Compare commits
6 Commits
1cd6e0f1db
...
dd64026d80
Author | SHA1 | Date |
---|---|---|
Fleur Kelpin | dd64026d80 | |
Fleur Kelpin | 453f0d6dd9 | |
Fleur Kelpin | a57f9c9fe4 | |
Fleur Kelpin | fdc0499d21 | |
Fleur Kelpin | 94f65b47ee | |
Fleur Kelpin | a26b90524d |
|
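--- a/README.md
+++ b/README.md
@@ -104,7 +104,8 @@ This repository is serves also as a catalogue for Rancher. We have serveral apps
 - [Jenkins](molgenis-jenkins/README.md)
 - [NEXUS](molgenis-nexus/README.md)
 - [HTTPD](molgenis-httpd/README.md)
-- [MOLNIGES preview](molgenis-preview/README.md)
+- [MOLGENIS preview](molgenis-preview/README.md)
+- [MOLGENIS vault](molgenis-vault/README.md)
 
 ### Useful commands
 
 You can you need to know to easily develop and deploy helm-charts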
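--- /dev/null
+++ b/molgenis-vault/.helmignore
@@ -0,0 +1,21 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj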
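--- /dev/null
+++ b/molgenis-vault/Chart.yaml
@@ -0,0 +1,5 @@
+apiVersion: v1
+appVersion: "1.0"
+description: MOLGENIS vault
+name: molgenis-vault
+version: 0.1.1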
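--- /dev/null
+++ b/molgenis-vault/README.md
@@ -0,0 +1,31 @@
+# MOLGENIS Vault helm chart
+
+This chart creates a vault operator, but NO vault.
+The vault operator defines a new custom resource named `vault` that you can use to create vaults.
+
+After launching the operator, create the molgenis vault manually:
+`kubectl create -f resources/vault.yaml`
+
+That creates a new vault with two vault pods.
+
+See https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md
+
+## Parameters
+
+### Azure cloud credentials
+Define credentials for backup to the Azure Blob Store.
+See [etcd-operator documentation](https://github.com/coreos/etcd-operator/blob/master/doc/user/abs_backup.md).
+
+| Parameter | Description | Default |
+| --------------- | ----------------------------- | ------------------ |
+| `abs.account` | name of storage account | `fdlkops` |
+| `abs.accessKey` | access key of storage account | `xxxx` |
+| `abs.cloud` | name of cloud environment | `AzurePublicCloud` |
+
+### Backup job
+Define the schedule of the backup job
+
+| Parameter | Description | Default |
+| -------------------- | ---------------------------- | ------------------ |
+| `backupJob.enable` | Enable backup cronjob | `true` |
+| `backupJob.schedule` | cron schedule for the backup | `0 0 0 ? * MON *` |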
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,9 @@
|
||||||
|
dependencies:
|
||||||
|
- name: vault-operator
|
||||||
|
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||||
|
version: 0.1.1
|
||||||
|
- name: etcd-operator
|
||||||
|
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||||
|
version: 0.8.0
|
||||||
|
digest: sha256:47aa645df7dfce9760905800321599de05995ae50090735d45310936dbaa46de
|
||||||
|
generated: 2018-09-06T18:59:39.861922543+02:00
|
|
@ -0,0 +1,7 @@
|
||||||
|
dependencies:
|
||||||
|
- name: vault-operator
|
||||||
|
version: ^0.1.1
|
||||||
|
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||||
|
- name: etcd-operator
|
||||||
|
version: ^0.8.0
|
||||||
|
repository: https://kubernetes-charts.storage.googleapis.com/
|
|
@ -0,0 +1,15 @@
|
||||||
|
# Use kubectl create -f restore.yaml to manually execute a restore of the vault
|
||||||
|
apiVersion: "etcd.database.coreos.com/v1beta2"
|
||||||
|
kind: "EtcdRestore"
|
||||||
|
metadata:
|
||||||
|
# The restore CR name must be the same as spec.etcdCluster.name
|
||||||
|
name: vault-etcd
|
||||||
|
namespace: vault-operator
|
||||||
|
spec:
|
||||||
|
etcdCluster:
|
||||||
|
# The namespace is the same as this EtcdRestore CR
|
||||||
|
name: vault-etcd
|
||||||
|
backupStorageType: ABS
|
||||||
|
abs:
|
||||||
|
path: vault/backup-<specify the backup name>
|
||||||
|
absSecret: abs
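Review bot: The restore path template `path: vault/backup-<specify the backup name>` does not match what the chart's backup job actually writes: the backup_cr.yaml embedded in the backup-config ConfigMap uses `path: vault/backup.<NOW>` with a dot, so an operator who follows this template literally will point the EtcdRestore at a key that never existed. Change the line to `path: vault/backup.<timestamp of the backup to restore>` so the two agree. The namespace `vault-operator` is hard-coded here and in resources/vault.yaml, while the Secret `abs` that `absSecret` names is rendered by the chart into the release namespace with no namespace of its own; that only lines up when the release is installed into `vault-operator`, which none of the added files state.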
|
|
@ -0,0 +1,9 @@
|
||||||
|
# Use kubectl create -f vault.yaml to manually create a vault
|
||||||
|
apiVersion: "vault.security.coreos.com/v1alpha1"
|
||||||
|
kind: "VaultService"
|
||||||
|
metadata:
|
||||||
|
name: "vault"
|
||||||
|
namespace: "vault-operator"
|
||||||
|
spec:
|
||||||
|
nodes: 2
|
||||||
|
version: "0.9.1-0"
|
|
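--- /dev/null
+++ b/molgenis-vault/templates/NOTES.txt
@@ -0,0 +1,13 @@
+Vault operator created
+
+Next steps:
+
+* Manually create a vault using resources/vault.yaml
+* Manually restore a backup using resources/backup.yaml
+* Unseal the vault pods
+
+{{ if .Values.backupJob.enable }}
+!! Make sure to check if the backups succeed !!
+{{ else }}
+!!!!!! NO BACKUPS CONFIGURED !!!!!!
+{{ end }}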
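Review bot: The restore step refers to a file this change does not add: `* Manually restore a backup using resources/backup.yaml`, whereas the restore manifest added in the same commit calls itself restore.yaml (its header comment reads `kubectl create -f restore.yaml`). Change the line to `* Manually restore a backup using resources/restore.yaml`. It would also help to state here that resources/vault.yaml creates the vault in namespace `vault-operator`, since the unseal and backup steps depend on that namespace.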
@ -0,0 +1,40 @@
|
||||||
|
{{/* See https://github.com/helm/helm/issues/4535 */}}
|
||||||
|
{{- define "call-nested" }}
|
||||||
|
{{- $dot := index . 0 }}
|
||||||
|
{{- $subchart := index . 1 }}
|
||||||
|
{{- $template := index . 2 }}
|
||||||
|
{{- include $template (dict "Chart" (dict "Name" $subchart) "Values" (index $dot.Values $subchart) "Release" $dot.Release "Capabilities" $dot.Capabilities) }}
|
||||||
|
{{- end }}
|
||||||
|
|
||||||
|
{{/* vim: set filetype=mustache: */}}
|
||||||
|
{{/*
|
||||||
|
Expand the name of the chart.
|
||||||
|
*/}}
|
||||||
|
{{- define "molgenis-vault.name" -}}
|
||||||
|
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create a default fully qualified app name.
|
||||||
|
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||||
|
If release name contains chart name it will be used as a full name.
|
||||||
|
*/}}
|
||||||
|
{{- define "molgenis-vault.fullname" -}}
|
||||||
|
{{- if .Values.fullnameOverride -}}
|
||||||
|
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||||
|
{{- if contains $name .Release.Name -}}
|
||||||
|
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- else -}}
|
||||||
|
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
{{- end -}}
|
||||||
|
|
||||||
|
{{/*
|
||||||
|
Create chart name and version as used by the chart label.
|
||||||
|
*/}}
|
||||||
|
{{- define "molgenis-vault.chart" -}}
|
||||||
|
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||||
|
{{- end -}}
|
|
@ -0,0 +1,10 @@
|
||||||
|
# Secret to access microsoft azure blob store
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Secret
|
||||||
|
metadata:
|
||||||
|
name: abs
|
||||||
|
type: Opaque
|
||||||
|
stringData:
|
||||||
|
storage-account: {{ .Values.abs.account }}
|
||||||
|
storage-key: {{ .Values.abs.accessKey }}
|
||||||
|
cloud: {{ .Values.abs.cloud }}
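Review bot: The three values under `stringData:` are inserted as unquoted plain scalars, so an account, key or cloud value containing `: ` or ` #`, starting with a YAML indicator, or left empty yields a malformed or null-valued Secret instead of an install error. Quote them and make the credential mandatory rather than letting the chart default (`xxxx` in values.yaml) reach the cluster: `storage-account: {{ .Values.abs.account | quote }}`, `storage-key: {{ required "abs.accessKey must be set" .Values.abs.accessKey | quote }}`, `cloud: {{ .Values.abs.cloud | quote }}`. The Secret also has the fixed name `abs`, so two releases in one namespace would collide on it; deriving the name from the release (the `molgenis-vault.fullname` helper is defined in this commit) avoids that, but the ConfigMap's EtcdBackup spec and resources/restore.yaml reference `absSecret: abs` and would need the same change.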
|
|
@ -0,0 +1,18 @@
|
||||||
|
# configmap to use as a template by the backup cronjob to create etcdbackup instances
|
||||||
|
apiVersion: v1
|
||||||
|
kind: ConfigMap
|
||||||
|
metadata:
|
||||||
|
name: backup-config
|
||||||
|
data:
|
||||||
|
backup_cr.yaml: |
|
||||||
|
apiVersion: "etcd.database.coreos.com/v1beta2"
|
||||||
|
kind: "EtcdBackup"
|
||||||
|
metadata:
|
||||||
|
generateName: vault-backup-
|
||||||
|
spec:
|
||||||
|
etcdEndpoints: ["https://vault-etcd-client:2379"]
|
||||||
|
storageType: ABS
|
||||||
|
clientTLSSecret: vault-etcd-client-tls
|
||||||
|
abs:
|
||||||
|
path: vault/backup.<NOW>
|
||||||
|
absSecret: abs
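Review bot: The embedded EtcdBackup spec hard-codes `etcdEndpoints: ["https://vault-etcd-client:2379"]` and `clientTLSSecret: vault-etcd-client-tls`, names that presumably follow from the VaultService named `vault` in resources/vault.yaml — a resource the chart itself never creates. If the vault is created under another name or namespace, every scheduled backup fails at runtime rather than at install, and nothing in the template says where these names come from. Exposing the vault name as a value (for example a `vault.name` key defaulting to `vault`) and deriving both names from it here keeps the coupling in one place; at minimum a comment above `etcdEndpoints` should note that the endpoint and TLS secret names are derived from the manually created VaultService and must be kept in sync with it.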
|
|
@ -0,0 +1,30 @@
|
||||||
|
{{- if .Values.backupJob.enable }}
|
||||||
|
# cronjob that creates etcdbackups using the etcd backup serviceaccount
|
||||||
|
apiVersion: batch/v1beta1
|
||||||
|
kind: CronJob
|
||||||
|
metadata:
|
||||||
|
name: etcd-backup
|
||||||
|
spec:
|
||||||
|
schedule: {{ .Values.backupJob.schedule | quote }}
|
||||||
|
jobTemplate:
|
||||||
|
spec:
|
||||||
|
template:
|
||||||
|
spec:
|
||||||
|
serviceAccountName: {{ include "call-nested" (list . "etcd-operator" "etcd-operator.serviceAccountName") }}
|
||||||
|
containers:
|
||||||
|
- name: etcd-backup
|
||||||
|
image: lachlanevenson/k8s-kubectl
|
||||||
|
command:
|
||||||
|
- /bin/sh
|
||||||
|
- "-ec"
|
||||||
|
- |
|
||||||
|
sed -e "s|<NOW>|$(date '+%Y-%m-%d_%H:%M:%S')|g" /var/etcd_backup/backup_cr.yaml | kubectl create -f -
|
||||||
|
volumeMounts:
|
||||||
|
- name: backup-config
|
||||||
|
mountPath: /var/etcd_backup
|
||||||
|
restartPolicy: OnFailure
|
||||||
|
volumes:
|
||||||
|
- name: backup-config
|
||||||
|
configMap:
|
||||||
|
name: backup-config
|
||||||
|
{{- end }}
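Review bot: `image: lachlanevenson/k8s-kubectl` carries no tag, so every scheduled run pulls whatever `latest` currently is from a third-party registry; an unattended backup job should pin a tag or digest, `image: lachlanevenson/k8s-kubectl:<pinned tag or @sha256 digest>`, and ideally take the reference from values so it can be pointed at a mirror. The comment at the top of the hunk says the job runs "using the etcd backup serviceaccount", but the include resolves `etcd-operator.serviceAccountName`, which by its name is the operator's own account; a job whose only action is `kubectl create` of EtcdBackup objects is better served by a dedicated ServiceAccount bound to a Role limited to `create` on `etcdbackups` in `etcd.database.coreos.com`. Consider also `concurrencyPolicy: Forbid` and a `successfulJobsHistoryLimit` on the CronJob spec so overlapping or accumulating backup jobs stay bounded.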
|
|
@ -0,0 +1,47 @@
|
||||||
|
# Default values for molgenis-vault.
|
||||||
|
# This is a YAML-formatted file.
|
||||||
|
# Declare variables to be passed into your templates.
|
||||||
|
|
||||||
|
# abs gives details of the credentials to reach the azure backup storage
|
||||||
|
abs:
|
||||||
|
# account is the name of the Storage account
|
||||||
|
account: fdlkops
|
||||||
|
# access key for the Storage account
|
||||||
|
accessKey: xxxx
|
||||||
|
# default cloud
|
||||||
|
cloud: AzurePublicCloud
|
||||||
|
|
||||||
|
# backupjob describes the backup cronjob
|
||||||
|
backupJob:
|
||||||
|
# enable enables the backup job
|
||||||
|
enable: true
|
||||||
|
# schedule gives the cron schedule for the backup job
|
||||||
|
schedule: "0 0 0 ? * MON *"
|
||||||
|
|
||||||
|
###
|
||||||
|
# All of the config variables related to setting up the etcd-operator
|
||||||
|
# If you want more information about the variables exposed, please visit:
|
||||||
|
# https://github.com/kubernetes/charts/tree/master/stable/etcd-operator#configuration
|
||||||
|
###
|
||||||
|
etcd-operator:
|
||||||
|
deployments:
|
||||||
|
etcdOperator: true
|
||||||
|
backupOperator: true
|
||||||
|
restoreOperator: true
|
||||||
|
serviceAccount:
|
||||||
|
etcdOperatorServiceAccount:
|
||||||
|
create: true
|
||||||
|
backupOperatorServiceAccount:
|
||||||
|
create: true
|
||||||
|
restoreOperatorServiceAccount:
|
||||||
|
create: true
|
||||||
|
etcdOperator:
|
||||||
|
image:
|
||||||
|
tag: v0.9.2
|
||||||
|
backupOperator:
|
||||||
|
image:
|
||||||
|
tag: v0.9.2
|
||||||
|
restoreOperator:
|
||||||
|
image:
|
||||||
|
tag: v0.9.2
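Review bot: `schedule: "0 0 0 ? * MON *"` is a seven-field Quartz-style expression, but the CronJob template passes it straight into `spec.schedule`, which Kubernetes validates as a standard five-field cron string; as far as I can tell the API server will reject the CronJob at install time, and the chart README documents the same default. A weekly Monday-midnight run in five-field form is `schedule: "0 0 * * 1"` — worth confirming against the cluster version in use. The `abs` defaults also deserve attention: `account: fdlkops` reads like a real storage account name committed as a chart default, and `accessKey: xxxx` is a placeholder the Secret template will render as-is; empty defaults (`account: ""`, `accessKey: ""`) combined with the template insisting they are set make a forgotten override fail at install instead of producing a backup job that cannot authenticate.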
|
||||||
|
|
|
@ -1,18 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: ServiceAccount
|
|
||||||
metadata:
|
|
||||||
name: tiller
|
|
||||||
namespace: kube-system
|
|
||||||
---
|
|
||||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
|
||||||
kind: ClusterRoleBinding
|
|
||||||
metadata:
|
|
||||||
name: tiller
|
|
||||||
roleRef:
|
|
||||||
apiGroup: rbac.authorization.k8s.io
|
|
||||||
kind: ClusterRole
|
|
||||||
name: cluster-admin
|
|
||||||
subjects:
|
|
||||||
- kind: ServiceAccount
|
|
||||||
name: tiller
|
|
||||||
namespace: kube-system
|
|