install k8up

_apps/k8up.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: k8up
+  namespace: argocd
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: k8up
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: k8up
+    repoURL: https://git.tbrnt.ch/tobru/gitops-tbrnt.git
+    targetRevision: HEAD
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: k8up

k8up/README.md

@@ -0,0 +1,13 @@
+# K8up installation
+
+## Edit credentials
+
+```
+vim ../../gitops-tbrnt-private/k8up/global-backup-secret.yaml
+kubeseal --controller-namespace sealed-secrets -o yaml -n k8up < ../../gitops-tbrnt-private/k8up/global-backup-secret.yaml > global-backup-secret.yaml
+```
+
+```
+vim ../../gitops-tbrnt-private/k8up/global-s3-credentials.yaml
+kubeseal --controller-namespace sealed-secrets -o yaml -n k8up < ../../gitops-tbrnt-private/k8up/global-s3-credentials.yaml > global-s3-credentials-secret.yaml
+```

k8up/global-backup-secret.yaml

@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: global-backup-secret
+  namespace: k8up
+spec:
+  encryptedData:
+    secret: AgCabeCFgQ27fELHeM6gKPmdWvLQd7fM6IzydKKsYCetfvkM6WVFW/SLVbHAyBi2G1Dz26LT2KuCASiB45hprkFlQX3ou1E30CXWZVXJPXQv0r8dqYXWJkMVBqg2Fy7HjoQlSBjRg14X7lMiI4D4VghBHQQJ5IY1FGe9LH8Uw0Z2ChCPsdNuIqkuMUaYpvbFznUjDnVaRmp3/C1Vl60wcsis3tCoOQUE6zACJR4OB+ZA1vCkzskDueO2eL+jm30Is8ht2ZJj8cw34lEjvHhSVDXYT3j09UATre4ckh42JHDH1J79JwxpVnKYQRzCAXKNWcJseRrWwzydWE9yKp3T9/PwulWfssGeLZ8lZ3MMFioQlQujCsmBkyzFk3ZlTKSzL0o5tHWW57ReV7G/q7611MjlJlpc45tdHokYBBDtXPPu7Nk8YA49H7c4EblF0ITskTWLVfAm9Gvw4ZC6IFp4k6hPIQXaOXi03mEza4xzZvYaia98fmfzyNzb9zqm+uuYYZKolVzme7wEvDooQIi4E1gpLqwUOUkzNsMa6GokXzcw0+eAmwW4JkkgMhphtEJCRiqa0javqc7wVc3XY4nVZ7E7BIfXS7fo7KX0jKqezywNJ7bNZMA50T0vsYIoVVE2xldyxnThz8FzwEXtrhChi9kkuJ4PdvOUEl9etxORzsSBwDMa7y15mUCRPqmyZeDIb1rnqqcwGg2wX0FaY2tCu2Jxfy3eIm1nNDG69TPYNnPdhXfGX3W29f3kXMgSZy0=
+  template:
+    metadata:
+      creationTimestamp: null
+      name: global-backup-secret
+      namespace: k8up
+    type: Opaque
+status: {}
+

k8up/global-s3-credentials-secret.yam

@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: global-s3-credentials
+  namespace: k8up
+spec:
+  encryptedData:
+    access-key-id: AgAc6iUhEEjhnFw/b/Rg5k8WWrDp0213O8MqBR5Zr0qwnReh5L+cr4OMfe/wOCDfxutTa5QIAAHc2UkLT7j5yttvH2gGQr8bLylvWNkNL+IaQ9KUDTwKC+CukLpero0Qxvs2ghOglAdmDg/TVKUMLZtvMFVOZ7cRgDpPjPuV3wVbFxBLuuVL/fg1151XrqtjDF7Wwrk4zpHwPl1aJJNEW8Y4C5zcVXiq+770G0lAQs6Hnwn443hbktzyJdLZ76YmAA4eiMoqAPvjkaCdHnjTJDzy0HtY7eU2bwP5FU1IDfNqQC3NmdjoqMmAe5E7FxvNUq1ZKW9cl9W8105uqH/XyK3Uis/ikn+fYI/CdGJK7YVU5OIG7hACo90Ah2NwAFCcLrplVTKMwbcPSnLwMrPIEMliWP44AqJ+3ROUvLdEvkmI6ovKRlKqHBA0KRHrW91tVUXohlciBpBS3pAk9qlyg474bXoelqoxfvwpBMXETZ0eatBaZHoqClvTkeknKEzwub/3zi2/PxIJ+z38LPBlktyiRvK0RxgHK+4G0rcAR4h54vBzMCn2EW1iAK89p9GoJYToHe34HSNqeM6Ny2lBBhx/wXcsN2xld1dAPC7FjfySTHpZ6nb+2uQIQGZL2CMvOA1KPXC4tGctf3KeANsFJhuRuEjflEXCJfxpRLNQKGAZJOrOeMYeZWczGrA++qZmLSSSga7NAmpja/cNbqNw0uqnTrd8SA==
+    access-key-secret: AgAoETPPcSXpB3pR/SWsJyAODN6j5nsClO6Hgj+v7hkbucAb0XxR/6DhUoVNemQN+4N1se3xIrnftJtVf/RG4wLFIUyva4yBFm/aMAQfuAVpWolTeRJmt+ybaFkfUhNa48hwqNy3WHwupZ00gRxXTw7iKe/pIUvNIDBSKTeZxli89theqQi1xmPHi/90jjPdXDwab1UJ+FhFKvEM78C3dUfgANnDfBrLihTdVvjRGWpBqe3MJXs3hscSiCA9kcrnkNDcnCcMNlaN/qskRysrtmRkWHao4QQtbXMWhjZbV0aoTdPY/b5/aTbCRSGYDT49Fl/yXy+HhhKdd4WHRMN7CWRqDCgDkRRoDfgpWvbNMJNkZ47E6tovTN9DwBb7+gBiSwMA6IeukYOPCt5elgUJCxvUQ5892KhZEOqsjPaXXva0V6PlHlkuzh9ijLzUtZoHdRMcZvzxcu6CtM3ZTPeuxQPRpzCDXO6RmjveBTL2ZOyaZeZ2F8DlNrfDl1IHCqXJMbD99pUiIcrTO7PBEauUUMeSI4hj6/dOHHnEwUVSYTCMzYm1kMVUz94XJqwFwSVDS4/d3lVnr6Te6OZWLYWoajW7gxK0+wb545jfw9gRqBUaC74OeMaXeVjLh1vjGvHxgXaJvLWrav1D3Y/79W4Psdo4Ku0vTg6qf8eUmeO/93RJFyZ+bL1LiR6aAfkX8Oh761/VMsAR080qIMBSB3XsFV9na8CUbdLgZ+LbJgWZaoplYOLEQw3DBzMZ
+  template:
+    metadata:
+      creationTimestamp: null
+      name: global-s3-credentials
+      namespace: k8up
+    type: Opaque
+status: {}
+

k8up/k8up.yaml

@@ -0,0 +1,197 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: k8up
+  namespace: k8up
+  labels:
+    app: k8up
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  name: k8up
+  labels:
+    app: k8up
+rules:
+- apiGroups:
+    - apiextensions.k8s.io
+  resources:
+    - customresourcedefinitions
+  verbs:
+    - get
+    - watch
+    - list
+    - create
+    - edit
+    - patch
+- apiGroups:
+  - backup.appuio.ch
+  resources:
+    - '*'
+  verbs:
+    - '*'
+- apiGroups:
+  - ''
+  resources:
+  - pods
+  - pods/exec
+  - persistentvolumeclaims
+  - events
+  - serviceaccounts
+  verbs:
+  - '*'
+- apiGroups:
+  - batch
+  resources:
+  - jobs
+  verbs:
+  - '*'
+- apiGroups:
+  - rbac.authorization.k8s.io
+  resources:
+  - rolebindings
+  - roles
+  verbs:
+  - '*'
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: k8up-edit
+  labels:
+    app: k8up
+    # Add these permissions to the "admin" and "edit" default roles.
+    rbac.authorization.k8s.io/aggregate-to-admin: "true"
+    rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+  - apiGroups:
+      - backup.appuio.ch
+    resources:
+      - "*"
+    verbs:
+      - "*"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+  name: k8up-view
+  labels:
+    app: k8up
+    # Add these permissions to the "view" default role.
+    rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+  - apiGroups:
+      - backup.appuio.ch
+    resources:
+      - "*"
+    verbs:
+      - get
+      - list
+      - watch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+  labels:
+    app: k8up
+  name: k8up
+subjects:
+- kind: ServiceAccount
+  name: k8up
+  namespace: k8up
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  name: k8up
+  kind: ClusterRole
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: k8up-metrics
+  namespace: k8up
+  labels:
+    app: k8up
+spec:
+  ports:
+  - name: "8080"
+    port: 8080
+    protocol: TCP
+    targetPort: 8080
+  selector:
+    app: k8up
+  sessionAffinity: None
+  type: ClusterIP
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+  name: k8up
+  namespace: k8up
+  labels:
+    app: k8up
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: k8up
+  template:
+    metadata:
+      labels:
+        app: k8up
+    spec:
+      containers:
+      - name: k8up-operator
+        image: docker.io/vshn/k8up:v0.1.7
+        imagePullPolicy: Always
+        env:
+        - name: BACKUP_IMAGE
+          value: docker.io/vshn/wrestic:v0.1.8
+        - name: BACKUP_GLOBALACCESSKEYID
+          valueFrom:
+            secretKeyRef:
+              name: global-s3-credentials
+              key: access-key-id
+        - name: BACKUP_GLOBALSECRETACCESSKEY
+          valueFrom:
+            secretKeyRef:
+              name: global-s3-credentials
+              key: access-key-secret
+        - name: BACKUP_GLOBALREPOPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: global-backup-secret
+              key: secret
+        - name: BACKUP_GLOBALS3ENDPOINT
+          value: http://10.42.42.2:9000
+        - name: BACKUP_GLOBALS3BUCKET
+          value: knurrli-k8up
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        resources:
+          limits:
+            cpu: 1
+            memory: 2Gi
+          requests:
+            cpu: 0.5
+            memory: 0.5Gi
+      serviceAccountName: k8up
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: k8up
+  namespace: k8up
+  labels:
+    release: prometheus-operator
+spec:
+  endpoints:
+  - interval: 30s
+    path: /metrics
+    port: http
+  namespaceSelector:
+    matchNames:
+    - k8up
+  selector:
+    matchLabels:
+      app: k8up