From b00551716bb5c1e33bb8227c7374d53b24b071ec Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Nils=20M=C3=BCller?=
Date: Sat, 1 Feb 2025 18:52:56 +0100
Subject: [PATCH] feat(ring-mqtt): add pvc and init-container to persist token and config - add backup
---
 .../ring-mqtt/app/helm-release.yaml | 23 +++++++++++---
 .../ring-mqtt/app/kustomization.yaml | 4 +++
 .../app/persistent-volume-claim.yaml | 16 ++++++++++
 .../app/replication-destination.yaml | 31 +++++++++++++++++++
 .../ring-mqtt/app/replication-source.yaml | 28 +++++++++++++++++
 .../ring-mqtt/app/secret.sops.yaml | 31 +++++++++++++++++++
 6 files changed, 129 insertions(+), 4 deletions(-)
 create mode 100644 kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/persistent-volume-claim.yaml
 create mode 100644 kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/replication-destination.yaml
 create mode 100644 kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/replication-source.yaml
 create mode 100644 kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/secret.sops.yaml
diff --git a/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/helm-release.yaml b/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/helm-release.yaml
index 0cd9f4fa7..35262fc6a 100644
--- a/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/helm-release.yaml
+++ b/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/helm-release.yaml
@@ -31,6 +31,21 @@ spec:
 ring-mqtt:
 annotations:
 reloader.stakater.com/auto: "true"
+ initContainers:
+ copy-config:
+ image:
+ repository: busybox
+ tag: 1.33.1
+ command:
+ - sh
+ - -c
+ - |
+ if [ ! -f /data/config.json ]; then
+ cp /config/config.json /data/config.json
+ fi
+ if [ ! -f /data/ring-state.json ]; then
+ cp /config/ring-state.json /data/ring-state.json
+ fi
 containers:
 app:
 env:
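Review bot: The shell in the `- |` block under `command:` has no `set -e`, so a failed `cp` (a key missing from the ring-mqtt-config secret, or /config not mounted) still exits 0 and the app container starts without its config; add `set -eu` as the first line of the block. The `! -f` guards mean a file already on the claim is never overwritten, so a rotated token in the secret is not picked up even though `reloader.stakater.com/auto` restarts the pod — presumably intended because ring-mqtt rewrites ring-state.json itself, but it deserves a comment above `initContainers:` such as `# seed /data once; after that the copy on the PVC is authoritative and a new secret only applies once the file is removed from the claim`. `tag: 1.33.1` is a busybox release several years old and is not pinned by digest; use a current tag in the form `tag: <version>@sha256:<digest>` (placeholder). The init container sets no securityContext, so the copied files take the image's default uid; whether the app container (outside the hunk) can rewrite ring-state.json under that ownership is not visible here — TODO confirm. The ring-mqtt controller block continues past the end of the hunk.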
@@ -97,18 +112,18 @@ spec:
 persistence:
 data:
- type: emptyDir
+ existingClaim: ring-mqtt-data
 globalMounts:
 - path: /data
 credentials:
 type: secret
 name: ring-mqtt-config
 advancedMounts:
- ring-mqtt:
+ copy-config:
 config:
- - path: /data/config.json
+ - path: /config/config.json
 subPath: config.json
 readOnly: true
- - path: /data/ring-state.json
+ - path: /config/ring-state.json
 subPath: ring-state.json
 readOnly: true
diff --git a/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/kustomization.yaml b/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/kustomization.yaml
index 36a7c3a4e..3d755de83 100644
--- a/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/kustomization.yaml
+++ b/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/kustomization.yaml
@@ -4,4 +4,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - external-secret.yaml
+ - secret.sops.yaml
+ - persistent-volume-claim.yaml
+ - replication-source.yaml
+ - replication-destination.yaml
 - helm-release.yaml
diff --git a/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/persistent-volume-claim.yaml b/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/persistent-volume-claim.yaml
new file mode 100644
index 000000000..d65de7f27
--- /dev/null
+++ b/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/persistent-volume-claim.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: ring-mqtt-data
+spec:
+ accessModes:
+ - ReadWriteOnce
+ dataSourceRef:
+ kind: ReplicationDestination
+ apiGroup: volsync.backube
+ name: ring-mqtt-data
+ resources:
+ requests:
+ storage: 10Mi
+ storageClassName: ceph-block
diff --git a/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/replication-destination.yaml b/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/replication-destination.yaml
new file mode 100644
index 000000000..d6c7e5915
--- /dev/null
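Review bot: The resource list now mixes two secret mechanisms in one app — `external-secret.yaml` for the ring-mqtt config and the new `secret.sops.yaml` for the volsync credentials — which a later reader will take for an accident rather than a decision. A one-line comment above `- secret.sops.yaml`, e.g. `# restic repository + S3 credentials are kept in sops instead of the external secret store`, records the reason; if there is none, sourcing them through the same ExternalSecret path keeps the app consistent.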
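Review bot: `dataSourceRef` ties the claim's binding to the ring-mqtt-data ReplicationDestination completing its `restore-once` run, so on a first deploy where the restic repository holds no snapshot yet the outcome is not obvious from this file; confirm that the volsync version in use populates an empty volume in that case rather than leaving the PVC Pending. Record the dependency with a comment above `dataSourceRef:` such as `# populated from the latest restic snapshot via replication-destination.yaml; the claim binds only after that restore finishes`. `storage: 10Mi` also has to stay in step with the destination's `capacity: 10Mi`, which is worth noting next to it.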
+++ b/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/replication-destination.yaml
@@ -0,0 +1,31 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/volsync.backube/replicationdestination_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationDestination
+metadata:
+ name: ring-mqtt-data
+ labels:
+ # https://fluxcd.io/flux/components/kustomize/kustomizations/#controlling-the-apply-behavior-of-resources
+ kustomize.toolkit.fluxcd.io/ssa: IfNotPresent
+spec:
+ trigger:
+ manual: restore-once
+ restic:
+ repository: ring-mqtt-volsync
+ copyMethod: Snapshot
+ volumeSnapshotClassName: csi-ceph-blockpool
+ cacheStorageClassName: ceph-block
+ cacheAccessModes:
+ - ReadWriteOnce
+ cacheCapacity: 10Mi
+ storageClassName: ceph-block
+ accessModes:
+ - ReadWriteOnce
+ capacity: 10Mi
+ moverSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ enableFileDeletion: true
+ cleanupCachePVC: true
+ cleanupTempPVC: true
diff --git a/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/replication-source.yaml b/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/replication-source.yaml
new file mode 100644
index 000000000..33cc0c5b1
--- /dev/null
+++ b/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/replication-source.yaml
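Review bot: The `kustomize.toolkit.fluxcd.io/ssa: IfNotPresent` label makes Flux apply this object only when it does not yet exist, so later edits to this file (`capacity`, `moverSecurityContext`, `enableFileDeletion`) are silently never reconciled until the ReplicationDestination is deleted; the linked comment gives the mechanism but not that consequence. Extend it with `# IfNotPresent: created once and never updated by Flux — delete the object to apply spec changes`. `capacity: 10Mi` must also match the claim's `storage: 10Mi` in persistent-volume-claim.yaml, which deserves a comment beside it.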
@@ -0,0 +1,28 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/volsync.backube/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+ name: ring-mqtt-data
+spec:
+ sourcePVC: ring-mqtt-data
+ trigger:
+ schedule: "15 * * * *"
+ restic:
+ copyMethod: Snapshot
+ pruneIntervalDays: 1
+ repository: ring-mqtt-volsync
+ volumeSnapshotClassName: csi-ceph-blockpool
+ cacheCapacity: 10Mi
+ cacheStorageClassName: ceph-block
+ cacheAccessModes:
+ - ReadWriteOnce
+ storageClassName: ceph-block
+ accessModes:
+ - ReadWriteOnce
+ moverSecurityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ retain:
+ hourly: 24
diff --git a/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/secret.sops.yaml b/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/secret.sops.yaml
new file mode 100644
index 000000000..6a1f16328
--- /dev/null
+++ b/kubernetes/talos-flux/apps/home-automation/ring-mqtt/app/secret.sops.yaml
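Review bot: The hourly snapshot of `sourcePVC: ring-mqtt-data` captures /data, which after the helm-release change holds ring-state.json, i.e. the Ring refresh token; the restic repository behind `repository: ring-mqtt-volsync` therefore becomes a second store of that credential, protected only by RESTIC_PASSWORD and the S3 keys in the same secret. That is a reasonable trade-off but should be written down, e.g. above `sourcePVC:`: `# backs up /data including ring-state.json (Ring refresh token); a revoked token remains restorable for the retain window`. With `hourly: 24` and `pruneIntervalDays: 1` that window is about a day, which is worth stating next to `retain:` so nobody widens retention without noticing what it keeps.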
@@ -0,0 +1,31 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ring-mqtt-volsync
+type: Opaque
+stringData:
+ RESTIC_REPOSITORY: ENC[AES256_GCM,data:cKZ32zpgkuv9c9N2vIpykoQ2O0foCkhDwXKG0Sstuq4xaI0aS2J+ilOWWk0wCYaBK+MNG7ov0ESoilqisdidBKTYpMDRj7Y=,iv:AMNP9Gx/Ik/j/MKtqdTiGYttZPITlcxUqS9aXVSpurE=,tag:GsH0fbCWFDv4e3sRzGmr9g==,type:str]
+ RESTIC_PASSWORD: ENC[AES256_GCM,data:aZN+GSkhZ1lkUNjhN5F6Ve2hRwU3Jguna7tV6wP25xJmx7OEA+6lH7WyPqD2PoUUUi1msrx85NToxFxOec2jHg==,iv:SwySPIfWkgVngdMunyjk1KWEzQ/aa3/L7zvy5Z7+xJo=,tag:EbHYG9o0g6Vqp7kubkny+w==,type:str]
+ AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:JEXZW41lEw==,iv:pduvJsbyBRNMiP6rJ5T7mz79rdW5VLpR/Y3lOXHKU8A=,tag:HZKS59FvxO4FwZrb3LhKmg==,type:str]
+ AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:aguU70F7QhX2FSEJFmknY8+31PbPIXdF0iGArAkBIihiGhAfOMkD6upDfpZmuZYQcJJgRPpH2jk=,iv:I/9UIpgz0uXHzhhlbV4481gS9KRtm1ZhzvoxJScGsxg=,tag:ax0t2h1ltyPkk+0TgnMCIg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age16zqeqx5y6ay3flwz0d06rn83yjv9ckys3j8tpkysf9v6295fhc6sf4r0uj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzYjdZeVptaDlPZW9idmtP
+ UkRGdmxyb0REM2s4dnZVSERQNFFSRHlqVkcwClJlZHVhQUVnUm16QVloazMyUUFx
+ Q24vakF5RUEvMTExZ0lPa1RXblFEV3cKLS0tIFNMcGx3NzRQT0U4MTZER0FQUzh3
+ SThDODl4ZFFMMUlxM3BneWlrNDdjdUUKm16agevW+HLV4al0q2m5W/SyS84E5SXh
+ QfWlkG1byRaLRQ+tMeTuCN0tk2A2asmSPygQ1IKo4AO9kMirDEjQ6w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-02-01T17:41:56Z"
+ mac: ENC[AES256_GCM,data:4zhtkkc0AASF4O2bWCnxkNj6zfw0nfq7wc2RA9RvH9UDf1LasqchFf3dPeVtKRQpx3RaFgIwhxWgA8NzdT95bor0ZmIJJaTYl6MLVygp0a19jhLqxk8ZAdURp/JuOOVfqRkIt3KWlSuDffRUaY4SXttB7U+IVil0IvYnvsVf+0A=,iv:r3UQ81IDllGoCS4AxVkM7kTOZEL83Sd4rS56euaP3iw=,tag:SaTWt6KwXfkik+ms81goKw==,type:str]
+ pgp: []
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.3