diff --git a/prototypes/ocis/ytt/volume-backup-cronjob.ytt.yaml b/prototypes/ocis/ytt/volume-backup-cronjob.ytt.yaml new file mode 100644 index 0000000..1a52974 --- /dev/null +++ b/prototypes/ocis/ytt/volume-backup-cronjob.ytt.yaml @@ -0,0 +1,120 @@ +#@ load("@ytt:data", "data") + +#@ ns = data.values.application.namespace + +#! Daily online volume backup. One CronJob per oCIS PVC, each pinned +#! via podAffinity to the consumer pod that already holds that volume. +#! Mounts the RWO PVC read-only alongside the running app — no +#! downtime, no scale-down dance, no cross-pod coupling. +#! +#! Storage Box layout (latest-state mirror): +#! storagebox:ocis-volumes/{pvc}/... +#! +#! NOTE: online backup — not crash-consistent. decomposedfs writes may +#! be caught mid-flight. Acceptable trade for zero-downtime. + +#@ targets = [ +#@ {"app": "storageusers", "pvc": "storageusers-data"}, +#@ {"app": "idm", "pvc": "idm-data"}, +#@ {"app": "storagesystem", "pvc": "storagesystem-data"}, +#@ ] + +#@ for t in targets: +--- +apiVersion: batch/v1 +kind: CronJob +metadata: + name: #@ "ocis-volume-backup-{}".format(t["app"]) + namespace: #@ ns +spec: + schedule: "30 2 * * *" + concurrencyPolicy: Forbid + successfulJobsHistoryLimit: 3 + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + ttlSecondsAfterFinished: 86400 + template: + spec: + restartPolicy: OnFailure + securityContext: + runAsNonRoot: true + runAsUser: 1009 + runAsGroup: 1009 + fsGroup: 1009 + seccompProfile: + type: RuntimeDefault + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: #@ t["app"] + topologyKey: kubernetes.io/hostname + containers: + - name: rclone + image: rclone/rclone:1.69.0 + command: [/bin/sh, -c] + args: + - | + set -eu + echo "[backup] Syncing ${PVC}..." + rclone sync "/pvc" "storagebox:ocis-volumes/${PVC}" \ + --links \ + --transfers=4 \ + -v + echo "[backup] Done." + resources: + requests: + cpu: 100m + memory: 256Mi + env: + - name: PVC + value: #@ t["app"] + - name: RCLONE_CONFIG_STORAGEBOX_TYPE + value: sftp + - name: RCLONE_CONFIG_STORAGEBOX_PORT + value: "23" + - name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE + value: /etc/storagebox/ssh-key + - name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE + value: none + - name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND + value: none + - name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND + value: none + - name: RCLONE_CONFIG_STORAGEBOX_HOST + valueFrom: + secretKeyRef: + name: ocis-storagebox-credentials + key: host + - name: RCLONE_CONFIG_STORAGEBOX_USER + valueFrom: + secretKeyRef: + name: ocis-storagebox-credentials + key: user + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: + drop: + - ALL + volumeMounts: + - name: pvc + mountPath: /pvc + readOnly: true + - name: storagebox-ssh + mountPath: /etc/storagebox + readOnly: true + volumes: + - name: pvc + persistentVolumeClaim: + claimName: #@ t["pvc"] + - name: storagebox-ssh + secret: + secretName: ocis-storagebox-credentials + items: + - key: ssh-key + path: ssh-key + defaultMode: 0440 +#@ end diff --git a/rendered/envs/production/ocis/cronjob-ocis-volume-backup-idm.yaml b/rendered/envs/production/ocis/cronjob-ocis-volume-backup-idm.yaml new file mode 100644 index 0000000..bdb7629 --- /dev/null +++ b/rendered/envs/production/ocis/cronjob-ocis-volume-backup-idm.yaml @@ -0,0 +1,100 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + name: ocis-volume-backup-idm + namespace: ocis +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + template: + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: idm + topologyKey: kubernetes.io/hostname + containers: + - args: + - | + set -eu + echo "[backup] Syncing ${PVC}..." + rclone sync "/pvc" "storagebox:ocis-volumes/${PVC}" \ + --links \ + --transfers=4 \ + -v + echo "[backup] Done." + command: + - /bin/sh + - -c + env: + - name: PVC + value: idm + - name: RCLONE_CONFIG_STORAGEBOX_TYPE + value: sftp + - name: RCLONE_CONFIG_STORAGEBOX_PORT + value: "23" + - name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE + value: /etc/storagebox/ssh-key + - name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE + value: none + - name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND + value: none + - name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND + value: none + - name: RCLONE_CONFIG_STORAGEBOX_HOST + valueFrom: + secretKeyRef: + key: host + name: ocis-storagebox-credentials + - name: RCLONE_CONFIG_STORAGEBOX_USER + valueFrom: + secretKeyRef: + key: user + name: ocis-storagebox-credentials + image: rclone/rclone:1.69.0 + name: rclone + resources: + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /pvc + name: pvc + readOnly: true + - mountPath: /etc/storagebox + name: storagebox-ssh + readOnly: true + restartPolicy: OnFailure + securityContext: + fsGroup: 1009 + runAsGroup: 1009 + runAsNonRoot: true + runAsUser: 1009 + seccompProfile: + type: RuntimeDefault + volumes: + - name: pvc + persistentVolumeClaim: + claimName: idm-data + - name: storagebox-ssh + secret: + defaultMode: 288 + items: + - key: ssh-key + path: ssh-key + secretName: ocis-storagebox-credentials + ttlSecondsAfterFinished: 86400 + schedule: 30 2 * * * + successfulJobsHistoryLimit: 3 diff --git a/rendered/envs/production/ocis/cronjob-ocis-volume-backup-storagesystem.yaml b/rendered/envs/production/ocis/cronjob-ocis-volume-backup-storagesystem.yaml new file mode 100644 index 0000000..c076f9b --- /dev/null +++ b/rendered/envs/production/ocis/cronjob-ocis-volume-backup-storagesystem.yaml @@ -0,0 +1,100 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + name: ocis-volume-backup-storagesystem + namespace: ocis +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + template: + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: storagesystem + topologyKey: kubernetes.io/hostname + containers: + - args: + - | + set -eu + echo "[backup] Syncing ${PVC}..." + rclone sync "/pvc" "storagebox:ocis-volumes/${PVC}" \ + --links \ + --transfers=4 \ + -v + echo "[backup] Done." + command: + - /bin/sh + - -c + env: + - name: PVC + value: storagesystem + - name: RCLONE_CONFIG_STORAGEBOX_TYPE + value: sftp + - name: RCLONE_CONFIG_STORAGEBOX_PORT + value: "23" + - name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE + value: /etc/storagebox/ssh-key + - name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE + value: none + - name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND + value: none + - name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND + value: none + - name: RCLONE_CONFIG_STORAGEBOX_HOST + valueFrom: + secretKeyRef: + key: host + name: ocis-storagebox-credentials + - name: RCLONE_CONFIG_STORAGEBOX_USER + valueFrom: + secretKeyRef: + key: user + name: ocis-storagebox-credentials + image: rclone/rclone:1.69.0 + name: rclone + resources: + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /pvc + name: pvc + readOnly: true + - mountPath: /etc/storagebox + name: storagebox-ssh + readOnly: true + restartPolicy: OnFailure + securityContext: + fsGroup: 1009 + runAsGroup: 1009 + runAsNonRoot: true + runAsUser: 1009 + seccompProfile: + type: RuntimeDefault + volumes: + - name: pvc + persistentVolumeClaim: + claimName: storagesystem-data + - name: storagebox-ssh + secret: + defaultMode: 288 + items: + - key: ssh-key + path: ssh-key + secretName: ocis-storagebox-credentials + ttlSecondsAfterFinished: 86400 + schedule: 30 2 * * * + successfulJobsHistoryLimit: 3 diff --git a/rendered/envs/production/ocis/cronjob-ocis-volume-backup-storageusers.yaml b/rendered/envs/production/ocis/cronjob-ocis-volume-backup-storageusers.yaml new file mode 100644 index 0000000..9e3fd23 --- /dev/null +++ b/rendered/envs/production/ocis/cronjob-ocis-volume-backup-storageusers.yaml @@ -0,0 +1,100 @@ +apiVersion: batch/v1 +kind: CronJob +metadata: + annotations: + a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git + name: ocis-volume-backup-storageusers + namespace: ocis +spec: + concurrencyPolicy: Forbid + failedJobsHistoryLimit: 3 + jobTemplate: + spec: + template: + spec: + affinity: + podAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + - labelSelector: + matchLabels: + app: storageusers + topologyKey: kubernetes.io/hostname + containers: + - args: + - | + set -eu + echo "[backup] Syncing ${PVC}..." + rclone sync "/pvc" "storagebox:ocis-volumes/${PVC}" \ + --links \ + --transfers=4 \ + -v + echo "[backup] Done." + command: + - /bin/sh + - -c + env: + - name: PVC + value: storageusers + - name: RCLONE_CONFIG_STORAGEBOX_TYPE + value: sftp + - name: RCLONE_CONFIG_STORAGEBOX_PORT + value: "23" + - name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE + value: /etc/storagebox/ssh-key + - name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE + value: none + - name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND + value: none + - name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND + value: none + - name: RCLONE_CONFIG_STORAGEBOX_HOST + valueFrom: + secretKeyRef: + key: host + name: ocis-storagebox-credentials + - name: RCLONE_CONFIG_STORAGEBOX_USER + valueFrom: + secretKeyRef: + key: user + name: ocis-storagebox-credentials + image: rclone/rclone:1.69.0 + name: rclone + resources: + requests: + cpu: 100m + memory: 256Mi + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + readOnlyRootFilesystem: true + volumeMounts: + - mountPath: /pvc + name: pvc + readOnly: true + - mountPath: /etc/storagebox + name: storagebox-ssh + readOnly: true + restartPolicy: OnFailure + securityContext: + fsGroup: 1009 + runAsGroup: 1009 + runAsNonRoot: true + runAsUser: 1009 + seccompProfile: + type: RuntimeDefault + volumes: + - name: pvc + persistentVolumeClaim: + claimName: storageusers-data + - name: storagebox-ssh + secret: + defaultMode: 288 + items: + - key: ssh-key + path: ssh-key + secretName: ocis-storagebox-credentials + ttlSecondsAfterFinished: 86400 + schedule: 30 2 * * * + successfulJobsHistoryLimit: 3