K3S-HOME/storage
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

FEAT(velero): Add Velero, Falco,

Browse Source 
- and CNPG infrastructure components
Add three critical infrastructure components via GitOps:

- Velero: Backup and disaster recovery solution
  - Configured with Minio S3 backend
  - Daily full cluster backups (30-day retention)
  - Hourly backups for critical namespaces (7-day retention)
  - Credentials managed via External Secrets from Vault

- Falco: Runtime security monitoring
  - eBPF-based threat detection
  - Custom rules for container security
  - Falcosidekick for alert forwarding
  - Prometheus metrics enabled

- CNPG (CloudNativePG): PostgreSQL operator
  - Kubernetes-native PostgreSQL management
  - Automated failover and backups
  - Will replace Bitnami PostgreSQL

All components follow existing GitOps patterns:
- Helm charts deployed via ArgoCD
- Values managed in Git
- Automated sync with selfHeal enabled
This commit is contained in:
Mayne0213
2025-12-25 12:21:19 +09:00
parent b6802a45e6
commit 3366a6b5b8
7 changed files with 333 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files

47
cnpg/argocd/cnpg.yaml Normal file
View File

@@ -0,0 +1,47 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cnpg
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
# Helm chart from CloudNativePG repository
- repoURL: https://cloudnative-pg.github.io/charts
chart: cloudnative-pg
targetRevision: 0.23.0
helm:
valueFiles:
- $values/cnpg/helm-values/cnpg.yaml
# Values file from Git repository
- repoURL: https://gitea0213.kro.kr/bluemayne/cluster-infrastructure.git
targetRevision: main
ref: values
destination:
server: https://kubernetes.default.svc
namespace: cnpg-system
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- PrunePropagationPolicy=foreground
- PruneLast=true
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m
revisionHistoryLimit: 10

78
cnpg/helm-values/cnpg.yaml Normal file
View File

@@ -0,0 +1,78 @@
# CloudNativePG Operator Helm Values
# Chart: https://github.com/cloudnative-pg/charts
# Operator image
image:
repository: ghcr.io/cloudnative-pg/cloudnative-pg
tag: 1.25.1
pullPolicy: IfNotPresent
# Replica count for operator
replicaCount: 1
# Resource requests for operator
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
# RBAC
rbac:
create: true
# Service Account
serviceAccount:
create: true
name: cnpg-operator
# Monitoring
monitoring:
# Enable Prometheus PodMonitor
podMonitorEnabled: true
# Webhook configuration
webhook:
port: 9443
mutating:
create: true
validating:
create: true
# Operator configuration
config:
# Data checksums for PostgreSQL
data:
INHERITED_ANNOTATIONS: "cert-manager.io/*, argocd.argoproj.io/*"
INHERITED_LABELS: "app.kubernetes.io/*"
# Monitoring queries interval
MONITORING_QUERIES_CONFIGMAP: ""
MONITORING_QUERIES_SECRET: ""
# CRD configuration
crds:
create: true
# Node selector
nodeSelector: {}
# Tolerations
tolerations: []
# Affinity
affinity: {}
# Security context
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
runAsNonRoot: true
runAsUser: 10001
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault

6
cnpg/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# ArgoCD Application 리소스는 root kustomization.yaml에서 관리
# - argocd/cnpg.yaml

47
velero/argocd/velero.yaml Normal file
View File

@@ -0,0 +1,47 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: velero
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
sources:
# Helm chart from VMware Tanzu repository
- repoURL: https://vmware-tanzu.github.io/helm-charts
chart: velero
targetRevision: 11.2.0
helm:
valueFiles:
- $values/velero/helm-values/velero.yaml
# Values file from Git repository
- repoURL: https://gitea0213.kro.kr/bluemayne/cluster-infrastructure.git
targetRevision: main
ref: values
destination:
server: https://kubernetes.default.svc
namespace: velero
syncPolicy:
automated:
prune: true
selfHeal: true
allowEmpty: false
syncOptions:
- CreateNamespace=true
- PrunePropagationPolicy=foreground
- PruneLast=true
- ServerSideApply=true
retry:
limit: 5
backoff:
duration: 5s
factor: 2
maxDuration: 3m
revisionHistoryLimit: 10

33
velero/external-secret.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: velero-s3-credentials
namespace: velero
spec:
refreshInterval: 1h
secretStoreRef:
name: vault-backend
kind: ClusterSecretStore
target:
name: velero-s3-credentials
creationPolicy: Owner
template:
type: Opaque
data:
cloud: |
[default]
aws_access_key_id={{ .minioAccessKey }}
aws_secret_access_key={{ .minioSecretKey }}
data:
- secretKey: minioAccessKey
remoteRef:
key: secret/data/minio
property: accessKey
- secretKey: minioSecretKey
remoteRef:
key: secret/data/minio
property: secretKey

113
velero/helm-values/velero.yaml Normal file
View File

@@ -0,0 +1,113 @@
# Velero Helm Values
# Chart: https://github.com/vmware-tanzu/helm-charts/tree/main/charts/velero
# Image configuration
image:
repository: velero/velero
tag: v1.15.0
pullPolicy: IfNotPresent
# Resource requests
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
# Init containers for plugins
initContainers:
# AWS plugin for S3-compatible storage (Minio)
- name: velero-plugin-for-aws
image: velero/velero-plugin-for-aws:v1.11.0
volumeMounts:
- mountPath: /target
name: plugins
# Configuration for backup storage
configuration:
# Use existing BackupStorageLocation and VolumeSnapshotLocation
backupStorageLocation:
- name: default
provider: aws
bucket: velero-backups
config:
region: minio
s3ForcePathStyle: "true"
s3Url: http://minio.minio.svc.cluster.local:9000
publicUrl: https://s3.minio0213.kro.kr
volumeSnapshotLocation:
- name: default
provider: aws
config:
region: minio
# Default backup retention
defaultBackupTTL: 720h # 30 days
# Restore only mode (for disaster recovery)
restoreOnlyMode: false
# Credentials for S3 access (from Vault via External Secrets)
credentials:
useSecret: true
existingSecret: velero-s3-credentials
secretContents: {}
# Backup schedules
schedules:
# Daily full cluster backup
daily-backup:
disabled: false
schedule: "0 2 * * *" # 2 AM daily
template:
ttl: 720h # 30 days
includedNamespaces:
- "*"
excludedNamespaces:
- kube-system
- kube-public
- kube-node-lease
snapshotVolumes: true
# Hourly backup for critical namespaces
hourly-critical-backup:
disabled: false
schedule: "0 * * * *" # Every hour
template:
ttl: 168h # 7 days
includedNamespaces:
- postgresql
- postgresql-dev
- vault
- gitea
- harbor
snapshotVolumes: true
# Metrics
metrics:
enabled: true
serviceMonitor:
enabled: true
prometheusRule:
enabled: false
# RBAC
serviceAccount:
server:
create: true
name: velero
rbac:
create: true
# Node selector (optional)
nodeSelector: {}
# Tolerations (optional)
tolerations: []
# Affinity (optional)
affinity: {}

9
velero/kustomization.yaml Normal file
View File

@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# ArgoCD Application 리소스는 root kustomization.yaml에서 관리
# - argocd/velero.yaml
# Velero credentials from Vault
- external-secret.yaml