
mvgmb/kube-dumper


kube-dumper

Backup service for Kubernetes that keeps the cluster state history in a Git repository. It reacts to K8s events to detect state changes and encrypts Secrets with Mozilla SOPS before they are committed.

Configuration

Environment Variables

REPOSITORY_URL=git@github.com:mvgmb/kube-dumper-test.git
REFRESH_GVRS_TIME_IN_MINUTES=1

K8s

Since it is expected to run inside a pod on K8s, by default this program builds its client configuration from the service account K8s mounts into the pod (in-cluster configuration).

If that fails, it falls back to the default kubeconfig file used by K8s (~/.kube/config).
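The lookup order described above, as an added example that is not kube-dumper's own code: the decision is isolated in one function so it can be exercised without a cluster. The environment variables and token path are the ones client-go's in-cluster configuration checks; the `probe` struct and the "in-cluster" marker string are assumptions made for this example.

```go
package main

import (
	"errors"
	"fmt"
	"os"
	"path/filepath"
)

// Path where K8s mounts the pod's service-account token (what client-go reads
// for in-cluster configuration).
const saTokenPath = "/var/run/secrets/kubernetes.io/serviceaccount/token"

// probe injects the environment and filesystem lookups so the decision can be
// tested deterministically. (Hypothetical type, added for this example.)
type probe struct {
	getenv func(string) string
	exists func(string) bool
	home   string
}

// ErrNoConfig is returned when neither configuration source is available.
var ErrNoConfig = errors.New("no Kubernetes configuration found")

// chooseConfigSource returns "in-cluster" when the pod's service account can be
// used, otherwise the path of the kubeconfig file to fall back to.
func chooseConfigSource(p probe) (string, error) {
	// Inside a pod the API server address is injected as env vars and the
	// service-account token is mounted into the container.
	if p.getenv("KUBERNETES_SERVICE_HOST") != "" &&
		p.getenv("KUBERNETES_SERVICE_PORT") != "" &&
		p.exists(saTokenPath) {
		return "in-cluster", nil
	}
	// Fallback: the default kubeconfig file in the user's home directory.
	path := filepath.Join(p.home, ".kube", "config")
	if p.exists(path) {
		return path, nil
	}
	return "", ErrNoConfig
}

func main() {
	home, _ := os.UserHomeDir()
	src, err := chooseConfigSource(probe{
		getenv: os.Getenv,
		exists: func(path string) bool { _, err := os.Stat(path); return err == nil },
		home:   home,
	})
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	fmt.Println("using configuration source:", src)
}
```

Which branch is taken decides which identity the dumper reads the cluster with: in-cluster, the pod's service account and its RBAC bindings bound what can be dumped; on the fallback path the program runs with whatever identity the local kubeconfig holds, so that file should be scoped to read-only access when the dumper is run locally.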

SOPS

This program uses SOPS to encrypt secret configuration files.

It uses the creation rules defined in the .sops.yaml configuration file during encryption. Here is an example of a SOPS configuration using AWS KMS:

creation_rules:
  - encrypted_regex: ^(data|stringData)$
    kms: arn:aws:kms:us-east-2:466238317701:key/463d7832-ad9c-4bef-aff3-55ae1151ad4e

To make git diff decrypt secrets before diffing, the textconv option must be configured in the .gitconfig file:

[diff "sopsdiffer"]
	textconv = sops -d

and in the .gitattributes file:

**/secrets/*.yaml diff=sopsdiffer

These files must be placed in the dumper's git repository. Here is an example of a dump repository: https://github.com/mvgmb/kube-dumper-test.

Read more: https://github.com/mozilla/sops

AWS KMS

When using AWS KMS, you'll need your AWS credentials to authenticate with AWS services. This program picks up the credentials from the AWS SDK's default credential chain. The common items in the credential chain are the following:

  • Environment Credentials
  • Shared Credentials file (~/.aws/credentials)
  • EC2 Instance Role Credentials

Read more: https://github.com/aws/aws-sdk-go#configuring-credentials

Field Filters

This program uses the fields listed in ./dump-files/fieldFilters.yaml to strip undesired YAML fields from the dumped resources.
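An added example, not kube-dumper's own code, covering the two steps above: stripping server-managed fields from a dumped resource before it is committed, and checking which keys the page's SOPS encrypted_regex (`^(data|stringData)$`) would actually encrypt. The page does not document the format of fieldFilters.yaml, so a list of dotted paths is assumed here; the sample Secret is constructed and written as JSON so the example needs no YAML library.

```go
package main

import (
	"encoding/json"
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Assumed filter format: dotted paths to remove. These are the fields that
// change on every write without reflecting a real configuration change, so
// dropping them keeps the git history free of noise commits.
var fieldFilters = []string{
	"metadata.resourceVersion",
	"metadata.uid",
	"metadata.managedFields",
	"metadata.creationTimestamp",
	"status",
}

// Constructed sample resource (values are placeholders, not real data).
const sampleSecret = `{
  "apiVersion": "v1",
  "kind": "Secret",
  "metadata": {
    "name": "db-creds",
    "namespace": "prod",
    "uid": "constructed-uid-0001",
    "resourceVersion": "12345",
    "annotations": {"owner": "team-a"}
  },
  "data": {"password": "cGxhY2Vob2xkZXI="},
  "status": {}
}`

// stripField deletes one dotted path from a nested map and reports whether
// anything was removed. Missing intermediate keys are not an error.
func stripField(obj map[string]interface{}, path string) bool {
	parts := strings.Split(path, ".")
	cur := obj
	for _, p := range parts[:len(parts)-1] {
		next, ok := cur[p].(map[string]interface{})
		if !ok {
			return false
		}
		cur = next
	}
	last := parts[len(parts)-1]
	if _, ok := cur[last]; !ok {
		return false
	}
	delete(cur, last)
	return true
}

// filterResource parses one resource document and applies every filter.
func filterResource(doc string, filters []string) (map[string]interface{}, error) {
	var obj map[string]interface{}
	if err := json.Unmarshal([]byte(doc), &obj); err != nil {
		return nil, err
	}
	for _, f := range filters {
		stripField(obj, f)
	}
	return obj, nil
}

// encryptedKeys lists the top-level keys matching the SOPS encrypted_regex.
// SOPS applies the regex at every nesting level, but a Secret's data and
// stringData sit at the top level, so checking there is enough to see what
// stays in cleartext: metadata, including labels and annotations.
func encryptedKeys(obj map[string]interface{}, encryptedRegex string) ([]string, error) {
	re, err := regexp.Compile(encryptedRegex)
	if err != nil {
		return nil, err
	}
	var keys []string
	for k := range obj {
		if re.MatchString(k) {
			keys = append(keys, k)
		}
	}
	sort.Strings(keys)
	return keys, nil
}

func main() {
	obj, err := filterResource(sampleSecret, fieldFilters)
	if err != nil {
		panic(err)
	}
	out, _ := json.MarshalIndent(obj, "", "  ")
	fmt.Println(string(out))
	keys, _ := encryptedKeys(obj, `^(data|stringData)$`)
	fmt.Println("keys SOPS would encrypt:", keys)
}
```

The encrypted_regex check makes the boundary of the protection explicit: only data and stringData are ciphertext in the repository, while names, labels and annotations of a Secret are committed in cleartext, so anything sensitive placed in annotations would end up readable in git history.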

Usage

Locally

Prerequisites:

  • Go v1.15.5

WARNING: running this code will delete all content from the current folder

# create an empty directory
mkdir tmp
cd ./tmp

# load environment variables
source ../env.sh

# run program
go run ../*.go

On K8s Cluster

Prerequisites:

To learn how to generate the encrypted aws.secret.yaml and ssh.secret.yaml files, see https://github.com/inloco/sops-kustomize-generator-plugin

To build the service's Docker image, run:

docker build . -t inloco/kube-dumper

This repository uses Kustomize to generate the K8s configuration files. To apply them to K8s, run:

kustomize build --enable_alpha_plugins ./k8s | kubectl apply -f -

Contributors

https://github.com/mvgmb/kube-dumper/graphs/contributors
