Initial velero setup

cluster-vars/prod/secret.enc.yaml

@@ -4,14 +4,15 @@ metadata:
     name: cluster-vars-prod
     namespace: flux-system
 stringData:
-    DOMAIN: ENC[AES256_GCM,data:+jyZeJE1/Kao,iv:FahMvgbRTegky37Wer513KT8c3lmLv3+SS0aZYPZOX8=,tag:pxy+ZBmJarhsRCOM5SMMWw==,type:str]
+    DOMAIN: ENC[AES256_GCM,data:E5Vu4lZBe8J8,iv:BQ60rtqut0ME3RSiE+Afh5y4XxLEeDhssh7eSBYRvHM=,tag:+cHVuRSpxAjDl05x2pUo/A==,type:str]
-    GITEA_DOMAIN: ENC[AES256_GCM,data:fjzyJeCyLX+MdGVEKA==,iv:g+cui2RdWvBHD1F3Jkc7xuv/NBwsajqvTE2NYdNz9Xc=,tag:AWHr+o1VTnrMgi5uZzeFMA==,type:str]
+    GITEA_DOMAIN: ENC[AES256_GCM,data:7GTEM1Me2KN78zWm/g==,iv:dHfYDR4Rk6iXsmpSt0CaCp/MHRD2dLHfQCP3ly4gixM=,tag:r05ueelCxvmwMeg6hBWwBg==,type:str]
-    AUTHELIA_DOMAIN: ENC[AES256_GCM,data:3ZSdjxDGPcf1NmAFzGo=,iv:DxaaSir4uTTFjQV+++fjAxrFJSlwSP8HFkkm8PAvqFs=,tag:R0BSbuu2hCbdawuNDVPvgA==,type:str]
+    AUTHELIA_DOMAIN: ENC[AES256_GCM,data:R2D9+g59TDNe/jB9Mwo=,iv:5Ai0Mx/CbCotfUsMuRZhSUJlw5QDP5Fx+/lck/aMnhk=,tag:P8geek7CkIEVuK3UP1eZMQ==,type:str]
-    TRAEFIK_DOMAIN: ENC[AES256_GCM,data:rPowzwswvOI2ynrn+NAAdkk=,iv:s8S3jKaLQWkD65L53OvFlK0kjsJi33eGKarzuDnFq00=,tag:pu46HYe/ry5ItTtH4m7+3A==,type:str]
+    TRAEFIK_DOMAIN: ENC[AES256_GCM,data:t2SKcY81OKO+2765biNnyfU=,iv:tPlAovgxXp7+qrWWyF0Q67ql+Ey+itgKX+igOLQrXlA=,tag:lL2uP7PtboK12dQ52bZCWw==,type:str]
-    LEMMA_DOMAIN: ENC[AES256_GCM,data:vhdzucsXurkW4x2CAwbX,iv:RkA9Rghvgrwb3CHeXZG/DX8jpKMBoBhpsowuhpAP16Y=,tag:IBvdLX/V8YFAPa4yynb7yg==,type:str]
+    LEMMA_DOMAIN: ENC[AES256_GCM,data:ZXSvD4FDU8jCVExJhPe+,iv:AuHra0K+xV01ZPfF9JqRzdzAhEWbEOXdtaWk08cnWpc=,tag:UXd3a3AvTMlHB3b0WHn7mA==,type:str]
-    K9S_DOMAIN: ENC[AES256_GCM,data:utYEFrLJlLO3UsrdTA==,iv:jsYa2UkD1jALiWuHbRIihxV94+oyjY7CiA1DNi6d05I=,tag:aszZwOrw2EX/HS/yB5Y4bQ==,type:str]
+    K9S_DOMAIN: ENC[AES256_GCM,data:iHGo7NkwbZAoXYV64w==,iv:N10BV/ZSAVDdEBZVZaYKA9TgOzB09YkC1Fwc3Ujs2/M=,tag:iSbE8S/sn3rMUaYEdIADbg==,type:str]
-    LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:xi0ZHebYX2CdqDqmdRtbbrs9lP1nZZo=,iv:M370GDfYLEkzHQm+c6lCPZsjR3gP+WdZcsAfzYs0XcY=,tag:rEIXERPg6hnWZNWODA8OpA==,type:str]
+    LETSENCRYPT_EMAIL: ENC[AES256_GCM,data:cQi3FMrdySRc6ovINX/rCDYF38SiSjo=,iv:vem+/Mdw6NU1wSZfrR8D5YRV8QcHviA4bsTuyXm6J3o=,tag:ACTYLo0EDxVfMXFnGd5+iA==,type:str]
-    GITEA_ADMIN_EMAIL: ENC[AES256_GCM,data:iaWY/pfRd/5YTTs7d2hbwVk=,iv:nbQ5+YY/qhA4hHZG7DPtr9ob8d5s537MHRvyiDbdq/w=,tag:x1jiDV/hNTYK7jw/v7wDCA==,type:str]
+    GITEA_ADMIN_EMAIL: ENC[AES256_GCM,data:Vt7TbkkdfxLmaGbgekvlgjM=,iv:48dqiXfFozpmEGyox/STp0JPC6V79ZdUhMLboZOqN90=,tag:OQ9tKOoBUsWfgFuqwMrFIg==,type:str]
+    VELERO_BUCKET: ENC[AES256_GCM,data:+1E2KO3Fm4ehw2r3swyVA9+NoFE=,iv:1LEiHiy54GQhQrdkZH7MfjiQkC4BYLVCe+h4gEViO6c=,tag:hwy3vRZlfdpg7LVi4lyrUw==,type:str]
 sops:
     kms: []
     gcp_kms: []
@@ -21,14 +22,14 @@ sops:
         - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
           enc: |
             -----BEGIN AGE ENCRYPTED FILE-----
-            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVm9tTnkwaWNtS3llWDdj
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOWlZ3ajBOM2tFZVk1b2lK
-            NHhWWGJsdWdqQkxyeENWMTROdlNtLzlyeVZnCi94dVJMRjZ3WXU5Qy9xNks4RUdD
+            QVhrU056aitoSHNUL2JTcjZOaWNGMDd2Nnp3CnVNU3paWnhuZEtVV0tpbFRlZUd0
-            Z3dCditYSmwwOXdNRDV5UGFRejFLRncKLS0tIEpudDB4T0lFZTBPZDRrcnNsZUVs
+            SzBFYk1UNmg4LzZpOWtyNTFHRXM3Y2sKLS0tIERMZ0haMTAyRkV6ZW5vMGZ2czhh
-            NEdkTVJrZnllM3ltUng4M25lK3NUdW8KgANcIiGl224KsKehO4qUhu/8+bhqgPFa
+            QW5EUXpYSUxCOXArSGs3aitpSDkxOWcKGGFfZaLa9otWDUJJXl7FE24GNXd8d+CO
-            KKhSXCIvJXlUIIJvmVBfWNJ8/7kGYOZIcXHT63r4EEqdd0D8GOj51Q==
+            yp0UzIyikSoHd+3UvNLWKa7Cz+0Ys8Jyd4E2ZS+egsgmIkQsB2+Taw==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2024-12-30T19:58:11Z"
+    lastmodified: "2025-01-10T23:05:24Z"
-    mac: ENC[AES256_GCM,data:nn5Ldl+mYbUDE/Uef0QQPhvJiYrKtrfxULDBhq1JE4NrWOTPgLlUf2oVYGFbmOJzfaWL7mWVRoSeUK1vOINbMlWNRjS9TNpZFMWfF6Sfr0owWKlpnsCsqc/Lsnp6L4zd2/orle6hyq3pp/g8A0mQcOM0xBvBz39Fu3h54beT5vo=,iv:In4aNC2duiPQ/aKgVJSwSeLysc+IGWrXOQuWY5kHJv4=,tag:eb+xyQ5VkEpGuiXyGXcNhA==,type:str]
+    mac: ENC[AES256_GCM,data:eEBJ+fUvEspCV0mkaBPNdwmUMMzjeZtTMhDxLvwA8yKsYNASWxdHt4xuqjOMbNy/toCoiz9KTCg79zGzJonnBhipfFfH7UaO1uQO3dnPuhrB2+AHwYIv/sPwcOi80GJhrk/B1ORZEPK+NCpWtO+QoRSSpp3/x0vMf8pCJ5lX8+M=,iv:rPkNX509VTLrrVl1RP/iqRYR1oWz0ilW75ZJJRe4ukI=,tag:ecym+skxO2BBu10aG4ZvbQ==,type:str]
     pgp: []
     unencrypted_regex: ^(apiVersion|metadata|kind|type)$
-    version: 3.9.0
+    version: 3.9.1

infrastructure/controllers/kustomization.yaml

@@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - cert-manager
-  - traefik
+  - traefik
+  - velero

infrastructure/controllers/velero/kustomization.yaml

@@ -0,0 +1,8 @@
+# /infrastructure/controllers/velero/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  - secret.enc.yaml
+  - repository.yaml
+  - release.yaml

infrastructure/controllers/velero/namespace.yaml

@@ -0,0 +1,5 @@
+# /infrastructure/controllers/velero/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: velero

infrastructure/controllers/velero/release.yaml

@@ -0,0 +1,86 @@
+# /infrastructure/controllers/velero/release.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: velero
+  namespace: velero
+spec:
+  interval: 1h
+  chart:
+    spec:
+      chart: velero
+      version: 8.2.0
+      sourceRef:
+        kind: HelmRepository
+        name: vmware-tanzu
+        namespace: velero
+  values:
+    # Deploy restic daemon set for volume backup
+    deployRestic: true
+
+    # Configuration settings
+    configuration:
+      provider: aws
+      
+      # Configure backup storage location
+      backupStorageLocation:
+        name: default
+        provider: aws
+        default: true
+        bucket: ${VELERO_BUCKET}
+        config:
+          region: fr-par
+          s3ForcePathStyle: true
+          s3Url: https://s3.fr-par.scw.cloud
+          publicUrl: https://s3.fr-par.scw.cloud
+
+      # Use restic for all pod volumes by default
+      defaultVolumesToRestic: true
+      
+    # Backup schedules
+    schedules:
+      daily-backup:
+        schedule: "0 2 * * *"  # Every day at 2 AM
+        template:
+          includedNamespaces:
+            - gitea
+          storageLocation: default
+          ttl: "168h"  # Keep backups for 1 week
+          includedResources:
+            - persistentvolumeclaims
+            - persistentvolumes
+          labels:
+            type: scheduled
+            period: daily
+
+    # Resource requests and limits
+    resources:
+      requests:
+        cpu: 200m
+        memory: 256Mi
+      limits:
+        cpu: 1000m
+        memory: 512Mi
+
+    # Credentials from a pre-existing secret
+    credentials:
+      existingSecret: velero-s3-credentials
+
+    # Configure restic settings
+    restic:
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 500m
+          memory: 256Mi
+
+    # Configure init containers resources
+    initContainers:
+      - name: velero-plugin-for-aws
+        image: velero/velero-plugin-for-aws:v1.11.1
+        imagePullPolicy: IfNotPresent
+        volumeMounts:
+          - mountPath: /target
+            name: plugins

infrastructure/controllers/velero/repository.yaml

@@ -0,0 +1,9 @@
+# /infrastructure/controllers/vellero/repository.yaml
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: velero-helm-repo
+  namespace: velero
+spec:
+  interval: 24h
+  url: https://vmware-tanzu.github.io/helm-charts

infrastructure/controllers/velero/secret.enc.yaml

@@ -0,0 +1,28 @@
+#ENC[AES256_GCM,data:yGVtwMZGmZORQ4NLcBUoeZoIYGAcgLHs0AT+OIKwenn0FX5a0+FlbC97IKvKxM4=,iv:G5IQPV+kFGNVBw/rr3eRYTso89BksveSWLvsZwihI9c=,tag:ZanPgWaQ2ZsTKiblRZHPNw==,type:comment]
+apiVersion: v1
+kind: Secret
+metadata:
+    name: velero-s3-credentials
+    namespace: velero
+stringData:
+    cloud: ENC[AES256_GCM,data:zEXjmiGstB5h+GrIro48JKZZQlVUIQ2tuAf9NipGWcCRUZ1FZVPdLQvwoCr9xLLn7lwITeTdpZEfTSHYwc0m17SLdKDUSP0cMhqo5uyjJ1EDwR8GrUVgo66mF06yOX0sB1iPqKgKNnMpB3ujzf0J,iv:QTmUUw/Z0+TKmMyW5EDcLqvM0bCKqthe5yIun2cD9KM=,tag:pRxBiLLd4IvW5c5pKtkdZA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDOFFhMG8ySnNKSmZicm44
+            d3cvT1JTWDF5UCsxMmdSNlJvelJBOE1yb0ZFCmxCZXA3em02a0g3OExWRFc4L1l2
+            TDYrYUlkdUw4aVVDK1lVNGFqS2RZaFkKLS0tIC9ETVR2dWR3YkFGQzczeWVmSWRM
+            bEFQMWpNUzBzSzFvNGRuQkRJLzM3QTQK8V9YrrhRkXIBuXWz8hhJzY7LVNOIm6nR
+            LZxSlHOj+ydw37u5Npj3mSDNqtmUp9BdrD6lMNwmnZZXLU0VVLOUog==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-10T23:11:10Z"
+    mac: ENC[AES256_GCM,data:9mBG+oGHvwiZ7Zlq7eyMqcXNLgVjwqUiXOOmEmImWIlx3o3g0DBFx3AovnusMkg12jIXKXM7u2vdna0zKA062TLUyUmRtjNsPEmHlE4QXjqYowdUaHPlXrn6KR996kZKnU7ABsRZF2wAG8HPLNJ0KKna7T/9qqi3Y1txby+PNxw=,iv:mFZ8di9k2Vb6EdCXg4QAGMkjUsMcRtyudqfHsWpMR50=,tag:a6kTnSpopkNPd8wIBNFOiQ==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.9.1