diff --git a/charts/otomi-db/values.yaml b/charts/otomi-db/values.yaml index d4471e02fc..a1239f9650 100644 --- a/charts/otomi-db/values.yaml +++ b/charts/otomi-db/values.yaml @@ -21,25 +21,8 @@ clusterAffinity: topologyKey: kubernetes.io/hostname podAntiAffinityType: preferred -# Example for backups: -# clusterBackup: -# backup: -# barmanObjectStore: -# destinationPath: s3://bucket/ -# endpointURL: "http://minio.minio.svc.cluster.local:9000" -# s3Credentials: -# accessKeyId: -# name: minio-creds -# key: MINIO_ACCESS_KEY -# secretAccessKey: -# name: minio-creds -# key: MINIO_SECRET_KEY - clusterSpec: - bootstrap: - initdb: - database: app - owner: app + bootstrap: {} backup: enabled: false @@ -53,4 +36,4 @@ backup: minioLocal: destinationPath: "" linode: - destinationPath: "" \ No newline at end of file + destinationPath: "" diff --git a/helmfile.d/helmfile-03.init.yaml b/helmfile.d/helmfile-03.init.yaml index 0e783821f4..86acdfd2b3 100644 --- a/helmfile.d/helmfile-03.init.yaml +++ b/helmfile.d/helmfile-03.init.yaml @@ -17,7 +17,7 @@ releases: namespace: argocd labels: app: core - <<: *default + <<: *default - name: otomi-operator installed: true namespace: otomi-operator @@ -57,6 +57,12 @@ releases: pkg: apl-gitea-operator app: core <<: *default + - name: harbor-artifacts + installed: {{ $a | get "harbor.enabled" }} + namespace: harbor + labels: + pkg: harbor + <<: *raw - name: apl-harbor-operator-artifacts installed: {{ $a | get "harbor.enabled" }} namespace: apl-harbor-operator diff --git a/helmfile.d/helmfile-04.databases.yaml b/helmfile.d/helmfile-04.databases.yaml index b0526e357f..3135cd08ee 100644 --- a/helmfile.d/helmfile-04.databases.yaml +++ b/helmfile.d/helmfile-04.databases.yaml @@ -27,7 +27,7 @@ releases: pkg: keycloak <<: *otomiDb - name: gitea-otomi-db - installed: {{ or $v.databases.gitea.useOtomiDB $v.databases.gitea.imported }} + installed: true namespace: gitea labels: pkg: gitea 
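Review bot: `bootstrap: {}` in charts/otomi-db/values.yaml leaves the chart default with no bootstrap method and no comment saying that the per-release templates (values/gitea/gitea-otomi-db.gotmpl, values/harbor/harbor-otomi-db.gotmpl, values/keycloak/keycloak-otomi-db.gotmpl in this diff) are expected to supply either `initdb` or `recovery`. Whether an empty mapping is rendered into the Cluster spec or dropped depends on the chart template, which is outside this diff. A one-line comment above the key, e.g. `# bootstrap (initdb or recovery) is set per release in values/<app>/<app>-otomi-db.gotmpl`, would record the contract. The removed example block was the only in-file hint at the `s3Credentials` layout; if that moved to documentation, a pointer here would help.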
diff --git a/helmfile.d/helmfile-09.init.yaml b/helmfile.d/helmfile-09.init.yaml index 4a0a63bc40..a998ba629a 100644 --- a/helmfile.d/helmfile-09.init.yaml +++ b/helmfile.d/helmfile-09.init.yaml @@ -10,8 +10,6 @@ bases: {{ readFile "snippets/templates.gotmpl" }} {{- $v := .Values }} {{- $a := $v.apps }} -{{- $h := $a.harbor }} -{{- $k := $a.keycloak }} releases: - name: knative-serving-artifacts @@ -40,12 +38,6 @@ releases: labels: pkg: minio <<: *default - - name: harbor-artifacts - installed: {{ $h | get "enabled" }} - namespace: harbor - labels: - pkg: harbor - <<: *raw - name: tekton-triggers installed: true namespace: tekton-pipelines @@ -58,4 +50,4 @@ releases: namespace: otomi-pipelines labels: app: core - <<: *default \ No newline at end of file + <<: *default diff --git a/helmfile.d/snippets/defaults.yaml b/helmfile.d/snippets/defaults.yaml index 8b9b4bbdfe..f57ae0ddc1 100644 --- a/helmfile.d/snippets/defaults.yaml +++ b/helmfile.d/snippets/defaults.yaml @@ -14,7 +14,7 @@ environments: memory: 64Mi limits: cpu: 200m - memory: 256Mi + memory: 256Mi _rawValues: {} argocd: controllerStatusProcessors: 20 @@ -249,7 +249,7 @@ environments: condition: ( container.image.repository in ( docker.io/gitea/gitea - ) or (k8s.ns.name = "keycloak") + ) or (k8s.ns.name = "keycloak") ) - macro: user_known_create_files_below_dev_activities condition: ( @@ -881,7 +881,7 @@ environments: cpu: 100m memory: 256Mi persistence: - master: + master: size: 1Gi sentinel: size: 1Gi @@ -1037,7 +1037,7 @@ environments: memory: 24Mi limits: cpu: 100m - memory: 128Mi + memory: 128Mi _rawValues: {} otel: enabled: false @@ -1261,9 +1261,10 @@ environments: databases: keycloak: imageName: null - imported: false size: 5Gi replicas: 2 + recovery: {} + externalClusters: [] resources: limits: cpu: "200m" @@ -1276,6 +1277,8 @@ environments: size: 5Gi replicas: 2 coreDatabase: registry + recovery: {} + externalClusters: [] resources: limits: cpu: "200m" 
@@ -1285,10 +1288,10 @@ environments: memory: 192Mi gitea: imageName: null - useOtomiDB: true - imported: false size: 5Gi replicas: 2 + recovery: {} + externalClusters: [] resources: limits: cpu: "200m" @@ -1303,12 +1306,23 @@ environments: database: harbor: enabled: false + retentionPolicy: 7d + schedule: 0 0 * * * + pathSuffix: harbor gitea: enabled: false + retentionPolicy: 7d + schedule: 0 0 * * * + pathSuffix: gitea keycloak: enabled: false + retentionPolicy: 7d + schedule: 0 0 * * * + pathSuffix: keycloak gitea: enabled: false + retentionPolicy: 7d + schedule: 0 0 * * * cluster: provider: linode name: apl diff --git a/tests/fixtures/env/settings/platformBackups.yaml b/tests/fixtures/env/settings/platformBackups.yaml index 5b0f5554b7..69acdad160 100644 --- a/tests/fixtures/env/settings/platformBackups.yaml +++ b/tests/fixtures/env/settings/platformBackups.yaml @@ -8,16 +8,46 @@ spec: enabled: true retentionPolicy: 7d schedule: 0 0 * * * + pathSuffix: gitea harbor: enabled: true retentionPolicy: 7d schedule: 0 0 * * * + pathSuffix: harbor-1 + recovery: + source: harbor-backup + database: registry + owner: harbor + externalClusters: + - name: harbor-backup + barmanObjectStore: + serverName: harbor-otomi-db + destinationPath: s3://my-clusterid-harbor/harbor + endpointURL: https://nl-ams-1.linodeobjects.com + s3Credentials: + accessKeyId: + name: linode-creds + key: S3_STORAGE_ACCOUNT + secretAccessKey: + name: linode-creds + key: S3_STORAGE_KEY + wal: + compression: gzip + maxParallel: 8 + data: + compression: gzip keycloak: enabled: true retentionPolicy: 7d schedule: 0 0 * * * + pathSuffix: keycloak-1 + recovery: + backup: + name: keycloak-backup + database: keycloak + owner: keycloak gitea: enabled: true retentionPolicy: 7d - schedule: 0 0 0 * * * + schedule: 0 0 * * * persistentVolumes: {} diff --git a/values-changes.yaml b/values-changes.yaml index ebc5d2276b..76d5f2b828 100644 --- a/values-changes.yaml +++ b/values-changes.yaml 
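Review bot: The new `schedule: 0 0 * * *` defaults in the `platformBackups.database.*` blocks of snippets/defaults.yaml are plain scalars containing `*`; they parse as the intended string, but quoting them (`schedule: '0 0 * * *'`) avoids the alias/glob double-take for readers and linters, and the same unquoted form is repeated in tests/fixtures/env/settings/platformBackups.yaml in this diff. The three database entries get `pathSuffix` while the top-level `gitea:` filesystem-backup entry does not, which looks intentional (it is not a barman path) but deserves a comment such as `# pathSuffix: last path segment under the cnpg bucket; only used by database backups`. The `platformBackups` mapping starts and ends outside this hunk.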
@@ -336,3 +336,8 @@ changes: - databases.harbor.resources.limits.cpu: '200m' - databases.harbor.resources.requests.memory: '192Mi' - databases.harbor.resources.requests.cpu: '200m' + - version: 33 + deletions: + - 'databases.keycloak.imported' + - 'databases.gitea.imported' + - 'databases.gitea.useOtomiDB' diff --git a/values-schema.yaml b/values-schema.yaml index 4dc50771d7..b264b63bbe 100644 --- a/values-schema.yaml +++ b/values-schema.yaml @@ -1655,7 +1655,7 @@ properties: $ref: '#/definitions/email' issuer: description: | - Indicates the origin of the wildcard certificate. + Indicates the origin of the wildcard certificate. The custom-ca - cert-manager uses the customRootCA to generate wildcard certificate. The letsencrypt - cert-manager requests certificate from letsencrypt endpoint. The byo-wildcard-cert allows users to bring their own trusted wildcard certificate (cert-manager not involved) @@ -3168,6 +3168,10 @@ properties: $ref: '#/definitions/backupRetentionPolicy' schedule: $ref: '#/definitions/backupSchedule' + pathSuffix: + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])$' + default: harbor gitea: title: Gitea properties: @@ -3180,6 +3184,10 @@ properties: $ref: '#/definitions/backupRetentionPolicy' schedule: $ref: '#/definitions/backupSchedule' + pathSuffix: + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])$' + default: gitea keycloak: title: Keycloak properties: @@ -3192,6 +3200,10 @@ properties: $ref: '#/definitions/backupRetentionPolicy' schedule: $ref: '#/definitions/backupSchedule' + pathSuffix: + type: string + pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])$' + default: keycloak persistentVolumes: type: object description: Create backups of persistent volumes 
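Review bot: The `pathSuffix` pattern `'^[a-z0-9]([-a-z0-9]*[a-z0-9])$'` in values-schema.yaml rejects every one-character suffix, because the parenthesised group is mandatory and itself requires a trailing character; if single-character values are meant to be valid, make the group optional: `pattern: '^[a-z0-9]([-a-z0-9]*[a-z0-9])?$'`. The same pattern is repeated in the gitea and keycloak hunks of this file, and all three new properties lack a `description`, unlike neighbouring properties such as `persistentVolumes`. Suggested text: `description: Last path segment of the barman destinationPath for this database's backups. When bootstrapping via recovery this should differ from the path the recovery source reads from.` — the second sentence is inferred from the fixture in this commit, which recovers harbor from `.../harbor` while writing to `harbor-1`, so confirm it against the operator's documentation.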
@@ -3293,9 +3305,16 @@ properties: replicas: type: integer default: 2 - imported: - type: boolean - default: false + recovery: + type: object + additionalProperties: true + default: {} + externalClusters: + type: array + items: + type: object + additionalProperties: true + default: [] harbor: title: Harbor properties: @@ -3306,12 +3325,19 @@ properties: replicas: type: integer default: 2 + recovery: + type: object + additionalProperties: true + default: {} + externalClusters: + type: array + items: + type: object + additionalProperties: true + default: [] gitea: title: gitea properties: - useOtomiDB: - type: boolean - default: false size: type: string resources: @@ -3319,9 +3345,16 @@ properties: replicas: type: integer default: 2 - imported: - type: boolean - default: false + recovery: + type: object + additionalProperties: true + default: {} + externalClusters: + type: array + items: + type: object + additionalProperties: true + default: [] teamConfig: additionalProperties: false patternProperties: diff --git a/values/gitea/gitea-otomi-db.gotmpl b/values/gitea/gitea-otomi-db.gotmpl index b93fb798e7..79e3a600dc 100644 --- a/values/gitea/gitea-otomi-db.gotmpl +++ b/values/gitea/gitea-otomi-db.gotmpl 
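Review bot: The `externalClusters` items in the keycloak, harbor and gitea schema hunks are `type: object` with `additionalProperties: true` and no required keys, so an entry without a `name` — which `recovery.source` must reference — passes schema validation and only fails at the operator's admission step. Adding `required: [name]` and `properties: {name: {type: string}}` under `items` would catch that at values-validation time without restricting the rest of the CloudNativePG spec. `recovery` is likewise a free-form object; at minimum give both a `description` stating that they are passed through verbatim to `clusterSpec.bootstrap.recovery` and `clusterSpec.externalClusters`, since the templates in this commit do exactly that via `toYaml`.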
@@ -29,44 +29,21 @@ backup: type: {{ $obj.type }} {{- if eq $obj.type "minioLocal" }} minioLocal: - destinationPath: "s3://cnpg/gitea" + destinationPath: "s3://cnpg/{{ $b.pathSuffix }}" {{- end }} {{- if eq $obj.type "linode" }} linode: - destinationPath: "s3://{{ $obj.linode.buckets.cnpg }}/gitea" + destinationPath: "s3://{{ $obj.linode.buckets.cnpg }}/{{ $b.pathSuffix }}" endpointURL: https://{{ $obj.linode.region }}.linodeobjects.com {{- end }} {{- end }} {{- end }} -{{- if $gdb.imported }} clusterSpec: bootstrap: - initdb: - database: gitea - owner: gitea - secret: - name: gitea-db-secret - import: - type: microservice - databases: - - gitea - source: - externalCluster: gitea-postgresql - externalClusters: - - name: gitea-postgresql - connectionParameters: - host: gitea-postgresql.gitea.svc.cluster.local - user: gitea - dbname: gitea - sslmode: disable - password: - name: gitea-postgresql - key: postgresql-password - +{{- if $gdb.recovery }} + recovery: {{ toYaml $gdb.recovery | nindent 6 }} {{- else }} -clusterSpec: - bootstrap: initdb: database: gitea owner: gitea @@ -75,5 +52,8 @@ clusterSpec: localeCollate: 'en_US.UTF-8' localeCType: 'en_US.UTF-8' {{- end }} +{{- if $gdb.externalClusters }} + externalClusters: {{ toYaml $gdb.externalClusters | nindent 4 }} +{{- end }} resources: {{- toYaml $gdb.resources | nindent 2 }} diff --git a/values/gitea/gitea-raw.gotmpl b/values/gitea/gitea-raw.gotmpl index 251af31ca5..9ebbe29cda 100644 --- a/values/gitea/gitea-raw.gotmpl +++ b/values/gitea/gitea-raw.gotmpl 
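Review bot: `{{- if $gdb.recovery }}` in values/gitea/gitea-otomi-db.gotmpl differs from the `{{- with $hdb.recovery }}` / `{{- with $kdb.recovery }}` form used in the harbor and keycloak templates of this same commit; `{{- with $gdb.recovery }}` with `recovery: {{ toYaml . | nindent 6 }}` would align the three and avoid repeating the variable. `$b`, used in the new `destinationPath` lines, is bound above the hunk and cannot be checked here; if it is the `platformBackups.database.gitea` block, `pathSuffix` is only guaranteed by the new default in snippets/defaults.yaml. The removed imported branch also carried `secret: name: gitea-db-secret` under `initdb`; the lines between `owner: gitea` and `localeCollate` in the surviving branch are outside the hunk, so whether the secret is still set cannot be confirmed from here.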
@@ -2,6 +2,9 @@ {{- $otomiAdmin := "otomi-admin" }} {{- $obj := $v.obj.provider }} {{- $giteaBackupConfig := $v.platformBackups.gitea }} +{{- $rcloneVersion := "1.69.0" }} +{{- $rcloneZipSha512 := "35ee43f2c52599f80fcd753f7fef3fd8ad7ddcc4d22025ab67cbcfb9cf516bb819a303f3fe9d79b38593c392fd6c4748cdbc24c87ba2a93fd42c6ebfef0908b0" }} +{{- $rcloneBinSha512 := "cb5de4f3d5a5f03791c19fe25304eac874fa1a5db30867c1b7919bc9a99f1fb30d709b1ad16a18f5ef878952282f376b97001ba48578f2006d8a400a130ee542" }} resources: {{- if $v._derived.untrustedCA }} @@ -64,7 +67,7 @@ resources: rules: - apiGroups: [""] resources: ["pods"] - verbs: ["get", "watch", "list"] + verbs: ["get", "watch", "list"] - apiGroups: [""] resources: ["pods/exec"] verbs: ["create"] @@ -76,7 +79,7 @@ resources: - kind: ServiceAccount name: gitea-backup roleRef: - kind: Role + kind: Role name: gitea-backup-operator apiGroup: rbac.authorization.k8s.io - apiVersion: batch/v1 
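Review bot: The three new `$rcloneVersion` / `$rcloneZipSha512` / `$rcloneBinSha512` variables pin the download and the extracted binary, but nothing records where the digests came from or that both must be refreshed together. A comment above them, e.g. `{{/* SHA512 of rclone-v<version>-linux-amd64.zip and of the extracted rclone binary; recompute both from the upstream release checksums when bumping $rcloneVersion */}}`, makes the next bump a verification step rather than a copy-paste. As far as the later hunk in this file shows, the binary digest is re-checked on every job run, which is the right place for it.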
@@ -95,29 +98,31 @@ resources: spec: serviceAccountName: gitea-backup containers: - - image: bitnami/kubectl:1.30 + - image: bitnami/kubectl:1.31 name: kubectl command: - /bin/sh - -ec - >- kubectl exec gitea-0 -- /bin/sh -ec " + echo 'Verifying Rclone...' && + ( test ! -f '/backup/.bin/rclone' || echo '{{ $rcloneBinSha512 }} /backup/.bin/rclone' | sha512sum -c - || rm '/backup/.bin/rclone' ) && if [ ! -f '/backup/.bin/rclone' ]; then echo 'Installing RClone...' && mkdir -p /backup/.bin && cd /backup/.bin && - curl -fsSL -o rclone.zip https://github.com/rclone/rclone/releases/download/v1.68.0/rclone-v1.68.0-linux-amd64.zip && - echo '2fd93c246c72fa6bb192d33b0447013b31a982f9daaaa1f9c0b85e99f4233ee47c089e8b3f7f994dfe21090dab8e2adaec2e62c68aed0c7dadbac9bcce4e1706 rclone.zip' | sha512sum -c - && - unzip -oj rclone.zip + curl -fsSL -o rclone.zip https://github.com/rclone/rclone/releases/download/v{{ $rcloneVersion }}/rclone-v{{ $rcloneVersion }}-linux-amd64.zip && + echo '{{ $rcloneZipSha512 }} rclone.zip' | sha512sum -c - && + unzip -oj rclone.zip && + echo '{{ $rcloneBinSha512 }} rclone' | sha512sum -c - fi && cd /backup && echo 'Creating backup...' && gitea dump --type tar.bz2 && - echo '5d20f5562609695b565d696980bbee91ec0503ed946410eb2e6024a8b6850ebd5b587d5c71488f471012ea39e6bf440d843840165e8ac75cd0ec737defa2a749 .bin/rclone' | sha512sum -c - && echo 'Uploading to object storage...' && .bin/rclone copy --exclude '\.*/**' /backup gitea:/\$BUCKET_NAME && echo 'Removing old backups from object storage...' && - .bin/rclone sync --min-age $RETENTION_TIME --exclude '\.*/**' /backup gitea:/\$BUCKET_NAME && + .bin/rclone delete --min-age $RETENTION_TIME --exclude '\.*/**' gitea:/\$BUCKET_NAME && echo 'Cleaning up local backups...' && find . -type f -iname '*.tar.bz2' -ctime +1 -delete" resources: diff --git a/values/gitea/gitea.gotmpl b/values/gitea/gitea.gotmpl index 740dd00056..60880dc3ce 100644 --- a/values/gitea/gitea.gotmpl +++ b/values/gitea/gitea.gotmpl 
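Review bot: `image: bitnami/kubectl:1.31` is still a mutable tag while the rclone zip and binary in the same script are now pinned by SHA512; pinning the image by digest (`bitnami/kubectl:1.31@sha256:<digest-placeholder>`) would make the job's supply chain consistent with the rest of the hunk. The pre-check `( test ! -f '/backup/.bin/rclone' || … sha512sum -c - || rm '/backup/.bin/rclone' )` is sound: a mismatched binary is removed and reinstalled, and if the post-unzip check fails the leftover is removed on the next run. Switching from `rclone sync --min-age` to `rclone delete --min-age` expresses the retention intent directly instead of depending on what is left in the local `/backup` directory. `$RETENTION_TIME` is expanded by the kubectl container's shell while `\$BUCKET_NAME` is expanded inside gitea-0; that looks intentional but relies on environment set outside this hunk.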
@@ -53,7 +53,6 @@ gitea: username: {{ $g.adminUsername }} password: {{ $g.adminPassword }} config: - {{- if $gdb.useOtomiDB }} database: DB_TYPE: postgres HOST: gitea-db-rw.gitea.svc.cluster.local:5432 @@ -61,7 +60,6 @@ gitea: USER: gitea PASSWD: {{ $v.apps.gitea.postgresqlPassword }} SCHEMA: public - {{- end }} admin: DISABLE_REGULAR_ORG_CREATION: false log: @@ -112,7 +110,7 @@ gitea: DOMAIN: {{ $giteaDomain }} ROOT_URL: "https://{{ $giteaDomain }}/" DISABLE_SSH: true - + metrics: enabled: true serviceMonitor: @@ -141,7 +139,7 @@ statefulset: valueFrom: secretKeyRef: name: minio-creds - key: MINIO_SECRET_KEY + key: MINIO_SECRET_KEY {{- else if eq $obj.type "linode" }} - name: RCLONE_CONFIG_GITEA_PROVIDER value: Linode @@ -159,7 +157,7 @@ statefulset: key: S3_STORAGE_KEY {{- end }} - name: BUCKET_NAME - value: {{ $giteaBucketName }} + value: {{ $giteaBucketName }} memcached: # @TODO: @@ -182,50 +180,7 @@ persistence: size: 1Gi postgresql: - {{- if $gdb.useOtomiDB }} enabled: false - {{- else }} - enabled: true - {{- end }} - # @TODO: - image: - tag: {{ $g | get "image.postgresql.tag" "13.5.0" }} - pullPolicy: {{ $g | get "image.postgresql.pullPolicy" "IfNotPresent" }} - metrics: - image: - tag: 0.10.0 - persistence: - size: 1Gi - global: - postgresql: - postgresqlPassword: {{ $g | get "postgresqlPassword" }} - postgresqlPostgresPassword: {{ $g | get "postgresqlPassword" }} - resources: - {{ with $g | get "resources.postgresql" nil }} - {{- toYaml . | nindent 4 }} - {{- else }} - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 250m - memory: 256Mi - {{- end }} - metrics: - enabled: true - resources: - limits: - cpu: 200m - memory: 128M - requests: - cpu: 50m - memory: 64M - securityContext: - enabled: true - serviceMonitor: - enabled: true - additionalLabels: - prometheus: system extraVolumeMounts: - name: backup diff --git a/values/harbor/harbor-otomi-db.gotmpl b/values/harbor/harbor-otomi-db.gotmpl index 341ebb056c..5db9000348 100644 
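Review bot: `PASSWD: {{ $v.apps.gitea.postgresqlPassword }}` in the `gitea.config.database` block of values/gitea/gitea.gotmpl, now rendered unconditionally since the `useOtomiDB` guard was removed, is an unquoted template expansion; a generated password containing `: `, ` #` or a leading YAML indicator would change the rendered structure rather than the value. Quote it, `PASSWD: "{{ $v.apps.gitea.postgresqlPassword }}"`, and likewise `password: "{{ $g.adminPassword }}"` a few lines above. Dropping the bundled `postgresql` chart configuration in favour of `enabled: false` is consistent with `installed: true` for `gitea-otomi-db` in helmfile-04.databases.yaml. The `gitea.config` mapping starts and ends outside these hunks.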
--- a/values/harbor/harbor-otomi-db.gotmpl +++ b/values/harbor/harbor-otomi-db.gotmpl @@ -28,11 +28,11 @@ backup: type: {{ $obj.type }} {{- if eq $obj.type "minioLocal" }} minioLocal: - destinationPath: "s3://cnpg/harbor" + destinationPath: "s3://cnpg/{{ $b.pathSuffix }}" {{- end }} {{- if eq $obj.type "linode" }} linode: - destinationPath: "s3://{{ $obj.linode.buckets.cnpg }}/harbor" + destinationPath: "s3://{{ $obj.linode.buckets.cnpg }}/{{ $b.pathSuffix }}" endpointURL: https://{{ $obj.linode.region }}.linodeobjects.com {{- end }} {{- end }} @@ -40,10 +40,17 @@ backup: clusterSpec: bootstrap: +{{- with $hdb.recovery }} + recovery: {{ toYaml . | nindent 6 }} +{{- else }} initdb: database: {{ $hdb.coreDatabase }} owner: harbor localeCollate: 'en_US.UTF-8' localeCType: 'en_US.UTF-8' +{{- end }} +{{- with $hdb.externalClusters }} + externalClusters: {{ toYaml . | nindent 4 }} +{{- end }} resources: {{- toYaml $hdb.resources | nindent 2 }} diff --git a/values/keycloak/keycloak-otomi-db.gotmpl b/values/keycloak/keycloak-otomi-db.gotmpl index 2245d0b07c..2d58d53c01 100644 --- a/values/keycloak/keycloak-otomi-db.gotmpl +++ b/values/keycloak/keycloak-otomi-db.gotmpl 
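Review bot: The new `destinationPath: "s3://…/{{ $b.pathSuffix }}"` lines in values/harbor/harbor-otomi-db.gotmpl now decide whether a recovered cluster writes its backups to the same object-store path it was restored from, and nothing in the template says so. The fixture in this commit recovers harbor from `…/harbor` while backing up to `harbor-1`, which, if I recall the CloudNativePG documentation correctly, is required so the new cluster's WAL archive does not overwrite the source backup. A template comment above the backup block, e.g. `{{/* when bootstrapping via recovery, pathSuffix must differ from the recovery source's path */}}`, would make that contract visible where it matters. `$b` and `$hdb` are bound above the hunk; the `with … else … end` rewrite of `bootstrap` is clean and matches the keycloak template.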
@@ -29,47 +29,29 @@ backup: type: {{ $obj.type }} {{- if eq $obj.type "minioLocal" }} minioLocal: - destinationPath: "s3://cnpg/keycloak" + destinationPath: "s3://cnpg/{{ $b.pathSuffix }}" {{- end }} {{- if eq $obj.type "linode" }} linode: - destinationPath: "s3://{{ $obj.linode.buckets.cnpg }}/keycloak" + destinationPath: "s3://{{ $obj.linode.buckets.cnpg }}/{{ $b.pathSuffix }}" endpointURL: https://{{ $obj.linode.region }}.linodeobjects.com {{- end }} {{- end }} {{- end }} -{{- if $kdb.imported }} clusterSpec: bootstrap: - initdb: - database: keycloak - owner: keycloak - import: - type: microservice - databases: - - keycloak - source: - externalCluster: keycloak-postgresql - externalClusters: - - name: keycloak-postgresql - connectionParameters: - host: keycloak-postgresql.keycloak.svc.cluster.local - user: keycloak - dbname: keycloak - sslmode: disable - password: - name: keycloak-postgresql - key: postgresql-password - +{{- with $kdb.recovery }} + recovery: {{ toYaml . | nindent 6 }} {{- else }} -clusterSpec: - bootstrap: initdb: database: keycloak owner: keycloak localeCollate: 'en_US.UTF-8' localeCType: 'en_US.UTF-8' {{- end }} +{{- with $kdb.externalClusters }} + externalClusters: {{ toYaml . | nindent 4 }} +{{- end }} -resources: {{- toYaml $kdb.resources | nindent 2 }} \ No newline at end of file +resources: {{- toYaml $kdb.resources | nindent 2 }}