From 83ca1d3140c87fb3be0e32ecf94a9345e03edb37 Mon Sep 17 00:00:00 2001 From: Gerrit Date: Wed, 23 Oct 2024 13:57:07 +0200 Subject: [PATCH] Provide configuration option to encrypt backup-restore-sidecar backups. --- .../auditing-meili/defaults/main/main.yaml | 1 + .../roles/auditing-meili/tasks/main.yaml | 1 + .../roles/headscale/defaults/main/db.yaml | 1 + control-plane/roles/headscale/tasks/main.yaml | 1 + .../roles/ipam-db/defaults/main/main.yaml | 1 + control-plane/roles/ipam-db/tasks/main.yaml | 2 +- .../masterdata-db/defaults/main/main.yaml | 1 + .../roles/masterdata-db/tasks/main.yaml | 1 + .../roles/meili-backup-restore/README.md | 50 ++++++------- .../defaults/main/main.yaml | 1 + .../roles/meili-backup-restore/tasks/main.yml | 1 + .../templates/meilisearch.yaml | 3 + .../roles/metal-db/defaults/main/main.yaml | 1 + control-plane/roles/metal-db/tasks/main.yaml | 1 + .../roles/postgres-backup-restore/README.md | 71 ++++++++++--------- .../defaults/main/main.yaml | 1 + .../postgres-backup-restore/tasks/main.yml | 1 + .../templates/postgres.yaml | 3 + .../roles/rethinkdb-backup-restore/README.md | 53 +++++++------- .../defaults/main/main.yaml | 1 + .../rethinkdb-backup-restore/tasks/main.yml | 1 + .../templates/rethinkdb.yaml | 3 + 22 files changed, 114 insertions(+), 86 deletions(-) diff --git a/control-plane/roles/auditing-meili/defaults/main/main.yaml b/control-plane/roles/auditing-meili/defaults/main/main.yaml index a1dd1713..2dab145f 100644 --- a/control-plane/roles/auditing-meili/defaults/main/main.yaml +++ b/control-plane/roles/auditing-meili/defaults/main/main.yaml @@ -17,6 +17,7 @@ auditing_meili_backup_restore_sidecar_backup_cron_schedule: "0 * * * *" auditing_meili_backup_restore_sidecar_log_level: debug auditing_meili_backup_restore_sidecar_object_prefix: "{{ auditing_meili_name }}-{{ metal_control_plane_stage_name }}" auditing_meili_backup_restore_sidecar_object_max_keep: +auditing_meili_backup_restore_sidecar_encryption_key: auditing_meili_backup_restore_sidecar_gcp_bucket_name: auditing_meili_backup_restore_sidecar_gcp_backup_location: diff --git a/control-plane/roles/auditing-meili/tasks/main.yaml b/control-plane/roles/auditing-meili/tasks/main.yaml index 1c4377a6..fe69d289 100644 --- a/control-plane/roles/auditing-meili/tasks/main.yaml +++ b/control-plane/roles/auditing-meili/tasks/main.yaml @@ -41,3 +41,4 @@ meilisearch_backup_restore_sidecar_gcp_serviceaccount_json: "{{ auditing_meili_backup_restore_sidecar_gcp_serviceaccount_json }}" meilisearch_resources: "{{ auditing_meili_resources }}" meilisearch_backup_restore_sidecar_object_max_keep: "{{ auditing_meili_backup_restore_sidecar_object_max_keep }}" + meilisearch_backup_restore_sidecar_encryption_key: "{{ auditing_meili_backup_restore_sidecar_encryption_key }}" diff --git a/control-plane/roles/headscale/defaults/main/db.yaml b/control-plane/roles/headscale/defaults/main/db.yaml index d08fb0e6..f96f2e09 100644 --- a/control-plane/roles/headscale/defaults/main/db.yaml +++ b/control-plane/roles/headscale/defaults/main/db.yaml @@ -12,6 +12,7 @@ headscale_db_backup_restore_sidecar_provider: local headscale_db_backup_restore_sidecar_backup_cron_schedule: "0 0 * * *" headscale_db_backup_restore_sidecar_log_level: debug headscale_db_backup_restore_sidecar_object_prefix: "{{ headscale_db_name }}" +headscale_db_backup_restore_sidecar_encryption_key: headscale_db_backup_restore_sidecar_gcp_bucket_name: headscale_db_backup_restore_sidecar_gcp_backup_location: diff --git a/control-plane/roles/headscale/tasks/main.yaml b/control-plane/roles/headscale/tasks/main.yaml index 73dec327..d395e70e 100644 --- a/control-plane/roles/headscale/tasks/main.yaml +++ b/control-plane/roles/headscale/tasks/main.yaml @@ -50,6 +50,7 @@ postgres_backup_restore_sidecar_gcp_backup_location: "{{ headscale_db_backup_restore_sidecar_gcp_backup_location }}" postgres_backup_restore_sidecar_gcp_project_id: "{{ headscale_db_backup_restore_sidecar_gcp_project_id }}" postgres_backup_restore_sidecar_gcp_serviceaccount_json: "{{ headscale_db_backup_restore_sidecar_gcp_serviceaccount_json }}" + postgres_backup_restore_sidecar_encryption_key: "{{ headscale_db_backup_restore_sidecar_encryption_key }}" postgres_resources: "{{ headscale_db_resources }}" - name: Deploy headscale diff --git a/control-plane/roles/ipam-db/defaults/main/main.yaml b/control-plane/roles/ipam-db/defaults/main/main.yaml index a304e7b9..b5134a94 100644 --- a/control-plane/roles/ipam-db/defaults/main/main.yaml +++ b/control-plane/roles/ipam-db/defaults/main/main.yaml @@ -17,6 +17,7 @@ ipam_db_backup_restore_sidecar_backup_cron_schedule: "*/3 * * * *" ipam_db_backup_restore_sidecar_log_level: debug ipam_db_backup_restore_sidecar_object_prefix: "{{ ipam_db_name }}-{{ metal_control_plane_stage_name }}" ipam_db_backup_restore_sidecar_object_max_keep: +ipam_db_backup_restore_sidecar_encryption_key: ipam_db_backup_restore_sidecar_gcp_bucket_name: ipam_db_backup_restore_sidecar_gcp_backup_location: diff --git a/control-plane/roles/ipam-db/tasks/main.yaml b/control-plane/roles/ipam-db/tasks/main.yaml index ac77cf2c..23b068f6 100644 --- a/control-plane/roles/ipam-db/tasks/main.yaml +++ b/control-plane/roles/ipam-db/tasks/main.yaml @@ -42,4 +42,4 @@ postgres_backup_restore_sidecar_gcp_serviceaccount_json: "{{ ipam_db_backup_restore_sidecar_gcp_serviceaccount_json }}" postgres_resources: "{{ ipam_db_resources }}" postgres_backup_restore_sidecar_object_max_keep: "{{ ipam_db_backup_restore_sidecar_object_max_keep }}" - + postgres_backup_restore_sidecar_encryption_key: "{{ ipam_db_backup_restore_sidecar_encryption_key }}" diff --git a/control-plane/roles/masterdata-db/defaults/main/main.yaml b/control-plane/roles/masterdata-db/defaults/main/main.yaml index 1e62ab0d..ccb43843 100644 --- a/control-plane/roles/masterdata-db/defaults/main/main.yaml +++ b/control-plane/roles/masterdata-db/defaults/main/main.yaml @@ -17,6 +17,7 @@ masterdata_db_backup_restore_sidecar_backup_cron_schedule: "*/3 * * * *" masterdata_db_backup_restore_sidecar_log_level: debug masterdata_db_backup_restore_sidecar_object_prefix: "{{ masterdata_db_name }}-{{ metal_control_plane_stage_name }}" masterdata_db_backup_restore_sidecar_object_max_keep: +masterdata_db_backup_restore_sidecar_encryption_key: masterdata_db_backup_restore_sidecar_gcp_bucket_name: masterdata_db_backup_restore_sidecar_gcp_backup_location: diff --git a/control-plane/roles/masterdata-db/tasks/main.yaml b/control-plane/roles/masterdata-db/tasks/main.yaml index 14def4b0..5326673b 100644 --- a/control-plane/roles/masterdata-db/tasks/main.yaml +++ b/control-plane/roles/masterdata-db/tasks/main.yaml @@ -42,3 +42,4 @@ postgres_backup_restore_sidecar_gcp_serviceaccount_json: "{{ masterdata_db_backup_restore_sidecar_gcp_serviceaccount_json }}" postgres_resources: "{{ masterdata_db_resources }}" postgres_backup_restore_sidecar_object_max_keep: "{{ masterdata_db_backup_restore_sidecar_object_max_keep }}" + postgres_backup_restore_sidecar_encryption_key: "{{ masterdata_db_backup_restore_sidecar_encryption_key }}" diff --git a/control-plane/roles/meili-backup-restore/README.md b/control-plane/roles/meili-backup-restore/README.md index 7ee81d4e..965ab6a5 100644 --- a/control-plane/roles/meili-backup-restore/README.md +++ b/control-plane/roles/meili-backup-restore/README.md @@ -8,27 +8,29 @@ This role uses variables from [control-plane-defaults](/control-plane). So, make You can look up all the default values of this role [here](defaults/main/main.yaml). -| Name | Mandatory | Description | -| ---------------------------------------------------------- | --------- | ----------------------------------------------------------------------- | -| meilisearch_image_name | yes | Image version of the meilisearch | -| meilisearch_image_tag | yes | Image tag of the meilisearch | -| meilisearch_registry_auth_enabled | | Enables registry authentication | -| meilisearch_registry_auth | | The dockerconfigjson content used for registry authentication | -| meilisearch_image_pull_policy | | Image pull policy (defaults to IfNotPresent) | -| meilisearch_name | | The name of the meilisearch instance | -| meilisearch_namespace | | The deployment's target namespace | -| meilisearch_storage_size | | The size of the PVC | -| meilisearch_storage_class | | The storage class of the PVC | -| meilisearch_api_key | | The api key for meilisearch | -| meilisearch_environment | | Sets the environment configuration for meilisearch | -| meilisearch_no_analytics | | Sets the no analytics configuration for meilisearch | -| meilisearch_backup_restore_sidecar_image_name | yes | Image version of the backup-restore-sidecar | -| meilisearch_backup_restore_sidecar_image_tag | yes | Image tag of the backup-restore-sidecar | -| meilisearch_backup_restore_sidecar_provider | | The backup provider | -| meilisearch_backup_restore_sidecar_backup_cron_schedule | | The backup cron schedule | -| meilisearch_backup_restore_sidecar_log_level | | The log level of the sidecar | -| meilisearch_backup_restore_sidecar_gcp_bucket_name | | Bucket name of the GCP bucket | -| meilisearch_backup_restore_sidecar_gcp_backup_location | | Location of the GCP bucket | -| meilisearch_backup_restore_sidecar_gcp_project_id | | GCP project name | -| meilisearch_backup_restore_sidecar_gcp_serviceaccount_json | | GCP Serviceaccount JSON string (service account requires bucket access) | -| meilisearch_resources | | The kubernetes resources for the actual meilisearch container | +| Name | Mandatory | Description | +| ---------------------------------------------------------- | --------- | ----------------------------------------------------------------------------------------------------------------- | +| meilisearch_image_name | yes | Image version of the meilisearch | +| meilisearch_image_tag | yes | Image tag of the meilisearch | +| meilisearch_registry_auth_enabled | | Enables registry authentication | +| meilisearch_registry_auth | | The dockerconfigjson content used for registry authentication | +| meilisearch_image_pull_policy | | Image pull policy (defaults to IfNotPresent) | +| meilisearch_name | | The name of the meilisearch instance | +| meilisearch_namespace | | The deployment's target namespace | +| meilisearch_storage_size | | The size of the PVC | +| meilisearch_storage_class | | The storage class of the PVC | +| meilisearch_api_key | | The api key for meilisearch | +| meilisearch_environment | | Sets the environment configuration for meilisearch | +| meilisearch_no_analytics | | Sets the no analytics configuration for meilisearch | +| meilisearch_backup_restore_sidecar_image_name | yes | Image version of the backup-restore-sidecar | +| meilisearch_backup_restore_sidecar_image_tag | yes | Image tag of the backup-restore-sidecar | +| meilisearch_backup_restore_sidecar_provider | | The backup provider | +| meilisearch_backup_restore_sidecar_backup_cron_schedule | | The backup cron schedule | +| meilisearch_backup_restore_sidecar_log_level | | The log level of the sidecar | +| meilisearch_backup_restore_sidecar_gcp_bucket_name | | Bucket name of the GCP bucket | +| meilisearch_backup_restore_sidecar_gcp_backup_location | | Location of the GCP bucket | +| meilisearch_backup_restore_sidecar_gcp_project_id | | GCP project name | +| meilisearch_backup_restore_sidecar_gcp_serviceaccount_json | | GCP Serviceaccount JSON string (service account requires bucket access) | +| meilisearch_resources | | The kubernetes resources for the actual meilisearch container | +| meilisearch_backup_restore_sidecar_object_max_keep | | The number of objects to keep at the cloud provider bucket | +| meilisearch_backup_restore_sidecar_encryption_key | | An optional encryption key to AES-encrypt the backups before uploading them to the backup provider (length == 32) | diff --git a/control-plane/roles/meili-backup-restore/defaults/main/main.yaml b/control-plane/roles/meili-backup-restore/defaults/main/main.yaml index e3600ec9..16fa8567 100644 --- a/control-plane/roles/meili-backup-restore/defaults/main/main.yaml +++ b/control-plane/roles/meili-backup-restore/defaults/main/main.yaml @@ -17,6 +17,7 @@ meilisearch_backup_restore_sidecar_backup_cron_schedule: "0 * * * *" meilisearch_backup_restore_sidecar_log_level: debug meilisearch_backup_restore_sidecar_object_prefix: "{{ meilisearch_name }}-{{ metal_control_plane_stage_name }}" meilisearch_backup_restore_sidecar_object_max_keep: +meilisearch_backup_restore_sidecar_encryption_key: meilisearch_backup_restore_sidecar_gcp_bucket_name: meilisearch_backup_restore_sidecar_gcp_backup_location: diff --git a/control-plane/roles/meili-backup-restore/tasks/main.yml b/control-plane/roles/meili-backup-restore/tasks/main.yml index 92a064e2..3db47b4a 100644 --- a/control-plane/roles/meili-backup-restore/tasks/main.yml +++ b/control-plane/roles/meili-backup-restore/tasks/main.yml @@ -11,6 +11,7 @@ - meilisearch_image_tag is defined - meilisearch_backup_restore_sidecar_image_name is defined - meilisearch_backup_restore_sidecar_image_tag is defined + - meilisearch_backup_restore_sidecar_encryption_key is none or meilisearch_backup_restore_sidecar_encryption_key | length == 32 - name: Deploy meilisearch (backup-restore) k8s: diff --git a/control-plane/roles/meili-backup-restore/templates/meilisearch.yaml b/control-plane/roles/meili-backup-restore/templates/meilisearch.yaml index d100275b..49067dc4 100644 --- a/control-plane/roles/meili-backup-restore/templates/meilisearch.yaml +++ b/control-plane/roles/meili-backup-restore/templates/meilisearch.yaml @@ -231,6 +231,9 @@ data: compression-method: targz {% if meilisearch_backup_restore_sidecar_object_max_keep %} object-max-keep: {{ meilisearch_backup_restore_sidecar_object_max_keep }} +{% endif %} +{% if meilisearch_backup_restore_sidecar_encryption_key %} + encryption-key: {{ meilisearch_backup_restore_sidecar_encryption_key }} {% endif %} post-exec-cmds: - meilisearch --db-path=/data/data.ms/ --dump-dir=/backup/upload/files diff --git a/control-plane/roles/metal-db/defaults/main/main.yaml b/control-plane/roles/metal-db/defaults/main/main.yaml index 90219a82..b7ee9ef0 100644 --- a/control-plane/roles/metal-db/defaults/main/main.yaml +++ b/control-plane/roles/metal-db/defaults/main/main.yaml @@ -14,6 +14,7 @@ metal_db_backup_restore_sidecar_backup_cron_schedule: "*/3 * * * *" metal_db_backup_restore_sidecar_log_level: debug metal_db_backup_restore_sidecar_object_max_keep: +metal_db_backup_restore_sidecar_encryption_key: metal_db_backup_restore_sidecar_gcp_bucket_name: metal_db_backup_restore_sidecar_gcp_backup_location: diff --git a/control-plane/roles/metal-db/tasks/main.yaml b/control-plane/roles/metal-db/tasks/main.yaml index 3a121a41..5381ef1f 100644 --- a/control-plane/roles/metal-db/tasks/main.yaml +++ b/control-plane/roles/metal-db/tasks/main.yaml @@ -40,3 +40,4 @@ rethinkdb_ingress_dns: "{{ metal_db_ingress_dns }}" rethinkdb_resources: "{{ metal_db_resources }}" rethinkdb_backup_restore_sidecar_object_max_keep: "{{ metal_db_backup_restore_sidecar_object_max_keep }}" + rethinkdb_backup_restore_sidecar_encryption_key: "{{ metal_db_backup_restore_sidecar_encryption_key }}" diff --git a/control-plane/roles/postgres-backup-restore/README.md b/control-plane/roles/postgres-backup-restore/README.md index 6640b69e..4c6ab642 100644 --- a/control-plane/roles/postgres-backup-restore/README.md +++ b/control-plane/roles/postgres-backup-restore/README.md @@ -8,38 +8,39 @@ This role uses variables from [control-plane-defaults](/control-plane). So, make You can look up all the default values of this role [here](defaults/main/main.yaml). -| Name | Mandatory | Description | -| ------------------------------------------------------- | --------- | ------------------------------------------------------------------------ | -| postgres_image_name | yes | Image version of the postgres | -| postgres_image_tag | yes | Image tag of the postgres | -| postgres_registry_auth_enabled | | Enables registry authentication | -| postgres_registry_auth | | The dockerconfigjson content used for registry authentication | -| postgres_image_pull_policy | | Image pull policy (defaults to IfNotPresent) | -| postgres_name | | The name of the postgres instance | -| postgres_namespace | | The deployment's target namespace | -| postgres_storage_size | | The size of the PVC | -| postgres_storage_class | | The storage class of the PVC | -| postgres_db | | The name of the database | -| postgres_user | | The user of the postgres database | -| postgres_password | | The password of the postgres database | -| postgres_max_connections | | The amount of max. connections possible, defaults to 100 | -| postgres_backup_restore_sidecar_image_name | yes | Image version of the backup-restore-sidecar | -| postgres_backup_restore_sidecar_image_tag | yes | Image tag of the backup-restore-sidecar | -| postgres_backup_restore_sidecar_provider | | The backup provider | -| postgres_backup_restore_sidecar_backup_cron_schedule | | The backup cron schedule | -| postgres_backup_restore_sidecar_log_level | | The log level of the sidecar | -| postgres_backup_restore_sidecar_gcp_bucket_name | | Bucket name of the GCP bucket | -| postgres_backup_restore_sidecar_gcp_backup_location | | Location of the GCP bucket | -| postgres_backup_restore_sidecar_gcp_project_id | | GCP project name | -| postgres_backup_restore_sidecar_gcp_serviceaccount_json | | GCP Serviceaccount JSON string (service account requires bucket access) | -| postgres_expose_frontend | | Exposes the postgres over ingress (only use for dev environments) | -| postgres_ingress_dns | | The virtual host to reach the postgres frontend when exposed via ingress | -| postgres_resources | | The kubernetes resources for the actual postgres container | -| postgres_backup_restore_sidecar_image_pull_policy | | Image pull policy (defaults to IfNotPresent) | -| postgres_shared_libraries_preload | | Allows setting shared libraries preload configuration | -| postgres_shared_buffers | | Allows setting shared buffer size | -| postgres_maintenance_work_mem | | Allows setting maintenance work memory | -| postgres_work_mem | | Allows setting work memory | -| postgres_effective_cache_size | | Allows setting effective cache size | -| postgres_backup_restore_sidecar_object_prefix | | The prefix to store the object in the cloud provider bucket | -| postgres_backup_restore_sidecar_object_max_keep | | The number of objects to keep at the cloud provider bucket | +| Name | Mandatory | Description | +| ------------------------------------------------------- | --------- | ----------------------------------------------------------------------------------------------------------------- | +| postgres_image_name | yes | Image version of the postgres | +| postgres_image_tag | yes | Image tag of the postgres | +| postgres_registry_auth_enabled | | Enables registry authentication | +| postgres_registry_auth | | The dockerconfigjson content used for registry authentication | +| postgres_image_pull_policy | | Image pull policy (defaults to IfNotPresent) | +| postgres_name | | The name of the postgres instance | +| postgres_namespace | | The deployment's target namespace | +| postgres_storage_size | | The size of the PVC | +| postgres_storage_class | | The storage class of the PVC | +| postgres_db | | The name of the database | +| postgres_user | | The user of the postgres database | +| postgres_password | | The password of the postgres database | +| postgres_max_connections | | The amount of max. connections possible, defaults to 100 | +| postgres_backup_restore_sidecar_image_name | yes | Image version of the backup-restore-sidecar | +| postgres_backup_restore_sidecar_image_tag | yes | Image tag of the backup-restore-sidecar | +| postgres_backup_restore_sidecar_provider | | The backup provider | +| postgres_backup_restore_sidecar_backup_cron_schedule | | The backup cron schedule | +| postgres_backup_restore_sidecar_log_level | | The log level of the sidecar | +| postgres_backup_restore_sidecar_gcp_bucket_name | | Bucket name of the GCP bucket | +| postgres_backup_restore_sidecar_gcp_backup_location | | Location of the GCP bucket | +| postgres_backup_restore_sidecar_gcp_project_id | | GCP project name | +| postgres_backup_restore_sidecar_gcp_serviceaccount_json | | GCP Serviceaccount JSON string (service account requires bucket access) | +| postgres_expose_frontend | | Exposes the postgres over ingress (only use for dev environments) | +| postgres_ingress_dns | | The virtual host to reach the postgres frontend when exposed via ingress | +| postgres_resources | | The kubernetes resources for the actual postgres container | +| postgres_backup_restore_sidecar_image_pull_policy | | Image pull policy (defaults to IfNotPresent) | +| postgres_shared_libraries_preload | | Allows setting shared libraries preload configuration | +| postgres_shared_buffers | | Allows setting shared buffer size | +| postgres_maintenance_work_mem | | Allows setting maintenance work memory | +| postgres_work_mem | | Allows setting work memory | +| postgres_effective_cache_size | | Allows setting effective cache size | +| postgres_backup_restore_sidecar_object_prefix | | The prefix to store the object in the cloud provider bucket | +| postgres_backup_restore_sidecar_object_max_keep | | The number of objects to keep at the cloud provider bucket | +| postgres_backup_restore_sidecar_encryption_key | | An optional encryption key to AES-encrypt the backups before uploading them to the backup provider (length == 32) | diff --git a/control-plane/roles/postgres-backup-restore/defaults/main/main.yaml b/control-plane/roles/postgres-backup-restore/defaults/main/main.yaml index df0fc6a9..ac7b9084 100644 --- a/control-plane/roles/postgres-backup-restore/defaults/main/main.yaml +++ b/control-plane/roles/postgres-backup-restore/defaults/main/main.yaml @@ -23,6 +23,7 @@ postgres_backup_restore_sidecar_backup_cron_schedule: "*/3 * * * *" postgres_backup_restore_sidecar_log_level: debug postgres_backup_restore_sidecar_object_prefix: "{{ postgres_name }}-{{ metal_control_plane_stage_name }}" postgres_backup_restore_sidecar_object_max_keep: +postgres_backup_restore_sidecar_encryption_key: postgres_backup_restore_sidecar_gcp_bucket_name: postgres_backup_restore_sidecar_gcp_backup_location: diff --git a/control-plane/roles/postgres-backup-restore/tasks/main.yml b/control-plane/roles/postgres-backup-restore/tasks/main.yml index 8cea859f..3cb86531 100644 --- a/control-plane/roles/postgres-backup-restore/tasks/main.yml +++ b/control-plane/roles/postgres-backup-restore/tasks/main.yml @@ -11,6 +11,7 @@ - postgres_image_tag is defined - postgres_backup_restore_sidecar_image_name is defined - postgres_backup_restore_sidecar_image_tag is defined + - postgres_backup_restore_sidecar_encryption_key is none or postgres_backup_restore_sidecar_encryption_key | length == 32 - name: Deploy postgres (backup-restore) k8s: diff --git a/control-plane/roles/postgres-backup-restore/templates/postgres.yaml b/control-plane/roles/postgres-backup-restore/templates/postgres.yaml index 566a8325..a6b1e464 100644 --- a/control-plane/roles/postgres-backup-restore/templates/postgres.yaml +++ b/control-plane/roles/postgres-backup-restore/templates/postgres.yaml @@ -240,6 +240,9 @@ data: compression-method: targz {% if postgres_backup_restore_sidecar_object_max_keep %} object-max-keep: {{ postgres_backup_restore_sidecar_object_max_keep }} +{% endif %} +{% if postgres_backup_restore_sidecar_encryption_key %} + encryption-key: {{ postgres_backup_restore_sidecar_encryption_key }} {% endif %} post-exec-cmds: - docker-entrypoint.sh postgres {% if postgres_shared_libraries_preload %} -c shared_preload_libraries={{ postgres_shared_libraries_preload | join(',') }}{% endif %}{% if postgres_maintenance_work_mem %} -c maintenance_work_mem={{ postgres_maintenance_work_mem }}{% endif %}{% if postgres_shared_buffers %} -c shared_buffers={{ postgres_shared_buffers }}{% endif %}{% if postgres_effective_cache_size %} -c effective_cache_size={{ postgres_effective_cache_size }}{% endif %}{% if postgres_work_mem %} -c work_mem={{ postgres_work_mem }}{% endif %} -c max_connections={{ postgres_max_connections }} diff --git a/control-plane/roles/rethinkdb-backup-restore/README.md b/control-plane/roles/rethinkdb-backup-restore/README.md index 2147d214..5fef449b 100644 --- a/control-plane/roles/rethinkdb-backup-restore/README.md +++ b/control-plane/roles/rethinkdb-backup-restore/README.md @@ -8,29 +8,30 @@ This role uses variables from [control-plane-defaults](/control-plane). So, make You can look up all the default values of this role [here](defaults/main/main.yaml). -| Name | Mandatory | Description | -| -------------------------------------------------------- | --------- | ------------------------------------------------------------------------- | -| rethinkdb_image_name | yes | Image version of the rethinkdb | -| rethinkdb_image_tag | yes | Image tag of the rethinkdb | -| rethinkdb_registry_auth_enabled | | Enables registry authentication | -| rethinkdb_registry_auth | | The dockerconfigjson content used for registry authentication | -| rethinkdb_image_pull_policy | yes | Image pull policy (defaults to IfNotPresent) | -| rethinkdb_name | | The name of the rethinkdb instance | -| rethinkdb_namespace | | The deployment's target namespace | -| rethinkdb_storage_size | | The size of the PVC | -| rethinkdb_storage_class | | The storage class of the PVC | -| rethinkdb_password | | The password of the rethinkdb | -| rethinkdb_backup_restore_sidecar_image_name | yes | Image version of the backup-restore-sidecar | -| rethinkdb_backup_restore_sidecar_image_tag | yes | Image tag of the backup-restore-sidecar | -| rethinkdb_backup_restore_sidecar_provider | | The backup provider | -| rethinkdb_backup_restore_sidecar_backup_cron_schedule | | The backup cron schedule | -| rethinkdb_backup_restore_sidecar_log_level | | The log level of the sidecar | -| rethinkdb_backup_restore_sidecar_gcp_bucket_name | | Bucket name of the GCP bucket | -| rethinkdb_backup_restore_sidecar_gcp_backup_location | | Location of the GCP bucket | -| rethinkdb_backup_restore_sidecar_gcp_project_id | | GCP project name | -| rethinkdb_backup_restore_sidecar_gcp_serviceaccount_json | | GCP Serviceaccount JSON string (service account requires bucket access) | -| rethinkdb_expose_frontend | | Exposes the rethinkdb over ingress (only use for dev environments) | -| rethinkdb_ingress_dns | | The virtual host to reach the rethinkdb frontend when exposed via ingress | -| rethinkdb_resources | | The kubernetes resources for the actual rethinkdb container | -| rethinkdb_backup_restore_sidecar_image_pull_policy | | Image pull policy (defaults to IfNotPresent) | -| rethinkdb_backup_restore_sidecar_object_max_keep | | The number of objects to keep at the cloud provider bucket | +| Name | Mandatory | Description | +| -------------------------------------------------------- | --------- | ----------------------------------------------------------------------------------------------------------------- | +| rethinkdb_image_name | yes | Image version of the rethinkdb | +| rethinkdb_image_tag | yes | Image tag of the rethinkdb | +| rethinkdb_registry_auth_enabled | | Enables registry authentication | +| rethinkdb_registry_auth | | The dockerconfigjson content used for registry authentication | +| rethinkdb_image_pull_policy | yes | Image pull policy (defaults to IfNotPresent) | +| rethinkdb_name | | The name of the rethinkdb instance | +| rethinkdb_namespace | | The deployment's target namespace | +| rethinkdb_storage_size | | The size of the PVC | +| rethinkdb_storage_class | | The storage class of the PVC | +| rethinkdb_password | | The password of the rethinkdb | +| rethinkdb_backup_restore_sidecar_image_name | yes | Image version of the backup-restore-sidecar | +| rethinkdb_backup_restore_sidecar_image_tag | yes | Image tag of the backup-restore-sidecar | +| rethinkdb_backup_restore_sidecar_provider | | The backup provider | +| rethinkdb_backup_restore_sidecar_backup_cron_schedule | | The backup cron schedule | +| rethinkdb_backup_restore_sidecar_log_level | | The log level of the sidecar | +| rethinkdb_backup_restore_sidecar_gcp_bucket_name | | Bucket name of the GCP bucket | +| rethinkdb_backup_restore_sidecar_gcp_backup_location | | Location of the GCP bucket | +| rethinkdb_backup_restore_sidecar_gcp_project_id | | GCP project name | +| rethinkdb_backup_restore_sidecar_gcp_serviceaccount_json | | GCP Serviceaccount JSON string (service account requires bucket access) | +| rethinkdb_expose_frontend | | Exposes the rethinkdb over ingress (only use for dev environments) | +| rethinkdb_ingress_dns | | The virtual host to reach the rethinkdb frontend when exposed via ingress | +| rethinkdb_resources | | The kubernetes resources for the actual rethinkdb container | +| rethinkdb_backup_restore_sidecar_image_pull_policy | | Image pull policy (defaults to IfNotPresent) | +| rethinkdb_backup_restore_sidecar_object_max_keep | | The number of objects to keep at the cloud provider bucket | +| rethinkdb_backup_restore_sidecar_encryption_key | | An optional encryption key to AES-encrypt the backups before uploading them to the backup provider (length == 32) | diff --git a/control-plane/roles/rethinkdb-backup-restore/defaults/main/main.yaml b/control-plane/roles/rethinkdb-backup-restore/defaults/main/main.yaml index 6a30a1d5..852d536b 100644 --- a/control-plane/roles/rethinkdb-backup-restore/defaults/main/main.yaml +++ b/control-plane/roles/rethinkdb-backup-restore/defaults/main/main.yaml @@ -19,6 +19,7 @@ rethinkdb_backup_restore_sidecar_gcp_project_id: rethinkdb_backup_restore_sidecar_gcp_serviceaccount_json: rethinkdb_backup_restore_sidecar_object_max_keep: +rethinkdb_backup_restore_sidecar_encryption_key: rethinkdb_expose_frontend: no rethinkdb_ingress_dns: rethinkdb.{{ metal_control_plane_ingress_dns }} diff --git a/control-plane/roles/rethinkdb-backup-restore/tasks/main.yml b/control-plane/roles/rethinkdb-backup-restore/tasks/main.yml index ad7bf3f7..dff0c699 100644 --- a/control-plane/roles/rethinkdb-backup-restore/tasks/main.yml +++ b/control-plane/roles/rethinkdb-backup-restore/tasks/main.yml @@ -11,6 +11,7 @@ - rethinkdb_image_tag is defined - rethinkdb_backup_restore_sidecar_image_name is defined - rethinkdb_backup_restore_sidecar_image_tag is defined + - rethinkdb_backup_restore_sidecar_encryption_key is none or rethinkdb_backup_restore_sidecar_encryption_key | length == 32 - name: Check mandatory variables for this role are set assert: diff --git a/control-plane/roles/rethinkdb-backup-restore/templates/rethinkdb.yaml b/control-plane/roles/rethinkdb-backup-restore/templates/rethinkdb.yaml index 035a4289..ab0c7fa1 100644 --- a/control-plane/roles/rethinkdb-backup-restore/templates/rethinkdb.yaml +++ b/control-plane/roles/rethinkdb-backup-restore/templates/rethinkdb.yaml @@ -191,6 +191,9 @@ data: {% if rethinkdb_backup_restore_sidecar_object_max_keep %} object-max-keep: {{ rethinkdb_backup_restore_sidecar_object_max_keep }} {% endif %} +{% if rethinkdb_backup_restore_sidecar_encryption_key %} + encryption-key: {{ rethinkdb_backup_restore_sidecar_encryption_key }} +{% endif %} --- apiVersion: v1 kind: Secret