diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 43a12c3..8ef1177 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -35,13 +35,13 @@ repos:
 args:
 - --markdown-linebreak-ext=md
-- repo: https://github.com/adrienverge/yamllint
- rev: v1.37.1
- hooks:
- - id: yamllint
- types:
- - file
- files: (\.yaml|\.yaml.j2)$
+#- repo: https://github.com/adrienverge/yamllint
+# rev: v1.37.1
+# hooks:
+# - id: yamllint
+# types:
+# - file
+# files: (\.yaml|\.yaml.j2)$
 #- repo: https://github.com/ansible-community/ansible-lint
 # rev: v6.16.1
diff --git a/.yamllint b/.yamllint
index 1beb178..ef9689a 100644
--- a/.yamllint
+++ b/.yamllint
@@ -38,6 +38,7 @@ ignore: |
 roles/infrastructure/templates/cronjob-postgres-backup-hourly.yaml.j2
 roles/infrastructure/templates/cronjob-postgres-backup-daily.yaml.j2
 roles/infrastructure/templates/cronjob-postgres-backup-weekly.yaml.j2
+ roles/infrastructure/templates/cronjob-postgres-backup-monthly.yaml.j2
 roles/infrastructure/templates/pvc-postgres.yaml.j2
 roles/infrastructure/templates/pvc-postgres-backup.yaml.j2
 roles/infrastructure/templates/serviceaccount-im-infra.yaml.j2
diff --git a/parameters-local.yaml b/parameters-local.yaml
index 1d80d05..ee4ba93 100644
--- a/parameters-local.yaml
+++ b/parameters-local.yaml
@@ -14,7 +14,6 @@ infra_priority_class: im-application-critical
 ingress_class: "{{ lookup('env', 'IM_DEV_INGRESS_CLASS') | default('nginx', True)}}"
-ic_state: absent
 efs_state: absent
 cinder_state: absent
 ax_state: absent
diff --git a/parameters-scw-im-main.yaml b/parameters-scw-im-main.yaml
index 29ae101..bf666aa 100644
--- a/parameters-scw-im-main.yaml
+++ b/parameters-scw-im-main.yaml
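Review bot: The yamllint hook is commented out with no reason recorded, while `.yamllint` in the same commit gains a new ignore entry, so the linter configuration is still being maintained for a hook that no longer runs. If the disablement is temporary, add a one-line comment above the block such as `# yamllint hook disabled: <reason>; re-enable once <condition>` so the next reader knows whether to restore it; if it is permanent, deleting the block is cleaner than keeping dead configuration. With the hook off, YAML style in this commit's other files (for example the mixed single and double quoting of the new schedule defaults in `roles/infrastructure/defaults/main.yaml`) is no longer checked before commit.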
@@ -1,5 +1,12 @@
 ---
+# Where are we deploying this stuff?
+#
+# The name is used to decrypt installation-specific variables
+# that are expected to be found in 'vars/sensitive-.vault',
+# and you will need to provide the vault password when running the playbook.
+infra_installation_name: scw-im-main
+
 # A set of parameters for our im-main Scaleway cluster.
 k8s_kubeconfig: "{{ lookup('env', 'KUBECONFIG') }}"
@@ -11,19 +18,31 @@ infra_priority_class: im-application-critical
 ingress_class: nginx
-ic_state: absent
 efs_state: absent
 cinder_state: absent
-ax_state: absent
 pg_state: present
-pg_bu_state: absent
 pg_image: informaticsmatters/rdkit-cartridge-debian
 pg_version: Release_2024_03_3
 pg_vol_size_g: 1
 pg_cpu_request: 100m
 pg_mem_request: 250Mi
+pg_bu_state: present
+pg_bu_image_tag: "15.8"
+# 4 backups a day (at 6-hourly intervals)
+pg_bu_hourly_schedule: "1 5,11,17,23 * * *"
+pg_bu_hourly_history: 4
+# 7 daily backups
+pg_bu_daily_schedule: "31 5 * * *"
+pg_bu_daily_history: 7
+# 4 weekly backups (on Sundays)
+pg_bu_weekly_schedule: "41 5 * * 0"
+pg_bu_weekly_history: 4
+# 3 monthly backups (on the 1st of each month)
+pg_bu_monthly_schedule: "41 5 1 * *"
+pg_bu_monthly_history: 3
+
 kc_state: present
 kc_hostname: keycloak-scw.informaticsmatters.com
diff --git a/provisioning/ingress-controller/ingress-nginx-1.4.0.yaml b/provisioning/ingress-controller/ingress-nginx-1.4.0.yaml
deleted file mode 100644
index 5c656bf..0000000
--- a/provisioning/ingress-controller/ingress-nginx-1.4.0.yaml
+++ /dev/null
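Review bot: The comment `# that are expected to be found in 'vars/sensitive-.vault',` appears to have lost the variable part of the file name — as written it names one fixed file, which contradicts the preceding sentence saying the installation name selects the variables. Spell the pattern out with an explicit placeholder, e.g. `# that are expected to be found in 'vars/sensitive-<infra_installation_name>.vault',`, adjusted to whatever the role actually expects. The matching comment added to `roles/infrastructure/defaults/main.yaml` in this commit names only the role's 'vars' directory and would benefit from the same concrete pattern.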
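Review bot: `pg_bu_weekly_schedule: "41 5 * * 0"` and `pg_bu_monthly_schedule: "41 5 1 * *"` fire at the same minute, so whenever the 1st of the month falls on a Sunday both backup CronJobs start simultaneously against the same database, whereas the role defaults in this commit stagger the monthly run ten minutes later (`51 3 1 * *`). Consider `pg_bu_monthly_schedule: "51 5 1 * *"` to keep that stagger here. It would also help to say in the `# 4 backups a day (at 6-hourly intervals)` comment that, with `pg_bu_hourly_history: 4`, this tier retains only the last 24 hours, since the defaults describe the history value as the number of backups kept.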
@@ -1,662 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - name: ingress-nginx ---- -apiVersion: v1 -automountServiceAccountToken: true -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get -- apiGroups: - - "" - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resourceNames: - - ingress-controller-leader - resources: - - configmaps - verbs: - - get - - update -- apiGroups: - - "" - resources: - - configmaps - verbs: - - create -- apiGroups: - - coordination.k8s.io 
- resourceNames: - - ingress-controller-leader - resources: - - leases - verbs: - - get - - update -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-admission - namespace: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - secrets - verbs: - - get - - create ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx -rules: -- apiGroups: - - "" - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - - namespaces - verbs: - - list - - watch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - nodes - verbs: - - get -- apiGroups: - - "" - resources: - - services - verbs: - - get - - list - - watch -- apiGroups: - - networking.k8s.io - resources: - - ingresses - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - events - verbs: - - create - - patch -- apiGroups: - - networking.k8s.io - resources: - - ingresses/status - verbs: - - update -- apiGroups: - - networking.k8s.io - resources: - - ingressclasses - verbs: - - get - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - list - - watch - - get ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: 
- app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-admission -rules: -- apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-admission - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: -- kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - 
app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-admission -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: -- kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -apiVersion: v1 -data: - allow-snippet-annotations: "true" -kind: ConfigMap -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-controller - namespace: ingress-nginx ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: "true" - service.beta.kubernetes.io/aws-load-balancer-type: nlb - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - externalTrafficPolicy: Local - ipFamilies: - - IPv4 - ipFamilyPolicy: SingleStack - ports: - - appProtocol: http - name: http - port: 80 - protocol: TCP - targetPort: http - - appProtocol: https - name: https - port: 443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: LoadBalancer ---- -apiVersion: v1 -kind: Service -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: 
ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - ports: - - appProtocol: https - name: https-webhook - port: 443 - targetPort: webhook - selector: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - type: ClusterIP ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - minReadySeconds: 0 - revisionHistoryLimit: 10 - selector: - matchLabels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - template: - metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - spec: - containers: - - args: - - /nginx-ingress-controller - - --publish-service=$(POD_NAMESPACE)/ingress-nginx-controller - - --election-id=ingress-controller-leader - - --controller-class=k8s.io/ingress-nginx - - --ingress-class=nginx - - --configmap=$(POD_NAMESPACE)/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - - name: LD_PRELOAD - value: /usr/local/lib/libmimalloc.so - image: registry.k8s.io/ingress-nginx/controller:v1.4.0@sha256:34ee929b111ffc7aa426ffd409af44da48e5a0eea1eb2207994d9e0c0882d143 - imagePullPolicy: IfNotPresent - lifecycle: - preStop: - exec: - command: - - /wait-shutdown - livenessProbe: - failureThreshold: 5 
- httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - name: controller - ports: - - containerPort: 80 - name: http - protocol: TCP - - containerPort: 443 - name: https - protocol: TCP - - containerPort: 8443 - name: webhook - protocol: TCP - readinessProbe: - failureThreshold: 3 - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - successThreshold: 1 - timeoutSeconds: 1 - resources: - requests: - cpu: 100m - memory: 90Mi - securityContext: - allowPrivilegeEscalation: true - capabilities: - add: - - NET_BIND_SERVICE - drop: - - ALL - runAsUser: 101 - volumeMounts: - - mountPath: /usr/local/certificates/ - name: webhook-cert - readOnly: true - dnsPolicy: ClusterFirst - nodeSelector: - kubernetes.io/os: linux - serviceAccountName: ingress-nginx - terminationGracePeriodSeconds: 300 - volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-admission-create - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-admission-create - spec: - containers: - - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc - - --namespace=$(POD_NAMESPACE) - - --secret-name=ingress-nginx-admission - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: 
registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f - imagePullPolicy: IfNotPresent - name: create - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: ingress-nginx-admission ---- -apiVersion: batch/v1 -kind: Job -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-admission-patch - namespace: ingress-nginx -spec: - template: - metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-admission-patch - spec: - containers: - - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=$(POD_NAMESPACE) - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - env: - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v20220916-gd32f8c343@sha256:39c5b2e3310dc4264d638ad28d9d1d96c4cbb2b2dcfb52368fe4e3c63f61e10f - imagePullPolicy: IfNotPresent - name: patch - securityContext: - allowPrivilegeEscalation: false - nodeSelector: - kubernetes.io/os: linux - restartPolicy: OnFailure - securityContext: - fsGroup: 2000 - runAsNonRoot: true - runAsUser: 2000 - serviceAccountName: ingress-nginx-admission ---- -apiVersion: networking.k8s.io/v1 -kind: IngressClass -metadata: - labels: - app.kubernetes.io/component: controller - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: 
ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: nginx -spec: - controller: k8s.io/ingress-nginx ---- -apiVersion: admissionregistration.k8s.io/v1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - app.kubernetes.io/component: admission-webhook - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/part-of: ingress-nginx - app.kubernetes.io/version: 1.4.0 - name: ingress-nginx-admission -webhooks: -- admissionReviewVersions: - - v1 - clientConfig: - service: - name: ingress-nginx-controller-admission - namespace: ingress-nginx - path: /networking/v1/ingresses - failurePolicy: Fail - matchPolicy: Equivalent - name: validate.nginx.ingress.kubernetes.io - rules: - - apiGroups: - - networking.k8s.io - apiVersions: - - v1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - sideEffects: None diff --git a/provisioning/ingress-controller/ingress-nginx-2.9.1.yaml b/provisioning/ingress-controller/ingress-nginx-2.9.1.yaml deleted file mode 100644 index 8c74fb1..0000000 --- a/provisioning/ingress-controller/ingress-nginx-2.9.1.yaml +++ /dev/null 
@@ -1,672 +0,0 @@ ---- - -# Original file (unmodified at the moment) taken from: -# https://raw.githubusercontent.com/kubernetes/ingress-nginx/ingress-nginx-2.9.1/deploy/static/provider/aws/deploy.yaml -# -# Changes: -# -# 1) The addition of... -# service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "owner=im-main" -# ...in the LoadBalancer service -# -# 2) Use of DaemonSet instead of a Deployment -# for the nginx-ingress-controller - -apiVersion: v1 -kind: Namespace -metadata: - name: ingress-nginx - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-configmap.yaml -apiVersion: v1 -kind: ConfigMap -metadata: - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller - namespace: ingress-nginx -data: ---- -# Source: ingress-nginx/templates/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx - namespace: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - configmaps - - endpoints - - nodes - - pods - - secrets - verbs: - - list - - watch - - apiGroups: - - '' - 
resources: - - nodes - verbs: - - get - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - update - - watch - - apiGroups: - - extensions - - networking.k8s.io # k8s 1.14+ - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch - - apiGroups: - - extensions - - networking.k8s.io # k8s 1.14+ - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io # k8s 1.14+ - resources: - - ingressclasses - verbs: - - get - - list - - watch ---- -# Source: ingress-nginx/templates/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - name: ingress-nginx - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx - namespace: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - namespaces - verbs: - - get - - apiGroups: - - '' - resources: - - configmaps - - pods - - secrets - - endpoints - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - services - verbs: - - get - - list - - update - - watch - - apiGroups: - - extensions - - networking.k8s.io # k8s 1.14+ - resources: - - ingresses - verbs: - - get - - list - - watch - - apiGroups: - - 
extensions - - networking.k8s.io # k8s 1.14+ - resources: - - ingresses/status - verbs: - - update - - apiGroups: - - networking.k8s.io # k8s 1.14+ - resources: - - ingressclasses - verbs: - - get - - list - - watch - - apiGroups: - - '' - resources: - - configmaps - resourceNames: - - ingress-controller-leader-nginx - verbs: - - get - - update - - apiGroups: - - '' - resources: - - configmaps - verbs: - - create - - apiGroups: - - '' - resources: - - endpoints - verbs: - - create - - get - - update - - apiGroups: - - '' - resources: - - events - verbs: - - create - - patch ---- -# Source: ingress-nginx/templates/controller-rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx -subjects: - - kind: ServiceAccount - name: ingress-nginx - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/controller-service-webhook.yaml -apiVersion: v1 -kind: Service -metadata: - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller-admission - namespace: ingress-nginx -spec: - type: ClusterIP - ports: - - name: https-webhook - port: 443 - targetPort: webhook - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller ---- -# Source: ingress-nginx/templates/controller-service.yaml -apiVersion: v1 -kind: Service -metadata: - annotations: - 
service.beta.kubernetes.io/aws-load-balancer-backend-protocol: tcp - service.beta.kubernetes.io/aws-load-balancer-connection-idle-timeout: '60' - service.beta.kubernetes.io/aws-load-balancer-cross-zone-load-balancing-enabled: 'true' - service.beta.kubernetes.io/aws-load-balancer-type: nlb - service.beta.kubernetes.io/aws-load-balancer-additional-resource-tags: "owner=im-main" - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - type: LoadBalancer - externalTrafficPolicy: Local - ports: - - name: http - port: 80 - protocol: TCP - targetPort: http - - name: https - port: 443 - protocol: TCP - targetPort: https - selector: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller ---- -# Source: ingress-nginx/templates/controller-deployment.yaml -apiVersion: apps/v1 -kind: DaemonSet -metadata: - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: controller - name: ingress-nginx-controller - namespace: ingress-nginx -spec: - selector: - matchLabels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller - revisionHistoryLimit: 10 - minReadySeconds: 0 - template: - metadata: - labels: - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/component: controller - spec: - dnsPolicy: ClusterFirst - containers: - - name: controller - image: quay.io/kubernetes-ingress-controller/nginx-ingress-controller:0.33.0 - imagePullPolicy: IfNotPresent - lifecycle: 
- preStop: - exec: - command: - - /wait-shutdown - args: - - /nginx-ingress-controller - - --publish-service=ingress-nginx/ingress-nginx-controller - - --election-id=ingress-controller-leader - - --ingress-class=nginx - - --configmap=ingress-nginx/ingress-nginx-controller - - --validating-webhook=:8443 - - --validating-webhook-certificate=/usr/local/certificates/cert - - --validating-webhook-key=/usr/local/certificates/key - securityContext: - capabilities: - drop: - - ALL - add: - - NET_BIND_SERVICE - runAsUser: 101 - allowPrivilegeEscalation: true - env: - - name: POD_NAME - valueFrom: - fieldRef: - fieldPath: metadata.name - - name: POD_NAMESPACE - valueFrom: - fieldRef: - fieldPath: metadata.namespace - livenessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /healthz - port: 10254 - scheme: HTTP - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 1 - successThreshold: 1 - failureThreshold: 3 - ports: - - name: http - containerPort: 80 - protocol: TCP - - name: https - containerPort: 443 - protocol: TCP - - name: webhook - containerPort: 8443 - protocol: TCP - volumeMounts: - - name: webhook-cert - mountPath: /usr/local/certificates/ - readOnly: true - resources: - requests: - cpu: 100m - memory: 90Mi - serviceAccountName: ingress-nginx - terminationGracePeriodSeconds: 300 - volumes: - - name: webhook-cert - secret: - secretName: ingress-nginx-admission ---- -# Source: ingress-nginx/templates/admission-webhooks/validating-webhook.yaml -# before changing this value, check the required kubernetes version -# https://kubernetes.io/docs/reference/access-authn-authz/extensible-admission-controllers/#prerequisites -apiVersion: admissionregistration.k8s.io/v1beta1 -kind: ValidatingWebhookConfiguration -metadata: - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx 
- app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - name: ingress-nginx-admission - namespace: ingress-nginx -webhooks: - - name: validate.nginx.ingress.kubernetes.io - rules: - - apiGroups: - - extensions - - networking.k8s.io - apiVersions: - - v1beta1 - operations: - - CREATE - - UPDATE - resources: - - ingresses - failurePolicy: Fail - sideEffects: None - admissionReviewVersions: - - v1 - - v1beta1 - clientConfig: - service: - namespace: ingress-nginx - name: ingress-nginx-controller-admission - path: /extensions/v1beta1/ingresses ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrole.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx -rules: - - apiGroups: - - admissionregistration.k8s.io - resources: - - validatingwebhookconfigurations - verbs: - - get - - update ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/clusterrolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: 
admission-webhook - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-createSecret.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: ingress-nginx-admission-create - annotations: - helm.sh/hook: pre-install,pre-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx -spec: - template: - metadata: - name: ingress-nginx-admission-create - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - spec: - containers: - - name: create - image: docker.io/jettech/kube-webhook-certgen:v1.2.0 - imagePullPolicy: IfNotPresent - args: - - create - - --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.ingress-nginx.svc - - --namespace=ingress-nginx - - --secret-name=ingress-nginx-admission - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission - securityContext: - runAsNonRoot: true - runAsUser: 2000 ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/job-patchWebhook.yaml -apiVersion: batch/v1 -kind: Job -metadata: - name: ingress-nginx-admission-patch - annotations: - helm.sh/hook: post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: 
ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx -spec: - template: - metadata: - name: ingress-nginx-admission-patch - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - spec: - containers: - - name: patch - image: docker.io/jettech/kube-webhook-certgen:v1.2.0 - imagePullPolicy: IfNotPresent - args: - - patch - - --webhook-name=ingress-nginx-admission - - --namespace=ingress-nginx - - --patch-mutating=false - - --secret-name=ingress-nginx-admission - - --patch-failure-policy=Fail - restartPolicy: OnFailure - serviceAccountName: ingress-nginx-admission - securityContext: - runAsNonRoot: true - runAsUser: 2000 ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/role.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx -rules: - - apiGroups: - - '' - resources: - - secrets - verbs: - - get - - create ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/rolebinding.yaml -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: 
ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: ingress-nginx-admission -subjects: - - kind: ServiceAccount - name: ingress-nginx-admission - namespace: ingress-nginx ---- -# Source: ingress-nginx/templates/admission-webhooks/job-patch/serviceaccount.yaml -apiVersion: v1 -kind: ServiceAccount -metadata: - name: ingress-nginx-admission - annotations: - helm.sh/hook: pre-install,pre-upgrade,post-install,post-upgrade - helm.sh/hook-delete-policy: before-hook-creation,hook-succeeded - labels: - helm.sh/chart: ingress-nginx-2.9.0 - app.kubernetes.io/name: ingress-nginx - app.kubernetes.io/instance: ingress-nginx - app.kubernetes.io/version: 0.33.0 - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/component: admission-webhook - namespace: ingress-nginx diff --git a/roles/infrastructure/defaults/main.yaml b/roles/infrastructure/defaults/main.yaml index 42fd750..b65e75e 100644 --- a/roles/infrastructure/defaults/main.yaml +++ b/roles/infrastructure/defaults/main.yaml 
@@ -6,13 +6,20 @@ # the namespace, database, PSPs etc. infra_state: present # The priority class applied to DB, keycloak and RabbitMQ (if set) -infra_priority_class: '' +infra_priority_class: "" + +# The (optional) 'installation' name. This is used to uniquely identify the Infrastructure for a +# specific customer. It is used by the playbook to load customer-specific variables, +# which are encoded in sensitive ('.vault') files that are located in the +# role's 'vars' directory. To load the variables the user will also need to provide +# the playbook with the vault password. +infra_installation_name: "" # If set, use this kubernetes config, rather than K8S credentials. # You would set this if executing the playbooks locally, i.e. not from # and AWX server, where K8S_AUTH_HOST, K8S_AUTH_API_KEY environment # variables are set and used. -k8s_kubeconfig: '' +k8s_kubeconfig: "" # Database (postgres) --------------------------------------------------------- 
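Review bot: The new `infra_installation_name` comment says the name is optional but not what happens when it is left empty; from the include task this commit adds, an empty name silently skips loading any `.vault` file, so a parameters file that misspells the variable would deploy without the customer's sensitive values rather than fail. I'd extend the comment with `# Leave empty to skip the vault include entirely; any other value must match an existing` `# vars/sensitive-<name>.vault file, otherwise the play fails at the include step.` Since the value is interpolated into a file path, it is also worth stating that it is a bare identifier (no path separators).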
@@ -71,6 +78,33 @@ pg_bu_volume_is_s3: no # The S3 URL (used by s3fs in the backup and recovery containers) pg_bu_volume_s3_url: "https://s3.{{ pg_bu_s3_default_region }}.amazonaws.com" +# Do we use rclone to copy the backups (to an S3 bucket)? +pg_bu_use_rclone: no + +# The backup container image tag. +pg_bu_image_tag: "15.0" +# The registry +pg_bu_image_registry: docker.io + +# Backups run as a CronJob. +# Set the schedule (and the number of hourly backups to keep) here. + +# Daily, weekly, and monthly schedules +# (only used if the corresponding history is 1 or more) +pg_bu_hourly_schedule: '1 * * * *' +pg_bu_daily_schedule: "31 3 * * *" +pg_bu_weekly_schedule: "41 3 * * 0" +pg_bu_monthly_schedule: "51 3 1 * *" + +pg_bu_hourly_history: 0 +# ...and daily history (0 implies no backup) +# If you use daily you must also use hourly. +pg_bu_daily_history: 0 +# If you use weekly you must also use daily. +pg_bu_weekly_history: 0 +# If you use monthly you must also use weekly. +pg_bu_monthly_history: 0 + # Keycloak -------------------------------------------------------------------- # Deploy (or un-deploy)? @@ -91,7 +125,7 @@ kc_hostname: SetMe # See: - # https://stackoverflow.com/questions/44624844/ # configure-reverse-proxy-for-keycloak-docker-with-custom-base-url/54311713#54311713. -kc_hostname_path: '' +kc_hostname_path: "" # Kubernetes certificate issuer. # One of 'staging' or 'production' (rate-limited) kc_cert_issuer: production diff --git a/roles/infrastructure/tasks/deploy-backup.yaml b/roles/infrastructure/tasks/deploy-backup.yaml index 26217fd..8fe4370 100644 --- a/roles/infrastructure/tasks/deploy-backup.yaml +++ b/roles/infrastructure/tasks/deploy-backup.yaml 
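Review bot: The comment placement in the new backup block is misleading: "Daily, weekly, and monthly schedules" sits above `pg_bu_hourly_schedule`, "...and daily history (0 implies no backup)" follows `pg_bu_hourly_history` rather than `pg_bu_daily_history`, and the earlier "(and the number of hourly backups to keep)" sentence now refers to nothing below it. I'd reword the lead comment to `# Backups run as CronJobs, one per tier (hourly, daily, weekly, monthly).` `# A schedule is only used when the corresponding *_history value is 1 or more (0 disables the tier).` and drop the stale sentences. Style: `pg_bu_hourly_schedule: '1 * * * *'` is the only single-quoted value in a hunk that otherwise moves to double quotes; `pg_bu_hourly_schedule: "1 * * * *"` keeps the file consistent.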
@@ -78,3 +78,10 @@ wait: yes wait_timeout: "{{ wait_timeout }}" when: pg_bu_weekly_history | int > 0 + +- name: Deploy backup (monthly) + kubernetes.core.k8s: + definition: "{{ lookup('template', 'cronjob-postgres-backup-monthly.yaml.j2') }}" + wait: yes + wait_timeout: "{{ wait_timeout }}" + when: pg_bu_monthly_history | int > 0 diff --git a/roles/infrastructure/tasks/main.yaml b/roles/infrastructure/tasks/main.yaml index 28a2bd8..5a3e9ab 100644 --- a/roles/infrastructure/tasks/main.yaml +++ b/roles/infrastructure/tasks/main.yaml @@ -3,6 +3,15 @@ - name: Prep include_tasks: prep.yaml +# Include sensitive (Ansible Vault) variables based on the installation name. +# We include 'sensitive-local.vault' variables if the installation name is 'local'. +# The user will need to provide the vault password. + +- name: Include sensitive (vault) variables ({{ infra_installation_name }}) + ansible.builtin.include_vars: + file: sensitive-{{ infra_installation_name }}.vault + when: infra_installation_name | length > 0 + - name: Display k8s_auth_host ansible.builtin.debug: var: k8s_auth_host diff --git a/roles/infrastructure/templates/configmap-postgres-init.yaml.j2 b/roles/infrastructure/templates/configmap-postgres-init.yaml.j2 index 5771217..e6dfcb9 100644 --- a/roles/infrastructure/templates/configmap-postgres-init.yaml.j2 +++ b/roles/infrastructure/templates/configmap-postgres-init.yaml.j2 @@ -17,14 +17,6 @@ data: CREATE DATABASE keycloak; GRANT ALL PRIVILEGES ON DATABASE keycloak TO keycloak; ALTER DATABASE keycloak OWNER TO keycloak; -{% endif%} -{% if ax_userax_user_password_fact_fact is defined %} - -- Configure a user and database for AWX - CREATE USER {{ ax_user_fact }}; - ALTER USER {{ ax_user_fact }} WITH PASSWORD '{{ ax_user_password_fact }}'; - CREATE DATABASE {{ ax_database_fact }}; - GRANT ALL PRIVILEGES ON DATABASE {{ ax_database_fact }} TO {{ ax_user_fact }}; - ALTER DATABASE {{ ax_database_fact }} OWNER TO {{ ax_user_fact }}; {% endif%} EOSQL {% endif %} 
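Review bot: The new monthly task deploys whenever `pg_bu_monthly_history > 0`, but nothing enforces the tier chain the defaults document ("If you use monthly you must also use weekly"), so a monthly CronJob can be created whose `BACKUP_PRIOR_TYPE` names a tier that is never produced; if the image promotes from the prior tier as those comments suggest, the job runs on schedule but never has a backup to copy. The hunk only shows the tail of the weekly task, so the natural place for a guard — before the first deploy task — lies outside it. I'd add one assert covering all tiers there:

```yaml
- name: Check backup tier prerequisites
  ansible.builtin.assert:
    that:
      - pg_bu_daily_history | int == 0 or pg_bu_hourly_history | int > 0
      - pg_bu_weekly_history | int == 0 or pg_bu_daily_history | int > 0
      - pg_bu_monthly_history | int == 0 or pg_bu_weekly_history | int > 0
    fail_msg: Each backup tier needs the tier below it (hourly < daily < weekly < monthly)

# … unchanged: per-tier kubernetes.core.k8s deploy tasks …
```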
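Review bot: The new `Include sensitive (vault) variables` task should carry `no_log: true`: `include_vars` returns every loaded variable in its task result (`ansible_facts`), so with `-v` or any callback that prints results the decrypted vault contents land in the console and in CI or AWX job logs. Since these files exist precisely to hold the installation's secrets, I'd add `no_log: true` next to the `when:` condition. The comment's `'local'` example describes a case the naming convention only implies; it is worth stating that a name with no matching `vars/sensitive-<name>.vault` file fails the play rather than falling back to defaults.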
diff --git a/roles/infrastructure/templates/cronjob-postgres-backup-daily.yaml.j2 b/roles/infrastructure/templates/cronjob-postgres-backup-daily.yaml.j2 index 202612c..1601805 100644 --- a/roles/infrastructure/templates/cronjob-postgres-backup-daily.yaml.j2 +++ b/roles/infrastructure/templates/cronjob-postgres-backup-daily.yaml.j2 @@ -57,11 +57,11 @@ spec: value: '{{ pg_bu_daily_history }}' - name: BACKUP_PRIOR_TYPE value: hourly - - name: BACKUP_PRIOR_COUNT - value: '{{ pg_bu_hourly_history }}' {% if pg_bu_volume_is_s3 %} - name: BACKUP_VOLUME_IS_S3 value: 'yes' +{% endif %} +{% if pg_bu_volume_s3_url %} - name: BACKUP_VOLUME_S3_URL value: '{{ pg_bu_volume_s3_url }}' {% endif %} diff --git a/roles/infrastructure/templates/cronjob-postgres-backup-hourly.yaml.j2 b/roles/infrastructure/templates/cronjob-postgres-backup-hourly.yaml.j2 index 7bf7d5e..50f49ec 100644 --- a/roles/infrastructure/templates/cronjob-postgres-backup-hourly.yaml.j2 +++ b/roles/infrastructure/templates/cronjob-postgres-backup-hourly.yaml.j2 @@ -70,9 +70,17 @@ spec: {% if pg_bu_volume_is_s3 %} - name: BACKUP_VOLUME_IS_S3 value: 'yes' +{% endif %} +{% if pg_bu_volume_s3_url %} - name: BACKUP_VOLUME_S3_URL value: '{{ pg_bu_volume_s3_url }}' {% endif %} +{% if pg_bu_use_rclone | bool %} + - name: USE_RCLONE + value: 'yes' + - name: USE_RCLONE_BUCKET_AND_PATH + value: '/{{ pg_bu_s3_bucket_name }}' +{% endif %} {% if pg_bu_s3_bucket_name %} - name: AWS_BUCKET_NAME value: '{{ pg_bu_s3_bucket_name }}' diff --git a/roles/infrastructure/templates/cronjob-postgres-backup-monthly.yaml.j2 b/roles/infrastructure/templates/cronjob-postgres-backup-monthly.yaml.j2 new file mode 100644 index 0000000..52ca254 --- /dev/null +++ b/roles/infrastructure/templates/cronjob-postgres-backup-monthly.yaml.j2 
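Review bot: Moving the S3 URL into its own `{% if pg_bu_volume_s3_url %}` guard makes `BACKUP_VOLUME_S3_URL` unconditional in practice, because the defaults in this same commit give `pg_bu_volume_s3_url` a non-empty AWS endpoint, so every non-S3 daily backup pod now carries an S3 URL it has no credentials or mount for. If the intent is to feed the URL to the rclone path that the hourly template gains here, the daily template presumably needs the matching `USE_RCLONE` block; otherwise I'd tighten the guard to `{% if pg_bu_volume_is_s3 or pg_bu_use_rclone | bool %}`. Dropping `BACKUP_PRIOR_COUNT` assumes the `15.8` image no longer reads it — worth confirming against the image, since an older `pg_bu_image_tag` would silently lose that value.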
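Review bot: The new rclone block renders `USE_RCLONE_BUCKET_AND_PATH: '/{{ pg_bu_s3_bucket_name }}'` regardless of whether `pg_bu_s3_bucket_name` is set, while the `AWS_*` credentials that follow are only rendered inside `{% if pg_bu_s3_bucket_name %}`; with `pg_bu_use_rclone: yes` and no bucket name the pod gets a path of `/` and no credentials. I'd either nest the rclone block inside the bucket-name guard or assert `pg_bu_s3_bucket_name | length > 0` when rclone is enabled, so the failure is at deploy time rather than in a silently empty backup. Since rclone copies to S3 without a fuse mount, `pg_bu_use_rclone` and `pg_bu_volume_is_s3` (which requires the privileged/SYS_ADMIN container) look mutually exclusive; documenting that in the defaults would stop someone enabling both.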
@@ -0,0 +1,95 @@ +--- +kind: CronJob +apiVersion: batch/v1 +metadata: + name: postgres-backup-monthly + namespace: {{ infra_namespace }} +spec: + schedule: '{{ pg_bu_monthly_schedule }}' + startingDeadlineSeconds: 180 + concurrencyPolicy: Forbid + jobTemplate: + spec: + template: + metadata: + labels: + name: postgres-backup-monthly + spec: + serviceAccountName: {{ infra_namespace_service_account }} + +{% if all_image_preset_pullsecret_name|string|length > 0 %} + imagePullSecrets: + - name: {{ all_image_preset_pullsecret_name }} +{% endif %} + + containers: + - image: {{ pg_bu_image_registry }}/informaticsmatters/sql-backup:{{ pg_bu_image_tag }} + name: postgres-backup-weekly +{% if pg_bu_image_tag in ['latest', 'stable'] %} + imagePullPolicy: Always +{% else %} + imagePullPolicy: IfNotPresent +{% endif %} + terminationMessagePolicy: FallbackToLogsOnError + +{% if pg_bu_volume_is_s3 %} + # In order to use 'fuse' and mount S3 buckets + # the container needs to run as 'privileged' + # and as SYS-ADMIN. 
+ securityContext: + privileged: true + capabilities: + add: + - SYS_ADMIN +{% endif %} + + resources: + limits: + cpu: 1 + memory: 1Gi + requests: + cpu: 100m + memory: 128Mi + env: + - name: BACKUP_TYPE + value: monthly + - name: BACKUP_COUNT + value: '{{ pg_bu_monthly_history }}' + - name: BACKUP_PRIOR_TYPE + value: daily +{% if pg_bu_volume_is_s3 %} + - name: BACKUP_VOLUME_IS_S3 + value: 'yes' +{% endif %} +{% if pg_bu_volume_s3_url %} + - name: BACKUP_VOLUME_S3_URL + value: '{{ pg_bu_volume_s3_url }}' +{% endif %} +{% if pg_bu_s3_bucket_name %} + - name: AWS_BUCKET_NAME + value: '{{ pg_bu_s3_bucket_name }}' + - name: AWS_ACCESS_KEY_ID + valueFrom: + secretKeyRef: + name: im-s3 + key: access_key_id + - name: AWS_SECRET_ACCESS_KEY + valueFrom: + secretKeyRef: + name: im-s3 + key: secret_access_key +{% endif %} +{% if not pg_bu_volume_is_s3 %} + volumeMounts: + - name: backup-data + mountPath: /backup +{% endif %} + +{% if not pg_bu_volume_is_s3 %} + volumes: + - name: backup-data + persistentVolumeClaim: + claimName: pg-bu +{% endif %} + + restartPolicy: Never diff --git a/roles/infrastructure/templates/cronjob-postgres-backup-weekly.yaml.j2 b/roles/infrastructure/templates/cronjob-postgres-backup-weekly.yaml.j2 index 72fb23d..b181a9d 100644 --- a/roles/infrastructure/templates/cronjob-postgres-backup-weekly.yaml.j2 +++ b/roles/infrastructure/templates/cronjob-postgres-backup-weekly.yaml.j2 @@ -57,11 +57,11 @@ spec: value: '{{ pg_bu_weekly_history }}' - name: BACKUP_PRIOR_TYPE value: daily - - name: BACKUP_PRIOR_COUNT - value: '{{ pg_bu_daily_history }}' {% if pg_bu_volume_is_s3 %} - name: BACKUP_VOLUME_IS_S3 value: 'yes' +{% endif %} +{% if pg_bu_volume_s3_url %} - name: BACKUP_VOLUME_S3_URL value: '{{ pg_bu_volume_s3_url }}' {% endif %} diff --git a/roles/infrastructure/templates/secret-awx.yaml.j2 b/roles/infrastructure/templates/secret-awx.yaml.j2 deleted file mode 100644 index 8f3ad6b..0000000 
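Review bot: The monthly CronJob's container is named `postgres-backup-weekly` — a copy-paste from the weekly template — which makes logs and events for the monthly job misleading; it should read `name: postgres-backup-monthly`. The job also sets `BACKUP_PRIOR_TYPE: daily`, the same prior tier the weekly job uses, whereas the defaults added in this commit say monthly requires weekly; one of the two is presumably wrong, and if the image promotes from the prior tier this decides which backup the monthly copy is taken from. Finally, when `pg_bu_volume_is_s3` is set this pod runs `privileged: true` with `SYS_ADMIN` while holding the `im-s3` credentials in its environment; that pattern is inherited from the other tiers, but a scheduled privileged pod is the most attractive target in the namespace, so the rclone path this commit introduces (no fuse mount, no privilege) is worth preferring wherever the storage allows it.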
--- a/roles/infrastructure/templates/secret-awx.yaml.j2 +++ /dev/null @@ -1,12 +0,0 @@ ---- -kind: Secret -apiVersion: v1 -metadata: - name: im-awx - namespace: {{ infra_namespace }} -stringData: - database_user: {{ ax_user_fact }} - database_user_password: {{ ax_user_password_fact }} - database_name: {{ ax_database_fact }} - ax_admin: {{ ax_admin_fact }} - ax_admin_password: {{ ax_admin_password_fact }} diff --git a/roles/infrastructure/vars/main.yaml b/roles/infrastructure/vars/main.yaml index 33fef54..7764abd 100644 --- a/roles/infrastructure/vars/main.yaml +++ b/roles/infrastructure/vars/main.yaml @@ -42,27 +42,6 @@ pg_cpu_limit: 1000m pg_mem_request: 1Gi pg_mem_limit: 1Gi -# Backup ---------------------------------------------------------------------- - -# Backups run as a CronJob. -# Set the schedule (and the number of hourly backups to keep) here. -pg_bu_hourly_schedule: '7 3 * * *' -pg_bu_hourly_history: 24 -# The backup container image tag. -pg_bu_image_tag: '15.0' -# The registry -pg_bu_image_registry: docker.io - -# Daily and weekly schedules -# (only of use if the corresponding history is set) -pg_bu_daily_schedule: '7 2 * * *' -pg_bu_weekly_schedule: '7 1 * * 0' -# ...and daily history (0 implies no backup) -pg_bu_daily_history: 0 -# ...and weekly history (0 implies no backup) -# If you use weekly you must also use daily. -pg_bu_weekly_history: 0 - # Keycloak -------------------------------------------------------------------- # The Keycloak image version and image registry diff --git a/roles/infrastructure/vars/sensitive-scw-im-main.vault b/roles/infrastructure/vars/sensitive-scw-im-main.vault new file mode 100644 index 0000000..6b7b420 --- /dev/null +++ b/roles/infrastructure/vars/sensitive-scw-im-main.vault 
@@ -0,0 +1,20 @@ +$ANSIBLE_VAULT;1.1;AES256 +39666539613331356362323032306432393662326530646634656362643565613663313038303136 +6133363565613439356331363936306463386236396265370a396134373361656264613032303938 +35376331633132636532363935633333626632346665616434393934363164376463623538633235 +3438313434333130610a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