From 2331da8cf8b056879d7b94b3ec971fde4f002c37 Mon Sep 17 00:00:00 2001 From: Xavor Date: Sun, 31 Aug 2025 00:24:21 +0200 Subject: [PATCH] velero --- Clusterkey.txt | 10 -- .../backupstoragelocations/bsl-a.yaml | 16 ++++ .../backupstoragelocations/bsl-b.yaml | 16 ++++ minio-velero/deployments/minio-a.yaml | 47 ++++++++++ minio-velero/deployments/minio-b.yaml | 47 ++++++++++ minio-velero/jobs/minio-a-init.yaml | 50 ++++++++++ minio-velero/jobs/minio-b-init.yaml | 50 ++++++++++ minio-velero/kustomization.yaml | 21 +++++ {velero => minio-velero}/namespace.yaml | 2 +- .../networkpolicies/allow-self-to-minio.yaml | 19 ++++ .../networkpolicies/default-deny-ingress.yaml | 7 ++ minio-velero/pvcs/minio-a-pvc.yaml | 10 ++ minio-velero/pvcs/minio-b-pvc.yaml | 10 ++ {velero => minio-velero}/readme.md | 56 ++++++----- minio-velero/secrets/cloud-credentials.yaml | 10 ++ minio-velero/secrets/minio-root.yaml | 8 ++ minio-velero/services/minio-a.yaml | 19 ++++ minio-velero/services/minio-b.yaml | 19 ++++ minio-velero/values-velero.yaml | 28 ++++++ minio/readme.md | 78 ---------------- minio/site-a/service.yaml | 18 ---- minio/site-b/service.yaml | 18 ---- seagate/storageclass/nano | 0 test/testpod.yaml | 36 -------- velero/bsl/bsl-default-site-a.yaml | 16 ---- velero/bsl/bsl-site-b.yaml | 16 ---- velero/helm/values-approach-a.yaml | 36 -------- velero/helm/values-approach-b.yaml | 30 ------ .../monitoring/grafana-dashboard-velero.json | 92 ------------------- velero/monitoring/servicemonitor.yaml | 16 ---- velero/schedules/schedules.yaml | 27 ------ velero/secrets/secret-site-a.yaml | 11 --- velero/secrets/secret-site-b.yaml | 11 --- velero/vsl-default.yaml | 7 -- 34 files changed, 411 insertions(+), 446 deletions(-) delete mode 100644 Clusterkey.txt create mode 100644 minio-velero/backupstoragelocations/bsl-a.yaml create mode 100644 minio-velero/backupstoragelocations/bsl-b.yaml create mode 100644 minio-velero/deployments/minio-a.yaml create mode 100644 minio-velero/deployments/minio-b.yaml create mode 100644 minio-velero/jobs/minio-a-init.yaml create mode 100644 minio-velero/jobs/minio-b-init.yaml create mode 100644 minio-velero/kustomization.yaml rename {velero => minio-velero}/namespace.yaml (66%) create mode 100644 minio-velero/networkpolicies/allow-self-to-minio.yaml create mode 100644 minio-velero/networkpolicies/default-deny-ingress.yaml create mode 100644 minio-velero/pvcs/minio-a-pvc.yaml create mode 100644 minio-velero/pvcs/minio-b-pvc.yaml rename {velero => minio-velero}/readme.md (60%) create mode 100644 minio-velero/secrets/cloud-credentials.yaml create mode 100644 minio-velero/secrets/minio-root.yaml create mode 100644 minio-velero/services/minio-a.yaml create mode 100644 minio-velero/services/minio-b.yaml create mode 100644 minio-velero/values-velero.yaml delete mode 100644 minio/readme.md delete mode 100644 minio/site-a/service.yaml delete mode 100644 minio/site-b/service.yaml delete mode 100644 seagate/storageclass/nano delete mode 100644 test/testpod.yaml delete mode 100644 velero/bsl/bsl-default-site-a.yaml delete mode 100644 velero/bsl/bsl-site-b.yaml delete mode 100644 velero/helm/values-approach-a.yaml delete mode 100644 velero/helm/values-approach-b.yaml delete mode 100644 velero/monitoring/grafana-dashboard-velero.json delete mode 100644 velero/monitoring/servicemonitor.yaml delete mode 100644 velero/schedules/schedules.yaml delete mode 100644 velero/secrets/secret-site-a.yaml delete mode 100644 velero/secrets/secret-site-b.yaml delete mode 100644 velero/vsl-default.yaml diff --git a/Clusterkey.txt b/Clusterkey.txt deleted file mode 100644 index 9e94474..0000000 --- a/Clusterkey.txt +++ /dev/null @@ -1,10 +0,0 @@ -kubeadm join 192.168.0.20:6443 --token rvz86n.c8rdb9ygtikrwnub --discovery-token-ca-cert-hash sha256:f925653dfb3d2b4697395a272e0b07cf4eb16b7ae5a2cc3b33aeab1f36fe7d13 --control-plane --certificate-key eeab98651b2f07f6ce53649b2cca1bf3c449d4fe6270ec0645219cd8c6795ca7 --apiserver-advertise-address=192.168.4.2 - - -sudo rm -rf /var/lib/kubelet/ -sudo rm -rf /etc/kubernetes -sudo rm -rf /etc/cni/ -sudo rm -rf /var/lib/etcd -sudo systemctl stop kubelet -sudo systemctl status kubelet -sudo kubeadm join 192.168.0.20:6443 --token rvz86n.c8rdb9ygtikrwnub --discovery-token-ca-cert-hash sha256:f925653dfb3d2b4697395a272e0b07cf4eb16b7ae5a2cc3b33aeab1f36fe7d13 --control-plane --certificate-key eeab98651b2f07f6ce53649b2cca1bf3c449d4fe6270ec0645219cd8c6795ca7 --apiserver-advertise-address=192.168.4.2 diff --git a/minio-velero/backupstoragelocations/bsl-a.yaml b/minio-velero/backupstoragelocations/bsl-a.yaml new file mode 100644 index 0000000..71c6e6a --- /dev/null +++ b/minio-velero/backupstoragelocations/bsl-a.yaml @@ -0,0 +1,16 @@ +apiVersion: velero.io/v1 +kind: BackupStorageLocation +metadata: + name: bsl-incluster-a +spec: + provider: aws + objectStorage: + bucket: velero-backups + config: + s3Url: http://minio-a.minio-velero.svc.cluster.local:9000 + s3ForcePathStyle: "true" + region: site-a + accessMode: ReadWrite + credential: + name: cloud-credentials + key: cloud diff --git a/minio-velero/backupstoragelocations/bsl-b.yaml b/minio-velero/backupstoragelocations/bsl-b.yaml new file mode 100644 index 0000000..67f7f7f --- /dev/null +++ b/minio-velero/backupstoragelocations/bsl-b.yaml @@ -0,0 +1,16 @@ +apiVersion: velero.io/v1 +kind: BackupStorageLocation +metadata: + name: bsl-incluster-b +spec: + provider: aws + objectStorage: + bucket: velero-backups + config: + s3Url: http://minio-b.minio-velero.svc.cluster.local:9000 + s3ForcePathStyle: "true" + region: site-b + accessMode: ReadWrite + credential: + name: cloud-credentials + key: cloud diff --git a/minio-velero/deployments/minio-a.yaml b/minio-velero/deployments/minio-a.yaml new file mode 100644 index 0000000..81568e0 --- /dev/null +++ b/minio-velero/deployments/minio-a.yaml @@ -0,0 +1,47 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: minio-a + labels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-a +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-a + template: + metadata: + labels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-a + spec: + securityContext: + fsGroup: 1000 + containers: + - name: minio + image: quay.io/minio/minio:latest + args: ["server", "/data", "--console-address", ":9001"] + envFrom: + - secretRef: + name: minio-root + ports: + - name: s3 + containerPort: 9000 + - name: console + containerPort: 9001 + volumeMounts: + - name: data + mountPath: /data + resources: + requests: + cpu: "250m" + memory: "512Mi" + limits: + cpu: "2" + memory: "4Gi" + volumes: + - name: data + persistentVolumeClaim: + claimName: minio-a-data diff --git a/minio-velero/deployments/minio-b.yaml b/minio-velero/deployments/minio-b.yaml new file mode 100644 index 0000000..c5caa3a --- /dev/null +++ b/minio-velero/deployments/minio-b.yaml @@ -0,0 +1,47 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: minio-b + labels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-b +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-b + template: + metadata: + labels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-b + spec: + securityContext: + fsGroup: 1000 + containers: + - name: minio + image: quay.io/minio/minio:latest + args: ["server", "/data", "--console-address", ":9001"] + envFrom: + - secretRef: + name: minio-root + ports: + - name: s3 + containerPort: 9000 + - name: console + containerPort: 9001 + volumeMounts: + - name: data + mountPath: /data + resources: + requests: + cpu: "250m" + memory: "512Mi" + limits: + cpu: "2" + memory: "4Gi" + volumes: + - name: data + persistentVolumeClaim: + claimName: minio-b-data diff --git a/minio-velero/jobs/minio-a-init.yaml b/minio-velero/jobs/minio-a-init.yaml new file mode 100644 index 0000000..099cf20 --- /dev/null +++ b/minio-velero/jobs/minio-a-init.yaml @@ -0,0 +1,50 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: minio-a-init + namespace: minio-velero +spec: + backoffLimit: 3 + template: + spec: + restartPolicy: OnFailure + containers: + - name: init + image: bitnami/minio-client:latest + command: ["/bin/sh","-lc"] + env: + - name: MINIO_ENDPOINT + value: "http://minio-a.minio-velero.svc.cluster.local:9000" + - name: MINIO_ROOT_USER + valueFrom: + secretKeyRef: + name: minio-root + key: MINIO_ROOT_USER + - name: MINIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: minio-root + key: MINIO_ROOT_PASSWORD + args: + - | + set -euo pipefail + echo "[init-a] waiting for $MINIO_ENDPOINT ..." + until curl -sf "$MINIO_ENDPOINT/minio/health/ready" >/dev/null; do sleep 2; done + echo "[init-a] configuring bucket/user/policy" + mc alias set minioA "$MINIO_ENDPOINT" "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD" + mc mb minioA/velero-backups || true + mc version enable minioA/velero-backups || true + mc admin user add minioA velero Velero12345 || true + cat > /tmp/policy.json <<'EOF' + { "Version":"2012-10-17", + "Statement":[ + {"Effect":"Allow","Action":["s3:*"], + "Resource":["arn:aws:s3:::velero-backups","arn:aws:s3:::velero-backups/*"]} + ]} + EOF + mc admin policy create minioA velero-rw /tmp/policy.json || true + mc admin policy attach minioA velero-rw --user velero || true + echo "[init-a] verifying with velero creds" + mc alias set a-vel "$MINIO_ENDPOINT" velero Velero12345 + mc ls a-vel/velero-backups >/dev/null + echo "[init-a] done" diff --git a/minio-velero/jobs/minio-b-init.yaml b/minio-velero/jobs/minio-b-init.yaml new file mode 100644 index 0000000..d1dbbeb --- /dev/null +++ b/minio-velero/jobs/minio-b-init.yaml @@ -0,0 +1,50 @@ +apiVersion: batch/v1 +kind: Job +metadata: + name: minio-b-init + namespace: minio-velero +spec: + backoffLimit: 3 + template: + spec: + restartPolicy: OnFailure + containers: + - name: init + image: bitnami/minio-client:latest + command: ["/bin/sh","-lc"] + env: + - name: MINIO_ENDPOINT + value: "http://minio-b.minio-velero.svc.cluster.local:9000" + - name: MINIO_ROOT_USER + valueFrom: + secretKeyRef: + name: minio-root + key: MINIO_ROOT_USER + - name: MINIO_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: minio-root + key: MINIO_ROOT_PASSWORD + args: + - | + set -euo pipefail + echo "[init-b] waiting for $MINIO_ENDPOINT ..." + until curl -sf "$MINIO_ENDPOINT/minio/health/ready" >/dev/null; do sleep 2; done + echo "[init-b] configuring bucket/user/policy" + mc alias set minioB "$MINIO_ENDPOINT" "$MINIO_ROOT_USER" "$MINIO_ROOT_PASSWORD" + mc mb minioB/velero-backups || true + mc version enable minioB/velero-backups || true + mc admin user add minioB velero Velero12345 || true + cat > /tmp/policy.json <<'EOF' + { "Version":"2012-10-17", + "Statement":[ + {"Effect":"Allow","Action":["s3:*"], + "Resource":["arn:aws:s3:::velero-backups","arn:aws:s3:::velero-backups/*"]} + ]} + EOF + mc admin policy create minioB velero-rw /tmp/policy.json || true + mc admin policy attach minioB velero-rw --user velero || true + echo "[init-b] verifying with velero creds" + mc alias set b-vel "$MINIO_ENDPOINT" velero Velero12345 + mc ls b-vel/velero-backups >/dev/null + echo "[init-b] done" diff --git a/minio-velero/kustomization.yaml b/minio-velero/kustomization.yaml new file mode 100644 index 0000000..4073165 --- /dev/null +++ b/minio-velero/kustomization.yaml @@ -0,0 +1,21 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +namespace: minio-velero + +resources: + - namespace.yaml + - secrets/minio-root.yaml + - secrets/cloud-credentials.yaml + - networkpolicies/default-deny-ingress.yaml + - networkpolicies/allow-self-to-minio.yaml + - pvcs/minio-a-pvc.yaml + - deployments/minio-a.yaml + - services/minio-a.yaml + - jobs/minio-a-init.yaml + - pvcs/minio-b-pvc.yaml + - deployments/minio-b.yaml + - services/minio-b.yaml + - jobs/minio-b-init.yaml + - backupstoragelocations/bsl-a.yaml + - backupstoragelocations/bsl-b.yaml diff --git a/velero/namespace.yaml b/minio-velero/namespace.yaml similarity index 66% rename from velero/namespace.yaml rename to minio-velero/namespace.yaml index b442fae..f6ba99b 100644 --- a/velero/namespace.yaml +++ b/minio-velero/namespace.yaml @@ -1,4 +1,4 @@ apiVersion: v1 kind: Namespace metadata: - name: velero + name: minio-velero diff --git a/minio-velero/networkpolicies/allow-self-to-minio.yaml b/minio-velero/networkpolicies/allow-self-to-minio.yaml new file mode 100644 index 0000000..ae29ed5 --- /dev/null +++ b/minio-velero/networkpolicies/allow-self-to-minio.yaml @@ -0,0 +1,19 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: allow-self-to-minio +spec: + podSelector: + matchLabels: + app.kubernetes.io/name: minio + policyTypes: ["Ingress"] + ingress: + - from: + - namespaceSelector: + matchLabels: + kubernetes.io/metadata.name: minio-velero + ports: + - protocol: TCP + port: 9000 + - protocol: TCP + port: 9001 diff --git a/minio-velero/networkpolicies/default-deny-ingress.yaml b/minio-velero/networkpolicies/default-deny-ingress.yaml new file mode 100644 index 0000000..3616619 --- /dev/null +++ b/minio-velero/networkpolicies/default-deny-ingress.yaml @@ -0,0 +1,7 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: default-deny-ingress +spec: + podSelector: {} + policyTypes: ["Ingress"] diff --git a/minio-velero/pvcs/minio-a-pvc.yaml b/minio-velero/pvcs/minio-a-pvc.yaml new file mode 100644 index 0000000..6280c35 --- /dev/null +++ b/minio-velero/pvcs/minio-a-pvc.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: minio-a-data +spec: + accessModes: ["ReadWriteOnce"] + storageClassName: sc-me5-site-a + resources: + requests: + storage: 5Ti diff --git a/minio-velero/pvcs/minio-b-pvc.yaml b/minio-velero/pvcs/minio-b-pvc.yaml new file mode 100644 index 0000000..52f828e --- /dev/null +++ b/minio-velero/pvcs/minio-b-pvc.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: minio-b-data +spec: + accessModes: ["ReadWriteOnce"] + storageClassName: sc-me5-site-b + resources: + requests: + storage: 5Ti diff --git a/velero/readme.md b/minio-velero/readme.md similarity index 60% rename from velero/readme.md rename to minio-velero/readme.md index a8c6ee6..a4d3d99 100644 --- a/velero/readme.md +++ b/minio-velero/readme.md @@ -1,28 +1,33 @@ # Velero + MinIO (c2et.net) Este paquete contiene: -- `namespace.yaml` -- Secrets de credenciales (`cloud-credentials-site-a`, `cloud-credentials-site-b`) -- BackupStorageLocation (BSL) por YAML: `default` (site-a) y `site-b` -- Ejemplo de `Schedule` (nightly a las 02:00 y 02:30) -- `helm/values-approach-b.yaml`: despliegue de Velero sin BSL/Secret (GitOps) -- `ServiceMonitor` (si usas Prometheus Operator) -- Dashboard de Grafana (JSON) -## Flujo recomendado (GitOps, Approach B) +* `namespace.yaml` +* Secrets de credenciales (`cloud-credentials.yaml`, `minio-root.yaml`) +* Despliegues de MinIO (`minio-a`, `minio-b`) con sus `PVC` y `Service` +* Jobs de inicialización (`minio-a-init`, `minio-b-init`) +* `BackupStorageLocation` (BSL) por YAML: `bsl-incluster-a` y `bsl-incluster-b` +* Ejemplo de `Schedule` (nightly a las 02:00 y 02:30) +* `values-velero.yaml`: despliegue de Velero sin BSL/Secret (GitOps) +* `ServiceMonitor` (si usas Prometheus Operator) +* Dashboard de Grafana (JSON) + +## Flujo recomendado (GitOps) + ```bash -# 1) Instala Velero por Helm sin BSL ni secrets +# 1) Instalar Velero por Helm sin BSL ni secrets helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts -helm upgrade --install velero vmware-tanzu/velero -n velero --create-namespace -f helm/values-approach-b.yaml +helm upgrade --install velero vmware-tanzu/velero -n minio-velero -f values-velero.yaml -# 2) Aplica Secrets, BSLs y Schedules -kubectl apply -f namespace.yaml -kubectl apply -f secrets/secret-site-a.yaml -f secrets/secret-site-b.yaml -kubectl apply -f bsl/bsl-default-site-a.yaml -f bsl/bsl-site-b.yaml +# 2) Crear namespace y desplegar MinIO con sus Secrets, PVCs, Services y Jobs de init +kubectl apply -k ./ + +# 3) (Opcional) Aplicar Schedules kubectl apply -f schedules/schedules.yaml ``` ## Cliente Velero + Para interactuar con Velero necesitas el binario en tu máquina de administración. ```bash @@ -30,32 +35,33 @@ Para interactuar con Velero necesitas el binario en tu máquina de administraci wget https://github.com/vmware-tanzu/velero/releases/download/v1.16.2/velero-v1.16.2-linux-amd64.tar.gz tar -xvf velero-v1.16.2-linux-amd64.tar.gz sudo mv velero-v1.16.2-linux-amd64/velero /usr/local/bin/ - -# MacOS Intel -wget https://github.com/vmware-tanzu/velero/releases/download/v1.16.2/velero-v1.16.2-darwin-amd64.tar.gz -tar -xvf velero-v1.16.2-darwin-amd64.tar.gz -sudo mv velero-v1.16.2-darwin-amd64/velero /usr/local/bin/ ``` Verifica la instalación: + ```bash velero version ``` ## Hacer un backup manual + Ejemplo: respaldar el namespace `wireguard`. + ```bash velero backup create wireguard-backup --include-namespaces wireguard --wait velero backup describe wireguard-backup --details ``` Puedes excluir recursos innecesarios (ej. CRDs de KubeVirt): + ```bash velero backup create smoke --include-namespaces default --exclude-resources uploadtokenrequests.upload.cdi.kubevirt.io --wait ``` ## Programar backups (Schedules) + Ejemplo de programación diaria a las 03:15, TTL de 30 días: + ```bash velero schedule create daily-wireguard --schedule "15 3 * * *" --include-namespaces wireguard --ttl 720h --default-volumes-to-fs-backup ``` @@ -63,7 +69,9 @@ velero schedule create daily-wireguard --schedule "15 3 * * *" --include-nam Los schedules también se pueden definir por YAML en `schedules/schedules.yaml`. ## Restaurar un backup + ### Restaurar al mismo namespace (desastre real) + ```bash # 1) Borrar el namespace roto kubectl delete ns wireguard @@ -74,13 +82,15 @@ velero restore describe wireguard-restore --details ``` ### Restaurar a otro namespace (ensayo) + ```bash kubectl create ns wireguard-restore velero restore create wireguard-restore-test --from-backup wireguard-backup --namespace-mappings wireguard:wireguard-restore --wait ``` ## Notas -- MinIO requiere `s3ForcePathStyle=true`. -- Si usas CA propia, añade `spec.config.caCert` en los BSL. -- `ServiceMonitor` requiere Prometheus Operator; ajusta `metadata.labels.release` al valor que use tu Prometheus. -- Importa el dashboard JSON en Grafana (datasource `prometheus`). + +* MinIO requiere `s3ForcePathStyle=true`. +* Si usas CA propia, añade `spec.config.caCert` en los BSL. +* `ServiceMonitor` requiere Prometheus Operator; ajusta `metadata.labels.release` al valor que use tu Prometheus. +* Importa el dashboard JSON en Grafana (datasource `prometheus`). diff --git a/minio-velero/secrets/cloud-credentials.yaml b/minio-velero/secrets/cloud-credentials.yaml new file mode 100644 index 0000000..2d911ab --- /dev/null +++ b/minio-velero/secrets/cloud-credentials.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cloud-credentials +type: Opaque +stringData: + cloud: | + [default] + aws_access_key_id = velero + aws_secret_access_key = Velero12345 diff --git a/minio-velero/secrets/minio-root.yaml b/minio-velero/secrets/minio-root.yaml new file mode 100644 index 0000000..89be06d --- /dev/null +++ b/minio-velero/secrets/minio-root.yaml @@ -0,0 +1,8 @@ +apiVersion: v1 +kind: Secret +metadata: + name: minio-root +type: Opaque +stringData: + MINIO_ROOT_USER: admin + MINIO_ROOT_PASSWORD: "Pozuelo12345" diff --git a/minio-velero/services/minio-a.yaml b/minio-velero/services/minio-a.yaml new file mode 100644 index 0000000..c04c1c2 --- /dev/null +++ b/minio-velero/services/minio-a.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: minio-a + labels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-a +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-a + ports: + - name: s3 + port: 9000 + targetPort: 9000 + - name: console + port: 9001 + targetPort: 9001 diff --git a/minio-velero/services/minio-b.yaml b/minio-velero/services/minio-b.yaml new file mode 100644 index 0000000..d2ef8ac --- /dev/null +++ b/minio-velero/services/minio-b.yaml @@ -0,0 +1,19 @@ +apiVersion: v1 +kind: Service +metadata: + name: minio-b + labels: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-b +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: minio + app.kubernetes.io/instance: minio-b + ports: + - name: s3 + port: 9000 + targetPort: 9000 + - name: console + port: 9001 + targetPort: 9001 diff --git a/minio-velero/values-velero.yaml b/minio-velero/values-velero.yaml new file mode 100644 index 0000000..fceba1c --- /dev/null +++ b/minio-velero/values-velero.yaml @@ -0,0 +1,28 @@ +# No crear credenciales ni BSL/VSL desde Helm (los gestionas por YAML) +credentials: + useSecret: false + +configuration: + # En v1.16 ya no es necesario el flag, pero si quieres forzar el motor FS: + # features: EnableFSBackup + features: "" # déjalo vacío si no quieres forzar nada + backupStorageLocation: [] # BSL por YAML + volumeSnapshotLocation: [] # evita el error "spec.provider: Required value" + defaultVolumesToFsBackup: true # hace FS-backup por defecto (Kopia/node-agent) + +# Despliega el node-agent (DaemonSet en todos los nodos) +deployNodeAgent: true +nodeAgent: + podConfig: + # Tómatelo como "catch-all" para cualquier taint + tolerations: + - operator: "Exists" + +# Plugin S3 para MinIO (obligatorio para que el server tenga el provider "aws") +initContainers: + - name: velero-plugin-for-aws + image: velero/velero-plugin-for-aws:v1.9.0 + imagePullPolicy: IfNotPresent + volumeMounts: + - name: plugins + mountPath: /target diff --git a/minio/readme.md b/minio/readme.md deleted file mode 100644 index a85b686..0000000 --- a/minio/readme.md +++ /dev/null @@ -1,78 +0,0 @@ -# MinIO en Kubernetes — c2et.net (Site A/B) - -Este paquete contiene manifiestos sin Helm para desplegar **dos instancias independientes de MinIO**, -una por site, usando tus StorageClasses `sc-me5-site-a` y `sc-me5-site-b`, y forzando programación por zona. - -## Estructura - -``` -minio-k8s-c2et-net/ - site-a/ - namespace.yaml - secret-root.yaml - pvc.yaml - statefulset.yaml - service.yaml - ingress-api.yaml - ingress-console.yaml - site-b/ - (idéntico con valores del site B) -``` - -## Credenciales de administración -- Usuario: **admin** -- Password: **Pozuelo12345** - -> Cambia estas credenciales en `secret-root.yaml` antes de ir a producción. - -## Dominios -- Site A API: `s3-a.c2et.net` -- Site A Consola: `console.s3-a.c2et.net` -- Site B API: `s3-b.c2et.net` -- Site B Consola: `console.s3-b.c2et.net` - -Requisitos previos: -- IngressClass `nginx` operativo. -- `cert-manager` con `ClusterIssuer` llamado `letsencrypt-prod`. -- DNS apuntando los hosts anteriores al Ingress Controller. - -## Despliegue rápido - -```bash -kubectl apply -f site-a/namespace.yaml -kubectl apply -f site-a/secret-root.yaml -kubectl apply -f site-a/pvc.yaml -kubectl apply -f site-a/service.yaml -kubectl apply -f site-a/statefulset.yaml -kubectl apply -f site-a/ingress-api.yaml -kubectl apply -f site-a/ingress-console.yaml - -kubectl apply -f site-b/namespace.yaml -kubectl apply -f site-b/secret-root.yaml -kubectl apply -f site-b/pvc.yaml -kubectl apply -f site-b/service.yaml -kubectl apply -f site-b/statefulset.yaml -kubectl apply -f site-b/ingress-api.yaml -kubectl apply -f site-b/ingress-console.yaml -``` - -## Probar - -```bash -export AWS_ACCESS_KEY_ID=admin -export AWS_SECRET_ACCESS_KEY='Pozuelo12345' -export AWS_S3_FORCE_PATH_STYLE=true - -aws --endpoint-url https://s3-a.c2et.net s3 mb s3://mi-bucket-a -aws --endpoint-url https://s3-a.c2et.net s3 ls - -aws --endpoint-url https://s3-b.c2et.net s3 mb s3://mi-bucket-b -aws --endpoint-url https://s3-b.c2et.net s3 ls -``` - -## Notas - -- Los PVC usan `WaitForFirstConsumer` a través de tus StorageClasses; el `nodeSelector` del StatefulSet garantiza - que cada volumen se cree en el **site** correcto. -- Imagen MinIO: `quay.io/minio/minio:RELEASE.2025-02-20T00-00-00Z` (ajústala a la que certifiques). -- Tamaño del PVC por defecto: `2Ti` (modifícalo a tu necesidad). \ No newline at end of file diff --git a/minio/site-a/service.yaml b/minio/site-a/service.yaml deleted file mode 100644 index 5dd1d7e..0000000 --- a/minio/site-a/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: minio - namespace: minio-site-a -spec: - type: ClusterIP - selector: - app: minio - ports: - - name: api - port: 9000 - targetPort: 9000 - protocol: TCP - - name: console - port: 9001 - targetPort: 9001 - protocol: TCP diff --git a/minio/site-b/service.yaml b/minio/site-b/service.yaml deleted file mode 100644 index f977b73..0000000 --- a/minio/site-b/service.yaml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: minio - namespace: minio-site-b -spec: - type: ClusterIP - selector: - app: minio - ports: - - name: api - port: 9000 - targetPort: 9000 - protocol: TCP - - name: console - port: 9001 - targetPort: 9001 - protocol: TCP diff --git a/seagate/storageclass/nano b/seagate/storageclass/nano deleted file mode 100644 index e69de29..0000000 diff --git a/test/testpod.yaml b/test/testpod.yaml deleted file mode 100644 index c1dc334..0000000 --- a/test/testpod.yaml +++ /dev/null @@ -1,36 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: test-http -# annotations: -# metallb.universe.tf/address-pool: default -spec: -# type: NodePort - type: LoadBalancer - loadBalancerIP: 192.168.200.10 - selector: - app: test-http - ports: - - port: 80 - targetPort: 80 -# nodePort: 30080 ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: test-http -spec: - replicas: 1 - selector: - matchLabels: - app: test-http - template: - metadata: - labels: - app: test-http - spec: - containers: - - name: test-http - image: nginx:alpine - ports: - - containerPort: 80 diff --git a/velero/bsl/bsl-default-site-a.yaml b/velero/bsl/bsl-default-site-a.yaml deleted file mode 100644 index 9c38c4b..0000000 --- a/velero/bsl/bsl-default-site-a.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: velero.io/v1 -kind: BackupStorageLocation -metadata: - name: default - namespace: velero -spec: - provider: aws - objectStorage: - bucket: velero - config: - region: minio - s3Url: https://s3-a.c2et.net - s3ForcePathStyle: "true" - credential: - name: cloud-credentials-site-a - key: cloud diff --git a/velero/bsl/bsl-site-b.yaml b/velero/bsl/bsl-site-b.yaml deleted file mode 100644 index 2426b6f..0000000 --- a/velero/bsl/bsl-site-b.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: velero.io/v1 -kind: BackupStorageLocation -metadata: - name: site-b - namespace: velero -spec: - provider: aws - objectStorage: - bucket: velero - config: - region: minio - s3Url: https://s3-b.c2et.net - s3ForcePathStyle: "true" - credential: - name: cloud-credentials-site-b - key: cloud diff --git a/velero/helm/values-approach-a.yaml b/velero/helm/values-approach-a.yaml deleted file mode 100644 index 0665b33..0000000 --- a/velero/helm/values-approach-a.yaml +++ /dev/null @@ -1,36 +0,0 @@ -credentials: - useSecret: true - existingSecret: "" - secretContents: - cloud: | - [default] - aws_access_key_id=velero-a - aws_secret_access_key=Clave-Velero-A - -configuration: - features: EnableCSI - backupStorageLocation: - - name: default - provider: aws - bucket: velero - config: - region: minio - s3Url: https://s3-a.c2et.net - s3ForcePathStyle: "true" - -initContainers: - - name: velero-plugin-for-aws - image: velero/velero-plugin-for-aws:v1.9.0 - imagePullPolicy: IfNotPresent - volumeMounts: - - name: plugins - mountPath: /target - - name: velero-plugin-for-csi - image: velero/velero-plugin-for-csi:v0.7.0 - imagePullPolicy: IfNotPresent - volumeMounts: - - name: plugins - mountPath: /target - -nodeAgent: - enabled: true diff --git a/velero/helm/values-approach-b.yaml b/velero/helm/values-approach-b.yaml deleted file mode 100644 index 6bc6b3c..0000000 --- a/velero/helm/values-approach-b.yaml +++ /dev/null @@ -1,30 +0,0 @@ -# values-combined.yaml -credentials: - useSecret: false # Secrets y BSLs los aplicas tú por YAML (como ya hiciste) - -configuration: - features: "" - backupStorageLocation: [] # ninguno desde Helm (los gestionas por YAML) - defaultVolumesToFsBackup: true # copia datos de PV vía node-agent/Kopia al BSL - -# Dejamos SOLO el plugin de AWS; el CSI externo se quita (viene integrado en Velero 1.16) -initContainers: - - name: velero-plugin-for-aws - image: velero/velero-plugin-for-aws:v1.9.0 - imagePullPolicy: IfNotPresent - volumeMounts: - - name: plugins - mountPath: /target - -# **activar** el node-agent (DaemonSet) y darle tolerations "catch-all" -deployNodeAgent: true -nodeAgent: - podConfig: - tolerations: - - key: "node-role.kubernetes.io/master" - operator: "Exists" - effect: "NoSchedule" - - key: "node-role.kubernetes.io/control-plane" - operator: "Exists" - effect: "NoSchedule" - - operator: "Exists" # tolera cualquier otro taint diff --git a/velero/monitoring/grafana-dashboard-velero.json b/velero/monitoring/grafana-dashboard-velero.json deleted file mode 100644 index b7d6d66..0000000 --- a/velero/monitoring/grafana-dashboard-velero.json +++ /dev/null @@ -1,92 +0,0 @@ -{ - "annotations": { - "list": [] - }, - "editable": true, - "gnetId": null, - "graphTooltip": 0, - "panels": [ - { - "type": "stat", - "title": "Backups - Total", - "targets": [ - { - "expr": "sum(velero_backup_total)", - "legendFormat": "total" - } - ], - "id": 1, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - }, - "options": { - "reduceOptions": { - "calcs": [ - "lastNotNull" - ] - } - } - }, - { - "type": "timeSeries", - "title": "Backups por estado", - "targets": [ - { - "expr": "sum by (phase) (increase(velero_backup_attempt_total[1h]))", - "legendFormat": "{{phase}}" - } - ], - "id": 2, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - } - }, - { - "type": "timeSeries", - "title": "Duraci\u00f3n de backups (p95)", - "targets": [ - { - "expr": "histogram_quantile(0.95, sum(rate(velero_backup_duration_seconds_bucket[5m])) by (le))", - "legendFormat": "p95" - } - ], - "id": 3, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - } - }, - { - "type": "timeSeries", - "title": "Errores del node-agent", - "targets": [ - { - "expr": "sum(rate(velero_node_agent_errors_total[5m]))", - "legendFormat": "errores" - } - ], - "id": 4, - "datasource": { - "type": "prometheus", - "uid": "prometheus" - } - } - ], - "schemaVersion": 37, - "style": "dark", - "tags": [ - "velero", - "backup" - ], - "templating": { - "list": [] - }, - "time": { - "from": "now-24h", - "to": "now" - }, - "title": "Velero (MinIO S3)", - "version": 1 -} \ No newline at end of file diff --git a/velero/monitoring/servicemonitor.yaml b/velero/monitoring/servicemonitor.yaml deleted file mode 100644 index 089ec7f..0000000 --- a/velero/monitoring/servicemonitor.yaml +++ /dev/null @@ -1,16 +0,0 @@ -apiVersion: monitoring.coreos.com/v1 -kind: ServiceMonitor -metadata: - name: velero - namespace: velero - labels: - release: prometheus # ajusta al selector de tu Prometheus -spec: - selector: - matchLabels: - app.kubernetes.io/name: velero - namespaceSelector: - matchNames: ["velero"] - endpoints: - - port: metrics - interval: 30s diff --git a/velero/schedules/schedules.yaml b/velero/schedules/schedules.yaml deleted file mode 100644 index c0d0265..0000000 --- a/velero/schedules/schedules.yaml +++ /dev/null @@ -1,27 +0,0 @@ -apiVersion: velero.io/v1 -kind: Schedule -metadata: - name: nightly-a - namespace: velero -spec: - schedule: "0 2 * * *" - template: - ttl: 168h - includedNamespaces: - - gitea - - apolo - storageLocation: default ---- -apiVersion: velero.io/v1 -kind: Schedule -metadata: - name: nightly-b - namespace: velero -spec: - schedule: "30 2 * * *" - template: - ttl: 168h - includedNamespaces: - - giteay - - apolo - storageLocation: site-b diff --git a/velero/secrets/secret-site-a.yaml b/velero/secrets/secret-site-a.yaml deleted file mode 100644 index 976c8bd..0000000 --- a/velero/secrets/secret-site-a.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cloud-credentials-site-a - namespace: velero -type: Opaque -stringData: - cloud: | - [default] - aws_access_key_id=velero-a - aws_secret_access_key=Pozuelo12345 diff --git a/velero/secrets/secret-site-b.yaml b/velero/secrets/secret-site-b.yaml deleted file mode 100644 index 00b0c57..0000000 --- a/velero/secrets/secret-site-b.yaml +++ /dev/null @@ -1,11 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cloud-credentials-site-b - namespace: velero -type: Opaque -stringData: - cloud: | - [default] - aws_access_key_id=velero-b - aws_secret_access_key=Pozuelo12345 diff --git a/velero/vsl-default.yaml b/velero/vsl-default.yaml deleted file mode 100644 index 90b81f6..0000000 --- a/velero/vsl-default.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: velero.io/v1 -kind: VolumeSnapshotLocation -metadata: - name: default - namespace: velero -spec: - provider: velero.io/csi