# Private Backblaze B2 bucket that holds the cluster backups (etcd + Velero)
# and, further down in this file, the per-namespace Postgres backups.
# Access is granted only through the application keys defined below; the
# connection details are handed to the cluster as Kubernetes Secrets.
resource "b2_bucket" "backups" {
  bucket_type = "allPrivate"
  bucket_name = "samcday-home-cluster-backups"

  # Bucket-wide rule (empty prefix): a file version that has been hidden is
  # kept for 7 more days before B2 purges it, which leaves a short window to
  # recover from an accidental or unwanted deletion made with one of the
  # keys below. Nothing is auto-hidden; only explicit deletes are affected.
  lifecycle_rules {
    file_name_prefix             = ""
    days_from_hiding_to_deleting = 7
  }
}
# Cluster-level key consumed from kube-system (rclone + Velero, see the
# "backups-bucket" Secret below).
# No name_prefix is set, so this single key can list, read, write and delete
# every object in the bucket, including the postgres/* prefixes that the
# per-namespace keys further down are restricted to. Scope it with a
# name_prefix if the kube-system tooling only needs a subtree.
resource "b2_application_key" "backups" {
  bucket_id = b2_bucket.backups.bucket_id
  key_name  = "kube-system"
  capabilities = [
    "listAllBucketNames",
    "listBuckets",
    "listFiles",
    "readFiles",
    "writeFiles",
    "deleteFiles",
  ]
}
# etcd + velero backups go here
# Connection details for the cluster-level key (b2_application_key.backups),
# delivered to kube-system. Both entries embed the key's application_key, so
# the credential is plaintext in Terraform state as well as in this Secret:
# the state backend must be treated as sensitive.
resource "kubernetes_secret" "backups-bucket" {
metadata {
name = "backups-bucket"
namespace = "kube-system"
}
data = {
# rclone remote using the B2 S3-compatible API. The endpoint is hard-coded
# here; NOTE(review): confirm it matches the region of b2_bucket.backups.
"rclone.conf" = <<-EOT
[remote]
type = s3
provider = Other
access_key_id = ${b2_application_key.backups.application_key_id}
secret_access_key = ${b2_application_key.backups.application_key}
endpoint = s3.eu-central-003.backblazeb2.com
acl = private
EOT
# AWS-style credentials file ("default" profile) with the same key pair;
# presumably mounted for Velero's object-store plugin — verify against the
# Velero configuration.
"velero" = <<-EOT
[default]
aws_access_key_id=${b2_application_key.backups.application_key_id}
aws_secret_access_key=${b2_application_key.backups.application_key}
EOT
}
}
locals {
  # Namespaces that each get their own scoped B2 key and
  # "postgres-backups-bucket" Secret for Postgres backups.
  pg_namespaces = toset([
    "forgejo", "harbor", "headscale", "miniflux",
    "monitoring", "paperless", "synapse", "vaultwarden",
  ])
}
# One B2 key per Postgres namespace. name_prefix confines each key to its
# own postgres/<namespace> subtree of the shared bucket, so a leaked key from
# one namespace cannot read or delete another namespace's backups.
# deleteFiles is presumably required for retention pruning — confirm against
# the backup tooling in use.
resource "b2_application_key" "postgres-backup-keys" {
  for_each = local.pg_namespaces

  bucket_id   = b2_bucket.backups.bucket_id
  key_name    = "postgres-backup-${each.key}"
  name_prefix = "postgres/${each.key}"
  capabilities = [
    "listAllBucketNames",
    "listBuckets",
    "listFiles",
    "readFiles",
    "writeFiles",
    "deleteFiles",
  ]
}
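# Per-namespace Secret carrying the scoped B2 key for that namespace's
# Postgres backups. The application_key value is plaintext in Terraform
# state as well as in the Secret; treat the state backend as sensitive.
resource "kubernetes_secret" "postgres-backup-bucket" {
  for_each = local.pg_namespaces

  metadata {
    name      = "postgres-backups-bucket"
    namespace = each.key
    # The cnpg.io/reload label suggests the consumer is CloudNativePG, which
    # reloads on Secret changes (e.g. key rotation) — confirm with the
    # cluster definitions.
    labels = {
      "cnpg.io/reload" : "true",
    }
  }

  # Bare references instead of "${...}" wrappers: interpolation-only strings
  # are deprecated in Terraform 0.12+ and produce warnings on plan.
  data = {
    ACCESS_KEY_ID     = b2_application_key.postgres-backup-keys[each.key].application_key_id
    SECRET_ACCESS_KEY = b2_application_key.postgres-backup-keys[each.key].application_key
  }
}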