feat(kubernetes-etcd-backup): s3 support for kubernetes etcd backups (#…

…1341)

* feat(): s3 support for kubernetes etcd backups

* fix(): remove extra parameters

* feat(): bump version

* fix(): update README.md

* fix(): Update main README.md

* fix(): Update root readme

* feat(): allow using custom CA

* fix(): update helm docs

* feat(): update Chart.yaml with correct image tag

* fix(): update README.md

charts/kubernetes-etcd-backup/Chart.yaml

@@ -3,8 +3,8 @@ apiVersion: v2
 name: kubernetes-etcd-backup
 description: Chart for kubernetes-etcd-backup solution
 type: application
-version: 1.4.2
-appVersion: v1.2.1
+version: 1.5.1
+appVersion: v1.4.0
 keywords:
   - kubernetes-etcd-backup
   - kubernetes
@@ -20,5 +20,8 @@ maintainers:
 annotations:
   artifacthub.io/containsSecurityUpdates: "false"
   artifacthub.io/changes: |
-    - kind: fixed
-      description: "disallow concurrent job runs"
+    - kind: changed
+      description: "Add support for s3 storage"
+      links:
+        - name: "kubernetes-etcd-backup v1.4.0"
+          url: https://github.com/adfinis/kubernetes-etcd-backup/releases/tag/v1.4.0

charts/kubernetes-etcd-backup/templates/configmap.yaml

@@ -5,6 +5,7 @@ metadata:
   labels:
     {{- include "kubernetes-etcd-backup.labels" . | nindent 4 }}
 data:
+  ETCD_BACKUP_S3: {{ .Values.persistence.s3.enabled | quote }}
   ETCD_BACKUP_SUBDIR: {{ .Values.backup.subdir | quote }}
   ETCD_BACKUP_DIRNAME: {{ .Values.backup.dirname | quote }}
   ETCD_BACKUP_EXPIRE_TYPE: {{ .Values.backup.expiretype | quote }}

charts/kubernetes-etcd-backup/templates/cronjob.yaml

@@ -14,28 +14,39 @@ spec:
       template:
         spec:
           securityContext:
-              runAsUser: 1000
-              fsGroup: 1000
+            {{- toYaml .Values.podSecurityContext | nindent 12 }}
           containers:
           - command:
             - /bin/sh
             - /usr/local/bin/backup.sh
             image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
             imagePullPolicy: {{ .Values.image.pullPolicy }}
             name: {{ .Chart.Name }}
+            securityContext:
+              {{- toYaml .Values.securityContext | nindent 14 }}
             envFrom:
             - configMapRef:
                 name: {{ include "kubernetes-etcd-backup.fullname" . }}
+            {{- if .Values.persistence.s3.enabled }}
+            - secretRef:
+              {{- if .Values.persistence.s3.existingSecret }}
+                name: "{{ .Values.persistence.s3.existingSecret }}"
+              {{- else }}
+                name: {{ include "kubernetes-etcd-backup.fullname" . }}-secret
+              {{- end }}
+            {{- end }}
             resources:
               {{- toYaml .Values.resources | nindent 14 }}
             volumeMounts:
             - name: etcd-peer-tls
               mountPath: /etc/kubernetes/pki/etcd-peer
             - name: etcd-server-ca
               mountPath: /etc/kubernetes/pki/etcd-ca
-            {{- if or .Values.persistence.nfs.enabled .Values.persistence.provisioning.enabled }}
             - name: volume-backup
               mountPath: /backup
+            {{- if and (.Values.persistence.s3.enabled) (.Values.persistence.s3.ca.enabled) }}
+            - name: s3-ca
+              mountPath: /etc/pki/ca-trust/source/anchors
             {{- end }}
             {{- if .Values.extraVolumeMounts }}
               {{- toYaml .Values.extraVolumeMounts | nindent 12 }}
@@ -48,6 +59,11 @@ spec:
           - name: etcd-server-ca
             secret:
               secretName: {{ .Values.etcdCertification.etcdServerCaName }}
+          {{- if and (.Values.persistence.s3.enabled) (.Values.persistence.s3.ca.enabled) }}
+          - name: s3-ca
+            secret:
+              secretName: {{ .Values.persistence.s3.ca.secretName }}
+          {{- end }}
           - name: volume-backup
             {{- if .Values.persistence.nfs.enabled }}
             nfs:
@@ -59,6 +75,8 @@ spec:
             {{- else if .Values.persistence.existingClaim }}
             persistentVolumeClaim:
               claimName: {{ .Values.persistence.existingClaim }}
+            {{- else }}
+            emptyDir: {}
             {{- end }}
           {{- if .Values.extraVolumes }}
             {{- toYaml .Values.extraVolumes | nindent 10 }}

charts/kubernetes-etcd-backup/templates/secret.yaml

@@ -0,0 +1,15 @@
+{{- if and (.Values.persistence.s3.enabled) (not .Values.persistence.s3.existingSecret) }}
+apiVersion: v1
+kind: Secret
+metadata:
+  labels:
+    {{- include "kubernetes-etcd-backup.labels" . | nindent 4 }}
+  name: {{ include "kubernetes-etcd-backup.fullname" . }}-secret
+data:
+  ETCD_BACKUP_S3_NAME: "{{ .Values.persistence.s3.name | b64enc }}"
+  ETCD_BACKUP_S3_HOST: "{{ .Values.persistence.s3.host | b64enc }}"
+  ETCD_BACKUP_S3_BUCKET: "{{ .Values.persistence.s3.bucket | b64enc }}"
+  ETCD_BACKUP_S3_ACCESS_KEY: "{{ .Values.persistence.s3.accessKey | b64enc }}"
+  ETCD_BACKUP_S3_SECRET_KEY: "{{ .Values.persistence.s3.secretKey | b64enc }}"
+type: Opaque
+{{- end }}

charts/kubernetes-etcd-backup/values.yaml

@@ -56,6 +56,24 @@ persistence:
     storageClass: ""
   # -- Use an exising PVC
   existingClaim: ""
+  s3:
+    # -- Enable S3 backend storage
+    enabled: false
+    # -- S3 endpoint name
+    name: etcd-backup
+    # -- S3 endpoint host
+    host: https://minio.local:9000
+    # -- S3 bucket name
+    bucket: etcd-backup
+    # -- S3 access key
+    accessKey: mysuperaccesskey
+    # -- S3 secret key
+    secretKey: mysupersecretkey
+    # -- S3 use an existing Secret instead of creating one
+    existingSecret: ""
+    ca:
+      enabled: false
+      secretName: "changeme"
 
 image:
   # -- Repository image to use
@@ -116,3 +134,16 @@ extraVolumes: []
 ## Additional volumes to the pod.
 #  - name: additional-volume
 #    emptyDir: {}
+
+securityContext: {}
+podSecurityContext:
+  runAsUser: 1000
+  fsGroup: 1000
+  # Settings required when s3 persistence is used
+  # Required because of `update-ca-trust` command
+  # # -- Run pod as privileged
+  # privileged: true
+  # # -- Set user ID
+  # runAsUser: 0
+  # # -- Set group ID
+  # runAsGroup: 0