implement etcd-backup

charts/t8s-cluster/templates/management-cluster/clusterClass/_helpers.tpl

@@ -160,9 +160,9 @@ server = {{ printf "https://%s" .registry | quote }}
 {{- end }}
 
 {{- define "t8s-cluster.clusterClass.apiServer.admissionPlugins" -}}
-  {{- $admissionPlugins := list "AlwaysPullImages" -}}
+  {{- $admissionPlugins := list "AlwaysPullImages" "NodeRestriction" -}}
   {{- if not .excludePatches -}}
-    {{- $admissionPlugins = concat $admissionPlugins (list "EventRateLimit" "NodeRestriction") -}}
+    {{- $admissionPlugins = concat $admissionPlugins (list "EventRateLimit") -}}
   {{- end -}}
   {{- $admissionPlugins | toYaml -}}
 {{- end -}}

charts/t8s-cluster/templates/workload-cluster/etcd-backup.yaml

@@ -0,0 +1,117 @@
+{{- include "t8s-cluster.helm.resourceIntoCluster" (dict "name" "etcd-backup" "resource" (include "t8s-cluster.etcd-backup" (dict "context" $)) "context" $ "additionalLabels" (dict "app.kubernetes.io/component" "etcd")) | nindent 0 }}
+
+{{- define "t8s-cluster.etcd-backup" -}}
+  {{- $_ := mustMerge . (pick .context "Values" "Release" "Chart") -}}
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: kube-etcd-backup
+  namespace: kube-system
+  labels: {{- include "common.labels.standard" . | nindent 4 }}
+spec:
+  concurrencyPolicy: Forbid
+  failedJobsHistoryLimit: 10
+  successfulJobsHistoryLimit: 1
+  schedule: '0 0 * * *'
+  jobTemplate:
+    spec:
+      backoffLimit: 6
+      template:
+        spec:
+          initContainers:
+            - name: etcd-backup
+              command:
+                - sh
+                - -ec
+                - |
+                  etcdctl snapshot save /tmp/etcd-snapshot.db --cacert=/etc/kubernetes/pki/etcd/ca.crt --cert=/etc/kubernetes/pki/etcd/peer.crt --key=/etc/kubernetes/pki/etcd/peer.key
+                  etcdctl snapshot status -w table /tmp/etcd-snapshot.db
+              env:
+                - name: ETCDCTL_API
+                  value: "3"
+                - name: ETCDCTL_ENDPOINTS
+                  value: 'localhost:2379'
+              image: {{ include "common.images.image" (dict "imageRoot" .Values.global.etcd.image "global" .Values.global) }}
+              imagePullPolicy: IfNotPresent
+              securityContext: &securityContext
+                readOnlyRootFilesystem: true
+                allowPrivilegeEscalation: false
+                privileged: false
+                seccompProfile:
+                  type: RuntimeDefault
+                capabilities:
+                  drop:
+                    - ALL
+              volumeMounts:
+                - mountPath: /etc/kubernetes/pki/etcd
+                  name: etcd-certs
+                  readOnly: true
+                - mountPath: /tmp
+                  name: tmp
+          containers:
+            - name: upload-backup
+              command:
+                - bash
+                - -xec
+                - mc cp /tmp/etcd-snapshot.db container/$(S3_BUCKET)/$(date --iso-8601=hours).db
+              env:
+                - name: S3_HOST
+                  valueFrom:
+                    secretKeyRef:
+                      key: host
+                      name: etcd-backup-config
+                - name: S3_PORT
+                  valueFrom:
+                    secretKeyRef:
+                      key: port
+                      name: etcd-backup-config
+                - name: S3_ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      key: access_key_id
+                      name: etcd-backup-config
+                - name: S3_SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      key: secret_access_key
+                      name: etcd-backup-config
+                - name: S3_BUCKET
+                  valueFrom:
+                    secretKeyRef:
+                      key: bucket
+                      name: etcd-backup-config
+                - name: MC_HOST_container
+                  value: https://$(S3_ACCESS_KEY_ID):$(S3_SECRET_ACCESS_KEY)@$(S3_HOST):$(S3_PORT)
+                - name: MC_CONFIG_DIR
+                  value: /tmp/wtf-mc
+              image: {{ include "common.images.image" (dict "imageRoot" .Values.global.minioCli.image "global" .Values.global) }}
+              imagePullPolicy: IfNotPresent
+              securityContext: *securityContext
+              volumeMounts:
+                - mountPath: /tmp/etcd-snapshot.db
+                  name: tmp
+                  subPath: etcd-snapshot.db
+                  readOnly: true
+                - mountPath: /tmp/wtf-mc
+                  name: tmp
+                  subPath: wtf-mc
+          dnsPolicy: ClusterFirst
+          hostNetwork: true
+          nodeSelector:
+            node-role.kubernetes.io/control-plane: ""
+          restartPolicy: OnFailure
+          tolerations:
+            - effect: NoSchedule
+              key: node-role.kubernetes.io/control-plane
+              operator: Exists
+            - effect: NoSchedule
+              key: node-role.kubernetes.io/master
+              operator: Exists
+          volumes:
+            - hostPath:
+                path: /etc/kubernetes/pki/etcd
+                type: Directory
+              name: etcd-certs
+            - emptyDir: {}
+              name: tmp
+{{- end -}}

charts/t8s-cluster/values.yaml

@@ -30,6 +30,11 @@ global:
       registry: docker.io
       repository: alpine/semver
       tag: 7.5.4
+  minioCli:
+    image:
+      registry: docker.io
+      repository: minio/mc
+      tag: RELEASE.2024-06-24T19-40-33Z
   injectedCertificateAuthorities: ""
   kubeletExtraConfig:
     # This is only used when using 1.27 or later