
+			expr := dailyScheduleFor(id[0], id[1])
+
+			var minute, hour int
+			_, parseErr := fmt.Sscanf(expr, "%d %d * * *", &minute, &hour)
+			g.Expect(parseErr).NotTo(HaveOccurred(), "expression %q could not be parsed", expr)
+			g.Expect(minute).To(BeNumerically(">=", 0))
+			g.Expect(minute).To(BeNumerically("<=", 59))
+			// Hour must be within the 8-hour window: 20, 21, 22, 23, 0, 1, 2, 3
+			validHours := []int{20, 21, 22, 23, 0, 1, 2, 3}
+			g.Expect(validHours).
+				To(ContainElement(hour), "hour %d is outside the 8-hour window for %s/%s", hour, id[0], id[1])
+		}
+	})
+
+	t.Run("is deterministic for the same cluster", func(t *testing.T) {
+		g := NewWithT(t)
+		g.Expect(dailyScheduleFor("default", "my-cluster")).To(Equal(dailyScheduleFor("default", "my-cluster")))
+	})
+
+	t.Run("produces different schedules for different clusters", func(t *testing.T) {
+		g := NewWithT(t)
+		g.Expect(dailyScheduleFor("ns", "cluster-a")).NotTo(Equal(dailyScheduleFor("ns", "cluster-b")))
+	})
+}
+
+func TestResolveBackupSchedule(t *testing.T) {
+	t.Run("@daily returns a usable schedule within the midnight window", func(t *testing.T) {
+		g := NewWithT(t)
+		schedule, err := resolveBackupSchedule("@daily", "default", "my-cluster")
+		g.Expect(err).NotTo(HaveOccurred())
+
+		// The resolved schedule must fire exactly once per day; its next-run from a known
+		// base should be within 24h and land in the 20:00–03:59 window.
+		base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
+		next := schedule.Next(base)
+		g.Expect(next).NotTo(BeZero())
+		hour := next.Hour()
+		validHours := []int{20, 21, 22, 23, 0, 1, 2, 3}
+		g.Expect(validHours).To(ContainElement(hour))
+	})
+
+	t.Run("@daily is deterministic for the same cluster", func(t *testing.T) {
+		g := NewWithT(t)
+		base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
+		s1, _ := resolveBackupSchedule("@daily", "default", "my-cluster")
+		s2, _ := resolveBackupSchedule("@daily", "default", "my-cluster")
+		g.Expect(s1.Next(base)).To(Equal(s2.Next(base)))
+	})
+
+	t.Run("@daily produces different next-run times for different clusters", func(t *testing.T) {
+		g := NewWithT(t)
+		base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
+		a, _ := resolveBackupSchedule("@daily", "ns", "cluster-a")
+		b, _ := resolveBackupSchedule("@daily", "ns", "cluster-b")
+		g.Expect(a.Next(base)).NotTo(Equal(b.Next(base)))
+	})
+
+	t.Run("standard cron parses successfully", func(t *testing.T) {
+		g := NewWithT(t)
+		schedule, err := resolveBackupSchedule("0 2 * * *", "ns", "cluster")
+		g.Expect(err).NotTo(HaveOccurred())
+		base := time.Date(2024, 1, 1, 0, 0, 0, 0, time.UTC)
+		g.Expect(schedule.Next(base).Hour()).To(Equal(2))
+	})
+
+	t.Run("invalid schedule returns an error", func(t *testing.T) {
+		g := NewWithT(t)
+		_, err := resolveBackupSchedule("invalid cron", "ns", "cluster")
+		g.Expect(err).To(HaveOccurred())
+	})
+}