Commit b7e31745 authored by Elouan Martinet

Remove AWS support

parent 93b04583
......@@ -11,14 +11,12 @@ RUN apk update && \
jq \
python \
py-yaml \
py2-pip \
libstdc++ \
gpgme \
git-crypt \
&& \
rm -rf /var/cache/apk/*
RUN pip install ijson awscli
RUN adduser -h /backup -D backup
ENV KUBECTL_VERSION 1.17.0
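Review bot: `RUN pip install ijson awscli` installs two packages and only `awscli` is AWS-specific, so if this commit drops the whole line (and `py2-pip` with it), `ijson` goes too. Confirm nothing in the backup script still imports `ijson`; if something does, keep `py2-pip` and reduce the line to `RUN pip install ijson`.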
......
......@@ -9,7 +9,7 @@ Props to @gianrubio for coming up with the idea.
Setup
-----
Use the deployment example ([ssh](cronjob-ssh.yaml) or [AWS CodeCommit](cronjob-codecommit.yaml) authentication) and deploy a kubernetes `CronJob` primitive in your kubernetes (1.5 and up) cluster ensuring backups of kubernetes resource definitions to your private git repo.
Use the deployment example ([ssh](cronjob-ssh.yaml) authentication) and deploy a kubernetes `CronJob` primitive in your kubernetes (1.5 and up) cluster ensuring backups of kubernetes resource definitions to your private git repo.
Define the following environment parameters:
* `GIT_REPO` - GIT repo url. **Required**
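Review bot: style point on the rewritten Setup sentence: with a single link left, "Use the deployment example ([ssh](cronjob-ssh.yaml) authentication)" reads like a leftover from the two-option wording. Suggest linking the example directly, e.g. "Use the [deployment example](cronjob-ssh.yaml) (ssh authentication) and deploy a kubernetes `CronJob` ...".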
......@@ -24,29 +24,7 @@ Define the following environment parameters:
* `GITCRYPT_PRIVATE_KEY` - Path to private gpg key for git-crypt. See [git-crypt section](#git-crypt) for details. Default: `/secrets/gpg-private.key`
* `GITCRYPT_SYMMETRIC_KEY` - Path to shared symmetric key for git-crypt. See [git-crypt section](#git-crypt). Default: `/secrets/symmetric.key`
Choose one of two authentication mechanisms:
* When using AWS CodeCommit and policy-based access from AWS, modify your cluster configuration to provide GitPull and GitPush access for that CodeCommit repo to your cluster. If using `kops`, the configuration will look something like this:
```yaml
additionalPolicies:
node: |
[
{
"Effect": "Allow",
"Action": [
"codecommit:GitPull",
"codecommit:GitPush"
],
"Resource": "arn:aws:codecommit:<region>:<account name>:<repo-name>"
}
]
```
NOTE: in this deployment, the ssh volume and secret are not present.
* When using a different repository (GitHub, BitBucket, etc.), mount a configured ssh directory in `/backup/.ssh` with the following files:
Mount a configured ssh directory in `/backup/.ssh` with the following files:
* `known_hosts` - Preloaded with SSH host key of `$GIT_REPO` host.
* `id_rsa` - SSH private key of user allowed to push to `$GIT_REPO`.
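Review bot: the new sentence "Mount a configured ssh directory in `/backup/.ssh`" makes ssh the only authentication path, but neither `known_hosts` nor `id_rsa` is marked **Required** the way `GIT_REPO` is. Mark both as required, and consider stating that `id_rsa` should be a key dedicated to this job with push access to the backup repo only, since the README goes on to store it in a cluster secret.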
......@@ -59,8 +37,6 @@ Choose one of two authentication mechanisms:
kubectl create secret generic kube-backup-ssh -n kube-system --from-file=id_rsa --from-file=known_hosts
```
NOTE: If `id_rsa` isn't found in your ssh directory, the backup script will assume you're using AWS CodeCommit.
Optional:
* Modify the snapshot frequency in `spec.schedule` using the [cron format](https://en.wikipedia.org/wiki/Cron).
* Modify the number of successful and failed finished jobs to retain in `spec.successfulJobsHistoryLimit` and `spec.failedJobsHistoryLimit`.
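Review bot: deleting the NOTE about a missing `id_rsa` leaves the README silent on what happens when the key is absent from the mounted ssh directory. Rather than removing the note outright, replace it with one line describing the behaviour after this change.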
......
apiVersion: v1
kind: ServiceAccount
metadata:
name: kube-backup
namespace: kube-system
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: kube-state-backup
namespace: kube-system
labels:
app: kube-backup
spec:
schedule: "*/10 * * * *"
concurrencyPolicy: Replace
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
template:
metadata:
labels:
app: kube-backup
name: kube-backup
spec:
containers:
- image: quay.io/plange/kube-backup:1.12.0-1
imagePullPolicy: Always
name: backup
resources: {}
securityContext:
runAsUser: 1000
env:
- name: GIT_REPO
value: "git@git.example.com:infra/kube-backup.git"
- name: RESOURCETYPES
value: "ingress deployment configmap svc rc ds customresourcedefinition networkpolicy statefulset storageclass cronjob"
volumeMounts:
- mountPath: /backup/
name: cache
dnsPolicy: ClusterFirst
terminationGracePeriodSeconds: 30
serviceAccountName: kube-backup
volumes:
- name: cache
emptyDir: {}
restartPolicy: OnFailure
......@@ -18,10 +18,6 @@ GITCRYPT_ENABLE="${GITCRYPT_ENABLE:-"false"}"
GITCRYPT_PRIVATE_KEY="${GITCRYPT_PRIVATE_KEY:-"/secrets/gpg-private.key"}"
GITCRYPT_SYMMETRIC_KEY="${GITCRYPT_SYMMETRIC_KEY:-"/secrets/symmetric.key"}"
if [ ! -f /backup/.ssh/id_rsa ]; then
git config --global credential.helper '!aws codecommit credential-helper $@'
git config --global credential.UseHttpPath true
fi
[ -z "$DRY_RUN" ] && git config --global user.name "$GIT_USERNAME"
[ -z "$DRY_RUN" ] && git config --global user.email "$GIT_EMAIL"
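Review bot: the `if [ ! -f /backup/.ssh/id_rsa ]` block was the only place in these lines that noticed a missing key, and with it gone nothing here checks that the key exists before git is used. Consider keeping the test as a fail-fast, e.g. `[ -f /backup/.ssh/id_rsa ] || { echo "missing /backup/.ssh/id_rsa" >&2; exit 1; }`, guarded like the `DRY_RUN` lines if dry runs are meant to work without a key, so a misconfigured secret shows up as a clear job failure.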
......