diff --git a/cnpg/argocd/cnpg.yaml b/cnpg/argocd/cnpg.yaml
new file mode 100644
index 0000000..ebf325c
--- /dev/null
+++ b/cnpg/argocd/cnpg.yaml
@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cnpg
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ sources:
+ # Helm chart from CloudNativePG repository
+ - repoURL: https://cloudnative-pg.github.io/charts
+ chart: cloudnative-pg
+ targetRevision: 0.23.0
+ helm:
+ valueFiles:
+ - $values/cnpg/helm-values/cnpg.yaml
+ # Values file from Git repository
+ - repoURL: https://gitea0213.kro.kr/bluemayne/cluster-infrastructure.git
+ targetRevision: main
+ ref: values
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: cnpg-system
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+
+ syncOptions:
+ - CreateNamespace=true
+ - PrunePropagationPolicy=foreground
+ - PruneLast=true
+ - ServerSideApply=true
+
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+
+ revisionHistoryLimit: 10
diff --git a/cnpg/helm-values/cnpg.yaml b/cnpg/helm-values/cnpg.yaml
new file mode 100644
index 0000000..da4fd95
--- /dev/null
+++ b/cnpg/helm-values/cnpg.yaml
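Review bot: `project: default` under `spec:` places a cluster-scoped operator install (CRDs plus cluster-wide RBAC from the chart) in Argo CD's built-in default AppProject, which permits any source repository, any destination namespace and any resource kind; the Velero Application in velero/argocd/velero.yaml does the same. With `targetRevision: main` on the values source and `selfHeal: true`, whatever lands on main is applied automatically, so the AppProject boundary is the remaining control on what this Application can deploy. A dedicated AppProject whose `sourceRepos` lists only the two repositories under `sources` and whose `destinations` is limited to `cnpg-system` on `https://kubernetes.default.svc` would bound that; a comment above `project:` such as `# TODO: move to an AppProject restricted to the chart repo, the values repo and cnpg-system` records the intent until it is done.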
@@ -0,0 +1,78 @@
+# CloudNativePG Operator Helm Values
+# Chart: https://github.com/cloudnative-pg/charts
+
+# Operator image
+image:
+ repository: ghcr.io/cloudnative-pg/cloudnative-pg
+ tag: 1.25.1
+ pullPolicy: IfNotPresent
+
+# Replica count for operator
+replicaCount: 1
+
+# Resource requests for operator
+resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+
+# RBAC
+rbac:
+ create: true
+
+# Service Account
+serviceAccount:
+ create: true
+ name: cnpg-operator
+
+# Monitoring
+monitoring:
+ # Enable Prometheus PodMonitor
+ podMonitorEnabled: true
+
+# Webhook configuration
+webhook:
+ port: 9443
+ mutating:
+ create: true
+ validating:
+ create: true
+
+# Operator configuration
+config:
+ # Data checksums for PostgreSQL
+ data:
+ INHERITED_ANNOTATIONS: "cert-manager.io/*, argocd.argoproj.io/*"
+ INHERITED_LABELS: "app.kubernetes.io/*"
+
+ # Monitoring queries interval
+ MONITORING_QUERIES_CONFIGMAP: ""
+ MONITORING_QUERIES_SECRET: ""
+
+# CRD configuration
+crds:
+ create: true
+
+# Node selector
+nodeSelector: {}
+
+# Tolerations
+tolerations: []
+
+# Affinity
+affinity: {}
+
+# Security context
+securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 10001
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
diff --git a/cnpg/kustomization.yaml b/cnpg/kustomization.yaml
new file mode 100644
index 0000000..d412fe5
--- /dev/null
+++ b/cnpg/kustomization.yaml
@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ # ArgoCD Application 리소스는 root kustomization.yaml에서 관리
+ # - argocd/cnpg.yaml
diff --git a/velero/argocd/velero.yaml b/velero/argocd/velero.yaml
new file mode 100644
index 0000000..5f568da
--- /dev/null
+++ b/velero/argocd/velero.yaml
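Review bot: The hardening block keyed `securityContext:` at the end of the file may not be read by the chart — as far as I recall, the cloudnative-pg chart takes container settings under `containerSecurityContext` and pod settings under `podSecurityContext`. Helm silently drops values that no template references, so if the key is wrong, `readOnlyRootFilesystem`, `runAsUser: 10001` and `capabilities.drop: [ALL]` here never reach the operator Deployment and the chart defaults apply instead. Confirm with `helm template` against chart 0.23.0 by inspecting the rendered Deployment's container securityContext, and rename the key to `containerSecurityContext:` if so. Separately, `# Data checksums for PostgreSQL` above `data:` does not describe the block (it holds entries for the operator's configuration ConfigMap) and `# Monitoring queries interval` sits above two resource-name keys, not an interval; `# Entries for the operator configuration ConfigMap` and `# Custom monitoring queries (ConfigMap / Secret names)` would be accurate.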
@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: velero
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: default
+
+ sources:
+ # Helm chart from VMware Tanzu repository
+ - repoURL: https://vmware-tanzu.github.io/helm-charts
+ chart: velero
+ targetRevision: 11.2.0
+ helm:
+ valueFiles:
+ - $values/velero/helm-values/velero.yaml
+ # Values file from Git repository
+ - repoURL: https://gitea0213.kro.kr/bluemayne/cluster-infrastructure.git
+ targetRevision: main
+ ref: values
+
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: velero
+
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ allowEmpty: false
+
+ syncOptions:
+ - CreateNamespace=true
+ - PrunePropagationPolicy=foreground
+ - PruneLast=true
+ - ServerSideApply=true
+
+ retry:
+ limit: 5
+ backoff:
+ duration: 5s
+ factor: 2
+ maxDuration: 3m
+
+ revisionHistoryLimit: 10
diff --git a/velero/external-secret.yaml b/velero/external-secret.yaml
new file mode 100644
index 0000000..87d4e5c
--- /dev/null
+++ b/velero/external-secret.yaml
@@ -0,0 +1,33 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: velero-s3-credentials
+ namespace: velero
+spec:
+ refreshInterval: 1h
+
+ secretStoreRef:
+ name: vault-backend
+ kind: ClusterSecretStore
+
+ target:
+ name: velero-s3-credentials
+ creationPolicy: Owner
+ template:
+ type: Opaque
+ data:
+ cloud: |
+ [default]
+ aws_access_key_id={{ .minioAccessKey }}
+ aws_secret_access_key={{ .minioSecretKey }}
+
+ data:
+ - secretKey: minioAccessKey
+ remoteRef:
+ key: secret/data/minio
+ property: accessKey
+
+ - secretKey: minioSecretKey
+ remoteRef:
+ key: secret/data/minio
+ property: secretKey
diff --git a/velero/helm-values/velero.yaml b/velero/helm-values/velero.yaml
new file mode 100644
index 0000000..49c0f69
--- /dev/null
+++ b/velero/helm-values/velero.yaml
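Review bot: Both `remoteRef` entries read `accessKey`/`secretKey` from the single Vault path `secret/data/minio`, which looks like a shared MinIO credential rather than one issued for Velero; if so, anyone who can read Secrets in the `velero` namespace (or the Velero pod itself) gets whatever that key can reach, not just the backup bucket. Prefer a MinIO user with a policy limited to the `velero-backups` bucket named in velero/helm-values/velero.yaml, stored at its own Vault path, and read that path here. Record the intent above the first `remoteRef`, e.g. `# MinIO user dedicated to Velero; policy scoped to bucket velero-backups (Vault path: <placeholder>)`. The `vault-backend` store is a `ClusterSecretStore`, so whether the Vault role behind it restricts which namespaces may read this path is worth checking too.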
@@ -0,0 +1,113 @@
+# Velero Helm Values
+# Chart: https://github.com/vmware-tanzu/helm-charts/tree/main/charts/velero
+
+# Image configuration
+image:
+ repository: velero/velero
+ tag: v1.15.0
+ pullPolicy: IfNotPresent
+
+# Resource requests
+resources:
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+
+# Init containers for plugins
+initContainers:
+ # AWS plugin for S3-compatible storage (Minio)
+ - name: velero-plugin-for-aws
+ image: velero/velero-plugin-for-aws:v1.11.0
+ volumeMounts:
+ - mountPath: /target
+ name: plugins
+
+# Configuration for backup storage
+configuration:
+ # Use existing BackupStorageLocation and VolumeSnapshotLocation
+ backupStorageLocation:
+ - name: default
+ provider: aws
+ bucket: velero-backups
+ config:
+ region: minio
+ s3ForcePathStyle: "true"
+ s3Url: http://minio.minio.svc.cluster.local:9000
+ publicUrl: https://s3.minio0213.kro.kr
+
+ volumeSnapshotLocation:
+ - name: default
+ provider: aws
+ config:
+ region: minio
+
+ # Default backup retention
+ defaultBackupTTL: 720h # 30 days
+
+ # Restore only mode (for disaster recovery)
+ restoreOnlyMode: false
+
+# Credentials for S3 access (from Vault via External Secrets)
+credentials:
+ useSecret: true
+ existingSecret: velero-s3-credentials
+ secretContents: {}
+
+# Backup schedules
+schedules:
+ # Daily full cluster backup
+ daily-backup:
+ disabled: false
+ schedule: "0 2 * * *" # 2 AM daily
+ template:
+ ttl: 720h # 30 days
+ includedNamespaces:
+ - "*"
+ excludedNamespaces:
+ - kube-system
+ - kube-public
+ - kube-node-lease
+ snapshotVolumes: true
+
+ # Hourly backup for critical namespaces
+ hourly-critical-backup:
+ disabled: false
+ schedule: "0 * * * *" # Every hour
+ template:
+ ttl: 168h # 7 days
+ includedNamespaces:
+ - postgresql
+ - postgresql-dev
+ - vault
+ - gitea
+ - harbor
+ snapshotVolumes: true
+
+# Metrics
+metrics:
+ enabled: true
+ serviceMonitor:
+ enabled: true
+ prometheusRule:
+ enabled: false
+
+# RBAC
+serviceAccount:
+ server:
+ create: true
+ name: velero
+
+rbac:
+ create: true
+
+# Node selector (optional)
+nodeSelector: {}
+
+# Tolerations (optional)
+tolerations: []
+
+# Affinity (optional)
+affinity: {}
diff --git a/velero/kustomization.yaml b/velero/kustomization.yaml
new file mode 100644
index 0000000..f13d532
--- /dev/null
+++ b/velero/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ # ArgoCD Application 리소스는 root kustomization.yaml에서 관리
+ # - argocd/velero.yaml
+
+ # Velero credentials from Vault
+ - external-secret.yaml
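Review bot: `s3Url: http://minio.minio.svc.cluster.local:9000` in the `backupStorageLocation` config uploads the backup stream in cleartext, and that stream contains every Secret object in the backed-up namespaces — the daily schedule covers `"*"` minus the three kube-* namespaces, and the hourly one explicitly includes `vault`, `gitea` and `harbor`. `publicUrl: https://s3.minio0213.kro.kr` shows the MinIO deployment already terminates TLS; if the in-cluster service does too, use `s3Url: https://minio.minio.svc.cluster.local:9000` and, for an internally signed certificate, add the AWS plugin's `caCert` entry to the same `config` block rather than disabling verification. Also, the comment `# Use existing BackupStorageLocation and VolumeSnapshotLocation` above `backupStorageLocation:` is inaccurate — these values define the locations, they do not reference pre-existing ones — so `# BackupStorageLocation / VolumeSnapshotLocation rendered by the chart` would be clearer. This hunk begins on the previous page line; the point applies to the `backupStorageLocation` block there.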