test the backup chart
Neha Sharma committed Dec 2, 2024
1 parent 236f53c commit 112f57f
Showing 3 changed files with 194 additions and 51 deletions.
2 changes: 1 addition & 1 deletion charts/devtron-backups/Chart.yaml
Expand Up @@ -2,4 +2,4 @@ apiVersion: v2
appVersion: "1.0"
description: A Helm chart for Devtron Backups
name: devtron-backups
version: 0.1.3
version: 0.1.4
173 changes: 129 additions & 44 deletions charts/devtron-backups/templates/backup-on-aws.yaml
@@ -1,4 +1,22 @@
{{- if .Values.global.AWS.enabled }}
{{- if .Values.global.S3.enabled }}
{{- if or .Values.postgres_backup.enabled .Values.argocd_backup.enabled }}
apiVersion: v1
kind: Secret
metadata:
name: devtron-s3-backup-secret
namespace: devtroncd
type: Opaque
data:
S3_BUCKET_NAME: {{ .Values.global.S3.S3_BUCKET_NAME | b64enc }}
{{- if not (.Values.global.S3.NODE_ROLE | default true) }}
AWS_ACCESS_KEY: {{ .Values.global.S3.S3_ACCESS_KEY | b64enc }}
AWS_SECRET_KEY: {{ .Values.global.S3.S3_SECRET_KEY | b64enc }}
{{- end }}
AWS_CA_BUNDLE: {{ .Values.global.S3.CA_BUNDLE | default "" | b64enc }}
AWS_REGION: {{ .Values.global.S3.AWS_REGION | default "us-east-1" | b64enc }}
{{- end }}
---
{{- if .Values.postgres_backup.enabled }}
{{ if semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: batch/v1
{{ else -}}
Expand All @@ -9,16 +27,16 @@ metadata:
name: postgres-app-backup-cronjob
namespace: devtroncd
spec:
schedule: {{ .Values.global.schedule }}
schedule: "{{ .Values.global.schedule }}"
jobTemplate:
spec:
template:
spec:
initContainers:
- name: postgres-app-backup-cronjob
image: postgres:12
image: {{ .Values.postgres_backup.postgresImage | default "postgres:12" }}
volumeMounts:
- mountPath: /tmp
- mountPath: /postgres
name: psql-volume
env:
- name: PGPASSWORD
Expand All @@ -30,38 +48,89 @@ spec:
args:
- /bin/bash
- -c
- pg_dumpall -h postgresql-postgresql.devtroncd --exclude-database=clairv4 -p 5432 -U postgres --no-privileges > /tmp/backup.tar;
- set -ex; pg_dumpall -h {{ .Values.postgres_backup.host | default "postgresql-postgresql.devtroncd" }} --exclude-database=clairv4 -p 5432 -U postgres --no-privileges > /postgres/backup.tar; echo $? ; du -sh /postgres/backup.tar
resources:
{{ toYaml .Values.postgres_backup.resources | indent 13 }}
containers:
- name: aws-cli-for-s3-download
image: quay.io/devtron/k8s-utils:ubuntu-aws-cli
image: {{ .Values.global.S3.image | default "quay.io/devtron/k8s-utils:ubuntu-aws-cli-multi-arch-1" }}
volumeMounts:
- mountPath: /tmp
- mountPath: /postgres
name: psql-volume
env:
{{- with .Values.global.AWS }}
- name: S3_BUCKET
value: "s3://{{ .S3_BUCKET_NAME }}"
# {{- if not .Values.global.S3.NODE_ROLE }}
- name: AWS_ACCESS_KEY_ID
value: {{ .AWS_ACCESS_KEY }}
valueFrom:
secretKeyRef:
name: devtron-s3-backup-secret
key: AWS_ACCESS_KEY
- name: AWS_SECRET_ACCESS_KEY
value: {{ .AWS_SECRET_KEY }}
valueFrom:
secretKeyRef:
name: devtron-s3-backup-secret
key: AWS_SECRET_KEY
# {{- end }}
- name: S3_BUCKET
valueFrom:
secretKeyRef:
name: devtron-s3-backup-secret
key: S3_BUCKET_NAME
- name: AWS_DEFAULT_REGION
value: {{ .AWS_REGION }}
{{- end }}
valueFrom:
secretKeyRef:
name: devtron-s3-backup-secret
key: AWS_REGION
- name: CA_BUNDLE
valueFrom:
secretKeyRef:
name: devtron-s3-backup-secret
key: AWS_CA_BUNDLE
imagePullPolicy: Always
resources:
{{ toYaml .Values.postgres_backup.resources | indent 13 }}
args:
- /bin/bash
- -c
{{- if $.Values.global.AWS.encryption.enabled }}
- date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.AWS.encryption.passphrase }} /tmp/backup.tar; rm -rvf /tmp/backup.tar; mv /tmp/backup.tar.gpg /tmp/backup-$date1.tar.gpg; aws s3 cp /tmp/backup-$date1.tar.gpg $S3_BUCKET/postgres/;
{{- if .Values.global.S3.S3_ENDPOINT }}
{{- if $.Values.global.S3.encryption.enabled }}
- set -ex; date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.S3.encryption.passphrase }} /postgres/backup.tar; rm -rvf /postgres/backup.tar; mv /postgres/backup.tar.gpg /postgres/backup-$date1.tar.gpg; aws s3 cp /postgres/backup-$date1.tar.gpg s3://$S3_BUCKET/postgres/ --endpoint-url {{ .Values.global.S3.S3_ENDPOINT }};
{{- else}}
- set -ex; date1=$(date +%Y%m%d-%H%M); mv /postgres/backup.tar /postgres/backup-$date1.tar; aws s3 cp /postgres/backup-$date1.tar s3://$S3_BUCKET/postgres/ --endpoint-url {{ .Values.global.S3.S3_ENDPOINT }};
{{- end }}
{{- else}}
{{- if $.Values.global.S3.encryption.enabled }}
- set -ex; date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.S3.encryption.passphrase }} /postgres/backup.tar; rm -rvf /postgres/backup.tar; mv /postgres/backup.tar.gpg /postgres/backup-$date1.tar.gpg; aws s3 cp /postgres/backup-$date1.tar.gpg s3://$S3_BUCKET/postgres/;
{{- else}}
- set -ex; date1=$(date +%Y%m%d-%H%M); mv /postgres/backup.tar /postgres/backup-$date1.tar; aws s3 cp /postgres/backup-$date1.tar s3://$S3_BUCKET/postgres/;
{{- end }}
{{- end }}
# if ca_bundle is having some value
{{- if .Values.global.S3.CA_BUNDLE }}
{{- if .Values.global.S3.S3_ENDPOINT }}
{{- if $.Values.global.S3.encryption.enabled }}
path=$(pwd)
echo $CA_BUNDLE > $path/cert/cabundle.pem
export AWS_CA_BUNDLE=$path/cert/cabundle.pem
echo
- set -ex; date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.S3.encryption.passphrase }} /postgres/backup.tar; rm -rvf /postgres/backup.tar; mv /postgres/backup.tar.gpg /postgres/backup-$date1.tar.gpg; aws s3 cp /postgres/backup-$date1.tar.gpg s3://$S3_BUCKET/postgres/ --endpoint-url {{ .Values.global.S3.S3_ENDPOINT }} --ca-bundle ;
{{- else}}
- set -ex; date1=$(date +%Y%m%d-%H%M); mv /postgres/backup.tar /postgres/backup-$date1.tar; aws s3 cp /postgres/backup-$date1.tar s3://$S3_BUCKET/postgres/ --endpoint-url {{ .Values.global.S3.S3_ENDPOINT }} --ca-bundle $AWS_CA_BUNDLE;
{{- end }}
{{- else}}
- date1=$(date +%Y%m%d-%H%M); mv /tmp/backup.tar /tmp/backup-$date1.tar; aws s3 cp /tmp/backup-$date1.tar $S3_BUCKET/postgres/;
{{- if $.Values.global.S3.encryption.enabled }}
- set -ex; date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.S3.encryption.passphrase }} /postgres/backup.tar; rm -rvf /postgres/backup.tar; mv /postgres/backup.tar.gpg /postgres/backup-$date1.tar.gpg; aws s3 cp /postgres/backup-$date1.tar.gpg s3://$S3_BUCKET/postgres/;
{{- else}}
- set -ex; date1=$(date +%Y%m%d-%H%M); mv /postgres/backup.tar /postgres/backup-$date1.tar; aws s3 cp /postgres/backup-$date1.tar s3://$S3_BUCKET/postgres/;
{{- end }}
{{- end }}
{{- end }}
volumes:
- name: psql-volume
emptyDir: {}
restartPolicy: OnFailure
{{- end }}
---
{{- if .Values.argocd_backup.enabled }}
{{ if semverCompare ">=1.21-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: batch/v1
{{ else -}}
Expand All @@ -72,62 +141,78 @@ metadata:
name: argocd-app-backup-cronjob
namespace: devtroncd
spec:
schedule: {{ .Values.global.schedule }}
schedule: "{{ .Values.global.schedule }}"
jobTemplate:
spec:
template:
spec:
initContainers:
- name: argocd-app-backup-job
{{- if eq .Values.argocdversion "v2"}}
image: quay.io/argoproj/argocd:v2.4.0
{{- end }}
{{- if eq .Values.argocdversion "v1"}}
image: argoproj/argocd:v1.8.1
{{- end }}
image: {{ .Values.argocd_backup.argocdImage | default "quay.io/argoproj/argocd:v2.4.0" }}
volumeMounts:
- mountPath: /cache
- mountPath: /argocd
name: argocd-volume
env:
imagePullPolicy: Always
args:
- /bin/bash
- -c
{{- if eq .Values.argocdversion "v2"}}
- argocd admin export -n devtroncd > /cache/backup.yaml
{{- end }}
{{- if eq .Values.argocdversion "v1"}}
- argocd-util export --namespace devtroncd > /cache/backup.yaml;
{{- end }}
- {{ .Values.argocd_backup.args | default "argocd admin export -n devtroncd > /argocd/backup.yaml" }}
resources:
{{ toYaml .Values.argocd_backup.resources | indent 13 }}
containers:
- name: aws-cli-for-s3-upload
image: quay.io/devtron/k8s-utils:ubuntu-aws-cli
image: {{ .Values.global.S3.image | default "quay.io/devtron/k8s-utils:ubuntu-aws-cli-multi-arch-1" }}
volumeMounts:
- mountPath: /cache
- mountPath: /argocd
name: argocd-volume
env:
{{- with .Values.global.AWS }}
- name: S3_BUCKET
value: "s3://{{ .S3_BUCKET_NAME }}"
{{- if not .Values.global.S3.NODE_ROLE }}
- name: AWS_ACCESS_KEY_ID
value: {{ .AWS_ACCESS_KEY }}
valueFrom:
secretKeyRef:
name: devtron-s3-backup-secret
key: AWS_ACCESS_KEY
- name: AWS_SECRET_ACCESS_KEY
value: {{ .AWS_SECRET_KEY }}
- name: AWS_DEFAULT_REGION
value: {{ .AWS_REGION }}
valueFrom:
secretKeyRef:
name: devtron-s3-backup-secret
key: AWS_SECRET_KEY
{{- end }}
- name: S3_BUCKET
valueFrom:
secretKeyRef:
name: devtron-s3-backup-secret
key: S3_BUCKET_NAME
- name: AWS_DEFAULT_REGION
valueFrom:
secretKeyRef:
name: devtron-s3-backup-secret
key: AWS_REGION
imagePullPolicy: Always
resources:
{{ toYaml .Values.argocd_backup.resources | indent 13 }}
args:
- /bin/bash
- -c
{{- if $.Values.global.AWS.encryption.enabled }}
- date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.AWS.encryption.passphrase }} /cache/backup.yaml; rm -rvf /cache/backup.yaml; mv /cache/backup.yaml.gpg /cache/backup-$date1.yaml.gpg; aws s3 cp /cache/backup-$date1.yaml.gpg $S3_BUCKET/argocd/;
{{- if .Values.global.S3.S3_ENDPOINT }}
{{- if $.Values.global.S3.encryption.enabled }}
- set -ex; date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.S3.encryption.passphrase }} /argocd/backup.yaml; rm -rvf /argocd/backup.yaml; mv /argocd/backup.yaml.gpg /argocd/backup-$date1.yaml.gpg; aws s3 cp /argocd/backup-$date1.yaml.gpg s3://$S3_BUCKET/argocd/ --endpoint-url {{ .Values.global.S3.S3_ENDPOINT }};
{{- else}}
- set -ex; date1=$(date +%Y%m%d-%H%M); mv /argocd/backup.yaml /argocd/backup-$date1.yaml; aws s3 cp /argocd/backup-$date1.yaml s3://$S3_BUCKET/argocd/ --endpoint-url {{ .Values.global.S3.S3_ENDPOINT }} --ca-bundle $path/$CA_BUNDLE;
{{- end }}
{{- else}}
{{- if $.Values.global.S3.encryption.enabled }}
- set -ex; date1=$(date +%Y%m%d-%H%M); gpg -c --batch --passphrase {{ .Values.global.S3.encryption.passphrase }} /argocd/backup.yaml; rm -rvf /argocd/backup.yaml; mv /argocd/backup.yaml.gpg /argocd/backup-$date1.yaml.gpg; aws s3 cp /argocd/backup-$date1.yaml.gpg s3://$S3_BUCKET/argocd/;
{{- else}}
- date1=$(date +%Y%m%d-%H%M); mv /cache/backup.yaml /cache/backup-$date1.yaml; aws s3 cp /cache/backup-$date1.yaml $S3_BUCKET/argocd/;
- set -ex; date1=$(date +%Y%m%d-%H%M); mv /argocd/backup.yaml /argocd/backup-$date1.yaml; aws s3 cp /argocd/backup-$date1.yaml s3://$S3_BUCKET/argocd/ --ca-bundle $path/$CA_BUNDLE;
{{- end }}
{{- end}}

volumes:
- name: argocd-volume
emptyDir: {}
restartPolicy: OnFailure
serviceAccountName: {{ .Values.argocd_backup.serviceAccountName }}
{{- end }}
{{- end }}
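Review bot: The GPG passphrase is still rendered straight into the shell command line in every encrypted branch of both upload containers (`gpg -c --batch --passphrase {{ .Values.global.S3.encryption.passphrase }}`), even though the S3 keys are now read from `devtron-s3-backup-secret`. That leaves the passphrase readable in the CronJob spec and in the process arguments, and the `set -ex` on these lines would also echo it into the pod log through the xtrace output; because the value is unquoted, a passphrase containing spaces or shell metacharacters also changes the command that runs. I would add the passphrase as another key in the Secret, mount it as a file and read it with `gpg -c --batch --passphrase-file <mounted-passphrase-path> /postgres/backup.tar`, and use `set -e` without `-x` in the upload scripts. The same applies to the `/argocd/backup.yaml` commands in the second CronJob.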

70 changes: 64 additions & 6 deletions charts/devtron-backups/values.yaml
Expand Up @@ -2,29 +2,87 @@ global:
# Twice a day
schedule: "0 */12 * * *"
# devtron-backups
AWS:
S3:
# give the endpoint in case of non AWS storages with s3 protocol
enabled: true
S3_BUCKET_NAME: ""
AWS_ACCESS_KEY: ""
AWS_SECRET_KEY: ""
S3_ACCESS_KEY: ""
S3_SECRET_KEY: ""
AWS_REGION: ""
encryption:
S3_ENDPOINT: ""
CA_BUNDLE: ""
# set true if node has access of buckets
# By default, the node has access to buckets. Set to false if the node should not have access.
NODE_ROLE: ""
# passphrase used to encrypt/decrypt the file (encryption is done by gpg)
encryption:
enabled: false
passphrase: ""
# image: quay.io/devtron/k8s-utils:ubuntu-aws-cli #default amd
# image: quay.io/devtron/k8s-utils:0b9f5ba5-395-11405 #arm
AZURE:
enabled: false
AZURE_BLOB_ACCOUNT_NAME: ""
AZURE_ACCOUNT_KEY: ""
AZURE_BLOB_CONTAINER_FOR_POSTGRES: ""
AZURE_BLOB_CONTAINER_FOR_ARGOCD: ""
encryption:
enabled: false # Recommended
passphrase: # Required if encryption is enabled

# image: quay.io/devtron/k8s-utils:az-cli-ubuntu #amd
GCP:
enabled: false
GCS_BUCKET_NAME: "" # Required if GCP is enabled
CREDENTIALS: # Optional. Use only if in case node doesn't have permission to push over GCS.
enabled: false
# Only base64 Encoded JSON CREDENTIALS allowed. Example shown below.
# GCP_CREDENTIALS_JSON: "eyJ0eXBlIjogInNlcnZpY2VfYWNjb3VudCIsInByb2plY3RfaWQiOiAiPHlvdXItcHJvamVjdC1pZD4iLCJwcml2YXRlX2tleV9pZCI6ICI8eW91ci1wcml2YXRlLWtleS1pZD4iLCJwcml2YXRlX2tleSI6ICI8eW91ci1wcml2YXRlLWtleT4iLCJjbGllbnRfZW1haWwiOiAiPHlvdXItY2xpZW50LWVtYWlsPiIsImNsaWVudF9pZCI6ICI8eW91ci1jbGllbnQtaWQ+IiwiYXV0aF91cmkiOiAiaHR0cHM6Ly9hY2NvdW50cy5nb29nbGUuY29tL28vb2F1dGgyL2F1dGgiLCJ0b2tlbl91cmkiOiAiaHR0cHM6Ly9vYXV0aDIuZ29vZ2xlYXBpcy5jb20vdG9rZW4iLCJhdXRoX3Byb3ZpZGVyX3g1MDlfY2VydF91cmwiOiAiaHR0cHM6Ly93d3cuZ29vZ2xlYXBpcy5jb20vb2F1dGgyL3YxL2NlcnRzIiwiY2xpZW50X3g1MDlfY2VydF91cmwiOiAiPHlvdXItY2xpZW50LWNlcnQtdXJsPiJ9Cg=="
GCP_CREDENTIALS_JSON: ""

encryption:
enabled: false # Recommended
passphrase: "" # Required if encryption is enabled
# image: google/cloud-sdk:alpine # default amd

PERSISTENCE:
enabled: false
existingClaim: ""
# size: 30Gi # Required if existingClaim is not used
storageClass: "" # Required if existingClaim is not used
encryption:
enabled: false # Recommended
passphrase: "" # Required if encryption is enabled

argocdversion: v2


postgres_backup:
# Reference to secret which as postgresql password in PG_PASSWORD key
secretName: "devtron-secret"
enabled: true
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
cpu: 100m
memory: 100Mi
# postgresImage: postgres:14
# host: "postgresql-custom.devtroncd"

argocd_backup:
serviceAccountName: "argocd-backup"
serviceAccountName: "argocd-backup"
enabled: false
resources:
requests:
cpu: 100m
memory: 100Mi
limits:
cpu: 100m
memory: 100Mi
# argocdImage: quay.io/argoproj/argocd:v2.4.0
# args: "argocd admin export -n devtroncd > /argocd/backup.yaml"

# argocdImage: argoproj/argocd:v1.8.1 #(image for argo-V1)
# args: argocd-util export --namespace devtroncd > /argocd/backup.yaml; #(argo-V1)
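Review bot: The `NODE_ROLE: ""` default does not behave the way its two comments describe once it reaches the templates in backup-on-aws.yaml. The Secret is guarded by `not (.Values.global.S3.NODE_ROLE | default true)`, and since Sprig's `default` treats both `false` and `""` as empty, that expression appears to be false for every value, so `AWS_ACCESS_KEY` and `AWS_SECRET_KEY` are never written to the Secret; the containers use `not .Values.global.S3.NODE_ROLE`, which is true for `""`, so with the defaults they reference secret keys that do not exist. I would make the default a real boolean, `NODE_ROLE: true`, keep only one of the two comments above it, and use the same guard in both places, `{{- if not .Values.global.S3.NODE_ROLE }}`.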
