diff --git a/.github/trusted_registries.yaml b/.github/trusted_registries.yaml
index 808a02d9fd..14e73d430d 100644
--- a/.github/trusted_registries.yaml
+++ b/.github/trusted_registries.yaml
@@ -10,6 +10,8 @@ registries:
 curl: ALL_TAGS
 fluxcd: ALL_IMAGES
 grafana: ALL_IMAGES
+ minio:
+ mc: ALL_TAGS
 stellio: ALL_IMAGES
 velero: ALL_IMAGES
 vladgh:
diff --git a/charts/t8s-cluster/templates/_etcd-backup.yaml b/charts/t8s-cluster/templates/_etcd-backup.yaml
new file mode 100644
index 0000000000..ec7b541691
--- /dev/null
+++ b/charts/t8s-cluster/templates/_etcd-backup.yaml
@@ -0,0 +1,150 @@
+{{- define "t8s-cluster.etcd-backup" -}}
+ {{- $_ := mustMerge . (pick .context "Values" "Release" "Chart") -}}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: kube-etcd-backup
+ namespace: {{ .hosted | ternary .Release.Namespace "kube-system" }}
+ labels: {{- include "common.labels.standard" . | nindent 4 }}
+spec:
+ concurrencyPolicy: Forbid
+ failedJobsHistoryLimit: 10
+ successfulJobsHistoryLimit: 1
+ schedule: '0 0 * * *'
+ jobTemplate:
+ spec:
+ backoffLimit: 6
+ template:
+ spec:
+ initContainers:
+ - name: etcd-backup
+ command:
+ - sh
+ - -ec
+ - |
+ etcdctl snapshot save /tmp/etcd-snapshot.db --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/peer.crt --key=/etc/kubernetes/pki/etcd/peer.key
+ etcdctl snapshot status -w table /tmp/etcd-snapshot.db
+ env:
+ - name: ETCDCTL_API
+ value: "3"
+ - name: ETCDCTL_ENDPOINTS
+ value: {{ .hosted | ternary (printf "kmc-%s-etcd:2379" .Release.Name) "localhost:2379" }}
+ image: {{ include "common.images.image" (dict "imageRoot" .Values.global.etcd.image "global" .Values.global) }}
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ runAsGroup: 1000
+ runAsUser: {{ .hosted | ternary 1000 0 }}
+ runAsNonRoot: {{ .hosted }}
+ privileged: false
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /etc/kubernetes/pki/etcd
+ name: etcd-certs
+ readOnly: true
+ containers:
+ - name: upload-backup
+ command:
+ - bash
+ - -xec
+ - mc cp /tmp/etcd-snapshot.db container/$(S3_BUCKET)/$(date --iso-8601=hours).db
+ env:
+ - name: S3_HOST
+ valueFrom:
+ secretKeyRef:
+ key: host
+ name: etcd-backup-config
+ - name: S3_PORT
+ valueFrom:
+ secretKeyRef:
+ key: port
+ name: etcd-backup-config
+ - name: S3_ACCESS_KEY_ID
+ valueFrom:
+ secretKeyRef:
+ key: access_key_id
+ name: etcd-backup-config
+ - name: S3_SECRET_ACCESS_KEY
+ valueFrom:
+ secretKeyRef:
+ key: 
secret_access_key
+ name: etcd-backup-config
+ - name: S3_BUCKET
+ valueFrom:
+ secretKeyRef:
+ key: bucket
+ name: etcd-backup-config
+ - name: MC_HOST_container
+ value: https://$(S3_ACCESS_KEY_ID):$(S3_SECRET_ACCESS_KEY)@$(S3_HOST):$(S3_PORT)
+ - name: MC_CONFIG_DIR
+ value: /tmp/wtf-mc
+ image: {{ include "common.images.image" (dict "imageRoot" .Values.global.minioCli.image "global" .Values.global) }}
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ runAsGroup: 1000
+ runAsUser: {{ .hosted | ternary 1000 0 }}
+ runAsNonRoot: {{ .hosted }}
+ privileged: false
+ allowPrivilegeEscalation: false
+ seccompProfile:
+ type: RuntimeDefault
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - mountPath: /tmp/etcd-snapshot.db
+ name: tmp
+ subPath: etcd-snapshot.db
+ readOnly: true
+ - mountPath: /tmp/wtf-mc
+ name: tmp
+ subPath: wtf-mc
+ dnsPolicy: ClusterFirst
+ hostNetwork: true
+ nodeSelector:
+ node-role.kubernetes.io/control-plane: ""
+ restartPolicy: OnFailure
+ {{- if not .hosted }}
+ hostNetwork: true
+ nodeSelector:
+ node-role.kubernetes.io/control-plane: ""
+ tolerations:
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/control-plane
+ operator: Exists
+ - effect: NoSchedule
+ key: node-role.kubernetes.io/master
+ operator: Exists
+ {{- end }}
+ volumes:
+ - name: etcd-certs
+ {{- if .hosted }}
+ projected:
+ defaultMode: 420
+ sources:
+ - secret:
+ items:
+ - key: tls.crt
+ path: ca.crt
+ name: {{ printf "%s-etcd" .Release.Name }}
+ - secret:
+ items:
+ - key: tls.crt
+ path: peer.crt
+ - key: tls.key
+ path: peer.key
+ name: {{ printf "%s-etcd-peer" .Release.Name }}
+ {{- else }}
+ hostPath:
+ path: /etc/kubernetes/pki/etcd
+ type: Directory
+ {{- end }}
+ - emptyDir: {}
+ name: tmp
+{{- end -}}
diff --git a/charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl b/charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl
index 3b07e7ee5d..62c4f00d2c 100644
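Review bot: The snapshot written by the `etcd-backup` init container never reaches `upload-backup`: the init container runs with `readOnlyRootFilesystem: true` and its only volumeMount is the read-only `etcd-certs`, so `etcdctl snapshot save /tmp/etcd-snapshot.db` has no writable `/tmp`, and the `tmp` emptyDir that the second container mounts via `subPath: etcd-snapshot.db` is never populated. The init container needs the shared volume too, e.g. `- mountPath: /tmp` / `name: tmp` appended to its `volumeMounts`. Separately, `hostNetwork: true` and the `nodeSelector` block are emitted once unconditionally under the pod `spec` and again inside `{{- if not .hosted }}`, which yields duplicate mapping keys in the rendered manifest and forces the hosted variant (which talks to the `kmc-<release>-etcd` service over cluster DNS) onto control-plane host networking; the unconditional copy should be dropped so only the guarded one remains. `MC_CONFIG_DIR: /tmp/wtf-mc` also reads as a placeholder name and deserves a neutral one such as `/tmp/mc`.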
--- a/charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl +++ b/charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl @@ -157,9 +157,9 @@ server = {{ printf "https://%s" .registry | quote }} {{- end }} {{- define "t8s-cluster.clusterClass.apiServer.admissionPlugins" -}} - {{- $admissionPlugins := list "AlwaysPullImages" -}} + {{- $admissionPlugins := list "AlwaysPullImages" "NodeRestriction" -}} {{- if not .excludePatches -}} - {{- $admissionPlugins = concat $admissionPlugins (list "EventRateLimit" "NodeRestriction") -}} + {{- $admissionPlugins = concat $admissionPlugins (list "EventRateLimit") -}} {{- end -}} {{- $admissionPlugins | toYaml -}} {{- end -}} diff --git a/charts/t8s-cluster/templates/management-cluster/clusterClass/bootstrapConfigTemplate/_k0smotronConfigTemplateSpec.yaml b/charts/t8s-cluster/templates/management-cluster/clusterClass/bootstrapConfigTemplate/_k0sWorkerConfigTemplateSpec.yaml similarity index 100% rename from charts/t8s-cluster/templates/management-cluster/clusterClass/bootstrapConfigTemplate/_k0smotronConfigTemplateSpec.yaml rename to charts/t8s-cluster/templates/management-cluster/clusterClass/bootstrapConfigTemplate/_k0sWorkerConfigTemplateSpec.yaml diff --git a/charts/t8s-cluster/templates/management-cluster/etcd-backup.yaml b/charts/t8s-cluster/templates/management-cluster/etcd-backup.yaml new file mode 100644 index 0000000000..d23b671082 --- /dev/null +++ b/charts/t8s-cluster/templates/management-cluster/etcd-backup.yaml @@ -0,0 +1,3 @@ +{{- if .Values.controlPlane.hosted -}} + {{- include "t8s-cluster.etcd-backup" (dict "context" $ "hosted" true) | nindent 0 -}} +{{- end -}} diff --git a/charts/t8s-cluster/templates/workload-cluster/etcd-backup.yaml b/charts/t8s-cluster/templates/workload-cluster/etcd-backup.yaml new file mode 100644 index 0000000000..b8dce1f1e9 --- /dev/null +++ b/charts/t8s-cluster/templates/workload-cluster/etcd-backup.yaml 
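Review bot: Nothing in `t8s-cluster.clusterClass.apiServer.admissionPlugins` records why `NodeRestriction` now belongs to the unconditional list while `EventRateLimit` stays behind `.excludePatches`, so a later edit could easily move it back. A one-line template comment above the first assignment would settle it, e.g. `{{- /* NodeRestriction needs no admission configuration, so it is enabled even when patches are excluded */ -}}`. Presumably EventRateLimit remains gated because its admission configuration file is delivered by the patches; that is worth confirming and stating in the same comment.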
@@ -0,0 +1,3 @@ +{{- if not .Values.controlPlane.hosted -}} + {{- include "t8s-cluster.helm.resourceIntoCluster" (dict "name" "etcd-backup" "resource" (include "t8s-cluster.etcd-backup" (dict "context" $ "hosted" false)) "context" $ "additionalLabels" (dict "app.kubernetes.io/component" "etcd")) | nindent 0 -}} +{{- end -}} diff --git a/charts/t8s-cluster/values.yaml b/charts/t8s-cluster/values.yaml index 3093833aec..b444e5a30a 100644 --- a/charts/t8s-cluster/values.yaml +++ b/charts/t8s-cluster/values.yaml @@ -30,6 +30,11 @@ global: registry: docker.io repository: alpine/semver tag: 7.5.4 + minioCli: + image: + registry: docker.io + repository: minio/mc + tag: RELEASE.2024-06-24T19-40-33Z injectedCertificateAuthorities: "" kubeletExtraConfig: # This is only used when using 1.27 or later