From 04335dfbcc47e511e41ecd2be7e2969d1df3aba3 Mon Sep 17 00:00:00 2001
From: Jazzlyn <9011011+jazzlyn@users.noreply.github.com>
Date: Tue, 28 Jan 2025 20:32:54 +0100
Subject: [PATCH] feat(vault): setup volsync backup

---
 .../apps/secops/vault/app/kustomization.yaml | 4 +++
 .../vault/app/persistent-volume-claim.yaml | 16 ++++++++++
 .../vault/app/replication-destination.yaml | 31 +++++++++++++++++++
 .../secops/vault/app/replication-source.yaml | 29 +++++++++++++++++
 .../apps/secops/vault/app/secret.sops.yaml | 31 +++++++++++++++++++
 5 files changed, 111 insertions(+)
 create mode 100644 kubernetes/talos-flux/apps/secops/vault/app/persistent-volume-claim.yaml
 create mode 100644 kubernetes/talos-flux/apps/secops/vault/app/replication-destination.yaml
 create mode 100644 kubernetes/talos-flux/apps/secops/vault/app/replication-source.yaml
 create mode 100644 kubernetes/talos-flux/apps/secops/vault/app/secret.sops.yaml

diff --git a/kubernetes/talos-flux/apps/secops/vault/app/kustomization.yaml b/kubernetes/talos-flux/apps/secops/vault/app/kustomization.yaml
index 51567a423..a0f7043af 100644
--- a/kubernetes/talos-flux/apps/secops/vault/app/kustomization.yaml
+++ b/kubernetes/talos-flux/apps/secops/vault/app/kustomization.yaml
@@ -3,4 +3,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - secret.sops.yaml
   - helm-release.yaml
+  # - persistent-volume-claim.yaml
+  - replication-source.yaml
+  # - replication-destination.yaml
diff --git a/kubernetes/talos-flux/apps/secops/vault/app/persistent-volume-claim.yaml b/kubernetes/talos-flux/apps/secops/vault/app/persistent-volume-claim.yaml
new file mode 100644
index 000000000..64dedb0f1
--- /dev/null
+++ b/kubernetes/talos-flux/apps/secops/vault/app/persistent-volume-claim.yaml
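Review bot: The two commented-out entries at the end of `resources` encode a restore procedure that nothing in this change documents, so a later operator has to work out from the PVC's `dataSourceRef` when to flip them. I would put the procedure above them: `# restore: uncomment persistent-volume-claim.yaml and replication-destination.yaml so data-vault-0 is bootstrapped from the restic repository, then re-comment both once the restore-once trigger has completed`. Because the claim name `data-vault-0` looks like one the Vault chart creates itself (the HelmRelease is outside this diff), the note should also say that the restore claim has to exist before the chart's own claim does — confirm against the chart's volumeClaimTemplates.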
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: data-vault-0
+spec:
+  accessModes:
+    - ReadWriteOnce
+  dataSourceRef:
+    kind: ReplicationDestination
+    apiGroup: volsync.backube
+    name: data-vault-0
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: ceph-block
diff --git a/kubernetes/talos-flux/apps/secops/vault/app/replication-destination.yaml b/kubernetes/talos-flux/apps/secops/vault/app/replication-destination.yaml
new file mode 100644
index 000000000..7a4f4dd6d
--- /dev/null
+++ b/kubernetes/talos-flux/apps/secops/vault/app/replication-destination.yaml
@@ -0,0 +1,31 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/volsync.backube/replicationdestination_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationDestination
+metadata:
+  name: data-vault-0
+  labels:
+    # https://fluxcd.io/flux/components/kustomize/kustomizations/#controlling-the-apply-behavior-of-resources
+    kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
+spec:
+  trigger:
+    manual: restore-once
+  restic:
+    repository: vault-volsync
+    copyMethod: Snapshot
+    volumeSnapshotClassName: csi-ceph-blockpool
+    cacheStorageClassName: ceph-block
+    cacheAccessModes:
+      - ReadWriteOnce
+    cacheCapacity: 1Gi
+    storageClassName: ceph-block
+    accessModes:
+      - ReadWriteOnce
+    capacity: 1Gi
+    moverSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+    enableFileDeletion: true
+    cleanupCachePVC: true
+    cleanupTempPVC: true
diff --git a/kubernetes/talos-flux/apps/secops/vault/app/replication-source.yaml b/kubernetes/talos-flux/apps/secops/vault/app/replication-source.yaml
new file mode 100644
index 000000000..f1025c8c1
--- /dev/null
+++ b/kubernetes/talos-flux/apps/secops/vault/app/replication-source.yaml
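Review bot: `storage: 1Gi` on the restore claim is a hard-coded size that must be at least as large as the claim it replaces, and the size of the live `data-vault-0` is not visible here because it comes from the HelmRelease outside this diff. A restore into a smaller claim either fails or comes up with a full volume, which for Vault means a storage backend that cannot write. The same `1Gi` is repeated as `capacity` in replication-destination.yaml, so both have to move together; I would pin that above `storage:` with `# must match (or exceed) the data volume size in helm-release.yaml and capacity in replication-destination.yaml`.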
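Review bot: The destination under `spec.restic` restores whatever snapshot is newest in the repository, but the incident-response case for a Vault data volume is usually "roll back to the last known-good state before a corruption or compromise", which needs a pinned restore point. VolSync's restic destination supports `restoreAsOf` (an RFC3339 timestamp) and `previous` (step back N snapshots); I would leave a commented placeholder next to `repository:` so the operator knows where it goes: `# restoreAsOf: "2025-01-28T00:00:00Z"  # pin a known-good snapshot when recovering from corruption/compromise`. Separately, `moverSecurityContext` writes restored files as uid/gid 1000; if the Vault pod runs as a different user (the upstream chart, if that is what the HelmRelease uses, defaults to runAsUser 100 with fsGroup 1000), confirm the restored volume is readable and writable by it before relying on this path.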
@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: data-vault-0
+spec:
+  sourcePVC: data-vault-0
+  trigger:
+    schedule: "0 * * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 14
+    repository: vault-volsync
+    volumeSnapshotClassName: csi-ceph-blockpool
+    cacheCapacity: 1Gi
+    cacheStorageClassName: ceph-block
+    cacheAccessModes:
+      - ReadWriteOnce
+    storageClassName: ceph-block
+    accessModes:
+      - ReadWriteOnce
+    moverSecurityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000
+    retain:
+      hourly: 24
+      daily: 7
diff --git a/kubernetes/talos-flux/apps/secops/vault/app/secret.sops.yaml b/kubernetes/talos-flux/apps/secops/vault/app/secret.sops.yaml
new file mode 100644
index 000000000..e82ee7680
--- /dev/null
+++ b/kubernetes/talos-flux/apps/secops/vault/app/secret.sops.yaml
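Review bot: The hourly `copyMethod: Snapshot` takes a crash-consistent block copy of `data-vault-0` while Vault is running, with no quiesce step, and whether such a copy restores cleanly depends on the storage backend configured in the HelmRelease outside this diff. If Vault uses integrated (Raft) storage, the supported backup is `vault operator raft snapshot save`; a filesystem copy of the raft database taken mid-write may be rejected or lose the most recent writes on restore, so that caveat belongs in a comment on `trigger:` or the raft snapshot should be written into the volume ahead of the CSI snapshot so restic picks it up. Also note that `pruneIntervalDays: 14` plus the `retain` block means the S3 credentials in `vault-volsync` need delete rights on the bucket; a comment here, `# prune/forget require delete permission on the bucket`, stops someone later narrowing the key to read/write and silently breaking retention.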
@@ -0,0 +1,31 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: vault-volsync
+type: Opaque
+stringData:
+    RESTIC_REPOSITORY: ENC[AES256_GCM,data:V1LWj4tIw0SK8gIc1kUSUBcFXiVJJjDNElIxnShLtMKdjFHtimFR9feHJB19/F7XBQg1x/qx8PYGEIAHciF1Y8k=,iv:eV2CHE45Xa0qxvcHhmVNqdMUo5/zDScYqiZOAEco1aM=,tag:F6lCn0mE3Msvb6g4YEAppw==,type:str]
+    RESTIC_PASSWORD: ENC[AES256_GCM,data:d3vlyt/1LiRU0qEulmVs3lb1fig=,iv:5ertT2XYVCb34HVv8mswB2shIWFji2/GeOk9lnKTDCk=,tag:Wt/i1dyob4qNdWI7p0LdLA==,type:str]
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:JEXZW41lEw==,iv:pduvJsbyBRNMiP6rJ5T7mz79rdW5VLpR/Y3lOXHKU8A=,tag:HZKS59FvxO4FwZrb3LhKmg==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:aguU70F7QhX2FSEJFmknY8+31PbPIXdF0iGArAkBIihiGhAfOMkD6upDfpZmuZYQcJJgRPpH2jk=,iv:I/9UIpgz0uXHzhhlbV4481gS9KRtm1ZhzvoxJScGsxg=,tag:ax0t2h1ltyPkk+0TgnMCIg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age16zqeqx5y6ay3flwz0d06rn83yjv9ckys3j8tpkysf9v6295fhc6sf4r0uj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYjdZeVptaDlPZW9idmtP
+            UkRGdmxyb0REM2s4dnZVSERQNFFSRHlqVkcwClJlZHVhQUVnUm16QVloazMyUUFx
+            Q24vakF5RUEvMTExZ0lPa1RXblFEV3cKLS0tIFNMcGx3NzRQT0U4MTZER0FQUzh3
+            SThDODl4ZFFMMUlxM3BneWlrNDdjdUUKm16agevW+HLV4al0q2m5W/SyS84E5SXh
+            QfWlkG1byRaLRQ+tMeTuCN0tk2A2asmSPygQ1IKo4AO9kMirDEjQ6w==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-28T19:30:41Z"
+    mac: ENC[AES256_GCM,data:NOB6QrddiPAq34BgrKCAhpe5B0MVEhrslMV1j9ZGcPKeFhOtvJn+heSEcBZwmiowrFOyJp3bDESfi/FIT4XPf1DO34cmrNm/0mc2mxJYrZETWdkTag/7FoVQu4QM4fXKw89Bgt1aETDWhlHtc+hzY4DuAybCbpVNkXd03nhBfNw=,iv:hSO4N72O7Bflgw6Hzmgpqw4Evu4EsmVOcCEMEI9iv40=,tag:JD+IQk+ZmtwPVBXqVKVfcQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.3
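Review bot: This file is the only copy of `RESTIC_PASSWORD` and the S3 credentials that the diff shows, and it is encrypted to a single `age` recipient; if the cluster and that age private key are lost together, every snapshot in the repository is unreadable, which is exactly the scenario a Vault backup exists for. Keep the restic password and the age key somewhere offline and say so in the file, e.g. above `stringData:`: `# RESTIC_PASSWORD and the age key are also held offline; without them the restic repository cannot be read`. Note too that sops' AES-GCM ciphertext preserves plaintext length, and the `AWS_ACCESS_KEY_ID` payload decodes to 7 bytes, which suggests an S3-compatible self-hosted endpoint rather than AWS; whichever it is, confirm the key is scoped to this one bucket, since both the source and the restore mover pods are handed the full credential.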