From b3484f22f18b1347cfc6596eb98efc39cbe26b50 Mon Sep 17 00:00:00 2001
From: Tanguy Herbron
Date: Thu, 19 Dec 2024 11:12:02 +0100
Subject: [PATCH] feat(db): Add backup and refine ingress
---
manifests/database-backup.yaml | 10 ++++++++
manifests/database.yaml | 44 +++++++++++++++-----------------
manifests/deployment.yaml | 13 ++++++----
manifests/ingress.yaml | 41 ++++++++++++++++---------------
manifests/kustomization.yaml | 1 +
manifests/pvc.yaml | 7 ++++--
manifests/secrets.yaml | 2 +-
7 files changed, 69 insertions(+), 49 deletions(-)
create mode 100644 manifests/database-backup.yaml
diff --git a/manifests/database-backup.yaml b/manifests/database-backup.yaml
new file mode 100644
index 0000000..78d8676
--- /dev/null
+++ b/manifests/database-backup.yaml
@@ -0,0 +1,10 @@ +apiVersion: postgresql.cnpg.io/v1 +kind: ScheduledBackup +metadata: + name: vaultwarden-db-backup + namespace: vaultwarden +spec: + schedule: "0 0 0 * * *" + backupOwnerReference: self + cluster: + name: vaultwarden-db
diff --git a/manifests/database.yaml b/manifests/database.yaml
index 5fc11a2..c42426e 100644
--- a/manifests/database.yaml
+++ b/manifests/database.yaml
@@ -5,11 +5,11 @@ metadata: namespace: vaultwarden spec: - instances: 2 + instances: 3 storage: size: 1Gi - storageClass: redundant-storage-class + storageClass: local-path bootstrap: initdb:
@@ -22,6 +22,24 @@ spec: pg_hba: - host all all all md5 + backup: + barmanObjectStore: + destinationPath: "s3://halis/cloudnativepg" + endpointURL: https://s3.halia.dev + s3Credentials: + accessKeyId: + name: s3-secret + key: AWS_ACCESS_KEY_ID + secretAccessKey: + name: s3-secret + key: AWS_SECRET_ACCESS_KEY + region: + name: s3-secret + key: AWS_REGION + wal: + compression: gzip + maxParallel: 8 + resources: requests: cpu: 100m
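Review bot: The ScheduledBackup in the new file takes its first backup only at the next firing of `0 0 0 * * *`, because `immediate` is not set, so the cluster has no base backup in the object store until the following midnight; add `  immediate: true` under `spec:` so one is taken as soon as the object is reconciled. The six-field schedule (seconds first) is the format CNPG expects, so the expression is daily at 00:00 as presumably intended. A ScheduledBackup also does not define retention; that is the `backup.retentionPolicy` field on the Cluster, which this commit removes from database.yaml without a replacement.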
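Review bot: The new `backup.barmanObjectStore` block in the `@@ -22,6 +22,24 @@` hunk has no `retentionPolicy`, and the next hunk deletes the old `retentionPolicy: "30d"` together with the `data:` compression and jobs settings, so base backups and archived WAL under `s3://halis/cloudnativepg` accumulate indefinitely unless a bucket lifecycle rule handles it, which this diff cannot show. Restore `  retentionPolicy: "30d"` (or whatever the new bucket's policy is) under `backup:`, and consider re-adding `data: { compression: gzip }` next to the `wal:` block if base-backup size matters. The `endpointURL` now uses https, which is the right choice for the credentials read from `s3-secret`; that Secret is not part of this kustomization as far as the diff shows, so confirm it is delivered by the secrets Application before the first backup runs.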
@@ -30,23 +48,5 @@ spec: cpu: 500m memory: 500Mi - backup: - barmanObjectStore: - destinationPath: s3://cluster-example-full-backup - endpointURL: http://10.10.0.32:9000 - s3Credentials: - accessKeyId: - name: backup-creds - key: ACCESS_KEY_ID - secretAccessKey: - name: backup-creds - key: ACCESS_SECRET_KEY - region: - name: backup-creds - key: REGION - wal: - compression: gzip - data: - compression: gzip - jobs: 2 - retentionPolicy: "30d" + monitoring: + enablePodMonitor: true
diff --git a/manifests/deployment.yaml b/manifests/deployment.yaml
index f1bbddf..701c0ad 100644
--- a/manifests/deployment.yaml
+++ b/manifests/deployment.yaml
@@ -4,7 +4,7 @@ metadata: name: vaultwarden namespace: vaultwarden spec: - replicas: 2 + replicas: 1 selector: matchLabels: app: vaultwarden
@@ -17,7 +17,7 @@ spec: subdomain: vaultwarden containers: - name: vaultwarden - image: vaultwarden/server + image: vaultwarden/server:1.32.6 ports: - containerPort: 80 env:
@@ -35,7 +35,10 @@ spec: secretKeyRef: name: vaultwarden-admin key: token + volumeMounts: + - mountPath: "/data" + name: vaultwarden-data volumes: - - name: vaultwarden-pv - hostPath: - path: "/mnt/vaultwarden" + - name: vaultwarden-data + persistentVolumeClaim: + claimName: vaultwarden-pvc
diff --git a/manifests/ingress.yaml b/manifests/ingress.yaml
index 65b24f3..1b74f29 100644
--- a/manifests/ingress.yaml
+++ b/manifests/ingress.yaml
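Review bot: The image in the `@@ -17,7 +17,7 @@` hunk is now pinned to a tag, `vaultwarden/server:1.32.6`, but a tag is still mutable on the registry, so what runs can change without any manifest change; pin by digest as well, `image: vaultwarden/server:1.32.6@sha256:<DIGEST-OF-1.32.6>` (placeholder, resolve it with your registry tooling), which also makes the rollout reproducible across nodes. The container spec continues outside the hunk, so resources and a securityContext for this container could not be checked here.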
@@ -1,23 +1,26 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: vaultwarden-ingress - namespace: vaultwarden - annotations: - kubernetes.io/ingress.class: "traefik" + name: vaultwarden-ingress + namespace: vaultwarden + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + kubernetes.io/ingress.class: nginx-external + acme.cert-manager.io/http01-edit-in-place: "true" spec: - tls: - - secretName: vaultwarden-beta-tls - hosts: - - bitwarden.beta.halia.dev - rules: - - host: bitwarden.beta.halia.dev - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: vaultwarden-svc - port: - number: 80 + tls: + - hosts: + - bitwarden.halis.io + secretName: bitwarden-halis-io-tls + ingressClassName: nginx-external + rules: + - host: bitwarden.halis.io + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: vaultwarden-svc + port: + number: 80
diff --git a/manifests/kustomization.yaml b/manifests/kustomization.yaml
index 93c987f..244bb23 100644
--- a/manifests/kustomization.yaml
+++ b/manifests/kustomization.yaml
@@ -5,6 +5,7 @@ resources: - namespace.yaml - secrets.yaml - database.yaml + - database-backup.yaml - service.yaml - ingress.yaml - pvc.yaml
diff --git a/manifests/pvc.yaml b/manifests/pvc.yaml
index 14d276d..7626d72 100644
--- a/manifests/pvc.yaml
+++ b/manifests/pvc.yaml
@@ -3,10 +3,13 @@ kind: PersistentVolumeClaim metadata: name: vaultwarden-pvc namespace: vaultwarden + labels: + recurring-job.longhorn.io/source: enabled + recurring-job-group.longhorn.io/standard-pvc: enabled spec: accessModes: - ReadWriteMany - storageClassName: redundant-storage-class resources: requests: - storage: 1Gi + storage: 5Gi + storageClassName: redundant-storage-class
diff --git a/manifests/secrets.yaml b/manifests/secrets.yaml
index c9da1c0..25e5162 100644
--- a/manifests/secrets.yaml
+++ b/manifests/secrets.yaml
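Review bot: The rewritten Ingress sets the class twice, through the deprecated `kubernetes.io/ingress.class: nginx-external` annotation and through `ingressClassName: nginx-external`; the annotation has been deprecated since IngressClass was introduced and controllers differ in which of the two wins when they disagree, so drop the annotation line and keep only `ingressClassName`. The `acme.cert-manager.io/http01-edit-in-place: "true"` annotation lets cert-manager modify this Ingress for the HTTP-01 solver instead of creating its own, which is only needed when a separate solver Ingress cannot be routed; if that is not the case here, removing it keeps the manifest fully declarative. Most of the remaining removed/added pairs are a reindentation of the old block rather than content changes.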
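Review bot: Raising `storage` from 1Gi to 5Gi on an existing claim is an in-place expansion, which the API server only accepts if `redundant-storage-class` has `allowVolumeExpansion: true` and the backing driver supports it; otherwise the PVC update is rejected while the rest of the kustomization still applies, leaving the Deployment on the 1Gi volume. Check the StorageClass before merging, or record the expectation with a comment above the field, `# 5Gi assumes redundant-storage-class allows volume expansion`. The new Longhorn labels `recurring-job.longhorn.io/source: enabled` and `recurring-job-group.longhorn.io/standard-pvc: enabled` only take effect if a RecurringJob in group `standard-pvc` exists, which this diff cannot show.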
@@ -9,7 +9,7 @@ spec: project: default source: repoURL: https://git.halis.io/athens-school/k3s-secrets.git - targetRevision: dev + targetRevision: prod-migration path: vaultwarden syncPolicy: automated:
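Review bot: `targetRevision: prod-migration` points the Application at a branch, so the secrets delivered to this namespace change whenever that branch moves, and the name suggests a temporary branch that will need retargeting once the migration is done; pin to a tag or commit, or at least mark it with `# temporary: switch back to the long-lived branch after the migration` above the line so it is not forgotten. The Application spec starts before this hunk, so the sync options could not be reviewed here.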