diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 93a96c502..e1c976cff 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -12,7 +12,7 @@ repos: - id: check-yaml args: - --allow-multiple-documents - exclude: mkdocs.yml + exclude: "mkdocs.yml" - id: check-yaml name: check-yaml-mkdocs # --unsafe is a workaround for the use of !! in mkdocs.yml diff --git a/.yamllint.yaml b/.yamllint.yaml index d73a31ae6..7556021ae 100644 --- a/.yamllint.yaml +++ b/.yamllint.yaml @@ -1,5 +1,8 @@ extends: default +ignore: + - components/etcdbackup/templates/ + rules: comments: ignore: .github/workflows/ diff --git a/apps/appsets/appset-understack-infra.yaml b/apps/appsets/appset-understack-infra.yaml index 0d9209321..567255f37 100644 --- a/apps/appsets/appset-understack-infra.yaml +++ b/apps/appsets/appset-understack-infra.yaml @@ -70,6 +70,22 @@ spec: - repoURL: '{{ .values.uc_deploy_git_url }}' targetRevision: '{{ .values.uc_deploy_ref }}' path: '{{.name}}/manifests/cilium' + - component: etcdbackup + componentNamespace: kube-system + skipComponent: '{{has "etcdbackup" (.values.uc_skip_components | fromJson)}}' + sources: + - repoURL: '{{ .values.uc_repo_git_url }}' + targetRevision: '{{ .values.uc_repo_ref }}' + path: 'components/etcdbackup' + ref: understack + helm: + valueFiles: + - $understack/components/etcdbackup/values.yaml + - $deploy/{{.name}}/helm-configs/etcdbackup.yaml + ignoreMissingValueFiles: true + - repoURL: '{{ .values.uc_deploy_git_url }}' + targetRevision: '{{ .values.uc_deploy_ref }}' + ref: deploy selector: # by setting the key in the elements 'skipComponent' to 'true' it will skip installing it # ArgoCD's templating operates with strings so it's the string "true" diff --git a/components/etcdbackup/.helmignore b/components/etcdbackup/.helmignore new file mode 100644 index 000000000..0e8a0eb36 --- /dev/null +++ b/components/etcdbackup/.helmignore 
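Review bot: With `ignoreMissingValueFiles: true` on the new etcdbackup source, a site whose deploy repo has no `helm-configs/etcdbackup.yaml` is still rendered from the chart defaults, which this commit sets to `nodeName: controlPlane1` and `fileName: mycluster.etcd.snapshot`. If no node carries that name, the CronJob pods would presumably never run, so the site would look as if it had a backup component while producing no snapshots. Either make the per-site values file mandatory for this component or list `etcdbackup` in `uc_skip_components` for sites that have not configured it. A comment above the entry, such as `# requires helm-configs/etcdbackup.yaml with backup.nodeName set per site`, would record the intent. The enclosing generator list starts and ends outside this hunk.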
@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/
diff --git a/components/etcdbackup/Chart.yaml b/components/etcdbackup/Chart.yaml
new file mode 100644
index 000000000..028a1d421
--- /dev/null
+++ b/components/etcdbackup/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v2
+name: etcdbackup
+description: Local, periodic backup of etcd
+type: application
+version: 0.1.0
diff --git a/components/etcdbackup/templates/_helpers.tpl b/components/etcdbackup/templates/_helpers.tpl
new file mode 100644
index 000000000..5c119a234
--- /dev/null
+++ b/components/etcdbackup/templates/_helpers.tpl
@@ -0,0 +1,48 @@
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "etcdbackup.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "etcdbackup.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "etcdbackup.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "etcdbackup.labels" -}}
+helm.sh/chart: {{ include "etcdbackup.chart" . }}
+{{ include "etcdbackup.selectorLabels" . }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "etcdbackup.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "etcdbackup.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
diff --git a/components/etcdbackup/templates/job-etcd-backup.yaml.tpl b/components/etcdbackup/templates/job-etcd-backup.yaml.tpl
new file mode 100644
index 000000000..f802dfc74
--- /dev/null
+++ b/components/etcdbackup/templates/job-etcd-backup.yaml.tpl
@@ -0,0 +1,69 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: etcd-backup-job
+ namespace: kube-system
+ labels:
+ {{- include "etcdbackup.labels" . | nindent 4 }}
+spec:
+ concurrencyPolicy: Forbid
+ failedJobsHistoryLimit: 5
+ jobTemplate:
+ metadata:
+ name: etcd-backup-cronjob-run
+ spec:
+ completions: 1
+ template:
+ metadata:
+ name: etcd-backup-job-run
+ spec:
+ containers:
+ - command:
+ - etcdctl
+ - --cert=/etc/kubernetes/pki/etcd/server.crt
+ - --key=/etc/kubernetes/pki/etcd/server.key
+ - --cacert=/etc/kubernetes/pki/etcd/ca.crt
+ - --endpoints=127.0.0.1:2379
+ - snapshot
+ - save
+ - /var/backups/{{ .Values.backup.fileName }}
+ env:
+ - name: ETCDCTL_API
+ value: "3"
+ image: registry.k8s.io/etcd:3.5.15-0
+ imagePullPolicy: IfNotPresent
+ name: snapshot
+ resources: {}
+ terminationMessagePath: /dev/termination-log
+ terminationMessagePolicy: File
+ volumeMounts:
+ - mountPath: /var/lib/etcd
+ name: etcd-data
+ - mountPath: /etc/kubernetes/pki/etcd
+ name: etcd-certs
+ - mountPath: /var/backups
+ name: backups
+ dnsPolicy: ClusterFirst
+ nodeName: {{ .Values.backup.nodeName }}
+ hostNetwork: true
+ restartPolicy: OnFailure
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 30
+ volumes:
+ - hostPath:
+ path: /etc/kubernetes/pki/etcd
+ type: ""
+ name: etcd-certs
+ - hostPath:
+ path: /var/lib/etcd
+ type: ""
+ name: etcd-data
+ - hostPath:
+ path: /var/backups
+ type: ""
+ name: backups
+ ttlSecondsAfterFinished: 604800
+ schedule: 0 0 * * *
+ successfulJobsHistoryLimit: 3
+ suspend: false
diff --git a/components/etcdbackup/values.yaml b/components/etcdbackup/values.yaml
new file mode 100644
index 000000000..0bb77f33e
--- /dev/null
+++ b/components/etcdbackup/values.yaml
@@ -0,0 +1,6 @@
+backup:
+ # hostPath where the backups are to be stored
+ backupPath: /var/backups/
+ # node on which the etcd backup job will be scheduled to
+ nodeName: controlPlane1
+ fileName: mycluster.etcd.snapshot
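Review bot: The `snapshot` container gets the host's `/etc/kubernetes/pki/etcd` and `/var/lib/etcd` mounted writable, and neither the pod-level `securityContext: {}` nor the container restricts anything, so the job can alter the etcd key material and the live data directory. `etcdctl snapshot save` against `--endpoints=127.0.0.1:2379` only needs to read the certificates and write under `/var/backups`. Add `readOnly: true` to the `etcd-certs` volumeMount, and drop the `etcd-data` mount and volume unless it is kept on purpose, in which case mark it read-only as well. The snapshot contains every Secret stored in the cluster and is written to a fixed name, so each run appears to replace the previous one; a comment above the command should state who may read `/var/backups` on the node and that a single generation is kept. `nodeName: {{ .Values.backup.nodeName }}` is rendered unquoted, and `nodeName: {{ .Values.backup.nodeName | quote }}` would keep an empty or boolean-looking value from changing type.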
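Review bot: `backup.backupPath` is described here as the hostPath where backups are stored, but the CronJob template in this commit never reads it: the command argument, the `backups` volumeMount and the `hostPath` all hard-code `/var/backups`. Overriding the value per site would therefore have no effect on where the snapshot lands. Either reference it from the template, for example `path: {{ .Values.backup.backupPath }}` on the `backups` volume, or remove the key. `fileName` is the only key without a comment; `# file name of the snapshot written under the backup path` would match the other two.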