minio, velero y tal

2025-08-27 01:46:41 +02:00
parent 4265121e6e
commit 7e429dd17a
26 changed files with 993 additions and 0 deletions
--- a/velero/README.md
+++ b/velero/README.md
@@ -0,0 +1,32 @@
+# Velero + MinIO (c2et.net)
+
+Este paquete contiene:
+- `namespace.yaml`
+- Secrets de credenciales (`cloud-credentials-site-a`, `cloud-credentials-site-b`)
+- BackupStorageLocation (BSL) por YAML: `default` (site-a) y `site-b`
+- Ejemplo de `Schedule` (nightly a las 02:00 y 02:30)
+- Dos `values.yaml` de Helm:
+  - `helm/values-approach-a.yaml`: crea BSL por defecto y Secret desde Helm
+  - `helm/values-approach-b.yaml`: sin BSL/Secret; los aplicas tú en YAML (GitOps)
+- `ServiceMonitor` (si usas Prometheus Operator)
+- Dashboard de Grafana (JSON)
+
+## Flujo recomendado (GitOps, Approach B)
+```bash
+# 1) Instala Velero por Helm sin BSL ni secrets
+helm repo add vmware-tanzu https://vmware-tanzu.github.io/helm-charts
+helm upgrade --install velero vmware-tanzu/velero -n velero --create-namespace -f helm/values-approach-b.yaml
+
+# 2) Aplica Secrets, BSLs y Schedules
+kubectl apply -f namespace.yaml
+kubectl apply -f secrets/secret-site-a.yaml -f secrets/secret-site-b.yaml
+kubectl apply -f bsl/bsl-default-site-a.yaml -f bsl/bsl-site-b.yaml
+kubectl apply -f schedules/schedules.yaml
+```
+
+## Notas
+- MinIO requiere `s3ForcePathStyle=true`.
+- Si usas CA propia, añade `spec.config.caCert` en los BSL.
+- `ServiceMonitor` requiere Prometheus Operator; ajusta `metadata.labels.release` al valor que use tu Prometheus.
+- Importa el dashboard JSON en Grafana (datasource `prometheus`).
+
--- a/velero/bsl/bsl-default-site-a.yaml
+++ b/velero/bsl/bsl-default-site-a.yaml
@@ -0,0 +1,16 @@
+apiVersion: velero.io/v1
+kind: BackupStorageLocation
+metadata:
+  name: default
+  namespace: velero
+spec:
+  provider: aws
+  objectStorage:
+    bucket: velero
+  config:
+    region: minio
+    s3Url: https://s3-a.c2et.net
+    s3ForcePathStyle: "true"
+  credential:
+    name: cloud-credentials-site-a
+    key: cloud
--- a/velero/bsl/bsl-site-b.yaml
+++ b/velero/bsl/bsl-site-b.yaml
@@ -0,0 +1,16 @@
+apiVersion: velero.io/v1
+kind: BackupStorageLocation
+metadata:
+  name: site-b
+  namespace: velero
+spec:
+  provider: aws
+  objectStorage:
+    bucket: velero
+  config:
+    region: minio
+    s3Url: https://s3-b.c2et.net
+    s3ForcePathStyle: "true"
+  credential:
+    name: cloud-credentials-site-b
+    key: cloud
--- a/velero/helm/values-approach-a.yaml
+++ b/velero/helm/values-approach-a.yaml
@@ -0,0 +1,36 @@
+credentials:
+  useSecret: true
+  existingSecret: ""
+  secretContents:
+    cloud: |
+      [default]
+      aws_access_key_id=velero-a
+      aws_secret_access_key=Clave-Velero-A
+
+configuration:
+  features: EnableCSI
+  backupStorageLocation:
+    - name: default
+      provider: aws
+      bucket: velero
+      config:
+        region: minio
+        s3Url: https://s3-a.c2et.net
+        s3ForcePathStyle: "true"
+
+initContainers:
+  - name: velero-plugin-for-aws
+    image: velero/velero-plugin-for-aws:v1.9.0
+    imagePullPolicy: IfNotPresent
+    volumeMounts:
+      - name: plugins
+        mountPath: /target
+  - name: velero-plugin-for-csi
+    image: velero/velero-plugin-for-csi:v0.7.0
+    imagePullPolicy: IfNotPresent
+    volumeMounts:
+      - name: plugins
+        mountPath: /target
+
+nodeAgent:
+  enabled: true
--- a/velero/helm/values-approach-b.yaml
+++ b/velero/helm/values-approach-b.yaml
@@ -0,0 +1,23 @@
+credentials:
+  useSecret: false  # Secrets y BSLs los aplicas tú por YAML
+
+configuration:
+  features: EnableCSI
+  backupStorageLocation: []  # ninguno desde Helm
+
+initContainers:
+  - name: velero-plugin-for-aws
+    image: velero/velero-plugin-for-aws:v1.9.0
+    imagePullPolicy: IfNotPresent
+    volumeMounts:
+      - name: plugins
+        mountPath: /target
+  - name: velero-plugin-for-csi
+    image: velero/velero-plugin-for-csi:v0.7.0
+    imagePullPolicy: IfNotPresent
+    volumeMounts:
+      - name: plugins
+        mountPath: /target
+
+nodeAgent:
+  enabled: true
--- a/velero/monitoring/grafana-dashboard-velero.json
+++ b/velero/monitoring/grafana-dashboard-velero.json
@@ -0,0 +1,92 @@
+{
+  "annotations": {
+    "list": []
+  },
+  "editable": true,
+  "gnetId": null,
+  "graphTooltip": 0,
+  "panels": [
+    {
+      "type": "stat",
+      "title": "Backups - Total",
+      "targets": [
+        {
+          "expr": "sum(velero_backup_total)",
+          "legendFormat": "total"
+        }
+      ],
+      "id": 1,
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      },
+      "options": {
+        "reduceOptions": {
+          "calcs": [
+            "lastNotNull"
+          ]
+        }
+      }
+    },
+    {
+      "type": "timeSeries",
+      "title": "Backups por estado",
+      "targets": [
+        {
+          "expr": "sum by (phase) (increase(velero_backup_attempt_total[1h]))",
+          "legendFormat": "{{phase}}"
+        }
+      ],
+      "id": 2,
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      }
+    },
+    {
+      "type": "timeSeries",
+      "title": "Duraci\u00f3n de backups (p95)",
+      "targets": [
+        {
+          "expr": "histogram_quantile(0.95, sum(rate(velero_backup_duration_seconds_bucket[5m])) by (le))",
+          "legendFormat": "p95"
+        }
+      ],
+      "id": 3,
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      }
+    },
+    {
+      "type": "timeSeries",
+      "title": "Errores del node-agent",
+      "targets": [
+        {
+          "expr": "sum(rate(velero_node_agent_errors_total[5m]))",
+          "legendFormat": "errores"
+        }
+      ],
+      "id": 4,
+      "datasource": {
+        "type": "prometheus",
+        "uid": "prometheus"
+      }
+    }
+  ],
+  "schemaVersion": 37,
+  "style": "dark",
+  "tags": [
+    "velero",
+    "backup"
+  ],
+  "templating": {
+    "list": []
+  },
+  "time": {
+    "from": "now-24h",
+    "to": "now"
+  },
+  "title": "Velero (MinIO S3)",
+  "version": 1
+}
--- a/velero/monitoring/servicemonitor.yaml
+++ b/velero/monitoring/servicemonitor.yaml
@@ -0,0 +1,16 @@
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: velero
+  namespace: velero
+  labels:
+    release: prometheus  # ajusta al selector de tu Prometheus
+spec:
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: velero
+  namespaceSelector:
+    matchNames: ["velero"]
+  endpoints:
+    - port: metrics
+      interval: 30s
--- a/velero/namespace.yaml
+++ b/velero/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: velero
--- a/velero/schedules/schedules.yaml
+++ b/velero/schedules/schedules.yaml
@@ -0,0 +1,27 @@
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: nightly-a
+  namespace: velero
+spec:
+  schedule: "0 2 * * *"
+  template:
+    ttl: 168h
+    includedNamespaces:
+      - gitea
+      - apolo
+    storageLocation: default
+---
+apiVersion: velero.io/v1
+kind: Schedule
+metadata:
+  name: nightly-b
+  namespace: velero
+spec:
+  schedule: "30 2 * * *"
+  template:
+    ttl: 168h
+    includedNamespaces:
+      - giteay
+      - apolo
+    storageLocation: site-b
--- a/velero/secrets/secret-site-a.yaml
+++ b/velero/secrets/secret-site-a.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloud-credentials-site-a
+  namespace: velero
+type: Opaque
+stringData:
+  cloud: |
+    [default]
+    aws_access_key_id=velero-a
+    aws_secret_access_key=Pozuelo12345
--- a/velero/secrets/secret-site-b.yaml
+++ b/velero/secrets/secret-site-b.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloud-credentials-site-b
+  namespace: velero
+type: Opaque
+stringData:
+  cloud: |
+    [default]
+    aws_access_key_id=velero-b
+    aws_secret_access_key=Pozuelo12345