Merge branch 'feat/backups' into 'main'

Feat/backups

See merge request indiehost/libre.sh/libre.sh!39

cluster/components/backups/automations/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - schedule-daily.yaml

cluster/components/backups/automations/schedule-daily.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: daily
+  namespace: libresh-system
+spec:
+  schedule: "0 2 * * *"
+  template:
+    includedNamespaces:
+      - "*"

cluster/components/backups/velero/bucket.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: core.libre.sh/v1alpha1
+kind: Bucket
+metadata:
+  name: velero
+spec:
+  policy:
+    preset: private
+  provider: data

cluster/components/backups/velero/gen-policy.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: kyverno.io/v1
+kind: Policy
+metadata:
+  name: velero-local-minio-creds
+spec:
+  generateExisting: true
+  rules:
+    - name: velero-local-minio-creds
+      match:
+        any:
+          - resources:
+              kinds:
+                - Secret
+              names:
+                - velero.bucket.libre.sh
+      generate:
+        synchronize: true
+        apiVersion: v1
+        kind: Secret
+        name: velero-local-minio-creds
+        namespace: libresh-system
+        data:
+          stringData:
+            credential.toml: |-
+              [default]
+              aws_access_key_id={{ request.object.data.accessKey | base64_decode(@) }}
+              aws_secret_access_key={{ request.object.data.secretKey | base64_decode(@) }}

cluster/components/backups/velero/hr.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: velero
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: velero
+      version: 4.1.3
+      sourceRef:
+        kind: HelmRepository
+        name: vmware-tanzu
+        namespace: libresh-system
+      interval: 15m
+  install:
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  valuesFrom:
+    - kind: ConfigMap
+      name: velero-values
+    - kind: Secret
+      name: velero.bucket.libre.sh
+      valuesKey: bucket
+      targetPath: configuration.backupStorageLocation[0].bucket
+    - kind: Secret
+      name: velero.bucket.libre.sh
+      valuesKey: url
+      targetPath: configuration.backupStorageLocation[0].config.s3Url
+    - kind: ConfigMap
+      name: velero-custom-values
+      optional: true

cluster/components/backups/velero/kustomization.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - bucket.yaml
+  - gen-policy.yaml
+  - values.yaml
+  - hr.yaml
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: velero-values
+  files:
+    - values.yaml

cluster/components/backups/velero/values.yaml

@@ -0,0 +1,22 @@
+initContainers:
+  - name: velero-plugin-for-aws
+    image: velero/velero-plugin-for-aws:v1.7.0
+    imagePullPolicy: IfNotPresent
+    volumeMounts:
+      - mountPath: /target
+        name: plugins
+credentials:
+  useSecret: false
+configuration:
+  backupStorageLocation:
+    - name: local-minio
+      provider: aws
+      default: true
+      accessMode: ReadWrite
+      credential:
+        name: velero-local-minio-creds
+        key: credential.toml
+      config:
+        region: eu
+        s3ForcePathStyle: true
+  volumeSnapshotLocation: []

cluster/components/kyverno/hr.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: kyverno
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: kyverno
+      version: 3.0.2
+      sourceRef:
+        kind: HelmRepository
+        name: kyverno
+        namespace: libresh-system
+      interval: 15m
+  install:
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  valuesFrom:
+  - kind: ConfigMap
+    name: kyverno-values
+    optional: false
+  - kind: ConfigMap
+    name: kyverno-custom-values
+    optional: true

cluster/components/kyverno/kustomization.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - hr.yaml
+generatorOptions:
+  disableNameSuffixHash: true
+configMapGenerator:
+- name: kyverno-values
+  files:
+    - values.yaml

cluster/components/kyverno/values.yaml

@@ -0,0 +1,10 @@
+admissionController:
+  replicas: 3
+backgroundController:
+  replicas: 2
+cleanupController:
+  replicas: 2
+reportsController:
+  replicas: 2
+config:
+  excludeKyvernoNamespace: false

cluster/repositories/kustomization.yaml

@@ -10,4 +10,6 @@ resources:
   - ./minio.yaml
   - ./openebs.yaml
   - ./postgres-zalando.yaml
-  - ./prometheus-community.yaml
+  - ./prometheus-community.yaml
+  - kyverno.yaml
+  - vmware-tanzu.yaml

cluster/repositories/kyverno.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: kyverno
+  namespace: libresh-system
+spec:
+  interval: 10m
+  url: https://kyverno.github.io/kyverno/
+  timeout: 3m

cluster/repositories/vmware-tanzu.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: vmware-tanzu
+  namespace: libresh-system
+spec:
+  interval: 10m
+  url: https://vmware-tanzu.github.io/helm-charts/
+  timeout: 3m