1
0
Fork 0

feat (molgenis-vault): Switch backup storage to s3.

We can host s3 compatible storage locally by deploying the stable/minio chart.
Ran into https://github.com/coreos/etcd-operator/issues/1980 and therefore downgrade the backup and restore operator images to 0.8.3.
This commit is contained in:
Fleur Kelpin 2018-09-17 00:27:50 +02:00
parent 16f2701fd2
commit 3162da416f
10 changed files with 76 additions and 46 deletions

View File

@ -2,5 +2,5 @@ apiVersion: v1
appVersion: "1.0"
description: MOLGENIS vault
name: molgenis-vault
version: 0.1.1
version: 0.2.1
icon: https://git.webhosting.rug.nl/molgenis/molgenis-ops-docker-helm/raw/master/molgenis-vault/catalogIcon-molgenis-vault.svg

View File

@ -13,21 +13,25 @@ See https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md
## Parameters
### Azure cloud credentials
Define credentials for backup to the Azure Blob Store.
See [etcd-operator documentation](https://github.com/coreos/etcd-operator/blob/master/doc/user/abs_backup.md).
Define credentials for an S3 compatible backup bucket.
See [etcd-operator documentation](https://github.com/coreos/etcd-operator/blob/master/doc/user/walkthrough/backup-operator.md).
> Default values backup to the minio play server.
You can host the stable/minio chart to backup to a bucket on the cluster.
| Parameter | Description | Default |
| --------------- | ----------------------------- | ------------------ |
| `abs.account` | name of storage account | `fdlkops` |
| `abs.accessKey` | access key of storage account | `xxxx` |
| `abs.cloud` | name of cloud environment | `AzurePublicCloud` |
| Parameter | Description | Default |
| -------------------- | ---------------------------------------- | ------------------------------------------ |
| `s3.accessKeyId` | key id storage account | `Q3AM3UQ867SPQQA43P2F` |
| `s3.secretAccessKey` | secret access key of storage account | `zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG` |
| `s3.region` | region of the storage server | `us-east-1` |
| `s3.endpoint` | endpoint for the storage server | `https://play.minio.io:9000` |
| `s3.bucket` | name of the bucket on the storage server | `vault` |
### Backup job
Define the schedule of the backup job
| Parameter | Description | Default |
| -------------------- | ---------------------------- | ------------- |
| `backupJob.enable` | Enable backup cronjob | `true` |
| `backupJob.suspend` | Suspend backup cronjob | `false` |
| `backupJob.schedule` | cron schedule for the backup | `0 12 * * 1` |
### UI

View File

@ -0,0 +1,13 @@
apiVersion: "etcd.database.coreos.com/v1beta2"
kind: "EtcdBackup"
metadata:
name: vault-backup
namespace: "vault-operator"
spec:
etcdEndpoints: ["https://vault-etcd-client:2379"]
storageType: S3
clientTLSSecret: vault-etcd-client-tls
s3:
path: vault/backup-manual
awsSecret: aws
endpoint: http://minio.minio.svc:9000

View File

@ -9,7 +9,8 @@ spec:
etcdCluster:
# The namespace is the same as this EtcdRestore CR
name: vault-etcd
backupStorageType: ABS
abs:
path: vault/backup-<specify the backup name>
absSecret: abs
backupStorageType: S3
s3:
path: vault/backup-<name>
awsSecret: aws
endpoint: http://minio.minio.svc:9000

View File

@ -3,11 +3,17 @@ Vault operator created
Next steps:
* Manually create a vault using resources/vault.yaml
* Manually restore a backup using resources/backup.yaml
* Manually restore a backup using resources/restore.yaml
* Unseal the vault pods
{{ if .Values.backupJob.enable }}
!! Make sure to check if the backups succeed !!
{{ if .Values.backupJob.suspend }}
!!!!!! BACKUP JOB SUSPENDED !!!!!!
{{ else }}
!!!!!! NO BACKUPS CONFIGURED !!!!!!
{{- if .Values.s3.endpoint -}}
Backing up to non-standard s3 endpoint {{ .Values.s3.endpoint }}
{{- else }}
Backing up to S3 on aws
{{- end }}
in bucket {{ .Values.s3.bucket }}.
!! Make sure to check if the backups succeed !!
{{ end }}

View File

@ -1,10 +0,0 @@
# Secret to access microsoft azure blob store
apiVersion: v1
kind: Secret
metadata:
name: abs
type: Opaque
stringData:
storage-account: {{ .Values.abs.account }}
storage-key: {{ .Values.abs.accessKey }}
cloud: {{ .Values.abs.cloud }}

View File

@ -0,0 +1,10 @@
# Secret to access s3 compatible store
apiVersion: v1
kind: Secret
metadata:
name: aws
type: Opaque
data:
config: {{ printf "[default]\nregion = %s" .Values.s3.region | b64enc | quote }}
credentials: {{ printf "[default]\naws_access_key_id = %s\naws_secret_access_key = %s\n" .Values.s3.accessKeyId .Values.s3.secretAccessKey | b64enc | quote }}

View File

@ -11,8 +11,11 @@ data:
generateName: vault-backup-
spec:
etcdEndpoints: ["https://vault-etcd-client:2379"]
storageType: ABS
storageType: S3
clientTLSSecret: vault-etcd-client-tls
abs:
path: vault/backup.<NOW>
absSecret: abs
s3:
path: {{ .Values.s3.bucket }}/backup.<NOW>
awsSecret: aws
{{- if .Values.s3.endpoint }}
endpoint: {{ .Values.s3.endpoint }}
{{- end }}

View File

@ -1,10 +1,10 @@
{{- if .Values.backupJob.enable }}
# cronjob that creates etcdbackups using the etcd backup serviceaccount
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: etcd-backup
spec:
suspend: {{ .Values.backupJob.suspend }}
schedule: {{ .Values.backupJob.schedule | quote }}
jobTemplate:
spec:
@ -26,5 +26,4 @@ spec:
volumes:
- name: backup-config
configMap:
name: backup-config
{{- end }}
name: backup-config

View File

@ -2,19 +2,23 @@
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# abs gives details of the credentials to reach the azure backup storage
abs:
# account is the name of the Storage account
account: fdlkops
# access key for the Storage account
accessKey: xxxx
# default cloud
cloud: AzurePublicCloud
# s3 configures s3 backup storage
s3:
# accessKey for the s3 storage account
accessKeyId: Q3AM3UQ867SPQQA43P2F
# secretAccessKey for the s3 storage account
secretAccessKey: zuf+tfteSlswRu7BJ86wekitnifILbZam1KYY3TG
# region
region: us-east-1
# endpoint for the s3 storage
endpoint: https://play.minio.io:9000
# bucket is the name of the bucket
bucket: vault
# backupjob describes the backup cronjob
backupJob:
# enable enables the backup job
enable: true
# suspend suspends the backup job
suspend: false
# schedule gives the cron schedule for the backup job
schedule: "0 12 * * 1"
@ -40,10 +44,10 @@ etcd-operator:
tag: v0.9.2
backupOperator:
image:
tag: v0.9.2
tag: v0.8.3
restoreOperator:
image:
tag: v0.9.2
tag: v0.8.3
ui:
name: "vault-ui"