From 507959942359467a6a5d276f348efbebadb9d5ef Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 22 Jun 2024 19:58:23 -0500
Subject: [PATCH] restic-exporter: Deploy Restic Prometheus exporter
The [restic-exporter][0] exposes metrics about Restic snapshots as Prometheus metrics. This allows us to get similar data as we have for BURP backups. Chiefly important among the metrics are last backup time and size, which we can use to determine if backups are working correctly. [0]: https://github.com/ngosang/restic-exporter
---
restic-exporter/.gitignore | 2 +
restic-exporter/kustomization.yaml | 36 ++++++++++++++++++
restic-exporter/namespace.yaml | 8 ++++
restic-exporter/network-policy.yaml | 39 +++++++++++++++++++
restic-exporter/restic-exporter.env | 4 ++
restic-exporter/restic-exporter.yaml | 57 ++++++++++++++++++++++++++++
restic-exporter/secrets.yaml | 43 +++++++++++++++++++++
7 files changed, 189 insertions(+)
create mode 100644 restic-exporter/.gitignore
create mode 100644 restic-exporter/kustomization.yaml
create mode 100644 restic-exporter/namespace.yaml
create mode 100644 restic-exporter/network-policy.yaml
create mode 100644 restic-exporter/restic-exporter.env
create mode 100644 restic-exporter/restic-exporter.yaml
create mode 100644 restic-exporter/secrets.yaml
diff --git a/restic-exporter/.gitignore b/restic-exporter/.gitignore
new file mode 100644
index 0000000..040b854
--- /dev/null
+++ b/restic-exporter/.gitignore
@@ -0,0 +1,2 @@
+password
+restic-s3
diff --git a/restic-exporter/kustomization.yaml b/restic-exporter/kustomization.yaml
new file mode 100644
index 0000000..9fd819f
--- /dev/null
+++ b/restic-exporter/kustomization.yaml
@@ -0,0 +1,36 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: restic-exporter
+
+labels:
+- pairs:
+ app.kubernetes.io/instance: restic-exporter
+
+resources:
+- namespace.yaml
+- network-policy.yaml
+- restic-exporter.yaml
+- secrets.yaml
+
+configMapGenerator:
+- name: restic-exporter
+ envs:
+ - restic-exporter.env
+
+patches:
+- patch: |-
+ apiVersion: apps/v1
+ kind: Deployment
+ metadata:
+ name: restic-exporter
+ spec:
+ template:
+ spec:
+ containers:
+ - name: restic-exporter
+ envFrom:
+ - secretRef:
+ name: restic-s3
+ - configMapRef:
+ name: restic-exporter
diff --git a/restic-exporter/namespace.yaml b/restic-exporter/namespace.yaml
new file mode 100644
index 0000000..7465d19
--- /dev/null
+++ b/restic-exporter/namespace.yaml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: restic-exporter
+ labels:
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
diff --git a/restic-exporter/network-policy.yaml b/restic-exporter/network-policy.yaml
new file mode 100644
index 0000000..bc978a0
--- /dev/null
+++ b/restic-exporter/network-policy.yaml
@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: restic-exporter
+ labels:
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/component: restic-exporter
+spec:
+ egress:
+ - to:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: kube-system
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+ - port: 53
+ protocol: TCP
+ - to:
+ - ipBlock:
+ cidr: 172.30.0.30/32
+ ports:
+ - port: 9000
+ ingress:
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: victoria-metrics
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: vmagent
+ ports:
+ - port: metrics
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/component: restic-exporter
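Review bot: The strategic-merge patch at the end of kustomization.yaml has no comment explaining why it repeats the `configMapRef` that the base Deployment already declares. As far as I know `envFrom` has no merge key, so the patch replaces the whole list rather than appending to it, and the rendered Deployment also loses the base's `optional: true`. I would add a comment above `patches:` such as `# envFrom is replaced wholesale by this patch, so the ConfigMap reference is repeated here next to the restic-s3 Secret`.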
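Review bot: The NetworkPolicy in network-policy.yaml omits `policyTypes`, so egress is only restricted for as long as the `egress:` list is present; if a later edit removes that list, the policy applies to ingress alone and all outbound traffic from the pod is allowed again. Declaring it under `spec:` keeps the restriction independent of the rules: `policyTypes:` followed by `- Ingress` and `- Egress`. The `ipBlock` `172.30.0.30/32` on port 9000 is also unexplained; a comment saying it is (presumably) the address behind `burp.pyrocufflink.blue:9000` from restic-exporter.env would tell the next editor that the two must change together.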
diff --git a/restic-exporter/restic-exporter.env b/restic-exporter/restic-exporter.env
new file mode 100644
index 0000000..61e18a2
--- /dev/null
+++ b/restic-exporter/restic-exporter.env
@@ -0,0 +1,4 @@
+TZ=America/Chicago
+RESTIC_REPOSITORY=s3:https://burp.pyrocufflink.blue:9000/restic
+INCLUDE_PATHS=True
+REFRESH_INTERVAL=3600
diff --git a/restic-exporter/restic-exporter.yaml b/restic-exporter/restic-exporter.yaml
new file mode 100644
index 0000000..068d0ca
--- /dev/null
+++ b/restic-exporter/restic-exporter.yaml
@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: restic-exporter
+ labels:
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
+spec:
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/component: restic-exporter
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
+ spec:
+ containers:
+ - name: restic-exporter
+ image: git.pyrocufflink.net/containerimages/restic-exporter
+ ports:
+ - containerPort: 8001
+ name: metrics
+ envFrom:
+ - configMapRef:
+ name: restic-exporter
+ optional: true
+ env:
+ - name: RESTIC_PASSWORD_FILE
+ value: /run/secrets/restic/password
+ - name: XDG_CACHE_HOME
+ value: /var/cache
+ securityContext:
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /run/secrets/restic
+ name: secrets
+ - mountPath: /tmp
+ name: tmp
+ subPath: tmp
+ - mountPath: /var/cache
+ name: tmp
+ subPath: cache
+ securityContext:
+ fsGroup: 8001
+ runAsGroup: 8001
+ runAsNonRoot: true
+ runAsUser: 8001
+ volumes:
+ - name: secrets
+ secret:
+ secretName: restic-exporter
+ - name: tmp
+ emptyDir: {}
diff --git a/restic-exporter/secrets.yaml b/restic-exporter/secrets.yaml
new file mode 100644
index 0000000..a0d1ca5
--- /dev/null
+++ b/restic-exporter/secrets.yaml
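Review bot: The container `securityContext` in restic-exporter.yaml sets only `readOnlyRootFilesystem: true`, although this pod holds the restic repository password and, once the kustomize patch is applied, the S3 key pair. I would also disable privilege escalation, drop all capabilities and select the runtime's default seccomp profile, as in the excerpt below. The `image:` reference carries no tag or digest, so whatever the registry currently serves under the default tag is what runs next to those credentials; pinning by digest makes rollouts reproducible (the digest shown is a placeholder). Nothing visible here uses the Kubernetes API, so `automountServiceAccountToken: false` in the pod spec is worth considering as well.

```yaml
        image: git.pyrocufflink.net/containerimages/restic-exporter@sha256:<DIGEST-PLACEHOLDER>
        # … unchanged: ports, envFrom, env …
        securityContext:
          readOnlyRootFilesystem: true
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
        # … unchanged: volumeMounts, pod securityContext, volumes …
```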
@@ -0,0 +1,43 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: restic-exporter
+ namespace: restic-exporter
+ labels:
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
+spec:
+ encryptedData:
+ password: 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
+ template:
+ metadata:
+ name: restic-exporter
+ namespace: restic-exporter
+ labels:
+ app.kubernetes.io/name: restic-exporter
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
+
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: restic-s3
+ namespace: restic-exporter
+ labels:
+ app.kubernetes.io/name: restic-s3
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
+spec:
+ encryptedData:
+ AWS_ACCESS_KEY_ID: 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
+ AWS_SECRET_ACCESS_KEY: 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
+ template:
+ metadata:
+ name: restic-s3
+ namespace: restic-exporter
+ labels:
+ app.kubernetes.io/name: restic-s3
+ app.kubernetes.io/component: restic-exporter
+ app.kubernetes.io/part-of: restic-exporter
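Review bot: The `restic-s3` SealedSecret in secrets.yaml gives no indication of what the sealed access key is permitted to do on the bucket, and a metrics exporter presumably needs far less than the backup clients do. A comment above that document recording that the key is a dedicated credential limited to the `restic` bucket (to be confirmed by the author), and that it is presumably sealed from the git-ignored `restic-s3` file, would let a later reader judge the exposure without unsealing anything. The same applies to `password` in the first document, which presumably is the repository password and so can decrypt every snapshot.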