6 Commits
dd64026d80
...
1cd6e0f1db
Author | SHA1 | Date |
---|---|---|
Fleur Kelpin | 1cd6e0f1db | |
Fleur Kelpin | 49be7be93e | |
Fleur Kelpin | ca939363f8 | |
Fleur Kelpin | 7df68882b6 | |
Fleur Kelpin | 4683bd6649 | |
Fleur Kelpin | 9f62298243 |
|
@ -104,7 +104,8 @@ This repository is serves also as a catalogue for Rancher. We have serveral apps
|
|||
- [Jenkins](molgenis-jenkins/README.md)
|
||||
- [NEXUS](molgenis-nexus/README.md)
|
||||
- [HTTPD](molgenis-httpd/README.md)
|
||||
- [MOLNIGES preview](molgenis-preview/README.md)
|
||||
- [MOLGENIS preview](molgenis-preview/README.md)
|
||||
- [MOLGENIS vault](molgenis-vault/README.md)
|
||||
|
||||
### Useful commands
|
||||
You can you need to know to easily develop and deploy helm-charts
|
||||
|
|
|
@ -0,0 +1,21 @@
|
|||
# Patterns to ignore when building packages.
|
||||
# This supports shell glob matching, relative path matching, and
|
||||
# negation (prefixed with !). Only one pattern per line.
|
||||
.DS_Store
|
||||
# Common VCS dirs
|
||||
.git/
|
||||
.gitignore
|
||||
.bzr/
|
||||
.bzrignore
|
||||
.hg/
|
||||
.hgignore
|
||||
.svn/
|
||||
# Common backup files
|
||||
*.swp
|
||||
*.bak
|
||||
*.tmp
|
||||
*~
|
||||
# Various IDEs
|
||||
.project
|
||||
.idea/
|
||||
*.tmproj
|
|
@ -0,0 +1,5 @@
|
|||
apiVersion: v1
|
||||
appVersion: "1.0"
|
||||
description: MOLGENIS vault
|
||||
name: molgenis-vault
|
||||
version: 0.1.1
|
|
@ -0,0 +1,31 @@
|
|||
# MOLGENIS Vault helm chart
|
||||
|
||||
This chart creates a vault operator, but NO vault.
|
||||
The vault operator defines a new custom resource named `vault` that you can use to create vaults.
|
||||
|
||||
After launching the operator, create the molgenis vault manually:
|
||||
`kubectl create -f resources/vault.yaml`
|
||||
|
||||
That creates a new vault with two vault pods.
|
||||
|
||||
See https://github.com/coreos/vault-operator/blob/master/doc/user/vault.md
|
||||
|
||||
## Parameters
|
||||
|
||||
### Azure cloud credentials
|
||||
Define credentials for backup to the Azure Blob Store.
|
||||
See [etcd-operator documentation](https://github.com/coreos/etcd-operator/blob/master/doc/user/abs_backup.md).
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| --------------- | ----------------------------- | ------------------ |
|
||||
| `abs.account` | name of storage account | `fdlkops` |
|
||||
| `abs.accessKey` | access key of storage account | `xxxx` |
|
||||
| `abs.cloud` | name of cloud environment | `AzurePublicCloud` |
|
||||
|
||||
### Backup job
|
||||
Define the schedule of the backup job
|
||||
|
||||
| Parameter | Description | Default |
|
||||
| -------------------- | ---------------------------- | ------------------ |
|
||||
| `backupJob.enable` | Enable backup cronjob | `true` |
|
||||
| `backupJob.schedule` | cron schedule for the backup | `0 0 0 ? * MON *` |
|
Binary file not shown.
Binary file not shown.
|
@ -0,0 +1,9 @@
|
|||
dependencies:
|
||||
- name: vault-operator
|
||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||
version: 0.1.1
|
||||
- name: etcd-operator
|
||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||
version: 0.8.0
|
||||
digest: sha256:47aa645df7dfce9760905800321599de05995ae50090735d45310936dbaa46de
|
||||
generated: 2018-09-06T18:59:39.861922543+02:00
|
|
@ -0,0 +1,7 @@
|
|||
dependencies:
|
||||
- name: vault-operator
|
||||
version: ^0.1.1
|
||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
||||
- name: etcd-operator
|
||||
version: ^0.8.0
|
||||
repository: https://kubernetes-charts.storage.googleapis.com/
|
|
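Review bot: Both operator dependencies are declared with caret ranges (`version: ^0.1.1`, `version: ^0.8.0`) while the committed lock pins them to 0.1.1 and 0.8.0. These subcharts install the vault and etcd operators together with, as far as the values file shows, their own service accounts, so a future `helm dependency update` that resolves to a newer minor release changes what runs under those identities without any edit in this file being reviewed. Pinning the exact versions here (`version: 0.1.1` / `version: 0.8.0`) keeps requirements and lock in agreement and makes operator upgrades an explicit, reviewable change.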
@ -0,0 +1,15 @@
|
|||
# Use kubectl create -f restore.yaml to manually execute a restore of the vault
|
||||
apiVersion: "etcd.database.coreos.com/v1beta2"
|
||||
kind: "EtcdRestore"
|
||||
metadata:
|
||||
# The restore CR name must be the same as spec.etcdCluster.name
|
||||
name: vault-etcd
|
||||
namespace: vault-operator
|
||||
spec:
|
||||
etcdCluster:
|
||||
# The namespace is the same as this EtcdRestore CR
|
||||
name: vault-etcd
|
||||
backupStorageType: ABS
|
||||
abs:
|
||||
path: vault/backup-<specify the backup name>
|
||||
absSecret: abs
|
|
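Review bot: The placeholder `path: vault/backup-<specify the backup name>` does not match the layout the backup job writes, which is `vault/backup.<NOW>` (a dot, not a dash) in the ConfigMap template, so an operator who copies a backup name into this file gets a path that never existed and the restore fails. Changing it to `path: vault/backup.<specify the backup timestamp>` with a comment such as `# backups are written as vault/backup.<YYYY-MM-DD_HH:MM:SS> by the etcd-backup cronjob` removes the guesswork. The namespace `vault-operator` and cluster name `vault-etcd` are also hard-coded here, in the ConfigMap and in vault.yaml; if one of them is renamed the others silently point at nothing, so a comment naming that coupling (or a single value they are derived from) would help.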
@ -0,0 +1,9 @@
|
|||
# Use kubectl create -f vault.yaml to manually create a vault
|
||||
apiVersion: "vault.security.coreos.com/v1alpha1"
|
||||
kind: "VaultService"
|
||||
metadata:
|
||||
name: "vault"
|
||||
namespace: "vault-operator"
|
||||
spec:
|
||||
nodes: 2
|
||||
version: "0.9.1-0"
|
|
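Review bot: `namespace: "vault-operator"` is fixed in this manual resource, while the chart's `abs` Secret, the backup ConfigMap and the CronJob are rendered into whatever namespace the release is installed in; the EtcdBackup the cronjob creates references `absSecret: abs` and the etcd service by bare name, which as far as I can tell only resolves when the VaultService lives in that same namespace. A comment such as `# Create in the namespace the chart was installed in: the abs Secret and the backup job live there` would stop a mismatch from producing a backup job that quietly never succeeds. `nodes: 2` and `version: "0.9.1-0"` would also benefit from a one-line comment on why these values were chosen, since they are the only place the vault size and release are set.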
@ -0,0 +1,13 @@
|
|||
Vault operator created
|
||||
|
||||
Next steps:
|
||||
|
||||
* Manually create a vault using resources/vault.yaml
|
||||
* Manually restore a backup using resources/backup.yaml
|
||||
* Unseal the vault pods
|
||||
|
||||
{{ if .Values.backupJob.enable }}
|
||||
!! Make sure to check if the backups succeed !!
|
||||
{{ else }}
|
||||
!!!!!! NO BACKUPS CONFIGURED !!!!!!
|
||||
{{ end }}
|
|
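Review bot: The next-steps list points at `resources/backup.yaml`, but the file this commit adds for that purpose is `resources/restore.yaml` (its own header reads `# Use kubectl create -f restore.yaml to manually execute a restore of the vault`), so the line should be `* Manually restore a backup using resources/restore.yaml`. The enabled branch would be more actionable if it said how to verify, e.g. `!! Make sure to check if the backups succeed (inspect the EtcdBackup objects created by the etcd-backup cronjob) !!`, since a failing backup is otherwise invisible until a restore is needed.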
@ -0,0 +1,40 @@
|
|||
{{/* See https://github.com/helm/helm/issues/4535 */}}
|
||||
{{- define "call-nested" }}
|
||||
{{- $dot := index . 0 }}
|
||||
{{- $subchart := index . 1 }}
|
||||
{{- $template := index . 2 }}
|
||||
{{- include $template (dict "Chart" (dict "Name" $subchart) "Values" (index $dot.Values $subchart) "Release" $dot.Release "Capabilities" $dot.Capabilities) }}
|
||||
{{- end }}
|
||||
|
||||
{{/* vim: set filetype=mustache: */}}
|
||||
{{/*
|
||||
Expand the name of the chart.
|
||||
*/}}
|
||||
{{- define "molgenis-vault.name" -}}
|
||||
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create a default fully qualified app name.
|
||||
We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
|
||||
If release name contains chart name it will be used as a full name.
|
||||
*/}}
|
||||
{{- define "molgenis-vault.fullname" -}}
|
||||
{{- if .Values.fullnameOverride -}}
|
||||
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- $name := default .Chart.Name .Values.nameOverride -}}
|
||||
{{- if contains $name .Release.Name -}}
|
||||
{{- .Release.Name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- else -}}
|
||||
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
{{- end -}}
|
||||
|
||||
{{/*
|
||||
Create chart name and version as used by the chart label.
|
||||
*/}}
|
||||
{{- define "molgenis-vault.chart" -}}
|
||||
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" -}}
|
||||
{{- end -}}
|
|
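Review bot: The `call-nested` define carries only a link to the helm issue, while every other define in this file has a `{{/* ... */}}` header describing it. Because it unpacks its arguments positionally (`index . 0`, `index . 1`, `index . 2`) and forwards only `Chart.Name`, `Values.<subchart>`, `Release` and `Capabilities`, a caller such as the cronjob's `(list . "etcd-operator" "etcd-operator.serviceAccountName")` cannot tell from the code that a subchart template reading `.Chart.Version` or `.Chart.AppVersion` would see an empty value. A header like `{{/* call-nested renders a subchart template with the subchart's scope. Args: (list $ "subchart-name" "template-name"). Only Chart.Name is forwarded from .Chart. */}}` documents both the calling convention and that limit.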
@ -0,0 +1,10 @@
|
|||
# Secret to access microsoft azure blob store
|
||||
apiVersion: v1
|
||||
kind: Secret
|
||||
metadata:
|
||||
name: abs
|
||||
type: Opaque
|
||||
stringData:
|
||||
storage-account: {{ .Values.abs.account }}
|
||||
storage-key: {{ .Values.abs.accessKey }}
|
||||
cloud: {{ .Values.abs.cloud }}
|
|
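Review bot: The three `stringData` values are interpolated unquoted (`storage-account: {{ .Values.abs.account }}`, `storage-key: {{ .Values.abs.accessKey }}`, `cloud: {{ .Values.abs.cloud }}`), so an account name that is all digits, or a key that begins with a YAML indicator or contains `: ` or ` #`, is either retyped or breaks the manifest at install time. Render them as `{{ .Values.abs.account | quote }}`, `{{ required "abs.accessKey must be set" .Values.abs.accessKey | quote }}` and `{{ .Values.abs.cloud | quote }}`; `required` also makes an install that forgot `--set abs.accessKey=...` fail at render time instead of producing a Secret that holds the literal placeholder from values.yaml. The fixed `name: abs` is not release-scoped, so two releases in one namespace would overwrite each other's credentials; the `molgenis-vault.fullname` helper defined in this chart is the usual way to prefix it.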
@ -0,0 +1,18 @@
|
|||
# configmap to use as a template by the backup cronjob to create etcdbackup instances
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: backup-config
|
||||
data:
|
||||
backup_cr.yaml: |
|
||||
apiVersion: "etcd.database.coreos.com/v1beta2"
|
||||
kind: "EtcdBackup"
|
||||
metadata:
|
||||
generateName: vault-backup-
|
||||
spec:
|
||||
etcdEndpoints: ["https://vault-etcd-client:2379"]
|
||||
storageType: ABS
|
||||
clientTLSSecret: vault-etcd-client-tls
|
||||
abs:
|
||||
path: vault/backup.<NOW>
|
||||
absSecret: abs
|
|
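Review bot: `etcdEndpoints: ["https://vault-etcd-client:2379"]` and `clientTLSSecret: vault-etcd-client-tls` hard-code names that, as far as I can tell from the naming, are derived from `metadata.name: "vault"` in resources/vault.yaml, and the same `vault-etcd` string recurs in restore.yaml; renaming the VaultService would leave every scheduled backup pointing at a service that no longer exists, with the failure visible only in the EtcdBackup status. A comment such as `# must match the VaultService name in resources/vault.yaml (<name>-etcd-client, <name>-etcd-client-tls)` or a single value from which all three strings are built would tie them together. `path: vault/backup.<NOW>` is a contract with the cronjob's `sed` call rather than a literal path, which deserves a comment on that line so nobody "fixes" the placeholder.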
@ -0,0 +1,30 @@
|
|||
{{- if .Values.backupJob.enable }}
|
||||
# cronjob that creates etcdbackups using the etcd backup serviceaccount
|
||||
apiVersion: batch/v1beta1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: etcd-backup
|
||||
spec:
|
||||
schedule: {{ .Values.backupJob.schedule | quote }}
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
spec:
|
||||
serviceAccountName: {{ include "call-nested" (list . "etcd-operator" "etcd-operator.serviceAccountName") }}
|
||||
containers:
|
||||
- name: etcd-backup
|
||||
image: lachlanevenson/k8s-kubectl
|
||||
command:
|
||||
- /bin/sh
|
||||
- "-ec"
|
||||
- |
|
||||
sed -e "s|<NOW>|$(date '+%Y-%m-%d_%H:%M:%S')|g" /var/etcd_backup/backup_cr.yaml | kubectl create -f -
|
||||
volumeMounts:
|
||||
- name: backup-config
|
||||
mountPath: /var/etcd_backup
|
||||
restartPolicy: OnFailure
|
||||
volumes:
|
||||
- name: backup-config
|
||||
configMap:
|
||||
name: backup-config
|
||||
{{- end }}
|
|
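Review bot: `image: lachlanevenson/k8s-kubectl` has neither a tag nor a digest, so every scheduled run pulls whatever the floating default tag currently is, and the pod runs as the etcd-operator service account, which the operator chart, as far as I know, grants rights well beyond creating EtcdBackup objects; an upstream image change would be executed under that identity unreviewed. Pin it, e.g. `image: lachlanevenson/k8s-kubectl:<pinned-tag>@sha256:<digest>` (placeholders), and prefer a dedicated ServiceAccount whose Role only allows `create` on `etcdbackups` if the operator account indeed carries more. The CronJob also sets no `concurrencyPolicy` or history limits, so a hung run can overlap the next one and finished pods accumulate; `concurrencyPolicy: Forbid` together with `successfulJobsHistoryLimit`/`failedJobsHistoryLimit` under `spec:` keeps it bounded. The `{{- if .Values.backupJob.enable }}` wrapper is fine, but a comment stating that the serviceAccountName line depends on the etcd-operator subchart being enabled would save the next reader a trip to `_helpers.tpl`.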
@ -0,0 +1,47 @@
|
|||
# Default values for molgenis-vault.
|
||||
# This is a YAML-formatted file.
|
||||
# Declare variables to be passed into your templates.
|
||||
|
||||
# abs gives details of the credentials to reach the azure backup storage
|
||||
abs:
|
||||
# account is the name of the Storage account
|
||||
account: fdlkops
|
||||
# access key for the Storage account
|
||||
accessKey: xxxx
|
||||
# default cloud
|
||||
cloud: AzurePublicCloud
|
||||
|
||||
# backupjob describes the backup cronjob
|
||||
backupJob:
|
||||
# enable enables the backup job
|
||||
enable: true
|
||||
# schedule gives the cron schedule for the backup job
|
||||
schedule: "0 0 0 ? * MON *"
|
||||
|
||||
###
|
||||
# All of the config variables related to setting up the etcd-operator
|
||||
# If you want more information about the variables exposed, please visit:
|
||||
# https://github.com/kubernetes/charts/tree/master/stable/etcd-operator#configuration
|
||||
###
|
||||
etcd-operator:
|
||||
deployments:
|
||||
etcdOperator: true
|
||||
backupOperator: true
|
||||
restoreOperator: true
|
||||
serviceAccount:
|
||||
etcdOperatorServiceAccount:
|
||||
create: true
|
||||
backupOperatorServiceAccount:
|
||||
create: true
|
||||
restoreOperatorServiceAccount:
|
||||
create: true
|
||||
etcdOperator:
|
||||
image:
|
||||
tag: v0.9.2
|
||||
backupOperator:
|
||||
image:
|
||||
tag: v0.9.2
|
||||
restoreOperator:
|
||||
image:
|
||||
tag: v0.9.2
|
||||
|
|
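Review bot: The default `schedule: "0 0 0 ? * MON *"` is a seven-field Quartz expression, but a Kubernetes CronJob schedule is a standard five-field cron string (minute hour day-of-month month day-of-week), so with `enable: true` the rendered CronJob is expected to be rejected by API validation and no backup is ever scheduled. `schedule: "0 0 * * 1"` expresses the same Monday-at-midnight intent; the README table that documents this default should follow. `accessKey: xxxx` and `account: fdlkops` are committed as live defaults, so an install that omits `--set abs.accessKey=...` silently creates a Secret holding the placeholder and points it at what looks like a concrete storage account; `accessKey: ""` with a `required` check in the Secret template makes the omission fail loudly, and the account name is better left empty as well. The `etcd-operator:` block could also carry a comment stating that the three `tag: v0.9.2` entries are meant to move together, since a mismatch between the backup and restore operators is easy to introduce by editing one.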
@ -1,18 +0,0 @@
|
|||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: tiller
|
||||
namespace: kube-system
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1beta1
|
||||
kind: ClusterRoleBinding
|
||||
metadata:
|
||||
name: tiller
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: ClusterRole
|
||||
name: cluster-admin
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: tiller
|
||||
namespace: kube-system
|