cronjob-backup-etcd.yaml
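# CronJob that snapshots etcd from a Talos control plane node and ships the
# snapshot to a restic repository.
#
# Flow: the `talosctl` init container writes /data/etcd.snapshot into a shared
# emptyDir volume; the `restic` container then backs up that directory.
#
# An etcd snapshot holds the full cluster state, Secret objects included.
# restic encrypts repository contents with RESTIC_PASSWORD before upload, so
# that key and the S3 credentials below are what protect the backups.
apiVersion: batch/v1
kind: CronJob
metadata:
  name: etcd-backup
  namespace: kube-system
spec:
  # Forbid: do not start a new run while the previous one is still active.
  concurrencyPolicy: Forbid
  schedule: "12 4 * * *"  # Change me if needed (04:12 daily)
  jobTemplate:
    spec:
      template:
        spec:
          initContainers:
            - name: talosctl
              image: ghcr.io/siderolabs/talosctl:v1.3.5
              args:
                - -n
                - "$(CP_NODE_IP)"
                - etcd
                - snapshot
                - /data/etcd.snapshot
              env:
                - name: CP_NODE_IP
                  value: ""  # Change me to a Talos control plane node IP
              volumeMounts:
                # Talos API credentials, taken from the Secret named in the
                # `talos-secrets` volume below.
                - name: talos-secrets
                  mountPath: /var/run/secrets/talos.dev
                - name: backupdata
                  mountPath: /data
          containers:
            - name: restic
              # NOTE(review): `latest` is a mutable tag, and this container is
              # handed the repository password and the S3 keys. Pin a reviewed
              # release tag or an image digest, as is done for talosctl above.
              image: restic/restic:latest
              workingDir: /data
              args:
                - backup
                - --host
                - kubernetes  # set a consistent hostname to avoid restic rescans
                - .  # use workingDir to get relative paths in backup
              env:
                # NOTE(review): restic expects a full repository location in
                # RESTIC_REPOSITORY; presumably the `bucketName` key holds
                # that rather than a bare bucket name. Confirm.
                - name: RESTIC_REPOSITORY
                  valueFrom:
                    secretKeyRef:
                      name: talos-etcd-s3-keys
                      key: bucketName
                      optional: false
                - name: RESTIC_PASSWORD
                  valueFrom:
                    secretKeyRef:
                      name: talos-etcd-s3-keys
                      key: resticKey
                      optional: false
                - name: AWS_ACCESS_KEY_ID
                  valueFrom:
                    secretKeyRef:
                      name: talos-etcd-s3-keys
                      key: accessKeyId
                      optional: false
                - name: AWS_SECRET_ACCESS_KEY
                  valueFrom:
                    secretKeyRef:
                      name: talos-etcd-s3-keys
                      key: secretAccessKey
                      optional: false
              volumeMounts:
                # The uploader only needs to read the snapshot.
                - name: backupdata
                  mountPath: /data
                  readOnly: true
          volumes:
            # Scratch space shared by the two containers; it is removed with
            # the pod. Kubernetes field names are case-sensitive, so this must
            # be spelled `emptyDir`: with `emptydir` the volume has no
            # recognised source.
            - name: backupdata
              emptyDir: {}
            - name: talos-secrets
              secret:
                secretName: etcd-backup-talos-secrets
          restartPolicy: OnFailure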
---
# Talos ServiceAccount (a talos.dev resource, not a core Kubernetes one).
# Its name matches the `secretName` mounted by the etcd-backup CronJob, and
# its only role is `os:etcd:backup`, which keeps the credential scoped to
# taking etcd snapshots.
# NOTE(review): Talos API access from inside the cluster presumably has to be
# enabled in the machine config for this namespace and role. Confirm.
apiVersion: talos.dev/v1alpha1
kind: ServiceAccount
metadata:
  name: etcd-backup-talos-secrets
  namespace: kube-system
spec:
  roles:
    - os:etcd:backup