Initial velero setup

infrastructure/controllers/kustomization.yaml

@@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - cert-manager
-  - traefik
+  - traefik
+  - velero

infrastructure/controllers/velero/kustomization.yaml

@@ -0,0 +1,8 @@
+# /infrastructure/controllers/velero/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - secret.enc.yaml
+  - repository.yaml
+  - release.yaml

infrastructure/controllers/velero/namespace.yaml

@@ -0,0 +1,5 @@
+# /infrastructure/controllers/velero/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: velero

infrastructure/controllers/velero/release.yaml

@@ -0,0 +1,86 @@
+# /infrastructure/controllers/velero/release.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: velero
+  namespace: velero
+spec:
+  interval: 1h
+  chart:
+    spec:
+      chart: velero
+      version: 8.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: vmware-tanzu
+        namespace: velero
+  values:
+    # Deploy restic daemon set for volume backup
+    deployRestic: true
+
+    # Configuration settings
+    configuration:
+      provider: aws
+      
+      # Configure backup storage location
+      backupStorageLocation:
+        name: default
+        provider: aws
+        default: true
+        bucket: ${VELERO_BUCKET}
+        config:
+          region: fr-par
+          s3ForcePathStyle: true
+          s3Url: https://s3.fr-par.scw.cloud
+          publicUrl: https://s3.fr-par.scw.cloud
+
+      # Use restic for all pod volumes by default
+      defaultVolumesToRestic: true
+      
+    # Backup schedules
+    schedules:
+      daily-backup:
+        schedule: "0 2 * * *"  # Every day at 2 AM
+        template:
+          includedNamespaces:
+            - gitea
+          storageLocation: default
+          ttl: "168h"  # Keep backups for 1 week
+          includedResources:
+            - persistentvolumeclaims
+            - persistentvolumes
+          labels:
+            type: scheduled
+            period: daily
+
+    # Resource requests and limits
+    resources:
+      requests:
+        cpu: 200m
+        memory: 256Mi
+      limits:
+        cpu: 1000m
+        memory: 512Mi
+
+    # Credentials from a pre-existing secret
+    credentials:
+      existingSecret: velero-s3-credentials
+
+    # Configure restic settings
+    restic:
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 500m
+          memory: 256Mi
+
+    # Configure init containers resources
+    initContainers:
+      - name: velero-plugin-for-aws
+        image: velero/velero-plugin-for-aws:v1.11.1
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+          - mountPath: /target
+            name: plugins

infrastructure/controllers/velero/repository.yaml

@@ -0,0 +1,9 @@
+# /infrastructure/controllers/vellero/repository.yaml
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: velero-helm-repo
+  namespace: velero
+spec:
+  interval: 24h
+  url: https://vmware-tanzu.github.io/helm-charts

infrastructure/controllers/velero/secret.enc.yaml

@@ -0,0 +1,28 @@
+#ENC[AES256_GCM,data:yGVtwMZGmZORQ4NLcBUoeZoIYGAcgLHs0AT+OIKwenn0FX5a0+FlbC97IKvKxM4=,iv:G5IQPV+kFGNVBw/rr3eRYTso89BksveSWLvsZwihI9c=,tag:ZanPgWaQ2ZsTKiblRZHPNw==,type:comment]
+apiVersion: v1
+kind: Secret
+metadata:
+    name: velero-s3-credentials
+    namespace: velero
+stringData:
+    cloud: ENC[AES256_GCM,data:zEXjmiGstB5h+GrIro48JKZZQlVUIQ2tuAf9NipGWcCRUZ1FZVPdLQvwoCr9xLLn7lwITeTdpZEfTSHYwc0m17SLdKDUSP0cMhqo5uyjJ1EDwR8GrUVgo66mF06yOX0sB1iPqKgKNnMpB3ujzf0J,iv:QTmUUw/Z0+TKmMyW5EDcLqvM0bCKqthe5yIun2cD9KM=,tag:pRxBiLLd4IvW5c5pKtkdZA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDOFFhMG8ySnNKSmZicm44
+            d3cvT1JTWDF5UCsxMmdSNlJvelJBOE1yb0ZFCmxCZXA3em02a0g3OExWRFc4L1l2
+            TDYrYUlkdUw4aVVDK1lVNGFqS2RZaFkKLS0tIC9ETVR2dWR3YkFGQzczeWVmSWRM
+            bEFQMWpNUzBzSzFvNGRuQkRJLzM3QTQK8V9YrrhRkXIBuXWz8hhJzY7LVNOIm6nR
+            LZxSlHOj+ydw37u5Npj3mSDNqtmUp9BdrD6lMNwmnZZXLU0VVLOUog==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-10T23:11:10Z"
+    mac: ENC[AES256_GCM,data:9mBG+oGHvwiZ7Zlq7eyMqcXNLgVjwqUiXOOmEmImWIlx3o3g0DBFx3AovnusMkg12jIXKXM7u2vdna0zKA062TLUyUmRtjNsPEmHlE4QXjqYowdUaHPlXrn6KR996kZKnU7ABsRZF2wAG8HPLNJ0KKna7T/9qqi3Y1txby+PNxw=,iv:mFZ8di9k2Vb6EdCXg4QAGMkjUsMcRtyudqfHsWpMR50=,tag:a6kTnSpopkNPd8wIBNFOiQ==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.9.1