diff --git a/cluster-vars/prod/secret.enc.yaml b/cluster-vars/prod/secret.enc.yaml
index af76cc4..f6ed2ef 100644
--- a/cluster-vars/prod/secret.enc.yaml
+++ b/cluster-vars/prod/secret.enc.yaml
@@ -4,14 +4,15 @@ metadata:
 name: cluster-vars-prod
 namespace: flux-system
 stringData:
- DOMAIN: ENC[AES256_GCM,data:+jyZeJE1/Kao,iv:FahMvgbRTegky37Wer513KT8c3lmLv3+SS0aZYPZOX8=,tag:pxy+ZBmJarhsRCOM5SMMWw==,type:str]
- GITEA_DOMAIN: ENC[AES256_GCM,data:fjzyJeCyLX+MdGVEKA==,iv:g+cui2RdWvBHD1F3Jkc7xuv/NBwsajqvTE2NYdNz9Xc=,tag:AWHr+o1VTnrMgi5uZzeFMA==,type:str]
- AUTHELIA_DOMAIN: ENC[AES256_GCM,data:3ZSdjxDGPcf1NmAFzGo=,iv:DxaaSir4uTTFjQV+++fjAxrFJSlwSP8HFkkm8PAvqFs=,tag:R0BSbuu2hCbdawuNDVPvgA==,type:str]
- TRAEFIK_DOMAIN: ENC[AES256_GCM,data:rPowzwswvOI2ynrn+NAAdkk=,iv:s8S3jKaLQWkD65L53OvFlK0kjsJi33eGKarzuDnFq00=,tag:pu46HYe/ry5ItTtH4m7+3A==,type:str]
- LEMMA_DOMAIN: ENC[AES256_GCM,data:vhdzucsXurkW4x2CAwbX,iv:RkA9Rghvgrwb3CHeXZG/DX8jpKMBoBhpsowuhpAP16Y=,tag:IBvdLX/V8YFAPa4yynb7yg==,type:str]
- K9S_DOMAIN: ENC[AES256_GCM,data:utYEFrLJlLO3UsrdTA==,iv:jsYa2UkD1jALiWuHbRIihxV94+oyjY7CiA1DNi6d05I=,tag:aszZwOrw2EX/HS/yB5Y4bQ==,type:str]
- LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:xi0ZHebYX2CdqDqmdRtbbrs9lP1nZZo=,iv:M370GDfYLEkzHQm+c6lCPZsjR3gP+WdZcsAfzYs0XcY=,tag:rEIXERPg6hnWZNWODA8OpA==,type:str]
- GITEA_ADMIN_EMAIL: ENC[AES256_GCM,data:iaWY/pfRd/5YTTs7d2hbwVk=,iv:nbQ5+YY/qhA4hHZG7DPtr9ob8d5s537MHRvyiDbdq/w=,tag:x1jiDV/hNTYK7jw/v7wDCA==,type:str]
+ DOMAIN: ENC[AES256_GCM,data:E5Vu4lZBe8J8,iv:BQ60rtqut0ME3RSiE+Afh5y4XxLEeDhssh7eSBYRvHM=,tag:+cHVuRSpxAjDl05x2pUo/A==,type:str]
+ GITEA_DOMAIN: ENC[AES256_GCM,data:7GTEM1Me2KN78zWm/g==,iv:dHfYDR4Rk6iXsmpSt0CaCp/MHRD2dLHfQCP3ly4gixM=,tag:r05ueelCxvmwMeg6hBWwBg==,type:str]
+ AUTHELIA_DOMAIN: ENC[AES256_GCM,data:R2D9+g59TDNe/jB9Mwo=,iv:5Ai0Mx/CbCotfUsMuRZhSUJlw5QDP5Fx+/lck/aMnhk=,tag:P8geek7CkIEVuK3UP1eZMQ==,type:str]
+ TRAEFIK_DOMAIN: ENC[AES256_GCM,data:t2SKcY81OKO+2765biNnyfU=,iv:tPlAovgxXp7+qrWWyF0Q67ql+Ey+itgKX+igOLQrXlA=,tag:lL2uP7PtboK12dQ52bZCWw==,type:str]
+ LEMMA_DOMAIN: ENC[AES256_GCM,data:ZXSvD4FDU8jCVExJhPe+,iv:AuHra0K+xV01ZPfF9JqRzdzAhEWbEOXdtaWk08cnWpc=,tag:UXd3a3AvTMlHB3b0WHn7mA==,type:str]
+ K9S_DOMAIN: 
ENC[AES256_GCM,data:iHGo7NkwbZAoXYV64w==,iv:N10BV/ZSAVDdEBZVZaYKA9TgOzB09YkC1Fwc3Ujs2/M=,tag:iSbE8S/sn3rMUaYEdIADbg==,type:str]
+ LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:cQi3FMrdySRc6ovINX/rCDYF38SiSjo=,iv:vem+/Mdw6NU1wSZfrR8D5YRV8QcHviA4bsTuyXm6J3o=,tag:ACTYLo0EDxVfMXFnGd5+iA==,type:str]
+ GITEA_ADMIN_EMAIL: ENC[AES256_GCM,data:Vt7TbkkdfxLmaGbgekvlgjM=,iv:48dqiXfFozpmEGyox/STp0JPC6V79ZdUhMLboZOqN90=,tag:OQ9tKOoBUsWfgFuqwMrFIg==,type:str]
+ VELERO_BUCKET: ENC[AES256_GCM,data:+1E2KO3Fm4ehw2r3swyVA9+NoFE=,iv:1LEiHiy54GQhQrdkZH7MfjiQkC4BYLVCe+h4gEViO6c=,tag:hwy3vRZlfdpg7LVi4lyrUw==,type:str]
 sops:
 kms: []
 gcp_kms: []
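Review bot: Every existing value under stringData gets a new ciphertext (fresh data, iv and tag) although the only intended change appears to be the added VELERO_BUCKET key, so a reviewer cannot tell from this diff whether DOMAIN, GITEA_DOMAIN or any other value changed as well. sops normally keeps the ciphertext of values whose plaintext did not change when the file is edited in place, so a wholesale change like this is consistent with a decrypt/re-encrypt round trip or a key rotation. Editing with `sops` in place (or `sops set`) keeps the diff to the one added line and keeps secret changes auditable in git history. If a rotation was intended, the commit message should say so.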
@@ -21,14 +22,14 @@ sops:
 - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVm9tTnkwaWNtS3llWDdj
- NHhWWGJsdWdqQkxyeENWMTROdlNtLzlyeVZnCi94dVJMRjZ3WXU5Qy9xNks4RUdD
- Z3dCditYSmwwOXdNRDV5UGFRejFLRncKLS0tIEpudDB4T0lFZTBPZDRrcnNsZUVs
- NEdkTVJrZnllM3ltUng4M25lK3NUdW8KgANcIiGl224KsKehO4qUhu/8+bhqgPFa
- KKhSXCIvJXlUIIJvmVBfWNJ8/7kGYOZIcXHT63r4EEqdd0D8GOj51Q==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOWlZ3ajBOM2tFZVk1b2lK
+ QVhrU056aitoSHNUL2JTcjZOaWNGMDd2Nnp3CnVNU3paWnhuZEtVV0tpbFRlZUd0
+ SzBFYk1UNmg4LzZpOWtyNTFHRXM3Y2sKLS0tIERMZ0haMTAyRkV6ZW5vMGZ2czhh
+ QW5EUXpYSUxCOXArSGs3aitpSDkxOWcKGGFfZaLa9otWDUJJXl7FE24GNXd8d+CO
+ yp0UzIyikSoHd+3UvNLWKa7Cz+0Ys8Jyd4E2ZS+egsgmIkQsB2+Taw==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-12-30T19:58:11Z"
- mac: ENC[AES256_GCM,data:nn5Ldl+mYbUDE/Uef0QQPhvJiYrKtrfxULDBhq1JE4NrWOTPgLlUf2oVYGFbmOJzfaWL7mWVRoSeUK1vOINbMlWNRjS9TNpZFMWfF6Sfr0owWKlpnsCsqc/Lsnp6L4zd2/orle6hyq3pp/g8A0mQcOM0xBvBz39Fu3h54beT5vo=,iv:In4aNC2duiPQ/aKgVJSwSeLysc+IGWrXOQuWY5kHJv4=,tag:eb+xyQ5VkEpGuiXyGXcNhA==,type:str]
+ lastmodified: "2025-01-10T23:05:24Z"
+ mac: ENC[AES256_GCM,data:eEBJ+fUvEspCV0mkaBPNdwmUMMzjeZtTMhDxLvwA8yKsYNASWxdHt4xuqjOMbNy/toCoiz9KTCg79zGzJonnBhipfFfH7UaO1uQO3dnPuhrB2+AHwYIv/sPwcOi80GJhrk/B1ORZEPK+NCpWtO+QoRSSpp3/x0vMf8pCJ5lX8+M=,iv:rPkNX509VTLrrVl1RP/iqRYR1oWz0ilW75ZJJRe4ukI=,tag:ecym+skxO2BBu10aG4ZvbQ==,type:str]
 pgp: []
 unencrypted_regex: ^(apiVersion|metadata|kind|type)$
- version: 3.9.0
+ version: 3.9.1
diff --git a/infrastructure/controllers/kustomization.yaml b/infrastructure/controllers/kustomization.yaml
index a842e1e..f14ccc9 100644
--- a/infrastructure/controllers/kustomization.yaml
+++ b/infrastructure/controllers/kustomization.yaml
@@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - cert-manager
- - traefik
\ No newline at end of file
+ - traefik
+ - velero
\ No newline at end of file
diff --git a/infrastructure/controllers/velero/kustomization.yaml b/infrastructure/controllers/velero/kustomization.yaml
new file mode 100644
index 0000000..a8d638f
--- /dev/null
+++ b/infrastructure/controllers/velero/kustomization.yaml
@@ -0,0 +1,8 @@
+# /infrastructure/controllers/velero/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - secret.enc.yaml
+ - repository.yaml
+ - release.yaml
diff --git a/infrastructure/controllers/velero/namespace.yaml b/infrastructure/controllers/velero/namespace.yaml
new file mode 100644
index 0000000..4f425b8
--- /dev/null
+++ b/infrastructure/controllers/velero/namespace.yaml
@@ -0,0 +1,5 @@
+# /infrastructure/controllers/velero/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: velero
diff --git a/infrastructure/controllers/velero/release.yaml b/infrastructure/controllers/velero/release.yaml
new file mode 100644
index 0000000..3f0b1d8
--- /dev/null
+++ b/infrastructure/controllers/velero/release.yaml
@@ -0,0 +1,86 @@
+# /infrastructure/controllers/velero/release.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: velero
+ namespace: velero
+spec:
+ interval: 1h
+ chart:
+ spec:
+ chart: velero
+ version: 8.2.0
+ sourceRef:
+ kind: HelmRepository
+ name: vmware-tanzu
+ namespace: velero
+ values:
+ # Deploy restic daemon set for volume backup
+ deployRestic: true
+
+ # Configuration settings
+ configuration:
+ provider: aws
+
+ # Configure backup storage location
+ backupStorageLocation:
+ name: default
+ provider: aws
+ default: true
+ bucket: ${VELERO_BUCKET}
+ config:
+ region: fr-par
+ s3ForcePathStyle: true
+ s3Url: https://s3.fr-par.scw.cloud
+ publicUrl: https://s3.fr-par.scw.cloud
+
+ # Use restic for all pod volumes by default
+ defaultVolumesToRestic: true
+
+ # Backup schedules
+ schedules:
+ daily-backup:
+ schedule: "0 2 * * *" # Every day at 2 AM
+ template:
+ includedNamespaces:
+ - gitea
+ storageLocation: default
+ ttl: "168h" # Keep backups for 1 week
+ includedResources:
+ - persistentvolumeclaims
+ - persistentvolumes
+ labels:
+ type: scheduled
+ period: daily
+
+ # Resource requests and limits
+ resources:
+ requests:
+ cpu: 200m
+ memory: 256Mi
+ limits:
+ cpu: 1000m
+ memory: 512Mi
+
+ # Credentials from a pre-existing secret
+ credentials:
+ existingSecret: velero-s3-credentials
+
+ # Configure restic settings
+ restic:
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 256Mi
+
+ # Configure init containers resources
+ initContainers:
+ - name: velero-plugin-for-aws
+ image: velero/velero-plugin-for-aws:v1.11.1
+ imagePullPolicy: IfNotPresent
+ volumeMounts:
+ - mountPath: /target
+ name: plugins
\ No newline at end of file
diff --git a/infrastructure/controllers/velero/repository.yaml b/infrastructure/controllers/velero/repository.yaml
new file mode 100644
index 0000000..4e4399f
--- /dev/null
+++ b/infrastructure/controllers/velero/repository.yaml
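Review bot: `sourceRef.name: vmware-tanzu` under `chart.spec` does not match the HelmRepository this same commit creates in repository.yaml, whose metadata.name is `velero-helm-repo`, so Flux will fail to resolve the chart source in the velero namespace and the release will never install; change the line to `name: velero-helm-repo` (or rename the HelmRepository) so the two agree. The restic-era value names used here (`deployRestic`, `defaultVolumesToRestic`, the `restic:` block) should be checked against chart 8.2.0's values.yaml: recent majors of this chart renamed them to the node-agent equivalents (`deployNodeAgent`, `configuration.defaultVolumesToFsBackup`, `nodeAgent:`) and made `configuration.backupStorageLocation` a list, and Helm does not reject unknown values unless the chart ships a schema, which would silently leave no node agent and no storage location. `bucket: ${VELERO_BUCKET}` depends on Flux post-build substitution from the cluster-vars-prod secret being enabled on the Kustomization that applies this path, which is not visible in this diff. The plugin image is pinned by tag only; pinning `velero/velero-plugin-for-aws` by digest as well would make the init container's supply chain verifiable.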
@@ -0,0 +1,9 @@
+# /infrastructure/controllers/vellero/repository.yaml
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: velero-helm-repo
+ namespace: velero
+spec:
+ interval: 24h
+ url: https://vmware-tanzu.github.io/helm-charts
\ No newline at end of file
diff --git a/infrastructure/controllers/velero/secret.enc.yaml b/infrastructure/controllers/velero/secret.enc.yaml
new file mode 100644
index 0000000..c48de84
--- /dev/null
+++ b/infrastructure/controllers/velero/secret.enc.yaml
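Review bot: The path comment on the first line reads `# /infrastructure/controllers/vellero/repository.yaml` while the file lives at infrastructure/controllers/velero/repository.yaml, so the header is misleading for anyone grepping by path. It should be `# /infrastructure/controllers/velero/repository.yaml`, matching the sibling files in the same directory.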
@@ -0,0 +1,28 @@
+#ENC[AES256_GCM,data:yGVtwMZGmZORQ4NLcBUoeZoIYGAcgLHs0AT+OIKwenn0FX5a0+FlbC97IKvKxM4=,iv:G5IQPV+kFGNVBw/rr3eRYTso89BksveSWLvsZwihI9c=,tag:ZanPgWaQ2ZsTKiblRZHPNw==,type:comment]
+apiVersion: v1
+kind: Secret
+metadata:
+ name: velero-s3-credentials
+ namespace: velero
+stringData:
+ cloud: ENC[AES256_GCM,data:zEXjmiGstB5h+GrIro48JKZZQlVUIQ2tuAf9NipGWcCRUZ1FZVPdLQvwoCr9xLLn7lwITeTdpZEfTSHYwc0m17SLdKDUSP0cMhqo5uyjJ1EDwR8GrUVgo66mF06yOX0sB1iPqKgKNnMpB3ujzf0J,iv:QTmUUw/Z0+TKmMyW5EDcLqvM0bCKqthe5yIun2cD9KM=,tag:pRxBiLLd4IvW5c5pKtkdZA==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDOFFhMG8ySnNKSmZicm44
+ d3cvT1JTWDF5UCsxMmdSNlJvelJBOE1yb0ZFCmxCZXA3em02a0g3OExWRFc4L1l2
+ TDYrYUlkdUw4aVVDK1lVNGFqS2RZaFkKLS0tIC9ETVR2dWR3YkFGQzczeWVmSWRM
+ bEFQMWpNUzBzSzFvNGRuQkRJLzM3QTQK8V9YrrhRkXIBuXWz8hhJzY7LVNOIm6nR
+ LZxSlHOj+ydw37u5Npj3mSDNqtmUp9BdrD6lMNwmnZZXLU0VVLOUog==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2025-01-10T23:11:10Z"
+ mac: ENC[AES256_GCM,data:9mBG+oGHvwiZ7Zlq7eyMqcXNLgVjwqUiXOOmEmImWIlx3o3g0DBFx3AovnusMkg12jIXKXM7u2vdna0zKA062TLUyUmRtjNsPEmHlE4QXjqYowdUaHPlXrn6KR996kZKnU7ABsRZF2wAG8HPLNJ0KKna7T/9qqi3Y1txby+PNxw=,iv:mFZ8di9k2Vb6EdCXg4QAGMkjUsMcRtyudqfHsWpMR50=,tag:a6kTnSpopkNPd8wIBNFOiQ==,type:str]
+ pgp: []
+ unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+ version: 3.9.1
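Review bot: This new secret, like cluster-vars/prod/secret.enc.yaml in the same commit, is encrypted to exactly one age recipient (age1jk99…c786m), so every cluster secret now depends on a single private key with no second recipient for recovery or for an operator to read the file offline. Adding a second recipient to the sops creation rule before more files are encrypted is cheap now and requires re-encrypting everything later. The secret name and the `cloud` key line up with `credentials.existingSecret: velero-s3-credentials` in release.yaml, which appears to be what the chart expects; worth confirming against the chart's default credentials key name.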