restore operations

2025-03-02 22:50:23 -06:00
parent 6802f95c05
commit 673d7860fb
2 changed files with 530 additions and 530 deletions


@@ -1,390 +1,390 @@
# apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret kind: ExternalSecret
# metadata: metadata:
# name: vault-snapshot-agent-token name: vault-snapshot-agent-token
# namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
# labels: labels:
# app.kubernetes.io/name: vault-snapshot-agent-token app.kubernetes.io/name: vault-snapshot-agent-token
# app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
# spec: spec:
# secretStoreRef: secretStoreRef:
# kind: ClusterSecretStore kind: ClusterSecretStore
# name: vault name: vault
# data: data:
# - secretKey: VAULT_APPROLE_ROLE_ID - secretKey: VAULT_APPROLE_ROLE_ID
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/snapshot key: /cl01tl/vault/snapshot
# metadataPolicy: None metadataPolicy: None
# property: VAULT_APPROLE_ROLE_ID property: VAULT_APPROLE_ROLE_ID
# - secretKey: VAULT_APPROLE_SECRET_ID - secretKey: VAULT_APPROLE_SECRET_ID
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/snapshot key: /cl01tl/vault/snapshot
# metadataPolicy: None metadataPolicy: None
# property: VAULT_APPROLE_SECRET_ID property: VAULT_APPROLE_SECRET_ID
# --- ---
# apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret kind: ExternalSecret
# metadata: metadata:
# name: vault-snapshot-s3 name: vault-snapshot-s3
# namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
# labels: labels:
# app.kubernetes.io/name: vault-snapshot-s3 app.kubernetes.io/name: vault-snapshot-s3
# app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
# spec: spec:
# secretStoreRef: secretStoreRef:
# kind: ClusterSecretStore kind: ClusterSecretStore
# name: vault name: vault
# data: data:
# - secretKey: AWS_ACCESS_KEY_ID - secretKey: AWS_ACCESS_KEY_ID
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None metadataPolicy: None
# property: AWS_ACCESS_KEY_ID property: AWS_ACCESS_KEY_ID
# - secretKey: AWS_SECRET_ACCESS_KEY - secretKey: AWS_SECRET_ACCESS_KEY
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /digital-ocean/home-infra/vault-backup key: /digital-ocean/home-infra/vault-backup
# metadataPolicy: None metadataPolicy: None
# property: AWS_SECRET_ACCESS_KEY property: AWS_SECRET_ACCESS_KEY
# --- ---
# apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret kind: ExternalSecret
# metadata: metadata:
# name: vault-s3cmd-config name: vault-s3cmd-config
# namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
# labels: labels:
# app.kubernetes.io/name: vault-snapshot-s3 app.kubernetes.io/name: vault-snapshot-s3
# app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: snapshot app.kubernetes.io/component: snapshot
# app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
# spec: spec:
# secretStoreRef: secretStoreRef:
# kind: ClusterSecretStore kind: ClusterSecretStore
# name: vault name: vault
# data: data:
# - secretKey: .s3cfg - secretKey: .s3cfg
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/snapshot key: /cl01tl/vault/snapshot
# metadataPolicy: None metadataPolicy: None
# property: s3cfg property: s3cfg
# --- ---
# apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret kind: ExternalSecret
# metadata: metadata:
# name: vault-unseal-config-1 name: vault-unseal-config-1
# namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
# labels: labels:
# app.kubernetes.io/name: vault-unseal-key-1 app.kubernetes.io/name: vault-unseal-key-1
# app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
# spec: spec:
# secretStoreRef: secretStoreRef:
# kind: ClusterSecretStore kind: ClusterSecretStore
# name: vault name: vault
# data: data:
# - secretKey: ENVIRONMENT - secretKey: ENVIRONMENT
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1 key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None metadataPolicy: None
# property: ENVIRONMENT property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL - secretKey: CHECK_INTERVAL
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1 key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None metadataPolicy: None
# property: CHECK_INTERVAL property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL - secretKey: MAX_CHECK_INTERVAL
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1 key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None metadataPolicy: None
# property: MAX_CHECK_INTERVAL property: MAX_CHECK_INTERVAL
# - secretKey: NODES - secretKey: NODES
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1 key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None metadataPolicy: None
# property: NODES property: NODES
# - secretKey: TLS_SKIP_VERIFY - secretKey: TLS_SKIP_VERIFY
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1 key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None metadataPolicy: None
# property: TLS_SKIP_VERIFY property: TLS_SKIP_VERIFY
# - secretKey: TOKENS - secretKey: TOKENS
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1 key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None metadataPolicy: None
# property: TOKENS property: TOKENS
# - secretKey: EMAIL_ENABLED - secretKey: EMAIL_ENABLED
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1 key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None metadataPolicy: None
# property: EMAIL_ENABLED property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1 key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-1 key: /cl01tl/vault/unseal/config-1
# metadataPolicy: None metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY property: NOTIFY_QUEUE_DELAY
# --- ---
# apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret kind: ExternalSecret
# metadata: metadata:
# name: vault-unseal-config-2 name: vault-unseal-config-2
# namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
# labels: labels:
# app.kubernetes.io/name: vault-unseal-key-2 app.kubernetes.io/name: vault-unseal-key-2
# app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
# spec: spec:
# secretStoreRef: secretStoreRef:
# kind: ClusterSecretStore kind: ClusterSecretStore
# name: vault name: vault
# data: data:
# - secretKey: ENVIRONMENT - secretKey: ENVIRONMENT
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2 key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None metadataPolicy: None
# property: ENVIRONMENT property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL - secretKey: CHECK_INTERVAL
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2 key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None metadataPolicy: None
# property: CHECK_INTERVAL property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL - secretKey: MAX_CHECK_INTERVAL
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2 key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None metadataPolicy: None
# property: MAX_CHECK_INTERVAL property: MAX_CHECK_INTERVAL
# - secretKey: NODES - secretKey: NODES
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2 key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None metadataPolicy: None
# property: NODES property: NODES
# - secretKey: TLS_SKIP_VERIFY - secretKey: TLS_SKIP_VERIFY
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2 key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None metadataPolicy: None
# property: TLS_SKIP_VERIFY property: TLS_SKIP_VERIFY
# - secretKey: TOKENS - secretKey: TOKENS
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2 key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None metadataPolicy: None
# property: TOKENS property: TOKENS
# - secretKey: EMAIL_ENABLED - secretKey: EMAIL_ENABLED
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2 key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None metadataPolicy: None
# property: EMAIL_ENABLED property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2 key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-2 key: /cl01tl/vault/unseal/config-2
# metadataPolicy: None metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY property: NOTIFY_QUEUE_DELAY
# --- ---
# apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret kind: ExternalSecret
# metadata: metadata:
# name: vault-unseal-config-3 name: vault-unseal-config-3
# namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
# labels: labels:
# app.kubernetes.io/name: vault-unseal-config-3 app.kubernetes.io/name: vault-unseal-config-3
# app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: unseal app.kubernetes.io/component: unseal
# app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
# spec: spec:
# secretStoreRef: secretStoreRef:
# kind: ClusterSecretStore kind: ClusterSecretStore
# name: vault name: vault
# data: data:
# - secretKey: ENVIRONMENT - secretKey: ENVIRONMENT
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3 key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None metadataPolicy: None
# property: ENVIRONMENT property: ENVIRONMENT
# - secretKey: CHECK_INTERVAL - secretKey: CHECK_INTERVAL
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3 key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None metadataPolicy: None
# property: CHECK_INTERVAL property: CHECK_INTERVAL
# - secretKey: MAX_CHECK_INTERVAL - secretKey: MAX_CHECK_INTERVAL
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3 key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None metadataPolicy: None
# property: MAX_CHECK_INTERVAL property: MAX_CHECK_INTERVAL
# - secretKey: NODES - secretKey: NODES
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3 key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None metadataPolicy: None
# property: NODES property: NODES
# - secretKey: TLS_SKIP_VERIFY - secretKey: TLS_SKIP_VERIFY
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3 key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None metadataPolicy: None
# property: TLS_SKIP_VERIFY property: TLS_SKIP_VERIFY
# - secretKey: TOKENS - secretKey: TOKENS
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3 key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None metadataPolicy: None
# property: TOKENS property: TOKENS
# - secretKey: EMAIL_ENABLED - secretKey: EMAIL_ENABLED
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3 key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None metadataPolicy: None
# property: EMAIL_ENABLED property: EMAIL_ENABLED
# - secretKey: NOTIFY_MAX_ELAPSED - secretKey: NOTIFY_MAX_ELAPSED
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3 key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None metadataPolicy: None
# property: NOTIFY_MAX_ELAPSED property: NOTIFY_MAX_ELAPSED
# - secretKey: NOTIFY_QUEUE_DELAY - secretKey: NOTIFY_QUEUE_DELAY
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/unseal/config-3 key: /cl01tl/vault/unseal/config-3
# metadataPolicy: None metadataPolicy: None
# property: NOTIFY_QUEUE_DELAY property: NOTIFY_QUEUE_DELAY
# --- ---
# apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1beta1
# kind: ExternalSecret kind: ExternalSecret
# metadata: metadata:
# name: vault-token name: vault-token
# namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
# labels: labels:
# app.kubernetes.io/name: vault-token app.kubernetes.io/name: vault-token
# app.kubernetes.io/instance: {{ .Release.Name }} app.kubernetes.io/instance: {{ .Release.Name }}
# app.kubernetes.io/version: {{ .Chart.AppVersion }} app.kubernetes.io/version: {{ .Chart.AppVersion }}
# app.kubernetes.io/component: token app.kubernetes.io/component: token
# app.kubernetes.io/part-of: {{ .Release.Name }} app.kubernetes.io/part-of: {{ .Release.Name }}
# spec: spec:
# secretStoreRef: secretStoreRef:
# kind: ClusterSecretStore kind: ClusterSecretStore
# name: vault name: vault
# data: data:
# - secretKey: token - secretKey: token
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/token key: /cl01tl/vault/token
# metadataPolicy: None metadataPolicy: None
# property: token property: token
# - secretKey: unseal_key_1 - secretKey: unseal_key_1
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/token key: /cl01tl/vault/token
# metadataPolicy: None metadataPolicy: None
# property: unseal_key_1 property: unseal_key_1
# - secretKey: unseal_key_2 - secretKey: unseal_key_2
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/token key: /cl01tl/vault/token
# metadataPolicy: None metadataPolicy: None
# property: unseal_key_2 property: unseal_key_2
# - secretKey: unseal_key_3 - secretKey: unseal_key_3
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/token key: /cl01tl/vault/token
# metadataPolicy: None metadataPolicy: None
# property: unseal_key_3 property: unseal_key_3
# - secretKey: unseal_key_4 - secretKey: unseal_key_4
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/token key: /cl01tl/vault/token
# metadataPolicy: None metadataPolicy: None
# property: unseal_key_4 property: unseal_key_4
# - secretKey: unseal_key_5 - secretKey: unseal_key_5
# remoteRef: remoteRef:
# conversionStrategy: Default conversionStrategy: Default
# decodingStrategy: None decodingStrategy: None
# key: /cl01tl/vault/token key: /cl01tl/vault/token
# metadataPolicy: None metadataPolicy: None
# property: unseal_key_5 property: unseal_key_5
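Review bot: The restored `vault-token` ExternalSecret at the end of this file copies `token` and `unseal_key_1` through `unseal_key_5` from `/cl01tl/vault/token` into one Kubernetes Secret, so any principal that can read Secrets in the release namespace gets a Vault token and, presumably, every unseal share at once. No workload that mounts `vault-token` is visible in this commit, so it is worth confirming which of these properties are actually consumed and keeping `data` entries only for those. If the resource has to stay as it is, I would put a comment above it such as `# holds the Vault token and all unseal keys; keep get/list on this Secret restricted by RBAC` so the exposure is obvious to the next reader. The store is the `vault` ClusterSecretStore, so if that is the same Vault these keys unseal, the Secret cannot be refreshed while Vault is sealed; that is inferred from the names and should be checked.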


@@ -150,149 +150,149 @@ vault:
for: 5m for: 5m
labels: labels:
severity: critical severity: critical
# snapshot: snapshot:
# global: global:
# fullnameOverride: vault-snapshot fullnameOverride: vault-snapshot
# controllers: controllers:
# snapshot: snapshot:
# type: cronjob type: cronjob
# cronjob: cronjob:
# suspend: false suspend: false
# concurrencyPolicy: Forbid concurrencyPolicy: Forbid
# timeZone: US/Central timeZone: US/Central
# schedule: 0 4 * * * schedule: 0 4 * * *
# startingDeadlineSeconds: 90 startingDeadlineSeconds: 90
# successfulJobsHistory: 3 successfulJobsHistory: 3
# failedJobsHistory: 3 failedJobsHistory: 3
# backoffLimit: 3 backoffLimit: 3
# parallelism: 1 parallelism: 1
# initContainers: initContainers:
# snapshot: snapshot:
# image: image:
# repository: hashicorp/vault repository: hashicorp/vault
# tag: 1.18.5 tag: 1.18.5
# pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# command: command:
# - /bin/ash - /bin/ash
# args: args:
# - -ec - -ec
# - | - |
# apk add --no-cache jq; apk add --no-cache jq;
# export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token); export VAULT_TOKEN=$(vault write auth/approle/login role_id=$VAULT_APPROLE_ROLE_ID secret_id=$VAULT_APPROLE_SECRET_ID -format=json | jq -r .auth.client_token);
# vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap; vault operator raft snapshot save /opt/backup/vault-snapshot-latest.snap;
# cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
# cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap; cp /opt/backup/vault-snapshot-latest.snap /opt/backup/vault-snapshot-s3.snap;
# envFrom: envFrom:
# - secretRef: - secretRef:
# name: vault-snapshot-agent-token name: vault-snapshot-agent-token
# env: env:
# - name: VAULT_ADDR - name: VAULT_ADDR
# value: http://vault-active.vault.svc.cluster.local:8200 value: http://vault-active.vault.svc.cluster.local:8200
# resources: resources:
# requests: requests:
# cpu: 10m cpu: 10m
# memory: 64Mi memory: 64Mi
# containers: containers:
# backup: backup:
# image: image:
# repository: d3fk/s3cmd repository: d3fk/s3cmd
# tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9 tag: latest@sha256:4bdc8e5817cbdd048e6dc487f42e3d96a6b58af69b4be6f256de5e2416da90e9
# pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# command: command:
# - /bin/sh - /bin/sh
# args: args:
# - -ec - -ec
# - | - |
# s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap; s3cmd put --no-check-md5 --no-check-certificate /opt/backup/vault-snapshot-s3.snap s3://vault-backups-bcc1e1433e0ce4be526561cb/cl01tl/cl01tl-vault-snapshots/vault-snapshot-$(date +"%Y%m%d-%H-%M").snap;
# rm -f /opt/backup/vault-snapshot-s3.snap; rm -f /opt/backup/vault-snapshot-s3.snap;
# envFrom: envFrom:
# - secretRef: - secretRef:
# name: vault-snapshot-s3 name: vault-snapshot-s3
# resources: resources:
# requests: requests:
# cpu: 10m cpu: 10m
# memory: 64Mi memory: 64Mi
# serviceAccount: serviceAccount:
# create: true create: true
# persistence: persistence:
# config: config:
# existingClaim: vault-nfs-storage-backup existingClaim: vault-nfs-storage-backup
# advancedMounts: advancedMounts:
# snapshot: snapshot:
# snapshot: snapshot:
# - path: /opt/backup - path: /opt/backup
# readOnly: false readOnly: false
# backup: backup:
# - path: /opt/backup - path: /opt/backup
# readOnly: false readOnly: false
# s3cmd-config: s3cmd-config:
# enabled: true enabled: true
# type: secret type: secret
# name: vault-s3cmd-config name: vault-s3cmd-config
# advancedMounts: advancedMounts:
# snapshot: snapshot:
# backup: backup:
# - path: /root/.s3cfg - path: /root/.s3cfg
# readOnly: true readOnly: true
# mountPropagation: None mountPropagation: None
# subPath: .s3cfg subPath: .s3cfg
# unseal: unseal:
# global: global:
# fullnameOverride: vault-unseal fullnameOverride: vault-unseal
# controllers: controllers:
# unseal-1: unseal-1:
# type: deployment type: deployment
# replicas: 1 replicas: 1
# strategy: Recreate strategy: Recreate
# revisionHistoryLimit: 3 revisionHistoryLimit: 3
# containers: containers:
# main: main:
# image: image:
# repository: ghcr.io/lrstanley/vault-unseal repository: ghcr.io/lrstanley/vault-unseal
# tag: 0.7.0 tag: 0.7.0
# pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# envFrom: envFrom:
# - secretRef: - secretRef:
# name: vault-unseal-config-1 name: vault-unseal-config-1
# resources: resources:
# requests: requests:
# cpu: 10m cpu: 10m
# memory: 24Mi memory: 24Mi
# unseal-2: unseal-2:
# type: deployment type: deployment
# replicas: 1 replicas: 1
# strategy: Recreate strategy: Recreate
# revisionHistoryLimit: 3 revisionHistoryLimit: 3
# containers: containers:
# main: main:
# image: image:
# repository: ghcr.io/lrstanley/vault-unseal repository: ghcr.io/lrstanley/vault-unseal
# tag: 0.7.0 tag: 0.7.0
# pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# envFrom: envFrom:
# - secretRef: - secretRef:
# name: vault-unseal-config-2 name: vault-unseal-config-2
# resources: resources:
# requests: requests:
# cpu: 10m cpu: 10m
# memory: 24Mi memory: 24Mi
# unseal-3: unseal-3:
# type: deployment type: deployment
# replicas: 1 replicas: 1
# strategy: Recreate strategy: Recreate
# revisionHistoryLimit: 3 revisionHistoryLimit: 3
# containers: containers:
# main: main:
# image: image:
# repository: ghcr.io/lrstanley/vault-unseal repository: ghcr.io/lrstanley/vault-unseal
# tag: 0.7.0 tag: 0.7.0
# pullPolicy: IfNotPresent pullPolicy: IfNotPresent
# envFrom: envFrom:
# - secretRef: - secretRef:
# name: vault-unseal-config-3 name: vault-unseal-config-3
# resources: resources:
# requests: requests:
# cpu: 10m cpu: 10m
# memory: 24Mi memory: 24Mi
# serviceAccount: serviceAccount:
# create: true create: true
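Review bot: The `backup` container's `s3cmd put` line runs with `--no-check-certificate`, so the Vault raft snapshot is uploaded to an endpoint whose TLS certificate is never verified and could be intercepted or replaced in transit without the job noticing. I would drop `--no-check-certificate` from that line; if the endpoint really uses a private CA, mount the CA bundle rather than disabling verification. The `snapshot` init container has the same kind of exposure: `VAULT_ADDR` is `http://vault-active.vault.svc.cluster.local:8200`, so the AppRole `secret_id` and the returned client token travel unencrypted on the cluster network unless something outside this hunk encrypts that traffic. Both values sit inside the `snapshot` block restored here; the parent `vault:` mapping starts above the hunk.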