diff --git a/_apps/k8up.yaml b/_apps/k8up.yaml
new file mode 100644
index 0000000..283ad1c
--- /dev/null
+++ b/_apps/k8up.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: k8up
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ destination:
+ namespace: k8up
+ server: https://kubernetes.default.svc
+ project: default
+ source:
+ path: k8up
+ repoURL: https://git.tbrnt.ch/tobru/gitops-tbrnt.git
+ targetRevision: HEAD
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: k8up
diff --git a/k8up/README.md b/k8up/README.md
new file mode 100644
index 0000000..3ff55df
--- /dev/null
+++ b/k8up/README.md
@@ -0,0 +1,13 @@
+# K8up installation
+
+## Edit credentials
+
+```
+vim ../../gitops-tbrnt-private/k8up/global-backup-secret.yaml
+kubeseal --controller-namespace sealed-secrets -o yaml -n k8up < ../../gitops-tbrnt-private/k8up/global-backup-secret.yaml > global-backup-secret.yaml
+```
+
+```
+vim ../../gitops-tbrnt-private/k8up/global-s3-credentials.yaml
+kubeseal --controller-namespace sealed-secrets -o yaml -n k8up < ../../gitops-tbrnt-private/k8up/global-s3-credentials.yaml > global-s3-credentials-secret.yaml
+```
diff --git a/k8up/global-backup-secret.yaml b/k8up/global-backup-secret.yaml
new file mode 100644
index 0000000..21c10ca
--- /dev/null
+++ b/k8up/global-backup-secret.yaml
@@ -0,0 +1,17 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: global-backup-secret
+ namespace: k8up
+spec:
+ encryptedData:
+ secret: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: global-backup-secret
+ namespace: k8up
+ type: Opaque
+status: {}
+
diff --git a/k8up/global-s3-credentials-secret.yam b/k8up/global-s3-credentials-secret.yam
new file mode 100644
index 0000000..4d38eac
--- /dev/null
+++ b/k8up/global-s3-credentials-secret.yam
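Review bot: In `_apps/k8up.yaml`, `project: default` combined with `targetRevision: HEAD` means anything that reaches the repository's default branch can be synced with no project-level restriction, and the `k8up` path this Application points at carries cluster-scoped RBAC. A dedicated AppProject that allows only the `k8up` destination namespace and the cluster resource kinds actually needed would bound that, and `targetRevision` could be pinned to a tag or commit if branch protection on the repository is not enforced. No `syncPolicy` is set, so syncing stays manual; if that is deliberate, a short comment such as `# manual sync on purpose` above `spec:` would record it.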
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: global-s3-credentials
+ namespace: k8up
+spec:
+ encryptedData:
+ access-key-id: 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
+ access-key-secret: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: global-s3-credentials
+ namespace: k8up
+ type: Opaque
+status: {}
+
diff --git a/k8up/k8up.yaml b/k8up/k8up.yaml
new file mode 100644
index 0000000..3e9a882
--- /dev/null
+++ b/k8up/k8up.yaml
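Review bot: The file is added as `global-s3-credentials-secret.yam`, while the README in this commit writes the kubeseal output to `global-s3-credentials-secret.yaml`; Argo CD's directory source only loads `.yaml`, `.yml` and `.json` files, so this SealedSecret will most likely never be applied. The Deployment in `k8up/k8up.yaml` reads `access-key-id` and `access-key-secret` from the `global-s3-credentials` Secret, so the operator container would not start until that Secret exists. Renaming the file to `global-s3-credentials-secret.yaml` fixes both.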
@@ -0,0 +1,197 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: k8up
+ namespace: k8up
+ labels:
+ app: k8up
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ name: k8up
+ labels:
+ app: k8up
+rules:
+- apiGroups:
+ - apiextensions.k8s.io
+ resources:
+ - customresourcedefinitions
+ verbs:
+ - get
+ - watch
+ - list
+ - create
+ - edit
+ - patch
+- apiGroups:
+ - backup.appuio.ch
+ resources:
+ - '*'
+ verbs:
+ - '*'
+- apiGroups:
+ - ''
+ resources:
+ - pods
+ - pods/exec
+ - persistentvolumeclaims
+ - events
+ - serviceaccounts
+ verbs:
+ - '*'
+- apiGroups:
+ - batch
+ resources:
+ - jobs
+ verbs:
+ - '*'
+- apiGroups:
+ - rbac.authorization.k8s.io
+ resources:
+ - rolebindings
+ - roles
+ verbs:
+ - '*'
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: k8up-edit
+ labels:
+ app: k8up
+ # Add these permissions to the "admin" and "edit" default roles.
+ rbac.authorization.k8s.io/aggregate-to-admin: "true"
+ rbac.authorization.k8s.io/aggregate-to-edit: "true"
+rules:
+ - apiGroups:
+ - backup.appuio.ch
+ resources:
+ - "*"
+ verbs:
+ - "*"
+---
+kind: ClusterRole
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: k8up-view
+ labels:
+ app: k8up
+ # Add these permissions to the "view" default role.
+ rbac.authorization.k8s.io/aggregate-to-view: "true"
+rules:
+ - apiGroups:
+ - backup.appuio.ch
+ resources:
+ - "*"
+ verbs:
+ - get
+ - list
+ - watch
+---
+kind: ClusterRoleBinding
+apiVersion: rbac.authorization.k8s.io/v1beta1
+metadata:
+ labels:
+ app: k8up
+ name: k8up
+subjects:
+- kind: ServiceAccount
+ name: k8up
+ namespace: k8up
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ name: k8up
+ kind: ClusterRole
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: k8up-metrics
+ namespace: k8up
+ labels:
+ app: k8up
+spec:
+ ports:
+ - name: "8080"
+ port: 8080
+ protocol: TCP
+ targetPort: 8080
+ selector:
+ app: k8up
+ sessionAffinity: None
+ type: ClusterIP
+---
+apiVersion: apps/v1beta1
+kind: Deployment
+metadata:
+ name: k8up
+ namespace: k8up
+ labels:
+ app: k8up
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: k8up
+ template:
+ metadata:
+ labels:
+ app: k8up
+ spec:
+ containers:
+ - name: k8up-operator
+ image: docker.io/vshn/k8up:v0.1.7
+ imagePullPolicy: Always
+ env:
+ - name: BACKUP_IMAGE
+ value: docker.io/vshn/wrestic:v0.1.8
+ - name: BACKUP_GLOBALACCESSKEYID
+ valueFrom:
+ secretKeyRef:
+ name: global-s3-credentials
+ key: access-key-id
+ - name: BACKUP_GLOBALSECRETACCESSKEY
+ valueFrom:
+ secretKeyRef:
+ name: global-s3-credentials
+ key: access-key-secret
+ - name: BACKUP_GLOBALREPOPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: global-backup-secret
+ key: secret
+ - name: BACKUP_GLOBALS3ENDPOINT
+ value: http://10.42.42.2:9000
+ - name: BACKUP_GLOBALS3BUCKET
+ value: knurrli-k8up
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ resources:
+ limits:
+ cpu: 1
+ memory: 2Gi
+ requests:
+ cpu: 0.5
+ memory: 0.5Gi
+ serviceAccountName: k8up
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+ name: k8up
+ namespace: k8up
+ labels:
+ release: prometheus-operator
+spec:
+ endpoints:
+ - interval: 30s
+ path: /metrics
+ port: http
+ namespaceSelector:
+ matchNames:
+ - k8up
+ selector:
+ matchLabels:
+ app: k8up
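Review bot: The `k8up` ClusterRole grants `'*'` verbs on `pods`, `pods/exec`, `serviceaccounts`, `roles` and `rolebindings`, and the ClusterRoleBinding applies it in every namespace, so the operator's service account ends up close to cluster-admin in effect; the wildcard on `roles` also covers `escalate` and `bind`, which bypass RBAC's own escalation check. Listing only the verbs the operator needs (to be confirmed against the k8up documentation) would limit what a compromised operator pod can reach. In the first rule `edit` is not an API verb and matches nothing; `- update` is presumably what was meant. The ServiceMonitor selects `port: http`, but the `k8up-metrics` Service names its port `"8080"`, so nothing is scraped until one side is renamed, e.g. `- name: http` on the Service. `BACKUP_GLOBALS3ENDPOINT` is plain `http://`, so the S3 requests and their authentication headers cross the network unencrypted unless that segment is otherwise protected.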