feat: port restic backup chart

70e28a95 · Janne Mareike Koschinski · 36617998 · 70e28a95 · 70e28a95 · 70e28a95
Verified Commit 70e28a95 authored 2 years ago by Janne Mareike Koschinski
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -14,3 +14,4 @@ include:
 - mailu/pipeline.yml
 - oauth2-proxy/pipeline.yml
 - quassel/pipeline.yml
+- restic/pipeline.yml
--- a/restic/Chart.yaml
+++ b/restic/Chart.yaml
+apiVersion: v2
+name: restic
+description: Helm Chart for restic
+type: application
+version: 1.0.0
+appVersion: "0.13.1"
--- a/restic/pipeline.yml
+++ b/restic/pipeline.yml
+lint-restic:
+  stage: lint
+  script:
+    - helm lint restic
+
+release-restic:
+  stage: release
+  needs:
+    - lint-restic
+  rules:
+    - if: '$CI_COMMIT_BRANCH == $CI_DEFAULT_BRANCH'
+  script:
+    - apk add --no-cache git
+    - helm plugin install https://github.com/chartmuseum/helm-push.git
+    - helm repo add --username gitlab-ci-token --password $CI_JOB_TOKEN repo ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/packages/helm/stable
+    - helm cm-push restic repo
--- a/restic/templates/_helpers.tpl
+++ b/restic/templates/_helpers.tpl
+{{/*
+Expand the name of the chart.
+*/}}
+{{- define "restic-helm.name" -}}
+{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Create a default fully qualified app name.
+We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec).
+If release name contains chart name it will be used as a full name.
+*/}}
+{{- define "restic-helm.fullname" -}}
+{{- if .Values.fullnameOverride }}
+{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- $name := default .Chart.Name .Values.nameOverride }}
+{{- if contains $name .Release.Name }}
+{{- .Release.Name | trunc 63 | trimSuffix "-" }}
+{{- else }}
+{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
+{{- end }}
+{{- end }}
+{{- end }}
+
+{{/*
+Create chart name and version as used by the chart label.
+*/}}
+{{- define "restic-helm.chart" -}}
+{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
+{{- end }}
+
+{{/*
+Common labels
+*/}}
+{{- define "restic-helm.labels" -}}
+helm.sh/chart: {{ include "restic-helm.chart" . }}
+{{ include "restic-helm.selectorLabels" . }}
+{{- if .Chart.AppVersion }}
+app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
+{{- end }}
+app.kubernetes.io/managed-by: {{ .Release.Service }}
+{{- end }}
+
+{{/*
+Selector labels
+*/}}
+{{- define "restic-helm.selectorLabels" -}}
+app.kubernetes.io/name: {{ include "restic-helm.name" . }}
+app.kubernetes.io/instance: {{ .Release.Name }}
+{{- end }}
+
+
+{{- define "restic-helm.sslPath" -}}
+/certs
+{{- end }}
--- a/restic/templates/cronjob_backup.yaml
+++ b/restic/templates/cronjob_backup.yaml
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: {{ include "restic-helm.fullname" . }}
+  labels:
+    {{- include "restic-helm.labels" . | nindent 4 }}
+spec:
+  schedule: "{{ .Values.schedule }}"
+  jobTemplate:
+    metadata:
+      {{- with .Values.jobAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "restic-helm.labels" . | nindent 8 }}
+    spec:
+      template:
+        metadata:
+          {{- with .Values.podAnnotations }}
+          annotations:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          labels:
+            {{- include "restic-helm.labels" . | nindent 12 }}
+        spec:
+          {{- with .Values.imagePullSecrets }}
+          imagePullSecrets:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          securityContext:
+            {{- toYaml .Values.podSecurityContext | nindent 12 }}
+          volumes:
+            - name: data
+              {{- .Values.volume | nindent 14 }}
+          containers:
+            - name: {{ .Chart.Name }}
+              securityContext:
+                {{- toYaml .Values.securityContext | nindent 16 }}
+              image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+              imagePullPolicy: {{ .Values.image.pullPolicy }}
+              workingDir: "/sync"
+              args:
+                - "-r"
+                - "{{ .Values.repository.name }}"
+                - "backup"
+                - "."
+              envFrom:
+                - secretRef:
+                    name: {{ include "restic-helm.fullname" . }}
+              resources:
+                {{- toYaml .Values.resources | nindent 16 }}
+              volumeMounts:
+                - mountPath: "/sync"
+                  name: data
+          {{- with .Values.nodeSelector }}
+          nodeSelector:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.affinity }}
+          affinity:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
+          {{- with .Values.tolerations }}
+          tolerations:
+            {{- toYaml . | nindent 12 }}
+          {{- end }}
--- a/restic/templates/job_init.yaml
+++ b/restic/templates/job_init.yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: {{ include "restic-helm.fullname" . }}
+  labels:
+    {{- include "restic-helm.labels" . | nindent 4 }}
+spec:
+  template:
+    metadata:
+      {{- with .Values.podAnnotations }}
+      annotations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      labels:
+        {{- include "restic-helm.labels" . | nindent 8 }}
+    spec:
+      {{- with .Values.imagePullSecrets }}
+      imagePullSecrets:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      securityContext:
+        {{- toYaml .Values.podSecurityContext | nindent 8 }}
+      volumes:
+        - name: data
+          {{- .Values.volume | nindent 10 }}
+      containers:
+        - name: {{ .Chart.Name }}
+          securityContext:
+            {{- toYaml .Values.securityContext | nindent 12 }}
+          image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
+          imagePullPolicy: {{ .Values.image.pullPolicy }}
+          workingDir: "/sync"
+          args:
+            - "-r"
+            - "{{ .Values.repository.name }}"
+            - "init"
+          envFrom:
+            - secretRef:
+                name: {{ include "restic-helm.fullname" . }}
+          resources:
+            {{- toYaml .Values.resources | nindent 12 }}
+          volumeMounts:
+            - mountPath: "/sync"
+              name: data
+      {{- with .Values.nodeSelector }}
+      nodeSelector:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.affinity }}
+      affinity:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
+      {{- with .Values.tolerations }}
+      tolerations:
+        {{- toYaml . | nindent 8 }}
+      {{- end }}
--- a/restic/templates/secret.yaml
+++ b/restic/templates/secret.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ include "restic-helm.fullname" . }}
+  labels:
+    {{- include "restic-helm.labels" . | nindent 4 }}
+data:
+  RESTIC_PASSWORD: "{{ .Values.repository.key }}"
+  RESTIC_REPOSITORY: "{{ .Values.repository.name }}"
+  {{- toYaml .Values.auth | nindent 2 }}
--- a/restic/values.yaml
+++ b/restic/values.yaml
+image:
+  repository: restic/restic
+  pullPolicy: IfNotPresent
+  tag: ""
+
+imagePullSecrets: [ ]
+nameOverride: ""
+fullnameOverride: ""
+
+volume: |-
+  emptyDir: {}
+
+schedule: "0 0 * * *"
+
+auth:
+  B2_ACCOUNT_ID: "AzureDiamond"
+  B2_ACCOUNT_KEY: "hunter2"
+
+repository:
+  name: "mybackuprepo"
+  key: "mypassword"
+
+jobAnnotations: { }
+
+podAnnotations: { }
+
+podSecurityContext:
+  fsGroup: 2000
+
+securityContext:
+  capabilities:
+    drop:
+      - ALL
+  runAsNonRoot: true
+  runAsUser: 1000
+
+resources:
+  limits:
+    cpu: 500m
+    memory: 512Mi
+  requests:
+    cpu: 10m
+    memory: 64Mi
+
+nodeSelector: { }
+
+tolerations: [ ]
+
+affinity: { }