add talos etcd backup

2025-05-15 18:55:22 -05:00
parent 84135b6915
commit 10284f8860
4 changed files with 170 additions and 0 deletions
--- a/clusters/cl01tl/services/talos/Chart.yaml
+++ b/clusters/cl01tl/services/talos/Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v2
+name: talos
+version: 1.0.0
+description: Talos
+keywords:
+  - talos
+  - etcd
+  - kubernetes
+home: https://wiki.alexlebens.dev/s/c5ead573-34b6-442b-a286-7819e6e71f78
+sources:
+  - https://github.com/siderolabs/talos-backup
+  - https://github.com/siderolabs/talos-backup/pkgs/container/talos-backup
+  - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+  - name: alexlebens
+dependencies:
+  - name: app-template
+    alias: etcd-backup
+    repository: https://bjw-s-labs.github.io/helm-charts/
+    version: 3.7.3
+icon: https://avatars.githubusercontent.com/u/13804887?s=200&v=4
+appVersion: v0.1.0-beta.3
--- a/clusters/cl01tl/services/talos/templates/external-secret.yaml
+++ b/clusters/cl01tl/services/talos/templates/external-secret.yaml
@@ -0,0 +1,39 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: talos-etcd-backup-secret
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: talos-etcd-backup-secret
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+  annotations:
+    kubernetes.io/service-account.name: talos-backup-secrets
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: vault
+  data:
+    - secretKey: AWS_ACCESS_KEY_ID
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/etcd-backup
+        metadataPolicy: None
+        property: AWS_ACCESS_KEY_ID
+    - secretKey: AWS_SECRET_ACCESS_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /digital-ocean/home-infra/etcd-backup
+        metadataPolicy: None
+        property: AWS_SECRET_ACCESS_KEY
+    - secretKey: AGE_X25519_PUBLIC_KEY
+      remoteRef:
+        conversionStrategy: Default
+        decodingStrategy: None
+        key: /cl01tl/talos/etcd-backup
+        metadataPolicy: None
+        property: AGE_X25519_PUBLIC_KEY
--- a/clusters/cl01tl/services/talos/templates/service-account.yaml
+++ b/clusters/cl01tl/services/talos/templates/service-account.yaml
@@ -0,0 +1,14 @@
+apiVersion: talos.dev/v1alpha1
+kind: ServiceAccount
+metadata:
+    name: talos-backup-secrets
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: talos-backup-secrets
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/version: {{ .Chart.AppVersion }}
+    app.kubernetes.io/component: storage
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+    roles:
+        - os:etcd:backup
--- a/clusters/cl01tl/services/talos/values.yaml
+++ b/clusters/cl01tl/services/talos/values.yaml
@@ -0,0 +1,95 @@
+etcd-backup:
+  controllers:
+    main:
+      type: cronjob
+      pod:
+        securityContext:
+          runAsUser: 1000
+          runAsGroup: 1000
+          allowPrivilegeEscalation: false
+          runAsNonRoot: true
+          capabilities:
+            drop:
+              - ALL
+          seccompProfile:
+            type: RuntimeDefault
+        affinity:
+          nodeAffinity:
+            requiredDuringSchedulingIgnoredDuringExecution:
+              nodeSelectorTerms:
+                matchExpressions:
+                  - key: node-role.kubernetes.io/control-plane
+                    operator: Exists
+        tolerations:
+          - key: node-role.kubernetes.io/control-plane
+            operator: Exists
+            effect: NoSchedule
+      cronjob:
+        suspend: false
+        concurrencyPolicy: Forbid
+        timeZone: US/Central
+        schedule: "0 0 * * *"
+        startingDeadlineSeconds: 90
+        successfulJobsHistory: 3
+        failedJobsHistory: 3
+        backoffLimit: 3
+        parallelism: 1
+      containers:
+        main:
+          image:
+            repository: ghcr.io/siderolabs/talos-backup
+            tag: v0.1.0-beta.3@sha256:05c86663b251a407551dc948097e32e163a345818117eb52c573b0447bd0c7a7
+            pullPolicy: IfNotPresent
+          command:
+            - /talos-backup
+          workingDir: /tmp
+          env:
+            - name: AWS_ACCESS_KEY_ID
+              valueFrom:
+                secretKeyRef:
+                  name: talos-etcd-backup-secret
+                  key: AWS_ACCESS_KEY_ID
+            - name: AWS_SECRET_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: talos-etcd-backup-secret
+                  key: AWS_SECRET_ACCESS_KEY
+            - name: AWS_REGION
+              value: nyc3
+            - name: CUSTOM_S3_ENDPOINT
+              value: https://nyc3.digitaloceanspaces.com
+            - name: BUCKET
+              value: talos-backups-bee8585f7b8a4d0239c9b823
+            - name: S3_PREFIX
+              value: "cl01tl"
+            - name: CLUSTER_NAME
+              value: "cl01tl"
+            - name: AGE_X25519_PUBLIC_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: talos-etcd-backup-secret
+                  key: AGE_X25519_PUBLIC_KEY
+            - name: USE_PATH_STYLE
+              value: "false"
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+  persistence:
+    transcode:
+      type: emptyDir
+      advancedMounts:
+        main:
+          main:
+            - path: /tmp
+              readOnly: false
+    config:
+      enabled: true
+      type: secret
+      name: talos-etcd-backup-secret
+      advancedMounts:
+        main:
+          main:
+            - path: /var/run/secrets/talos.dev
+              readOnly: true
+              mountPropagation: None