Merge pull request #4403 from tyriis/feature/vault-setup-volsync-backup

tyriis · Jan 28, 2025 · dc0c797 · dc0c797
2 parents 3625b6e + 04335df
commit dc0c797
Show file tree

Hide file tree

Showing 5 changed files with 111 additions and 0 deletions.
diff --git a/kubernetes/talos-flux/apps/secops/vault/app/kustomization.yaml b/kubernetes/talos-flux/apps/secops/vault/app/kustomization.yaml
@@ -3,4 +3,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - secret.sops.yaml
   - helm-release.yaml
+  # - persistent-volume-claim.yaml
+  - replication-source.yaml
+  # - replication-destination.yaml
diff --git a/kubernetes/talos-flux/apps/secops/vault/app/persistent-volume-claim.yaml b/kubernetes/talos-flux/apps/secops/vault/app/persistent-volume-claim.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: data-vault-0
+spec:
+  accessModes:
+    - ReadWriteOnce
+  dataSourceRef:
+    kind: ReplicationDestination
+    apiGroup: volsync.backube
+    name: data-vault-0
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: ceph-block
diff --git a/kubernetes/talos-flux/apps/secops/vault/app/replication-destination.yaml b/kubernetes/talos-flux/apps/secops/vault/app/replication-destination.yaml
@@ -0,0 +1,31 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/volsync.backube/replicationdestination_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationDestination
+metadata:
+  name: data-vault-0
+  labels:
+    # https://fluxcd.io/flux/components/kustomize/kustomizations/#controlling-the-apply-behavior-of-resources
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
+spec:
+  trigger:
+    manual: restore-once
+  restic:
+    repository: vault-volsync
+    copyMethod: Snapshot
+    volumeSnapshotClassName: csi-ceph-blockpool
+    cacheStorageClassName: ceph-block
+    cacheAccessModes:
+      - ReadWriteOnce
+    cacheCapacity: 1Gi
+    storageClassName: ceph-block
+    accessModes:
+      - ReadWriteOnce
+    capacity: 1Gi
+    moverSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+    enableFileDeletion: true
+    cleanupCachePVC: true
+    cleanupTempPVC: true
diff --git a/kubernetes/talos-flux/apps/secops/vault/app/replication-source.yaml b/kubernetes/talos-flux/apps/secops/vault/app/replication-source.yaml
@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: data-vault-0
+spec:
+  sourcePVC: data-vault-0
+  trigger:
+    schedule: "0 * * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 14
+    repository: vault-volsync
+    volumeSnapshotClassName: csi-ceph-blockpool
+    cacheCapacity: 1Gi
+    cacheStorageClassName: ceph-block
+    cacheAccessModes:
+      - ReadWriteOnce
+    storageClassName: ceph-block
+    accessModes:
+      - ReadWriteOnce
+    moverSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+    retain:
+      hourly: 24
+      daily: 7
diff --git a/kubernetes/talos-flux/apps/secops/vault/app/secret.sops.yaml b/kubernetes/talos-flux/apps/secops/vault/app/secret.sops.yaml
@@ -0,0 +1,31 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: vault-volsync
+type: Opaque
+stringData:
+    RESTIC_REPOSITORY: ENC[AES256_GCM,data:V1LWj4tIw0SK8gIc1kUSUBcFXiVJJjDNElIxnShLtMKdjFHtimFR9feHJB19/F7XBQg1x/qx8PYGEIAHciF1Y8k=,iv:eV2CHE45Xa0qxvcHhmVNqdMUo5/zDScYqiZOAEco1aM=,tag:F6lCn0mE3Msvb6g4YEAppw==,type:str]
+    RESTIC_PASSWORD: ENC[AES256_GCM,data:d3vlyt/1LiRU0qEulmVs3lb1fig=,iv:5ertT2XYVCb34HVv8mswB2shIWFji2/GeOk9lnKTDCk=,tag:Wt/i1dyob4qNdWI7p0LdLA==,type:str]
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:JEXZW41lEw==,iv:pduvJsbyBRNMiP6rJ5T7mz79rdW5VLpR/Y3lOXHKU8A=,tag:HZKS59FvxO4FwZrb3LhKmg==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:aguU70F7QhX2FSEJFmknY8+31PbPIXdF0iGArAkBIihiGhAfOMkD6upDfpZmuZYQcJJgRPpH2jk=,iv:I/9UIpgz0uXHzhhlbV4481gS9KRtm1ZhzvoxJScGsxg=,tag:ax0t2h1ltyPkk+0TgnMCIg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age16zqeqx5y6ay3flwz0d06rn83yjv9ckys3j8tpkysf9v6295fhc6sf4r0uj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYjdZeVptaDlPZW9idmtP
+            UkRGdmxyb0REM2s4dnZVSERQNFFSRHlqVkcwClJlZHVhQUVnUm16QVloazMyUUFx
+            Q24vakF5RUEvMTExZ0lPa1RXblFEV3cKLS0tIFNMcGx3NzRQT0U4MTZER0FQUzh3
+            SThDODl4ZFFMMUlxM3BneWlrNDdjdUUKm16agevW+HLV4al0q2m5W/SyS84E5SXh
+            QfWlkG1byRaLRQ+tMeTuCN0tk2A2asmSPygQ1IKo4AO9kMirDEjQ6w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-28T19:30:41Z"
+    mac: ENC[AES256_GCM,data:NOB6QrddiPAq34BgrKCAhpe5B0MVEhrslMV1j9ZGcPKeFhOtvJn+heSEcBZwmiowrFOyJp3bDESfi/FIT4XPf1DO34cmrNm/0mc2mxJYrZETWdkTag/7FoVQu4QM4fXKw89Bgt1aETDWhlHtc+hzY4DuAybCbpVNkXd03nhBfNw=,iv:hSO4N72O7Bflgw6Hzmgpqw4Evu4EsmVOcCEMEI9iv40=,tag:JD+IQk+ZmtwPVBXqVKVfcQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.3