feat(volsync): volsync policy
buroa committed Jan 2, 2025
1 parent e817ff5 commit 4756c33
Showing 10 changed files with 197 additions and 27 deletions.
3 changes: 0 additions & 3 deletions .taskfiles/volsync/Taskfile.yaml
Expand Up @@ -99,10 +99,7 @@ tasks:
now: '{{now | date "150405"}}'
ns: '{{.ns | default "default"}}'
job: volsync-src-{{.app}}
controller:
sh: true && {{.VOLSYNC_RESOURCES_DIR}}/which-controller.sh {{.app}} {{.ns}}
preconditions:
- test -f {{.VOLSYNC_RESOURCES_DIR}}/which-controller.sh
- test -f {{.VOLSYNC_RESOURCES_DIR}}/wait-for-job.sh
- kubectl -n {{.ns}} get replicationsources {{.app}}

37 changes: 18 additions & 19 deletions kubernetes/apps/kyverno/kyverno/app/helmrelease.yaml
Expand Up @@ -31,31 +31,30 @@ spec:
rbac:
clusterRole:
extraResources:
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- update
- delete
- apiGroups: [""]
resources: ["pods"]
verbs: ["create", "update", "delete"]
- apiGroups: ["external-secrets.io"]
resources: ["externalsecrets"]
verbs: ["create", "update", "patch", "delete", "get", "list"]
- apiGroups: ["volsync.backube"]
resources: ["replicationsources", "replicationdestinations"]
verbs: ["create", "update", "patch", "delete", "get", "list"]
serviceMonitor:
enabled: true
backgroundController:
rbac:
clusterRole:
extraResources:
- apiGroups:
- ""
resources:
- pods
verbs:
- create
- update
- patch
- delete
- get
- list
- apiGroups: [""]
resources: ["pods"]
verbs: ["create", "update", "patch", "delete", "get", "list"]
- apiGroups: ["external-secrets.io"]
resources: ["externalsecrets"]
verbs: ["create", "update", "patch", "delete", "get", "list"]
- apiGroups: ["volsync.backube"]
resources: ["replicationsources", "replicationdestinations"]
verbs: ["create", "update", "patch", "delete", "get", "list"]
resources:
requests:
cpu: 100m
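Review bot: Both `extraResources` blocks receive the same write verbs on externalsecrets, replicationsources and replicationdestinations, which is broader than least privilege requires: in Kyverno's split-controller model the generate rules (including generateExisting and synchronize reconciliation) are executed by the background controller, so the first block — its owning controller key is above the hunk, presumably `admissionController` — should at most need read access on those resources; consider trimming it to `verbs: ["get", "list"]` and keeping the full create/update/patch/delete set on `backgroundController` only. The pods grant on the first block still lacks `patch`, `get` and `list` that the background block has, so the two sets were not meant to be identical anyway. The flow-style lists are fine for these short leaf values and read more compactly than the block form they replace.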
10 changes: 5 additions & 5 deletions kubernetes/apps/kyverno/kyverno/policies/gatus.yaml
Expand Up @@ -13,7 +13,6 @@ metadata:
all Ingresses with the ingressClassName set to external.
pod-policies.kyverno.io/autogen-controllers: none
spec:
generateExisting: true
rules:
- name: *name
match:
Expand All @@ -36,21 +35,22 @@ spec:
context:
- name: GATUS_HOST
variable:
value: '{{ request.object.metadata.annotations."gatus.io/host" || request.object.spec.rules[0].host }}'
value: "{{ request.object.metadata.annotations.\"gatus.io/host\" || request.object.spec.rules[0].host }}"
jmesPath: "to_string(@)"
- name: GATUS_NAME
variable:
value: '{{ request.object.metadata.annotations."gatus.io/name" || request.object.metadata.name }}'
value: "{{ request.object.metadata.annotations.\"gatus.io/name\" || request.object.metadata.name }}"
jmesPath: "to_string(@)"
- name: GATUS_PATH
variable:
value: '{{ request.object.metadata.annotations."gatus.io/path" || request.object.spec.rules[0].http.paths[0].path }}'
value: "{{ request.object.metadata.annotations.\"gatus.io/path\" || request.object.spec.rules[0].http.paths[0].path }}"
jmesPath: "to_string(@)"
- name: GATUS_STATUS_CODE
variable:
value: '{{ request.object.metadata.annotations."gatus.io/status-code" || `200` }}'
value: "{{ request.object.metadata.annotations.\"gatus.io/status-code\" || '200' }}"
jmesPath: "to_string(@)"
generate:
generateExisting: true
apiVersion: v1
kind: ConfigMap
name: "{{ request.object.metadata.name }}-gatus-ep"
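Review bot: The quoting change on the four `value:` lines trades the single-quoted form, where the JMESPath keys `"gatus.io/host"` etc. needed no escaping, for double quotes with `\"` escapes, which is harder to read and to grep; `value: '{{ request.object.metadata.annotations."gatus.io/host" || request.object.spec.rules[0].host }}'` is the clearer spelling, and the same applies to the other three variables. Replacing the JSON literal `` `200` `` with the raw string `'200'` yields the same result because `to_string(@)` is applied afterwards, though it changes the intermediate value from a number to a string. Moving `generateExisting` from the policy `spec` under the rule's `generate` block uses the per-rule field Kyverno provides; the enclosing rule starts above the hunk.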
Expand Up @@ -5,3 +5,4 @@ resources:
- ./gatus.yaml
- ./limits.yaml
- ./ndots.yaml
- ./volsync.yaml
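--- a/kubernetes/apps/kyverno/kyverno/policies/volsync.yaml
+++ b/kubernetes/apps/kyverno/kyverno/policies/volsync.yaml
@@ -0,0 +1,130 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+name: volsync
+annotations:
+policies.kyverno.io/title: Volume Synchronization
+policies.kyverno.io/category: Storage
+policies.kyverno.io/severity: low
+policies.kyverno.io/subject: Pod
+policies.kyverno.io/description: >-
+This policy will automatically synchronize volumes for all Pods with
+the volumeSynchronization set to true.
+pod-policies.kyverno.io/autogen-controllers: none
+spec:
+useServerSideApply: true
+rules:
+- name: volsync-mutate-pvc
+match: &match
+resources:
+kinds:
+- PersistentVolumeClaim
+annotations:
+volsync.io/enabled: "true"
+mutate:
+patchStrategicMerge:
+spec:
+dataSourceRef:
+kind: ReplicationDestination
+apiGroup: volsync.backube
+name: "{{ request.object.metadata.name }}"
+- name: volsync-external-secret
+match: *match
+generate:
+generateExisting: true
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+name: "{{ request.object.metadata.name }}-restic"
+namespace: "{{ request.object.metadata.namespace }}"
+synchronize: true
+data:
+spec:
+secretStoreRef:
+kind: ClusterSecretStore
+name: onepassword-connect
+target:
+name: "{{ request.object.metadata.name }}-restic-secret"
+creationPolicy: Owner
+template:
+engineVersion: v2
+data:
+RESTIC_REPOSITORY: "\\{{ .REPOSITORY_TEMPLATE }}/{{ request.object.metadata.name }}"
+RESTIC_PASSWORD: "\\{{ .RESTIC_PASSWORD }}"
+AWS_ACCESS_KEY_ID: "\\{{ .AWS_ACCESS_KEY_ID }}"
+AWS_SECRET_ACCESS_KEY: "\\{{ .AWS_SECRET_ACCESS_KEY }}"
+dataFrom:
+- extract:
+key: volsync-restic-template
+- name: volsync-replication-destination
+match: *match
+context: &context
+- name: VOLSYNC_USER
+variable:
+value: "{{ request.object.metadata.annotations.\"volsync.io/user\" || '568' }}"
+jmesPath: "to_number(@)"
+- name: VOLSYNC_GROUP
+variable:
+value: "{{ request.object.metadata.annotations.\"volsync.io/group\" || '568' }}"
+jmesPath: "to_number(@)"
+- name: VOLSYNC_CACHE
+variable:
+value: "{{ request.object.metadata.annotations.\"volsync.io/cache\" || '8Gi' }}"
+jmesPath: "to_string(@)"
+generate:
+generateExisting: true
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationDestination
+name: "{{ request.object.metadata.name }}"
+namespace: "{{ request.object.metadata.namespace }}"
+synchronize: true
+data:
+spec:
+trigger:
+manual: restore-once
+restic:
+repository: "{{ request.object.metadata.name }}-restic-secret"
+copyMethod: Snapshot
+accessModes: "{{ request.object.spec.accessModes }}"
+storageClassName: "{{ request.object.spec.storageClassName }}"
+volumeSnapshotClassName: "csi-{{ request.object.spec.storageClassName }}"
+cacheAccessModes: ["ReadWriteOnce"]
+cacheCapacity: "{{ VOLSYNC_CACHE }}"
+cacheStorageClassName: openebs-hostpath
+moverSecurityContext:
+runAsUser: "{{ VOLSYNC_USER }}"
+runAsGroup: "{{ VOLSYNC_GROUP }}"
+fsGroup: "{{ VOLSYNC_GROUP }}"
+capacity: "{{ request.object.spec.resources.requests.storage }}"
+- name: volsync-replication-source
+match: *match
+context: *context
+generate:
+generateExisting: true
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+name: "{{ request.object.metadata.name }}"
+namespace: "{{ request.object.metadata.namespace }}"
+synchronize: true
+data:
+spec:
+sourcePVC: "{{ request.object.metadata.name }}"
+trigger:
+schedule: "0 * * * *"
+restic:
+pruneIntervalDays: 14
+repository: "{{ request.object.metadata.name }}-restic-secret"
+copyMethod: Snapshot
+accessModes: "{{ request.object.spec.accessModes }}"
+storageClassName: "{{ request.object.spec.storageClassName }}"
+volumeSnapshotClassName: "csi-{{ request.object.spec.storageClassName }}"
+cacheAccessModes: ["ReadWriteOnce"]
+cacheCapacity: "{{ VOLSYNC_CACHE }}"
+cacheStorageClassName: openebs-hostpath
+moverSecurityContext:
+runAsUser: "{{ VOLSYNC_USER }}"
+runAsGroup: "{{ VOLSYNC_GROUP }}"
+fsGroup: "{{ VOLSYNC_GROUP }}"
+retain:
+hourly: 24
+daily: 7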
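Review bot: The shared `match: &match` block in `volsync-mutate-pvc` carries no namespace constraint, so a PersistentVolumeClaim annotated `volsync.io/enabled: "true"` in any namespace makes the `volsync-external-secret` rule materialize the shared restic credentials (RESTIC_PASSWORD, AWS_ACCESS_KEY_ID, AWS_SECRET_ACCESS_KEY pulled from `volsync-restic-template`) as a Secret in that namespace, and the `volsync.io/user`/`volsync.io/group` annotations let the same PVC author pick the mover's runAsUser/runAsGroup; if not every namespace is trusted with that repository, restrict the match with a `namespaceSelector`/`namespaces` list or an `exclude`, or gate the `onepassword-connect` ClusterSecretStore with namespace conditions. The generated ReplicationDestination and ReplicationSource also assume `spec.storageClassName` is set on the PVC (used three times per rule); a PVC relying on the cluster default would presumably leave the variable unresolved and the rule skipped, so either document that requirement or supply a fallback. Separately, the policy metadata is stale: `policies.kyverno.io/subject: Pod` and the description "all Pods with the volumeSynchronization set to true" do not describe rules that select PersistentVolumeClaims by annotation — change the subject to `PersistentVolumeClaim` and describe the `volsync.io/enabled` annotation as the trigger.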
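--- a/kubernetes/apps/media/jellyseerr/app/kustomization.yaml
+++ b/kubernetes/apps/media/jellyseerr/app/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+- ./pvc.yaml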
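--- a/kubernetes/apps/media/jellyseerr/app/pvc.yaml
+++ b/kubernetes/apps/media/jellyseerr/app/pvc.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+name: jellyseerr
+annotations:
+volsync.io/enabled: "true"
+spec:
+accessModes: ["ReadWriteOnce"]
+resources:
+requests:
+storage: 15Gi
+storageClassName: ceph-block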
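--- a/kubernetes/apps/media/jellyseerr/ks.yaml
+++ b/kubernetes/apps/media/jellyseerr/ks.yaml
@@ -0,0 +1,23 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+name: &app jellyseerr
+namespace: flux-system
+spec:
+targetNamespace: media
+commonMetadata:
+labels:
+app.kubernetes.io/name: *app
+dependsOn:
+- name: rook-ceph-cluster
+- name: volsync
+path: ./kubernetes/apps/media/jellyseerr/app
+prune: true
+sourceRef:
+kind: GitRepository
+name: k8s-gitops
+wait: true
+interval: 30m
+retryInterval: 1m
+timeout: 5m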
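Review bot: With `wait: true` and `timeout: 5m`, this Kustomization only becomes Ready once the jellyseerr PVC binds, and that PVC is mutated by the volsync policy to carry a `dataSourceRef` to a ReplicationDestination whose `restore-once` trigger must first complete; on a cluster whose restic repository holds no snapshot for jellyseerr yet, the restore presumably cannot finish and the Kustomization will time out rather than succeed, so the intended first-deploy path is worth confirming and recording, e.g. `# first reconcile expects an existing restic backup named jellyseerr`. The app directory holds only the PVC, presumably as a restore/bootstrap step before the workload is added; a one-line comment saying so would help the next reader.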
1 change: 1 addition & 0 deletions kubernetes/apps/media/kustomization.yaml
Expand Up @@ -6,6 +6,7 @@ resources:
- ./autobrr/ks.yaml
- ./bazarr/ks.yaml
- ./cross-seed/ks.yaml
- ./jellyseerr/ks.yaml
- ./overseerr/ks.yaml
- ./plex/ks.yaml
- ./prowlarr/ks.yaml
1 change: 1 addition & 0 deletions kubernetes/apps/volsync-system/volsync/ks.yaml
Expand Up @@ -10,6 +10,7 @@ spec:
labels:
app.kubernetes.io/name: *app
dependsOn:
- name: kyverno-policies
- name: snapshot-controller
path: ./kubernetes/apps/volsync-system/volsync/app
prune: true
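Review bot: Making `volsync` depend on `kyverno-policies` means the new volsync ClusterPolicy is admitted before the volsync.backube CRDs it generates (ReplicationSource, ReplicationDestination) exist on a fresh bootstrap; if Kyverno resolves generate target kinds against discovery at policy admission, the policy would be rejected or report failures until the CRDs appear, so this ordering is worth verifying on a clean cluster. A comment on the added entry, such as `# volsync PVCs must be admitted after the volsync ClusterPolicy exists`, would record why the dependency points this way. The enclosing `spec` continues outside the hunk.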

1 comment on commit 4756c33

@onedr0p

@onedr0p onedr0p commented on 4756c33 Jan 2, 2025


@JJGadgets level Jank 🏆
