restore operations

2025-03-02 22:50:23 -06:00
parent 6802f95c05
commit 673d7860fb
2 changed files with 530 additions and 530 deletions


@@ -150,149 +150,149 @@ vault:
for: 5m
labels:
severity: critical
# snapshot:
# global:
# fullnameOverride: vault-snapshot
# controllers:
# snapshot:
# type: cronjob
# cronjob:
# suspend: false
# concurrencyPolicy: Forbid
# timeZone: US/Central
# schedule: 0 4 * * *
# startingDeadlineSeconds: 90
# successfulJobsHistory: 3
# failedJobsHistory: 3
# backoffLimit: 3
# parallelism: 1
# initContainers:
# snapshot:
# image:
# repository: hashicorp/vault
# tag: 1.18.5
# pullPolicy: IfNotPresent
# command:
# - /bin/ash
# args:
# - -ec
# - |
# apk add --no-cache jq;
# export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
# vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
# cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
# cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
# envFrom:
# - secretRef:
# name: vault-snapshot-agent-token
# env:
# - name: VAULT_ADDR
# value: http://vault-active.vault.svc.cluster.local:8200
# resources:
# requests:
# cpu: 10m
# memory: 64Mi
# containers:
# backup:
# image:
# repository: d3fk/s3cmd
# tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9
# pullPolicy: IfNotPresent
# command:
# - /bin/sh
# args:
# - -ec
# - |
# s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
# rm -f /opt/backup/vault-snapshot-s3.snap;
# envFrom:
# - secretRef:
# name: vault-snapshot-s3
# resources:
# requests:
# cpu: 10m
# memory: 64Mi
# serviceAccount:
# create: true
# persistence:
# config:
# existingClaim: vault-nfs-storage-backup
# advancedMounts:
# snapshot:
# snapshot:
# - path: /opt/backup
# readOnly: false
# backup:
# - path: /opt/backup
# readOnly: false
# s3cmd-config:
# enabled: true
# type: secret
# name: vault-s3cmd-config
# advancedMounts:
# snapshot:
# backup:
# - path: /root/.s3cfg
# readOnly: true
# mountPropagation: None
# subPath: .s3cfg
# unseal:
# global:
# fullnameOverride: vault-unseal
# controllers:
# unseal-1:
# type: deployment
# replicas: 1
# strategy: Recreate
# revisionHistoryLimit: 3
# containers:
# main:
# image:
# repository: ghcr.io/lrstanley/vault-unseal
# tag: 0.7.0
# pullPolicy: IfNotPresent
# envFrom:
# - secretRef:
# name: vault-unseal-config-1
# resources:
# requests:
# cpu: 10m
# memory: 24Mi
# unseal-2:
# type: deployment
# replicas: 1
# strategy: Recreate
# revisionHistoryLimit: 3
# containers:
# main:
# image:
# repository: ghcr.io/lrstanley/vault-unseal
# tag: 0.7.0
# pullPolicy: IfNotPresent
# envFrom:
# - secretRef:
# name: vault-unseal-config-2
# resources:
# requests:
# cpu: 10m
# memory: 24Mi
# unseal-3:
# type: deployment
# replicas: 1
# strategy: Recreate
# revisionHistoryLimit: 3
# containers:
# main:
# image:
# repository: ghcr.io/lrstanley/vault-unseal
# tag: 0.7.0
# pullPolicy: IfNotPresent
# envFrom:
# - secretRef:
# name: vault-unseal-config-3
# resources:
# requests:
# cpu: 10m
# memory: 24Mi
# serviceAccount:
# create: true
snapshot:
global:
fullnameOverride: vault-snapshot
controllers:
snapshot:
type: cronjob
cronjob:
suspend: false
concurrencyPolicy: Forbid
timeZone: US/Central
schedule: 0 4 * * *
startingDeadlineSeconds: 90
successfulJobsHistory: 3
failedJobsHistory: 3
backoffLimit: 3
parallelism: 1
initContainers:
snapshot:
image:
repository: hashicorp/vault
tag: 1.18.5
pullPolicy: IfNotPresent
command:
- /bin/ash
args:
- -ec
- |
apk add --no-cache jq;
export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
envFrom:
- secretRef:
name: vault-snapshot-agent-token
env:
- name: VAULT_ADDR
value: http://vault-active.vault.svc.cluster.local:8200
resources:
requests:
cpu: 10m
memory: 64Mi
containers:
backup:
image:
repository: d3fk/s3cmd
tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9
pullPolicy: IfNotPresent
command:
- /bin/sh
args:
- -ec
- |
s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
rm -f /opt/backup/vault-snapshot-s3.snap;
envFrom:
- secretRef:
name: vault-snapshot-s3
resources:
requests:
cpu: 10m
memory: 64Mi
serviceAccount:
create: true
persistence:
config:
existingClaim: vault-nfs-storage-backup
advancedMounts:
snapshot:
snapshot:
- path: /opt/backup
readOnly: false
backup:
- path: /opt/backup
readOnly: false
s3cmd-config:
enabled: true
type: secret
name: vault-s3cmd-config
advancedMounts:
snapshot:
backup:
- path: /root/.s3cfg
readOnly: true
mountPropagation: None
subPath: .s3cfg
unseal:
global:
fullnameOverride: vault-unseal
controllers:
unseal-1:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 0.7.0
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: vault-unseal-config-1
resources:
requests:
cpu: 10m
memory: 24Mi
unseal-2:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 0.7.0
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: vault-unseal-config-2
resources:
requests:
cpu: 10m
memory: 24Mi
unseal-3:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/lrstanley/vault-unseal
tag: 0.7.0
pullPolicy: IfNotPresent
envFrom:
- secretRef:
name: vault-unseal-config-3
resources:
requests:
cpu: 10m
memory: 24Mi
serviceAccount:
create: true
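Review bot: The re-enabled `backup` container uploads the Vault raft snapshot with `s3cmd put --no-check-md5 --no-check-certificate …`, so the S3 endpoint's TLS certificate is never verified and the upload of the most sensitive artifact in the cluster is open to interception on the network path. Drop `--no-check-certificate`; if the endpoint is signed by a private CA, mount that CA and pass `--ca-certs=<CA bundle path>` instead. In the `snapshot` init container the AppRole login targets `http://vault-active.vault.svc.cluster.local:8200`, so `role_id`, `secret_id` and the returned token travel unencrypted, and `apk add --no-cache jq` performs an unpinned network install on every run inside the container that holds those credentials. `export VAULT_TOKEN=$(vault write -field=token auth/approle/login role_id="$VAULT_APPROLE_ROLE_ID" secret_id="$VAULT_APPROLE_SECRET_ID")` returns the token directly, so both jq and the install step can go. The values tree this hunk sits in starts above the hunk, so any TLS wrapping configured elsewhere (a mesh sidecar, for example) is not visible here and should be confirmed.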