Implements daily online backups for oCIS persistent volumes. Each CronJob uses `rclone` to sync its respective PVC to a Storage Box, mounting the volume read-only to ensure zero downtime. Pod affinity is configured to schedule the backup job on the same node as the consuming application pod. This covers `idm`, `storagesystem`, and `storageusers` data volumes.
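# Nightly off-site copy of the oCIS `idm` persistent volume.
# A short-lived rclone pod mounts the PVC read-only and syncs it over SFTP
# to the Storage Box remote "storagebox"; the remote is configured entirely
# through RCLONE_CONFIG_STORAGEBOX_* environment variables, the SSH host and
# user come from the `ocis-storagebox-credentials` Secret.
apiVersion: batch/v1
kind: CronJob
metadata:
  annotations:
    a8r.io/repository: ssh://git@git.tr1ceracop.de:222/gitea_admin/k8s-and-chill.git
  name: ocis-volume-backup-idm
  namespace: ocis
spec:
  # A run that is still in progress when the next schedule fires is not
  # overlapped; the new run is skipped instead.
  concurrencyPolicy: Forbid
  failedJobsHistoryLimit: 3
  jobTemplate:
    spec:
      # NOTE(review): no activeDeadlineSeconds is set, so a hung SFTP session
      # keeps the Job alive indefinitely and, with concurrencyPolicy Forbid,
      # suppresses every following nightly run. Consider an upper bound
      # sized to the expected transfer time, e.g. `activeDeadlineSeconds: <SECONDS>`.
      template:
        spec:
          affinity:
            podAffinity:
              # Run on the node that already hosts the idm pod. Presumably the
              # PVC is ReadWriteOnce and can only be attached to one node at a
              # time — confirm against the PVC's accessModes.
              requiredDuringSchedulingIgnoredDuringExecution:
                - labelSelector:
                    matchLabels:
                      app: idm
                  topologyKey: kubernetes.io/hostname
          containers:
            - args:
                - |
                  set -eu
                  echo "[backup] Syncing ${PVC}..."
                  rclone sync "/pvc" "storagebox:ocis-volumes/${PVC}" \
                    --links \
                    --transfers=4 \
                    -v
                  echo "[backup] Done."
              # `rclone sync` mirrors the source, deletions included: an emptied
              # or corrupted volume replaces the only off-site copy on the next
              # run. For retention, add `--backup-dir` to keep overwritten and
              # deleted files, or rely on Storage Box snapshots.
              # Files are copied while the application may still be writing,
              # so the copy is at best crash-consistent — verify restores.
              command:
                - /bin/sh
                - -c
              env:
                - name: PVC
                  value: idm
                - name: RCLONE_CONFIG_STORAGEBOX_TYPE
                  value: sftp
                - name: RCLONE_CONFIG_STORAGEBOX_PORT
                  value: "23"
                - name: RCLONE_CONFIG_STORAGEBOX_KEY_FILE
                  value: /etc/storagebox/ssh-key
                # The remote shell type and checksum commands are disabled, so
                # rclone relies on size/modtime for change detection.
                - name: RCLONE_CONFIG_STORAGEBOX_SHELL_TYPE
                  value: none
                - name: RCLONE_CONFIG_STORAGEBOX_MD5SUM_COMMAND
                  value: none
                - name: RCLONE_CONFIG_STORAGEBOX_SHA1SUM_COMMAND
                  value: none
                # NOTE(review): no known_hosts file is configured, so the SFTP
                # server's host key is not verified and the transfer is exposed
                # to an on-path impersonation of the Storage Box. Pin the host
                # key by adding a `known_hosts` item to the Secret volume below and
                # setting
                #   - name: RCLONE_CONFIG_STORAGEBOX_KNOWN_HOSTS_FILE
                #     value: /etc/storagebox/known_hosts
                - name: RCLONE_CONFIG_STORAGEBOX_HOST
                  valueFrom:
                    secretKeyRef:
                      key: host
                      name: ocis-storagebox-credentials
                - name: RCLONE_CONFIG_STORAGEBOX_USER
                  valueFrom:
                    secretKeyRef:
                      key: user
                      name: ocis-storagebox-credentials
              image: rclone/rclone:1.69.0
              name: rclone
              resources:
                requests:
                  cpu: 100m
                  memory: 256Mi
              securityContext:
                allowPrivilegeEscalation: false
                capabilities:
                  drop:
                    - ALL
                readOnlyRootFilesystem: true
              volumeMounts:
                # Source data is never writable from the backup container.
                - mountPath: /pvc
                  name: pvc
                  readOnly: true
                - mountPath: /etc/storagebox
                  name: storagebox-ssh
                  readOnly: true
          restartPolicy: OnFailure
          securityContext:
            fsGroup: 1009
            runAsGroup: 1009
            runAsNonRoot: true
            runAsUser: 1009
            seccompProfile:
              type: RuntimeDefault
          volumes:
            - name: pvc
              persistentVolumeClaim:
                claimName: idm-data
            - name: storagebox-ssh
              secret:
                # 288 = 0440: readable by owner and by the pod's fsGroup (1009),
                # which the rclone user belongs to; nothing else.
                defaultMode: 288
                items:
                  - key: ssh-key
                    path: ssh-key
                secretName: ocis-storagebox-credentials
      # Finished Jobs (and their pods/logs) are garbage-collected after a day.
      ttlSecondsAfterFinished: 86400
  # Quoted so the cron expression is unambiguously a string.
  schedule: "30 2 * * *"
  successfulJobsHistoryLimit: 3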