From 30bf0874ae25c415750914e2e84bf4f361f9e79c Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?S=C3=A9bastien=20Huss?= Date: Sat, 12 Aug 2023 11:53:33 +0200 Subject: [PATCH] fix --- apps/dolibarr/index.yaml | 401 +++++++++++++++++++----------- apps/dolibarr/postgresql.tf | 40 +++ apps/gitea/index.yaml | 313 +++++++++++++++-------- apps/gitea/postgresql.tf | 40 +++ apps/nextcloud/index.yaml | 451 +++++++++++++++++++++------------- apps/nextcloud/postgresql.tf | 39 +++ share/authentik/index.yaml | 184 ++++++++------ share/authentik/postgresql.tf | 40 +++ 8 files changed, 1003 insertions(+), 505 deletions(-) diff --git a/apps/dolibarr/index.yaml b/apps/dolibarr/index.yaml index 6b5b6d3..4df9fdf 100644 --- a/apps/dolibarr/index.yaml +++ b/apps/dolibarr/index.yaml 
@@ -6,143 +6,30 @@ metadata: name: dolibarr description: null options: - resources: - default: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 50m - memory: 100Mi - examples: - - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 50m - memory: 100Mi - properties: - limits: - default: - cpu: 200m - memory: 256Mi - properties: - cpu: - default: 200m - type: string - memory: - default: 256Mi - type: string - type: object - requests: - default: - cpu: 50m - memory: 100Mi - properties: - cpu: - default: 50m - type: string - memory: - default: 100Mi - type: string - type: object - type: object sub-domain: default: erp examples: - erp type: string - user-groups: + hpa: default: - - admin: true - name: dolibarr-admin + avg-cpu: 50 + max-replicas: 5 + min-replicas: 1 examples: - - - admin: true - name: dolibarr-admin - items: - properties: - admin: - type: boolean - name: - type: string - type: object - type: array - storage: - default: - accessMode: ReadWriteOnce - size: 10Gi - type: Filesystem - examples: - - accessMode: ReadWriteOnce - size: 10Gi - type: Filesystem + - avg-cpu: 50 + max-replicas: 5 + min-replicas: 1 properties: - accessMode: - default: ReadWriteOnce - enum: - - ReadWriteOnce - - ReadOnlyMany - - ReadWriteMany - type: string - size: - default: 10Gi - type: string - type: - default: Filesystem - enum: - - Filesystem - - block - type: string - type: object - parameters: - default: - MAIN_LANG_DEFAULT: auto - examples: - - MAIN_LANG_DEFAULT: auto - properties: - MAIN_LANG_DEFAULT: - default: auto - type: string - type: object - domain: - default: your-company - examples: - - your-company - type: string - log-level: - default: 5 - examples: - - 5 - type: integer - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod - type: string - ingress-class: - default: traefik - examples: - - traefik - type: string - postgres: - default: - replicas: 1 - storage: 5Gi - version: '14' - examples: - - replicas: 1 - storage: 5Gi - version: '14' - 
properties: - replicas: + avg-cpu: + default: 50 + type: integer + max-replicas: + default: 5 + type: integer + min-replicas: default: 1 type: integer - storage: - default: 5Gi - type: string - version: - default: '14' - type: string type: object redis: default: @@ -177,30 +64,10 @@ options: default: 2Gi type: string type: object - hpa: - default: - avg-cpu: 50 - max-replicas: 5 - min-replicas: 1 + issuer: + default: letsencrypt-prod examples: - - avg-cpu: 50 - max-replicas: 5 - min-replicas: 1 - properties: - avg-cpu: - default: 50 - type: integer - max-replicas: - default: 5 - type: integer - min-replicas: - default: 1 - type: integer - type: object - domain-name: - default: your_company.com - examples: - - your_company.com + - letsencrypt-prod type: string modules: default: @@ -210,6 +77,53 @@ options: items: type: string type: array + storage: + default: + accessMode: ReadWriteOnce + size: 10Gi + type: Filesystem + examples: + - accessMode: ReadWriteOnce + size: 10Gi + type: Filesystem + properties: + accessMode: + default: ReadWriteOnce + enum: + - ReadWriteOnce + - ReadOnlyMany + - ReadWriteMany + type: string + size: + default: 10Gi + type: string + type: + default: Filesystem + enum: + - Filesystem + - block + type: string + type: object + domain-name: + default: your_company.com + examples: + - your_company.com + type: string + parameters: + default: + MAIN_LANG_DEFAULT: auto + examples: + - MAIN_LANG_DEFAULT: auto + properties: + MAIN_LANG_DEFAULT: + default: auto + type: string + type: object + ingress-class: + default: traefik + examples: + - traefik + type: string images: default: dolibarr: 
@@ -275,6 +189,193 @@ options: type: string type: object type: object + backups: + default: + enable: false + endpoint: '' + key-id-key: s3-id + restic-key: bck-password + retention: + db: 30d + keepDaily: 14 + keepMonthly: 12 + keepWeekly: 6 + keepYearly: 12 + schedule: + backup: 20 3 * * * + check: 20 5 * * 1 + db: 0 3 * * * + prune: 20 1 * * 0 + secret-key: s3-secret + secret-name: backup-settings + examples: + - enable: false + endpoint: '' + key-id-key: s3-id + restic-key: bck-password + retention: + db: 30d + keepDaily: 14 + keepMonthly: 12 + keepWeekly: 6 + keepYearly: 12 + schedule: + backup: 20 3 * * * + check: 20 5 * * 1 + db: 0 3 * * * + prune: 20 1 * * 0 + secret-key: s3-secret + secret-name: backup-settings + properties: + enable: + default: false + type: boolean + endpoint: + default: '' + type: string + key-id-key: + default: s3-id + type: string + restic-key: + default: bck-password + type: string + retention: + default: + db: 30d + keepDaily: 14 + keepMonthly: 12 + keepWeekly: 6 + keepYearly: 12 + properties: + db: + default: 30d + type: string + keepDaily: + default: 14 + type: integer + keepMonthly: + default: 12 + type: integer + keepWeekly: + default: 6 + type: integer + keepYearly: + default: 12 + type: integer + type: object + schedule: + default: + backup: 20 3 * * * + check: 20 5 * * 1 + db: 0 3 * * * + prune: 20 1 * * 0 + properties: + backup: + default: 20 3 * * * + type: string + check: + default: 20 5 * * 1 + type: string + db: + default: 0 3 * * * + type: string + prune: + default: 20 1 * * 0 + type: string + type: object + secret-key: + default: s3-secret + type: string + secret-name: + default: backup-settings + type: string + type: object + domain: + default: your-company + examples: + - your-company + type: string + user-groups: + default: + - admin: true + name: dolibarr-admin + examples: + - - admin: true + name: dolibarr-admin + items: + properties: + admin: + type: boolean + name: + type: string + type: object + type: array + 
log-level: + default: 5 + examples: + - 5 + type: integer + postgres: + default: + replicas: 1 + storage: 5Gi + version: '14' + examples: + - replicas: 1 + storage: 5Gi + version: '14' + properties: + replicas: + default: 1 + type: integer + storage: + default: 5Gi + type: string + version: + default: '14' + type: string + type: object + resources: + default: + limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 100Mi + examples: + - limits: + cpu: 200m + memory: 256Mi + requests: + cpu: 50m + memory: 100Mi + properties: + limits: + default: + cpu: 200m + memory: 256Mi + properties: + cpu: + default: 200m + type: string + memory: + default: 256Mi + type: string + type: object + requests: + default: + cpu: 50m + memory: 100Mi + properties: + cpu: + default: 50m + type: string + memory: + default: 100Mi + type: string + type: object + type: object dependencies: - dist: null category: share diff --git a/apps/dolibarr/postgresql.tf b/apps/dolibarr/postgresql.tf index 1ed1f27..4b08efe 100644 --- a/apps/dolibarr/postgresql.tf +++ b/apps/dolibarr/postgresql.tf @@ -2,6 +2,23 @@ locals { pg-labels = merge(local.common-labels, { "app.kubernetes.io/component" = "pg" }) + backup-def = var.backups.enable ? { + retentionPolicy = var.backups.retention.db + barmanObjectStore = { + destinationPath = "s3://${var.instance}-${var.namespace}/" + endpointURL = "${var.backups.endpoint}/barman" + s3Credentials = { + accessKeyId = { + name = var.backups.secret-name + key = var.backups.key-id-key + } + secretAccessKey = { + name = var.backups.secret-name + key = var.backups.secret-key + } + } + } + } : {} } resource "kubectl_manifest" "prj_pg" { 
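Review bot: `endpointURL = "${var.backups.endpoint}/barman"` in the new `backup-def` local has no guard for an empty endpoint, and the schema added by this same patch defaults `backups.endpoint` to `''`, so a user who flips `enable: true` without setting it gets a Cluster whose object store URL is `/barman` and backups that only fail at runtime. A `lifecycle { precondition { … } }` on `kubectl_manifest.prj_pg` with `condition = !var.backups.enable || var.backups.endpoint != ""` and an `error_message` naming the option would surface that at plan time instead. The same local is added unchanged in apps/gitea/postgresql.tf, apps/nextcloud/postgresql.tf and share/authentik/postgresql.tf. The enclosing `locals` block starts before this hunk.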
@@ -14,7 +31,30 @@ resource "kubectl_manifest" "prj_pg" { labels: ${jsonencode(local.pg-labels)} spec: instances: ${var.postgres.replicas} + monitoring: + enablePodMonitor: true + bootstrap: + initdb: + database: "${var.component}" + owner: "${var.component}" storage: size: "${var.postgres.storage}" + backup: ${jsonencode(local.backup-def)} + EOF +} + +resource "kubectl_manifest" "prj_pg_backup" { + yaml_body = <<-EOF + apiVersion: postgresql.cnpg.io/v1 + kind: ScheduledBackup + metadata: + name: "${var.instance}-${var.component}-pg" + namespace: "${var.namespace}" + labels: ${jsonencode(local.pg-labels)} + spec: + schedule: "${var.backups.schedule.db}" + backupOwnerReference: self + cluster: + name: "${var.instance}-${var.component}-pg" EOF } diff --git a/apps/gitea/index.yaml b/apps/gitea/index.yaml index 05c1c7f..2c1f872 100644 --- a/apps/gitea/index.yaml +++ b/apps/gitea/index.yaml @@ -9,15 +9,30 @@ metadata: A painless self-hosted Git service. Gitea is a community managed lightweight code hosting solution written in Go. It is published under the MIT license. options: - ssh-port: - default: 2222 + timezone: + default: Europe/Paris examples: - - 2222 - type: integer - ingress-class: - default: traefik + - Europe/Paris + type: string + load-balancer: + default: + ip: '' examples: - - traefik + - ip: '' + properties: + ip: + default: '' + type: string + type: object + issuer: + default: letsencrypt-prod + examples: + - letsencrypt-prod + type: string + domain: + default: your-company + examples: + - your-company type: string webhook: default: 
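Review bot: The new `kubectl_manifest.prj_pg_backup` is created even when `var.backups.enable` is false, in which case `local.backup-def` renders as `backup: {}` and the Cluster has no object store configured, so the ScheduledBackup will fire every night and fail. Guarding the resource with `count = var.backups.enable ? 1 : 0` keeps the two manifests in step. Separately, CloudNativePG parses `ScheduledBackup.spec.schedule` as a six-field cron expression with a leading seconds field, so the five-field defaults this patch gives `backups.schedule.db` (e.g. `0 3 * * *`) are likely to be rejected by the operator — worth confirming against the deployed CNPG version before merging. The same resource is added in apps/gitea/postgresql.tf, apps/nextcloud/postgresql.tf and share/authentik/postgresql.tf; the `prj_pg` resource this hunk extends starts before it.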
@@ -34,35 +49,10 @@ options: default: false type: boolean type: object - domain-name: - default: your_company.com + sub-domain: + default: git examples: - - your_company.com - type: string - replicas: - default: 1 - examples: - - 1 - type: integer - volume: - default: - size: 10Gi - examples: - - size: 10Gi - properties: - size: - default: 10Gi - type: string - type: object - theme: - default: gitea-modern - examples: - - gitea-modern - type: string - default-branch: - default: main - examples: - - main + - git type: string postgres: default: 
@@ -84,6 +74,182 @@ options: default: '14' type: string type: object + release: + default: 8.3.0 + examples: + - 8.3.0 + type: string + disable-registration: + default: true + examples: + - true + type: boolean + ingress-class: + default: traefik + examples: + - traefik + type: string + replicas: + default: 1 + examples: + - 1 + type: integer + backups: + default: + enable: false + endpoint: '' + key-id-key: s3-id + restic-key: bck-password + retention: + db: 30d + keepDaily: 14 + keepMonthly: 12 + keepWeekly: 6 + keepYearly: 12 + schedule: + backup: 10 3 * * * + check: 10 5 * * 1 + db: 10 3 * * * + prune: 10 1 * * 0 + secret-key: s3-secret + secret-name: backup-settings + examples: + - enable: false + endpoint: '' + key-id-key: s3-id + restic-key: bck-password + retention: + db: 30d + keepDaily: 14 + keepMonthly: 12 + keepWeekly: 6 + keepYearly: 12 + schedule: + backup: 10 3 * * * + check: 10 5 * * 1 + db: 10 3 * * * + prune: 10 1 * * 0 + secret-key: s3-secret + secret-name: backup-settings + properties: + enable: + default: false + type: boolean + endpoint: + default: '' + type: string + key-id-key: + default: s3-id + type: string + restic-key: + default: bck-password + type: string + retention: + default: + db: 30d + keepDaily: 14 + keepMonthly: 12 + keepWeekly: 6 + keepYearly: 12 + properties: + db: + default: 30d + type: string + keepDaily: + default: 14 + type: integer + keepMonthly: + default: 12 + type: integer + keepWeekly: + default: 6 + type: integer + keepYearly: + default: 12 + type: integer + type: object + schedule: + default: + backup: 10 3 * * * + check: 10 5 * * 1 + db: 10 3 * * * + prune: 10 1 * * 0 + properties: + backup: + default: 10 3 * * * + type: string + check: + default: 10 5 * * 1 + type: string + db: + default: 10 3 * * * + type: string + prune: + default: 10 1 * * 0 + type: string + type: object + secret-key: + default: s3-secret + type: string + secret-name: + default: backup-settings + type: string + type: object + volume: + default: 
+ size: 10Gi + examples: + - size: 10Gi + properties: + size: + default: 10Gi + type: string + type: object + default-branch: + default: main + examples: + - main + type: string + push-create: + default: + org: 'true' + private: 'false' + user: 'true' + examples: + - org: 'true' + private: 'false' + user: 'true' + properties: + org: + default: 'true' + type: string + private: + default: 'false' + type: string + user: + default: 'true' + type: string + type: object + admin: + default: + email: git-admin@git.your_company.com + name: gitea_admin + examples: + - email: git-admin@git.your_company.com + name: gitea_admin + properties: + email: + default: git-admin@git.your_company.com + type: string + name: + default: gitea_admin + type: string + type: object + ssh-port: + default: 2222 + examples: + - 2222 + type: integer images: default: gitea: 
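Review bot: The gitea defaults put the database backup and the application backup on the same minute (`db: 10 3 * * *` and `backup: 10 3 * * *`), whereas the dolibarr schema in this patch staggers them (`db: 0 3 * * *`, then `backup: 20 3 * * *`). If the intent is for the file-level backup to capture a state consistent with a completed database dump, the same stagger is presumably wanted here and in the nextcloud schema, which also uses `30 3 * * *` for both; if the overlap is deliberate, a short comment on the `schedule` default saying so would save the next reader the question.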
@@ -147,81 +313,16 @@ options: type: string type: object type: object - load-balancer: - default: - ip: '' + theme: + default: gitea-modern examples: - - ip: '' - properties: - ip: - default: '' - type: string - type: object - timezone: - default: Europe/Paris - examples: - - Europe/Paris + - gitea-modern type: string - disable-registration: - default: true + domain-name: + default: your_company.com examples: - - true - type: boolean - sub-domain: - default: git - examples: - - git + - your_company.com type: string - release: - default: 8.3.0 - examples: - - 8.3.0 - type: string - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod - type: string - push-create: - default: - org: 'true' - private: 'false' - user: 'true' - examples: - - org: 'true' - private: 'false' - user: 'true' - properties: - org: - default: 'true' - type: string - private: - default: 'false' - type: string - user: - default: 'true' - type: string - type: object - domain: - default: your-company - examples: - - your-company - type: string - admin: - default: - email: git-admin@git.your_company.com - name: gitea_admin - examples: - - email: git-admin@git.your_company.com - name: gitea_admin - properties: - email: - default: git-admin@git.your_company.com - type: string - name: - default: gitea_admin - type: string - type: object dependencies: - dist: null category: share diff --git a/apps/gitea/postgresql.tf b/apps/gitea/postgresql.tf index 1ed1f27..65545c7 100644 --- a/apps/gitea/postgresql.tf +++ b/apps/gitea/postgresql.tf 
@@ -2,6 +2,23 @@ locals { pg-labels = merge(local.common-labels, { "app.kubernetes.io/component" = "pg" }) + backup-def = var.backups.enable ? { + retentionPolicy = var.backups.retention.db + barmanObjectStore = { + destinationPath = "s3://${var.instance}-${var.namespace}/" + endpointURL = "${var.backups.endpoint}/barman" + s3Credentials = { + accessKeyId = { + name = var.backups.secret-name + key = var.backups.key-id-key + } + secretAccessKey = { + name = var.backups.secret-name + key = var.backups.secret-key + } + } + } + } : {} } resource "kubectl_manifest" "prj_pg" { @@ -16,5 +33,28 @@ resource "kubectl_manifest" "prj_pg" { instances: ${var.postgres.replicas} storage: size: "${var.postgres.storage}" + monitoring: + enablePodMonitor: true + bootstrap: + initdb: + database: "${var.component}" + owner: "${var.component}" + backup: ${jsonencode(local.backup-def)} + EOF +} + +resource "kubectl_manifest" "prj_pg_backup" { + yaml_body = <<-EOF + apiVersion: postgresql.cnpg.io/v1 + kind: ScheduledBackup + metadata: + name: "${var.instance}-${var.component}-pg" + namespace: "${var.namespace}" + labels: ${jsonencode(local.pg-labels)} + spec: + schedule: "${var.backups.schedule.db}" + backupOwnerReference: self + cluster: + name: "${var.instance}-${var.component}-pg" EOF } diff --git a/apps/nextcloud/index.yaml b/apps/nextcloud/index.yaml index 460b738..5637634 100644 --- a/apps/nextcloud/index.yaml +++ b/apps/nextcloud/index.yaml 
@@ -6,21 +6,227 @@ metadata: name: nextcloud description: null options: - admin: - default: - name: nextcloud_admin + sub-domain: + default: files examples: - - name: nextcloud_admin + - files + type: string + hpa: + default: + avg-cpu: 50 + max-replicas: 5 + min-replicas: 1 + examples: + - avg-cpu: 50 + max-replicas: 5 + min-replicas: 1 properties: - name: - default: nextcloud_admin + avg-cpu: + default: 50 + type: integer + max-replicas: + default: 5 + type: integer + min-replicas: + default: 1 + type: integer + type: object + ingress-class: + default: traefik + examples: + - traefik + type: string + backups: + default: + enable: false + endpoint: '' + key-id-key: s3-id + restic-key: bck-password + retention: + db: 30d + keepDaily: 14 + keepMonthly: 12 + keepWeekly: 6 + keepYearly: 12 + schedule: + backup: 30 3 * * * + check: 30 5 * * 1 + db: 30 3 * * * + prune: 30 1 * * 0 + secret-key: s3-secret + secret-name: backup-settings + examples: + - enable: false + endpoint: '' + key-id-key: s3-id + restic-key: bck-password + retention: + db: 30d + keepDaily: 14 + keepMonthly: 12 + keepWeekly: 6 + keepYearly: 12 + schedule: + backup: 30 3 * * * + check: 30 5 * * 1 + db: 30 3 * * * + prune: 30 1 * * 0 + secret-key: s3-secret + secret-name: backup-settings + properties: + enable: + default: false + type: boolean + endpoint: + default: '' + type: string + key-id-key: + default: s3-id + type: string + restic-key: + default: bck-password + type: string + retention: + default: + db: 30d + keepDaily: 14 + keepMonthly: 12 + keepWeekly: 6 + keepYearly: 12 + properties: + db: + default: 30d + type: string + keepDaily: + default: 14 + type: integer + keepMonthly: + default: 12 + type: integer + keepWeekly: + default: 6 + type: integer + keepYearly: + default: 12 + type: integer + type: object + schedule: + default: + backup: 30 3 * * * + check: 30 5 * * 1 + db: 30 3 * * * + prune: 30 1 * * 0 + properties: + backup: + default: 30 3 * * * + type: string + check: + default: 30 5 * * 
1 + type: string + db: + default: 30 3 * * * + type: string + prune: + default: 30 1 * * 0 + type: string + type: object + secret-key: + default: s3-secret + type: string + secret-name: + default: backup-settings type: string type: object - openid-name: - default: vynil + apps: + default: + audioplayer: false + bookmarks: false + bpm: false + calendar: false + collabora: false + contacts: false + deck: false + groupfolders: true + mindmap: false + music: false + notes: false + onlyoffice: false + passman: false + spreed: false + tables: false + tasks: false + texteditor: true examples: - - vynil - type: string + - audioplayer: false + bookmarks: false + bpm: false + calendar: false + collabora: false + contacts: false + deck: false + groupfolders: true + mindmap: false + music: false + notes: false + onlyoffice: false + passman: false + spreed: false + tables: false + tasks: false + texteditor: true + properties: + audioplayer: + default: false + type: boolean + bookmarks: + default: false + type: boolean + bpm: + default: false + type: boolean + calendar: + default: false + type: boolean + collabora: + default: false + type: boolean + contacts: + default: false + type: boolean + deck: + default: false + type: boolean + groupfolders: + default: true + type: boolean + mindmap: + default: false + type: boolean + music: + default: false + type: boolean + notes: + default: false + type: boolean + onlyoffice: + default: false + type: boolean + passman: + default: false + type: boolean + spreed: + default: false + type: boolean + tables: + default: false + type: boolean + tasks: + default: false + type: boolean + texteditor: + default: true + type: boolean + type: object redis: default: exporter: 
@@ -54,20 +260,74 @@ options: default: 2Gi type: string type: object + postgres: + default: + replicas: 1 + storage: 5Gi + version: '14' + examples: + - replicas: 1 + storage: 5Gi + version: '14' + properties: + replicas: + default: 1 + type: integer + storage: + default: 5Gi + type: string + version: + default: '14' + type: string + type: object domain-name: default: your_company.com examples: - your_company.com type: string - sub-domain: - default: files + issuer: + default: letsencrypt-prod examples: - - files + - letsencrypt-prod type: string - ingress-class: - default: traefik + storage: + default: + accessMode: ReadWriteOnce + size: 10Gi examples: - - traefik + - accessMode: ReadWriteOnce + size: 10Gi + properties: + accessMode: + default: ReadWriteOnce + enum: + - ReadWriteOnce + - ReadOnlyMany + - ReadWriteMany + type: string + size: + default: 10Gi + type: string + type: object + admin: + default: + name: nextcloud_admin + examples: + - name: nextcloud_admin + properties: + name: + default: nextcloud_admin + type: string + type: object + domain: + default: your-company + examples: + - your-company + type: string + openid-name: + default: vynil + examples: + - vynil type: string images: default: 
@@ -232,165 +492,6 @@ options: type: string type: object type: object - domain: - default: your-company - examples: - - your-company - type: string - issuer: - default: letsencrypt-prod - examples: - - letsencrypt-prod - type: string - postgres: - default: - replicas: 1 - storage: 5Gi - version: '14' - examples: - - replicas: 1 - storage: 5Gi - version: '14' - properties: - replicas: - default: 1 - type: integer - storage: - default: 5Gi - type: string - version: - default: '14' - type: string - type: object - hpa: - default: - avg-cpu: 50 - max-replicas: 5 - min-replicas: 1 - examples: - - avg-cpu: 50 - max-replicas: 5 - min-replicas: 1 - properties: - avg-cpu: - default: 50 - type: integer - max-replicas: - default: 5 - type: integer - min-replicas: - default: 1 - type: integer - type: object - apps: - default: - audioplayer: false - bookmarks: false - bpm: false - calendar: false - collabora: false - contacts: false - deck: false - groupfolders: true - mindmap: false - music: false - notes: false - onlyoffice: false - passman: false - spreed: false - tables: false - tasks: false - texteditor: true - examples: - - audioplayer: false - bookmarks: false - bpm: false - calendar: false - collabora: false - contacts: false - deck: false - groupfolders: true - mindmap: false - music: false - notes: false - onlyoffice: false - passman: false - spreed: false - tables: false - tasks: false - texteditor: true - properties: - audioplayer: - default: false - type: boolean - bookmarks: - default: false - type: boolean - bpm: - default: false - type: boolean - calendar: - default: false - type: boolean - collabora: - default: false - type: boolean - contacts: - default: false - type: boolean - deck: - default: false - type: boolean - groupfolders: - default: true - type: boolean - mindmap: - default: false - type: boolean - music: - default: false - type: boolean - notes: - default: false - type: boolean - onlyoffice: - default: false - type: boolean - passman: - default: 
false - type: boolean - spreed: - default: false - type: boolean - tables: - default: false - type: boolean - tasks: - default: false - type: boolean - texteditor: - default: true - type: boolean - type: object - storage: - default: - accessMode: ReadWriteOnce - size: 10Gi - examples: - - accessMode: ReadWriteOnce - size: 10Gi - properties: - accessMode: - default: ReadWriteOnce - enum: - - ReadWriteOnce - - ReadOnlyMany - - ReadWriteMany - type: string - size: - default: 10Gi - type: string - type: object dependencies: - dist: null category: share diff --git a/apps/nextcloud/postgresql.tf b/apps/nextcloud/postgresql.tf index 1ed1f27..3d51075 100644 --- a/apps/nextcloud/postgresql.tf +++ b/apps/nextcloud/postgresql.tf @@ -2,6 +2,22 @@ locals { pg-labels = merge(local.common-labels, { "app.kubernetes.io/component" = "pg" }) + backup-def = var.backups.enable ? { + barmanObjectStore = { + destinationPath = "s3://${var.instance}-${var.namespace}/" + endpointURL = "${var.backups.endpoint}/barman" + s3Credentials = { + accessKeyId = { + name = var.backups.secret-name + key = var.backups.key-id-key + } + secretAccessKey = { + name = var.backups.secret-name + key = var.backups.secret-key + } + } + } + } : {} } resource "kubectl_manifest" "prj_pg" { @@ -16,5 +32,28 @@ resource "kubectl_manifest" "prj_pg" { instances: ${var.postgres.replicas} storage: size: "${var.postgres.storage}" + monitoring: + enablePodMonitor: true + bootstrap: + initdb: + database: "${var.component}" + owner: "${var.component}" + backup: ${jsonencode(local.backup-def)} + EOF +} + +resource "kubectl_manifest" "prj_pg_backup" { + yaml_body = <<-EOF + apiVersion: postgresql.cnpg.io/v1 + kind: ScheduledBackup + metadata: + name: "${var.instance}-${var.component}-pg" + namespace: "${var.namespace}" + labels: ${jsonencode(local.pg-labels)} + spec: + schedule: "${var.backups.schedule.db}" + backupOwnerReference: self + cluster: + name: "${var.instance}-${var.component}-pg" EOF } 
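Review bot: The `backup-def` local in apps/nextcloud/postgresql.tf omits `retentionPolicy = var.backups.retention.db`, which the dolibarr, gitea and authentik variants of the same local include and which the nextcloud index.yaml in this patch still declares (`retention.db: 30d`). Without it the Barman object store has no retention policy, so CloudNativePG keeps every base backup and WAL segment indefinitely and the bucket grows without bound while the schema suggests a 30-day window is in force. Add `retentionPolicy = var.backups.retention.db` as the first attribute of the conditional map, as in the other three files. The enclosing `locals` block starts before this hunk.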
diff --git a/share/authentik/index.yaml b/share/authentik/index.yaml index 6a04f0d..7b3bb67 100644 --- a/share/authentik/index.yaml +++ b/share/authentik/index.yaml @@ -6,21 +6,75 @@ metadata: name: authentik description: authentik is an open-source Identity Provider focused on flexibility and versatility options: - domain: - default: your-company + loglevel: + default: info examples: - - your-company + - info type: string - domain-name: - default: your_company.com + geoip: + default: /geoip/GeoLite2-City.mmdb examples: - - your_company.com + - /geoip/GeoLite2-City.mmdb type: string - sub-domain: - default: auth + ingress-class: + default: traefik examples: - - auth + - traefik type: string + backups: + default: + enable: false + endpoint: '' + key-id-key: s3-id + retention: + db: 30d + schedule: + db: 0 3 * * * + secret-key: s3-secret + secret-name: backup-settings + examples: + - enable: false + endpoint: '' + key-id-key: s3-id + retention: + db: 30d + schedule: + db: 0 3 * * * + secret-key: s3-secret + secret-name: backup-settings + properties: + enable: + default: false + type: boolean + endpoint: + default: '' + type: string + key-id-key: + default: s3-id + type: string + retention: + default: + db: 30d + properties: + db: + default: 30d + type: string + type: object + schedule: + default: + db: 0 3 * * * + properties: + db: + default: 0 3 * * * + type: string + type: object + secret-key: + default: s3-secret + type: string + secret-name: + default: backup-settings + type: string + type: object error_reporting: default: enabled: false 
@@ -41,49 +95,16 @@ options: default: false type: boolean type: object - loglevel: - default: info - examples: - - info - type: string - admin: - default: - email: auth-admin - examples: - - email: auth-admin - properties: - email: - default: auth-admin - type: string - type: object postgres: default: - cleanlogs: - image: docker.io/alpine:3.18 - schedule: 30 5/12 * * * replicas: 1 storage: 8Gi version: '14' examples: - - cleanlogs: - image: docker.io/alpine:3.18 - schedule: 30 5/12 * * * - replicas: 1 + - replicas: 1 storage: 8Gi version: '14' properties: - cleanlogs: - default: - image: docker.io/alpine:3.18 - schedule: 30 5/12 * * * - properties: - image: - default: docker.io/alpine:3.18 - type: string - schedule: - default: 30 5/12 * * * - type: string - type: object replicas: default: 1 type: integer @@ -94,31 +115,6 @@ options: default: '14' type: string type: object - email: - default: - port: 587 - timeout: 30 - use_ssl: false - use_tls: false - examples: - - port: 587 - timeout: 30 - use_ssl: false - use_tls: false - properties: - port: - default: 587 - type: integer - timeout: - default: 30 - type: integer - use_ssl: - default: false - type: boolean - use_tls: - default: false - type: boolean - type: object redis: default: exporter: 
@@ -182,20 +178,60 @@ options: default: 2023.5.4 type: string type: object - ingress-class: - default: traefik + domain-name: + default: your_company.com examples: - - traefik + - your_company.com type: string + sub-domain: + default: auth + examples: + - auth + type: string + admin: + default: + email: auth-admin + examples: + - email: auth-admin + properties: + email: + default: auth-admin + type: string + type: object issuer: default: letsencrypt-prod examples: - letsencrypt-prod type: string - geoip: - default: /geoip/GeoLite2-City.mmdb + email: + default: + port: 587 + timeout: 30 + use_ssl: false + use_tls: false examples: - - /geoip/GeoLite2-City.mmdb + - port: 587 + timeout: 30 + use_ssl: false + use_tls: false + properties: + port: + default: 587 + type: integer + timeout: + default: 30 + type: integer + use_ssl: + default: false + type: boolean + use_tls: + default: false + type: boolean + type: object + domain: + default: your-company + examples: + - your-company type: string dependencies: - dist: null diff --git a/share/authentik/postgresql.tf b/share/authentik/postgresql.tf index 39c2adc..e6cd42b 100644 --- a/share/authentik/postgresql.tf +++ b/share/authentik/postgresql.tf @@ -5,6 +5,23 @@ locals { pool-labels = merge(local.common-labels, { "app.kubernetes.io/component" = "pg-pool" }) + backup-def = var.backups.enable ? { + retentionPolicy = var.backups.retention.db + barmanObjectStore = { + destinationPath = "s3://${var.instance}-${var.namespace}/" + endpointURL = "${var.backups.endpoint}/barman" + s3Credentials = { + accessKeyId = { + name = var.backups.secret-name + key = var.backups.key-id-key + } + secretAccessKey = { + name = var.backups.secret-name + key = var.backups.secret-key + } + } + } + } : {} } resource "kubectl_manifest" "prj_pg" { 
@@ -19,6 +36,29 @@ resource "kubectl_manifest" "prj_pg" { instances: ${var.postgres.replicas} storage: size: "${var.postgres.storage}" + monitoring: + enablePodMonitor: true + bootstrap: + initdb: + database: "${var.component}" + owner: "${var.component}" + backup: ${jsonencode(local.backup-def)} + EOF +} + +resource "kubectl_manifest" "prj_pg_backup" { + yaml_body = <<-EOF + apiVersion: postgresql.cnpg.io/v1 + kind: ScheduledBackup + metadata: + name: "${var.instance}-${var.component}-pg" + namespace: "${var.namespace}" + labels: ${jsonencode(local.pg-labels)} + spec: + schedule: "${var.backups.schedule.db}" + backupOwnerReference: self + cluster: + name: "${var.instance}-${var.component}-pg" EOF }