From 10284f88601e8e7c504b41b20b7f5939f1a463a1 Mon Sep 17 00:00:00 2001
From: Alex Lebens
Date: Thu, 15 May 2025 18:55:22 -0500
Subject: [PATCH] add talos etcd backup
---
 clusters/cl01tl/services/talos/Chart.yaml | 22 +++++
 .../talos/templates/external-secret.yaml | 39 ++++++++
 .../talos/templates/service-account.yaml | 14 +++
 clusters/cl01tl/services/talos/values.yaml | 95 +++++++++++++++++++
 4 files changed, 170 insertions(+)
 create mode 100644 clusters/cl01tl/services/talos/Chart.yaml
 create mode 100644 clusters/cl01tl/services/talos/templates/external-secret.yaml
 create mode 100644 clusters/cl01tl/services/talos/templates/service-account.yaml
 create mode 100644 clusters/cl01tl/services/talos/values.yaml
diff --git a/clusters/cl01tl/services/talos/Chart.yaml b/clusters/cl01tl/services/talos/Chart.yaml
new file mode 100644
index 000000000..5c80bf3a9
--- /dev/null
+++ b/clusters/cl01tl/services/talos/Chart.yaml
@@ -0,0 +1,22 @@
+apiVersion: v2
+name: talos
+version: 1.0.0
+description: Talos
+keywords:
+ - talos
+ - etcd
+ - kubernetes
+home: https://wiki.alexlebens.dev/s/c5ead573-34b6-442b-a286-7819e6e71f78
+sources:
+ - https://github.com/siderolabs/talos-backup
+ - https://github.com/siderolabs/talos-backup/pkgs/container/talos-backup
+ - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: app-template
+ alias: etcd-backup
+ repository: https://bjw-s-labs.github.io/helm-charts/
+ version: 3.7.3
+icon: https://avatars.githubusercontent.com/u/13804887?s=200&v=4
+appVersion: v0.1.0-beta.3
diff --git a/clusters/cl01tl/services/talos/templates/external-secret.yaml b/clusters/cl01tl/services/talos/templates/external-secret.yaml
new file mode 100644
index 000000000..15713f380
--- /dev/null
+++ b/clusters/cl01tl/services/talos/templates/external-secret.yaml
@@ -0,0 +1,39 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: talos-etcd-backup-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: talos-etcd-backup-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: storage
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+ annotations:
+ kubernetes.io/service-account.name: talos-backup-secrets
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: AWS_ACCESS_KEY_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/etcd-backup
+ metadataPolicy: None
+ property: AWS_ACCESS_KEY_ID
+ - secretKey: AWS_SECRET_ACCESS_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /digital-ocean/home-infra/etcd-backup
+ metadataPolicy: None
+ property: AWS_SECRET_ACCESS_KEY
+ - secretKey: AGE_X25519_PUBLIC_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/talos/etcd-backup
+ metadataPolicy: None
+ property: AGE_X25519_PUBLIC_KEY
diff --git a/clusters/cl01tl/services/talos/templates/service-account.yaml b/clusters/cl01tl/services/talos/templates/service-account.yaml
new file mode 100644
index 000000000..0674f59c6
--- /dev/null
+++ b/clusters/cl01tl/services/talos/templates/service-account.yaml
@@ -0,0 +1,14 @@
+apiVersion: talos.dev/v1alpha1
+kind: ServiceAccount
+metadata:
+ name: talos-backup-secrets
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: talos-backup-secrets
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: storage
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ roles:
+ - os:etcd:backup
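Review bot: The `kubernetes.io/service-account.name: talos-backup-secrets` annotation under `metadata.annotations` in this hunk is inert on an ExternalSecret: that annotation is only consumed on a Secret of type `kubernetes.io/service-account-token`, and the Secret this resource produces holds S3 credentials and an age public key, not a token. Left in place it implies a binding to the Talos `ServiceAccount` of the same name that the manifest does not actually establish, so it is clearer to drop the `annotations:` block. If the intent was to stamp metadata onto the generated Secret, `spec.target.template.metadata` is where External Secrets Operator reads that from.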
diff --git a/clusters/cl01tl/services/talos/values.yaml b/clusters/cl01tl/services/talos/values.yaml
new file mode 100644
index 000000000..0705d1fac
--- /dev/null
+++ b/clusters/cl01tl/services/talos/values.yaml
@@ -0,0 +1,95 @@
+etcd-backup:
+ controllers:
+ main:
+ type: cronjob
+ pod:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ allowPrivilegeEscalation: false
+ runAsNonRoot: true
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ matchExpressions:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ tolerations:
+ - key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ effect: NoSchedule
+ cronjob:
+ suspend: false
+ concurrencyPolicy: Forbid
+ timeZone: US/Central
+ schedule: "0 0 * * *"
+ startingDeadlineSeconds: 90
+ successfulJobsHistory: 3
+ failedJobsHistory: 3
+ backoffLimit: 3
+ parallelism: 1
+ containers:
+ main:
+ image:
+ repository: ghcr.io/siderolabs/talos-backup
+ tag: v0.1.0-beta.3@sha256:05c86663b251a407551dc948097e32e163a345818117eb52c573b0447bd0c7a7
+ pullPolicy: IfNotPresent
+ command:
+ - /talos-backup
+ workingDir: /tmp
+ env:
+ - name: AWS_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ name: talos-etcd-backup-secret
+ key: AWS_ACCESS_KEY_ID
+ - name: AWS_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ name: talos-etcd-backup-secret
+ key: AWS_SECRET_ACCESS_KEY
+ - name: AWS_REGION
+ value: nyc3
+ - name: CUSTOM_S3_ENDPOINT
+ value: https://nyc3.digitaloceanspaces.com
+ - name: BUCKET
+ value: talos-backups-bee8585f7b8a4d0239c9b823
+ - name: S3_PREFIX
+ value: "cl01tl"
+ - name: CLUSTER_NAME
+ value: "cl01tl"
+ - name: AGE_X25519_PUBLIC_KEY
+ valueFrom:
+ secretKeyRef:
+ name: talos-etcd-backup-secret
+ key: AGE_X25519_PUBLIC_KEY
+ - name: USE_PATH_STYLE
+ value: "false"
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ persistence:
+ transcode:
+ type: emptyDir
+ advancedMounts:
+ main:
+ main:
+ - path: /tmp
+ readOnly: false
+ config:
+ enabled: true
+ type: secret
+ name: talos-etcd-backup-secret
+ advancedMounts:
+ main:
+ main:
+ - path: /var/run/secrets/talos.dev
+ readOnly: true
+ mountPropagation: None
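Review bot: `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` are placed under `pod.securityContext` in this hunk, but they are container-level SecurityContext fields with no pod-level equivalent, so the rendered pod spec carries unknown keys that the API server prunes or rejects depending on field validation and the talos-backup container runs without the hardening the values describe; they belong under `containers.main.securityContext`, where `readOnlyRootFilesystem: true` is also viable because `workingDir: /tmp` already sits on the emptyDir mount. The `config` entry mounts `talos-etcd-backup-secret` — the ExternalSecret holding the S3 credentials — at `/var/run/secrets/talos.dev`, whereas the talosconfig the backup client reads from that path comes from the Secret that the Talos `ServiceAccount` in service-account.yaml generates under its own name, `talos-backup-secrets`; as written the job should find no talosconfig there, and the S3 secret key is additionally materialised as a file in the container alongside its env var. `nodeSelectorTerms` also appears here as a mapping rather than a list of terms; if that is not an artifact of how the patch was flattened, the affinity is invalid and the CronJob will be rejected. The rewritten stanzas are below.
```yaml
etcd-backup:
  controllers:
    main:
      # … unchanged: type, cronjob, tolerations …
      pod:
        securityContext:
          runAsUser: 1000
          runAsGroup: 1000
          runAsNonRoot: true
          seccompProfile:
            type: RuntimeDefault
        affinity:
          nodeAffinity:
            requiredDuringSchedulingIgnoredDuringExecution:
              nodeSelectorTerms:
                - matchExpressions:
                    - key: node-role.kubernetes.io/control-plane
                      operator: Exists
      containers:
        main:
          # … unchanged: image, command, workingDir, env, resources …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities:
              drop:
                - ALL
  persistence:
    # … unchanged: transcode emptyDir …
    config:
      enabled: true
      type: secret
      name: talos-backup-secrets
      # … unchanged: advancedMounts …
```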