diff --git a/restic-exporter/.gitignore b/restic-exporter/.gitignore
new file mode 100644
index 0000000..040b854
--- /dev/null
+++ b/restic-exporter/.gitignore
@@ -0,0 +1,2 @@
+password
+restic-s3
diff --git a/restic-exporter/kustomization.yaml b/restic-exporter/kustomization.yaml
new file mode 100644
index 0000000..9fd819f
--- /dev/null
+++ b/restic-exporter/kustomization.yaml
@@ -0,0 +1,36 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: restic-exporter
+
+labels:
+- pairs:
+ app.kubernetes.io/instance: restic-exporter
+
+resources:
+- namespace.yaml
+- network-policy.yaml
+- restic-exporter.yaml
+- secrets.yaml
+
+configMapGenerator:
+- name: restic-exporter
+ envs:
+ - restic-exporter.env
+
+patches:
+- patch: |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: restic-exporter
+ spec:
+ template:
+ spec:
+ containers:
+ - name: restic-exporter
+ envFrom:
+ - secretRef:
+ name: restic-s3
+ - configMapRef:
+ name: restic-exporter
diff --git a/restic-exporter/namespace.yaml b/restic-exporter/namespace.yaml
new file mode 100644
index 0000000..7465d19
--- /dev/null
+++ b/restic-exporter/namespace.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: restic-exporter
+ labels:
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
diff --git a/restic-exporter/network-policy.yaml b/restic-exporter/network-policy.yaml
new file mode 100644
index 0000000..bc978a0
--- /dev/null
+++ b/restic-exporter/network-policy.yaml
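Review bot: The inline patch in kustomization.yaml sets `envFrom` on a Deployment that already declares its own `envFrom` in restic-exporter.yaml, and as far as I know `envFrom` has no strategic-merge key, so the patch replaces the base list rather than appending to it. That appears to be why the `configMapRef` is repeated here, and it also means the base's `optional: true` is dropped from the rendered manifest. A comment above the patch would stop a later editor from deleting the apparently redundant entry, for example `# envFrom is replaced wholesale by this patch; keep the configMapRef here or the generated ConfigMap is no longer loaded`. Since both sources feed the same environment, it is also worth noting there that a key defined in both the Secret and the ConfigMap takes its value from the later entry.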
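Review bot: namespace.yaml sets no Pod Security Admission labels, so unless the cluster configures a default elsewhere, nothing at the namespace level holds future workloads here to the non-root posture the Deployment declares. Consider adding `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` under `labels`. The warn level will list what the Deployment still lacks for `restricted` without blocking it.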
@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: restic-exporter
+ labels:
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/component: restic-exporter
+spec:
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ - to:
+ - ipBlock:
+ cidr: 172.30.0.30/32
+ ports:
+ - port: 9000
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: victoria-metrics
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: vmagent
+ ports:
+ - port: metrics
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: restic-exporter
diff --git a/restic-exporter/restic-exporter.env b/restic-exporter/restic-exporter.env
new file mode 100644
index 0000000..61e18a2
--- /dev/null
+++ b/restic-exporter/restic-exporter.env
@@ -0,0 +1,4 @@
+TZ=America/Chicago
+RESTIC_REPOSITORY=s3:https://burp.pyrocufflink.blue:9000/restic
+INCLUDE_PATHS=True
+REFRESH_INTERVAL=3600
diff --git a/restic-exporter/restic-exporter.yaml b/restic-exporter/restic-exporter.yaml
new file mode 100644
index 0000000..068d0ca
--- /dev/null
+++ b/restic-exporter/restic-exporter.yaml
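Review bot: The NetworkPolicy in network-policy.yaml omits `policyTypes`, so whether egress is restricted at all depends on the `egress` list being present. Stating `policyTypes: [Ingress, Egress]` under `spec` keeps the policy default-deny in both directions even if a later edit removes the egress rules. The `ipBlock` of `172.30.0.30/32` on port 9000 is presumably the address behind the host named in RESTIC_REPOSITORY in restic-exporter.env, but nothing ties the two together, so a DNS change would make the exporter fail with no hint in this file. A comment above the `cidr` line such as `# S3 endpoint from RESTIC_REPOSITORY; update together` would document that coupling.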
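Review bot: `INCLUDE_PATHS=True` in restic-exporter.env presumably makes the exporter attach each snapshot's backed-up paths to the metrics it serves; the exporter's code is not part of this diff, so confirm that. If so, directory names from the backed-up hosts become visible to anything that can query the metrics store, not only to the vmagent the NetworkPolicy admits, and they add label cardinality. A comment on its own line above the setting, such as `# exposes backup paths as metric labels; set to False if paths are sensitive`, would record that this was a deliberate choice.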
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: restic-exporter
+ labels:
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/component: restic-exporter
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
+ spec:
+ containers:
+ - name: restic-exporter
+ image: git.pyrocufflink.net/containerimages/restic-exporter
+ ports:
+ - containerPort: 8001
+ name: metrics
+ envFrom:
+ - configMapRef:
+ name: restic-exporter
+ optional: true
+ env:
+ - name: RESTIC_PASSWORD_FILE
+ value: /run/secrets/restic/password
+ - name: XDG_CACHE_HOME
+ value: /var/cache
+ securityContext:
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /run/secrets/restic
+ name: secrets
+ - mountPath: /tmp
+ name: tmp
+ subPath: tmp
+ - mountPath: /var/cache
+ name: tmp
+ subPath: cache
+ securityContext:
+ fsGroup: 8001
+ runAsGroup: 8001
+ runAsNonRoot: true
+ runAsUser: 8001
+ volumes:
+ - name: secrets
+ secret:
+ secretName: restic-exporter
+ - name: tmp
+ emptyDir: {}
diff --git a/restic-exporter/secrets.yaml b/restic-exporter/secrets.yaml
new file mode 100644
index 0000000..a0d1ca5
--- /dev/null
+++ b/restic-exporter/secrets.yaml
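Review bot: The `image` in restic-exporter.yaml carries neither a tag nor a digest, so each pod start resolves to whatever the registry currently serves as the default tag, and the process that holds the restic password and the S3 keys can change without any commit here. Pinning by digest makes the running code reviewable and rollbacks exact. The container `securityContext` sets only `readOnlyRootFilesystem`; adding `allowPrivilegeEscalation: false`, dropping all capabilities and selecting the `RuntimeDefault` seccomp profile should cost nothing, assuming the exporter needs no extra privileges. The fence shows both changes with the digest left as a placeholder.

```yaml
      - name: restic-exporter
        # <digest> is a placeholder: use the digest of the image build you have verified
        image: git.pyrocufflink.net/containerimages/restic-exporter@sha256:<digest>
        # … unchanged: ports, envFrom, env …
        securityContext:
          # … unchanged: readOnlyRootFilesystem …
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: volumeMounts, pod-level securityContext, volumes …
```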
@@ -0,0 +1,43 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: restic-exporter
+ namespace: restic-exporter
+ labels:
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
+spec:
+ encryptedData:
+ password: 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
+ template:
+ metadata:
+ name: restic-exporter
+ namespace: restic-exporter
+ labels:
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: restic-s3
+ namespace: restic-exporter
+ labels:
+ app.kubernetes.io/name: restic-s3
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
+spec:
+ encryptedData:
+ AWS_ACCESS_KEY_ID: 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
+ AWS_SECRET_ACCESS_KEY: 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
+ template:
+ metadata:
+ name: restic-s3
+ namespace: restic-exporter
+ labels:
+ app.kubernetes.io/name: restic-s3
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
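Review bot: secrets.yaml gives no hint of how the two SealedSecrets were produced or what they are bound to. Neither carries a scope annotation, so they are presumably sealed with the default strict scope, which ties each ciphertext to its `name` and `namespace`. A header comment would help, along the lines of `# sealed from the git-ignored files "password" and "restic-s3" (presumably); re-seal if name or namespace changes`. It would also be worth recording there what the `restic-s3` key pair is permitted to do, since a metrics exporter should not need more than access to the one repository bucket.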